R1
!
ip multicast-routing
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip pim sparse-mode
!
interface FastEthernet1/0
 description wan
 ip address 10.0.12.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet2/0
 description lan
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 1
 network 10.0.12.0 0.0.0.255 area 0
 network 10.0.13.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 1
!
!Define this router as an RP candidate
ip pim rp-candidate Loopback0
!
R2
ip multicast-routing
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip pim sparse-mode
!
interface FastEthernet1/0
 description wan
 ip address 10.0.12.2 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet1/1
 description lan
 ip address 192.168.2.2 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 2
 network 10.0.12.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 2
!
!Define this router as a bootstrap router (BSR) candidate
ip pim bsr-candidate Loopback0 0
!
Note: ip pim bsr-candidate and ip pim rp-candidate can both be configured on the same router if you wish. In this lab we could therefore have defined both on R1 and left R2 with only ip pim sparse-mode on its interfaces.
Here are the batch files used in VLC:

StartMulticast.bat:
"C:\Program Files\VideoLAN\VLC\vlc.exe" -vvv test.m4v :sout=#transcode{vcodec=h264,vb=800,scale=1,acodec=mp4a,ab=128,channels=2,samplerate=44100}:std{access=udp,mux=ts,dst=239.0.0.1:1234} --ttl 12
FW1
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 142.100.123.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
!For testing, allow pings/ICMP through
access-list WAN_IN extended permit icmp any any
access-group WAN_IN in interface outside
!
!NAT
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
!
!Default route
route outside 0.0.0.0 0.0.0.0 142.100.123.99
!
FW2
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 208.69.34.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list WAN_IN extended permit icmp any any
access-group WAN_IN in interface outside
!
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 208.69.34.99 1
!
Now the interesting part: both sites use 192.168.1.0/24, so we want a user at site 1 to ping 192.168.102.100 and reach 192.168.1.100 at site 2, and a user at site 2 to ping 192.168.101.100 and reach 192.168.1.100 at site 1.
Here is how:
FW1
!ACL defining the traffic to be statically translated
access-list site2 extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
!ACL selecting traffic for the IPsec tunnel (matched on the post-NAT addresses)
access-list IPSEC-TUN extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
!Policy static NAT: 192.168.1.0/24 appears as 192.168.101.0/24 when talking to site 2
static (inside,outside) 192.168.101.0 access-list site2
Now the tunnel itself:
crypto ipsec transform-set FW1-TRANSFORM esp-3des esp-md5-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 208.69.34.2
crypto map FW1 10 set transform-set FW1-TRANSFORM
crypto map FW1 interface outside
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 208.69.34.2 type ipsec-l2l
tunnel-group 208.69.34.2 ipsec-attributes
 pre-shared-key letmein
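To make the address handling concrete, here is an added Python model of what the two ASAs do to a packet; it is example code written for this write-up, not part of the original post or of any Cisco code. FW1's prefixes are taken from the config above; FW2's translated prefix 192.168.102.0/24 and its mirror-image ACLs are assumptions, since the post only shows FW1's side. The model walks a ping from each site through the policy NAT, the crypto ACL match on the translated addresses, and the un-translation on the far side, and refuses traffic that would not be selected for the tunnel:

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the lab: both sites use 192.168.1.0/24, so each ASA
# presents its LAN to the tunnel under a unique translated prefix.
# FW1's prefixes are from the page; FW2's are the assumed mirror image.
SITES = {
    "FW1": {"real": "192.168.1.0/24", "nat": "192.168.101.0/24", "remote": "192.168.102.0/24"},
    "FW2": {"real": "192.168.1.0/24", "nat": "192.168.102.0/24", "remote": "192.168.101.0/24"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _rewrite(addr, from_net, to_net):
    """Keep the host part and swap the prefix: a one-to-one translation of a whole /24."""
    host = int(ipaddress.ip_address(addr)) - int(ipaddress.ip_network(from_net).network_address)
    return str(ipaddress.ip_address(int(ipaddress.ip_network(to_net).network_address) + host))


def outbound_nat(fw, pkt):
    """Policy static NAT: the source is translated only when the destination
    matches the NAT ACL (the 'site2' ACL), so local LAN traffic is untouched."""
    s = SITES[fw]
    if _in(pkt.src, s["real"]) and _in(pkt.dst, s["remote"]):
        return Packet(_rewrite(pkt.src, s["real"], s["nat"]), pkt.dst)
    return pkt


def crypto_acl_permits(fw, pkt):
    """The crypto ACL (IPSEC-TUN) is evaluated after NAT, so it must list the
    translated local prefix, never the real 192.168.1.0/24."""
    s = SITES[fw]
    return _in(pkt.src, s["nat"]) and _in(pkt.dst, s["remote"])


def inbound_unnat(fw, pkt):
    """On the far ASA the same static maps the translated destination back to the real host."""
    s = SITES[fw]
    if _in(pkt.dst, s["nat"]):
        return Packet(pkt.src, _rewrite(pkt.dst, s["nat"], s["real"]))
    return pkt


def trace(src_fw, dst_fw, pkt):
    """Return (packet inside the tunnel, packet delivered on the far LAN).
    Raises ValueError if the packet would not be selected for the tunnel on either side."""
    on_wire = outbound_nat(src_fw, pkt)
    if not crypto_acl_permits(src_fw, on_wire):
        raise ValueError(f"{src_fw}: {on_wire} does not match the crypto ACL, not tunnelled")
    # the receiving side checks decrypted traffic against its mirror-image ACL
    if not crypto_acl_permits(dst_fw, Packet(on_wire.dst, on_wire.src)):
        raise ValueError(f"{dst_fw}: {on_wire} rejected by the mirror crypto ACL")
    return on_wire, inbound_unnat(dst_fw, on_wire)


if __name__ == "__main__":
    print(trace("FW1", "FW2", Packet("192.168.1.100", "192.168.102.100")))
    print(trace("FW2", "FW1", Packet("192.168.1.100", "192.168.101.100")))
```

The point the model makes is the ordering: on the ASA the NAT happens first and the crypto ACL sees the translated source, which is why IPSEC-TUN names 192.168.101.0/24 rather than the real LAN. A crypto ACL written with 192.168.1.0/24 would never match and the traffic would never be encrypted.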
First the boring stuff, setting up IP connectivity:
R1
interface FastEthernet1/0
 description WAN
 ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet1/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 10.0.1.99
!
R2
interface FastEthernet1/1
 description lan
 ip address 192.168.1.2 255.255.255.0
!
interface FastEthernet1/0
 description wan
 ip address 10.0.2.2 255.255.255.0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 10.0.2.99
!
R10
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface FastEthernet1/0
 description wan
 ip address 10.0.10.10 255.255.255.0
!
interface FastEthernet1/1
 description lan
 ip address 192.168.2.10 255.255.255.0
 delay 1000
!
R11
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
!
interface FastEthernet1/0
 description wan
 ip address 10.0.11.11 255.255.255.0
!
interface FastEthernet1/1
 description lan
 ip address 192.168.2.11 255.255.255.0
 delay 1050
!
ip route 0.0.0.0 0.0.0.0 10.0.11.99
!
R20
!
interface Loopback0
 ip address 20.20.20.20 255.255.255.255
!
interface FastEthernet1/0
 description wan
 ip address 10.0.20.20 255.255.255.0
!
interface FastEthernet1/1
 description lan
 ip address 192.168.3.20 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.20.99
!
Let's start with HSRP on the hubs:
R1
interface FastEthernet1/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 delay 1000
 duplex full
 speed auto
 !Virtual IP shared by the HSRP group
 standby 1 ip 192.168.1.254
 !Set the priority of this router higher than R2
 standby 1 priority 20
 !If R1 has the higher priority it becomes the active router
 standby 1 preempt
 standby 1 name HAGroup
 !If Fa1/0 fails R1 is useless and needs to become standby
 standby 1 track FastEthernet1/0
!
R2
interface FastEthernet1/1
 description lan
 ip address 192.168.1.2 255.255.255.0
 delay 1050
 duplex auto
 speed auto
 standby 1 ip 192.168.1.254
 standby 1 priority 19
 standby 1 preempt
 standby 1 name HAGroup
 standby 1 track FastEthernet1/0
!
The setup at Site 2 (the other site running HSRP) is almost identical.
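As an added illustration (example code written for this write-up, not from the original post), the following Python model reproduces the HSRP behaviour the two configs above set up: priority, preempt and interface tracking with the IOS default decrement of 10 for "standby 1 track". It also shows why the standby router needs preempt as well: if R2 were not configured to preempt, the tracking decrement on R1 would change nothing when R1's WAN link fails.

```python
import ipaddress
from dataclasses import dataclass

TRACK_DECREMENT = 10  # IOS default decrement for 'standby <group> track <interface>'


@dataclass
class HsrpRouter:
    name: str
    ip: str                  # interface address, used as the tie-breaker
    priority: int            # 'standby 1 priority N'
    preempt: bool            # 'standby 1 preempt' present or not
    tracked_up: bool = True  # state of the interface named in 'standby 1 track'

    def effective_priority(self):
        return self.priority if self.tracked_up else self.priority - TRACK_DECREMENT

    def rank(self):
        # highest priority wins; equal priorities are broken by the higher IP address
        return (self.effective_priority(), int(ipaddress.ip_address(self.ip)))


def elect_active(group, current=None):
    """Return the router that is active after the next hello exchange.

    With no current active (boot, or the active stopped sending hellos) the
    best-ranked router wins. A healthy active router is only replaced by a
    better-ranked router that has preempt configured."""
    best = max(group, key=HsrpRouter.rank)
    if current is None or best is current:
        return best
    return best if best.preempt else current


def wan_failure_scenario(r2_preempt=True):
    """Walk the lab's group through: boot, R1 loses Fa1/0, Fa1/0 recovers.
    Returns the name of the active router after each step."""
    r1 = HsrpRouter("R1", "192.168.1.1", priority=20, preempt=True)
    r2 = HsrpRouter("R2", "192.168.1.2", priority=19, preempt=r2_preempt)
    group = [r1, r2]
    history = []
    active = elect_active(group)                 # boot: 20 beats 19
    history.append(active.name)
    r1.tracked_up = False                        # R1's WAN link fails: 20 - 10 = 10
    active = elect_active(group, active)
    history.append(active.name)
    r1.tracked_up = True                         # WAN link returns: back to 20
    active = elect_active(group, active)
    history.append(active.name)
    return history


if __name__ == "__main__":
    print("both preempt:", wan_failure_scenario())
    print("R2 without preempt:", wan_failure_scenario(r2_preempt=False))
```

With both routers preempting the active role moves R1, R2, R1 across the three steps. With preempt removed from R2 the group stays on R1 throughout, even while R1 has no WAN path, which is the failure mode the track command is meant to prevent.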
Now on to the tunnels and the DMVPN networks themselves. Here is the basic layout of the network:

As you can see, we are in fact running two DMVPN networks, and each spoke has an interface in each network.

Let's do the hubs first:
R1
interface Tunnel0
 !IP of the tunnel interface
 ip address 172.12.123.1 255.255.255.0
 !Stop IP from taking "shortcuts"
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 !Unique to the network, same number on each hub and spoke
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 !Needed for EIGRP
 no ip split-horizon eigrp 100
 !Tweak EIGRP metrics to prefer this router
 delay 1000
 !Tunnels go out of this interface
 tunnel source FastEthernet1/0
 !Set tunnel mode
 tunnel mode gre multipoint
 !GRE key identifying this DMVPN network; must match on hub and spokes (it is not a secret, the IPsec profile below provides the protection)
 tunnel key 100000
 !Add IPsec
 tunnel protection ipsec profile TUN-PROFILE
Notice that R1 is the hub of the 172.12.123.0/24 network.
R2
!
interface Tunnel0
 ip address 172.12.124.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 !Tweak EIGRP metric so that R1 is preferred
 delay 1050
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 !GRE key for the second DMVPN network
 tunnel key 100001
 tunnel protection ipsec profile TUN-PROFILE
!
Now R20

First tunnel, joining network 1:
interface Tunnel0
 ip address 172.12.123.20 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.123.1 10.0.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.123.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet1/0
 tunnel destination 10.0.1.1
 tunnel key 100000
 tunnel protection ipsec profile TUN-PROFILE
!

Second tunnel, joining network 2:
!
interface Tunnel1
 ip address 172.12.124.20 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.124.2 10.0.2.2
 ip nhrp network-id 2
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.124.2
 ip tcp adjust-mss 1360
 tunnel source FastEthernet1/0
 tunnel destination 10.0.2.2
 tunnel key 100001
 tunnel protection ipsec profile TUN-PROFILE
!
Now R10
!Network 1 --->
interface Tunnel0
 ip address 172.12.123.10 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.123.1 10.0.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.123.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet1/0
 tunnel destination 10.0.1.1
 tunnel key 100000
 tunnel protection ipsec profile TUN-PROFILE
!
!
!Network 2 --->
interface Tunnel1
 ip address 172.12.124.10 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.124.2 10.0.2.2
 ip nhrp network-id 2
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.124.2
 ip tcp adjust-mss 1360
 tunnel source FastEthernet1/0
 tunnel destination 10.0.2.2
 tunnel key 100001
 tunnel protection ipsec profile TUN-PROFILE
!
R11
!Network 1 --->
interface Tunnel0
 ip address 172.12.123.11 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.123.1 10.0.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.123.1
 ip tcp adjust-mss 1360
 delay 1050
 tunnel source FastEthernet1/0
 tunnel destination 10.0.1.1
 tunnel key 100000
 tunnel protection ipsec profile TUN-PROFILE
!Network 2 --->
interface Tunnel1
 ip address 172.12.124.11 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.124.2 10.0.2.2
 ip nhrp network-id 2
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.124.2
 ip tcp adjust-mss 1360
 tunnel source FastEthernet1/0
 tunnel destination 10.0.2.2
 tunnel key 100001
 tunnel protection ipsec profile TUN-PROFILE
!
Now the EIGRP configuration; notice that we do not advertise the WAN network:
R1
router eigrp 100
 network 1.1.1.1 0.0.0.0
 network 172.12.123.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
The IPsec configuration is almost identical on each router, so here is just one example:
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
!Wildcard peer address: this single pre-shared key is accepted from any peer
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TUN-TRANSFORM esp-aes esp-sha-hmac
!
crypto ipsec profile TUN-PROFILE
 set transform-set TUN-TRANSFORM
!
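Keeping the hub and spoke tunnel settings in step is the part that usually goes wrong in a DMVPN build, so here is an added Python consistency check; it is example code written for this write-up, not the post's own, and not a Cisco tool. It parses a constructed excerpt of the configs above (hub R1 and R20's first tunnel, with the addresses, network-id, tunnel key and profile name taken from the page; the hostname lines are only there to separate the devices) and reports any spoke whose network-id, tunnel key, NHRP map, tunnel destination or overlay subnet disagrees with the hub it names as its NHS, plus any tunnel that lacks IPsec protection or references an undefined profile:

```python
import ipaddress

# Constructed excerpt of the lab (addresses, keys and profile name from the page):
# hub R1 and spoke R20's first tunnel. 'hostname' lines only separate the devices.
LAB_CONFIG = """
hostname R1
interface FastEthernet1/0
 ip address 10.0.1.1 255.255.255.0
interface Tunnel0
 ip address 172.12.123.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile TUN-PROFILE
crypto ipsec profile TUN-PROFILE
hostname R20
interface FastEthernet1/0
 ip address 10.0.20.20 255.255.255.0
interface Tunnel0
 ip address 172.12.123.20 255.255.255.0
 ip nhrp map 172.12.123.1 10.0.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.12.123.1
 tunnel source FastEthernet1/0
 tunnel destination 10.0.1.1
 tunnel key 100000
 tunnel protection ipsec profile TUN-PROFILE
crypto ipsec profile TUN-PROFILE
"""


def parse(config):
    """Split a concatenated IOS config into {host: {"ifaces": {name: [lines]}, "profiles": set()}}."""
    devices, host, lines = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("hostname "):
            host = line.split()[1]
            devices[host] = {"ifaces": {}, "profiles": set()}
            lines = None
        elif line.startswith("interface "):
            lines = devices[host]["ifaces"].setdefault(line.split()[1], [])
        elif line.startswith("crypto ipsec profile "):
            devices[host]["profiles"].add(line.split()[3])
            lines = None
        elif lines is not None:
            lines.append(line)
    return devices


def _get(lines, prefix):
    """Remainder of the first line that starts with '<prefix> ', or None if absent."""
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), None)


def _addr(lines):
    addr, mask = _get(lines, "ip address").split()
    return ipaddress.ip_interface(f"{addr}/{mask}")


def check_dmvpn(config):
    """Return a list of findings; an empty list means every spoke agrees with its hub."""
    devs, findings, hubs = parse(config), [], {}
    for host, d in devs.items():  # pass 1: IPsec sanity on every tunnel, index the mGRE hubs
        for name, t in d["ifaces"].items():
            if not name.startswith("Tunnel"):
                continue
            prof = _get(t, "tunnel protection ipsec profile")
            if prof is None:
                findings.append(f"{host} {name}: no tunnel protection, GRE would run in the clear")
            elif prof not in d["profiles"]:
                findings.append(f"{host} {name}: ipsec profile {prof} is not defined")
            if _get(t, "tunnel mode") == "gre multipoint":
                nbma = str(_addr(d["ifaces"][_get(t, "tunnel source")]).ip)
                hubs[str(_addr(t).ip)] = (f"{host} {name}", t, nbma)
    for host, d in devs.items():  # pass 2: compare each spoke tunnel with the hub it names as NHS
        for name, t in d["ifaces"].items():
            nhs = _get(t, "ip nhrp nhs")
            if nhs is None:
                continue
            if nhs not in hubs:
                findings.append(f"{host} {name}: NHS {nhs} is not a multipoint GRE hub")
                continue
            hub, ht, hnbma = hubs[nhs]
            for field in ("ip nhrp network-id", "tunnel key"):
                if _get(t, field) != _get(ht, field):
                    findings.append(f"{host} {name}: {field} {_get(t, field)} != {hub} {_get(ht, field)}")
            if _get(t, f"ip nhrp map {nhs}") != hnbma or _get(t, "tunnel destination") not in (None, hnbma):
                findings.append(f"{host} {name}: NHRP map/tunnel destination do not point at {hub} NBMA {hnbma}")
            if _addr(t).network != _addr(ht).network:
                findings.append(f"{host} {name}: overlay subnet differs from {hub}")
    return findings


if __name__ == "__main__":
    print(check_dmvpn(LAB_CONFIG) or "hub and spoke agree")
```

Run against the lab excerpt it returns an empty list. Feed it a copy where the spoke's network-id or tunnel key has been mistyped, or where a tunnel has lost its "tunnel protection" line, and the offending interface is named; the last case is the one worth catching before deployment, since a GRE tunnel without the profile still comes up and passes traffic, just without any encryption.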
And that should be it!
Here is a video of me with the lab, trying to break it!