In this note I want to write a bit about the simulation I did for DMVPN, GETVPN, and GETVPN over DMVPN. The goal, obviously, is so I don't forget if there's another demo hahaha. I won't go over the concepts behind these technologies, since you can find complete documentation on all of them from plenty of sources.
GETVPN
DMVPN
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book.pdf
Now let's go straight to the example topology. The idea is:
- 1 link using GETVPN.
- 1 link using GETVPN over DMVPN.
The logical topology looks roughly like this.
The topology in GNS3 looks roughly like this.
The configuration is roughly as follows.
Key-Server
Key-Server#sh run
Building configuration...
Current configuration : 2663 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Key-Server
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
multilink bundle-name authenticated
archive
log config
hidekeys
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
crypto ipsec profile IPSEC
set transform-set TRANS
crypto gdoi group GDOI
identity number 1234
server local
rekey algorithm aes 256
rekey lifetime seconds 3600
rekey retransmit 10 number 2
rekey authentication mypubkey rsa VPNKEYS
rekey transport unicast
sa ipsec 10
profile IPSEC
match address ipv4 GETVPN-ACL
replay counter window-size 64
address ipv4 10.10.20.2
crypto map CRYPTO 10 gdoi
set group GDOI
ip tcp synwait-time 5
interface Loopback0
description KEY-SERVER-ADDRESS
ip address 10.10.19.28 255.255.255.255
ip ospf network point-to-point
ip ospf 1 area 0
interface FastEthernet0/0
description TO-HQ-ROUTER
ip address 10.10.20.2 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
duplex auto
speed auto
crypto map CRYPTO
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
router ospf 1
router-id 10.10.20.2
log-adjacency-changes
ip forward-protocol nd
no ip http server
no ip http secure-server
ip access-list extended GETVPN-ACL
deny esp any any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny ospf any any
deny eigrp any any
deny tcp any any eq 22
deny tcp any eq 22 any
deny udp any any eq 848
deny udp any eq 848 any eq 848
deny udp any eq isakmp any eq isakmp
deny gre any any
deny tcp any eq 992 any
deny tcp any any eq 992
deny tcp any eq 990 any
deny tcp any any eq 990
deny udp any eq 9996 any
deny udp any any eq 9996
deny udp any any eq 1645
deny udp any any eq 1646
deny udp any any eq 1813
deny tcp any eq 443 any
deny tcp any any eq 443
permit ip any any
no cdp log mismatch duplex
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
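The GETVPN-ACL above is the heart of the policy: the key server pushes it to every group member, a permit entry means "encrypt", a deny entry means "forward in cleartext", and the first match wins. Here is a small evaluator for that exact ACL, written by me as an added example (not code from the original post or from Cisco); the parser only understands the ACL syntax the post uses (any / host / wildcard addresses and eq ports), and the sample flows are constructed using addresses from the lab topology.

```python
"""Evaluate which flows the Key-Server's GETVPN-ACL will encrypt.

Added example, not from the original post. permit = encrypt, deny = cleartext,
first match wins; anything that matches nothing hits the implicit deny at the
end of an IOS ACL and is also sent in cleartext.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Copied from the Key-Server running-config in the post (ip access-list extended GETVPN-ACL).
GETVPN_ACL = """
deny esp any any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny ospf any any
deny eigrp any any
deny tcp any any eq 22
deny tcp any eq 22 any
deny udp any any eq 848
deny udp any eq 848 any eq 848
deny udp any eq isakmp any eq isakmp
deny gre any any
deny tcp any eq 443 any
deny tcp any any eq 443
permit ip any any
"""

# IOS port keywords used by this ACL (bgp = TCP/179, isakmp = UDP/500).
PORT_NAMES = {"bgp": 179, "isakmp": 500}


@dataclass
class Flow:
    proto: str            # protocol keyword as IOS spells it: tcp, udp, esp, gre, ospf, ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]  # (network, wildcard mask) as integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def parse_addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip_to_int(tok[i + 1]), 0), i + 2
    return (ip_to_int(tok[i]), ip_to_int(tok[i + 1])), i + 2


def parse_port(tok, i):
    """Consume an optional 'eq <port>' qualifier (the only operator this ACL uses)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = parse_addr(tok, 2)
        sport, i = parse_port(tok, i)
        dst, i = parse_addr(tok, i)
        dport, i = parse_port(tok, i)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport))
    return aces


def addr_match(spec, ip: str) -> bool:
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF  # a set wildcard bit means "don't care"
    return (ip_to_int(ip) & keep) == (net & keep)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not (addr_match(ace.src, flow.src) and addr_match(ace.dst, flow.dst)):
        return False
    if ace.sport is not None and ace.sport != flow.sport:
        return False
    return ace.dport is None or ace.dport == flow.dport


def classify(aces, flow: Flow) -> str:
    """'encrypt' on the first permit match, 'cleartext' on a deny match or no match."""
    for ace in aces:
        if ace_matches(ace, flow):
            return "encrypt" if ace.action == "permit" else "cleartext"
    return "cleartext"


if __name__ == "__main__":
    acl = parse_acl(GETVPN_ACL)
    samples = [  # constructed flows using addresses from the post's topology
        ("core banking to branch LAN", Flow("tcp", "172.16.16.1", "192.168.1.10", 40000, 8080)),
        ("eBGP HQ->Branch over MPLS", Flow("tcp", "10.10.12.1", "10.10.12.2", 179, 40000)),
        ("GDOI rekey from key server", Flow("udp", "10.10.20.2", "10.10.12.1", 848, 848)),
        ("HTTPS to WEB-KMS", Flow("tcp", "192.168.1.10", "172.16.16.3", 40000, 443)),
    ]
    for label, f in samples:
        print(f"{label:28} -> {classify(acl, f)}")
```

The control-plane exemptions (BGP, OSPF, GDOI on UDP/848, ISAKMP) are what let the group members register and exchange routes before the group SA exists. The fourth sample is the one worth a second look when reviewing this ACL: `deny tcp any any eq 443` exempts every HTTPS flow from the group SA, so traffic to the WEB-KMS loopback crosses the MPLS link outside GETVPN (TLS still protects the payload, but the addresses and flow metadata are visible to the carrier).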
HQ-Router
HQ-Router#sh run
Building configuration...
Current configuration : 3352 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname HQ-Router
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
multilink bundle-name authenticated
archive
log config
hidekeys
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 10.10.20.2
crypto gdoi group GDOI
identity number 1234
server address ipv4 10.10.20.2
crypto map CRYPTO 10 gdoi
set group GDOI
ip tcp synwait-time 5
interface Loopback0
description CORE-BANKING
ip address 172.16.16.1 255.255.255.255
interface Loopback1
description ATM-SEGMENT
ip address 172.16.16.2 255.255.255.255
interface Loopback2
description WEB-KMS
ip address 172.16.16.3 255.255.255.255
interface Loopback3
description MAIL-SERVER
ip address 172.16.16.4 255.255.255.255
interface Tunnel100
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 100
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100
crypto map CRYPTO
interface FastEthernet0/0
description TO-BRANCH-VIA-MPLS
ip address 10.10.12.1 255.255.255.252
duplex auto
speed auto
crypto map CRYPTO
interface FastEthernet0/1
description TO-BRANCH-VIA-INTERNET
ip address 10.10.12.5 255.255.255.252
duplex auto
speed auto
interface FastEthernet1/0
description TO-KEY-SERVER
ip address 10.10.20.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
duplex auto
speed auto
crypto map CRYPTO
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
router ospf 1
router-id 10.10.20.1
log-adjacency-changes
redistribute bgp 65511 subnets
router bgp 65511
no synchronization
bgp log-neighbor-changes
network 10.10.12.0 mask 255.255.255.252
network 10.10.12.4 mask 255.255.255.252
network 172.16.16.1 mask 255.255.255.255
network 172.16.16.2 mask 255.255.255.255
network 172.16.16.3 mask 255.255.255.255
network 172.16.16.4 mask 255.255.255.255
redistribute ospf 1 metric 100
neighbor 10.10.12.2 remote-as 65512
neighbor 10.10.12.2 description TO-BRANCH-MPLS-PEERING
neighbor 10.10.12.2 soft-reconfiguration inbound
neighbor 10.10.12.2 route-map ADVERTISE-TO-BRANCH out
neighbor 192.168.100.2 remote-as 65512
neighbor 192.168.100.2 description TO-BRANCH-VIA-INTERNET
neighbor 192.168.100.2 soft-reconfiguration inbound
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
ip prefix-list CORE-ATM seq 1 permit 172.16.16.1/32
ip prefix-list CORE-ATM seq 2 permit 172.16.16.2/32
ip prefix-list WEB-MAIL seq 1 permit 172.16.16.3/32
ip prefix-list WEB-MAIL seq 2 permit 172.16.16.4/32
no cdp log mismatch duplex
route-map ADVERTISE-TO-BRANCH permit 10
match ip address prefix-list WEB-MAIL
set as-path prepend 65511 65511 65511 65511
route-map ADVERTISE-TO-BRANCH permit 20
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login local
transport input telnet
end
Branch-Router
Branch-Router#sh run
Building configuration...
Current configuration : 2649 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Branch-Router
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
multilink bundle-name authenticated
archive
log config
hidekeys
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 10.10.20.2
crypto gdoi group GDOI
identity number 1234
server address ipv4 10.10.20.2
crypto map CRYPTO 10 gdoi
set group GDOI
ip tcp synwait-time 5
interface Loopback0
description SEGMENT-BRANCH
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Tunnel100
ip address 192.168.100.2 255.255.255.0
no ip redirects
ip nat outside
ip nhrp map 192.168.100.1 10.10.12.5
ip nhrp map multicast 10.10.12.5
ip nhrp network-id 100
ip nhrp nhs 192.168.100.1
ip virtual-reassembly
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100
crypto map CRYPTO
interface FastEthernet0/0
description TO-HQ-VIA-MPLS
ip address 10.10.12.2 255.255.255.252
duplex auto
speed auto
crypto map CRYPTO
interface FastEthernet0/1
description TO-HQ-VIA-INTERNET
ip address 10.10.12.6 255.255.255.252
duplex auto
speed auto
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
router bgp 65512
no synchronization
bgp log-neighbor-changes
network 192.168.1.0
neighbor 10.10.12.1 remote-as 65511
neighbor 10.10.12.1 description TO-HQ-MPLS-PEERING
neighbor 10.10.12.1 soft-reconfiguration inbound
neighbor 192.168.100.1 remote-as 65511
neighbor 192.168.100.1 description TO-HQ-VIA-INTERNET
neighbor 192.168.100.1 soft-reconfiguration inbound
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Tunnel100 overload
ip prefix-list WEB-MAIL seq 1 permit 172.16.16.3/32
ip prefix-list WEB-MAIL seq 2 permit 172.16.16.4/32
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp log mismatch duplex
route-map RM_ADD_AS_PATH permit 10
match ip address prefix-list WEB-MAIL
set as-path prepend 65512 65512 65512 65512
route-map RM_ADD_AS_PATH permit 20
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
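Before a lab config like this gets promoted to a demo or, worse, copied into production, it pays to run a quick hygiene check over the three running-configs. The script below is my added example (not from the post or any Cisco tool): its rules are my own heuristics, the excerpts are the lines copied from the three `sh run` outputs above that the rules look at, and, because the post's output lost its indentation, the vty section is taken to run from `line vty` to `end`, which holds for these three configs but is not a general IOS parser.

```python
"""Flag weak crypto and management settings in the post's three running-configs.

Added example, not part of the original post. Rules are this script's own
heuristics; excerpts are copied from the post's 'sh run' output.
"""
import re

KEY_SERVER = """
hostname Key-Server
no service password-encryption
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
line vty 0 4
login
end
"""

HQ_ROUTER = """
hostname HQ-Router
no service password-encryption
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 10.10.20.2
line vty 0 4
password cisco
login local
transport input telnet
end
"""

BRANCH_ROUTER = """
hostname Branch-Router
no service password-encryption
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 10.10.20.2
line vty 0 4
login
end
"""

WEAK_SECRETS = {"cisco", "cisco123", "password", "admin"}  # constructed short list
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP; use group 14 or higher


def audit(config: str):
    """Return a list of (severity, message) findings for one running-config."""
    lines = [l.strip() for l in config.strip().splitlines() if l.strip()]
    findings = []
    for l in lines:
        m = re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", l)
        if m:
            key, addr, mask = m.groups()
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(("HIGH", "wildcard pre-shared key: any peer address may attempt IKE with it"))
            if key.lower() in WEAK_SECRETS or len(key) < 12:
                findings.append(("HIGH", f"weak/guessable pre-shared key '{key}'"))
        if l == "no service password-encryption":
            findings.append(("MEDIUM", "line passwords are stored in cleartext in the config"))
        m = re.match(r"group (\d+)$", l)  # assumes 'group N' only appears under an isakmp policy
        if m and m.group(1) in WEAK_DH_GROUPS:
            findings.append(("MEDIUM", f"IKE DH group {m.group(1)} is below current minimum (group 14)"))
    # vty section: from 'line vty' to 'end' (indentation was lost in the post's output)
    start = next((i for i, l in enumerate(lines) if l.startswith("line vty")), None)
    if start is not None:
        stop = lines.index("end") if "end" in lines else len(lines)
        vty = lines[start + 1:stop]
        if "transport input telnet" in vty:
            findings.append(("HIGH", "vty accepts Telnet: management logins cross the network in cleartext"))
        for v in vty:
            m = re.match(r"password (\S+)$", v)
            if m and m.group(1).lower() in WEAK_SECRETS:
                findings.append(("HIGH", f"weak vty password '{m.group(1)}'"))
        if "login" in vty and not any(v.startswith("password") for v in vty):
            findings.append(("INFO", "vty has 'login' but no password set: remote login is refused"))
    return findings


def high_count(config: str) -> int:
    return sum(1 for sev, _ in audit(config) if sev == "HIGH")


if __name__ == "__main__":
    for name, cfg in (("Key-Server", KEY_SERVER), ("HQ-Router", HQ_ROUTER), ("Branch-Router", BRANCH_ROUTER)):
        print(f"== {name}")
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```

The wildcard key on the key server is the finding that matters most for GETVPN specifically: `crypto isakmp key cisco address 0.0.0.0 0.0.0.0` lets any host that reaches 10.10.20.2 complete IKE phase 1 with the shared string, and phase 1 is what gates the GDOI registration that hands out the group keys. In a lab that is a convenience; outside one, per-peer keys (or the `rekey authentication mypubkey rsa` model already used for rekeys, extended to registration via certificates) and an SSH-only vty are the minimum.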
Hope this is useful.....