ADVANCED NETWORKING III

TUNNELING

Advanced Networking III | Luis Flor Gonza | luis.flor@inacapmail.cl


Section 1: VRF
1. Create a second link between R4 and R5 using network 10.220.54.0/24 on interface ETH0/0.54
2. Create the VRF named A and associate it with interface ETH0/0.54
3. Create the VRF named B and associate it with interface ETH0/0.45

R4

vrf definition B
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!

ip vrf A
!
interface Ethernet0/0.54
encapsulation dot1Q 54
ip vrf forwarding A
ip address 10.220.54.4 255.255.255.0
!
interface Ethernet0/0.45
encapsulation dot1Q 45
vrf forwarding B
ip address 10.220.45.4 255.255.255.0
ipv6 address 2850:10:220:45::4/64

R5

vrf definition B
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!

ip vrf A
!
interface Ethernet0/0.54
encapsulation dot1Q 54
ip vrf forwarding A
ip address 10.220.54.5 255.255.255.0
!
interface Ethernet0/0.45
encapsulation dot1Q 45
vrf forwarding B
ip address 10.220.45.5 255.255.255.0
ipv6 address 2850:10:220:45::5/64

CHECK
R4#sho ip route vrf A | be Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks


C 10.220.54.0/24 is directly connected, Ethernet0/0.54
L 10.220.54.4/32 is directly connected, Ethernet0/0.54

R4#sho ip route vrf B | be Gate


Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks


C 10.220.45.0/24 is directly connected, Ethernet0/0.45
L 10.220.45.4/32 is directly connected, Ethernet0/0.45

Section 2: GRE
1. Create a GRE connection between R4 and R7 using their physical interfaces as sources and destinations
2. Use the 1.1.1.0/24 segment as the tunnel addressing

R4

ip route 10.220.67.7 255.255.255.255 10.220.146.6


!
interface Tunnel0
ip address 1.1.1.4 255.255.255.0
tunnel source Ethernet0/0.146
tunnel destination 10.220.67.7

R7
ip route 10.220.146.4 255.255.255.255 10.220.67.6
!
interface Tunnel0
ip address 1.1.1.7 255.255.255.0
tunnel source Ethernet0/0.67
tunnel destination 10.220.146.4

CHECK
R4#ping 1.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

R4#show int tu 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 1.1.1.4/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 10.220.146.4 (Ethernet0/0.146), destination 10.220.67.7
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with Ethernet0/0.146
Set of tunnels with source Ethernet0/0.146, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:23, output 00:00:23, output hang never
Last clearing of "show interface" counters 00:17:01
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
10 packets input, 1240 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
10 packets output, 1240 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

Section 3: IPSEC
1. Build a site-to-site (S2S) VPN connection between R4 and R6 using "cisco" as the PSK
2. The encrypted traffic must be defined by the loopback interfaces of both devices
3. Use interface ETH0/0.146 as the interface associated with the tunnel
4. Use the necessary algorithms, considering that the SAs must last 1 hour

R4

ip route 10.220.1.6 255.255.255.255 10.220.146.6


!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key cisco address 10.220.146.6
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
ip access-list extended VPN-ACL
permit ip host 10.220.1.4 host 10.220.1.6
!
crypto map MAP 1 ipsec-isakmp
set peer 10.220.146.6
set transform-set TS
match address VPN-ACL
!
interface Ethernet0/0.146
crypto map MAP

R6

ip route 10.220.1.4 255.255.255.255 10.220.146.4


!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key cisco address 10.220.146.4
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
ip access-list extended VPN-ACL
permit ip host 10.220.1.6 host 10.220.1.4
!
crypto map MAP 1 ipsec-isakmp
set peer 10.220.146.4
set transform-set TS
match address VPN-ACL
!
interface Ethernet0/0.146
crypto map MAP

CHECK
R6#show crypto ipsec sa | i ident|pkts
local ident (addr/mask/prot/port): (10.220.1.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.220.1.4/255.255.255.255/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
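
Added example (not part of the original lab): a Python check that lints an IOS-style crypto configuration of the form used in this section. It flags legacy ISAKMP and transform-set algorithms, a short pre-shared key, and a crypto map whose `match address` names an ACL that is never defined. The weak-algorithm lists, the 16-character key minimum and the sample text are assumptions of this example.

```python
# Added example: lint an IOS-style crypto config (flattened or indented).
# Policy values below are assumptions of this example; tune them to your baseline.
WEAK_ISAKMP = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
POLICY_CMDS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}
MIN_PSK_LEN = 16  # assumed policy minimum, not a Cisco default

def audit_crypto_config(config):
    """Return a list of findings for one device's crypto configuration."""
    findings, acls, refs = [], set(), []
    in_policy = False
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if in_policy and w[0] in POLICY_CMDS:
            key = "encr" if w[0] == "encryption" else w[0]
            if len(w) > 1 and w[1] in WEAK_ISAKMP.get(key, ()):
                findings.append(f"weak ISAKMP {key}: {w[1]}")
            continue
        in_policy = w[:3] == ["crypto", "isakmp", "policy"]
        if w[:3] == ["crypto", "isakmp", "key"] and len(w) >= 6:
            # Assumed form: crypto isakmp key <key> address <peer>; the key is never echoed.
            if len(w[3]) < MIN_PSK_LEN:
                findings.append(f"short pre-shared key for peer {w[5]}")
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"weak transform in {w[3]}: {t}" for t in w[4:] if t in WEAK_TRANSFORMS]
        elif w[:2] == ["ip", "access-list"] and len(w) >= 4:
            acls.add(w[3])   # named ACL
        elif w[0] == "access-list" and len(w) >= 2:
            acls.add(w[1])   # numbered ACL
        elif w[:2] == ["match", "address"] and len(w) >= 3:
            refs.append(w[2])
    findings += [f"crypto map references undefined ACL: {r}" for r in refs if r not in acls]
    return findings

# Constructed sample in the flattened form used in this lab (ACL name mismatch is deliberate).
SAMPLE = """crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 10.220.146.6
crypto ipsec transform-set TS esp-3des esp-md5-hmac
ip access-list extended VPN-ACL
permit ip host 10.220.1.4 host 10.220.1.6
crypto map MAP 1 ipsec-isakmp
match address ACL-VPN
"""

if __name__ == "__main__":
    print("\n".join(audit_crypto_config(SAMPLE)))
```
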
