Topology:
Use the configuration from Overlay VPN task #5 as the initial configuration for this task.
Requirements:
Change the configuration from the previous task to comply with the new requirements:
1. Allow direct branch to branch communication.
2. Protect the customer sites so that an attacker located in the public network (AS30, AS31) cannot inject traffic into the GRE tunnel by spoofing source and destination addresses. Don't use IPsec to complete this requirement.
3. You are only allowed to change configuration of R7 and R8 to complete this task.
Solution:
This task requires an understanding of DMVPN phase II and of the tunnel key mechanism.
Requirement #1 - switching from the spoke-hub-spoke path to a direct spoke-spoke path requires a DMVPN phase II or phase III configuration. Since phase III would also require configuration changes on router R6, the solution for this task uses DMVPN phase II: change the spoke tunnels from GRE to mGRE mode and remove the tunnel destination configuration.
Requirement #2 - the tunnel key provides a "weak" protection mechanism against spoofed packets injected towards the GRE tunnel endpoint: a keyed tunnel drops GRE packets whose key field is absent or does not match. The tunnel key value must match between all peers. The protection is weak because the key is carried in cleartext in the GRE header, so anyone able to capture tunnel traffic can read it.
R6:
!
interface Tunnel1
ip address 10.0.0.6 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip ospf network broadcast
ip ospf priority 255
ip ospf 1 area 0
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
!
R7:
!
interface Tunnel1
ip address 10.0.0.7 255.255.255.0
no ip redirects
ip nhrp map 10.0.0.6 30.0.16.6
ip nhrp map multicast 30.0.16.6
ip nhrp network-id 100
ip nhrp nhs 10.0.0.6
ip ospf network broadcast
ip ospf priority 0
ip ospf 1 area 0
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
!
R8:
!
interface Tunnel1
ip address 10.0.0.8 255.255.255.0
no ip redirects
ip nhrp map 10.0.0.6 30.0.16.6
ip nhrp map multicast 30.0.16.6
ip nhrp network-id 100
ip nhrp nhs 10.0.0.6
ip ospf network broadcast
ip ospf priority 0
ip ospf 1 area 0
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
!
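What the tunnel key does, and why the protection is called "weak", as an added Python example (not part of the original task and not Cisco code): it builds and parses GRE headers with the RFC 2890 Key field, models a keyed tunnel endpoint that drops packets whose key is absent or wrong, and shows that the key itself is readable from any captured tunnel packet. The endpoint model and the sample payload are constructed assumptions.

```python
import struct

# GRE flag bits in the first 16-bit word of the header (RFC 2784 / RFC 2890)
GRE_FLAG_C = 0x8000  # Checksum present
GRE_FLAG_K = 0x2000  # Key present
GRE_FLAG_S = 0x1000  # Sequence Number present
TUNNEL_KEY = 123456  # value from "tunnel key 123456" in the configs above

def build_gre(payload, key=None, proto=0x0800):
    """Prepend a GRE header to payload; a key adds the 32-bit Key field."""
    flags = GRE_FLAG_K if key is not None else 0
    header = struct.pack("!HH", flags, proto)
    if key is not None:
        header += struct.pack("!I", key)
    return header + payload

def parse_gre(packet):
    """Return (key, protocol, payload); key is None when the K flag is clear.
    Nothing is decrypted here: the Key field is plain bytes on the wire."""
    flags, proto = struct.unpack("!HH", packet[:4])
    offset = 4
    if flags & GRE_FLAG_C:
        offset += 4  # Checksum + Reserved1
    key = None
    if flags & GRE_FLAG_K:
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_S:
        offset += 4  # Sequence Number
    return key, proto, packet[offset:]

def tunnel_accepts(packet, configured_key):
    """Simplified model of a keyed tunnel endpoint (an assumption, not IOS code):
    accept only if the packet's Key field equals the configured key."""
    key, _, _ = parse_gre(packet)
    return key == configured_key

def demo():
    """Constructed samples as the R7/R8 tunnel interface would see them:
    correct key, wrong key, and no key at all."""
    inner = b"\x45\x00" + b"\x00" * 18  # constructed stand-in for an inner IPv4 packet
    good = build_gre(inner, key=TUNNEL_KEY)
    return {
        "good_accepted": tunnel_accepts(good, TUNNEL_KEY),
        "wrong_key_accepted": tunnel_accepts(build_gre(inner, key=1), TUNNEL_KEY),
        "unkeyed_accepted": tunnel_accepts(build_gre(inner), TUNNEL_KEY),
        "key_readable_from_capture": parse_gre(good)[0],  # 123456, in cleartext
    }
```

The last entry is the point of requirement #2's "weak": the key filters blind spoofing from AS30/AS31, but an observer with a capture of the tunnel traffic can read it directly from the header.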
Verification:
Note the change of path from spoke-hub-spoke to direct spoke-spoke in two consecutive traces: the first trace still goes through the hub while NHRP resolution completes, the second uses the direct spoke-to-spoke tunnel:
R8# traceroute 10.7.1.1 source 10.8.1.1
Type escape sequence to abort.
Tracing the route to 10.7.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.6 5 msec 5 msec 5 msec
2 10.0.0.7 5 msec 5 msec 5 msec
R8# traceroute 10.7.1.1 source 10.8.1.1
Type escape sequence to abort.
Tracing the route to 10.7.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.7 0 msec 5 msec 6 msec