Just another Cisco blog
Posts tagged VPN
Basic AToM Lab
Oct 14th
In this article we’ll go over a simple AToM (Any Transport over MPLS) configuration. I’ve been studying MPLS a lot lately, and this is my first time playing with AToM; it’s very cool stuff. This article could be useful for anyone studying MPLS and/or CCIP/CCIE topics, or just someone who is interested in learning new things. I will be including my Dynagen/GNS3 .net file with this. Here is our topology:
Let’s go through the config:
P Router:
hostname P
!
mpls label protocol ldp
mpls ldp router-id lo0 force
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/1
 ip address 10.1.2.1 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.2.0 0.0.0.3 area 0
Here we’ve set the hostname, configured the MPLS label protocol (note: LDP is the default on newer IOS releases), and created a loopback interface whose address serves as the router ID for both LDP and OSPF. We also configured the links to the PE routers, enabled MPLS on them, and brought up OSPF as our IGP.
PE1 Router:
hostname PE1
!
mpls label protocol ldp
mpls ldp router-id lo0 force
!
pseudowire-class one
 encapsulation mpls
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface Serial2/0
 no ip address
 xconnect 3.3.3.3 100 pw-class one
!
router ospf 100
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.3 area 0
PE2 Router:
hostname PE2
!
mpls label protocol ldp
mpls ldp router-id lo0 force
!
pseudowire-class one
 encapsulation mpls
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.1.2.2 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface Serial2/0
 no ip address
 xconnect 2.2.2.2 100 pw-class one
!
router ospf 100
 router-id 3.3.3.3
 log-adjacency-changes
 ! PE2's own loopback (3.3.3.3) must be advertised, otherwise PE1 has no route to the xconnect peer
 network 3.3.3.3 0.0.0.0 area 0
 network 10.1.2.0 0.0.0.3 area 0
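As an added example (not code from the original post), here is a small Python check that reads the two PE configs and flags the mismatches that most often keep a pseudowire down: an xconnect peer that is not the far-end loopback, VC IDs that differ, and a loopback not covered by any OSPF network statement (which leaves the peer unreachable, so the targeted LDP session never forms). The sample configs are constructed from the lab above and reduced to the lines the check reads; the PE2 sample deliberately carries a copy-paste slip (an OSPF statement for 2.2.2.2 instead of its own 3.3.3.3 loopback) so the check has something to find.

```python
import re
from ipaddress import ip_address

# Constructed sample from the lab above; PE2 keeps a copy-paste slip: its OSPF statement names 2.2.2.2, not its own 3.3.3.3.
PE1 = """hostname PE1
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Serial2/0
 xconnect 3.3.3.3 100 pw-class one
router ospf 100
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.3 area 0
"""
PE2 = """hostname PE2
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
interface Serial2/0
 xconnect 2.2.2.2 100 pw-class one
router ospf 100
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.2.0 0.0.0.3 area 0
"""

def parse(cfg):
    """Pull hostname, Loopback0 address, xconnect peer/VC ID and OSPF network statements."""
    xc = re.search(r"xconnect (\S+) (\d+)", cfg)
    return {
        "host": re.search(r"^hostname (\S+)", cfg, re.M).group(1),
        "loopback": re.search(r"interface Loopback0\n ip address (\S+)", cfg).group(1),
        "peer": xc.group(1), "vcid": int(xc.group(2)),
        "ospf": re.findall(r"network (\S+) (\S+) area", cfg),
    }

def covered(addr, nets):
    """True if addr matches an OSPF 'network X wildcard' statement, bit-wise as IOS does it."""
    a = int(ip_address(addr))
    return any(((a ^ int(ip_address(net))) & ~int(ip_address(wc)) & 0xFFFFFFFF) == 0
               for net, wc in nets)

def check_pseudowire(cfg_a, cfg_b):
    """List the mismatches that would keep the AToM pseudowire between two PEs from coming up."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    if a["peer"] != b["loopback"] or b["peer"] != a["loopback"]:
        issues.append(f"{a['host']}/{b['host']}: xconnect peer does not match far-end Loopback0")
    if a["vcid"] != b["vcid"]:
        issues.append(f"{a['host']}/{b['host']}: VC ID mismatch ({a['vcid']} vs {b['vcid']})")
    for r in (a, b):  # each loopback must be advertised, or the targeted LDP session has no route
        if not covered(r["loopback"], r["ospf"]):
            issues.append(f"{r['host']}: Loopback0 {r['loopback']} is in no OSPF network statement")
    return issues
```

Running `check_pseudowire(PE1, PE2)` reports the PE2 loopback problem; correcting that one network statement makes the check come back empty.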
Great MPLS and BGP Lab
Oct 12th
I got this over at Networking-Forum.com; a member named Fred created it, and he was even kind enough to provide the Visio diagram, IP scheme spreadsheet and, most importantly, the .net file for Dynagen/GNS3. I spent a lot of my Saturday working on this beast. I thought I should share it here, as it is great practice for MPLS VPNs and BGP along with some OSPF, NAT, IPsec and GRE exposure.
Internet
* The two Internet routers should serve as transit ASes. No other routers should permit transit traffic.
* Internet sites (modeled by loopbacks) should be reachable from all LAN IPs.
GRE/IPSEC Tutorial
Aug 26th
In this article we will configure GRE/IPsec tunnels. These are used where there is a need to run routing protocols across a VPN connection (plain IPsec carries only unicast traffic, so the routing protocol rides inside the GRE tunnel). This article is useful for CCNP (ISCW) and CCSP studies.
First we will create our ISAKMP policy, then create a pre-shared key and associate it with a peer, then build our transform set, then the ACL matching the traffic to be encrypted, followed by the crypto map and finally the tunnel interface configuration.
Here’s our ISAKMP Policy:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
We set the encryption to AES with a 256-bit key, use pre-shared key authentication, and use Diffie-Hellman group 5 for the key exchange.
Next we create a key and associate it with a peer:
crypto isakmp key Sup3rS3cr3tK3y address 5.5.5.5
Now we build the Transform Set:
crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac
Next we make our ACL:
ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 4.4.4.4 host 5.5.5.5
This matches GRE traffic from 4.4.4.4 (us, the tunnel source) to 5.5.5.5 (our peer, the tunnel destination); only this GRE traffic will be encrypted.