ISP Lab Tutorial 1

Start GNS3 and add 4 routers to lab with one in the middle. The middle router will represent the internet. Although it is just one router, we will configure ip schemes ondifferent subnets to represent different ISPs. Connect the other 3 routers to the ISProuter with a serial cable. Enter Emulation mode, start the routers. Verify interfaces.Configure the ISP router we just configure a small 30 bit subnet between ISP and each of the three routers.ISPR2R1R3S0/0S0/0S0/1S0/0S0/2S0/0

ISP Lab Tutorial 1

Configure interface s0/0 with an ip address of 12.34.56.1/30 and enable the interfacewith the no shut command.

Router# conf tRouter (config)# hostname ISPISP(config)# int s0/0ISP(config-if)# description ***Connection to R1***ISP(config-if)# ip address 12.34.56.1 255.255.255.252ISP(config-if)# no shutISP(config)# int s0/1ISP(config-if)# description ***Connection to R2***ISP(config-if)# ip address 23.45.67.1 255.255.255.252ISP(config-if)# no shutISP(config)# int s0/2ISP(config-if)# description ***Connection to R3***ISP(config-if)# ip address 34.56.78.1 255.255.255.252ISP(config-if)# no shut

ISP Lab Tutorial 2

In Part 1 of the Internet lab tutorial, we created a virtual internet using gns3. We builtthe infrastructure and configured a router to represent The Internet (ISP). This time,you will add switches and configure the internet routers at each customer site. ISPR2R1R3S0/0S0/0S0/1S0/0S0/2S0/0SWITCHSWITCHSWITCH

ISP Lab Tutorial 2

Router# conf tRouter(config)# hostname R1R1(config)# no logging consoleR1(config)# enable secret blindhogR1(config)# line vty 0 4R1(config-line)# password blindhogR1(config-line)# loginR1(config-line)# line vty 5 15R1(config-line)# password blindhogR1(config-line)# loginR1(config)# interface f1/0R1(config-if)# desc R1 LANR1(config-if)# ip address 192.168.1.1 255.255.255.0R1(config-if)# no shutR1(config)# interface s0/0R1(config-if)# description Internet ConnectionR1(config-if)# ip address 12.34.56.2 255.255.255.252R1(config-if)# no shutR1(config)# ip route 0.0.0.0 0.0.0.0 12.34.56.1R1# ping 12.34.56.1

ISP Lab Tutorial 2

Router# conf tRouter(config)# hostname R2R2(config)# no logging consoleR2(config)# enable secret blindhogR2(config)# line vty 0 4R2(config-line)# password blindhogR2(config-line)# loginR2(config-line)# line vty 5 15R2(config-line)# password blindhogR2(config-line)# loginR2(config)# interface f1/0R2(config-if)# desc R2 LANR2(config-if)# ip address 192.168.2.1 255.255.255.0R2(config-if)# no shutR2(config)# interface s0/0R2(config-if)# description Internet ConnectionR2(config-if)# ip address 23.45.67.2 255.255.255.252R2(config-if)# no shutR2(config)# ip route 0.0.0.0 0.0.0.0 23.45.67.1R2# ping 23.45.67.1R2# ping 12.34.56.2

ISP Lab Tutorial 2

Router# conf tRouter(config)# hostname R3R3(config)# no logging consoleR3(config)# enable secret blindhogR3(config)# line vty 0 4R3(config-line)# password blindhogR3(config-line)# loginR3(config-line)# line vty 5 15R3(config-line)# password blindhogR3(config-line)# loginR3(config)# interface f1/0R3(config-if)# desc R3 LANR3(config-if)# ip address 192.168.3.1 255.255.255.0R3(config-if)# no shutR3(config)# interface s0/0R3(config-if)# description Internet ConnectionR3(config-if)# ip address 34.56.78.2 255.255.255.252R3(config-if)# no shutR3(config)# ip route 0.0.0.0 0.0.0.0 34.56.78.1R3# ping 34.56.78.1R3# ping 12.34.56.2R3# ping 23.45.67.2

How to Configure a GRE / IPSec VPN

It is used when a customer needed to transmit IPX and mulitcast traffic over his VPN. Primarily used of GRE/IPSec tunnels for transmitting internal routing protocolover the internet. RIP, EIGRP or OSPF can be used over a GRE tunnel just as thought it were a point to point circuit. It is also very useful for multicast music on hold.

Configure R1: Setup GRE Infrastructure

Create a GRE Interface:

R1(config)# interface tunnel 0R1(config-if)# description GRE Tunnel to router R2R1(config-if)# ip address 192.168.200.1 255.255.255.0

Configure the Tunnel Source:

R1(config-if)# tunnel source 12.34.56.2

Configure the Tunnel Destination:

R1(config-if)# tunnel destination 23.45.67.2

How to Configure a GRE / IPSec VPN

Tunnel Interface to R3

R1(config)# interface tunnel 2R1(config-if)# description GRE Tunnel to router R3R1(config-if)# ip address 192.168.201.5 255.255.255.0R1(config-if)# tunnel source 12.34.56.2R1(config-if)# tunnel destination 34.56.78.2R1(config-if)# router eigrp 100R1(config-router)# no auto-summaryR1(config-router)# network 192.168.1.0R1(config-router)# network 192.168.200.0R1(config-router)# network 192.168.101.0

How to Configure a GRE / IPSec VPN

Configure R2

R2(config)# interface tunnel 0R2(config-if)# description GRE Tunnel to router R1R2(config-if)# ip address 192.168.200.2 255.255.255.0R2(config-if)# tunnel source 23.45.67.2R2(config-if)# tunnel destination 12.34.56.2R2(config-if)# router eigrp 100R2(config-router)# no auto-summaryR2(config-router)# network 192.168.2.0R2(config-router)# network 192.168.200.0R2# show ip route

R1# show ip route

R2# ping ip 192.168.1.1 source 192.168.2.1

How to Configure a GRE / IPSec VPN

Configure R3

R3(config)# interface tunnel 0R3(config-if)# description GRE Tunnel to router R1R3(config-if)# ip address 192.168.201.2 255.255.255.0R3(config-if)# tunnel source 34.56.78.2R3(config-if)# tunnel destination 12.34.56.2R3(config-if)# router eigrp 100R3(config-router)# no auto-summaryR3(config-router)# network 192.168.3.0R3(config-router)# network 192.168.201.0R3# show ip route

How to Configure a GRE / IPSec VPN

Configure R1 ISAKMP POLICY

R1(config)# crypto isakmp policyR1(config-isakmp)# authentication pre-shareR1(config-isakmp)# group 5R1(config-isakmp)# encryption aesR1(config-isakmp)# hash sha

PRE-SHARED Between the Branches

R1(config)# crypto isakmp key 0 blindhog address 23.45.67.2R1(config)# crypto isakmp key 0 blindhog address 34.56.78.2

IPSec Transform Set

R1(config)# crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

How to Configure a GRE / IPSec VPN

Configure ACL that Identify Traffic between R1 and R2

R1(config)# access-list 101 permit gre host 12.34.56.2 host 23.45.67.2R1(config)# access-list 102 permit gre host 12.34.56.2 host 34.56.78.2

Configure Crypto Map

R1(config)# crypto map vpn 10 ipsec-isakmp% Note: This new crypto map will remain disabled until a peer and a valid access listhave been configured.R1(config-crypto-map)# desc VPN from R1 to R2R1(config-crypto-map)# set peer 23.45.67.2R1(config-crypto-map)# set transfrom-set aes-shaR1(config-crypto-map)# match address 101R1(config)# crypto map vpn 11 ipsec-isakmp% Note: This new crypto map will remain disabled until a peer and a valid access listhave been configured.R1(config-crypto-map)# desc VPN from R1 to R3R1(config-crypto-map)# set peer 34.56.78.2R1(config-crypto-map)# set transfrom-set aes-shaR1(config-crypto-map)# match address 102

How to Configure a GRE / IPSec VPN

Apply Crypto Map to S0/0 Interface

R1(config)# interface s0/0R1(config-if)# crypto map vpnR1# term len 0

How to Configure a GRE / IPSec VPN

Configure R2 ISAKMP POLICY

R2(config)# crypto isakmp policyR2(config-isakmp)# authentication pre-shareR2(config-isakmp)# group 5R2(config-isakmp)# encryption aesR2(config-isakmp)# hash sha

PRE-SHARED Between the Branches

R2(config)# crypto isakmp key 0 blindhog address 12.34.56.2

IPSec Transform Set

R2(config)# crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

How to Configure a GRE / IPSec VPN

Configure ACL that Identify Traffic between R1 and R2

R2(config)# access-list 100 permit gre host 23.45.67.2 host 12.34.56.2

Configure Crypto Map

R2(config)# crypto map vpn 10 ipsec-isakmp% Note: This new crypto map will remain disabled until a peer and a valid access listhave been configured.R2(config-crypto-map)# desc VPN from R2 to R1R2(config-crypto-map)# set peer 12.34.56.2R2(config-crypto-map)# set transfrom-set aes-shaR2(config-crypto-map)# match address 100

Apply Crypto Map to S0/0 Interface

R2(config)# interface s0/0R2(config-if)# crypto map vpnR2# show crypto engine connect activeR2# show ip route

How to Configure a GRE / IPSec VPN

Configure R3 ISAKMP POLICY

R3(config)# crypto isakmp policyR3(config-isakmp)# authentication pre-shareR3(config-isakmp)# group 5R3(config-isakmp)# encryption aesR3(config-isakmp)# hash sha

PRE-SHARED Between the Branches

R3(config)# crypto isakmp key 0 blindhog address 12.34.56.2

IPSec Transform Set

R3(config)# crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

How to Configure a GRE / IPSec VPN

Configure ACL that Identify Traffic between R1 and R3

R3(config)# access-list 100 permit gre host 34.56.78.2 host 12.34.56.2

Configure Crypto Map

R3(config)# crypto map vpn 10 ipsec-isakmp% Note: This new crypto map will remain disabled until a peer and a valid access listhave been configured.R3(config-crypto-map)# desc VPN from R2 to R1R3(config-crypto-map)# set peer 12.34.56.2R3(config-crypto-map)# set transfrom-set aes-shaR3(config-crypto-map)# match address 100

Apply Crypto Map to S0/0 Interface

R3(config)# interface s0/0R3(config-if)# crypto map vpnR3# show crypto ipsec saR3# show crypto engine connect activeR3# show ip route

How to Configure a GRE / IPSec VPN

MTU Parameters

R1(config)# interface tunnel0R1(config-if)# ip mtu 1500%Warning: MTU set 1500 is greater than default 1476, fragments will happenR1(config-if)# ip tcp adjust-mss 1400R1(config-if)# keepalive 10 3R1(config)# interface tunnel1R1(config-if)# ip mtu 1500%Warning: MTU set 1500 is greater than default 1476, fragments will happenR1(config-if)# ip tcp adjust-mss 1400R1(config-if)# keepalive 10 3

How to Configure a GRE / IPSec VPN

MTU Parameters

R2(config)# interface tunnel0R2(config-if)# ip mtu 1500%Warning: MTU set 1500 is greater than default 1476, fragments will happenR2(config-if)# ip tcp adjust-mss 1400R2(config-if)# keepalive 10 3

R3(config)# interface tunnel0R3(config-if)# ip mtu 1500%Warning: MTU set 1500 is greater than default 1476, fragments will happenR3(config-if)# ip tcp adjust-mss 1400R3(config-if)# keepalive 10 3