DMVPN

Refer to "Diagram 4 VPN technology".

Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following requirements:

- Use the preconfigured interface Tunnel0 on all three routers to accomplish this task.
- R17 must be the hub router.
- R18 and R19 must be the spokes and must participate in the NHRP information exchange.
- Disable the sending of ICMP redirect messages on all three tunnel interfaces.

Configure the following parameters on all three tunnel interfaces:

- Configure the bandwidth to 1000 kilobits per second.
- Configure the delay to 10000 microseconds.
- Adjust the IP MTU to 1400 bytes.
- Adjust the TCP maximum segment size to 1360 bytes.
- Authenticate NHRP using the string "45678key" (without quotes!).
- Use the NHRP network-id 45678.
- Configure the NHRP hold time to 5 minutes.
- Ensure that spoke-to-spoke traffic does not transit via the hub.

R17
====

R17(config)#interface Tunnel0
R17(config-if)#ip address 10.18.19.1 255.255.255.0
R17(config-if)#no ip redirects
R17(config-if)#ip pim sparse-mode
R17(config-if)#tunnel source 203.3.17.2
R17(config-if)#tunnel mode gre multipoint
R17(config-if)#bandwidth 1000
R17(config-if)#delay 1000
R17(config-if)#ip mtu 1400
R17(config-if)#ip tcp adjust-mss 1360
R17(config-if)#ip nhrp network-id 45678
R17(config-if)#ip nhrp authentication 45678key
R17(config-if)#ip nhrp holdtime 300
R17(config-if)#ip nhrp map multicast dynamic
R17(config-if)#ip nhrp redirect
R17(config-if)#tunnel key 45678

R18
====

R18(config)#interface Tunnel0
R18(config-if)#ip address 10.18.19.18 255.255.255.0
R18(config-if)#no ip redirects
R18(config-if)#ip pim sparse-mode
R18(config-if)#tunnel source Serial4/0
R18(config-if)#tunnel mode gre multipoint
R18(config-if)#bandwidth 1000
R18(config-if)#delay 1000
R18(config-if)#ip tcp adjust-mss 1360
R18(config-if)#ip mtu 1400
R18(config-if)#ip nhrp shortcut
R18(config-if)#ip nhrp map 10.18.19.1 203.3.17.2
R18(config-if)#ip nhrp map multicast 203.3.17.2
R18(config-if)#ip nhrp network-id 45678
R18(config-if)#ip nhrp authentication 45678key
R18(config-if)#ip nhrp nhs 10.18.19.1
R18(config-if)#tunnel key 45678
R18(config-if)#ip nhrp holdtime 300

R19
====

R19(config)#interface Tunnel0
R19(config-if)#ip address 10.18.19.19 255.255.255.0
R19(config-if)#no ip redirects
R19(config-if)#bandwidth 1000
R19(config-if)#ip mtu 1400
R19(config-if)#ip pim sparse-mode
R19(config-if)#ip nhrp authentication 45678key
R19(config-if)#ip nhrp map 10.18.19.1 203.3.17.2
R19(config-if)#ip nhrp map multicast 203.3.17.2
R19(config-if)#ip nhrp network-id 45678
R19(config-if)#ip nhrp holdtime 300
R19(config-if)#ip nhrp nhs 10.18.19.1
R19(config-if)#ip nhrp shortcut
R19(config-if)#ip tcp adjust-mss 1360
R19(config-if)#delay 1000
R19(config-if)#tunnel source Serial4/0
R19(config-if)#tunnel mode gre multipoint
R19(config-if)#tunnel key 45678

R17(config)#router eigrp CCIE
R17(config-router)#address-family ipv4 unicast autonomous-system 45678
R17(config-router-af)#af-interface tunnel0
R17(config-router-af-interface)#no split-horizon

DMVPN Encryption

Refer to "Diagram 4 VPN technology".

Secure the DMVPN tunnel using IPsec according to the following requirements.

Configure IKE phase 1 as per the following:

- Use AES encryption with the pre-shared key "CCIE" (without quotes).
- The key must appear in plain text in the config.
- All IPsec tunnels must be authenticated using the same IKE phase 1 pre-shared key.
- Use 1024 bits for the key exchange using the Diffie-Hellman algorithm.
- Configure a single policy using priority 10.
- Ensure that the ISAKMP key lookup is done in the VRF LOCALSP. Use a crypto keyring to accomplish this requirement.

Configure IKE phase 2 as per the following requirements:

- Use CCIEXFORM as the transform set name.
- Use DMVPNPROFILE as the IPsec profile name.
- Use IPsec in transport mode.
- Use the IPsec protocol ESP and the AES algorithm with 128 bits.
- Ensure that the DMVPN cloud is secured using the above parameters.
- Use tunnel protection in your config.

R17
====

R17(config)#crypto isakmp policy 10
R17(config-isakmp)#authentication pre-share
R17(config-isakmp)#encryption aes
R17(config-isakmp)#group 2
R17(config)#crypto keyring CCIE vrf LOCALSP
R17(conf-keyring)#pre-shared-key address 0.0.0.0 key CCIE
R17(config)#crypto ipsec transform-set CCIEXFORM esp-aes 128
R17(cfg-crypto-trans)#mode transport
R17(config)#crypto ipsec profile DMVPNPROFILE
R17(ipsec-profile)#set transform-set CCIEXFORM
R17(config)#interface Tunnel0
R17(config-if)#tunnel vrf LOCALSP
R17(config-if)#tunnel protection ipsec profile DMVPNPROFILE

R18
====

R18(config)#crypto isakmp policy 10
R18(config-isakmp)#encr aes
R18(config-isakmp)#authentication pre-share
R18(config-isakmp)#group 2
R18(config)#crypto keyring CCIE vrf LOCALSP
R18(conf-keyring)#pre-shared-key address 0.0.0.0 key CCIE
R18(config)#crypto ipsec transform-set CCIEXFORM esp-aes 128
R18(cfg-crypto-trans)#mode transport
R18(cfg-crypto-trans)#crypto ipsec profile DMVPNPROFILE
R18(ipsec-profile)#set transform-set CCIEXFORM
R18(ipsec-profile)#interface Tunnel0
R18(config-if)#tunnel vrf LOCALSP
R18(config-if)#tunnel protection ipsec profile DMVPNPROFILE

R19
====

R19(config)#crypto isakmp policy 10
R19(config-isakmp)#encr aes
R19(config-isakmp)#authentication pre-share
R19(config-isakmp)#group 2
R19(config)#crypto keyring CCIE vrf LOCALSP
R19(conf-keyring)#pre-shared-key address 0.0.0.0 key CCIE
R19(config)#crypto ipsec transform-set CCIEXFORM esp-aes 128
R19(cfg-crypto-trans)#mode transport
R19(cfg-crypto-trans)#crypto ipsec profile DMVPNPROFILE
R19(ipsec-profile)#set transform-set CCIEXFORM
R19(ipsec-profile)#interface Tunnel0
R19(config-if)#tunnel vrf LOCALSP
R19(config-if)#tunnel protection ipsec profile DMVPNPROFILE
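As an added example (not part of the original lab answer), the Python script below audits a router's configuration against the requirements of both tasks above: the Tunnel0 parameters and the role-specific NHRP commands of the DMVPN phase 3 task, and the ISAKMP policy, keyring, transform set and IPsec profile of the encryption task. The two sample configurations it contains are constructed from the commands shown for R17 and R18 on this page; the spoke sample deliberately carries two common slips (delay entered in microseconds rather than in tens of microseconds, and ICMP redirects left enabled) so that the checks are exercised. The hub NBMA address 203.3.17.2 and the Tunnel0 addresses come from the page; the function names and the config renderer are my own.

```python
"""Audit DMVPN phase 3 and IPsec settings against this page's lab requirements.
Added example, not part of the original lab answer: it parses IOS-style config
text (samples below are constructed from the page's commands) and lists every
requirement that is not met."""
import re

HUB_NBMA, HUB_TUNNEL_IP = "203.3.17.2", "10.18.19.1"  # R17 tunnel source / Tunnel0 address

def parse_sections(text):
    """Return {section header: [subcommands]}; 'encryption' becomes 'encr' as IOS stores it."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = " ".join(raw.split()).replace("encryption ", "encr ", 1)
        if not raw.startswith(" "):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def audit_tunnel(cmds, role):
    required = ["bandwidth 1000", "ip mtu 1400", "ip tcp adjust-mss 1360",
                "no ip redirects",                      # task: disable ICMP redirects
                "ip nhrp authentication 45678key", "ip nhrp network-id 45678",
                "ip nhrp holdtime 300",                 # 5 minutes
                "tunnel mode gre multipoint", "tunnel vrf LOCALSP",
                "tunnel protection ipsec profile DMVPNPROFILE"]
    if role == "hub":  # phase 3 hub answers NHRP registrations and sends redirects
        required += ["ip nhrp map multicast dynamic", "ip nhrp redirect"]
    else:              # phase 3 spoke registers with the hub and installs shortcuts
        required += [f"ip nhrp nhs {HUB_TUNNEL_IP}", f"ip nhrp map {HUB_TUNNEL_IP} {HUB_NBMA}",
                     f"ip nhrp map multicast {HUB_NBMA}", "ip nhrp shortcut"]
    findings = [f"Tunnel0: missing '{c}'" for c in required if c not in cmds]
    # 'delay' is entered in tens of microseconds: the task's 10000 us is 'delay 1000'.
    delay = next((int(c.split()[1]) for c in cmds if c.startswith("delay ")), None)
    if delay is None:
        findings.append("Tunnel0: missing 'delay 1000'")
    elif delay * 10 != 10000:
        findings.append(f"Tunnel0: 'delay {delay}' is {delay * 10} us, expected 10000 us")
    # The MSS must fit inside the IP MTU together with 20 bytes of IP and 20 of TCP header.
    mtu = next((int(c.split()[2]) for c in cmds if c.startswith("ip mtu ")), None)
    mss = next((int(c.split()[3]) for c in cmds if c.startswith("ip tcp adjust-mss ")), None)
    if mtu and mss and mss > mtu - 40:
        findings.append(f"Tunnel0: adjust-mss {mss} exceeds ip mtu {mtu} minus 40 header bytes")
    return findings

def audit_crypto(sections):
    findings = []
    isakmp = sections.get("crypto isakmp policy 10", [])
    for c in ("encr aes", "authentication pre-share", "group 2"):  # group 2 is 1024-bit DH
        if c not in isakmp:
            findings.append(f"isakmp policy 10: missing '{c}'")
    keyring = sections.get("crypto keyring CCIE vrf LOCALSP", [])
    if not any(re.fullmatch(r"pre-shared-key address 0\.0\.0\.0( 0\.0\.0\.0)? key CCIE", c)
               for c in keyring):
        findings.append("keyring CCIE in vrf LOCALSP: no wildcard plaintext pre-shared key 'CCIE'")
    if "mode transport" not in sections.get("crypto ipsec transform-set CCIEXFORM esp-aes 128", []):
        findings.append("transform-set CCIEXFORM esp-aes 128 must exist and use transport mode")
    if "set transform-set CCIEXFORM" not in sections.get("crypto ipsec profile DMVPNPROFILE", []):
        findings.append("ipsec profile DMVPNPROFILE must reference transform-set CCIEXFORM")
    return findings

def audit(config_text, role):
    """Return the findings for one router; an empty list means every check passed."""
    sections = parse_sections(config_text)
    tunnel = sections.get("interface Tunnel0")
    head = ["missing 'interface Tunnel0'"] if tunnel is None else audit_tunnel(tunnel, role)
    return head + audit_crypto(sections)

def ios(*blocks):
    """Render (header, [subcommands]) pairs as indented IOS running-config text."""
    return "".join(h + "\n" + "".join(f" {c}\n" for c in cs) for h, cs in blocks)

CRYPTO = [("crypto isakmp policy 10", ["encryption aes", "authentication pre-share", "group 2"]),
          ("crypto keyring CCIE vrf LOCALSP", ["pre-shared-key address 0.0.0.0 key CCIE"]),
          ("crypto ipsec transform-set CCIEXFORM esp-aes 128", ["mode transport"]),
          ("crypto ipsec profile DMVPNPROFILE", ["set transform-set CCIEXFORM"])]
COMMON = ["bandwidth 1000", "delay 1000", "ip mtu 1400", "ip tcp adjust-mss 1360", "no ip redirects",
          "ip nhrp authentication 45678key", "ip nhrp network-id 45678", "ip nhrp holdtime 300",
          "tunnel mode gre multipoint", "tunnel key 45678", "tunnel vrf LOCALSP",
          "tunnel protection ipsec profile DMVPNPROFILE"]
# Constructed R17 config: the page's commands plus 'no ip redirects' for the ICMP-redirect requirement.
HUB_CONFIG = ios(*CRYPTO, ("interface Tunnel0", ["ip address 10.18.19.1 255.255.255.0",
                 "tunnel source 203.3.17.2", "ip nhrp map multicast dynamic", "ip nhrp redirect"] + COMMON))
# Constructed R18 config with two common slips: delay typed in microseconds, ICMP redirects left on.
BAD_SPOKE_CONFIG = ios(*CRYPTO, ("interface Tunnel0", ["ip address 10.18.19.18 255.255.255.0",
                       "tunnel source Serial4/0", "ip nhrp map 10.18.19.1 203.3.17.2",
                       "ip nhrp map multicast 203.3.17.2", "ip nhrp nhs 10.18.19.1", "ip nhrp shortcut"]
                       + [("delay 10000" if c == "delay 1000" else c) for c in COMMON if c != "no ip redirects"]))

if __name__ == "__main__":
    for name, cfg, role in (("R17", HUB_CONFIG, "hub"), ("R18", BAD_SPOKE_CONFIG, "spoke")):
        print(name, audit(cfg, role) or "all requirements met")
```

Run it against `show running-config` output pasted into a string; the checks are deliberately exact-match on the commands the task names, so a hub that lacks `ip nhrp redirect`, or a spoke audited with the wrong role, shows up as a list of missing commands rather than a silent pass.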
