The Journey of a Network Engineer


September 10, 2013  4:15 AM

How to configure Cisco DMVPN? Part-3

Sulaiman Syed

In the first part we saw how DMVPN works, how the dynamic tunnels are built, and how we can peer Spokes with each other to allow direct traffic. But everything fails if our Hub goes down, as it is critical in keeping the DMVPN network up. Dual Hub DMVPN networks were designed for redundancy, and we will look at such a network in this entry. The diagram shows how we will use the CE1 and CE5 routers as Hubs, while the rest of the routers are Spokes. Let’s have a look at the network used for this:

[Diagram: Dual Hub DMVPN topology]

We did not protect our traffic in part 1, so in this entry we will protect our tunnels with IPsec. Let’s see a sample configuration I made for IPsec:

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 0 test123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile ASA
set security-association lifetime seconds 120
set transform-set strong

Here we are using a single pre-shared key, with a wildcard peer address, to authenticate everyone. This is of course a bad design security-wise, and I highly recommend NOT doing it. We created a profile called ASA; this profile is attached to the tunnel interface to protect the tunnel.

int tu 1
tunnel protection ipsec profile ASA

For the dual Hub configuration, a few lines need to be added to the Hubs: the static NHRP mappings pointing at the other Hub. They are highlighted in a different color in the configs below:

CE1#show run int tu 1
Building configuration…

Current configuration : 358 bytes
!
interface Tunnel1
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp map multicast 10.0.0.30
ip nhrp map 192.168.1.5 10.0.0.30
ip nhrp network-id 10
no ip split-horizon eigrp 10
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile ASA
end

Similar configs are required at the other Hub (CE5). Let’s see the configs below:

CE5#show run int tu1
Building configuration…

Current configuration : 358 bytes
!
interface Tunnel1
ip address 192.168.1.5 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp map multicast 10.0.0.14
ip nhrp map 192.168.1.1 10.0.0.14
ip nhrp network-id 10
no ip split-horizon eigrp 10
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile ASA
end

The Spokes now need to be configured for both Hubs:

!
interface Tunnel1
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 10.0.0.14     // Hub one
ip nhrp map multicast 10.0.0.14       // Hub one
ip nhrp map multicast 10.0.0.30       // Hub two
ip nhrp map 192.168.1.5 10.0.0.30     // Hub two
ip nhrp network-id 10
ip nhrp nhs 192.168.1.1
ip nhrp nhs 192.168.1.5
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile ASA // ipsec
end

I hope this post was informative. If there are any questions, just let me know.

August 27, 2013  6:05 AM

How to configure Cisco DMVPN? Part-2

Sulaiman Syed

In the previous entry we saw how to configure a basic DMVPN network. Let’s see the effect of adding the extra multicast mapping on our routing table and EIGRP adjacencies.

[Diagram: DMVPN Network]

CE4 was configured with a multicast mapping for CE3, and vice versa. Let’s see the complete tunnel configuration for clarification:

interface Tunnel1
ip address 192.168.1.4 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 10.0.0.14
ip nhrp map multicast 10.0.0.14
ip nhrp map multicast 10.0.0.22
ip nhrp network-id 10
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/1
tunnel mode gre multipoint

Let’s see the routing table on CE4, run a few tests, and lastly see the EIGRP neighbors.

CE4#show ip route eigrp
100.0.0.0/32 is subnetted, 4 subnets
D 100.100.3.3 [90/297372416] via 192.168.1.3, 00:03:42, Tunnel1
D 100.100.2.2 [90/310172416] via 192.168.1.1, 00:03:43, Tunnel1
D 100.100.1.1 [90/297372416] via 192.168.1.1, 00:03:43, Tunnel1

Traceroutes to the CE3 and CE2 loopback addresses:

CE4#traceroute 100.100.3.3

Type escape sequence to abort.
Tracing the route to 100.100.3.3

1 192.168.1.3 96 msec 80 msec 100 msec

CE4#traceroute 100.100.2.2

Type escape sequence to abort.
Tracing the route to 100.100.2.2

1 192.168.1.1 112 msec 100 msec 72 msec
2 192.168.1.2 144 msec 180 msec 152 msec

EIGRP neighbor table:

CE4#show ip ei ne
IP-EIGRP neighbors for process 10
H   Address         Interface   Hold Uptime    SRTT  RTO  Q    Seq
                                (sec)          (ms)       Cnt  Num
1   192.168.1.1     Tu1           14 00:04:25   157  5000  0   10
0   192.168.1.3     Tu1           12 00:04:33    80  5000  0   7

Since CE4 had a mapping for CE3, we can see that the traffic went spoke to spoke without going through the Hub, which of course saves bandwidth. Traffic to CE2, on the other hand, had to travel via CE1 (the Hub), as we did not add a multicast mapping for it. But even for CE4 and CE3 to communicate, they first have to establish a connection to CE1.

In the next entry I will add authentication and encryption of the tunnels, and configure a dual Hub scenario. If you ever need the topology and configurations, just drop a comment!


August 18, 2013  12:15 AM

How to configure Cisco DMVPN? Part-1

Sulaiman Syed

Configuring Site-to-Site VPN is straightforward, but it fails to scale. Just imagine how many tunnels have to be created to connect 10 sites, especially if inter-site communication is desired. A better solution for interconnecting multiple sites is Dynamic Multipoint Virtual Private Network (DMVPN).

DMVPN relies on the Next Hop Resolution Protocol (NHRP), which is very similar to the use of Reverse ARP in Frame Relay networks. The traffic can be protected using an IPsec tunnel.

DMVPN uses a Hub and Spoke topology. For that we have chosen CE1 as the Hub, while routers CE2, CE3, and CE4 are the Spokes. Note that the CE routers always take the higher IP of their subnet, so on the PE3-CE4 link the IP used by CE4 is 10.0.0.26. We have also added Loopback interfaces to test the connectivity among the CEs.

Network Diagram: DMVPN Topology

In the provider network we are running OSPF, while the CEs use EIGRP to communicate with each other. Let’s configure the Hub Tunnel interface:

interface Tunnel1
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nhrp authentication CISCO          // NHRP authentication string
ip nhrp map multicast dynamic         // dynamic multicast mapping for the Spokes' WAN IPs
ip nhrp network-id 10                 // NHRP network ID, the same on the Hub and all Spokes
no ip split-horizon eigrp 10          // we want direct spoke-to-spoke routes
tunnel source FastEthernet0/0
tunnel mode gre multipoint

The Hub configuration is straightforward. Define the Tunnel and its IP address, and use the WAN interface as the tunnel source. There is no destination, as this is multipoint GRE. The no ip split-horizon command is required because we want to advertise the routes received on that interface back out to the other Spokes; this is similar to Frame Relay with multipoint interfaces.

The Spoke tunnel interface has a similar configuration, but with a few added commands.

interface Tunnel1
ip address 192.168.1.4 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 10.0.0.14     // static mapping of the Hub's tunnel IP to its WAN IP
ip nhrp map multicast 10.0.0.14       // treat the Hub's WAN IP as a multicast destination
ip nhrp map multicast 10.0.0.22       // the same for CE3
ip nhrp network-id 10
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/1
tunnel mode gre multipoint

First, we need a static mapping between the Hub’s Tunnel IP and its WAN IP. Second, we see the multicast mappings for the WAN IPs. These are essential so that the router treats these mappings as multicast destinations and routing protocol traffic can be sent to them. Remember that routing protocols use multicast to communicate among themselves.

What happens if we only map the Hub? All traffic goes to the Hub first before reaching the other Spokes, so we would be wasting WAN bandwidth. By defining mappings for the other routers, we enable traffic to go directly between the Spokes without passing through the Hub.

In this example I have mapped the CE3 IP address, thus making sure that CE3 and CE4 have direct route information, while CE4 will traverse the Hub to reach CE2.

The complete CE1 Hub configuration:

interface Tunnel1
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp network-id 10
no ip split-horizon eigrp 10
tunnel source FastEthernet0/0
tunnel mode gre multipoint
!
interface FastEthernet0/0
ip address 10.0.0.14 255.255.255.252
speed 100
full-duplex
!
router eigrp 10
network 100.0.0.0
network 192.168.1.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 0

The complete CE4 Spoke configuration:

interface Tunnel1
ip address 192.168.1.4 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 10.0.0.14
ip nhrp map multicast 10.0.0.14
ip nhrp map multicast 10.0.0.22
ip nhrp network-id 10
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/1
tunnel mode gre multipoint
!
interface FastEthernet0/1
ip address 10.0.0.26 255.255.255.252
speed 100
full-duplex
!
router eigrp 10
network 100.0.0.0
network 192.168.1.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 0

I would recommend testing the configuration without the nhrp map for 10.0.0.22, as this lets you see how the traffic flows between the routers.
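
The NHRP mappings explained above are easy to get half right: a Spoke with a static map but no multicast map for its NHS, a Hub that still has split horizon on, or a spoke-to-spoke multicast map that exists on only one side. The following is an added example (my own Python, not code from the blog) that parses Tunnel interface stanzas like the CE1 and CE4 ones above, checks those points, and reports which Spoke pairs can form a direct EIGRP adjacency. CE3's stanza, CE2's stanza and CE2's WAN IP 10.0.0.18 are assumptions; only CE1 and CE4 are shown in full in this post.

```python
import re

def parse_tunnel(text):
    """Collect the NHRP-relevant settings of one Tunnel interface stanza."""
    t = {"ip": None, "net_id": None, "auth": None, "nhs": [], "static": {},
         "mcast": set(), "split_horizon": True}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := re.match(r"ip address (\S+)", line):
            t["ip"] = m.group(1)
        elif m := re.match(r"ip nhrp network-id (\S+)", line):
            t["net_id"] = m.group(1)
        elif m := re.match(r"ip nhrp authentication (\S+)", line):
            t["auth"] = m.group(1)
        elif m := re.match(r"ip nhrp nhs (\S+)", line):
            t["nhs"].append(m.group(1))
        elif m := re.match(r"ip nhrp map multicast (\S+)", line):
            if m.group(1) != "dynamic":             # 'dynamic' is the Hub side
                t["mcast"].add(m.group(1))
        elif m := re.match(r"ip nhrp map (\S+) (\S+)", line):
            t["static"][m.group(1)] = m.group(2)    # tunnel IP -> WAN (NBMA) IP
        elif line.startswith("no ip split-horizon eigrp"):
            t["split_horizon"] = False
    return t

def check(routers, wan):
    """routers: name -> parse_tunnel() result; wan: name -> tunnel-source IP.
    Returns (problems, direct); direct maps each Spoke pair to True when both
    sides carry a multicast map for the other (direct EIGRP adjacency)."""
    problems = []
    for key in ("net_id", "auth"):
        if len({r[key] for r in routers.values()}) != 1:
            problems.append(f"nhrp {key} differs between routers")
    by_tunnel_ip = {r["ip"]: n for n, r in routers.items()}
    for name, r in routers.items():
        for nhs in r["nhs"]:
            hub = by_tunnel_ip.get(nhs)
            if hub is None:
                problems.append(f"{name}: NHS {nhs} is not any router's tunnel IP")
                continue
            if r["static"].get(nhs) != wan[hub]:
                problems.append(f"{name}: no static map {nhs} -> {wan[hub]} for its NHS")
            if wan[hub] not in r["mcast"]:
                problems.append(f"{name}: no multicast map for NHS {nhs}")
            if routers[hub]["split_horizon"]:
                problems.append(f"{hub}: Hub still has EIGRP split horizon on")
    spokes = sorted(n for n, r in routers.items() if r["nhs"])
    direct = {(a, b): wan[b] in routers[a]["mcast"] and wan[a] in routers[b]["mcast"]
              for i, a in enumerate(spokes) for b in spokes[i + 1:]}
    return problems, direct

# Constructed from the Part-1 CE1 and CE4 configs; CE3, CE2 and CE2's WAN IP
# (10.0.0.18) are assumptions, the post shows only CE1 and CE4 in full.
CE1 = """ip address 192.168.1.1 255.255.255.0
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp network-id 10
no ip split-horizon eigrp 10"""
CE4 = """ip address 192.168.1.4 255.255.255.0
ip nhrp authentication CISCO
ip nhrp map 192.168.1.1 10.0.0.14
ip nhrp map multicast 10.0.0.14
ip nhrp map multicast 10.0.0.22
ip nhrp network-id 10
ip nhrp nhs 192.168.1.1"""
CE3 = CE4.replace("192.168.1.4", "192.168.1.3").replace("10.0.0.22", "10.0.0.26")
CE2 = CE4.replace("192.168.1.4", "192.168.1.2").replace("ip nhrp map multicast 10.0.0.22\n", "")
WAN = {"CE1": "10.0.0.14", "CE2": "10.0.0.18", "CE3": "10.0.0.22", "CE4": "10.0.0.26"}

def audit():
    routers = {n: parse_tunnel(c) for n, c in
               {"CE1": CE1, "CE2": CE2, "CE3": CE3, "CE4": CE4}.items()}
    return check(routers, WAN)
```

Running audit() on these stanzas reports no problems and marks only the CE3/CE4 pair as direct, matching the traceroute results in Part 2.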


August 7, 2013  12:19 AM

Configuring Cisco GRE over Site to site VPN

Sulaiman Syed

Previously we saw how site-to-site VPN works. In this example I will use the topology below to configure a site-to-site VPN. Then we will create a GRE tunnel and secure it with the IPsec tunnel, known as GRE over IPsec, thus giving routing protocols the ability to traverse between the sites securely.

[Diagram: IPVPN topology]

First, we need to create Phase 1 using ISAKMP to secure the IPsec negotiation.

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.0.0.18

Phase 2 negotiates the secure communication. Define the transform set and the crypto map, apply the crypto map to the physical interface, create the access list that matches the GRE tunnel traffic, and lastly configure the GRE tunnel:

crypto ipsec transform-set ASA esp-des esp-sha-hmac
!
crypto map SDM 1 ipsec-isakmp
set peer 10.0.0.18
set transform-set ASA
match address 100
!
access-list 100 permit gre host 10.0.0.14 host 10.0.0.18
!
interface FastEthernet0/0
ip address 10.0.0.14 255.255.255.252
crypto map SDM

The tunnel configuration is straightforward:

interface Tunnel1
ip unnumbered Loopback0
tunnel source FastEthernet0/0
tunnel destination 10.0.0.18

Similarly, we configure the second router:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.0.0.14
!
!
crypto ipsec transform-set ASA esp-des esp-sha-hmac
!
crypto map SDM 1 ipsec-isakmp
set peer 10.0.0.14
set transform-set ASA
match address 100
interface Tunnel1
ip unnumbered Loopback0
tunnel source FastEthernet0/0
tunnel destination 10.0.0.14
!
interface FastEthernet0/0
ip address 10.0.0.18 255.255.255.252
speed 100
full-duplex
crypto map SDM

access-list 100 permit gre host 10.0.0.18 host 10.0.0.14

In this method we created the IPsec tunnel between the physical interfaces, selected the GRE traffic as the interesting traffic, and lastly created the tunnel.

Another method exists where the IPsec policy is defined first and then the GRE Tunnel interface itself is protected. There are slight changes in the configuration, as shown below.

Phase 1 stays the same; the transform set is configured with “mode transport”, there is no crypto map, and lastly the Tunnel is protected with a new IPsec profile.

crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile ASA
set security-association lifetime seconds 120
set transform-set TS
!
interface Tunnel1
tunnel protection ipsec profile ASA

A complete configuration for GRE protected with IPsec can be seen below:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.0.0.14
!
!
crypto ipsec transform-set ASA esp-des esp-sha-hmac
mode transport
!
crypto ipsec profile ASA
set security-association lifetime seconds 120
set transform-set ASA
!
interface Tunnel1
ip unnumbered Loopback0
tunnel source FastEthernet0/0
tunnel destination 10.0.0.14
tunnel protection ipsec profile ASA
!
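
The single wildcard pre-shared key in Part 3, the MD5/3DES/DES choices in these posts, and profile or transform-set names that do not line up are exactly what a config review should catch before a tunnel goes live. Below is an added example (my own Python, not code from the blog) that lints an IOS ISAKMP/IPsec config for those issues: weak algorithms, an ISAKMP policy that silently defaults to DES because it has no encr line, a wildcard pre-shared key, and tunnel-protection or crypto-map references that do not resolve. Both sample configs are constructed; the names TS, STRONG and protect-gre in the second one are assumptions.

```python
import re

# Algorithms that appear in these posts' configs and that a review would flag.
WEAK = {"des": "DES", "3des": "3DES", "md5": "MD5",
        "esp-des": "ESP DES", "esp-3des": "ESP 3DES", "esp-md5-hmac": "ESP MD5 HMAC"}

def lint_crypto(cfg):
    """Lint an IOS ISAKMP/IPsec config (weak algorithms, DES default, wildcard
    PSK, dangling profile/crypto-map references). Returns sorted findings."""
    findings, tsets, profiles, cmaps, refs, has_encr = [], set(), {}, {}, [], {}
    block = None                          # (kind, name) of the stanza being read
    for raw in cfg.splitlines():
        words = raw.split()
        if not words:
            continue
        line = " ".join(words)
        if line.startswith("crypto isakmp policy "):
            block, has_encr[words[3]] = ("policy", words[3]), False
        elif line.startswith("crypto ipsec transform-set "):
            block = ("tset", words[3])
            tsets.add(words[3])
            findings += [f"transform-set {words[3]} uses {WEAK[a]}" for a in words[4:] if a in WEAK]
        elif line.startswith("crypto ipsec profile "):
            block = ("profile", words[3])
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            block = ("cmap", words[2])
        elif line.startswith("interface "):
            block = ("intf", words[1])
        elif m := re.match(r"crypto isakmp key (?:\d )?\S+ address (\S+)", line):
            if m.group(1) == "0.0.0.0":
                findings.append("wildcard pre-shared key (address 0.0.0.0): any peer holding the key can authenticate")
        elif block and block[0] == "policy":
            has_encr[block[1]] |= words[0] == "encr"
            if words[0] in ("encr", "hash") and words[-1] in WEAK:
                findings.append(f"isakmp policy {block[1]} uses {WEAK[words[-1]]}")
        elif block and block[0] in ("profile", "cmap") and line.startswith("set transform-set "):
            (profiles if block[0] == "profile" else cmaps)[block[1]] = words[2]
        elif block and block[0] == "intf" and line.startswith("tunnel protection ipsec profile "):
            refs.append(("profile", words[4], block[1]))
        elif block and block[0] == "intf" and line.startswith("crypto map "):
            refs.append(("cmap", words[2], block[1]))
    for name, ok in has_encr.items():
        if not ok:      # IOS default ISAKMP encryption is DES when 'encr' is absent
            findings.append(f"isakmp policy {name} has no 'encr' line, so it defaults to DES")
    for kind, table in (("profile", profiles), ("cmap", cmaps)):
        for name, ts in table.items():
            if ts not in tsets:
                findings.append(f"{kind} {name} references undefined transform-set {ts}")
    for kind, name, intf in refs:
        if name not in (profiles if kind == "profile" else cmaps):
            findings.append(f"{intf} references undefined {kind} {name}")
    return sorted(findings)

# Constructed input: the Part-3 crypto lines together with their tunnel interface.
PART3 = """crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 0 test123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile ASA
set security-association lifetime seconds 120
set transform-set strong
interface Tunnel1
tunnel protection ipsec profile ASA
"""

# Constructed input with names that do not line up (TS, STRONG, protect-gre are assumed).
MISMATCH = """crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile ASA
set transform-set STRONG
interface Tunnel1
tunnel protection ipsec profile protect-gre
"""
```

lint_crypto(PART3) returns five findings (wildcard key, MD5 hash, DES default, ESP 3DES and ESP MD5), while lint_crypto(MISMATCH) reports the profile and transform-set references that cannot resolve.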

In general it is better to use the second method to protect the GRE tunnel. It gives us shorter configurations, which comes in handy when doing multiple sites.


July 22, 2013  11:17 PM

How Cisco Site-to-Site IPsec VPN Works?

Sulaiman Syed

Branch connectivity to the HQ or the Datacenter is one of the essential topics that almost all businesses have to deal with. Various methods have been developed to connect Branches, and all of them fall under the WAN connectivity module. WAN connectivity can be achieved using:

  • MPLS VPN
  • Dedicated Leased Lines
  • Internet

Even when the Internet is used to provide Branch connectivity, various methods and models can be used: Dynamic Multipoint VPN (DMVPN), SSL VPN for clients, IPsec VPN, etc. We will discuss IPsec VPN here, and later see a sample configuration.

Site-to-Site VPN uses the Internet Security Association and Key Management Protocol (ISAKMP) and IPsec to create the tunnel. ISAKMP is a negotiation protocol that allows two routers to secure the tunnel. This negotiation is done in two phases.

Phase one creates the first tunnel; this tunnel protects the negotiations of the second phase (the second tunnel). In other words, Phase one protects the IPsec parameters that are being negotiated between the end points.

Phase two is the IPsec tunnel, where the data encryption and authentication methods are negotiated and applied to the interesting traffic.



February 26, 2013  6:03 AM

Setting up CUCM in VMware workstation – part 2

Sulaiman Syed

In part one we saw how to configure GNS3 to integrate the router with the virtual environment that we will be running in VMware. Next is the creation of the VMware machine.

Initially you will require the ISO image of CUCM. The process is rather simple; to install CUCM the required hardware is:

RAM: 2 GB, Hard disk: 80 GB, CPU: 1. Click on the image below; it opens Photobucket, where the rest of the screenshots can be seen.


Figure 1: Start screen

To have a functioning CUCM VM, you should choose Workstation 6.5-7.x, as CUCM will work with ESX 4.x only. I ran into all sorts of problems with ESX 5 (Workstation 8).

Figure 2: Workstation 6-7.x

Before finalizing the Setup, select Customize Hardware.

Figure 3: Customize Hardware

At this point, choose the network that you have connected GNS3 to. In my case I have set up VMnet 8, as seen in Figure 4.


Figure 4: Choosing the correct network

The ISO which was downloaded will run Unity Server too; the only difference between the two components is the hardware requirements.

Unity will require: RAM: 4 GB, Hard disk: 160 GB, CPU: 1. The rest of the steps are the same.

This concludes the setup steps to configure the virtual machine. Once that is done, we proceed with the installation of CUCM.


February 25, 2013  2:38 AM

Setting up CUCM in VMware workstation – part 1

Sulaiman Syed

Although setting up Cisco Unified Communications Manager (CUCM) in VMware is pretty easy and straightforward, I had to struggle to get it up and running, partially because I was creating the VM wrongly. In this series I will show the steps required to install CUCM. The prerequisites for a fully operational CUCM are:

1- ISO image of CUCM; it can be found at www.cisco.com

2- VMware Workstation, as it is the compatible virtualization tool.

3- GNS3 with a router IOS.

For the setup of CUCM there are a few components that are required. The essential one, without which CUCM will not install, is NTP. We will use GNS3 to connect the CUCM to a router with an NTP configuration on it. Figure 1 shows the essential configuration and the connectivity.


Figure 1: GNS3

The Cloud is configured with the port that connects to the VMware network. Alternatively, a Windows Server can be installed in VMware and configured as Domain Controller, DNS server, and NTP server.

The second component that might be required is DNS. While configuring CUCM there is the option of installing the DNS client; if you install it, the hostname of CUCM must be resolvable. For this tutorial I have not done that, although for real practice it is best to configure the Windows Server, as other operations can be practiced as well, such as user authentication and user-related activities.

In part two we will look at how to create the VMware machine, as that is the second step. Mistakes in creating the VM are equal to many hours wasted in trial-and-error troubleshooting.


February 23, 2013  12:34 AM

Server NIC teaming to multiple switches

Sulaiman Syed

Server network redundancy has been a hot topic for a while now. It is an ideal situation when we imagine a server connected to multiple switches, with multiple links, to provide higher bandwidth and fault tolerance.

But doing so creates multiple challenges on both the network and the server side. Simply put, there is no protocol that can run between a server and switches to keep the topology spanning-tree loop free. If we use LACP to connect the server to two switches, the server will not have any issue, but the network will break with MAC address flaps. If we connect the server with LACP to a single switch, the bandwidth will increase, but fault tolerance will be lost.

Cisco’s answer to this is VSS on the Catalyst 6500, where two switches become one, and vPC on the Nexus switches.

Another solution to this scenario is using Advanced Networking Services from Intel. They have incorporated many modes of load balancing; the mode that interests us is Switch Fault Tolerance (SFT).

Switch Fault Tolerance “SFT”

It uses two adapters connected to two switches. Only the primary link is active; in case of a link or adapter failure, the second adapter takes the active role. This provides a fault-tolerant network connection in the event that the first adapter, its cabling, or the switch fails. Only two adapters can be assigned to an SFT team.


Figure 1: SFT Network Settings

The image shows the basic configuration. The switch ports are configured with PortFast and LACP in dynamic mode, and the switch uplinks run STP. When operational, the EtherChannel has a single link in use while the second is on standby.

Providing a virtual switching solution such as VSS or vPC is still the best solution for high bandwidth and fault tolerance.


February 20, 2013  5:30 AM

How to configure On-Demand Routing in Cisco routers?

Sulaiman Syed

On-Demand Routing (ODR) is one of the few simple routing methods. It is not a protocol by itself, as it uses the Cisco Discovery Protocol (CDP) to gather and propagate the route information.

ODR is designed for Hub-and-Spoke networks where the Spokes are stub networks with nothing else connected to them, as ODR is not a protocol for propagating routes between routers.

[Diagram: ODR Hub-and-Spoke network]

When ODR is enabled on the Hub router, the Hub installs a default route into each Spoke router, which eliminates the need for a manual static route on each Spoke. The Spoke routers send their prefixes to the Hub; since full prefixes are sent, these routes support Variable Length Subnet Masks (VLSM). Furthermore, ODR routes can be redistributed into dynamic IP routing protocols.

For the above diagram, the required configuration is:

R2#conf t
R2(config)#router odr
R2(config-router)#router ospf 1
R2(config-router)#redistribute odr subnets

It really is straightforward. Hope this was informative.


February 16, 2013  2:17 AM

How to configure VSS?

Sulaiman Syed

Virtual Switching System (VSS) was one of the early technologies introduced in the datacenter world to eliminate the Spanning Tree Protocol (STP), giving networks and servers multiple active links in a non-blocking port architecture.

The configuration is quite simple and straightforward. First, define the VSS domain and assign a priority so the primary switch becomes the master. Second, create the Virtual Switching Link (VSL); it is basically an EtherChannel. Lastly, convert the switches from standalone to virtual switch mode.

Let’s see the configurations.

Switch 1

switch virtual domain 10
switch mode virtual
switch 1 priority 150
mac-address use-virtual

Switch 2

switch virtual domain 10
switch mode virtual
switch 2 priority 100
mac-address use-virtual

The Port-channel configurations:

Switch 1

!
interface Port-channel11
description >>>>> ISL on SWITCH1 <<<<<
no switchport
no ip address
switch virtual link 1
mls qos trust cos
no mls qos channel-consistency
!

Switch 2

interface Port-channel22
description >>>>> ISL on SWITCH2 <<<<<
no switchport
no ip address
switch virtual link 2
mls qos trust cos
no mls qos channel-consistency

Adding interfaces to the port channels:

Switch 1

interface TenGigabitEthernet1/5/5
description —->ISL LINK
no switchport
no ip address
mls qos trust cos
channel-group 11 mode on
end
interface TenGigabitEthernet1/5/4
description —->ISL LINK
no switchport
no ip address
mls qos trust cos
channel-group 11 mode on
end

Switch 2

interface TenGigabitEthernet1/5/5
description —->ISL LINK
no switchport
no ip address
mls qos trust cos
channel-group 22 mode on
end
interface TenGigabitEthernet1/5/4
description —->ISL LINK
no switchport
no ip address
mls qos trust cos
channel-group 22 mode on
end

Lastly, converting into a virtual switch system:

Switch 1

switch convert mode virtual

Switch 2

switch convert mode virtual

Done. Wait for the switches to reload; it takes a while, sometimes up to 10 minutes, for the VSS to be in a fully operational state. I will write other entries on the operation of VSS, and how SUP failures or chassis failures affect the operation of the VSS.

Let’s see the state of our VSS:

#show redundancy
Redundant System Information :
——————————
Available system uptime = 3 weeks, 2 days, 15 hours, 58 minutes
Switchovers system experienced = 0
Standby failures = 0
Last switchover reason = none

Hardware Mode = Duplex
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Maintenance Mode = Disabled
Communications = Up

Current Processor Information :
——————————-
Active Location = slot 1/5
Current Software state = ACTIVE
Uptime in current state = 3 weeks, 2 days, 15 hours, 57 minutes
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI8a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 03-Dec-11 07:53 by prod_rel_team
BOOT =
Configuration register = 0x2102

Peer Processor Information :
—————————-
Standby Location = slot 2/6
Current Software state = STANDBY HOT
Uptime in current state = 3 weeks, 2 days, 15 hours, 53 minutes
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI8a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 03-Dec-11 07:53 by prod_rel_team
BOOT =
Configuration register = 0x2102

This was a successful configuration, as our VSS is up and shows the standby peer as well.

