Saturday, June 18, 2016

Overlay VPN task #7. GRE based VPN part 3.

Topology:



Use configuration from Overlay VPN  task #6 as initial configuration for this task.

Requirements: 

Change the configuration produced in the previous task to comply with the new requirements. 
The goal is to increase the scalability of the previous solution, to allow support for large number of spoke sites. 

1. Replace the OSPF based routing with BGP routing. Use AS6500X for each site, when X is the router number. 
2. Each branch router  shall advertise its 10.X/16 network to  HQ router. 
3. HQ router shall only advertise network 10/8 to branch routers. 
4. Branch to branch traffic shall be allowed to follow direct path, and not via HQ router. 
5. Ensure confidentiality and integrity of customers traffic traversing the AS30 and AS31. 

Solution:

Highlight the text below to reveal the solution.

This task requires understanding of DMVPN phase III, and understanding of using IPsec to protect DMVPN traffic. It also requires an understanding of basic BGP configuration and aggregation.

Requirements #1 - 3 - remove OSPF configuration and configure BGP on each router. On R6, use aggregate-address + summary-only to advertise the aggregate and suppress the individual prefixes of 10/8 network.
Requirement #4 - direct branch to branch router traffic requires DMVPN phase III configuration. Another DMVPN option that supports suppressing routing information at the spokes is DMVPN phase I.
Requirement #5 - Providing both data confidentiality and integrity requires using IPsec with ESP headers (note that AH headers will only provide integrity, but not confidentiality).Configure ISAKMP policy, transform-set and profile. Apply profile on the tunnel interface using tunnel protection command.


R6:


!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 14
crypto isakmp key SECRET address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
 set transform-set TS
!
!
interface Tunnel1
 ip address 10.0.0.6 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile PROTECT
!
!
router bgp 65006
 bgp log-neighbor-changes
 network 10.6.0.0 mask 255.255.0.0
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 neighbor 10.0.0.7 remote-as 65007
 neighbor 10.0.0.8 remote-as 65008
!
ip route 10.6.0.0 255.255.0.0 Null0


R7:


!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 14
crypto isakmp key SECRET address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
 set transform-set TS
!
!
interface Tunnel1
 ip address 10.0.0.7 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.6 30.0.16.6
 ip nhrp map multicast 30.0.16.6
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.6
 ip nhrp shortcut
 ip nhrp redirect
 ip ospf network point-to-multipoint
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile PROTECT
!
!
router bgp 65007
 bgp log-neighbor-changes
 network 10.7.0.0 mask 255.255.0.0
 neighbor 10.0.0.6 remote-as 65006
!
ip route 10.7.0.0 255.255.0.0 Null0


R8:


!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 14
crypto isakmp key SECRET address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
 set transform-set TS
!
!
interface Tunnel1
 ip address 10.0.0.8 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.6 30.0.16.6
 ip nhrp map multicast 30.0.16.6
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.6
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile PROTECT
!
!
router bgp 65008
 bgp log-neighbor-changes
 network 10.8.0.0 mask 255.255.0.0
 neighbor 10.0.0.6 remote-as 65006
!
ip route 10.8.0.0 255.255.0.0 Null0

Verification:



R7#        sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 31.0.57.5 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 31.0.57.5
      10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
B        10.0.0.0/8 [20/0] via 10.0.0.6, 00:46:49
C        10.0.0.0/24 is directly connected, Tunnel1
L        10.0.0.7/32 is directly connected, Tunnel1
S        10.7.0.0/16 is directly connected, Null0
C        10.7.1.0/24 is directly connected, Ethernet0/1
L        10.7.1.1/32 is directly connected, Ethernet0/1
C        10.7.7.7/32 is directly connected, Loopback0
H        10.8.1.0/24 [250/1] via 10.0.0.8, 00:46:32, Tunnel1
H        10.8.8.8/32 [250/1] via 10.0.0.8, 00:40:52, Tunnel1
      31.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        31.0.57.0/24 is directly connected, Ethernet0/0
L        31.0.57.7/32 is directly connected, Ethernet0/0

R7#  traceroute 10.8.1.1
Type escape sequence to abort.
Tracing the route to 10.8.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.8 [AS 65006] 6 msec 6 msec 5 msec

R6#              sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 30.0.16.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 30.0.16.1
      10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
B        10.0.0.0/8 [200/0] via 0.0.0.0, 00:50:15, Null0
C        10.0.0.0/24 is directly connected, Tunnel1
L        10.0.0.6/32 is directly connected, Tunnel1
S        10.6.0.0/16 is directly connected, Null0
C        10.6.1.0/24 is directly connected, Ethernet0/1
L        10.6.1.1/32 is directly connected, Ethernet0/1
C        10.6.6.6/32 is directly connected, Loopback0
B        10.7.0.0/16 [20/0] via 10.0.0.7, 00:47:19
B        10.8.0.0/16 [20/0] via 10.0.0.8, 00:47:19
      30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        30.0.16.0/24 is directly connected, Ethernet0/0
L        30.0.16.6/32 is directly connected, Ethernet0/0

R6# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
30.0.16.6       30.0.38.8       QM_IDLE           1001 ACTIVE
30.0.16.6       31.0.57.7       QM_IDLE           1002 ACTIVE

R6#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 30.0.16.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.0.16.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
   current_peer 31.0.57.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
    #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.0.16.6, remote crypto endpt.: 31.0.57.7
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x66AFBB2D(1722792749)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4371DE8C(1131536012)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4215914/2423)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x66AFBB2D(1722792749)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4215914/2423)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.0.16.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (30.0.38.8/255.255.255.255/47/0)
   current_peer 30.0.38.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
    #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.0.16.6, remote crypto endpt.: 30.0.38.8
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x36039CEC(906206444)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xFEE943A(267293754)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4249146/2413)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x36039CEC(906206444)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4249146/2413)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:



R7#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 31.0.57.7

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (30.0.38.8/255.255.255.255/47/0)
   current_peer 30.0.38.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 31.0.57.7, remote crypto endpt.: 30.0.38.8
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x9A5210E0(2589069536)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x400F81E6(1074758118)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4371174/2369)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9A5210E0(2589069536)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4371174/2369)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (30.0.16.6/255.255.255.255/47/0)
   current_peer 30.0.16.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52
    #pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 31.0.57.7, remote crypto endpt.: 30.0.16.6
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x4371DE8C(1131536012)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x66AFBB2D(1722792749)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4217048/2369)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4371DE8C(1131536012)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4217048/2369)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


No comments:

Post a Comment