7200emu.hacki.at Forum Index 7200emu.hacki.at
Dynamips, Dynagen and all that stuff
 
DMVPN Challenge

 
sankilla
Joined: 21 Dec 2006
Posts: 140
Location: United States

Posted: Sun Jan 20, 2008 4:54 am    Post subject: DMVPN Challenge

OK, thought I would make my little experiment available to the masses...while studying the DMVPN configurations and ideas I created this lab to test myself. So, I thought I'd also make it available to those who are studying for CCIE Security or advanced CCSP. Tell me what you think, please please...keep the thread clean, don't bombard it with babble typing...PLEASE!

I'll post my configuration and .net files in a few days...Good Luck. Please PM me if you have questions about the options and requirements. Again, this is for those who are studying CCIE and strong CCNP configurations; if you are not good with Frame Relay, EIGRP, OSPF, GRE tunnels, or IPSec this lab will be very hard for you........"wink, wink"....Thanks again for the awesome support everyone...!

Quote:
DUAL HUB DMVPN Challenge: A customer has hired you to configure 4 routers for them. Their requirements are listed below, keep in mind that this is only the start and many more routers will follow as the company begins to expand.

Equipment Needed:
4 routers (IOS must be at minimum 12.3 and support cryptographic services)
min 1 FastEthernet
min 1 Serial Interface
1 FRS
1 lan device

1.) Configure 2 hub routers, HUB-A & HUB-B, at a central site and 2 remote site routers, Spoke1 & Spoke2; each should have redundant links to each HUB router
2.) Each router will have a private RFC 1918 LAN subnet using a CIDR /24; they cannot be overlapping, and the HQ LAN segment must have redundancy to the L3 gateway.
3.) Public interfaces should be multipoint Frame Relay connections; IP addressing for each WAN interface should be public routable IPs, and each WAN interface can be in the same subnet range
4.) No dynamic routing and no static routes allowed openly on the public internet; all private IP addresses will be dropped by your ISP
5.) You must allow your corporate LAN subnets the ability to reach each remote site dynamically
6.) All routing must be dynamic
7.) All LAN to LAN traffic must be encrypted
8.) HQ LAN segment must always be reachable from a remote site perspective


Remember you are using Dynamic Multipoint VPN configuration, good luck.
A complete configuration will be provided; you should also submit your configuration once you believe you have achieved the end result.

sankilla
Joined: 21 Dec 2006
Posts: 140
Location: United States

Posted: Wed Jan 23, 2008 3:29 am

ok, No takers......HMMMMM ok, here is the lab that I put together check it out if you want and let me know what you think...

There are two labs if you want them...

sankilla
Joined: 21 Dec 2006
Posts: 140
Location: United States

Posted: Wed Jan 23, 2008 3:31 am

Here are the labs for the Dual HUB DMVPN configuration

x-men2
Guest

Posted: Thu Jan 24, 2008 11:20 pm

Only one question:
Do these configs work?
(I'm not an Englishman and I miss the "spoke" router)

sankilla
Joined: 21 Dec 2006
Posts: 140
Location: United States

Posted: Sat Jan 26, 2008 10:58 pm

Yes, the .net file works great, and the configs are complete....

Us3rN4me
Joined: 01 Jun 2007
Posts: 22
Location: USA

Posted: Thu Feb 07, 2008 3:14 am

Thank you for your post. I am working with your configs so as to understand DMVPN.

I've been tasked with setting up DMVPN as a backup link to the primary ethernet wireless connection. It is a single hub with eight spokes. The routing protocol is EIGRP.

My question involves at what point does traffic begin using the DMVPN tunnel if setup as a backup link? It sounds as if it isn't a DMVPN issue but rather an EIGRP config and which link has preference. Again, thanks for your post.

HUB
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key password address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ts_dmvpn esp-aes 256 esp-sha-hmac
!
crypto ipsec profile dmvpn
 set transform-set ts_dmvpn
!
interface Tunnel0
 description DMVPN Connection to the Internet
 ip address 172.16.31.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication password123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1234
 tunnel source Gi0/1
 tunnel key 2332
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
 bandwidth 100000
 ip tcp adjust-mss 1360
 ip nhrp holdtime 450
 delay 1000
 no ip split-horizon eigrp 100

spoke
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key password address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ts_dmvpn esp-aes 256 esp-sha-hmac
!
crypto ipsec profile dmvpn
 set transform-set ts_dmvpn
!
interface Tunnel0
 description DMVPN backup Link to Main
 ip address 172.16.31.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication password123
 ip nhrp map 172.16.31.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp nhs 172.16.31.1
 ip nhrp network-id 1234
 tunnel source vlan203
 tunnel key 2332
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
 bandwidth 100000
 ip tcp adjust-mss 1360
 ip nhrp holdtime 450
 delay 1000
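
The hub configuration posted above, run through a small static check for three things a reviewer would look at before deploying it: a pre-shared key bound to the wildcard address, a Diffie-Hellman group of 1536 bits or fewer, and an mGRE tunnel without tunnel protection. This is an added example, not part of the original thread or the poster's own tooling. It assumes sub-commands are indented the way show running-config prints them; parse_sections, audit and the Tunnel1 interface are names made up for the example.

```python
import re
# Constructed sample: Tunnel0 and the crypto lines are abridged from the hub
# configuration posted above; Tunnel1 is an invented negative case.
SAMPLE = """\
crypto isakmp policy 10
 group 2
crypto isakmp key password address 0.0.0.0 0.0.0.0
crypto ipsec profile dmvpn
 set transform-set ts_dmvpn
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
interface Tunnel1
 tunnel mode gre multipoint
"""
WEAK_DH = {"1", "2", "5"}  # MODP groups of 1536 bits or fewer

def parse_sections(text):
    """Group indented sub-commands under their top-level IOS command."""
    sections = []
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit(text):
    """Return (section, finding) pairs; key material is never echoed."""
    sections = parse_sections(text)
    profiles = {h.split()[-1] for h, _ in sections
                if h.startswith("crypto ipsec profile ")}
    out = []
    for head, body in sections:
        if re.match(r"crypto isakmp key (\d )?\S+ address 0\.0\.0\.0\b", head):
            out.append(("crypto isakmp key", "pre-shared key accepted from any peer"))
        if head.startswith("crypto isakmp policy "):
            out += [(head, "weak Diffie-Hellman " + c) for c in body
                    if c.startswith("group ") and c.split()[1] in WEAK_DH]
        if "tunnel mode gre multipoint" in body:
            prot = [c.split()[4] for c in body
                    if c.startswith("tunnel protection ipsec profile ")]
            if not prot:
                out.append((head, "mGRE tunnel has no IPsec tunnel protection"))
            elif prot[0] not in profiles:
                out.append((head, "tunnel protection names an undefined profile"))
    return out
```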

sankilla
Joined: 21 Dec 2006
Posts: 140
Location: United States

Posted: Sun Feb 10, 2008 4:02 am

What type of internet backup circuits are you using...FR, ISDN, EVDO, ?

sankilla
Joined: 21 Dec 2006
Posts: 140
Location: United States

Posted: Sun Feb 10, 2008 4:47 am

What type of internet backup circuits are you using...FR, ISDN, EVDO, ?

Us3rN4me
Joined: 01 Jun 2007
Posts: 22
Location: USA

Posted: Sun Feb 10, 2008 9:44 am

Cable Modem / DSL approx - 3 Mbps. up 1 Mbps down.

I have DMVPN set up and EIGRP recognizing both links. The current issue is EIGRP has equal cost load balancing and it is causing a slow down. What I'd like to do is set up Policy Based Routing so the Ethernet Wireless is the preferred route. Also, I am working with the Variance option too. Last, I am looking into whether two instances of EIGRP with Redist would help. My task involves optimizing EIGRP so the following takes place -

1.) Wireless is preferred Route
2.) Configure for fast convergence
3.) Or Configure unequal load balancing without performance hits.

nd0627
Joined: 15 Aug 2006
Posts: 13

Posted: Sun Feb 10, 2008 10:59 pm

Does anyone here know what software was used to draw dmvpn.png and dmvpn2.png?

I'm currently using MS Office Visio 2k3. I am not sure if I'm just missing some modules.

Thanks.

sankilla
Joined: 21 Dec 2006
Posts: 140
Location: United States

Posted: Sun Feb 10, 2008 11:53 pm

You can use MS Visio to save a copy of your Visio as a .png, or you can use GNS3 and export the diagram, which shows you a .png file.


Us3rN4me, I'm researching the answer to your question as it is an interesting one. If you want the DMVPN to be up all the time with the bulk of your traffic going over the Wireless link, then the easiest way would be to use the variance command. If you are looking for the DMVPN to only come up when the primary link goes down, "this would be hard". I was looking at using a form of what we do in BGP with route watching, to bring up the DMVPN connections, but the answer is elusive. I will continue to try and formulate a working config, and if you find a solution I would be interested in seeing it. Thanks SanKilla

Us3rN4me
Joined: 01 Jun 2007
Posts: 22
Location: USA

Posted: Mon Feb 11, 2008 2:57 am

nd0627
Packet Icons for Visio can be found here
http://www.cisco.com/web/about/ac50/ac47/2.html

sankilla - thank you for giving it some thought. For convergence time - having the DMVPN up all the time will be essential - I'll go with the variance cmd.

Question: how do you enable "show DMVPN" cmd? I am using a C3640-JK9S-M 12.4(16) for my test lab. Cisco documentation states the command is not enabled.

sankilla
Joined: 21 Dec 2006
Posts: 140
Location: United States

Posted: Mon Feb 11, 2008 4:58 am

Well, there are no DMVPN show commands, you will need to use the protocol show commands, remember nhrp is the protocol that really makes DMVPN work...much like TED from the old days...

router#show ip nhrp