*******************************
Lab # 1 - GRE
*******************************

------------------------------------------------------
! 1. Configure a Tunnel Interface to connect R1 & R3
------------------------------------------------------

----- R1 -----

Interface Tunnel 1
 tunnel source 199.1.1.1
 tunnel destination 200.1.1.3
 ip address 192.168.1.1 255.255.255.0

----- R3 -----

Interface Tunnel 1
 tunnel source 200.1.1.3
 tunnel destination 199.1.1.1
 ip address 192.168.1.3 255.255.255.0

------------------------------------------------------
! 2. Configure Routing to route the internal networks
------------------------------------------------------

----- R1 -----

router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----- R3 -----

router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

EIGRP Hello Packet = GRE
Packet Size: 98 Bytes
----------------------------------------------------------------------------
| GRE | 199.1.1.1 | 200.1.1.3 | EIGRP | 192.168.1.1 | 224.0.0.10 | Data |
----------------------------------------------------------------------------
Note: Clear Text Packet

*******************************
Lab # 2 - GRE Over IPSec
*******************************

----- R1 -----

! 1. Configure the Parameters for Phase I
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key Cisco123 address 200.1.1.3

! 2. Configure the Parameters for Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Configure an IPSec Profile - It calls the Transform-set
crypto ipsec profile IPROF
 set transform-set ABC

! 4. Apply the IPSec Profile to the Tunnel Interface. All traffic leaving the tunnel will be encrypted
interface tunnel 1
 tunnel protection ipsec profile IPROF

----- R3 -----

! 1. Configure the Parameters for Phase I
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key Cisco123 address 199.1.1.1

! 2. Configure the Parameters for Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Configure an IPSec Profile - It calls the Transform-set
crypto ipsec profile IPROF
 set transform-set ABC

! 4. Apply the IPSec Profile to the Tunnel Interface. All traffic leaving the tunnel will be encrypted
interface tunnel 1
 tunnel protection ipsec profile IPROF

++++++++++++++++++++++++++++
Tunnel Mode
++++++++++++++++++++++++++++

-> In this mode, IPSec takes the Packets and adds the new header without considering the duplication of the IP Header
-> This is the default IPSec Mode

EIGRP Hello Packet = GRE Over IPSec
Packet Size: 150 Bytes
--------------------------------------------------------------------------------------------------------
| ESP | 199.1.1.1 | 200.1.1.3 | GRE | 199.1.1.1 | 200.1.1.3 | EIGRP | 192.168.1.1 | 224.0.0.10 | Data |
--------------------------------------------------------------------------------------------------------

++++++++++++++++++++++++++++
Transport Mode
++++++++++++++++++++++++++++

-> In this mode, IPSec looks at the inner header. If it matches the outer header, it eliminates the duplication (16 Bytes)
-> If you are running GRE Over IPSec, it is recommended to use Transport Mode.
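Added example (not part of the original lab notes): the EIGRP hello sizes quoted in Labs 1 to 3 (98, 150, 134 and 126 bytes) recomputed from the header layouts, showing that transport mode drops a 20-byte IP header but needs 4 more bytes of ESP padding, which gives the 16-byte saving. Assumptions not stated on the page: the sizes include a 14-byte Ethernet header and the EIGRP hello payload is 40 bytes.

```python
# Added example: reproduces the EIGRP hello frame sizes quoted in the labs.
# Assumptions (not stated on the page): sizes include a 14-byte Ethernet
# header, and the EIGRP hello payload is 40 bytes.
ETH, IP, GRE, EIGRP_HELLO = 14, 20, 4, 40

# esp-3des: 8-byte IV and 8-byte cipher block; esp-sha-hmac: 12-byte ICV.
ESP_HDR, IV, BLOCK, ICV = 8, 8, 8, 12


def esp_size(payload_len):
    """Bytes of ESP (SPI/sequence header through ICV) for a payload."""
    # Pad Length and Next Header (2 bytes) are encrypted with the payload,
    # and the encrypted part must be a multiple of the cipher block size.
    padded = -(-(payload_len + 2) // BLOCK) * BLOCK
    return ESP_HDR + IV + padded + ICV


def padding(payload_len):
    """Pad bytes ESP has to add for a payload of this length."""
    return esp_size(payload_len) - (ESP_HDR + IV + payload_len + 2 + ICV)


def frame_sizes():
    inner = IP + EIGRP_HELLO        # 192.168.1.1 -> 224.0.0.10
    gre_pkt = IP + GRE + inner      # 199.1.1.1 -> 200.1.1.3 carrying GRE
    return {
        "gre": ETH + gre_pkt,
        # Tunnel mode: ESP protects the whole GRE/IP packet, new outer IP.
        "gre_ipsec_tunnel": ETH + IP + esp_size(gre_pkt),
        # Transport mode: the existing outer IP header is reused.
        "gre_ipsec_transport": ETH + IP + esp_size(GRE + inner),
        # tunnel mode ipsec ipv4: no GRE, ESP protects the inner packet.
        "native_ipsec": ETH + IP + esp_size(inner),
    }


if __name__ == "__main__":
    for name, size in frame_sizes().items():
        print(f"{name:22s} {size} bytes")
    # 20-byte header removed, 4 extra pad bytes added: net saving 16 bytes.
    print("ESP pad bytes, tunnel vs transport:", padding(84), padding(64))
```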
----- R1 -----

crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport

----- R3 -----

crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport

EIGRP Hello Packet = GRE Over IPSec
Packet Size: 134 Bytes
--------------------------------------------------------------------------------------------------------
| ESP | 199.1.1.1 | 200.1.1.3 | GRE | EIGRP | 192.168.1.1 | 224.0.0.10 | Data |
--------------------------------------------------------------------------------------------------------

******************************************
Lab # 3 - Native IPSec Tunnel Interface
******************************************

----- R1 -----

Interface Tunnel1
 tunnel mode ipsec ipv4

----- R3 -----

Interface Tunnel1
 tunnel mode ipsec ipv4

EIGRP Hello Packet = Native IPSec-Tunnel
Packet Size: 126 Bytes
--------------------------------------------------------------------------------------------------------
| ESP | 199.1.1.1 | 200.1.1.3 | EIGRP | 192.168.1.1 | 224.0.0.10 | Data |
--------------------------------------------------------------------------------------------------------

----------------------------------
Native IPSec Tunnel from scratch
----------------------------------

----- R1 -----

! 1. Configure the Parameters for Phase I
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key Cisco123 address 200.1.1.3

! 2. Configure the Parameters for Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Configure an IPSec Profile - It calls the Transform-set
crypto ipsec profile IPROF
 set transform-set ABC

! 4. Configure the Tunnel Interface
Interface Tunnel1
 tunnel source E 0/0
 tunnel destination 200.1.1.3
 tunnel mode ipsec ipv4
 ip address 192.168.1.1 255.255.255.0
 tunnel protection ipsec profile IPROF

! 5. Routing Configuration
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----- R3 -----

! 1. Configure the Parameters for Phase I
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key Cisco123 address 199.1.1.1

! 2. Configure the Parameters for Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Configure an IPSec Profile - It calls the Transform-set
crypto ipsec profile IPROF
 set transform-set ABC

! 4. Configure the Tunnel Interface
Interface Tunnel1
 tunnel source E 0/0
 tunnel destination 199.1.1.1
 tunnel mode ipsec ipv4
 ip address 192.168.1.3 255.255.255.0
 tunnel protection ipsec profile IPROF

! 5. Routing Configuration
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

******************************************
Lab # 4 - mGRE
******************************************

----- R1 -----

Interface Tunnel 1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map 192.168.1.3 192.1.30.3
 ip nhrp map 192.168.1.4 192.1.40.4
 ip nhrp map 192.168.1.5 192.1.50.5

----- R2 -----

Interface Tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 22
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.3 192.1.30.3
 ip nhrp map 192.168.1.4 192.1.40.4
 ip nhrp map 192.168.1.5 192.1.50.5

----- R3 -----

Interface Tunnel 1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 22
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map 192.168.1.4 192.1.40.4
 ip nhrp map 192.168.1.5 192.1.50.5

----- R4 -----

Interface Tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 22
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map 192.168.1.3 192.1.30.3
 ip nhrp map 192.168.1.5 192.1.50.5

----- R5 -----

Interface Tunnel 1
 ip address 192.168.1.5 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 22
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map 192.168.1.3 192.1.30.3
 ip nhrp map 192.168.1.4 192.1.40.4

Note:
-> mGRE requires each device to have a static IP.
-> Not scalable

******************************************
Lab # 5 - DMVPN
******************************************

================================================
1. Configure a Basic DMVPN Setup
================================================

--------------------- R1 - NHS ---------------------

no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 123
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

--------------------- R2 - Client ---------------------

no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

--------------------- R3 - Client ---------------------

no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

--------------------- R4 - Client ---------------------

no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

--------------------- R5 - Client ---------------------

no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.5 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

================================================
2. Understanding the DMVPN Phases
================================================

++++++++++++++++++++++++
DMVPN Phase I
++++++++++++++++++++++++

-> In this Phase, all Data traffic is transmitted in a Hub-n-spoke manner
-> This is the default Phase in DMVPN
-> Used in case the Hub needs to control traffic between the spokes

++++++++++++++++++++++++
DMVPN Phase II
++++++++++++++++++++++++

-> In this Phase, Data Traffic is transmitted directly between the spokes
-> In this phase, this is accomplished by tuning the Routing protocol to keep the next-hop unchanged.
-> In this phase, each site needs to have a complete routing table

------------ R1 - Hub ------------

Interface Tunnel 1
 no ip next-hop-self eigrp 123

++++++++++++++++++++++++
DMVPN Phase III
++++++++++++++++++++++++

-> In this Phase, Data Traffic is transmitted directly between the spokes
-> In this phase, this is accomplished by using the NHRP protocol (NHRP Redirection)
-> In this phase, the hub can summarize the networks to create a smaller routing table at the spokes

------------ R1 - Hub ------------

Interface Tunnel 1
 ip next-hop-self eigrp 123
 ip nhrp redirect
 ip summary-address eigrp 123 10.0.0.0 255.0.0.0
 ip summary-address eigrp 123 172.16.0.0 255.255.0.0

--------------------- R2 - R5 - Spokes ---------------------

Interface Tunnel 1
 ip nhrp shortcut

******************************************
Lab # 6 - DMVPN with IPSec
******************************************

-------------- All Devices --------------

! 1. Configure the Parameters for Phase I
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key Cisco123 address 0.0.0.0

! 2. Configure the Parameters for Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport

! 3. Configure an IPSec Profile - It calls the Transform-set
crypto ipsec profile IPROF
 set transform-set ABC

! 4. Apply the IPSec Profile to the Tunnel Interface. All traffic leaving the tunnel will be encrypted
interface tunnel 1
 tunnel protection ipsec profile IPROF