Frame relay configuration on router FWSW:
FRSW(config) # frame-relay switching
FRSW(config)#int s1/0
FRSW (config-if) # encapsulation frame-relay IETF
FRSW (config-if) # clock rate 2016000
FRSW(config-if)#frame-relay lmi-type cisco
FRSW (config-if) # frame-relay intf-type dce
FRSW(config-if)#frame-relay route 102 interface s1/1 201
FRSW(config-if)#no sh
FRSW (config-if) # exit
FRSW(config)#int s1/1
FRSW(config-if)#encapsulation frame-relay IETF
FRSW(config-if)#clock rate 2016000
FRSW (config-if) # frame-relay lmi-type cisco
FRSW(config-if)#frame-relay intf-type dce
FRSW(config-if)#frame-relay route 201 interface s1/0 102
FRSW(config-if)#no sh
FRSW(config-if)#exit
Frame relay are generally rented from ISP. You get two DLCI values for the identification of the frame relay circuits.
Configuratin on router BJ to enable frame relay:
BJ(config)#interface f0/0a
BJ(config-if)#ip add 10.1.1.254 255.255.255.0
BJ(config-if)#no sh
BJ(config-if)#exit
BJ(config)#int s1/0
BJ(config-if)#ip add 172.161.1.1 255.255.255.0
BJ(config-if)#encapsulation frame-relay IETF
BJ (config-if) # frame-relay map ip 172.161.1.2 102 broadcast
BJ(config-if)#no sh
BJ(config-if)#exit
BJ (config) # ip route 0.0.0.0 0.0.0.0 172.161.1.2
Configuratin on router GZ to enable frame relay:
GZ(config)#interface f0/0
GZ(config-if)#ip add 10.2.2.254 255.255.255.0
GZ (config-if) # no sh
GZ(config-if)#exit
GZ(config)#int s1/1
GZ(config-if)#ip add 172.161.1.2 255.255.255.0
GZ(config-if)#encapsulation frame-relay IETF
GZ(config-if)#frame-relay map ip 172.161.1.1 201 broadcast
GZ(config-if)#no sh
GZ(config-if)#exit
GZ (config) # ip route 0.0.0.0 0.0.0.0 172.161.1.1
So we can ping from BJ’ to GZ.
BJ#ping 10.2.2.254
Type escape sequence to abort. Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds: Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/90/184 ms Success rate is 100 percent (5 / 5), round-trip min / avg / max = 56/90/184 ms
For VPN configuritaion we nedd to apply below commands on BJ and GZ
BJ (config) # crypto isakmp enable
BJ(config)#crypto isakmp policy 10
BJ (config-isakmp) # hash md5
BJ(config-isakmp)#authentication pre-share
BJ (config-isakmp) # encryption 3des
BJ(config-isakmp)#exit
BJ (config) # crypto isakmp key cisco address 172.161.1.2
BJ(config)#crypto ipsec transform-set trset esp-des esp-md5-hmac
BJ (cfg-crypto-trans) # exit
BJ(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
BJ (config) # crypto map eric86 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
BJ(config-crypto-map)#set peer 172.161.1.2
BJ (config-crypto-map) # set transform-set trset
BJ (config-crypto-map) # match address 101
BJ(config-crypto-map)#exit
BJ(config)#interface Serial1/0
BJ(config-if)#crypto map eric86
Some of the red: IKE allocation strategy consultation
Blue: pre-shared key and set on the address side
PSECCRYPTOGreen: transfer mode IPSEC configured with a list of visits CRYPTO
BJ (config-if) #
[Red: IKE allocation strategy consultation
Blue: pre-shared key and set on the address side
IPSECRYPTO Green: transfer mode IPSEC configured with a list of visits
CRYPTO Orange: CRYPTO create and automatically set in consultation with the parameters]
GZ(config)#crypto isakmp enable
GZ (config) # crypto isakmp policy 10
GZ(config-isakmp)#hash md5
GZ (config-isakmp) # authentication pre-share
GZ(config-isakmp)#encryption 3des
GZ (config-isakmp) # exit
GZ(config)#crypto isakmp key cisco address 172.161.1.1
GZ (config) # crypto ipsec transform-set trset esp-des esp-md5-hmac
GZ(cfg-crypto-trans)#exit
GZ (config) # access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
GZ(config)#crypto map eric86 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
GZ (config-crypto-map) # set peer 172.161.1.1
GZ(config-crypto-map)#set transform-set trset
GZ (config-crypto-map) # match address 101
GZ(config-crypto-map)#exit
GZ (config) # interface Serial1 / 1
GZ (config-if) # crypto map eric86
GZ(config-if)#
* Oct 14 23:07:28.067:% CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Then VPN configuration is done.To verify VPN ,an extended ping is applied.
BJ # ping
Protocol [ip]: Target IP address: 10.2.2.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]: y
Extended commands [n]: y
Source address or interface: 10.1.1.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record,
Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/164/240 ms