Saturday, June 11, 2016

Konfigurasi DMVPN Dengan EIGRP Routing Over GRE + IPSEC Protection

Sekalian untuk catatan biar gak lupa, karna bakal sering banged demoin teknologi WAN salah satunya DMVPN + IPSec ini makanya bikin notes ini biar praktis pas butuh tinggal buka dari internet deh.

Dalam LAB ini kira-kira Logical Topology dari LAB kita kali ini yang kira-kira seperti dibawah ini.



















Lab di IOU saya Physical Topologi nya seperti dibawah ini.


















KONFIGURASI INTERNET (INTERNET ROUTER)

 Internet#sh run
Building configuration...

 Current configuration : 1851 bytes
!
! Last configuration change at 17:00:54 CET Sat Jun 11 2016
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
ip dhcp excluded-address 40.40.40.3 40.40.40.254
!
ip dhcp pool public
 network 40.40.40.0 255.255.255.0
 default-router 40.40.40.1
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 20.20.20.1 255.255.255.0
!
interface Ethernet0/1
 ip address 30.30.30.1 255.255.255.0
!
interface Ethernet0/2
 ip address 40.40.40.1 255.255.255.0
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!

end



KONFIGURASI R1 (HUB & NHRP SERVER)

R1#sh run
Building configuration...

 Current configuration : 2475 bytes
!
! Last configuration change at 17:33:56 CET Sat Jun 11 2016
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key strongsecretkey address 0.0.0.0
!
!
crypto ipsec transform-set TRSET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROTECT-DMVPN
 set transform-set TRSET
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 90
 no ip split-horizon eigrp 90
 ip nhrp authentication NHRPkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile PROTECT-DMVPN
!
interface Ethernet0/0
 ip address 20.20.20.2 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
!
router eigrp 90
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end

KONFIGURASI R2 (SPOKE & NHRP CLIENT)
R2#sh run
Building configuration...

 Current configuration : 2564 bytes
!
! Last configuration change at 17:32:43 CET Sat Jun 11 2016
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key strongsecretkey address 0.0.0.0
!
!
crypto ipsec transform-set TRSET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROTECT-DMVPN
 set transform-set TRSET
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 90
 no ip split-horizon eigrp 90
 ip nhrp authentication NHRPkey
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.1 20.20.20.2
 ip nhrp map multicast 20.20.20.2
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile PROTECT-DMVPN
!
interface Ethernet0/0
 ip address 30.30.30.2 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
!
router eigrp 90
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 30.30.30.1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end


KONFIGURASI R3 (SPOKE & NHRP CLIENT)

R3#sh run
Building configuration...

Current configuration : 2544 bytes
!
! Last configuration change at 18:09:11 CET Sat Jun 11 2016
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key strongsecretkey address 0.0.0.0
!
!
crypto ipsec transform-set TRSET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROTECT-DMVPN
 set transform-set TRSET
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.3.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 90
 no ip split-horizon eigrp 90
 ip nhrp authentication NHRPkey
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.1 20.20.20.2
 ip nhrp map multicast 20.20.20.2
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile PROTECT-DMVPN
!
interface Ethernet0/0
 ip address dhcp
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
!
router eigrp 90
 network 10.0.0.0 0.0.0.255
 network 192.168.3.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 40.40.40.1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end



VERIFIKASI COMMAND

Cek IPSEC Connection
# show crypto isakmp sa
# show crypto ipsec sa
# show crypto session

Cek Routing & Connectivity
# show ip route
# ping 
# traceroute


Done!
Posted by at No comments:
Labels: ,

Thursday, June 2, 2016

Sekilas Catatan Tentang VMware NSX

Saya belum tau begitu dalam tentang VMware NSX tapi saya yakin sekali konsep network virtualization dan SDN adalah masa depan dunia network dan data center. Dimana semuanya menjadi lebih konvergen, flexibel dan cepat karna provisioning di dalam virtualization sangat cepat dan ini bener2 menguntungkan organisasi karna bisa expand bisnis mereka lebih cepat dan secara bisnis time-to-market meningkat secara drastis.

Yah seperti biasa karna saya pelupa saya bikin catatan. Beberapa point dibawah ini adalah catatan saya sepulang dari VMware NSX Experience Days

1) Ada 4 fungsi yg bisa di virtual kan oleh NSX :
- Routing
- Switching
- Firewall
- Load Balancer

2) Vmware bisa berfungsi sebagai SDN juga, tapi fungsi sebeneranya adalah network virtualization.

3) Dengan NSX maka akan ada di vCenter plugin tambahan untuk network & security.

4) Vmware tidak terikat dengan protokol karna dia menggunakan teknologi overlay yg berdiri diatas infrastruktur/hypervisor yang ada. Tidak seperti SDN yg terikat dengan protokol openflow.

5) Untuk deployment masing2 minimal butuh 3 controller.

6) Ketika diaktifkan license NSX maka akan aktif fitur "vxlan, logical router, firewall".

7) Deployment Step
- Install NSX Manager supaya muncul menu baru di vCenter.
Setelah install NSX Manager baru install.
- Install NSX Controller.
- Install NSX Edge Service Gateway.

8) Minimal Requirement MTU untuk deploment VXLAN di NSX adalah 1600 MTU karna VXLAN nambah 50 bytes di framenya

9) VTEP ada di setiap host, fungsinya untuk gateway VXLAN Overlay

10) VXLAN hanya berguna untuk komunikasi antara host, makana butuh VTEP tiap host. Kalo masih satu host pake VLAN biasa aja

11) Ada 3 mode VXLAN Replication Modes
- Unicast
- Multicast
- Hybrid

12) Ada 2 jenis routing di NSX yaitu :
- Centralized, VM mau ngbrol dengan VM lain meskipun satu host trafiknya keluar dulu ke switch physical lalu balik lagi ke host.
- Distributed, nah kalo mau dynamic routing harus masang DLR ( Yang cuma nerima forwarding table) dan Control VM (Yang menghitung proses routing table).

Notes : DLR ada di setiap host dan control VM itu ada cuma satu.

13) Ada fitur bridging untuk bridge VXLAN to VLAN L2 Bridging. Jadi menghubungkan virtual dan physical, ini karna VXLAN gak bisa terhubung ke physical network.

14) Kalo mau deploy NSX minimal ada 2 host buat yg dijadiin 1 cluster sebagai Edge Cluster. Jadi arsitektur yg bener itu
- Compute Cluster, Buat VM-VM
- Edge Cluster, Buat Deploy Logical Control VM. Statenya harus active-standby supaya engga looping.
- Host vCenter buat vCenter server

15) Throughtput maximal per-edge 10Gigabit

16) Dengan deployment NSX gak perlu switch physical yg punya fitur intelegent karna fitur2 tersebut bisa dijalankan oleh si NSX.

17) Sebenernya ada 2 tipe NSX, yaitu yang berjalan di 1 hypervisor which is ada di vCenter. Dan multi-hypervisor yg berjalan di Openstack.

18) Firewall di NSX hanya L2-L4 saja tidak support sampai L7 firewall

19) Untuk membantu membuat solusi security firewall di NSX ada tool Flow Monitoring yg bisa analisa flow trafik antara VM dalam DC.


Nah kalo ada yang salah pembaca yang lebih expert mungkin bisa komen agar saya bisa perbaiki dan kalo ada yg mau diskusi silahkan. ^^
Posted by at 1 comment:
Labels: , ,
Subscribe to: Posts (Atom)