21/1/55

CE_Router of IP-SEC-SSO tunnel protection project

Configure IPSEC-R1 and IPSEC-R2 to support Stateful Switchover (SSO) for an IPsec tunnel running in tunnel protection mode. Both routers use the HSRP virtual address 172.16.1.4 as the tunnel source, and the IPsec profile carries "redundancy HA-out stateful", so the IKE and IPsec SAs are replicated to the standby over the SCTP association defined under "ipc zone default". For this to work the crypto and Tunnel1 configuration must be identical on both routers; only the HSRP priority/tracking and the SCTP local/remote addresses differ.
Note (tip): EIGRP is used to control the routes so that the traffic runs over the tunnel.
Caveat: the ISAKMP policy below (3DES, MD5, DH group 2, 120-second lifetime) and the pre-shared key cisco123 are lab values. For production use AES, SHA-2 and DH group 14 or higher, a lifetime of hours rather than two minutes (a 120 s lifetime rekeys continuously, and every new SA has to be synchronised to the standby), and a strong per-peer key.


SSO-IPSEC-R1 ************************************************
!
class-map match-all ICMP
match access-group name MATCH_ICMP
class-map match-all GRE
match access-group name MATCH_GRE
!
policy-map Test_Match_Policy_Only
class ICMP
class GRE
!
redundancy inter-device
scheme standby HA-out
!
redundancy
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 172.16.1.2
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 172.16.1.3
!
ip cef
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key cisco123 address 172.16.1.10 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile sso-secure
set transform-set trans1
redundancy HA-out stateful
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
ip address 1.1.2.1 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel source 172.16.1.4
tunnel destination 172.16.1.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile sso-secure
qos pre-classify
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 1 ip 172.16.1.4
standby 1 priority 120
standby 1 preempt
standby 1 name HA-out
standby 1 track FastEthernet0/1 30
standby 1 authentication md5 key-string 24991
service-policy output Test_Match_Policy_Only
!
interface FastEthernet0/1
ip address 172.16.1.17 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 2 ip 172.16.1.19
standby 2 priority 120
standby 2 preempt
standby 2 name HA-in
standby 2 authentication md5 key-string 24991
standby 2 track FastEthernet0/0 30
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 172.16.1.17 0.0.0.0
no auto-summary
!
router ospf 10
router-id 1.1.2.1
log-adjacency-changes
network 172.16.1.2 0.0.0.0 area 0
!
!
ip access-list extended MATCH_GRE
permit gre any any
ip access-list extended MATCH_ICMP
permit icmp any any
!
!


SSO-IPSEC-R2 ************************************************
!
class-map match-all ICMP
match access-group name MATCH_ICMP
class-map match-all GRE
match access-group name MATCH_GRE
!
policy-map Test_Match_Policy_Only
class ICMP
class GRE
!
redundancy inter-device
scheme standby HA-out
!
redundancy
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 172.16.1.3
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 172.16.1.2
!
ip cef
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key cisco123 address 172.16.1.10 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile sso-secure
set transform-set trans1
redundancy HA-out stateful
!
interface Loopback0
ip address 1.1.1.2 255.255.255.0
!
interface Loopback1
ip address 1.1.2.2 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel source 172.16.1.4
tunnel destination 172.16.1.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile sso-secure
qos pre-classify
!
interface FastEthernet0/0
ip address 172.16.1.3 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 1 ip 172.16.1.4
standby 1 preempt
standby 1 name HA-out
standby 1 authentication md5 key-string 24991
service-policy output Test_Match_Policy_Only
!
interface FastEthernet0/1
ip address 172.16.1.18 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 2 ip 172.16.1.19
standby 2 preempt
standby 2 name HA-in
standby 2 authentication md5 key-string 24991
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 172.16.1.18 0.0.0.0
no auto-summary
!
router ospf 10
router-id 1.1.2.2
log-adjacency-changes
network 172.16.1.3 0.0.0.0 area 0
!
!
ip access-list extended MATCH_GRE
permit gre any any
ip access-list extended MATCH_ICMP
permit icmp any any
!
!

################################################
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto isakmp policy
debug crypto ha
debug crypto isakmp ha
debug crypto ipsec ha
show redundancy inter-device
show redundancy states
################################################


REMOTE-IPSEC-2  (IPSEC-R3) ************************************************
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
hash md5
group 2
lifetime 120
!
crypto isakmp key cisco123 address 172.16.1.4 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile sso-secure
set transform-set trans1
!
interface FastEthernet0/0
ip address 172.16.1.10 255.255.255.248
!
interface FastEthernet0/1
ip address 172.16.1.25 255.255.255.248
no shutdown
!
interface Loopback0
ip address 1.1.1.3 255.255.255.0
!
interface Loopback1
ip address 1.1.2.3 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel source 172.16.1.10
tunnel destination 172.16.1.4
tunnel protection ipsec profile sso-secure
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 172.16.1.25 0.0.0.0
no auto-summary
!
router ospf 10
router-id 1.1.2.3
log-adjacency-changes
network 172.16.1.10 0.0.0.0 area 0
!
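Added example (Python; this is the editor's code, not part of the original lab): a check that diffs the configuration an IPsec SSO pair must share. R1_CFG is a constructed excerpt modelled on SSO-IPSEC-R1 above, with sub-commands indented by one space as in "show running-config"; R2_CFG is derived from it with the SCTP addresses swapped and "tunnel mode ipsec ipv4" deliberately removed, so the output shows what a mismatch looks like. The list of blocks that must match is an assumption based on the design used here (tunnel source is the HSRP VIP, profile with "redundancy HA-out stateful").

```python
"""Consistency check for an IOS IPsec stateful-failover (SSO) pair.

Added example, not code from the original lab. R1_CFG is a constructed excerpt
modelled on SSO-IPSEC-R1 above, with sub-commands indented by one space as in
'show running-config'; R2_CFG is derived from it with the peer addresses
swapped and 'tunnel mode ipsec ipv4' deliberately removed to show a mismatch.
"""
import re

# Top-level commands whose sub-commands must be identical on active and standby:
# IKE policy and key, transform set, IPsec profile (with 'redundancy ... stateful'),
# the Tunnel interface (its source is the shared HSRP VIP) and the SSO scheme.
MUST_MATCH = ("crypto isakmp", "crypto ipsec", "interface Tunnel",
              "redundancy inter-device")

# One top-level command plus the indented lines that belong to it.
BLOCK = re.compile(r"^(\S[^\n]*)\n((?:[ \t][^\n]*\n?)*)", re.M)
# local-ip / remote-ip of the SCTP association under 'ipc zone default'.
IPC_IP = re.compile(r"^[ \t]*(local|remote)-ip (\S+)", re.M)

R1_CFG = """\
redundancy inter-device
 scheme standby HA-out
!
ipc zone default
 association 1
  protocol sctp
   local-ip 172.16.1.2
   remote-ip 172.16.1.3
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.10 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile sso-secure
 set transform-set trans1
 redundancy HA-out stateful
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source 172.16.1.4
 tunnel destination 172.16.1.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile sso-secure
"""
# Standby: same config, its own SCTP addresses, plus the constructed fault.
R2_CFG = (R1_CFG.replace("local-ip 172.16.1.2", "local-ip 172.16.1.3")
                .replace("remote-ip 172.16.1.3", "remote-ip 172.16.1.2")
                .replace(" tunnel mode ipsec ipv4\n", ""))


def crypto_lines(cfg: str) -> set:
    """{(top-level command, sub-command)} for every block that must match.
    The header is included with an empty sub-command so that a block present
    on one peer only, or a differently named profile, is reported too."""
    lines = set()
    for head, body in BLOCK.findall(cfg + "\n"):
        if head.startswith(MUST_MATCH):
            lines.add((head, ""))
            lines.update((head, line.strip()) for line in body.splitlines())
    return lines


def sso_mismatches(active: str, standby: str) -> list:
    """Every crypto/tunnel line that exists on only one of the two peers."""
    a, s = crypto_lines(active), crypto_lines(standby)

    def fmt(side, head, line):
        return f"only on {side}: {head}" + (f" / {line}" if line else "")

    return ([fmt("active", h, l) for h, l in sorted(a - s)]
            + [fmt("standby", h, l) for h, l in sorted(s - a)])


def ipc_peering_ok(active: str, standby: str) -> bool:
    """The SCTP association must be mirrored: my local-ip is the peer's
    remote-ip and vice versa, otherwise no state is ever synchronised."""
    a, s = dict(IPC_IP.findall(active)), dict(IPC_IP.findall(standby))
    return a.get("local") == s.get("remote") and a.get("remote") == s.get("local")


if __name__ == "__main__":
    for finding in sso_mismatches(R1_CFG, R2_CFG) or ["peers match"]:
        print(finding)
    print("ipc association mirrored:", ipc_peering_ok(R1_CFG, R2_CFG))
```

Run it against the real "show running-config" of both routers before a failover test; a standby whose Tunnel1 is missing "tunnel mode ipsec ipv4" would come up as a GRE/IP tunnel after switchover and the remote side would stop decrypting, which "show redundancy states" alone does not reveal.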

PE_Router of IP-SEC-SSO tunnel protection project

Continuing from LAB 1: on the CE side the customer wants IPsec tunnel protection between the PE4 and PE7 sites. First PE4 and PE7 are configured to build the MPLS VPN (VRF IPSEC) between the two sites; the CE routers are configured afterwards. The CE-facing interfaces sit in VRF IPSEC, so the IPsec underlay (172.16.1.0/29 behind PE4 and 172.16.1.8/29 behind PE7) is carried inside the MPLS VPN. The OSPF sham-link between Loopback100 on each PE makes the routes learned across the MPLS backbone appear as intra-area OSPF routes rather than inter-area; note that the sham-link endpoints are advertised by BGP in the VRF address family (network 10.10.10.x) and are deliberately not advertised by OSPF.

MPLS-PE-4 ************************************************
hostname PE4
!
ip cef
!
ip vrf IPSEC
rd 100:2
route-target export 100:2
route-target import 100:2
!
mpls label protocol ldp
mpls ldp neighbor 10.1.1.11 password cisco
mpls ldp neighbor 10.1.1.22 password cisco
!
interface Loopback0
ip address 10.1.1.4 255.255.255.255
!
interface Loopback100
description # For sham-link vrf IPSEC #
ip vrf forwarding IPSEC
ip address 10.10.10.4 255.255.255.255
!
interface Ethernet1/0
description # To P1 e1/3 #
ip address 192.168.1.14 255.255.255.252
ip ospf message-digest-key 1 md5 cisco
half-duplex
mpls ip
!
interface Ethernet1/1
description # To P2 e1/3 #
ip address 192.168.1.46 255.255.255.252
ip ospf message-digest-key 1 md5 cisco
half-duplex
mpls ip
!
interface Ethernet1/2
description # To SW IPSEC R1-R2 #
ip vrf forwarding IPSEC
ip address 172.16.1.1 255.255.255.248
half-duplex
!
router ospf 10 vrf IPSEC
router-id 10.10.10.4
log-adjacency-changes
area 0 sham-link 10.10.10.4 10.10.10.7
redistribute bgp 100 subnets
network 172.16.1.1 0.0.0.0 area 0
!
router ospf 1
router-id 10.1.1.4
log-adjacency-changes
max-metric router-lsa on-startup wait-for-bgp
max-metric router-lsa on-startup 360
timers throttle lsa all 0 20 5000
timers lsa arrival 15
timers pacing flood 15
timers throttle spf 50 50 5000
ispf
area 0 authentication message-digest
network 10.1.1.4 0.0.0.0 area 0
network 192.168.1.14 0.0.0.0 area 0
network 192.168.1.46 0.0.0.0 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 10.1.1.11 remote-as 100
neighbor 10.1.1.11 password cisco
neighbor 10.1.1.11 update-source Loopback0
neighbor 10.1.1.22 remote-as 100
neighbor 10.1.1.22 password cisco
neighbor 10.1.1.22 update-source Loopback0
!
address-family ipv4
neighbor 10.1.1.11 activate
neighbor 10.1.1.11 send-community
neighbor 10.1.1.22 activate
neighbor 10.1.1.22 send-community
no auto-summary
no synchronization
network 10.1.1.4 mask 255.255.255.255
exit-address-family
!
address-family vpnv4
neighbor 10.1.1.11 activate
neighbor 10.1.1.11 send-community extended
neighbor 10.1.1.22 activate
neighbor 10.1.1.22 send-community extended
exit-address-family
!
address-family ipv4 vrf IPSEC
redistribute ospf 10 vrf IPSEC match internal external 1 external 2
no synchronization
network 10.10.10.4 mask 255.255.255.255
exit-address-family
!
mpls ldp router-id Loopback0 force
!
MPLS-PE-7 ************************************************
hostname PE7
!
ip cef
!
ip vrf IPSEC
rd 100:2
route-target export 100:2
route-target import 100:2
!
mpls label protocol ldp
mpls ldp neighbor 10.1.1.11 password cisco
mpls ldp neighbor 10.1.1.22 password cisco
!
interface Loopback0
ip address 10.1.1.7 255.255.255.255
!
interface Loopback100
description # For sham-link vrf IPSEC #
ip vrf forwarding IPSEC
ip address 10.10.10.7 255.255.255.255
!
interface Ethernet1/0
description # To P1 e2/1 #
ip address 192.168.1.22 255.255.255.252
ip ospf message-digest-key 1 md5 cisco
half-duplex
mpls ip
!
interface Ethernet1/1
description # To P2 e2/1 #
ip address 192.168.1.54 255.255.255.252
ip ospf message-digest-key 1 md5 cisco
half-duplex
mpls ip
!
interface Ethernet1/2
description # To SW IPSEC R3 #
ip vrf forwarding IPSEC
ip address 172.16.1.9 255.255.255.248
half-duplex
!
router ospf 10 vrf IPSEC
router-id 10.10.10.7
log-adjacency-changes
area 0 sham-link 10.10.10.7 10.10.10.4
redistribute bgp 100 subnets
network 172.16.1.9 0.0.0.0 area 0
!
router ospf 1
router-id 10.1.1.7
log-adjacency-changes
max-metric router-lsa on-startup wait-for-bgp
max-metric router-lsa on-startup 360
timers throttle lsa all 0 20 5000
timers lsa arrival 15
timers pacing flood 15
timers throttle spf 50 50 5000
ispf
area 0 authentication message-digest
network 10.1.1.7 0.0.0.0 area 0
network 192.168.1.22 0.0.0.0 area 0
network 192.168.1.54 0.0.0.0 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 10.1.1.11 remote-as 100
neighbor 10.1.1.11 password cisco
neighbor 10.1.1.11 update-source Loopback0
neighbor 10.1.1.22 remote-as 100
neighbor 10.1.1.22 password cisco
neighbor 10.1.1.22 update-source Loopback0
!
address-family ipv4
neighbor 10.1.1.11 activate
neighbor 10.1.1.11 send-community
neighbor 10.1.1.22 activate
neighbor 10.1.1.22 send-community
no auto-summary
no synchronization
network 10.1.1.7 mask 255.255.255.255
exit-address-family
!
address-family vpnv4
neighbor 10.1.1.11 activate
neighbor 10.1.1.11 send-community extended
neighbor 10.1.1.22 activate
neighbor 10.1.1.22 send-community extended
exit-address-family
!
address-family ipv4 vrf IPSEC
redistribute ospf 10 vrf IPSEC match internal external 1 external 2
no synchronization
network 10.10.10.7 mask 255.255.255.255
exit-address-family
!
mpls ldp router-id Loopback0 force
!

CE_Router of DMVPN Customer Project.

CE configuration according to the LAB 1 diagram.


The customer uses R1 and R2 as DMVPN hubs and R3 and R4 as spokes, with the hubs set up as redundant DMVPN (dual hub, dual DMVPN cloud: R1 serves 100.1.1.0/24 with NHRP network-id 1000 and tunnel key 1000, R2 serves 100.1.2.0/24 with network-id 1001 and tunnel key 1001, and each spoke has one point-to-point GRE tunnel to each hub, so spoke-to-spoke traffic passes through a hub). This example also applies QoS on the DMVPN: the spokes announce an NHRP group (EAST or WEST) and the hubs map each group to an outbound shaping policy on the mGRE tunnel (per-tunnel QoS), while a control-plane policy rate-limits OSPF, EIGRP and ICMP.
Caveats: ISAKMP policy 7 sets only AES and pre-shared-key authentication, so the hash, DH group and lifetime take the IOS defaults (SHA-1, group 1, 86400 s), and the key is bound to 0.0.0.0 0.0.0.0, so any peer that knows thaiciscoclub can bring up a tunnel; for production set group 14 or higher and use per-peer keys or certificates. The CPP policy-map has no action for class-default, so control-plane traffic other than OSPF, EIGRP and ICMP (ISAKMP on UDP 500 included) is not rate-limited. On the spokes both tunnels use the same tunnel source and IPsec profile; if IOS rejects the second "tunnel protection" line for that reason, add the "shared" keyword on both tunnel interfaces.




R1-DMVPN (Hub)

!
class-map match-all CPP
    match access-group name CPP
!
class-map match-all PRIORITY
   match ip dscp af43
!
policy-map PRIORITY_QOS
   class PRIORITY
      priority 512
!
policy-map WEST_QOS
   class class-default
      shape average 1000000
!
policy-map EAST_QOS
   class class-default
      shape average 1000000
      service-policy PRIORITY_QOS
!
policy-map CPP
   class CPP
      police rate 10000000 conform-action transmit exceed-action drop violate-action drop
!
crypto isakmp policy 7
encr aes
authentication pre-share
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set dmvpn_base esp-aes esp-sha-hmac
   mode transport
!
crypto ipsec profile DMVPN
   set transform-set dmvpn_base
!
interface Tunnel1
desc # DMVPN Tunnel #
ip address 100.1.1.1 255.255.255.0
no ip redirects
ip mtu 1428
no ip next-hop-self eigrp 10
ip nhrp authentication thaiciscoclub
ip nhrp map multicast dynamic
ip nhrp network-id 1000
ip nhrp holdtime 550
no ip split-horizon eigrp 10
delay 1000
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1000
tunnel protection ipsec profile DMVPN
ip nhrp map group EAST service-policy output EAST_QOS
ip nhrp map group WEST service-policy output WEST_QOS
!
interface Ethernet0/0
desc # Interface CE to PE #
ip address 10.1.1.2 255.255.255.252
!
interface Ethernet0/1
desc # Internal interface #
ip address 10.1.2.2 255.255.255.0
standby 1 ip 10.1.2.1
standby 1 timers msec 200 msec 600
standby 1 priority 120
standby 1 preempt delay minimum 180
standby 1 name dmvpn
standby 1 track Ethernet0/0 30
standby 1 authentication md5 key-string 24991
!
router eigrp 10
variance 4
network 10.1.2.0 0.0.0.255
network 100.1.1.0 0.0.0.255
no auto-summary
!
router ospf 10
log-adjacency-changes
network 10.1.1.2 0.0.0.0 area 0
!
ip access-list extended CPP
permit ospf any any
permit eigrp any any
permit icmp any any
!
control-plane
service-policy input CPP
!
!


R2-DMVPN (Hub)


!
class-map match-all CPP
match access-group name CPP
!
class-map match-all PRIORITY
match ip dscp af43
!
policy-map PRIORITY_QOS
class PRIORITY
priority 512
!
policy-map WEST_QOS
class class-default
shape average 1000000
!
policy-map EAST_QOS
class class-default
shape average 1000000
service-policy PRIORITY_QOS
!
policy-map CPP
class CPP
police rate 10000000 conform-action transmit exceed-action drop violate-action drop
!
crypto isakmp policy 7
encr aes
authentication pre-share
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set dmvpn_base esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set dmvpn_base
!
interface Tunnel1
desc # DMVPN Tunnel #
ip address 100.1.2.1 255.255.255.0
no ip redirects
ip mtu 1428
no ip next-hop-self eigrp 10
ip nhrp authentication thaiciscoclub
ip nhrp map multicast dynamic
ip nhrp network-id 1001
ip nhrp holdtime 600
no ip split-horizon eigrp 10
delay 1000
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1001
tunnel protection ipsec profile DMVPN
ip nhrp map group EAST service-policy output EAST_QOS
ip nhrp map group WEST service-policy output WEST_QOS
!
interface Ethernet0/0
desc # Interface CE to PE #
ip address 10.1.1.6 255.255.255.252
!
interface Ethernet0/1
desc # Internal interface #
ip address 10.1.2.3 255.255.255.0
standby 1 ip 10.1.2.1
standby 1 timers msec 200 msec 600
standby 1 preempt delay minimum 180
standby 1 name dmvpn
standby 1 authentication md5 key-string 24991
!
router eigrp 10
variance 4
network 10.1.2.0 0.0.0.255
network 100.1.2.0 0.0.0.255
no auto-summary
!
router ospf 10
log-adjacency-changes
network 10.1.1.6 0.0.0.0 area 0
!
ip access-list extended CPP
permit ospf any any
permit eigrp any any
permit icmp any any
!
control-plane
service-policy input CPP
!


R3-DMVPN   (DMVPN-SPOKE (EAST SITE))
!
crypto isakmp policy 7
encr aes
authentication pre-share
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set dmvpn_base esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set dmvpn_base
!
interface Tunnel1
description to HUB-1
ip address 100.1.1.3 255.255.255.0
ip mtu 1428
ip nhrp authentication thaiciscoclub
ip nhrp map multicast 10.1.1.2
ip nhrp map 100.1.1.1 10.1.1.2
ip nhrp network-id 1000
ip nhrp holdtime 300
ip nhrp nhs 100.1.1.1
tunnel source Ethernet0/0
tunnel destination 10.1.1.2
tunnel key 1000
tunnel protection ipsec profile DMVPN
ip nhrp group EAST
!
interface Tunnel2
description to HUB-2
ip address 100.1.2.3 255.255.255.0
no ip redirects
ip mtu 1428
ip nhrp authentication thaiciscoclub
ip nhrp map multicast 10.1.1.6
ip nhrp map 100.1.2.1 10.1.1.6
ip nhrp network-id 1001
ip nhrp holdtime 300
ip nhrp nhs 100.1.2.1
delay 1000
tunnel source Ethernet0/0
tunnel destination 10.1.1.6
tunnel key 1001
tunnel protection ipsec profile DMVPN
ip nhrp group EAST
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.252
!
interface Ethernet0/1
ip address 10.3.3.1 255.255.255.0
!
router eigrp 10
variance 4
network 10.3.3.0 0.0.0.255
network 100.1.1.0 0.0.0.255
network 100.1.2.0 0.0.0.255
no auto-summary
!
router ospf 10
log-adjacency-changes
network 10.1.1.10 0.0.0.0 area 0
!
!


R4-DMVPN  (DMVPN-SPOKE (WEST SITE))

!
crypto isakmp policy 7
encr aes
authentication pre-share
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set dmvpn_base esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set dmvpn_base
!
interface Tunnel1
description to HUB-1
ip address 100.1.1.4 255.255.255.0
ip mtu 1428
ip nhrp authentication thaiciscoclub
ip nhrp map multicast 10.1.1.2
ip nhrp map 100.1.1.1 10.1.1.2
ip nhrp network-id 1000
ip nhrp holdtime 300
ip nhrp nhs 100.1.1.1
tunnel source Ethernet0/0
tunnel destination 10.1.1.2
tunnel key 1000
tunnel protection ipsec profile DMVPN
ip nhrp group WEST
!
interface Tunnel2
description to HUB-2
ip address 100.1.2.4 255.255.255.0
no ip redirects
ip mtu 1428
ip nhrp authentication thaiciscoclub
ip nhrp map multicast 10.1.1.6
ip nhrp map 100.1.2.1 10.1.1.6
ip nhrp network-id 1001
ip nhrp holdtime 300
ip nhrp nhs 100.1.2.1
delay 1000
tunnel source Ethernet0/0
tunnel destination 10.1.1.6
tunnel key 1001
tunnel protection ipsec profile DMVPN
ip nhrp group WEST
!
interface Ethernet0/0
ip address 10.1.1.14 255.255.255.252
!
interface Ethernet0/1
ip address 10.4.4.1 255.255.255.0
!
router eigrp 10
variance 4
network 10.4.4.0 0.0.0.255
network 100.1.1.0 0.0.0.255
network 100.1.2.0 0.0.0.255
no auto-summary
!
router ospf 10
log-adjacency-changes
network 10.1.1.14 0.0.0.0 area 0
!


##################################################################################
show dmvpn detail
show ip nhrp group-map
show policy-map multipoint
show crypto ipsec sa
show crypto isakmp sa
##################################################################################
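Added example (Python; the editor's code, not part of the original lab) that serves both this DMVPN section and the IPsec SSO section earlier on the page: it parses "crypto isakmp policy" blocks, fills in the IOS defaults for every attribute a policy omits, and flags weak values and wildcard pre-shared keys. The baseline it enforces (AES, no MD5, DH group 14 or higher, no key bound to 0.0.0.0 0.0.0.0) and the hardened replacement it prints are assumptions of the editor, not something the page states; DMVPN_HUB and SSO_R1 are constructed excerpts of the R1-DMVPN hub and SSO-IPSEC-R1 configs above.

```python
"""IKE (ISAKMP) policy audit for IOS configs, with the IOS defaults applied.

Added example, not code from the original lab. IOS only shows the attributes a
'crypto isakmp policy' sets explicitly; whatever is omitted takes the default
(DES, SHA-1, RSA signatures, DH group 1, 86400 s). The baseline enforced below
(AES, no MD5, DH group 14 or higher, no wildcard pre-shared key) and the
hardened replacement are this editor's assumptions. DMVPN_HUB and SSO_R1 are
constructed excerpts of the R1-DMVPN hub and SSO-IPSEC-R1 configs on this page.
"""
import re

IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}

# attribute -> predicate that is True when the negotiated value is too weak
WEAK = {
    "encr": lambda v: v.split()[0] in ("des", "3des"),   # 'aes 256' -> 'aes'
    "hash": lambda v: v == "md5",
    "group": lambda v: int(v) < 14,                      # 768/1024/1536-bit MODP
}

POLICY = re.compile(r"^crypto isakmp policy (\d+)\n((?:[ \t][^\n]*\n?)*)", re.M)
WILDCARD_PSK = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", re.M)

DMVPN_HUB = """\
crypto isakmp policy 7
 encr aes
 authentication pre-share
crypto isakmp key thaiciscoclub address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
"""

SSO_R1 = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 120
crypto isakmp key cisco123 address 172.16.1.10 no-xauth
"""


def isakmp_policies(cfg: str) -> dict:
    """{policy number: {attribute: value}} with IOS defaults filled in."""
    policies = {}
    for num, body in POLICY.findall(cfg + "\n"):
        attrs = dict(IOS_DEFAULTS)
        for line in body.splitlines():
            key, _, value = line.strip().partition(" ")
            attrs["encr" if key == "encryption" else key] = value  # IOS accepts both spellings
        policies[int(num)] = attrs
    return policies


def audit_isakmp(cfg: str) -> list:
    """One finding per weak attribute, plus one if the PSK is bound to any peer."""
    findings = []
    for num, attrs in sorted(isakmp_policies(cfg).items()):
        findings += [f"policy {num}: {a} {attrs[a]}" for a, weak in WEAK.items() if weak(attrs[a])]
    if WILDCARD_PSK.search(cfg):
        findings.append("wildcard pre-shared key: address 0.0.0.0 0.0.0.0")
    return findings


def hardened_policy(num: int) -> str:
    """A replacement policy that clears every check above (editor's suggestion;
    the 'hash sha256' keyword needs an IOS release with SHA-2 support for IKEv1)."""
    return (f"crypto isakmp policy {num}\n encr aes 256\n hash sha256\n"
            " authentication pre-share\n group 14\n lifetime 28800\n")


if __name__ == "__main__":
    for name, cfg in (("R1-DMVPN hub", DMVPN_HUB), ("SSO-IPSEC-R1", SSO_R1)):
        print(name, "->", audit_isakmp(cfg) or ["ok"])
    print(hardened_policy(7))
```

The point of applying the defaults first is that the hub policy looks fine at a glance (AES, pre-shared key) yet negotiates DH group 1; the lab value cisco123 with a specific peer address in the SSO section is weak for a different reason (key strength), which the script does not try to judge.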