DMVPN Course Material

  • Uploaded by: afrizal lazuardi ichsan

Lab DMVPN - Configure DMVPN

[Topology diagram: HUB (Loopback-1), SPOKE-A (Loopback-2) and SPOKE-B (Loopback-3) each connect through Fa1/0 to the INTERNET cloud, which is formed by NXT-R1, NXT-R2 and NXT-R3 running EIGRP AS 100.]

Device      Interface    IP Address     Subnet Mask        Gateway
NXT-R1      Fa0/0        121.0.0.1      255.255.255.252    -
NXT-R1      Fa0/1        131.0.0.1      255.255.255.252    -
NXT-R1      Fa1/0        192.168.1.2    255.255.255.0      -
NXT-R2      Fa0/0        121.0.0.2      255.255.255.252    -
NXT-R2      Fa0/1        132.0.0.1      255.255.255.252    -
NXT-R2      Fa1/0        192.168.2.2    255.255.255.0      -
NXT-R3      Fa0/0        132.0.0.2      255.255.255.252    -
NXT-R3      Fa0/1        131.0.0.2      255.255.255.252    -
NXT-R3      Fa1/0        192.168.3.2    255.255.255.0      -
HUB         Fa1/0        192.168.1.1    255.255.255.0      -
SPOKE-A     Fa1/0        192.168.2.1    255.255.255.0      -
SPOKE-B     Fa1/0        192.168.3.1    255.255.255.0      -
HUB         Loopback-1   10.10.10.1     255.255.255.0      -
SPOKE-A     Loopback-2   20.20.20.1     255.255.255.0      -
SPOKE-B     Loopback-3   30.30.30.1     255.255.255.0      -

1. Configure the IP addresses according to the topology above.
2. Configure EIGRP AS 100 in the INTERNET area (NXT-R1, NXT-R2, NXT-R3) on all interfaces.
3. Configure a default route on HUB, SPOKE-A and SPOKE-B.

Dynamic Multipoint VPN (DMVPN) is a VPN solution with low administrative overhead that scales better than a mesh of point-to-point tunnels. DMVPN is a Cisco IOS feature that builds IPsec tunnels between peers dynamically. DMVPN combines the following technologies:

1. Dynamic IPsec encryption
2. Multipoint GRE (mGRE)
3. Next-Hop Resolution Protocol (NHRP)
4. A dynamic routing protocol (EIGRP, RIP, OSPF, BGP)

HUB router configuration

ISAKMP Policy & Profile
As when building an ordinary point-to-point VPN, we first define the encryption parameters: AES 256, DH group 5, SHA-1.

HUB(config)#crypto isakmp policy 10
HUB(config-isakmp)#encryption aes 256
HUB(config-isakmp)#group 5
HUB(config-isakmp)#hash sha
HUB(config-isakmp)#authentication pre-share
HUB(config-isakmp)#exit
HUB(config)#crypto isakmp key 0 NIXTRAIN address 0.0.0.0 0.0.0.0

Transform Set / IPsec profile
Configure a custom transform set for tunnel mode, apply it in an IPsec profile, and attach the profile to the tunnel interface.

HUB(config)#crypto ipsec transform-set AES_128-SHA esp-aes 128 ah-sha-hmac
HUB(cfg-crypto-trans)#exit
HUB(config)#crypto ipsec profile IPsecProfile
HUB(ipsec-profile)#set transform-set AES_128-SHA
HUB(ipsec-profile)#int tun 0
HUB(config-if)#tunnel protection ipsec profile IPsecProfile

mGRE interface
Configure the tunnel interface and set the physical interface as the tunnel source (the interface the tunnel is bound to).

HUB(config)#interface tunnel 0
HUB(config-if)#tunnel mode gre multipoint
HUB(config-if)#tunnel key 1
HUB(config-if)#tunnel source fa1/0

NHRP Server
The NHRP server is configured on the tunnel interface. The network-id makes it possible to run multiple NHRP networks, and a password is added for authentication.

HUB(config)#interface tunnel 0
HUB(config-if)#ip nhrp network-id 1
HUB(config-if)#ip nhrp authentication NIXTRAIN
HUB(config-if)#ip nhrp map multicast dynamic

Addressing / MTU
Configure the IP address on the mGRE interface. Important note: every tunnel interface that takes part in the DMVPN must be in the same subnet. In this lab the DMVPN network uses the network address 172.16.16.0/24.

HUB(config)#interface tunnel 0
HUB(config-if)#ip address 172.16.16.1 255.255.255.0
HUB(config-if)#ip mtu 1450
HUB(config-if)#ip tcp adjust-mss 1410

SPOKE router configuration

ISAKMP / Transform set / IPsec profile
Paste the commands below on SPOKE-A and SPOKE-B:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key NIXTRAIN address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set AES_128-SHA ah-sha-hmac esp-aes
!
crypto ipsec profile IPsecProfile
 set transform-set AES_128-SHA

mGRE interface
The configuration is the same as on the HUB router; only the IP address differs. Paste the commands below on SPOKE-A and SPOKE-B, changing the IP address to 172.16.16.3 on SPOKE-B.

interface Tunnel0
 ip address 172.16.16.2 255.255.255.0
 no ip redirects
 ip mtu 1450
 ip nhrp authentication NIXTRAIN
 ip nhrp network-id 1
 ip tcp adjust-mss 1410
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPsecProfile

NHRP Client
The NHRP configuration differs slightly between hub and spoke. Make sure the network-id and the authentication key are the same on both. An NHRP client must be told where the NHRP server (NHS) is so that it can resolve next-hop IP addresses. In this lab the address of the HUB's fa1/0 interface, 192.168.1.1, is used in the map commands.

interface tunnel 0
 ip nhrp nhs 172.16.16.1
 ip nhrp map multicast 192.168.1.1
 ip nhrp map 172.16.16.1 192.168.1.1
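The hub and spoke sections above have to agree on several values (NHRP network-id, authentication key, tunnel key, tunnel subnet, the spokes' NHS and static map pointing at the hub, and an MSS that fits inside the tunnel MTU), and a mismatch in any of them is the usual reason a spoke never registers. The Python check below is an added example, not part of the original lab: the config strings are constructed copies of the lab's Tunnel0 and ISAKMP key lines, HUB_NBMA is the HUB fa1/0 address from the address table, and the findings it reports (including a warning that a pre-shared key bound to 0.0.0.0 0.0.0.0 is accepted from any peer address) are the checks a reviewer would run before bringing the DMVPN up.

```python
"""Consistency check over the hub and spoke Tunnel0 settings from the lab above.
The config strings are constructed copies of the lab's lines (trimmed to what the
check reads); the checks themselves apply to any IOS-style DMVPN config text."""
import ipaddress
import re

HUB_NBMA = "192.168.1.1"  # HUB fa1/0 address from the lab's address table

HUB_CONFIG = """
crypto isakmp key 0 NIXTRAIN address 0.0.0.0 0.0.0.0
interface Tunnel0
 ip address 172.16.16.1 255.255.255.0
 ip mtu 1450
 ip tcp adjust-mss 1410
 ip nhrp authentication NIXTRAIN
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPsecProfile
"""

def spoke_config(tunnel_ip):
    """Spoke Tunnel0 config from the lab; only the tunnel address differs per spoke."""
    return f"""
crypto isakmp key NIXTRAIN address 0.0.0.0 0.0.0.0
interface Tunnel0
 ip address {tunnel_ip} 255.255.255.0
 ip mtu 1450
 ip nhrp authentication NIXTRAIN
 ip nhrp network-id 1
 ip nhrp nhs 172.16.16.1
 ip nhrp map multicast 192.168.1.1
 ip nhrp map 172.16.16.1 192.168.1.1
 ip tcp adjust-mss 1410
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPsecProfile
"""

SPOKE_CONFIGS = {"SPOKE-A": spoke_config("172.16.16.2"), "SPOKE-B": spoke_config("172.16.16.3")}

# One regex per single-valued parameter compared between hub and spokes.
PATTERNS = {
    "mtu": r"ip mtu (\d+)",
    "mss": r"ip tcp adjust-mss (\d+)",
    "nhrp_auth": r"ip nhrp authentication (\S+)",
    "network_id": r"ip nhrp network-id (\d+)",
    "nhs": r"ip nhrp nhs (\S+)",
    "tunnel_key": r"tunnel key (\d+)",
    "ipsec_profile": r"tunnel protection ipsec profile (\S+)",
}

def parse_tunnel(config):
    """Extract the tunnel parameters the check needs from IOS-style config text."""
    params = {"nhrp_map": {}, "psk_wildcard": False}
    for raw in config.splitlines():
        line = raw.strip()
        for name, pat in PATTERNS.items():
            m = re.fullmatch(pat, line)
            if m:
                params[name] = m.group(1)
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m:  # address plus dotted mask, kept as an interface so subnets can be compared
            params["address"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        m = re.fullmatch(r"ip nhrp map (\S+) (\S+)", line)
        if m and m.group(1) != "multicast":  # static tunnel-IP -> NBMA mapping
            params["nhrp_map"][m.group(1)] = m.group(2)
        if re.fullmatch(r"crypto isakmp key (?:[06] )?\S+ address 0\.0\.0\.0 0\.0\.0\.0", line):
            params["psk_wildcard"] = True
    return params

def check_dmvpn(hub_cfg, spoke_cfgs, hub_nbma):
    """Return (severity, router, message) findings; an empty list means consistent."""
    findings = []
    hub = parse_tunnel(hub_cfg)
    routers = [("HUB", hub)] + [(name, parse_tunnel(cfg)) for name, cfg in spoke_cfgs.items()]
    for router, p in routers:
        if "ipsec_profile" not in p:
            findings.append(("ERROR", router, "tunnel has no IPsec protection"))
        # MSS must leave room for the 20-byte IP and 20-byte TCP headers inside the tunnel MTU.
        mtu, mss = int(p.get("mtu", 0)), int(p.get("mss", 0))
        if mtu and mss and mss > mtu - 40:
            findings.append(("WARN", router, f"adjust-mss {mss} exceeds ip mtu {mtu} minus 40"))
        if p["psk_wildcard"]:
            findings.append(("WARN", router, "pre-shared key bound to 0.0.0.0: any host holding the key can negotiate ISAKMP"))
        if router == "HUB":
            continue
        # Spoke values that must match the hub for NHRP registration to succeed.
        for field in ("nhrp_auth", "network_id", "tunnel_key"):
            if p.get(field) != hub.get(field):
                findings.append(("ERROR", router, f"{field} {p.get(field)} differs from hub {hub.get(field)}"))
        if p["address"].network != hub["address"].network:
            findings.append(("ERROR", router, f"tunnel address {p['address']} is outside hub subnet {hub['address'].network}"))
        hub_ip = str(hub["address"].ip)
        if p.get("nhs") != hub_ip:
            findings.append(("ERROR", router, f"nhs {p.get('nhs')} is not the hub tunnel address {hub_ip}"))
        if p["nhrp_map"].get(hub_ip) != hub_nbma:
            findings.append(("ERROR", router, f"nhrp map for {hub_ip} does not point at hub NBMA {hub_nbma}"))
    return findings
```

Run against the lab's own values, `check_dmvpn(HUB_CONFIG, SPOKE_CONFIGS, HUB_NBMA)` returns only the three wildcard-key warnings; change a spoke's network-id or put its tunnel address in another subnet and the corresponding ERROR findings appear.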

Enter the NHRP client commands on all SPOKE routers.

DMVPN verification

HUB#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     192.168.2.1      172.16.16.2    UP    never     D
     1     192.168.3.1      172.16.16.3    UP    never     D

SPOKE-A#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     192.168.1.1      172.16.16.1    UP 00:07:42     S

SPOKE-B#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     192.168.1.1      172.16.16.1    UP 00:06:41     S

ISAKMP and IPsec verification

HUB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.2.1     QM_IDLE           1001    0 ACTIVE
192.168.1.1     192.168.3.1     QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE-A#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.2.1     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE-B#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.3.1     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
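The two verification outputs above are what an operator reads by eye once; in production they are what a monitoring job should parse on a schedule. The Python below is an added example, not part of the original lab: the transcripts are constructed copies of the HUB and SPOKE-A output shown above, and the checks flag what would page someone (a peer count other than expected, an NHRP peer not in state UP, a spoke with no static entry for its NHS, or an IKE SA that is not QM_IDLE/ACTIVE).

```python
"""Health check over `show dmvpn` and `show crypto isakmp sa` output, as seen above.
The transcripts below are constructed copies of the lab's HUB and SPOKE-A output;
the parsers only rely on the row layout of those two commands."""
import re

SHOW_DMVPN_HUB = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     192.168.2.1      172.16.16.2    UP    never     D
     1     192.168.3.1      172.16.16.3    UP    never     D
"""

SHOW_DMVPN_SPOKE_A = """\
Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     192.168.1.1      172.16.16.1    UP 00:07:42     S
"""

SHOW_ISAKMP_HUB = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.2.1     QM_IDLE           1001    0 ACTIVE
192.168.1.1     192.168.3.1     QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

SHOW_ISAKMP_SPOKE_A = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.2.1     QM_IDLE           1001    0 ACTIVE
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
TUNNEL_RE = re.compile(r"^(\S+), Type:(\w+), NHRP Peers:(\d+),")
PEER_RE = re.compile(rf"^\s*(\d+)\s+{IPV4}\s+{IPV4}\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SA_RE = re.compile(rf"^{IPV4}\s+{IPV4}\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_show_dmvpn(text):
    """Return (tunnel type, declared peer count, list of peer dicts)."""
    ttype, declared, peers = None, 0, []
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            ttype, declared = m.group(2), int(m.group(3))
            continue
        m = PEER_RE.match(line)
        if m:
            peers.append({"entries": int(m.group(1)), "nbma": m.group(2), "tunnel": m.group(3),
                          "state": m.group(4), "updown": m.group(5), "attrb": m.group(6)})
    return ttype, declared, peers

def parse_isakmp_sa(text):
    """Return one dict per IKE SA row."""
    rows = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "conn_id": int(m.group(4)), "status": m.group(6)})
    return rows

def dmvpn_alerts(router, show_dmvpn, show_isakmp, expected_peers):
    """Alerts a monitoring job would raise for one router; an empty list means healthy."""
    alerts = []
    ttype, declared, peers = parse_show_dmvpn(show_dmvpn)
    if declared != expected_peers or len(peers) != expected_peers:
        alerts.append(f"{router}: expected {expected_peers} NHRP peers, found {len(peers)} (declared {declared})")
    for p in peers:
        if p["state"] != "UP":  # e.g. NHRP, IKE or IPSEC while a tunnel is still negotiating
            alerts.append(f"{router}: peer {p['tunnel']} ({p['nbma']}) is in state {p['state']}")
    # A spoke must hold a static (S) entry for its NHS; without one the nhs/map lines
    # are missing and next-hop resolution cannot work.
    if ttype == "Spoke" and not any("S" in p["attrb"] for p in peers):
        alerts.append(f"{router}: no static NHRP entry for the NHS")
    sas = parse_isakmp_sa(show_isakmp)
    if len(sas) < expected_peers:
        alerts.append(f"{router}: only {len(sas)} ISAKMP SAs for {expected_peers} peers")
    for sa in sas:
        if sa["state"] != "QM_IDLE" or sa["status"] != "ACTIVE":
            alerts.append(f"{router}: IKE SA {sa['src']} -> {sa['dst']} is {sa['state']}/{sa['status']}")
    return alerts
```

With the lab's output both `dmvpn_alerts("HUB", SHOW_DMVPN_HUB, SHOW_ISAKMP_HUB, 2)` and the SPOKE-A call return an empty list; a peer stuck in IKE or an SA in MM_NO_STATE produces one alert line each.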

Lab DMVPN - Routing / Dynamic Mesh

[Topology diagram, same as the previous lab: HUB (Loopback-1), SPOKE-A (Loopback-2) and SPOKE-B (Loopback-3) each connect through Fa1/0 to the INTERNET cloud formed by NXT-R1, NXT-R2 and NXT-R3 running EIGRP AS 100.]

Continuing the topology of the previous lab (Lab 65), configure EIGRP AS 200 between the HUB and the SPOKE routers. EIGRP uses the multicast address 224.0.0.10 to send its updates, but when every update is originated by the HUB router, the HUB will always be installed as the next hop. To prevent this, use the command no ip next-hop-self eigrp. Because the HUB both sends and receives updates on the same interface, tunnel0, split horizon must be disabled there; otherwise it prevents routes learned from one spoke from being re-advertised to the others. Split horizon is a loop-prevention mechanism, so it is disabled only on the hub's mGRE tunnel interface.

HUB(config)#router eigrp 200
HUB(config-router)#network 10.10.10.0 0.0.0.255
HUB(config-router)#network 172.16.16.0 0.0.0.255
HUB(config-router)#no auto-summary
HUB(config-router)#
HUB(config-router)#interface tunnel 0
HUB(config-if)#no ip next-hop-self eigrp 200
HUB(config-if)#no ip split-horizon eigrp 200

The SPOKE routers use a standard EIGRP configuration:

SPOKE-A(config)#router eigrp 200
SPOKE-A(config-router)#network 20.20.20.0 0.0.0.255
SPOKE-A(config-router)#network 172.16.16.0 0.0.0.255
SPOKE-A(config-router)#no au
*Mar  1 00:30:44.723: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.16.16.1 (Tunnel0) is up: new adjacency
SPOKE-A(config-router)#no auto-summary
SPOKE-A(config-router)#
*Mar  1 00:30:47.659: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.16.16.1 (Tunnel0) is resync: summary configured

SPOKE-B(config)#router eigrp 200
SPOKE-B(config-router)#network 30.30.30.0 0.0.0.255
SPOKE-B(config-router)#network 172.16.16.0 0.0.0.255
SPOKE-B(config-router)#no aut
*Mar  1 00:31:45.743: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.16.16.1 (Tunnel0) is up: new adjacency
SPOKE-B(config-router)#no auto-summary
SPOKE-B(config-router)#
*Mar  1 00:31:49.555: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.16.16.1 (Tunnel0) is resync: summary configured

Routing table verification

SPOKE-A#show ip route | b Gate
Gateway of last resort is 192.168.2.2 to network 0.0.0.0

     20.0.0.0/24 is subnetted, 1 subnets
C       20.20.20.0 is directly connected, Loopback2
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.16.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
D       10.10.10.0 [90/297372416] via 172.16.16.1, 00:00:23, Tunnel0
C    192.168.2.0/24 is directly connected, FastEthernet1/0
     30.0.0.0/24 is subnetted, 1 subnets
D       30.30.30.0 [90/310172416] via 172.16.16.3, 00:00:16, Tunnel0
S*   0.0.0.0/0 [1/0] via 192.168.2.2

SPOKE-B#show ip route | b Gate
Gateway of last resort is 192.168.3.2 to network 0.0.0.0

     20.0.0.0/24 is subnetted, 1 subnets
D       20.20.20.0 [90/310172416] via 172.16.16.2, 00:00:56, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.16.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
D       10.10.10.0 [90/297372416] via 172.16.16.1, 00:00:56, Tunnel0
C    192.168.3.0/24 is directly connected, FastEthernet1/0
     30.0.0.0/24 is subnetted, 1 subnets
C       30.30.30.0 is directly connected, Loopback3
S*   0.0.0.0/0 [1/0] via 192.168.3.2
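The routing tables above are the proof that no ip next-hop-self eigrp 200 on the HUB worked: on SPOKE-A the route to 30.30.30.0 (SPOKE-B's loopback) has next hop 172.16.16.3, the remote spoke's tunnel address, not the hub's 172.16.16.1. The Python below is an added example, not part of the original lab: it parses the SPOKE-A table (a constructed copy of the output above, with HUB_TUNNEL_IP and HUB_NETWORKS taken from the lab's addressing) and lists any EIGRP route over Tunnel0 that still uses the hub as next hop for a prefix the hub does not originate, which is the symptom of next-hop-self being left in effect.

```python
"""Check that spoke-to-spoke routes learned over the DMVPN point at the remote spoke's
tunnel address rather than at the hub, which is what `no ip next-hop-self eigrp 200`
on the HUB is meant to achieve. The routing table is a constructed copy of SPOKE-A's
output above; hub and spoke tunnel addresses come from the lab's addressing."""
import re

HUB_TUNNEL_IP = "172.16.16.1"
HUB_NETWORKS = {"10.10.10.0/24", "172.16.16.0/24"}  # prefixes the hub itself originates

SPOKE_A_ROUTES = """\
Gateway of last resort is 192.168.2.2 to network 0.0.0.0

     20.0.0.0/24 is subnetted, 1 subnets
C       20.20.20.0 is directly connected, Loopback2
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.16.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
D       10.10.10.0 [90/297372416] via 172.16.16.1, 00:00:23, Tunnel0
C    192.168.2.0/24 is directly connected, FastEthernet1/0
     30.0.0.0/24 is subnetted, 1 subnets
D       30.30.30.0 [90/310172416] via 172.16.16.3, 00:00:16, Tunnel0
S*   0.0.0.0/0 [1/0] via 192.168.2.2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SUBNET_RE = re.compile(rf"^\s+{IPV4}/(\d+) is subnetted")
DYN_RE = re.compile(rf"^(\S+)\s+({IPV4}(?:/\d+)?)\s+\[(\d+)/(\d+)\]\s+via\s+({IPV4})"
                    r"(?:,\s*([\d:]+))?(?:,\s*(\S+))?\s*$")
CONN_RE = re.compile(rf"^(\S+)\s+({IPV4}(?:/\d+)?)\s+is directly connected,\s*(\S+)\s*$")

def with_len(prefix, plen):
    """Attach the inherited prefix length when the route line omits it."""
    return prefix if "/" in prefix else f"{prefix}/{plen}"

def parse_routes(text):
    """Parse `show ip route` lines into dicts with full prefix, code, next hop and interface."""
    routes, plen = [], None
    for line in text.splitlines():
        m = SUBNET_RE.match(line)
        if m:  # classful header: the subnet lines that follow inherit this prefix length
            plen = m.group(1)
            continue
        m = DYN_RE.match(line)
        if m:
            routes.append({"code": m.group(1), "prefix": with_len(m.group(2), plen), "ad": int(m.group(3)),
                           "metric": int(m.group(4)), "via": m.group(5), "iface": m.group(7)})
            continue
        m = CONN_RE.match(line)
        if m:
            routes.append({"code": m.group(1), "prefix": with_len(m.group(2), plen), "ad": 0,
                           "metric": 0, "via": None, "iface": m.group(3)})
    return routes

def routes_via_hub(routes, hub_tunnel_ip=HUB_TUNNEL_IP, hub_networks=HUB_NETWORKS):
    """EIGRP routes over Tunnel0 that still use the hub as next hop for another spoke's prefix.
    A non-empty result means next-hop-self is still in effect, so spoke-to-spoke traffic
    will hairpin through the hub instead of triggering NHRP resolution of a direct tunnel."""
    return sorted(r["prefix"] for r in routes
                  if r["code"] == "D" and r["iface"] == "Tunnel0"
                  and r["via"] == hub_tunnel_ip and r["prefix"] not in hub_networks)
```

On the lab's SPOKE-A table `routes_via_hub(parse_routes(SPOKE_A_ROUTES))` is empty; if the 30.30.30.0 route showed via 172.16.16.1 instead, the function would return it, pointing straight at the missing no ip next-hop-self on the hub.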

Ping verification between loopbacks

SPOKE-A#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/118/128 ms

SPOKE-A#ping 30.30.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.30.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 200/231/276 ms

SPOKE-A#ping 10.10.10.1 source loopback2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 20.20.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/112/136 ms

SPOKE-A#ping 30.30.30.1 source loopback2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.30.30.1, timeout is 2 seconds:
Packet sent with a source address of 20.20.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/122/152 ms
