Sunday, April 10, 2016

Overlay VPN task #6. GRE based VPN part 2.

Topology:



Use configuration from Overlay VPN task #5 as initial configuration for this task.

Requirements: 

Change the configuration from previous task to comply with new requirements: 

1. Allow direct branch to branch communication. 
2. Protect the customer sites so that an attacker located in the public network (AS30, AS31) cannot inject traffic into the GRE tunnel by spoofing the source and destination addresses. Don't use IPsec to complete this requirement.
3. You are only allowed to change configuration of R7 and R8 to complete this task. 

Solution:

Highlight the text below to reveal the solution.

This task requires an understanding of DMVPN phase II and of the GRE tunnel key mechanism.

Requirement #1 - Switching from the spoke-hub-spoke path to a direct spoke-spoke path requires a DMVPN phase II or phase III configuration. Since phase III would also require configuration changes on router R6, the solution for this task uses DMVPN phase II. Change the spoke tunnels from point-to-point GRE to mGRE mode and remove the tunnel destination configuration.


Requirement #2 - The GRE tunnel key provides only "weak" protection against injecting spoofed packets towards the GRE tunnel endpoint: the 32-bit key is carried in cleartext in the GRE header (RFC 2890), so it stops blind injection by an attacker who only knows the tunnel endpoint addresses, not one who can capture tunnel traffic. The tunnel key value must match between all peers.
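To make the receive-side check concrete, here is an added example (not Cisco code and not part of the original post) that models what `tunnel key 123456` does: it builds and parses the RFC 2890 GRE header and accepts a packet only when the key field equals the configured key. The packet bytes are constructed inline, and the `tunnel_accepts` rule is an assumption modelled on the documented IOS behaviour (missing or mismatched key: drop).

```python
import struct
from typing import Optional, Tuple

# GRE flag bits from the first 16-bit word of the header (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000
ETHERTYPE_IPV4 = 0x0800


def build_gre(payload: bytes, key: Optional[int] = None) -> bytes:
    """Prepend a GRE header to payload; the key extension is added only if key is given."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)  # key sits unencrypted right after flags/proto
    return hdr + payload


def parse_gre(pkt: bytes) -> Tuple[int, int, Optional[int], bytes]:
    """Return (flags, protocol, key or None, payload); raise ValueError on truncation."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    off, key = 4, None
    if flags & GRE_FLAG_CHECKSUM:
        off += 4  # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        if len(pkt) < off + 4:
            raise ValueError("truncated key field")
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        off += 4
    if len(pkt) < off:
        raise ValueError("truncated GRE header")
    return flags, proto, key, pkt[off:]


def tunnel_accepts(pkt: bytes, configured_key: Optional[int]) -> bool:
    """Model of the tunnel-key check: the packet key must equal the interface key
    (both absent counts as a match); malformed packets are dropped."""
    try:
        _, _, key, _ = parse_gre(pkt)
    except ValueError:
        return False
    return key == configured_key
```

A packet that spoofs only the outer source and destination addresses but carries no key, or a guessed one, is dropped; a packet copied from a capture of the real tunnel, key included, would not be, which is why the post calls this protection weak.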


R6: 


!
interface Tunnel1
 ip address 10.0.0.6 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip ospf network broadcast
 ip ospf priority 255
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
!

R7:


!
interface Tunnel1
 ip address 10.0.0.7 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.6 30.0.16.6
 ip nhrp map multicast 30.0.16.6
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.6
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
!

R8: 


!
interface Tunnel1
 ip address 10.0.0.8 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.6 30.0.16.6
 ip nhrp map multicast 30.0.16.6
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.6
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
!


Verification:

Note the change of path from spoke-hub-spoke to direct spoke-spoke in two consecutive traces: the first trace goes through the hub (10.0.0.6) while NHRP resolution completes, the second goes directly to the spoke (10.0.0.7).

R8#  traceroute 10.7.1.1 source 10.8.1.1
Type escape sequence to abort.
Tracing the route to 10.7.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.6 5 msec 5 msec 5 msec
  2 10.0.0.7 5 msec 5 msec 5 msec

R8#  traceroute 10.7.1.1 source 10.8.1.1
Type escape sequence to abort.
Tracing the route to 10.7.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.7 0 msec 5 msec 6 msec
