Topology:
Use the configuration from Overlay VPN task #6 as the initial configuration for this task.
Requirements:
Change the configuration produced in the previous task to comply with the new requirements.
The goal is to increase the scalability of the previous solution so that it can support a large number of spoke sites.
1. Replace the OSPF-based routing with BGP. Use AS6500X for each site, where X is the router number.
2. Each branch router shall advertise its 10.X/16 network to the HQ router.
3. The HQ router shall only advertise network 10/8 to the branch routers.
4. Branch-to-branch traffic shall be allowed to follow the direct path, not go via the HQ router.
5. Ensure confidentiality and integrity of customer traffic traversing AS30 and AS31.
Solution:
This task requires an understanding of DMVPN phase III, of using IPsec to protect DMVPN traffic, and of basic BGP configuration and aggregation.
Requirements #1-3: remove the OSPF configuration and configure BGP on each router. On R6, use aggregate-address with summary-only to advertise the 10/8 aggregate and suppress the individual prefixes inside it.
Requirement #4: direct branch-to-branch traffic requires DMVPN phase III. DMVPN phase I also allows routing information to be suppressed at the spokes, but it does not give direct spoke-to-spoke forwarding.
Requirement #5: providing both data confidentiality and integrity requires IPsec with ESP (AH provides integrity only, not confidentiality). Configure an ISAKMP policy, a transform-set and an IPsec profile, and apply the profile to the tunnel interface with the tunnel protection command.
R6:
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 14
crypto isakmp key SECRET address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
set transform-set TS
!
!
interface Tunnel1
ip address 10.0.0.6 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp redirect
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile PROTECT
!
!
router bgp 65006
bgp log-neighbor-changes
network 10.6.0.0 mask 255.255.0.0
aggregate-address 10.0.0.0 255.0.0.0 summary-only
neighbor 10.0.0.7 remote-as 65007
neighbor 10.0.0.8 remote-as 65008
!
ip route 10.6.0.0 255.255.0.0 Null0
R7:
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 14
crypto isakmp key SECRET address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
set transform-set TS
!
!
interface Tunnel1
ip address 10.0.0.7 255.255.255.0
no ip redirects
ip nhrp map 10.0.0.6 30.0.16.6
ip nhrp map multicast 30.0.16.6
ip nhrp network-id 100
ip nhrp nhs 10.0.0.6
ip nhrp shortcut
ip nhrp redirect
ip ospf network point-to-multipoint
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile PROTECT
!
!
router bgp 65007
bgp log-neighbor-changes
network 10.7.0.0 mask 255.255.0.0
neighbor 10.0.0.6 remote-as 65006
!
ip route 10.7.0.0 255.255.0.0 Null0
R8:
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 14
crypto isakmp key SECRET address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
set transform-set TS
!
!
interface Tunnel1
ip address 10.0.0.8 255.255.255.0
no ip redirects
ip nhrp map 10.0.0.6 30.0.16.6
ip nhrp map multicast 30.0.16.6
ip nhrp network-id 100
ip nhrp nhs 10.0.0.6
ip nhrp shortcut
ip ospf network point-to-multipoint
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile PROTECT
!
!
router bgp 65008
bgp log-neighbor-changes
network 10.8.0.0 mask 255.255.0.0
neighbor 10.0.0.6 remote-as 65006
!
ip route 10.8.0.0 255.255.0.0 Null0
Verification:
R7# sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 31.0.57.5 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 31.0.57.5
10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
B 10.0.0.0/8 [20/0] via 10.0.0.6, 00:46:49
C 10.0.0.0/24 is directly connected, Tunnel1
L 10.0.0.7/32 is directly connected, Tunnel1
S 10.7.0.0/16 is directly connected, Null0
C 10.7.1.0/24 is directly connected, Ethernet0/1
L 10.7.1.1/32 is directly connected, Ethernet0/1
C 10.7.7.7/32 is directly connected, Loopback0
H 10.8.1.0/24 [250/1] via 10.0.0.8, 00:46:32, Tunnel1
H 10.8.8.8/32 [250/1] via 10.0.0.8, 00:40:52, Tunnel1
31.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 31.0.57.0/24 is directly connected, Ethernet0/0
L 31.0.57.7/32 is directly connected, Ethernet0/0
R7# traceroute 10.8.1.1
Type escape sequence to abort.
Tracing the route to 10.8.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.8 [AS 65006] 6 msec 6 msec 5 msec
R6# sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 30.0.16.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 30.0.16.1
10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
B 10.0.0.0/8 [200/0] via 0.0.0.0, 00:50:15, Null0
C 10.0.0.0/24 is directly connected, Tunnel1
L 10.0.0.6/32 is directly connected, Tunnel1
S 10.6.0.0/16 is directly connected, Null0
C 10.6.1.0/24 is directly connected, Ethernet0/1
L 10.6.1.1/32 is directly connected, Ethernet0/1
C 10.6.6.6/32 is directly connected, Loopback0
B 10.7.0.0/16 [20/0] via 10.0.0.7, 00:47:19
B 10.8.0.0/16 [20/0] via 10.0.0.8, 00:47:19
30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 30.0.16.0/24 is directly connected, Ethernet0/0
L 30.0.16.6/32 is directly connected, Ethernet0/0
R6# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
30.0.16.6 30.0.38.8 QM_IDLE 1001 ACTIVE
30.0.16.6 31.0.57.7 QM_IDLE 1002 ACTIVE
R6#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 30.0.16.6
protected vrf: (none)
local ident (addr/mask/prot/port): (30.0.16.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
current_peer 31.0.57.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
#pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.0.16.6, remote crypto endpt.: 31.0.57.7
path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x66AFBB2D(1722792749)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x4371DE8C(1131536012)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4215914/2423)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x66AFBB2D(1722792749)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4215914/2423)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (30.0.16.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (30.0.38.8/255.255.255.255/47/0)
current_peer 30.0.38.8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.0.16.6, remote crypto endpt.: 30.0.38.8
path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x36039CEC(906206444)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFEE943A(267293754)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4249146/2413)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x36039CEC(906206444)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4249146/2413)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R7#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 31.0.57.7
protected vrf: (none)
local ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (30.0.38.8/255.255.255.255/47/0)
current_peer 30.0.38.8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 31.0.57.7, remote crypto endpt.: 30.0.38.8
path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x9A5210E0(2589069536)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x400F81E6(1074758118)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4371174/2369)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9A5210E0(2589069536)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4371174/2369)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (30.0.16.6/255.255.255.255/47/0)
current_peer 30.0.16.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52
#pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 31.0.57.7, remote crypto endpt.: 30.0.16.6
path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x4371DE8C(1131536012)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x66AFBB2D(1722792749)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4217048/2369)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4371DE8C(1131536012)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4217048/2369)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
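Requirement #5 can likewise be verified from `show crypto ipsec sa` output rather than by eye. The Python script below is an added example, not part of the lab. It parses the per-peer SA sections (sample lines are trimmed from the R6 output above) and accepts a peer only if it has an ACTIVE inbound and outbound ESP SA whose transform carries both an encryption algorithm and an HMAC, with anti-replay enabled. To show the distinction the solution text makes between ESP and AH, a second, constructed peer block (placeholder address 192.0.2.99) carries AH-only SAs, which give integrity without confidentiality and are rejected.

```python
import re
from typing import Dict, List

# Lines trimmed from the R6 `show crypto ipsec sa` output for peer 31.0.57.7. The real
# output is indented; the parser strips leading whitespace.
R6_IPSEC_SA = """\
interface: Tunnel1
protected vrf: (none)
remote ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
current_peer 31.0.57.7 port 500
inbound esp sas:
spi: 0x4371DE8C(1131536012)
transform: esp-aes esp-sha-hmac ,
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x66AFBB2D(1722792749)
transform: esp-aes esp-sha-hmac ,
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
"""

# Constructed peer block (not from the lab, placeholder address): AH-only SAs, which
# authenticate the GRE packets but do not encrypt them.
AH_ONLY_PEER = """\
protected vrf: (none)
remote ident (addr/mask/prot/port): (192.0.2.99/255.255.255.255/47/0)
inbound esp sas:
inbound ah sas:
spi: 0x11111111(286331153)
transform: ah-sha-hmac ,
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound esp sas:
outbound ah sas:
spi: 0x22222222(572662306)
transform: ah-sha-hmac ,
replay detection support: Y
Status: ACTIVE(ACTIVE)
"""

PEER_RE = re.compile(r"remote ident.*?\((\d+(?:\.\d+){3})/")


def parse_ipsec_sas(text: str) -> List[Dict[str, str]]:
    """Return one record per SA: peer, direction (inbound/outbound), proto (esp/ah/pcp),
    spi, transform, anti-replay flag and status."""
    sas, peer, section, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:                              # a new peer block starts
            peer, section, cur = m.group(1), None, None
        elif line.endswith(" sas:"):       # e.g. "inbound esp sas:"
            section, cur = line[:-len(" sas:")], None
        elif line.startswith("spi:") and section is not None:
            direction, proto = section.split()
            cur = {"peer": peer, "direction": direction, "proto": proto,
                   "spi": line.split()[1].split("(")[0],
                   "transform": "", "replay": "", "status": ""}
            sas.append(cur)
        elif cur is not None and line.startswith("transform:"):
            cur["transform"] = line[len("transform:"):].strip(" ,")
        elif cur is not None and line.startswith("replay detection support:"):
            cur["replay"] = line.rsplit(":", 1)[1].strip()
        elif cur is not None and line.startswith("Status:"):
            cur["status"] = line.split(":", 1)[1].split("(")[0].strip()
    return sas


def transform_gives_conf_and_integ(transform: str) -> bool:
    """True when the transform encrypts AND authenticates: an ESP cipher other than
    esp-null plus an HMAC, or an AEAD (GCM) ESP transform, which does both."""
    tokens = transform.replace(",", " ").split()
    aead = any("gcm" in t for t in tokens)
    enc = any(t.startswith("esp-") and not t.endswith("-hmac") and t != "esp-null"
              for t in tokens)
    integ = any(t.endswith("-hmac") for t in tokens)
    return aead or (enc and integ)


def peers_meeting_requirement_5(sas: List[Dict[str, str]]) -> Dict[str, bool]:
    """Per peer: an ACTIVE ESP SA in each direction with a conf+integ transform and
    anti-replay on. AH-only or esp-null peers fail."""
    result: Dict[str, bool] = {}
    for peer in {sa["peer"] for sa in sas}:
        result[peer] = all(
            any(sa["peer"] == peer and sa["direction"] == direction and sa["proto"] == "esp"
                and sa["status"] == "ACTIVE" and sa["replay"] == "Y"
                and transform_gives_conf_and_integ(sa["transform"])
                for sa in sas)
            for direction in ("inbound", "outbound"))
    return result


if __name__ == "__main__":
    for peer, ok in sorted(peers_meeting_requirement_5(
            parse_ipsec_sas(R6_IPSEC_SA + AH_ONLY_PEER)).items()):
        print(f"{peer:<12} confidentiality+integrity: {ok}")
```

The check looks only at the negotiated SAs; it says nothing about how the peers were authenticated. The lab's `crypto isakmp key SECRET address 0.0.0.0` accepts any peer address with the one shared key, which is convenient for a lab with dynamic spoke addresses but is something a production review would look at separately from the transform.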