Thursday, 29 September 2011

DMVPN



I have been curious about trying DMVPN for a long time; I finally got around to it and it works:

Here is DMVPN, which is said to be fully supported by Cisco and not by other vendors; feel free to check on Google. hehe :P

From the topology above you can see that DMVPN is really made up of what are called the HUB and the SPOKE: HUB = HQ or the head office, while SPOKE = a branch office.
The link between the two runs over a multipoint GRE tunnel (tunnel mode gre multipoint),
which is then encrypted with IPsec.

Below is the configuration for 1 DMVPN HUB router and 3 SPOKEs acting as branch edge routers. Keep in mind that spoke-to-spoke communication only needs the hub once; after that, traffic crosses directly between the spokes over the tunnel.

R1 :

R1#sh run
Building configuration...

Current configuration : 1386 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 172.16.15.2
tunnel mode gre multipoint
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 172.16.15.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.15.1
ip route 192.168.30.1 255.255.255.255 192.168.0.3
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

R2 :

R2#sh run
Building configuration...

Current configuration : 1135 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.15.1 255.255.255.252
duplex auto
speed auto
!
interface Serial0/0
ip address 172.16.45.1 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.16.25.1 255.255.255.252
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
ip address 172.16.35.1 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
!
!
end

R3 :

R3#sh run
Building configuration...

Current configuration : 1451 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.20.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.0.2 255.255.255.0
no ip redirects
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source 172.16.25.2
tunnel mode gre multipoint
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 172.16.25.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.25.1
!
!
end

R4 :

R4#sh run
Building configuration...

Current configuration : 1547 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.30.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.0.3 255.255.255.0
no ip redirects
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source 172.16.35.2
tunnel mode gre multipoint
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 172.16.35.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.35.1
ip route 192.168.10.2 255.255.255.255 Tunnel0
ip route 192.168.10.2 255.255.255.255 192.168.0.1
!
!
no ip http server
no ip http secure-server
---------------------------------------------------
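As an added check that is not part of the original post: a small Python audit of the hub's crypto and Tunnel0 lines, using the R1 settings above as a constructed sample (the "blocks" and "audit_dmvpn" helpers are mine, not IOS features). It flags the wildcard pre-shared key shared across 172.16.0.0/16, the ISAKMP policy that leaves encryption and DH group at the IOS defaults (DES and group 1 on 12.4 when no "encryption" or "group" line is given), and the missing "ip nhrp authentication" string; the same checks also catch an mGRE tunnel without "tunnel protection" and DES/3DES/MD5 transform sets.

```python
import re

# Constructed sample: the crypto and tunnel lines of the post's R1 (hub) config, with the
# one-space indentation IOS prints for sub-commands (the blog capture lost that indentation).
R1_SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
interface Tunnel0
 ip address 192.168.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 172.16.15.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile MyProfile
"""

def blocks(cfg):
    """Group config lines into (header, sub-commands); indented lines belong to the last header."""
    out, cur = [], None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if line[0].isspace() and cur is not None:
            cur[1].append(line.strip())
        elif not line[0].isspace():
            cur = (line.strip(), [])
            out.append(cur)
    return out

def audit_dmvpn(cfg):
    """Return a list of findings about the ISAKMP/IPsec/NHRP settings in an IOS config."""
    findings = []
    for header, body in blocks(cfg):
        m = re.match(r"crypto isakmp key \S+ address (\S+) (\S+)", header)
        if m and m.group(2) != "255.255.255.255":  # non-host mask = one key for a whole range
            findings.append(f"wildcard PSK for {m.group(1)} {m.group(2)}: one secret shared by every peer in the range")
        if header.startswith("crypto isakmp policy"):
            for kw in ("encryption", "group"):  # unset -> IOS defaults (DES, DH group 1 on 12.4)
                if not any(c.startswith(kw) for c in body):
                    findings.append(f"{header}: '{kw}' not set, IOS default applies")
        m = re.match(r"crypto ipsec transform-set \S+ (.+)", header)
        if m and re.search(r"esp-(des|3des|md5-hmac)\b", m.group(1)):
            findings.append(f"{header}: weak transform")
        if header.startswith("interface Tunnel"):
            if "tunnel mode gre multipoint" in body and not any(c.startswith("tunnel protection") for c in body):
                findings.append(f"{header}: mGRE without 'tunnel protection', NHRP and data are sent in clear")
            if not any(c.startswith("ip nhrp authentication") for c in body):
                findings.append(f"{header}: no 'ip nhrp authentication', registration is gated only by the IPsec key")
    return findings
```

Run audit_dmvpn on each spoke's "show run" as well; R3 and R4 carry the same isakmp policy and key lines, so they produce the same findings.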

Let's look at the proof :P
R4#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 172.16.15.2 192.168.0.1 UP 00:32:01 S
1 172.16.25.2 192.168.0.2 UP never D
----------------------------------------------------------

R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.16.25.2 192.168.0.2 UP never D
1 172.16.35.2 192.168.0.3 UP never D
----------------------------------------------------------
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.15.2 172.16.25.2 QM_IDLE 1001 0 ACTIVE
172.16.15.2 172.16.35.2 QM_IDLE 1002 0 ACTIVE

R1#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.15.2

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.15.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.35.2/255.255.255.255/47/0)
current_peer 172.16.35.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 117, #pkts encrypt: 117, #pkts digest: 117
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.15.2, remote crypto endpt.: 172.16.35.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF048AEC0(4031295168)
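As an added example, not from the original post: parsing the "show dmvpn" peer table above and comparing the registered NBMA addresses against the list of spokes that are supposed to exist, so that a spoke that never registered, a peer that is not UP, or an unknown peer stands out in a monitoring run. The sample text is the R1 hub output pasted above; the expected set used in the check is the two spoke WAN addresses from the configs, and the helper names are mine.

```python
import re

# Constructed sample: the hub's 'show dmvpn' output from the post (R1), pasted verbatim.
R1_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.16.25.2 192.168.0.2 UP never D
1 172.16.35.2 192.168.0.3 UP never D
"""

# One peer row: entry count, NBMA (WAN) address, tunnel address, state, up/down time, attributes.
ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_show_dmvpn(text):
    """Return {tunnel name: [peer dicts]} from 'show dmvpn' output; legend and ruler lines are ignored."""
    peers, tunnel = {}, None
    for line in text.splitlines():
        m = re.match(r"^(Tunnel\d+), Type:(\w+), NHRP Peers:(\d+)", line)
        if m:
            tunnel = m.group(1)
            peers[tunnel] = []
            continue
        m = ROW.match(line)
        if m and tunnel:
            ent, nbma, tun, state, updn, attrb = m.groups()
            peers[tunnel].append({"ent": int(ent), "nbma": nbma, "tunnel_ip": tun,
                                  "state": state, "updn": updn, "attrb": attrb})
    return peers

def check_peers(peers, expected_nbma):
    """Flag peers that are not UP, NBMA addresses outside the expected set, and expected spokes that are absent."""
    issues = []
    for tunnel, rows in peers.items():
        seen = {r["nbma"] for r in rows}
        for r in rows:
            if r["state"] != "UP":
                issues.append(f"{tunnel}: {r['nbma']} state {r['state']}")
            if r["nbma"] not in expected_nbma:
                issues.append(f"{tunnel}: unexpected peer {r['nbma']} ({r['tunnel_ip']}, attrb {r['attrb']})")
        for nbma in sorted(expected_nbma - seen):
            issues.append(f"{tunnel}: expected spoke {nbma} has not registered")
    return issues
```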



And remember: make sure everything is routed through the tunnel interface or the neighbor's tunnel IP, then check the crypto output. C U,,
