Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 5

January 26, 2023

10. DMVPN PHASE 3 MEGA

And here’s my lab that I put together. It took me a while, but I put it together, and as you can see right here we have the Kirk headquarters. This is a company that acquired three more companies, and the companies want to build hub-to-spoke communication and also spoke-to-spoke communication, that is, DMVPN tunnels. Since they want hub-to-spoke and spoke-to-spoke, we need to configure either DMVPN Phase 2 or Phase 3, but we are going to be configuring Phase 3 for this video. When we are done configuring all of that, from this PC we should be able to reach the Kirk website, this website right here.

From this PC we should be able to reach this website right here, and also this website over here, and this PC should be able to reach the headquarters website right here. The company name Kirk is one I just came up with; that’s going to be the name of the website that I’m using, or the company that we are configuring for. So let’s go ahead and start with this configuration. I like to start from the hub, and the hub is going to be Kirk HQ, so we are going to start from here. I have configured all the IP addresses for all the interfaces, and all the websites and all the computers have their IP addresses as well.

So let’s go ahead and start with this configuration. The first thing we need to do, since we are going to have an encrypted DMVPN, is the crypto: the hub-to-spoke tunnels are going to be encrypted, the spoke-to-spoke tunnels are going to be encrypted, and we are going to encrypt them using IKE version 1. Okay? So let’s start with the IKEv1 configuration. The first thing we need is a crypto isakmp policy, and we are just going to call this policy number 10. This policy needs to provide the authentication method, the encryption method, the hashing algorithm and the Diffie-Hellman group number.

So let’s go ahead and start with that. Authentication is going to be a pre-shared key. Encryption is going to be 3DES, and this needs to match on all the spoke routers; if they don’t match, we won’t be able to form that IPsec tunnel. So we did authentication and encryption; now we do the hashing algorithm, which is going to be MD5, and the Diffie-Hellman group number is going to be 2. After that is done, we need to go ahead and create a crypto isakmp key.

We do crypto isakmp key, and we’re going to call this key DMVPN key. The key is going to authenticate these IP addresses, and with the wildcard address that means we are going to authenticate any IP address. So we are going to be able to authenticate with this key with Kirk Two, Kirk Three and Kirk Four. Okay? That’s what any IP address means, and this is done. This is IKEv1 phase 1.

So now what we need to do is configure IKEv1 phase 2. In phase 2, we need to create a transform set. So let’s do crypto ipsec transform-set, and we’re going to call this transform set TSET. We need to provide the encryption that we’re going to be using, which is going to be AES 256; the hashing algorithm that provides data integrity is going to be SHA with HMAC, and the mode is going to be transport mode. After we do that, we need to create an IPsec profile: crypto ipsec profile, and we’re going to call this profile DMVPN profile.

And over here what we need to do is attach the transform set that we just created, which is called TSET. There it is. Give me just one second. All right, so we are done with IKEv1 phase 1 and phase 2. Since we’re going to be using the same configuration for Kirk Two, Kirk Three and Kirk Four, what I’m going to do is copy and paste this IKEv1 phase 1 and phase 2 configuration. We can do a show run | section crypto, and from here we’re going to be able to see everything we configured for phase 1 and phase 2. So we copy this configuration, go to Kirk Two and paste it over here, go to Kirk Three and paste it over here, go to Kirk Four and paste it over here. Now all the routers have IKEv1 phase 1 and phase 2 configured, and they all have the same parameters, as you can see, because I just copied and pasted it from Kirk HQ. So that’s good. After that is done, we need to start configuring the tunnel, the DMVPN tunnel that we are going to be using.

So let’s go ahead and start with that. We need to do interface Tunnel0. We need to provide an IP address, which is going to be 192.168.1.1 255.255.255.0. As you can see right here, the tunnel IP address for each one of them is the tunnel IP address right here, for this one, this one and this one. Okay? So press enter. Now let’s do ip nhrp network-id 10. Then we’re going to do no ip split-horizon eigrp 10. What the no ip split-horizon does: by default, EIGRP does split horizon, and that means that if we learn a route on this interface, we are not going to advertise it back out the same interface. So if we learn Kirk Two’s network, we’re not going to share it with the rest, but we want to share it, and therefore we need no ip split-horizon. Because if we learn this route from Kirk Two, we’re not going to share it with Kirk Three or Kirk Four, and if we learn this network from Kirk Four, we won’t share it with Kirk Three and Kirk Two, but we want to share it. That’s why you want to do no split horizon. Okay? After that is done, from the hub we need to do ip nhrp map multicast dynamic. What that means is that the multicast mappings we get are set dynamically as the spokes register; the multicast packets are the packets coming from EIGRP, all right?

So: ip nhrp map multicast dynamic, ip nhrp network-id, and we need to do the tunnel source, which is the Gigabit interface that has been configured. So we did no split horizon, multicast and network-id. Now we need to do ip nhrp redirect. What this does, since we’re using Phase 3: whenever a spoke sends those NHRP requests, the hub is going to redirect it to the other spoke so the spokes can create those spoke-to-spoke tunnels themselves. So the headquarters is not going to create those spoke-to-spoke tunnels for them like in DMVPN Phase 2; what it does is just send the spoke to the spoke that it wants to build the spoke-to-spoke tunnel with.

Okay, hopefully I explained that right. If I did not, just leave me a comment below and I can explain it a little better for you guys. Then we do tunnel mode gre multipoint. This means the tunnel over here is going to be multipoint, and it is multipoint because we are going to have multiple connections with this source IP, with the source interface right here, right? We’re going to build a hub-to-spoke with Kirk Two, Kirk Three and Kirk Four, and therefore it’s going to be a multipoint tunnel. All right? After that is done, we need to do tunnel protection ipsec profile and attach the profile we just created, which we named DMVPN profile. That attaches the IPsec configuration with the IKEv1 we just did. Now you can see ISAKMP is ON, and we can do a show ip nhrp. We don’t have any NHRP tunnels yet, so let’s configure the first spoke so we can see that. So let’s go into interface tunnel... actually, I forgot to do something, like I always do. Let’s do config t, router eigrp 10, and this autonomous system number needs to be the same as the one we configured right here.

no ip split-horizon eigrp 10, so that’s correct. no auto-summary. network: we need to configure a couple of networks, and one of the networks is going to be the tunnel network and the other is going to be my internal network. There we go. So we advertise that we have this network right here, and we advertise that this is our tunnel. That is done. Let’s go to Kirk Two and configure the IP address first, 192.168.1.2, that’s correct, /24. Let’s do ip nhrp network-id 10, then ip nhrp nhs. What we’re telling this router is which one is the next-hop server, and the next-hop server needs to be the hub IP address, the hub tunnel IP address, which is 192.168.1.1. Now we need to add the map: we tell it which one is the NBMA IP address, and the NBMA IP address is the IP address of the hub’s Gigabit interface. We are also going to add multicast, because it is going to be the multicast IP address as well. So we are telling it that the next hop is this one, the map to reach this tunnel is this NBMA IP address, and it is also multicast. Multicast means that whenever we create an EIGRP, OSPF or RIP packet, it’s going to send it to the hub, which is mapped to the next-hop server, this one right here. Okay, this is done.

Then we can do ip nhrp shortcut. This shortcut works with the ip nhrp redirect that we created on Kirk HQ. What it does is allow switching to a shorter path to a destination network after receiving an NHRP redirect message from the hub. This allows the routers to communicate directly with each other without the need to go through the hub. Okay? So what I’m telling it is: whenever we get that NHRP redirect message from the hub, I want to communicate directly with that router. So if I send a packet to 10.10.4.1, the hub knows that it’s not in its network, because its network is 10.10.1.0. If Kirk Two is trying to reach 10.10.4.1, what the hub is going to do is send that redirect message, and then Kirk Four and Kirk Two are going to communicate directly and form a spoke-to-spoke tunnel.

Okay? So that’s how it works. Now let’s do the tunnel source. Then tunnel mode gre multipoint, because we’re going to have a multipoint connection from Kirk Two: spoke-to-hub with the hub and spoke-to-spoke with the other routers. All right, so you can see the interface came up, and now I need to turn on the IPsec tunnel with IKE version 1. So we need to attach the profile so we can encrypt everything: tunnel protection ipsec profile, and we attach the profile that we created. ISAKMP is now ON, and if we go to Kirk HQ we will see it. Before we do that, let’s do router eigrp 10, no auto-summary.

We need to add the network of the tunnel and then our internal network, which is this one right here. Now we form an EIGRP adjacency. Now we can go to Kirk HQ, and if we do a show ip nhrp, you can see that we have created a tunnel. The tunnel that we created is coming from 192.168.1.2, which is the tunnel IP address, with Kirk Two’s NBMA address, and it is a dynamic tunnel. But if we go over here to Kirk Two and do show ip nhrp, we can see that the tunnel type is static. That means that we manually created this tunnel, and we did, because we mapped it: we set ip nhrp nhs with the NBMA address and we said multicast, and that means it is a static map. We did not do this from the headquarters, right? It just created it dynamically. Okay, so that is done. Let’s move on to Kirk Three: interface Tunnel0, ip address 192.168.1.3, ip nhrp network-id 10, ip nhrp nhs 192.168.1.1 with the hub’s NBMA address and multicast. Good. Then tunnel mode gre multipoint, then the tunnel source. Then ip nhrp shortcut.

So we did all of that: NHS, network-id, shortcut, source, mode. Okay? Now we need to turn on IPsec, and we do it like this: tunnel protection ipsec profile, and the profile. There it is. And now ISAKMP is ON. Let’s go into Kirk headquarters; if we do a show ip nhrp, you can see that now we have two tunnels and they were created dynamically. We can see 192.168.1.3, which is the Kirk Three that we just configured, created dynamically, with its NBMA IP address. Okay, good. Now let’s do router eigrp 10, no auto-summary, and add the networks, the tunnel first and then the 10.10.3.0 network. show ip nhrp, and we can see that we have a tunnel statically created to the hub, which is 192.168.1.1, with the hub’s NBMA IP address. So everything is working. Also, if you go over here and do a show ip eigrp neighbors, you see Kirk Two and Kirk Three via the tunnel interface, and since they are going via the tunnel interface, everything is going to be encrypted, right? Because we attached that profile there. Now let’s go to Kirk Four: interface Tunnel0, ip nhrp network-id 10, ip nhrp nhs with the NBMA address... that is good. You can see that the tunnel came up. Now we need to do tunnel protection ipsec profile and the profile.

We need to attach that profile here, and now ISAKMP is ON. If you go into Kirk headquarters, you can see that we have received a new tunnel. If we do a show ip nhrp, you can see that we have three now: Kirk Two, Kirk Three, and the last one to Kirk Four, and you can see that it was created dynamically as well. Now let’s do the EIGRP configuration: router eigrp 10, no auto-summary, network 192.168.1.0, network 10.10.4.0 with its wildcard mask. So that is good. Configuration is all done. You can see that we have a new neighbor: if you do show ip eigrp neighbors, you can see that we have three neighbors, Kirk Four, Kirk Three and Kirk Two. So now we have a connection and all is good. If you do show ip route eigrp, you can see now that we have access to 10.10.2.0, Kirk Two; 10.10.3.0, Kirk Three; and 10.10.4.0, Kirk Four, and these are via the tunnels; since they are via the tunnel, you can see right here, Tunnel0.
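As an added example that is not part of the original video or its lab, here is a small Python audit over a hub and a spoke configuration reconstructed from the commands walked through above. It checks the settings the Phase 3 design depends on (redirect on the hub, shortcut on the spoke, split horizon off, NHS and network-id agreement, tunnel protection on both ends, identical IKEv1 policy) and flags the legacy 3DES/MD5/DH group 2 choices. The key name DMVPNKEY, the profile name DMVPNPROFILE, the GigabitEthernet0/0 source and the 192.0.2.1 NBMA address are constructed stand-ins.

```python
# Constructed from the walkthrough; the crypto section is pasted onto every router.
CRYPTO = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key DMVPNKEY address 0.0.0.0
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPNPROFILE
 set transform-set TSET
"""
HUB = CRYPTO + """interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip split-horizon eigrp 10
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPNPROFILE
"""
# 192.0.2.1 stands in for the hub's NBMA (WAN) address, which the text leaves garbled.
SPOKE = CRYPTO + """interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp network-id 10
 ip nhrp nhs 192.168.1.1 nbma 192.0.2.1 multicast
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPNPROFILE
"""
WEAK = {"encr 3des": "3DES", "hash md5": "MD5", "group 2": "DH group 2"}

def block(config, header):
    """Return the stripped, indented lines that follow `header` in an IOS config."""
    lines = config.splitlines()
    if header not in lines:
        return []
    out = []
    for line in lines[lines.index(header) + 1:]:
        if not line.startswith(" "):
            break
        out.append(line.strip())
    return out

def field(lines, prefix, index):
    # Word `index` of the first line starting with `prefix`, or None if absent.
    return next((l.split()[index] for l in lines if l.startswith(prefix)), None)

def audit(hub, spoke):
    # Returns a list of findings; an empty list means the pair is consistent.
    f = []
    h, s = block(hub, "interface Tunnel0"), block(spoke, "interface Tunnel0")
    # Phase 3 spoke-to-spoke tunnels need redirect on the hub and shortcut on spokes.
    if "ip nhrp redirect" not in h:
        f.append("hub: missing 'ip nhrp redirect'")
    if "ip nhrp shortcut" not in s:
        f.append("spoke: missing 'ip nhrp shortcut'")
    # The hub must re-advertise spoke prefixes out the tunnel it learned them on.
    if not any(l.startswith("no ip split-horizon eigrp") for l in h):
        f.append("hub: EIGRP split horizon still enabled on Tunnel0")
    # The spoke's NHS must be the hub tunnel address and the network-ids must agree.
    if field(s, "ip nhrp nhs", 3) != field(h, "ip address", 2):
        f.append("spoke: NHS does not match the hub tunnel address")
    if field(h, "ip nhrp network-id", 3) != field(s, "ip nhrp network-id", 3):
        f.append("nhrp network-id differs between hub and spoke")
    # Without tunnel protection on both ends the mGRE traffic is cleartext.
    for side, lines in (("hub", h), ("spoke", s)):
        if not any(l.startswith("tunnel protection ipsec profile") for l in lines):
            f.append(f"{side}: Tunnel0 has no IPsec profile")
    # IKEv1 policies must match; the lab's 3DES/MD5/group 2 choices are legacy.
    hp, sp = block(hub, "crypto isakmp policy 10"), block(spoke, "crypto isakmp policy 10")
    if sorted(hp) != sorted(sp):
        f.append("isakmp policy 10 differs between hub and spoke")
    f += [f"weak IKEv1 setting: {name}" for line, name in WEAK.items() if line in hp]
    return f
```

Run `audit(HUB, SPOKE)` against the constructed pair and only the three legacy-algorithm findings come back; drop `ip nhrp shortcut` from the spoke and the Phase 3 finding appears as well.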

That means that every time we try to reach these networks it’s going to go via the tunnel, and since the tunnels are encrypted, everything is going to be encrypted. It’s going to provide data confidentiality, data integrity, anti-replay and all that good stuff, so nobody can just sniff your network and see what you are doing whenever you are trying to reach those networks, right? So we are done. To verify the IPsec configuration, and to verify ISAKMP, or IKEv1 phase 1, you can do a show crypto isakmp sa. This is for IKEv1 phase 1; you can see the destinations are all the hub and the sources are where they’re coming from: the one ending in .4.1 is Kirk Four, .3.1 is Kirk Three and .2.1 is Kirk Two. If you want to verify IKEv1 phase 2, you can do a show crypto ipsec sa, and you can see right here that we are sending traffic, because we are sending those hello packets from EIGRP and they are being encrypted.

Okay, you can see all that good stuff: 77 packets encapsulated, 69 decapsulated. You can see that this is coming from the remote identity; this is coming from .3.1, so this is Kirk Three. The other one that we just passed, if you want to take a look at it, has the remote identity ending in .4.1, which is that router’s, so it is coming from Kirk Four. Okay, so this is Kirk Three. If you keep going down, you can see the transform set it has, which is esp-aes 256 with esp-sha-hmac. You can see all that good stuff right here. If you want to see the last one, which is Kirk Two, you can see that it has a lot more encapsulated and decapsulated packets, and that’s because that was the first one that came up. We have sent 119 hello packets and received 116 hello packets from EIGRP. You can see the remote identity; that way you can see which one it is coming from. You can see the local crypto endpoint, which is the hub, and the remote crypto endpoint, which is Kirk Two. You can see the transform set configured, and all that good stuff over here. Okay, so that is done. And if you do show ip nhrp, you only have those.

Now let’s start from Kirk Two and do a traceroute. I want to reach 10.10.4.1. Before we do that, let’s do a show ip nhrp: we can see that we only have one tunnel created. But if we do a traceroute to 10.10.4.1, which is the IP address of Kirk Four, you can see that the first packet went through the hub and then it went straight through the tunnel. Remember, before we did the traceroute, before we sent that traffic, we only had one tunnel. But now, if we do show ip nhrp, you can see that a couple of tunnels have been created, dynamically created, as you can see. The ones that were set and made a connection with ourselves are the router unique local ones, this one right here, and this one is for Kirk Four: it was built dynamically, you can see the NBMA IP address and the tunnel IP address, it was created dynamically and it is router nhop rib. Now if we do another traceroute, it’s going to go straight to Kirk Four, and that’s because we have created a spoke-to-spoke tunnel. Since we created a spoke-to-spoke tunnel, we do not go to the hub and then to Kirk Four; after we created that tunnel right here, we go straight to Kirk Four. Okay, so now let’s go into PC Four... or the PC of the one we just did, Kirk Two.

So let’s go to the Kirk Two PC and go to the website of Kirk Four, which is this IP address. It says that we are unable to connect to 10.10.4.3; we are unable to reach that website. Let’s go ahead and see what’s going on. Let’s do ifconfig and ping. We do have that IP address right here. Are we able to ping 10.10.4.1? We are. Are we able to ping .3.1? We are. .2.1? We are. The PC on 10.10.2.0 we are not. So let’s see what’s going on with this PC; there’s something going on over here. Let’s do an ifconfig; it probably doesn’t have an IP address. ifconfig, yeah, we don’t see an IP address. So let’s configure an IP address: ifconfig on interface 0 with its 10.10.2.x address and the netmask, and then route add default gw, pointing at Kirk Two’s .1 address. There we go. Now we should be able to reach this website. There we go: we were able to reach the Welcome to Kirk Four website. Now I know you were probably wondering, now that it’s working, let’s close it, whether this is being encrypted. The way you can check that is from Kirk Four.

We can do a debug crypto engine packet, and if we reload the page, you can see that everything is being encrypted and decrypted. You can see right here: because I’m reloading this website I’m sending packets every time, and they are being encrypted and decrypted. You can do undebug all to stop the debugging; it’s still going to keep going for a moment because it keeps sending packets and all that good stuff, right? You can see it is working the way we wanted it, right? So we have a connection right here. That’s good. Oops. Let’s go back and open Kirk Two, and let’s try now to go to the Kirk One website, which is 10.10.1.3. There we go, and now you can see Welcome to Kirk headquarters website.

If you want to see if the packets are being encrypted and decrypted, you can do debug crypto engine packet and reload, and you can see that everything is being encrypted and decrypted over here, along with other traffic that’s coming through it. So it is working the way we wanted it. Okay, so as you can see right now, we have a connection between all of them, between Kirk Two, Kirk Three and Kirk Four. If you want to build more spoke-to-spoke tunnels, let’s go back to the one that we did, Kirk Two. Let’s do a show ip nhrp. You can see that we have a local... oh, not a local, these are the remote ones for 10.10.4.1 and the 10.10.4.0 network right here, Kirk Four. So we have created two for them. Now let’s do a traceroute, and we want to reach Kirk Three, right? 10.10.3.1. You can see the first one went through the hub, because we did not have that spoke-to-spoke communication with Kirk Three.

When I do a traceroute again, you can see that since we built the spoke-to-spoke communication, if you do show ip nhrp, you now see that we have two new tunnels: one is for 192.168.1.3, Kirk Three, and the other one is for 10.10.3.0, which is also Kirk Three. We also have one for 10.10.4.0, Kirk Four, and 192.168.1.4, which is Kirk Four. Right. So you can see that we are dynamically building tunnels, and in those DMVPN tunnels we are also encrypting all the data that’s going between Kirk Two, Kirk Three, Kirk Four and Kirk headquarters. I believe this is it for this video, guys. I hope.

