
Cisco, Dynamic Multipoint VPN (DMVPN) Phase 2 - HUB, SPOKES, mGRE Protection and Routing




Topics used in this lab: OSPF, mGRE, static routes

Requirements:
1. Cable the routers and assign IP addresses as in the diagram (by convention the addresses follow the router numbers), then configure OSPF so that all public IPs can ping each other


Configuration hints

  • R1
!
interface Ethernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip ospf 1 area 0
end
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
end
!
router ospf 1
router-id 1.1.1.1
  • R2

!
interface Ethernet0/2
 ip address 2.2.2.2 255.255.255.0
 ip ospf 1 area 0
end
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
end
!
router ospf 1
router-id 2.2.2.2
  • R3
!
interface Ethernet0/3
 ip address 3.3.3.3 255.255.255.0
 ip ospf 1 area 0
end
!
interface Loopback0
 ip address 192.168.3.1 255.255.255.0
end
!
router ospf 1
router-id 3.3.3.3
  • R4
!
interface Ethernet0/1
 ip address 1.1.1.4 255.255.255.0
 ip ospf 1 area 0
end
!
interface Ethernet0/2
 ip address 2.2.2.4 255.255.255.0
 ip ospf 1 area 0
end
!
interface Ethernet0/3
 ip address 3.3.3.4 255.255.255.0
 ip ospf 1 area 0
end
!
router ospf 1
router-id 4.4.4.4


!Verification after the OSPF configuration
!R1
R1#show ip route ospf
(some unnecessary output lines removed)
      2.0.0.0/24 is subnetted, 1 subnets
O        2.2.2.0 [110/20] via 1.1.1.4, 00:01:32, Ethernet0/1
      3.0.0.0/24 is subnetted, 1 subnets
O        3.3.3.0 [110/20] via 1.1.1.4, 00:01:32, Ethernet0/1
!R2
R2#show ip route ospf 
(some unnecessary output lines removed)
      1.0.0.0/24 is subnetted, 1 subnets
O        1.1.1.0 [110/20] via 2.2.2.4, 00:00:53, Ethernet0/2
      3.0.0.0/24 is subnetted, 1 subnets
O        3.3.3.0 [110/20] via 2.2.2.4, 00:02:42, Ethernet0/2
!R3
R3#show ip route ospf
(some unnecessary output lines removed)
      1.0.0.0/24 is subnetted, 1 subnets
O        1.1.1.0 [110/20] via 3.3.3.4, 00:01:17, Ethernet0/3
      2.0.0.0/24 is subnetted, 1 subnets
O        2.2.2.0 [110/20] via 3.3.3.4, 00:03:06, Ethernet0/3

2. Configure mGRE between R1, R2 and R3
Configuration hints

  • R1

!
interface Tunnel0
 description ===mGRE - DMVPN Tunnel===
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
end

  • R2

!
interface Tunnel0
 description ===R2 mGRE - DMVPN Tunnel===
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source Ethernet0/2
 tunnel mode gre multipoint
end
  • R3
!
interface Tunnel0
 description ===R3 mGRE - DMVPN Tunnel===
 ip address 172.16.0.3 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source Ethernet0/3
 tunnel mode gre multipoint
end

Verification after the mGRE configuration
!R1
R1#show dmvpn 
(some unnecessary output lines removed)
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 2.2.2.2              172.16.0.2    UP 01:31:58     D
     1 3.3.3.3              172.16.0.3    UP 01:27:41     D

R1#show ip nhrp 
172.16.0.2/32 via 172.16.0.2
   Tunnel0 created 01:36:55, expire 01:43:04
   Type: dynamic, Flags: unique registered used 
   NBMA address: 2.2.2.2 
172.16.0.3/32 via 172.16.0.3
   Tunnel0 created 01:33:23, expire 01:47:23
   Type: dynamic, Flags: unique registered used 
   NBMA address: 3.3.3.3 
!R2

R2#show dmvpn 
(some unnecessary output lines removed)
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.1              172.16.0.1    UP 01:34:10     S
     1 3.3.3.3              172.16.0.3    UP 01:29:44     D
! The tunnel from the SPOKE to the HUB shows as S (static)

R2#show ip nhrp 
172.16.0.1/32 via 172.16.0.1
   Tunnel0 created 01:39:02, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.1.1 
172.16.0.2/32 via 172.16.0.2
   Tunnel0 created 01:34:08, expire 00:25:51
   Type: dynamic, Flags: router unique local 
   NBMA address: 2.2.2.2 
    (no-socket) 
172.16.0.3/32 via 172.16.0.3
   Tunnel0 created 01:35:34, expire 00:25:51
   Type: dynamic, Flags: router implicit used 
   NBMA address: 3.3.3.3 
!R3

R3#show dmvpn 
(some unnecessary output lines removed)
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.1              172.16.0.1    UP 01:31:05     S
     1 2.2.2.2              172.16.0.2    UP 01:30:56     D
! The tunnel from the SPOKE to the HUB shows as S (static)

R3#show ip nhrp 
172.16.0.1/32 via 172.16.0.1
   Tunnel0 created 01:33:35, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.1.1 
172.16.0.2/32 via 172.16.0.2
   Tunnel0 created 01:33:26, expire 00:26:33
   Type: dynamic, Flags: router used 
   NBMA address: 2.2.2.2 

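A quick way to turn the `show dmvpn` checks above into something repeatable is to parse the peer table and assert the hub/spoke relationships the lab expects: every peer UP, each spoke registered on the hub as a dynamic (D) entry, and the hub present on each spoke as the static (S) entry created by `ip nhrp map`. The script below is an added example and not part of the original post; the sample output is constructed from the R1 and R2 tables shown above, and `HUB_NBMA` / `SPOKE_NBMA` are the lab's tunnel source addresses.

```python
"""Parse `show dmvpn` output and verify the lab's hub/spoke relationships.

Added example for the mGRE verification step (not code from the original post).
The sample output is constructed from the R1 and R2 tables in the post.
"""
import re
from dataclasses import dataclass

HUB_NBMA = "1.1.1.1"                  # tunnel source of R1 (the hub)
SPOKE_NBMA = {"2.2.2.2", "3.3.3.3"}   # tunnel sources of R2 and R3

# Constructed sample: the hub's table, trimmed to the NHRP peer rows.
R1_SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 2.2.2.2              172.16.0.2    UP 01:31:58     D
     1 3.3.3.3              172.16.0.3    UP 01:27:41     D
"""

# Constructed sample: a spoke's table (R2) with the hub (S) and a spoke-to-spoke peer (D).
R2_SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.1              172.16.0.1    UP 01:34:10     S
     1 3.3.3.3              172.16.0.3    UP 01:29:44     D
"""


@dataclass(frozen=True)
class Peer:
    nbma: str     # Peer NBMA Addr: the public (transport) address
    tunnel: str   # Peer Tunnel Add: the overlay address on Tunnel0
    state: str    # UP, NHRP, IKE, ...
    attrb: str    # D = learned dynamically via NHRP, S = static 'ip nhrp map'


_ROLE = re.compile(r"^Type:(Hub|Spoke)", re.M)
# Columns: Ent, NBMA, tunnel, state, up/down timer, attribute
_ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s*$", re.M)


def parse_show_dmvpn(text):
    """Return (role, [Peer, ...]) from the text of `show dmvpn`."""
    m = _ROLE.search(text)
    if m is None:
        raise ValueError("no 'Type:Hub' or 'Type:Spoke' line found")
    return m.group(1), [Peer(*g) for g in _ROW.findall(text)]


def check_dmvpn(text, hub_nbma=HUB_NBMA, spoke_nbma=SPOKE_NBMA):
    """Return a list of findings; an empty list means the table matches the lab."""
    role, peers = parse_show_dmvpn(text)
    by_nbma = {p.nbma: p for p in peers}
    findings = []
    for p in peers:
        if p.state != "UP":
            findings.append(f"peer {p.nbma} ({p.tunnel}) is {p.state}, not UP")
    if role == "Hub":
        # Every spoke must have registered with the NHS and appear as a dynamic entry.
        for s in sorted(spoke_nbma):
            p = by_nbma.get(s)
            if p is None:
                findings.append(f"spoke {s} has not registered with the hub")
            elif "D" not in p.attrb:
                findings.append(f"spoke {s} entry is {p.attrb}, expected dynamic (D)")
    else:
        # A spoke must carry the static mapping to the hub from 'ip nhrp map'.
        hub = by_nbma.get(hub_nbma)
        if hub is None:
            findings.append(f"no entry for hub {hub_nbma}: check 'ip nhrp map' and 'ip nhrp nhs'")
        elif "S" not in hub.attrb:
            findings.append(f"hub entry is {hub.attrb}, expected static (S)")
    return findings


if __name__ == "__main__":
    for name, text in (("R1", R1_SHOW_DMVPN), ("R2", R2_SHOW_DMVPN)):
        print(name, "OK" if not check_dmvpn(text) else check_dmvpn(text))
```

Paste the real `show dmvpn` output of each router in place of the constructed strings. The check looks only at the NHRP peer table; it does not inspect multicast mappings, which matter once a routing protocol runs over the tunnel (this lab uses static routes, so none does).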
3. Configure static routes so that the Loopback0 addresses can ping each other
Configuration hints:
!R1
ip route 192.168.2.0 255.255.255.0 172.16.0.2
ip route 192.168.3.0 255.255.255.0 172.16.0.3

!R2
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.3.0 255.255.255.0 172.16.0.3

!R3
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.2.0 255.255.255.0 172.16.0.2

Verification after the static route configuration
!R1
R1#show ip route static 
(some unnecessary output lines removed)
S     192.168.2.0/24 [1/0] via 172.16.0.2
S     192.168.3.0/24 [1/0] via 172.16.0.3
R1#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 192.168.3.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

!R2
R2#show ip route static 
(some unnecessary output lines removed)
S     192.168.1.0/24 [1/0] via 172.16.0.1
S     192.168.3.0/24 [1/0] via 172.16.0.3
R2#ping 192.168.3.1 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R2#ping 192.168.1.1 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1 
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
!R3
R3#show ip route static 
(some unnecessary output lines removed)
S     192.168.1.0/24 [1/0] via 172.16.0.1
S     192.168.2.0/24 [1/0] via 172.16.0.2
R3#ping 192.168.2.1 source 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R3#ping 192.168.1.1 source 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

4. Protecting - Encrypting DMVPN mGRE Tunnel with IPSEC
!Configuration hints:
!R1, R2, R3
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0     
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
! apply the profile to interface Tunnel0
interface Tunnel0
 tunnel protection ipsec profile protect-gre

!Verification
!R1
R1#show crypto session 
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 3.3.3.3 port 500 
  IKEv1 SA: local 1.1.1.1/500 remote 3.3.3.3/500 Active 
  IPSEC FLOW: permit 47 host 1.1.1.1 host 3.3.3.3 
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 2.2.2.2 port 500 
  IKEv1 SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active 
  IPSEC FLOW: permit 47 host 1.1.1.1 host 2.2.2.2 
        Active SAs: 2, origin: crypto map


!R2
R2#show crypto session 
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 3.3.3.3 port 500 
  IKEv1 SA: local 2.2.2.2/500 remote 3.3.3.3/500 Active 
  IKEv1 SA: local 2.2.2.2/500 remote 3.3.3.3/500 Active 
  IPSEC FLOW: permit 47 host 2.2.2.2 host 3.3.3.3 
        Active SAs: 6, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 1.1.1.1 port 500 
  IKEv1 SA: local 2.2.2.2/500 remote 1.1.1.1/500 Active 
  IPSEC FLOW: permit 47 host 2.2.2.2 host 1.1.1.1 
        Active SAs: 2, origin: crypto map

!R3
R3#show crypto session 
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 2.2.2.2 port 500 
  IKEv1 SA: local 3.3.3.3/500 remote 2.2.2.2/500 Active 
  IKEv1 SA: local 3.3.3.3/500 remote 2.2.2.2/500 Active 
  IPSEC FLOW: permit 47 host 3.3.3.3 host 2.2.2.2 
        Active SAs: 6, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 1.1.1.1 port 500 
  IKEv1 SA: local 3.3.3.3/500 remote 1.1.1.1/500 Active 
  IPSEC FLOW: permit 47 host 3.3.3.3 host 1.1.1.1 
        Active SAs: 2, origin: crypto map


! compare the results before and after the IPsec configuration
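The configuration in step 4 protects the mGRE tunnel, but two details are worth checking automatically before this leaves a lab: every `tunnel mode gre multipoint` interface must actually carry a `tunnel protection ipsec profile` line (otherwise GRE goes out in the clear), and the IKEv1 policy and transform set here use 3DES, MD5 and DH group 2, which are legacy algorithms. The audit script below is an added example, not code from the original post. `WEAK_CONFIG` is constructed from the post's configuration plus an extra unprotected `Tunnel1` for illustration; `HARDENED_CONFIG` is a constructed alternative using AES-256, SHA-256 and DH group 14 keywords that exist in IOS 15.x, with a placeholder pre-shared key.

```python
"""Audit an IOS config for DMVPN tunnel protection and legacy IKEv1/IPsec algorithms.

Added example for step 4 (not code from the original post). WEAK_CONFIG is
constructed from the post's R1 configuration; HARDENED_CONFIG is a constructed
alternative with a placeholder pre-shared key.
"""

WEAK_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
interface Tunnel1
 ip address 172.17.0.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
"""

# Constructed hub-side alternative: per-peer keys (the lab's spokes have static
# public addresses) and current-generation algorithms.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 2.2.2.2
crypto isakmp key PLACEHOLDER-PSK address 3.3.3.3
crypto ipsec transform-set TS-NGE esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile protect-gre
 set transform-set TS-NGE
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
"""

LEGACY_IKE_ENCR = {"des", "3des"}
LEGACY_IKE_HASH = {"md5"}
LEGACY_DH_GROUPS = {"1", "2", "5"}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def iter_blocks(config):
    """Yield (header, [indented sub-lines]) for each top-level IOS config block."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.strip(), []
    if header is not None:
        yield header, body


def audit(config):
    """Return a list of findings; an empty list means nothing flagged."""
    findings = []
    for header, body in iter_blocks(config):
        words = header.split()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            # IOS defaults when a keyword is absent: encr des, hash sha, group 1
            settings = {"encr": "des", "hash": "sha", "group": "1"}
            for line in body:
                key, *val = line.split()
                if key in settings and val:
                    settings[key] = val[0]
            if settings["encr"] in LEGACY_IKE_ENCR:
                findings.append(f"{header}: encryption {settings['encr']} is legacy")
            if settings["hash"] in LEGACY_IKE_HASH:
                findings.append(f"{header}: hash {settings['hash']} is legacy")
            if settings["group"] in LEGACY_DH_GROUPS:
                findings.append(f"{header}: DH group {settings['group']} is legacy")
        elif words[:3] == ["crypto", "isakmp", "key"] and "0.0.0.0" in words:
            findings.append("crypto isakmp key: wildcard 'address 0.0.0.0' accepts any peer that knows the key")
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            bad = sorted(set(words[4:]) & LEGACY_TRANSFORMS)
            if bad:
                findings.append(f"transform-set {words[3]}: legacy {' '.join(bad)}")
        elif words[0] == "interface" and "tunnel mode gre multipoint" in body:
            if not any(l.startswith("tunnel protection ipsec profile") for l in body):
                findings.append(f"{header}: mGRE tunnel without 'tunnel protection' (GRE sent in clear)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it against `show running-config` of each router. In this lab the spokes have fixed public addresses, so the hub can key each peer individually; where spokes sit behind dynamic addresses, the wildcard key is the usual IKEv1 pre-shared-key trade-off, and certificate authentication is the way to avoid it.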
