This time we look at a technology that bundles several protocols without itself being a protocol: DMVPN. We will use the hub-and-spoke topology shown in the figure.
The following configuration is added, on top of the basic settings (IGP, etc.), as the base for forming the tunnels as shown below.
R1#sh run int tun1
Building configuration...
Current configuration : 117 bytes
!
interface Tunnel1
 ip address 192.168.0.1 255.255.255.0
 ip mtu 1400
 tunnel source Loopback0
 tunnel key 123
end
R1#
R2#sh run int tun2
Building configuration...
Current configuration : 117 bytes
!
interface Tunnel2
 ip address 192.168.0.2 255.255.255.0
 ip mtu 1400
 tunnel source Loopback0
 tunnel key 123
end
R2#
R3#sh run int tun3
Building configuration...
Current configuration : 117 bytes
!
interface Tunnel3
 ip address 192.168.0.3 255.255.255.0
 ip mtu 1400
 tunnel source Loopback0
 tunnel key 123
end
R3#
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface tunnel3
R3(config-if)#tunnel destination 2.2.2.2
R3(config-if)#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface tunnel 2
R2(config-if)#tunnel dest 3.3.3.3
R2(config-if)#
*Nov 16 17:38:31.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
R2(config-if)#
R2(config-if)#do ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/76/116 ms
R2(config-if)#
R2(config-if)#
R2(config-if)#int tun2
R2(config-if)#ip nhrp nhs 192.168.0.3
R2(config-if)#ip nhrp map 192.168.0.3 3.3.3.3
R2(config-if)#ip nhrp network-id 100
R2(config-if)#ip nhrp authentication nicolas
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#
*Nov 16 17:50:34.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
R2(config-if)#
R3(config)#interface tunnel3
R3(config-if)#
R3(config-if)#ip nhrp authentication nicolas
R3(config-if)#ip nhrp map multicast dynamic
R3(config-if)#ip nhrp network-id 100
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#
*Nov 16 17:54:01.707: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel3, changed state to up
R3(config-if)#
R3(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/80/152 ms
R3(config-if)#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface tunnel1
R1(config-if)# ip nhrp authentication nicolas
R1(config-if)# ip nhrp map 192.168.0.3 3.3.3.3
R1(config-if)# ip nhrp network-id 100
R1(config-if)# ip nhrp nhs 192.168.0.3
R1(config-if)# tunnel mode gre multipoint
R1(config-if)#
*Nov 16 17:56:38.171: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1(config-if)#
R1(config-if)#do ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/66/100 ms
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/301/428 ms
R1(config-if)#
R1#sh ip nhrp
192.168.0.1/32 via 192.168.0.1
   Tunnel1 created 00:04:26, expire 01:55:33
   Type: dynamic, Flags: router unique local
   NBMA address: 1.1.1.1
    (no-socket)
192.168.0.2/32 via 192.168.0.2
   Tunnel1 created 00:04:27, expire 01:55:32
   Type: dynamic, Flags: router
   NBMA address: 2.2.2.2
192.168.0.3/32 via 192.168.0.3
   Tunnel1 created 00:04:43, never expire
   Type: static, Flags: used
   NBMA address: 3.3.3.3
R1#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)#do sh run | b crypto
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
R1(config)#
R1(config)#crypto isakmp key ccie-en-espanol address 2.2.2.2
R1(config)#crypto isakmp key ccie-en-espanol address 3.3.3.3
R1(config)#
R2(config)#
R2(config)#crypto ipsec transform-set TRAN esp-?
esp-3des esp-aes esp-des esp-md5-hmac
esp-null esp-seal esp-sha-hmac
R2(config)#crypto ipsec transform-set TRAN esp-3des esp-?
esp-md5-hmac esp-sha-hmac
R2(config)#crypto ipsec transform-set TRAN esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec profile IPSEC
R2(ipsec-profile)#set transform-set TRAN
R2(ipsec-profile)#
R2(ipsec-profile)#int tun2
R2(config-if)#tunnel protection ipsec profile IPSEC
R2(config-if)#
*Nov 16 18:18:57.931: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#do ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config-if)#
R2(config-if)#do sh ip int b | i Tunnel
Tunnel2 192.168.0.2 YES manual up up
R2(config-if)#
R3(config)#
R3(config)#crypto ipsec transform-set TRAN esp-3des esp-sha-hmac
R3(cfg-crypto-trans)#
R3(cfg-crypto-trans)#crypto ipsec profile IPSEC
R3(ipsec-profile)# set transform-set TRAN
R3(ipsec-profile)#
R3(ipsec-profile)#int tun3
R3(config-if)#tunnel protection ipsec profile IPSEC
R3(config-if)#
*Nov 16 18:23:08.687: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 156/230/356 ms
R3(config-if)#
R1#sh ip nhrp
192.168.0.1/32 via 192.168.0.1
   Tunnel1 created 00:01:04, expire 00:02:00
   Type: dynamic, Flags: temporary
   NBMA address: 3.3.3.3
192.168.0.3/32 via 192.168.0.3
   Tunnel1 created 00:48:04, never expire
   Type: static, Flags: used
   NBMA address: 3.3.3.3
R1#ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 300/555/1080 ms
R1#sh ip nhrp
192.168.0.1/32 via 192.168.0.1
   Tunnel1 created 00:01:14, expire 01:59:57
   Type: dynamic, Flags: router unique local
   NBMA address: 1.1.1.1
192.168.0.2/32 via 192.168.0.2
   Tunnel1 created 00:00:05, expire 01:59:57
   Type: dynamic, Flags: router
   NBMA address: 2.2.2.2
192.168.0.3/32 via 192.168.0.3
   Tunnel1 created 00:48:15, never expire
   Type: static, Flags: used
   NBMA address: 3.3.3.3
R1#
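The `show ip nhrp` outputs above are the place to verify that the NHRP cache holds what the design intends: the hub as a static mapping, each spoke registered from the NBMA address you expect, and nothing short-lived that you did not plan for. The following Python script is an added example, not code from the original post; it parses the two R1 outputs shown above (transcribed as sample input) and checks them against a constructed inventory (`INVENTORY`, `HUB_TUNNEL_IP`) standing in for whatever source of truth a real deployment would use.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the two 'show ip nhrp' outputs R1 printed above, transcribed with
# the indentation IOS uses (leading whitespace is not significant to the parser).
SHOW_IP_NHRP_BEFORE = """\
192.168.0.1/32 via 192.168.0.1
   Tunnel1 created 00:04:26, expire 01:55:33
   Type: dynamic, Flags: router unique local
   NBMA address: 1.1.1.1
    (no-socket)
192.168.0.2/32 via 192.168.0.2
   Tunnel1 created 00:04:27, expire 01:55:32
   Type: dynamic, Flags: router
   NBMA address: 2.2.2.2
192.168.0.3/32 via 192.168.0.3
   Tunnel1 created 00:04:43, never expire
   Type: static, Flags: used
   NBMA address: 3.3.3.3
"""
SHOW_IP_NHRP_AFTER_IPSEC = """\
192.168.0.1/32 via 192.168.0.1
   Tunnel1 created 00:01:04, expire 00:02:00
   Type: dynamic, Flags: temporary
   NBMA address: 3.3.3.3
192.168.0.3/32 via 192.168.0.3
   Tunnel1 created 00:48:04, never expire
   Type: static, Flags: used
   NBMA address: 3.3.3.3
"""

# Constructed inventory: the NBMA (transport) address each tunnel address is allowed
# to register from, and the hub (NHS) the spokes point at. Assumed, not from the page.
INVENTORY = {"192.168.0.1": "1.1.1.1", "192.168.0.2": "2.2.2.2", "192.168.0.3": "3.3.3.3"}
HUB_TUNNEL_IP = "192.168.0.3"

ENTRY_RE = re.compile(r"^(?P<prefix>\d+(?:\.\d+){3}/\d+) via (?P<nexthop>\d+(?:\.\d+){3})$")
IFACE_RE = re.compile(r"^(?P<iface>\S+) created (?P<created>\S+), (?:expire (?P<expire>\S+)|never expire)")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+), Flags: (?P<flags>.*)$")
NBMA_RE = re.compile(r"^NBMA address: (?P<nbma>\S+)")


@dataclass
class NhrpEntry:
    prefix: str
    nexthop: str
    interface: str = ""
    created: str = ""
    expire: Optional[str] = None          # None means "never expire" (static mapping)
    type: str = ""
    flags: List[str] = field(default_factory=list)
    nbma: str = ""
    no_socket: bool = False


def parse_show_ip_nhrp(text: str) -> List[NhrpEntry]:
    """Turn 'show ip nhrp' output into one NhrpEntry per mapping."""
    entries: List[NhrpEntry] = []
    cur: Optional[NhrpEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := ENTRY_RE.match(line)):        # a new mapping starts at column 0
            cur = NhrpEntry(m["prefix"], m["nexthop"])
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := IFACE_RE.match(line)):
            cur.interface, cur.created, cur.expire = m["iface"], m["created"], m["expire"]
        elif (m := TYPE_RE.match(line)):
            cur.type, cur.flags = m["type"], m["flags"].split()
        elif (m := NBMA_RE.match(line)):
            cur.nbma = m["nbma"]
        elif line == "(no-socket)":
            cur.no_socket = True
    return entries


def audit_nhrp_cache(entries: List[NhrpEntry], inventory: Dict[str, str], hub: str) -> List[str]:
    """The hub must remain a static mapping, every peer must register from its known
    NBMA address, and short-lived entries IOS flags 'temporary' are reported for review."""
    findings: List[str] = []
    if not any(e.nexthop == hub and e.type == "static" for e in entries):
        findings.append(f"hub {hub}: static NHS mapping missing")
    for e in entries:
        if "temporary" in e.flags:
            findings.append(f"{e.nexthop}: temporary entry via NBMA {e.nbma}, expires in {e.expire}")
            continue
        expected = inventory.get(e.nexthop)
        if expected is None:
            findings.append(f"{e.nexthop}: unknown peer registered from NBMA {e.nbma}")
        elif e.nbma != expected:
            findings.append(f"{e.nexthop}: NBMA {e.nbma} does not match inventory {expected}")
    return findings


if __name__ == "__main__":
    for name, text in (("before", SHOW_IP_NHRP_BEFORE), ("after", SHOW_IP_NHRP_AFTER_IPSEC)):
        print(name, audit_nhrp_cache(parse_show_ip_nhrp(text), INVENTORY, HUB_TUNNEL_IP))
```

Run against the first output the audit is clean; against the second it reports only the `temporary` entry for 192.168.0.1 that appeared via NBMA 3.3.3.3, which is exactly the line an operator would want to look at after a change to tunnel protection. A spoke that registers from an NBMA address other than the one in the inventory produces a mismatch finding, which is the check that matters when a hub accepts dynamic registrations.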
R1(config)#crypto call admission limit ike sa ?
<0-99999> IKE active SA limit
R1(config)#crypto call admission limit ike sa 1
R1(config)#^Z
R1#
*Nov 16 18:49:25.071: %CRYPTO-4-IKE_SA_LIMIT: IKE active SA count is 2 but SA limit has been set to 1.
R1#
*Nov 16 18:49:26.183: %SYS-5-CONFIG_I: Configured from console by console
R1#clear ip nhrp
R1#
*Nov 16 18:49:51.483: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an OUTGOING SA request from 1.1.1.1 to 2.2.2.2 due to IKE SA LIMIT REACHED
R1#
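The crypto settings entered above (3DES, SHA-1, DH group 2, a cleartext pre-shared key, the NHRP authentication string) and the IKE SA limit demonstrated last are the items a security review of this DMVPN would look at. The following Python audit is an added example, not code from the original post; `LAB_CONFIG` is constructed from R2's tunnel plus the ISAKMP policy and key typed on R1, laid out as `show run` would print them, `HARDENED_CONFIG` is the same design with stronger keywords, and `<type6-ciphertext>` is a placeholder. The checker fills in the ISAKMP defaults that `show run` omits (note that R1's `do sh run | b crypto` above shows no `hash sha` line even though it was typed) so that defaults are judged as well as explicit lines.

```python
from typing import List, Tuple

# ISAKMP policy values IOS applies when a line is absent; 'show run' omits them,
# so an audit must fill them in rather than treat a missing line as "not weak".
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Weak settings and the stronger IOS keyword to use instead: DES/3DES and DH groups of
# 1024 bits or less are disallowed by NIST SP 800-131A; MD5/SHA-1 give way to SHA-256.
WEAK_ISAKMP = {("encr", "des"): "encr aes 256", ("encr", "3des"): "encr aes 256",
               ("hash", "md5"): "hash sha256", ("hash", "sha"): "hash sha256",
               ("group", "1"): "group 14", ("group", "2"): "group 14", ("group", "5"): "group 14"}
WEAK_TRANSFORMS = {"esp-null": "esp-aes 256", "esp-des": "esp-aes 256", "esp-3des": "esp-aes 256",
                   "esp-md5-hmac": "esp-sha256-hmac", "esp-sha-hmac": "esp-sha256-hmac"}

# Constructed sample: R2's tunnel plus the ISAKMP policy and key entered on R1 above,
# trimmed to the lines the audit inspects and indented as 'show run' prints them.
LAB_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ccie-en-espanol address 3.3.3.3
crypto ipsec transform-set TRAN esp-3des esp-sha-hmac
crypto ipsec profile IPSEC
 set transform-set TRAN
interface Tunnel2
 ip nhrp authentication nicolas
 ip nhrp map 192.168.0.3 3.3.3.3
 ip nhrp network-id 100
 ip nhrp nhs 192.168.0.3
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC
"""
# Same design with the recommended replacements; <type6-ciphertext> is a placeholder.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 <type6-ciphertext> address 3.3.3.3
crypto ipsec transform-set TRAN esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC
 set transform-set TRAN
crypto call admission limit ike sa 100
interface Tunnel2
 ip nhrp map 192.168.0.3 3.3.3.3
 ip nhrp network-id 100
 ip nhrp nhs 192.168.0.3
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC
"""


def parse_ios_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group a running-config into (top-level line, [indented child lines])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_dmvpn_config(config: str) -> List[Tuple[str, str, str]]:
    """Return (where, problem, recommended change) findings for a DMVPN configuration."""
    findings, has_cac = [], False
    for header, children in parse_ios_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            policy = dict(ISAKMP_DEFAULTS)
            for child in children:                 # typed 'encryption', shown as 'encr'
                key, _, value = child.partition(" ")
                policy["encr" if key == "encryption" else key] = value
            for (key, value), fix in WEAK_ISAKMP.items():
                if policy.get(key) == value:
                    findings.append((header, f"{key} {value} (weak)", fix))
        elif header.startswith("crypto isakmp key"):
            # 'key 6 <cipher>' is type-6 (AES) encrypted at rest; anything else is readable
            if words[3] != "6":
                findings.append(("crypto isakmp key ... address " + words[-1],
                                 "pre-shared key stored in cleartext",
                                 "key config-key password-encryption + password encryption aes"))
        elif header.startswith("crypto ipsec transform-set"):
            for alg in words[4:]:
                if alg in WEAK_TRANSFORMS:
                    findings.append((" ".join(words[:4]), f"{alg} (weak)", WEAK_TRANSFORMS[alg]))
        elif header.startswith("crypto call admission limit ike"):
            has_cac = True
        elif header.startswith("interface Tunnel"):
            nhrp = any(c.startswith("ip nhrp network-id") for c in children)
            protected = any(c.startswith("tunnel protection ipsec profile") for c in children)
            if nhrp and not protected:
                findings.append((header, "mGRE/NHRP tunnel is not protected by IPsec",
                                 "tunnel protection ipsec profile <name>"))
            if any(c.startswith("ip nhrp authentication") for c in children):
                findings.append((header, "ip nhrp authentication string is sent in cleartext",
                                 "rely on IPsec peer authentication, not on this string"))
    if not has_cac:
        findings.append(("global", "no IKE SA admission limit (DoS exposure)",
                         "crypto call admission limit ike sa <n>, sized for the expected peers"))
    return findings
```

On the lab configuration the audit returns eight findings: three from the ISAKMP policy (including the SHA-1 default that never appears in `show run`), the cleartext pre-shared key, two transform-set algorithms, the NHRP authentication string, and the missing IKE SA limit. The hardened configuration returns none. Size the admission limit for the number of peers the device really terminates; the limit of 1 used on R1 above was a demonstration, and it denied the second SA the spoke legitimately needed.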
© 2010. CCIE en Español. All Rights Reserved.
really good.
I have done NHRP configurations with Cisco routers, but I tried to set up an interconnection between those routers and a Linux box running NHRP (with OpenNHRP) and could not get it working. Do you have any experience with that?
Hi Genghiz_Khan, to be honest I have never tried OpenNHRP; I'll see whether one of these days I get around to testing it.
Thanks for sharing this informative information about DMVPN. Networking has changed the scenario of working in a safe and secure way. A virtual private network is one of the best examples of this.
____________
CCIE Security
Very interesting, thanks!
Excellent contribution, thanks.