Posts tagged VPN
In this article we’ll go over a simple AToM (Any Transport over MPLS) configuration. I’ve been studying MPLS a lot lately, this is my first time playing with AToM, and it’s very cool stuff. This article could be useful for anyone studying MPLS and/or CCIP/CCIE topics, or just someone who is interested in learning new things. I will be including my Dynagen/GNS3 .net file with this. Here is our topology:
Let’s go through the config:
hostname P
!
mpls label protocol ldp
mpls ldp router-id lo0 force
!
interface Loopback0
 ip address 220.127.116.11 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/1
 ip address 10.1.2.1 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
router ospf 100
 router-id 18.104.22.168
 log-adjacency-changes
 network 22.214.171.124 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.2.0 0.0.0.3 area 0
Here we set the hostname, configured LDP as the MPLS label protocol (note: LDP is the default on newer IOS releases, so the command is optional there), and created a loopback interface whose /32 address serves as both the LDP router ID and the OSPF router ID. The loopback address, the OSPF router-id and the /32 network statement must all be the same address, and the loopback must be advertised by the IGP, because the PEs build their LDP sessions to these loopback addresses. We also configured the links to the PE routers, enabled MPLS on them with mpls ip, and brought up OSPF as our IGP.
hostname PE1
!
mpls label protocol ldp
mpls ldp router-id lo0 force
!
pseudowire-class one
 encapsulation mpls
!
interface Loopback0
 ip address 126.96.36.199 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface Serial2/0
 no ip address
 xconnect 188.8.131.52 100 pw-class one
!
router ospf 100
 router-id 184.108.40.206
 log-adjacency-changes
 network 220.127.116.11 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.3 area 0

The PE configuration adds a pseudowire class that sets the encapsulation to MPLS, and an xconnect on Serial2/0 that binds that attachment circuit to a pseudowire toward the other PE’s loopback address with VC ID 100. Serial2/0 keeps its default HDLC encapsulation, so this pseudowire carries HDLC frames end to end. PE2 mirrors the configuration:

hostname PE2
!
mpls label protocol ldp
mpls ldp router-id lo0 force
!
pseudowire-class one
 encapsulation mpls
!
interface Loopback0
 ip address 18.104.22.168 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.1.2.2 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface Serial2/0
 no ip address
 xconnect 22.214.171.124 100 pw-class one
!
router ospf 100
 router-id 126.96.36.199
 log-adjacency-changes
 network 188.8.131.52 0.0.0.0 area 0
 network 10.1.2.0 0.0.0.3 area 0
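Two things to get right before troubleshooting a pseudowire that stays down: the xconnect peer address on each PE must be the other PE’s LDP router ID (its loopback, reachable through the IGP), and the VC ID (100 here) must match on both ends. The pseudowire itself carries no authentication or encryption, so the targeted LDP session the two PEs bring up for it is worth protecting with an MD5 password. The block below is an added example, not configuration from the original article: the address 10.255.0.2 stands in for PE2’s loopback and the password is a placeholder.

```cisco
! PE1 (added example). 10.255.0.2 is an assumed address for PE2's loopback,
! i.e. the same address used in PE1's xconnect statement.
!
! LDP sessions are unauthenticated by default. Require an MD5 password on the
! session with PE2; PE2 needs the matching line pointing at PE1's loopback.
mpls ldp neighbor 10.255.0.2 password Ldp-S3cret
mpls ldp password required
!
! Verification, from exec mode on PE1:
!
!   show mpls ldp neighbor
!     Expect two sessions: the directly connected P router and a targeted
!     session to 10.255.0.2 (PE2), both in "State: Oper". If PE2 is missing,
!     the xconnect peer address is wrong or its /32 is not in the IGP.
!
!   show mpls l2transport vc 100 detail
!     Status should be UP, with a local and a remote VC label. DOWN with no
!     remote label usually means a VC ID or encapsulation mismatch with PE2.
!
!   show mpls forwarding-table
!     PE2's loopback /32 must have an outgoing label toward the P router;
!     an "Untagged" entry means LDP is not running on the core link.
```

Apply the same two lines on PE2 with PE1’s loopback address; once both sides require a password, a session that refuses to form points directly at a key mismatch.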
I got this over at Networking-Forum.com. A member named Fred created it, and he was even kind enough to provide the Visio diagram, IP scheme spreadsheet and, most importantly, the .net file for Dynagen/GNS3. I spent a lot of my Saturday working on this beast. I thought I should share it here as it is great practice for MPLS VPNs and BGP along with some OSPF, NAT, IPSEC and GRE exposure.
* The two Internet routers should serve as transit ASes. No other routers should permit transit traffic.
* Internet sites (modeled by loopbacks) should be accessible from all LAN IPs.
In this article we will configure GRE over IPsec tunnels. Classic crypto-map IPsec carries only unicast IP traffic, so it cannot transport the multicast hellos that routing protocols such as OSPF and EIGRP rely on; wrapping the routing traffic in a GRE tunnel and then encrypting the GRE packets with IPsec is the standard way to run a routing protocol across a VPN connection. This article is useful for CCNP (ISCW) and CCSP studies.
First we create the ISAKMP policy, then a pre-shared key bound to the peer’s address, then the IPsec transform set, then the ACL that selects the traffic to be encrypted, then the crypto map that ties the peer, transform set and ACL together, and finally the tunnel interface.
Here’s our ISAKMP Policy:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
We set the encryption to AES with a 256-bit key, pre-shared-key authentication and Diffie-Hellman group 5 (1536-bit MODP). The policy does not set a hash, so IOS uses its default of SHA-1, and the default 86400-second lifetime applies; on releases that support it, an explicit hash sha256 and group 14 are the stronger choices.
Next we create a key and associate it with a peer. The same key must be configured on the peer, and it is stored in clear text in the running configuration, so configuration backups containing it need to be treated as secrets:
crypto isakmp key Sup3rS3cr3tK3y address 184.108.40.206
Now we build the transform set:

crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac

Note that esp-aes with no key size means AES-128, so phase 2 here is weaker than the 256-bit phase 1 policy; esp-aes 256 would match it. No mode is set, so the transform set uses the default tunnel mode. Transport mode is common for GRE over IPsec, because GRE already supplies the outer IP header and transport mode saves 20 bytes per packet.
Next we make our ACL:
ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 220.127.116.11 host 18.104.22.168
This matches GRE traffic from our own tunnel endpoint address (the source) to the peer’s tunnel endpoint address (the destination). These two addresses must be the tunnel source and tunnel destination of the Tunnel interface, and the peer’s ACL must be the mirror image, otherwise the two sides will never agree on which traffic to protect.
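The article describes the crypto map and tunnel interface steps but does not list them. The block below assembles all of the steps into one side of a working GRE-over-IPsec tunnel as an added example; it is not the article’s own configuration. The addresses (192.0.2.1 for this router, 198.51.100.1 for the peer, 10.0.0.0/30 on the tunnel, 10.1.0.0/24 on the LAN behind it), the interface name FastEthernet0/0, and the names GRE_IPSEC_MAP and Tunnel0 are assumptions. It also goes beyond the article’s parameters by setting the hash explicitly and using DH group 14, AES-256 and SHA-256 in the transform set, and transport mode; those options require a newer IOS release than the article’s ISCW-era syntax.

```cisco
! R1 side of a GRE-over-IPsec tunnel (added example; all addresses assumed).
! Our WAN address is 192.0.2.1, the peer R2 is 198.51.100.1.
!
! 1. ISAKMP (IKEv1 phase 1) policy. The hash is set explicitly rather than
!    left at the IOS default of SHA-1, and group 14 replaces group 5.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! 2. Pre-shared key bound to the peer's WAN address (same key on R2,
!    bound to 192.0.2.1).
crypto isakmp key Sup3rS3cr3tK3y address 198.51.100.1
!
! 3. IPsec (phase 2) transform set. "esp-aes 256" matches the 256-bit key
!    chosen in phase 1 ("esp-aes" alone would be AES-128). Transport mode
!    is sufficient because GRE already supplies the outer IP header.
crypto ipsec transform-set secure_transform esp-aes 256 esp-sha256-hmac
 mode transport
!
! 4. Crypto ACL: only GRE between the two tunnel endpoints is encrypted.
!    The addresses must equal the tunnel source and destination below.
ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 192.0.2.1 host 198.51.100.1
!
! 5. Crypto map: ties the peer, the transform set and the crypto ACL together.
crypto map GRE_IPSEC_MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set secure_transform
 match address GRE_IPSEC_TRAFFIC
!
! 6. Tunnel interface. GRE is the default tunnel mode. The MTU and MSS
!    clamps leave room for the GRE and ESP overhead so that large packets
!    do not get fragmented or silently dropped inside the tunnel.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
!
! 7. Apply the crypto map to the physical interface that sources the tunnel;
!    the GRE packets leave through it and are encrypted on the way out.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE_IPSEC_MAP
!
! 8. The routing protocol now runs across the tunnel (OSPF multicast hellos
!    travel inside GRE), which is the reason for using GRE in the first place.
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.255 area 0
```

On R2, swap the two WAN addresses everywhere they appear (key, crypto ACL, set peer, tunnel source and destination), use 10.0.0.2 on Tunnel0 and advertise its own LAN. Once both sides are up, show crypto isakmp sa should show the phase 1 SA in QM_IDLE, show crypto ipsec sa should show encap and decap counters climbing for the GRE flow, and the OSPF neighbor should appear on Tunnel0.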