May 18, 2012

DMVPN Notes- ipexpert CCIE Security WB lab 7b.

First thing to mention about this lab is that the wording is horrible.

“Activate Frame Relay interfaces should have IP address 150.50.99.x/24.”

What??? Oh Well, on with the lab:

  1. I think so far I prefer to break the DMVPN into 4 parts:
    1. GRE Tunnel
    2. NHRP Configuration
    3. Dynamic Routing Protocol
    4. IPSec
  2. GRE needs the following:
    1. IP Address
    2. Tunnel Source
    3. Tunnel Mode (gre multipoint), since there is no fixed tunnel destination
  3. NHRP is broken down into the HUB Configuration and the Spoke Configuration and they differ slightly.
    1. NHRP HUB Configuration has the following:
      1. ip mtu bytes
      2. ip nhrp authentication string
      3. ip nhrp map multicast dynamic
      4. ip nhrp network-id number
      5. ip nhrp holdtime seconds
    2. NHRP Spoke has the following:
      1. ip mtu bytes
      2. ip nhrp authentication string
      3. ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
      4. ip nhrp map multicast hub-physical-ip-address
      5. ip nhrp nhs hub-tunnel-ip-address (totally unique to the spoke)
      6. ip nhrp network-id number
  4. Dynamic Routing Protocol includes the Private Networks that you want advertised and the Tunnel interface.  Routing Protocol does NOT include the NBMA network.
  5. EIGRP has some gotchas that are hard to find documentation on.
    1. You probably need to turn CEF off on the spokes.  If you don't, the NHRP entry times out and drops the neighbor.  You get a really annoying EIGRP timeout message and routing breaks.  You can confirm the EIGRP problem by shutting the tunnel interface and bringing it back up: the EIGRP neighbor comes back up, and 5 minutes later (default NHRP timer) the neighbor goes away again.  For some reason turning off CEF fixes this, and you only need to do it on the spokes.
    2. Don't forget to turn off EIGRP split horizon on the HUB, and more specifically don't forget to put the AS number on the no ip split-horizon eigrp command.
    3. If you want to build a direct spoke-to-spoke tunnel, make sure you configure no ip next-hop-self eigrp AS on the hub, or everything will still go through the hub.  You can verify the next hop with the show ip route command.
  6. The IPSEC configuration could vary:
    1. The ISAKMP policy is pretty much the same as it always is: hash, encryption, authentication.
    2. If you do the easy pre-shared key configuration the command is crypto isakmp key 0 the_key address 0.0.0.0 0.0.0.0
    3. You can also do authentication with XAUTH by creating an isakmp profile.
    4. You need to create an ipsec profile to attach the transform set and optionally the isakmp profile.  You do not need the set peer command or the match address command because it's dynamic.
    5. You do not use the crypto map command to apply ipsec; rather, you apply ipsec with the command tunnel protection ipsec profile Name_of_Profile

Well, that turned out to be a ton of notes.  But still, for posterity's sake, let's throw in an example. This example uses simple pre-shared keys.

Example 1: DMVPN with Pre-shared Keys

Hub Config:

hostname R6
!
ip cef
!
The Following Creates the ISAKMP Policy and defines the pre-shared key.
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
The following Creates the Transform Set.  This is later tied to the IPSEC profile:
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
mode transport
!
The following Creates the IPSEC Profile
!
crypto ipsec profile DMVPN
set transform-set 3DES_MD5
!

The Following Creates the Tunnel Interface on the HUB and sets the NHRP Parameters.  Refer to the bullet list above for the details.
!
interface Tunnel0
ip address 100.0.0.6 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 7
ip nhrp authentication ccie
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip tcp adjust-mss 1360
no ip split-horizon eigrp 7
tunnel source Serial0/1/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
ip address 60.0.0.6 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1/0
ip address 150.50.99.6 255.255.255.0
encapsulation frame-relay
frame-relay map ip 150.50.99.4 602
frame-relay map ip 150.50.99.5 605
no frame-relay inverse-arp
!
The Following Enables EIGRP.  Since you don't set a crypto ACL, whatever you specify here is encrypted, along with all the EIGRP routes that you learn from other DMVPN devices.
!
router eigrp 7
network 60.0.0.0
network 100.0.0.0 0.0.0.255
no auto-summary
!

Spoke Config:

This configuration will resemble that of the other spokes.  Change the tunnel interface to reflect a unique host IP and of course you will have a different private network.

hostname R2
!
!
Note on the spoke that CEF has been disabled.
!
no ip cef
!

The Following defines the ISAKMP Policy
!
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
The Following defines the transform set.
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
mode transport
!
The Following Defines the IPSEC Profile:
!
crypto ipsec profile DMVPN
set transform-set 3DES_MD5
!

The following defines the tunnel interface and the NHRP parameters on the spoke.
!
!
interface Tunnel0
ip address 100.0.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication ccie
ip nhrp map multicast 150.50.99.6
ip nhrp map 100.0.0.6 150.50.99.6
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 100.0.0.6
tunnel source Serial0/1/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
!
interface Serial0/1/0
ip address 150.50.99.4 255.255.255.0
encapsulation frame-relay
frame-relay map ip 150.50.99.4 206
frame-relay map ip 150.50.99.5 205
frame-relay map ip 150.50.99.6 206
no frame-relay inverse-arp
!
!
interface FastEthernet1/0
no switchport
ip address 192.1.24.4 255.255.255.0
!
!
Enable EIGRP
!
router eigrp 7
network 100.0.0.0 0.0.0.255
network 192.1.24.0
no auto-summary
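As an added check that is not part of the original notes: a small Python audit that parses trimmed copies of the R6 hub and R2 spoke tunnel configs above and verifies the spoke-side NHRP parameters against the hub (nhs = hub tunnel address, map = hub tunnel to hub NBMA address, multicast map = hub NBMA address, matching authentication string, network-id and IPsec profile). The interface parser, the check list and the abbreviated configs are my own constructions, not part of the lab.

```python
# Constructed, trimmed copies of the R6 hub and R2 spoke tunnel configs shown above.
HUB = """interface Tunnel0
 ip address 100.0.0.6 255.255.255.0
 ip nhrp authentication ccie
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Serial0/1/0
 tunnel protection ipsec profile DMVPN
interface Serial0/1/0
 ip address 150.50.99.6 255.255.255.0
"""
SPOKE = """interface Tunnel0
 ip address 100.0.0.2 255.255.255.0
 ip nhrp authentication ccie
 ip nhrp map multicast 150.50.99.6
 ip nhrp map 100.0.0.6 150.50.99.6
 ip nhrp network-id 100
 ip nhrp nhs 100.0.0.6
 tunnel protection ipsec profile DMVPN
"""

def interfaces(cfg):
    """Map each 'interface X' block to its indented sub-commands (whitespace stripped)."""
    blocks, cur = {}, []
    for line in cfg.splitlines():
        if not line.startswith(" "):  # a top-level command starts or ends a block
            cur = blocks.setdefault(line.split()[1], []) if line.startswith("interface ") else []
        else:
            cur.append(line.strip())
    return blocks

def values(lines, prefix):
    return [l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")]

def audit_spoke(hub_cfg, spoke_cfg):
    """List mismatches between the spoke's Tunnel0 and the hub's; an empty list means consistent."""
    hub, st = interfaces(hub_cfg), interfaces(spoke_cfg)["Tunnel0"]
    ht = hub["Tunnel0"]
    hub_tun_ip = values(ht, "ip address")[0].split()[0]
    # The hub's NBMA address is the address configured on its tunnel source interface.
    hub_nbma_ip = values(hub[values(ht, "tunnel source")[0]], "ip address")[0].split()[0]
    checks = {
        "ip nhrp nhs must be the hub tunnel address": hub_tun_ip in values(st, "ip nhrp nhs"),
        "ip nhrp map must pair the hub tunnel and NBMA addresses": f"{hub_tun_ip} {hub_nbma_ip}" in values(st, "ip nhrp map"),
        "ip nhrp map multicast must be the hub NBMA address": hub_nbma_ip in values(st, "ip nhrp map multicast"),
    }
    # Authentication string, network-id and IPsec profile must match on both ends of the tunnel.
    same = ("ip nhrp authentication", "ip nhrp network-id", "tunnel protection ipsec profile")
    return [msg for msg, ok in checks.items() if not ok] + [
        f"{k} differs from hub" for k in same if values(ht, k) != values(st, k)]
```

Running audit_spoke(HUB, SPOKE) on the configs above returns an empty list; change the spoke's network-id or nhs address and the corresponding problem is reported.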

That's it for this example.  I'll probably add the ISAKMP Profile later or in another post.

For my own personal study I have used the Cisco Documentation, as well as the three books in the Amazon widget below.  Of course I used them on my Kindle.  :)

Kudos to IPExpert

Gotta give kudos to IPexpert.  As tweeted by IPexpert themselves, they are ranked #1137 among America's 5000 fastest growing companies.  Their commitment to all of us in delivering quality products is evident.  How often do you see the President and Founder along with the Vice President of a company directly interact with customers?  Well, they do, and I have to say that because they are involved I am drawn to do business with them.

Kudos Guys and keep up the good work.

CCIE: No more Univercd.

News from Cisco that's probably not a big surprise:

http://www.cisco.com/web/learning/le3/ccie/announcements/index.html#universcd

CCIE labs changing from UniversCD to Cisco Documentation On Sept 24 2008 CCIE labs will no longer support using the UniversCD documentation for the lab exam. All labs are migrating to Cisco Documentation only. For those scheduled to take the CCIE lab prior to Sept 24 access will still be available for UniversCD. The Cisco Documentation pages have the same information that currently resides on UniversCD, please refer to the links on the CCIE web pages to view these pages and become familiar with the new format. After Sept 24 2008 only the Cisco Documentation web pages will be available for CCIE labs.

Time to change my practice plan!