Apr 3

Solution

  • Uses a hub-and-spoke design
  • Supports redundancy
  • Does not use crypto maps
  • Uses multipoint GRE (mGRE) tunnel interfaces
  • Spokes initiate connections to the hub, never the hub to the spokes
  • Single or multiple topologies
    • Single topology: only one subnet on the hub side
    • Multiple topologies: multiple subnets on the hub side

Components

  • Multipoint GRE (mGRE) tunnel interface
  • Next Hop Resolution Protocol (NHRP)
    • About 20 years old; originally designed for ATM/X.25 networks
    • Before sending a packet, a spoke sends an NHRP query to the hub, which acts as the NHRP server
    • The server answers with the real (public) IP address of the destination spoke and advertises the destination network
    • If the destination is not the hub router, the spoke sets up an IPsec tunnel directly to the remote spoke (when using mGRE), bypassing the hub
    • Automatically created spoke-to-spoke tunnels are torn down after being idle for a certain time
  • IPsec profiles
    • Replace static crypto maps

  • ISAKMP policy and pre-shared key

rt(config)# crypto isakmp policy priority_#
rt(config-isakmp)# authentication rsa-sig | rsa-encr | pre-share
rt(config-isakmp)# encryption des | 3des | aes | aes 192 | aes 256
rt(config-isakmp)# group 1 | 2 | 5
rt(config-isakmp)# hash md5 | sha
rt(config-isakmp)# lifetime #_of_seconds
rt(config-isakmp)# exit
rt(config)# crypto isakmp key key address 0.0.0.0 0.0.0.0

  • Transform set

rt(config)# crypto ipsec transform-set tsname ts_1 [ts_2 [ts_3]]
rt(cfg-crypto-trans)# mode tunnel

  • IPsec profile (used instead of a crypto map)

rt(config)# crypto ipsec profile profile_name
rt(ipsec-profile)# set transform-set tsname
rt(ipsec-profile)# set pfs group1 | group2 | group5
rt(ipsec-profile)# set security-association lifetime seconds | kilobytes ...

Configuration

  • Hub configuration

rt(config)# interface tunnel int_#
rt(config-if)# ip address ip_addr mask
rt(config-if)# ip mtu 1416
rt(config-if)# ip nhrp authentication key
rt(config-if)# ip nhrp map multicast dynamic      ! needed for dynamic routing protocols
rt(config-if)# ip nhrp network-id id_#
rt(config-if)# ip nhrp holdtime seconds
rt(config-if)# tunnel source public_int_name
rt(config-if)# tunnel key key_#
rt(config-if)# tunnel mode gre multipoint
rt(config-if)# tunnel protection ipsec profile profile_name

  • Spoke configuration

rt(config)# interface tunnel int_#
rt(config-if)# ip address ip_addr mask
rt(config-if)# ip mtu 1416
rt(config-if)# ip nhrp authentication key
rt(config-if)# ip nhrp map HUB_tunnel_IP HUB_public_IP
rt(config-if)# ip nhrp map multicast HUB_public_IP
rt(config-if)# ip nhrp nhs HUB_tunnel_IP
rt(config-if)# ip nhrp network-id id_#
rt(config-if)# ip nhrp holdtime seconds
rt(config-if)# tunnel source public_int_name
rt(config-if)# tunnel key key_#
rt(config-if)# tunnel mode gre multipoint
rt(config-if)# tunnel protection ipsec profile profile_name

  • Routing considerations
    • EIGRP: disable split horizon on the hub tunnel interface (no ip split-horizon eigrp as_#), otherwise the hub will not re-advertise one spoke's routes to the other spokes
    • EIGRP: no ip next-hop-self eigrp as_# on the hub, so spokes learn the originating spoke as next hop and can build spoke-to-spoke tunnels
    • EIGRP: eigrp stub connected on the spokes
    • OSPF: set the bandwidth parameter on the tunnel interface; it does not affect functionality but may help limit fragmentation and improve performance
    • OSPF: the hub needs the OSPF network type set to broadcast (ip ospf network broadcast)
