26/6/55

Cisco SSL VPN Configuration

Step 1: Format disk0: so there is space to store the client software

R1# format disk0:

Step 2: Upload the client software (202.1.1.1 = FTP server)

R1# copy ftp://cisco:cisco@202.1.1.1/anyconnect-win-2.4.0202-k9.pkg disk0:/anyconnect-win-2.4.0202-k9.pkg

FTP carries the login and the package in cleartext, and the password typed here stays in the EXEC command history; on a real network copy the package over SCP or SFTP instead.

Step 3: Configure

### AAA configuration, using a username in the local database ###
R1(config)# aaa new-model
R1(config)# aaa authentication login thaiciscoclub.com local
R1(config)# username cisco password cisco
(Lab credentials. Beyond a lab, use the secret form of the username command, which stores a hash instead of a reversible string, and pick a real password.)

### Define the IP pool handed out to clients ###
R1(config)# ip local pool SSLVPNPOOL 192.168.1.10 192.168.1.100

### Install the client software package ###
R1(config)# webvpn install svc disk0:/anyconnect-win-2.4.0202-k9.pkg

### SSL VPN configuration ###

R1(config)# webvpn gateway thaiciscoclub.com
R1(config-webvpn-gateway)# ip address 202.1.1.254 port 443    << address and port the SSL VPN portal listens on
R1(config-webvpn-gateway)# inservice
R1(config-webvpn-gateway)# exit

R1(config)# webvpn context webtext
R1(config-webvpn-context)# ssl authenticate verify all
R1(config-webvpn-context)# policy group SSLVPNWEB

R1(config-webvpn-group)# functions svc-enabled
R1(config-webvpn-group)# banner #SSL-VPN Thaiciscoclub#
R1(config-webvpn-group)# svc address-pool SSLVPNPOOL
R1(config-webvpn-group)# svc split include 1.1.1.0 255.255.255.0   << split tunneling: only traffic for this internal network goes through the tunnel
R1(config-webvpn-group)# svc dns-server primary 1.1.1.10
R1(config-webvpn-group)# svc dns-server secondary 1.1.1.20
R1(config-webvpn-group)# exit

R1(config-webvpn-context)# default-group-policy SSLVPNWEB
R1(config-webvpn-context)# aaa authentication list thaiciscoclub.com
R1(config-webvpn-context)# gateway thaiciscoclub.com
R1(config-webvpn-context)# inservice
R1(config-webvpn-context)# exit


Verify: connect from the client, let it install AnyConnect, then test with a ping to the server.












Mission complete






24/6/55

Any Transport over MPLS (AToM) 

        The service provider builds an L2VPN for a customer whose two ends use different access technologies: one CE attaches over Frame Relay, the other over an Ethernet LAN, and the two are joined at Layer 2 across the MPLS core.
        The PEs are the routers that connect to the customer's CE routers. Per the diagram, once configured CE1 and CE2 can ping each other directly on 192.168.1.0/24. Because the attachment circuits differ, the pseudowire is configured with interworking ip: each PE terminates its own Layer 2 encapsulation and only the IP payload crosses the pseudowire.



Configure: 
Pseudowire VC ID = 123, Frame Relay DLCI = 123, VLAN = 123. Note that the LDP sessions in this lab (including the targeted session between the two PEs) carry no MD5 password; compare the mpls ldp neighbor ... password lines in the PE4/PE7 configuration further down this page.




P (R1)

!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip ospf network point-to-point
!
interface FastEthernet1/0
 ip address 10.1.12.1 255.255.255.0
 mpls ip
!
interface FastEthernet1/1
 ip address 10.1.13.1 255.255.255.0
 mpls ip
!
router ospf 100
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 0
!


PE1 (R2)

!
ip cef
frame-relay switching
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
pseudowire-class atom-eth-fr
 encapsulation mpls
 interworking ip
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf network point-to-point
!
interface FastEthernet1/0
 ip address 10.1.12.2 255.255.255.0
 mpls ip
!
interface Serial2/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clock rate 2016000
 frame-relay intf-type dce
!
router ospf 100
 router-id 2.2.2.2
 passive-interface Serial2/0
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.12.2 0.0.0.0 area 0
!
connect atom Serial2/0 123 l2transport
 xconnect 3.3.3.3 123 pw-class atom-eth-fr
 !
!



PE2 (R3)

!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
pseudowire-class atom-eth-fr
 encapsulation mpls
 interworking ip
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 ip ospf network point-to-point
!
interface FastEthernet1/0
 ip address 10.1.13.3 255.255.255.0
 mpls ip
!
interface FastEthernet1/1
 no ip address
!
interface FastEthernet1/1.123
 encapsulation dot1Q 123
 xconnect 2.2.2.2 123 pw-class atom-eth-fr
!
router ospf 100
 router-id 3.3.3.3
 passive-interface FastEthernet1/1
 network 3.3.3.3 0.0.0.0 area 0
 network 10.1.13.3 0.0.0.0 area 0
!


CE1 (R4)
!

interface Serial0/0
 ip address 192.168.1.4 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 192.168.1.4 123
 frame-relay map ip 192.168.1.5 123 broadcast
 no frame-relay inverse-arp
!


CE2 (R5)
!

interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.123
 encapsulation dot1Q 123
 ip address 192.168.1.5 255.255.255.0
!



Verify:


PE1#sh mpls ldp neighbor
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.19965
        State: Oper; Msgs sent/rcvd: 194/195; Downstream
        Up time: 02:45:00
        LDP discovery sources:
          FastEthernet1/0, Src IP addr: 10.1.12.1
        Addresses bound to peer LDP Ident:
          10.1.12.1       10.1.13.1       1.1.1.1
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 3.3.3.3.53939 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 156/147; Downstream
        Up time: 02:01:10
        LDP discovery sources:
          Targeted Hello 2.2.2.2 -> 3.3.3.3, active, passive
        Addresses bound to peer LDP Ident:
          3.3.3.3         10.1.13.3



PE1#sh mpls l2transport binding 
  Destination Address: 3.3.3.3,  VC ID: 123
    Local Label:  19
        Cbit: 1,    VC Type: IP,    GroupID: 0
        MTU: 1500,   Interface Desc: n/a
        VCCV: CC Type: CW [1], RA [2]
              CV Type: LSPV [2]
    Remote Label: 19
        Cbit: 1,    VC Type: IP,    GroupID: 0
        MTU: 1500,   Interface Desc: n/a
        VCCV: CC Type: CW [1], RA [2]
              CV Type: LSPV [2]


PE1#sh mpls l2transport vc 

Local intf     Local circuit              Dest address    VC ID      Status  
-------------  -------------------------- --------------- ---------- ----------
Se2/0          FR DLCI 123                3.3.3.3         123        UP         


PE2#sh mpls l2transport vc

Local intf     Local circuit              Dest address    VC ID      Status  
-------------  -------------------------- --------------- ---------- ----------
Fa1/1.123      Eth VLAN 123               2.2.2.2         123        UP      





CE1 and CE2 can now ping each other on 192.168.1.0/24!
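Added example, not part of the original post: a small Python checker that parses the show mpls l2transport binding output above and reports why a pseudowire would fail to come up. The local and remote VC parameters (VC type, MTU, control word) must agree or the VC stays down, which is the first thing to check when show mpls l2transport vc reports DOWN even though the LDP sessions are up. The sample inputs are constructed: the first is PE1's output copied from above, the other two are made-up failure cases (an MTU/control-word mismatch, and a far end that has not signaled a label).

```python
import re

# Constructed sample 1: PE1's "show mpls l2transport binding" output copied from this page.
BINDING_OK = """\
  Destination Address: 3.3.3.3,  VC ID: 123
    Local Label:  19
        Cbit: 1,    VC Type: IP,    GroupID: 0
        MTU: 1500,   Interface Desc: n/a
        VCCV: CC Type: CW [1], RA [2]
              CV Type: LSPV [2]
    Remote Label: 19
        Cbit: 1,    VC Type: IP,    GroupID: 0
        MTU: 1500,   Interface Desc: n/a
        VCCV: CC Type: CW [1], RA [2]
              CV Type: LSPV [2]
"""

# Constructed sample 2: the far PE signals a different MTU and no control word.
BINDING_BAD = """\
  Destination Address: 3.3.3.3,  VC ID: 123
    Local Label:  19
        Cbit: 1,    VC Type: IP,    GroupID: 0
        MTU: 1500,   Interface Desc: n/a
    Remote Label: 21
        Cbit: 0,    VC Type: IP,    GroupID: 0
        MTU: 1504,   Interface Desc: n/a
"""

# Constructed sample 3: the far PE has not signaled (xconnect missing there, or the
# targeted LDP session is down).
BINDING_NO_REMOTE = """\
  Destination Address: 3.3.3.3,  VC ID: 123
    Local Label:  19
        Cbit: 1,    VC Type: IP,    GroupID: 0
        MTU: 1500,   Interface Desc: n/a
    Remote Label: unassigned
"""

HEAD_RE = re.compile(r"Destination Address:\s*(\S+),\s*VC ID:\s*(\d+)")
SIDE_RE = re.compile(r"^\s*(Local|Remote) Label:\s*(\S+)")
ATTR_RE = re.compile(r"Cbit:\s*(\d+),\s*VC Type:\s*(\S+),\s*GroupID:\s*(\d+)")
MTU_RE = re.compile(r"MTU:\s*(\d+),")


def parse_binding(text):
    """Parse one pseudowire entry into {'dest', 'vcid', 'local': {...}, 'remote': {...}}."""
    entry = {"dest": None, "vcid": None, "local": {}, "remote": {}}
    side = None
    for line in text.splitlines():
        m = HEAD_RE.search(line)
        if m:
            entry["dest"], entry["vcid"] = m.group(1), int(m.group(2))
            continue
        m = SIDE_RE.match(line)
        if m:
            # "Local Label:" / "Remote Label:" starts a new side; the label may be a
            # number or a word such as "unassigned" when nothing was signaled yet.
            side = m.group(1).lower()
            label = m.group(2)
            entry[side]["label"] = int(label) if label.isdigit() else None
            continue
        if side is None:
            continue
        m = ATTR_RE.search(line)
        if m:
            entry[side]["cbit"] = int(m.group(1))
            entry[side]["vc_type"] = m.group(2)
            entry[side]["group_id"] = int(m.group(3))
        m = MTU_RE.search(line)
        if m:
            entry[side]["mtu"] = int(m.group(1))
    return entry


def check_pseudowire(entry):
    """Return the reasons this VC cannot come up; an empty list means both sides agree."""
    local, remote = entry["local"], entry["remote"]
    if remote.get("label") is None:
        return ["no remote label: far-end xconnect missing or targeted LDP session down"]
    problems = []
    for key, name in (("vc_type", "VC type"), ("mtu", "MTU"), ("cbit", "control word (Cbit)")):
        if local.get(key) != remote.get(key):
            problems.append(f"{name} mismatch: local={local.get(key)} remote={remote.get(key)}")
    return problems


if __name__ == "__main__":
    for label, text in (("ok", BINDING_OK), ("bad", BINDING_BAD), ("no-remote", BINDING_NO_REMOTE)):
        print(label, check_pseudowire(parse_binding(text)) or "parameters agree")
```

Feed it the output of both PEs: a mismatch is reported from either side, and a one-sided "no remote label" usually means the xconnect on the other PE points at the wrong loopback or VC ID.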








30/5/55


INTER-AS option C {Multihop eBGP between RR} IPv4+labels




                R7 and R8 belong to the same customer but sit at different sites: R7 is attached to provider AS100 and R8 to provider AS200. The customer wants R7 and R8 in one Layer 3 MPLS VPN, with RIPv2 running between each CE and its PE.

               The two providers therefore have to interconnect their MPLS VPNs (Inter-AS). There are several ways to do it, options A, B, AB and C; this example uses option C, which keeps an end-to-end label-switched path between the PEs across the AS boundary: the ASBRs exchange the PE and RR loopbacks with labels over eBGP (IPv4+labels), and the route reflectors of the two ASes exchange VPNv4 routes over a multihop eBGP session. In practice providers usually pick option A, which is more secure (each provider sees only the other's VRF-facing interface, never its infrastructure addresses) and less complicated. I did option C because it looks more advanced and forwards packets more efficiently, since the ASBRs hold no VPN routes... or so I tell myself, haha.

               With option C each ASBR should advertise only the loopbacks the other provider needs (here 3.3.3.3 and 5.5.5.5 from AS100, 4.4.4.4 and 6.6.6.6 from AS200) and filter what it accepts in return. The network statements below do the first part; inbound filtering is left out of this lab.


R1: ----------------------------------------------------------------------------

!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/0
 ip address 10.1.3.1 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 redistribute bgp 100 subnets
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.3.1 0.0.0.0 area 0
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 192.168.1.2 remote-as 200
 !
 address-family ipv4
 neighbor 192.168.1.2 activate
 neighbor 192.168.1.2 send-label
 no auto-summary
 no synchronization
 network 3.3.3.3 mask 255.255.255.255
 network 5.5.5.5 mask 255.255.255.255
 exit-address-family
!
no ip http server
no ip http secure-server
!
mpls ldp router-id Loopback0
!


R2: ----------------------------------------------------------------------------

!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/0
 ip address 10.2.4.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 200
 router-id 2.2.2.2
 log-adjacency-changes
 redistribute bgp 200 subnets
 network 2.2.2.2 0.0.0.0 area 0
 network 10.2.4.2 0.0.0.0 area 0
!
router bgp 200
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 192.168.1.1 remote-as 100
 !
 address-family ipv4
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 send-label
 no auto-summary
 no synchronization
 network 4.4.4.4 mask 255.255.255.255
 network 6.6.6.6 mask 255.255.255.255
 exit-address-family
!
mpls ldp router-id Loopback0
!


R3: ----------------------------------------------------------------------------

!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.3.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/0
 ip address 10.3.5.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 100
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 10.1.3.3 0.0.0.0 area 0
 network 10.3.5.3 0.0.0.0 area 0
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor rr_client peer-group
 neighbor rr_client remote-as 100
 neighbor rr_client update-source Loopback0
 neighbor 4.4.4.4 remote-as 200
 neighbor 4.4.4.4 ebgp-multihop 255
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 5.5.5.5 peer-group rr_client
 !
 address-family vpnv4
 neighbor rr_client send-community extended
 neighbor rr_client route-reflector-client
 neighbor 4.4.4.4 activate
 neighbor 4.4.4.4 send-community extended
 neighbor 4.4.4.4 next-hop-unchanged
 neighbor 5.5.5.5 activate
 exit-address-family
!
mpls ldp router-id Loopback0
!

R4: ----------------------------------------------------------------------------

!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.2.4.4 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/0
 ip address 10.4.6.4 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 200
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 10.2.4.4 0.0.0.0 area 0
 network 10.4.6.4 0.0.0.0 area 0
!
router bgp 200
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor rr_client peer-group
 neighbor rr_client remote-as 200
 neighbor rr_client update-source Loopback0
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 ebgp-multihop 255
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 6.6.6.6 peer-group rr_client
 !
 address-family vpnv4
 neighbor rr_client send-community extended
 neighbor rr_client route-reflector-client
 neighbor 3.3.3.3 activate
 neighbor 3.3.3.3 send-community extended
 neighbor 3.3.3.3 next-hop-unchanged
 neighbor 6.6.6.6 activate
 exit-address-family
!
mpls ldp router-id Loopback0
!

R5: ----------------------------------------------------------------------------

!
ip cef
!
ip vrf A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 route-target import 200:2
!
mpls label protocol ldp
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.3.5.5 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface Serial1/0
 ip vrf forwarding A
 ip address 192.168.1.1 255.255.255.252
 serial restart-delay 0
 !
router ospf 100
 router-id 5.5.5.5
 log-adjacency-changes
 network 5.5.5.5 0.0.0.0 area 0
 network 10.3.5.5 0.0.0.0 area 0
!
router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf A
 redistribute bgp 100 metric 10
 network 192.168.1.0
 no auto-summary
 version 2
 exit-address-family
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
 neighbor 3.3.3.3 activate
 neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf A
 redistribute rip
 no synchronization
 exit-address-family
!
mpls ldp router-id Loopback0
!

R6: ----------------------------------------------------------------------------

!
ip cef
!
ip vrf A
 rd 200:2
 route-target export 200:2
 route-target import 200:2
 route-target import 100:1
!
mpls label protocol ldp
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.4.6.6 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface Serial1/0
 ip vrf forwarding A
 ip address 192.168.1.5 255.255.255.252
 serial restart-delay 0
!
router ospf 200
 router-id 6.6.6.6
 log-adjacency-changes
 network 6.6.6.6 0.0.0.0 area 0
 network 10.4.6.6 0.0.0.0 area 0
!
router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf A
 redistribute bgp 200 metric 10
 network 192.168.1.0
 no auto-summary
 version 2
 exit-address-family
!
router bgp 200
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 200
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
 neighbor 4.4.4.4 activate
 neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf A
 redistribute rip
 no synchronization
 exit-address-family
!
mpls ldp router-id Loopback0
!

R7: ----------------------------------------------------------------------------

!
interface Loopback0
 ip address 7.7.7.7 255.255.255.0
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
 serial restart-delay 0
!
router rip
 version 2
 network 7.0.0.0
 network 192.168.1.0
 no auto-summary
!

R8: ----------------------------------------------------------------------------

!
interface Loopback0
 ip address 8.8.8.8 255.255.255.0
!
interface Serial0/0
 ip address 192.168.1.6 255.255.255.252
 serial restart-delay 0
!
router rip
 version 2
 network 8.0.0.0
 network 192.168.1.0
 no auto-summary
!
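Added example, not part of the original post: with two providers involved, the usual reason a VPN route from AS200 never appears in the AS100 VRF is a route target that one side exports and nobody imports (or the reverse), and in option C the import list is also the trust boundary for what the other provider's PEs can inject into your VRF. This Python snippet parses the ip vrf stanzas of several PE configs and cross-checks import/export RTs, including one-way visibility. R5 and R6 are copied from the configs above; R9 is a constructed third PE with a mistyped import RT (200:22 instead of 200:2) to show what a detection looks like. It also handles route-target both, which the page's configs do not use.

```python
import re
from collections import defaultdict

# Sample inputs: the ip vrf stanzas of R5 (AS100) and R6 (AS200) copied from the configs
# above, plus a constructed third PE "R9" whose import RT is mistyped (200:22 for 200:2).
CONFIGS = {
    "R5": """\
ip vrf A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 route-target import 200:2
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
""",
    "R6": """\
ip vrf A
 rd 200:2
 route-target export 200:2
 route-target import 200:2
 route-target import 100:1
!
""",
    "R9": """\
ip vrf A
 rd 100:9
 route-target both 100:1
 route-target import 200:22
!
""",
}

VRF_RE = re.compile(r"^ip vrf (\S+)$")
RD_RE = re.compile(r"^ rd (\S+)$")
RT_RE = re.compile(r"^ route-target (export|import|both) (\S+)$")


def parse_vrfs(config):
    """Return {vrf: {'rd', 'import', 'export'}} from the ip vrf stanzas of one IOS config."""
    vrfs, cur = {}, None
    for line in config.splitlines():
        m = VRF_RE.match(line)
        if m:
            cur = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        if cur is None:
            continue
        if not line.startswith(" "):
            cur = None  # left the stanza: sub-commands are indented by one space
            continue
        m = RD_RE.match(line)
        if m:
            cur["rd"] = m.group(1)
        m = RT_RE.match(line)
        if m:
            kind, rt = m.groups()
            if kind != "import":   # export or both
                cur["export"].add(rt)
            if kind != "export":   # import or both
                cur["import"].add(rt)
    return vrfs


def analyze(configs):
    """Cross-check route targets over several PEs.

    Returns (peers, findings): peers maps (router, vrf) to the set of (router, vrf)
    it receives routes from; findings lists dangling RTs and one-way visibility.
    """
    vrfs = {(r, n): v for r, cfg in configs.items() for n, v in parse_vrfs(cfg).items()}
    exporters, importers = defaultdict(set), defaultdict(set)
    for key, v in vrfs.items():
        for rt in v["export"]:
            exporters[rt].add(key)
        for rt in v["import"]:
            importers[rt].add(key)
    peers, findings = {}, []
    for key, v in vrfs.items():
        peers[key] = set()
        for rt in v["import"]:
            if rt not in exporters:
                findings.append(f"{key[0]} vrf {key[1]}: imports {rt} but no PE exports it")
            peers[key] |= exporters.get(rt, set()) - {key}
        for rt in v["export"]:
            if not importers.get(rt, set()) - {key}:
                findings.append(f"{key[0]} vrf {key[1]}: exports {rt} but no other PE imports it")
    # A learns from B but B never learns from A: traffic will only flow one way.
    for a, srcs in peers.items():
        for b in srcs:
            if a not in peers[b]:
                findings.append(f"one-way: {a[0]}/{a[1]} learns from {b[0]}/{b[1]} but not vice versa")
    return peers, sorted(findings)


if __name__ == "__main__":
    peers, findings = analyze(CONFIGS)
    for key in sorted(peers):
        print(key, "receives routes from", sorted(peers[key]))
    for f in findings:
        print("finding:", f)
```

Run it against the page's two PEs only (R5 and R6) and it reports no findings with each VRF learning from the other; add R9 and it flags both the dangling import and the resulting one-way visibility between R6 and R9.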








18/5/55

การ Bridging Ethernet over an IP network using DLSw+



    The customer has an existing network cloud and a problem between two sites: the two sites need to see each other's internal LAN as one and the same subnet, because an application they bought requires it.


   And the customer does not want to add any hardware or change any routing at all. T__T


For a new network I would normally recommend an MPLS Layer 2 VPN, which is far more flexible for the future; in this case we fall back on a basic command the world has forgotten.




Only the parts that have to change are shown below.

Router-A
!
bridge irb
bridge 1 protocol ieee
!
interface FastEthernet0/1
 description Link to lan 192.168.2.20/24
 no ip address
 bridge-group 1
!
dlsw local-peer peer-id 172.16.32.2
dlsw remote-peer 0 tcp 172.16.33.2
dlsw bridge-group 1
!

Router-B
!
bridge irb
bridge 1 protocol ieee
!
interface FastEthernet0/1
 description Link to lan 192.168.2.22/24
 no ip address
 bridge-group 1
!
dlsw local-peer peer-id 172.16.33.2
dlsw remote-peer 0 tcp 172.16.32.2
dlsw bridge-group 1
!

Verify: test with a ping across the bridged segment. It works.

P.S. DLSw+ carries the bridged frames over a plain TCP session between the peers with no authentication or encryption; if that matters, carry the peer traffic inside an IPsec tunnel. A GRE tunnel on its own only encapsulates and adds no security. (Either way, I would not recommend this design for a real production network.)

Next article: meet a stingy customer, haha: two routers (Active/Standby) used to build an Extranet Zone for external networks.


21/1/55

CE routers of the IPsec SSO tunnel-protection project

Configure IPSEC-R1 and IPSEC-R2 to provide Stateful Switchover (SSO) for IPsec in tunnel-protection mode: the pair shares the HSRP address 172.16.1.4 as the tunnel source, and the active router replicates IKE and IPsec SA state to the standby over the SCTP association configured under ipc zone default. Nothing in that association authenticates or encrypts the replicated state, so in a real deployment keep it on a dedicated link between the two routers rather than the shared outside segment used here.
Note: EIGRP is used to steer the routes over the tunnel.


SSO-IPSEC-R1 ************************************************
!
class-map match-all ICMP
match access-group name MATCH_ICMP
class-map match-all GRE
match access-group name MATCH_GRE
!
policy-map Test_Match_Policy_Only
class ICMP
class GRE
!
redundancy inter-device
scheme standby HA-out
!
redundancy
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 172.16.1.2
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 172.16.1.3
!
ip cef
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key cisco123 address 172.16.1.10 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile sso-secure
set transform-set trans1
redundancy HA-out stateful
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
ip address 1.1.2.1 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel source 172.16.1.4
tunnel destination 172.16.1.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile sso-secure
qos pre-classify
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 1 ip 172.16.1.4
standby 1 priority 120
standby 1 preempt
standby 1 name HA-out
standby 1 track FastEthernet0/1 30
standby 1 authentication md5 key-string 24991
service-policy output Test_Match_Policy_Only
!
interface FastEthernet0/1
ip address 172.16.1.17 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 2 ip 172.16.1.19
standby 2 priority 120
standby 2 preempt
standby 2 name HA-in
standby 2 authentication md5 key-string 24991
standby 2 track FastEthernet0/0 30
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 172.16.1.17 0.0.0.0
no auto-summary
!
router ospf 10
router-id 1.1.2.1
log-adjacency-changes
network 172.16.1.2 0.0.0.0 area 0
!
!
ip access-list extended MATCH_GRE
permit gre any any
ip access-list extended MATCH_ICMP
permit icmp any any
!
!


SSO-IPSEC-2 ************************************************
!
class-map match-all ICMP
match access-group name MATCH_ICMP
class-map match-all GRE
match access-group name MATCH_GRE
!
policy-map Test_Match_Policy_Only
class ICMP
class GRE
!
redundancy inter-device
scheme standby HA-out
!
redundancy
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 172.16.1.3
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 172.16.1.2
!
ip cef
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key cisco123 address 172.16.1.10 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile sso-secure
set transform-set trans1
redundancy HA-out stateful
!
interface Loopback0
ip address 1.1.1.2 255.255.255.0
!
interface Loopback1
ip address 1.1.2.2 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel source 172.16.1.4
tunnel destination 172.16.1.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile sso-secure
qos pre-classify
!
interface FastEthernet0/0
ip address 172.16.1.3 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 1 ip 172.16.1.4
standby 1 preempt
standby 1 name HA-out
standby 1 authentication md5 key-string 24991
service-policy output Test_Match_Policy_Only
!
interface FastEthernet0/1
ip address 172.16.1.18 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 2 ip 172.16.1.19
standby 2 preempt
standby 2 name HA-in
standby 2 authentication md5 key-string 24991
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 172.16.1.18 0.0.0.0
no auto-summary
!
router ospf 10
router-id 1.1.2.2
log-adjacency-changes
network 172.16.1.3 0.0.0.0 area 0
!
!
ip access-list extended MATCH_GRE
permit gre any any
ip access-list extended MATCH_ICMP
permit icmp any any
!
!

################################################
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto isakmp policy
debug crypto ha
debug crypto isakmp ha
debug crypto ipsec ha
show redundancy inter-device
show redundancy states
################################################


REMOTE-IPSEC-2  (IPSEC-R3) ************************************************
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
hash md5
group 2
lifetime 120
!
crypto isakmp key cisco123 address 172.16.1.4 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile sso-secure
set transform-set trans1
!
interface FastEthernet0/0
ip address 172.16.1.10 255.255.255.248
!
interface FastEthernet0/1
ip address 172.16.1.25 255.255.255.248
no shutdown
!
interface Loopback0
ip address 1.1.1.3 255.255.255.0
!
interface Loopback1
ip address 1.1.2.3 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel source 172.16.1.10
tunnel destination 172.16.1.4
tunnel protection ipsec profile sso-secure
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 172.16.1.25 0.0.0.0
no auto-summary
!
router ospf 10
router-id 1.1.2.3
log-adjacency-changes
network 172.16.1.10 0.0.0.0 area 0
!

PE routers of the IPsec SSO tunnel-protection project

Continuing from LAB 1: on the CE side the customer wants IPsec tunnel protection between the PE4 and PE7 sites. First PE4 and PE7 are configured to build the MPLS VPN between the two sites (VRF IPSEC, with an OSPF sham-link so the CE-facing OSPF areas on both sides see each other as intra-area); the CE routers are configured after that.

MPLS-PE-4 ************************************************
hostname PE4
!
ip cef
!
ip vrf IPSEC
rd 100:2
route-target export 100:2
route-target import 100:2
!
mpls label protocol ldp
mpls ldp neighbor 10.1.1.11 password cisco
mpls ldp neighbor 10.1.1.22 password cisco
!
interface Loopback0
ip address 10.1.1.4 255.255.255.255
!
interface Loopback100
description # For sham-link vrf IPSEC #
ip vrf forwarding IPSEC
ip address 10.10.10.4 255.255.255.255
!
interface Ethernet1/0
description # To P1 e1/3 #
ip address 192.168.1.14 255.255.255.252
ip ospf message-digest-key 1 md5 cisco
half-duplex
mpls ip
!
interface Ethernet1/1
description # To P2 e1/3 #
ip address 192.168.1.46 255.255.255.252
ip ospf message-digest-key 1 md5 cisco
half-duplex
mpls ip
!
interface Ethernet1/2
description # To SW IPSEC R1-R2 #
ip vrf forwarding IPSEC
ip address 172.16.1.1 255.255.255.248
half-duplex
!
router ospf 10 vrf IPSEC
router-id 10.10.10.4
log-adjacency-changes
area 0 sham-link 10.10.10.4 10.10.10.7
redistribute bgp 100 subnets
network 172.16.1.1 0.0.0.0 area 0
!
router ospf 1
router-id 10.1.1.4
log-adjacency-changes
max-metric router-lsa on-startup wait-for-bgp
max-metric router-lsa on-startup 360
timers throttle lsa all 0 20 5000
timers lsa arrival 15
timers pacing flood 15
timers throttle spf 50 50 5000
ispf
area 0 authentication message-digest
network 10.1.1.4 0.0.0.0 area 0
network 192.168.1.14 0.0.0.0 area 0
network 192.168.1.46 0.0.0.0 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 10.1.1.11 remote-as 100
neighbor 10.1.1.11 password cisco
neighbor 10.1.1.11 update-source Loopback0
neighbor 10.1.1.22 remote-as 100
neighbor 10.1.1.22 password cisco
neighbor 10.1.1.22 update-source Loopback0
!
address-family ipv4
neighbor 10.1.1.11 activate
neighbor 10.1.1.11 send-community
neighbor 10.1.1.22 activate
neighbor 10.1.1.22 send-community
no auto-summary
no synchronization
network 10.1.1.4 mask 255.255.255.255
exit-address-family
!
address-family vpnv4
neighbor 10.1.1.11 activate
neighbor 10.1.1.11 send-community extended
neighbor 10.1.1.22 activate
neighbor 10.1.1.22 send-community extended
exit-address-family
!
address-family ipv4 vrf IPSEC
redistribute ospf 10 vrf IPSEC match internal external 1 external 2
no synchronization
network 10.10.10.4 mask 255.255.255.255
exit-address-family
!
mpls ldp router-id Loopback0 force
!
MPLS-PE-7 ************************************************
hostname PE7
!
ip cef
!
ip vrf IPSEC
rd 100:2
route-target export 100:2
route-target import 100:2
!
mpls label protocol ldp
mpls ldp neighbor 10.1.1.11 password cisco
mpls ldp neighbor 10.1.1.22 password cisco
!
interface Loopback0
ip address 10.1.1.7 255.255.255.255
!
interface Loopback100
description # For sham-link vrf IPSEC #
ip vrf forwarding IPSEC
ip address 10.10.10.7 255.255.255.255
!
interface Ethernet1/0
description # To P1 e2/1 #
ip address 192.168.1.22 255.255.255.252
ip ospf message-digest-key 1 md5 cisco
half-duplex
mpls ip
!
interface Ethernet1/1
description # To P2 e2/1 #
ip address 192.168.1.54 255.255.255.252
ip ospf message-digest-key 1 md5 cisco
half-duplex
mpls ip
!
interface Ethernet1/2
description # To SW IPSEC R3 #
ip vrf forwarding IPSEC
ip address 172.16.1.9 255.255.255.248
half-duplex
!
router ospf 10 vrf IPSEC
router-id 10.10.10.7
log-adjacency-changes
area 0 sham-link 10.10.10.7 10.10.10.4
redistribute bgp 100 subnets
network 172.16.1.9 0.0.0.0 area 0
!
router ospf 1
router-id 10.1.1.7
log-adjacency-changes
max-metric router-lsa on-startup wait-for-bgp
max-metric router-lsa on-startup 360
timers throttle lsa all 0 20 5000
timers lsa arrival 15
timers pacing flood 15
timers throttle spf 50 50 5000
ispf
area 0 authentication message-digest
network 10.1.1.7 0.0.0.0 area 0
network 192.168.1.22 0.0.0.0 area 0
network 192.168.1.54 0.0.0.0 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 10.1.1.11 remote-as 100
neighbor 10.1.1.11 password cisco
neighbor 10.1.1.11 update-source Loopback0
neighbor 10.1.1.22 remote-as 100
neighbor 10.1.1.22 password cisco
neighbor 10.1.1.22 update-source Loopback0
!
address-family ipv4
neighbor 10.1.1.11 activate
neighbor 10.1.1.11 send-community
neighbor 10.1.1.22 activate
neighbor 10.1.1.22 send-community
no auto-summary
no synchronization
network 10.1.1.7 mask 255.255.255.255
exit-address-family
!
address-family vpnv4
neighbor 10.1.1.11 activate
neighbor 10.1.1.11 send-community extended
neighbor 10.1.1.22 activate
neighbor 10.1.1.22 send-community extended
exit-address-family
!
address-family ipv4 vrf IPSEC
redistribute ospf 10 vrf IPSEC match internal external 1 external 2
no synchronization
network 10.10.10.7 mask 255.255.255.255
exit-address-family
!
mpls ldp router-id Loopback0 force
!

CE routers of the DMVPN customer project.

Configuration for the CEs per the LAB 1 diagram.


The customer uses R1 and R2 as DMVPN hubs and R3 and R4 as spokes. The hubs are redundant, each fronting its own DMVPN cloud (NHRP network-id and tunnel key 1000 on R1, 1001 on R2), and every spoke builds a tunnel to both. The example also applies per-spoke QoS on the DMVPN (spokes announce NHRP group EAST or WEST, which the hubs map to the shaping policies EAST_QOS and WEST_QOS) and control-plane policing on the hubs.

Two things to check before reusing the crypto part: crypto isakmp policy 7 sets no DH group, so IKE falls back to the classic-IOS default of group 1 (768-bit MODP); and the pre-shared key is bound to address 0.0.0.0 0.0.0.0, so any peer that learns the key can start an IKE negotiation with the hubs. That is fine for a lab; a production DMVPN should set the group to 14 or higher and, where the spoke addresses are known, key per peer.




R1-DMVPN (Hub)

!
class-map match-all CPP
    match access-group name CPP
!
class-map match-all PRIORITY
   match ip dscp af43
!
policy-map PRIORITY_QOS
   class PRIORITY
      priority 512
!
policy-map WEST_QOS
   class class-default
      shape average 1000000
!
policy-map EAST_QOS
   class class-default
      shape average 1000000
      service-policy PRIORITY_QOS
!
policy-map CPP
   class CPP
      police rate 10000000 conform-action transmit exceed-action drop violate-action drop
!
crypto isakmp policy 7
encr aes
authentication pre-share
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set dmvpn_base esp-aes esp-sha-hmac
   mode transport
!
crypto ipsec profile DMVPN
   set transform-set dmvpn_base
!
interface Tunnel1
desc # DMVPN Tunnel #
ip address 100.1.1.1 255.255.255.0
no ip redirects
ip mtu 1428
no ip next-hop-self eigrp 10
ip nhrp authentication thaiciscoclub
ip nhrp map multicast dynamic
ip nhrp network-id 1000
ip nhrp holdtime 550
no ip split-horizon eigrp 10
delay 1000
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1000
tunnel protection ipsec profile DMVPN
ip nhrp map group EAST service-policy output EAST_QOS
ip nhrp map group WEST service-policy output WEST_QOS
!
interface Ethernet0/0
desc # Interface CE to PE #
ip address 10.1.1.2 255.255.255.252
!
interface Ethernet0/1
desc # Internal interface #
ip address 10.1.2.2 255.255.255.0
standby 1 ip 10.1.2.1
standby 1 timers msec 200 msec 600
standby 1 priority 120
standby 1 preempt delay minimum 180
standby 1 name dmvpn
standby 1 track Ethernet0/0 30
standby 1 authentication md5 key-string 24991
!
router eigrp 10
variance 4
network 10.1.2.0 0.0.0.255
network 100.1.1.0 0.0.0.255
no auto-summary
!
router ospf 10
log-adjacency-changes
network 10.1.1.2 0.0.0.0 area 0
!
ip access-list extended CPP
permit ospf any any
permit eigrp any any
permit icmp any any
!
control-plane
service-policy input CPP
!
!


R2-DMVPN (Hub)


!
class-map match-all CPP
match access-group name CPP
!
class-map match-all PRIORITY
match ip dscp af43
!
policy-map PRIORITY_QOS
class PRIORITY
priority 512
!
policy-map WEST_QOS
class class-default
shape average 1000000
!
policy-map EAST_QOS
class class-default
shape average 1000000
service-policy PRIORITY_QOS
!
policy-map CPP
class CPP
police rate 10000000 conform-action transmit exceed-action drop violate-action drop
!
crypto isakmp policy 7
encr aes
authentication pre-share
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set dmvpn_base esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set dmvpn_base
!
interface Tunnel1
desc # DMVPN Tunnel #
ip address 100.1.2.1 255.255.255.0
no ip redirects
ip mtu 1428
no ip next-hop-self eigrp 10
ip nhrp authentication thaiciscoclub
ip nhrp map multicast dynamic
ip nhrp network-id 1001
ip nhrp holdtime 600
no ip split-horizon eigrp 10
delay 1000
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1001
tunnel protection ipsec profile DMVPN
ip nhrp map group EAST service-policy output EAST_QOS
ip nhrp map group WEST service-policy output WEST_QOS
!
interface Ethernet0/0
desc # Interface CE to PE #
ip address 10.1.1.6 255.255.255.252
!
interface Ethernet0/1
desc # Internal interface #
ip address 10.1.2.3 255.255.255.0
standby 1 ip 10.1.2.1
standby 1 timers msec 200 msec 600
standby 1 preempt delay minimum 180
standby 1 name dmvpn
standby 1 authentication md5 key-string 24991
!
router eigrp 10
variance 4
network 10.1.2.0 0.0.0.255
network 100.1.2.0 0.0.0.255
no auto-summary
!
router ospf 10
log-adjacency-changes
network 10.1.1.6 0.0.0.0 area 0
!
ip access-list extended CPP
permit ospf any any
permit eigrp any any
permit icmp any any
!
control-plane
service-policy input CPP
!


R3-DMVPN   (DMVPN-SPOKE (EAST SITE))
!
crypto isakmp policy 7
encr aes
authentication pre-share
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set dmvpn_base esp-aes esp-sha-hmac
!
crypto ipsec profile DMVPN
set transform-set dmvpn_base
!
interface Tunnel1
description to HUB-1
ip address 100.1.1.3 255.255.255.0
ip mtu 1428
ip nhrp authentication thaiciscoclub
ip nhrp map multicast 10.1.1.2
ip nhrp map 100.1.1.1 10.1.1.2
ip nhrp network-id 1000
ip nhrp holdtime 300
ip nhrp nhs 100.1.1.1
tunnel source Ethernet0/0
tunnel destination 10.1.1.2
tunnel key 1000
tunnel protection ipsec profile DMVPN
ip nhrp group EAST
!
interface Tunnel2
description to HUB-2
ip address 100.1.2.3 255.255.255.0
no ip redirects
ip mtu 1428
ip nhrp authentication thaiciscoclub
ip nhrp map multicast 10.1.1.6
ip nhrp map 100.1.2.1 10.1.1.6
ip nhrp network-id 1001
ip nhrp holdtime 300
ip nhrp nhs 100.1.2.1
delay 1000
tunnel source Ethernet0/0
tunnel destination 10.1.1.6
tunnel key 1001
tunnel protection ipsec profile DMVPN
ip nhrp group EAST
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.252
!
interface Ethernet0/1
ip address 10.3.3.1 255.255.255.0
!
router eigrp 10
variance 4
network 10.3.3.0 0.0.0.255
network 100.1.1.0 0.0.0.255
network 100.1.2.0 0.0.0.255
no auto-summary
!
router ospf 10
log-adjacency-changes
network 10.1.1.10 0.0.0.0 area 0
!
!


R4-DMVPN  (DMVPN-SPOKE (WEST SITE))

!
crypto isakmp policy 7
encr aes
authentication pre-share
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set dmvpn_base esp-aes esp-sha-hmac
!
crypto ipsec profile DMVPN
set transform-set dmvpn_base
!
interface Tunnel1
description to HUB-1
ip address 100.1.1.4 255.255.255.0
ip mtu 1428
ip nhrp authentication thaiciscoclub
ip nhrp map multicast 10.1.1.2
ip nhrp map 100.1.1.1 10.1.1.2
ip nhrp network-id 1000
ip nhrp holdtime 300
ip nhrp nhs 100.1.1.1
tunnel source Ethernet0/0
tunnel destination 10.1.1.2
tunnel key 1000
tunnel protection ipsec profile DMVPN
ip nhrp group WEST
!
interface Tunnel2
description to HUB-2
ip address 100.1.2.4 255.255.255.0
no ip redirects
ip mtu 1428
ip nhrp authentication thaiciscoclub
ip nhrp map multicast 10.1.1.6
ip nhrp map 100.1.2.1 10.1.1.6
ip nhrp network-id 1001
ip nhrp holdtime 300
ip nhrp nhs 100.1.2.1
delay 1000
tunnel source Ethernet0/0
tunnel destination 10.1.1.6
tunnel key 1001
tunnel protection ipsec profile DMVPN
ip nhrp group WEST
!
interface Ethernet0/0
ip address 10.1.1.14 255.255.255.252
!
interface Ethernet0/1
ip address 10.4.4.1 255.255.255.0
!
router eigrp 10
variance 4
network 10.4.4.0 0.0.0.255
network 100.1.1.0 0.0.0.255
network 100.1.2.0 0.0.0.255
no auto-summary
!
router ospf 10
log-adjacency-changes
network 10.1.1.14 0.0.0.0 area 0
!


##################################################################################
show dmvpn detail
show ip nhrp group-map
show policy-map multipoint
show crypto ipsec sa
show crypto isakmp sa
##################################################################################
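Added example, not part of the original posts: a Python audit over the kinds of settings the configs on this page contain (the username ... password line in the SSL VPN post, crypto isakmp policy 10 from the IPsec SSO post, crypto isakmp policy 7 and the wildcard pre-shared key from the DMVPN post, plus HSRP groups and BGP neighbors). It applies the classic-IOS defaults that matter for ISAKMP (no encr means DES, no hash means SHA-1, no group means DH group 1) and flags the weak values. The sample config is constructed from lines of this page plus one hardened policy (policy 5) for contrast; it is not a complete running-config, and the weak/strong thresholds are this example's own.

```python
import re

# Constructed sample: lines lifted from the configs on this page (SSL VPN, IPsec SSO, DMVPN)
# plus a hardened ISAKMP policy 5 for contrast. Not a complete router configuration.
SAMPLE_CONFIG = """\
username cisco password cisco
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 7
 encr aes
 authentication pre-share
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp key cisco123 address 172.16.1.10 no-xauth
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.248
 standby 1 ip 172.16.1.4
 standby 1 authentication md5 key-string 24991
interface Ethernet0/1
 ip address 10.1.2.2 255.255.255.0
 standby 1 ip 10.1.2.1
router bgp 100
 neighbor 10.1.1.11 remote-as 100
 neighbor 10.1.1.11 password cisco
 neighbor 192.168.1.2 remote-as 200
"""

WEAK_ENCR = {"des", "3des"}      # DES is broken; 3DES has a 64-bit block and is deprecated
WEAK_HASH = {"md5"}
WEAK_GROUP = {"1", "2", "5"}     # MODP groups below 2048 bits
WILDCARD = "address 0.0.0.0 0.0.0.0"


def stanzas(config):
    """Yield (header, [sub-commands]) for each top-level IOS line and its indented children."""
    header, children = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
        header, children = line.strip(), []
    if header is not None:
        yield header, children


def audit_isakmp_policy(number, body):
    """Apply classic-IOS defaults (DES, SHA-1, DH group 1) and flag weak choices."""
    opts = {c.split()[0]: c.split()[1:] for c in body}
    encr = (opts.get("encr") or opts.get("encryption") or ["des"])[0]
    hsh = (opts.get("hash") or ["sha"])[0]
    grp = (opts.get("group") or ["1"])[0]
    pol = f"isakmp policy {number}"
    out = []
    if encr in WEAK_ENCR:
        out.append(f"{pol}: weak encryption {encr}")
    if hsh in WEAK_HASH:
        out.append(f"{pol}: weak hash {hsh}")
    if grp in WEAK_GROUP:
        suffix = "" if "group" in opts else " (implicit default)"
        out.append(f"{pol}: weak DH group {grp}{suffix}")
    return out


def audit(config):
    """Return the findings for one config text, in config order."""
    findings = []
    for header, body in stanzas(config):
        w = header.split()
        if header.startswith("crypto isakmp policy "):
            findings += audit_isakmp_policy(w[3], body)
        elif header.startswith("crypto isakmp key ") and WILDCARD in header:
            findings.append("wildcard pre-shared key: any peer that knows the key can negotiate IKE")
        elif w[0] == "username" and "password" in w[2:]:
            # 'password' is reversible (type 7 at best); 'secret' stores a hash.
            findings.append(f"username {w[1]}: reversible 'password' instead of 'secret'")
        elif w[0] == "interface":
            hsrp = {c.split()[1] for c in body if re.match(r"standby \d+ ip ", c)}
            authed = {c.split()[1] for c in body if re.match(r"standby \d+ authentication ", c)}
            for g in sorted(hsrp - authed):
                findings.append(f"{w[1]}: HSRP group {g} without authentication")
        elif header.startswith("router bgp "):
            peers = {c.split()[1] for c in body if re.match(r"neighbor \S+ remote-as ", c)}
            authed = {c.split()[1] for c in body if re.match(r"neighbor \S+ password ", c)}
            for p in sorted(peers - authed):
                findings.append(f"bgp: neighbor {p} without MD5 password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Policy 5 produces nothing; policy 7 is flagged only for the DH group it never set, which is exactly the kind of omission that survives a visual review of the DMVPN hub config above.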