https://wiki.ihitc.net/mediawiki/api.php?action=feedcontributions&feedformat=atom&user=MtsegaITCwiki - User contributions [en]2026-04-30T17:27:44ZUser contributionsMediaWiki 1.38.5https://wiki.ihitc.net/mediawiki/index.php?title=Franske_CNT-2311&diff=3932Franske CNT-23112010-12-18T04:49:17Z<p>Mtsega: /* Projects */</p>
<hr />
<div>This is the homepage for the CNT-2311 classes taught by Dr. Ben Franske.<br />
<br />
== General Course Information ==<br />
* [[Franske CNT-2311 Syllabus|Course Syllabus]]<br />
* [[Franske CNT-2311 FA10 Schedule|Fall 2010 Course Schedule]]<br />
* [[Franske CNT-2311 Labs|Lab List]]<br />
* [[Franske CNT Service Project Assignment|Service Project Assignment]]<br />
* [[Franske Lab Report Format|Lab Report Format]]<br />
<br />
== Projects ==<br />
<br />
* [[Dual Booting Ubuntu and Windows 7]]<br />
* [[GUID Partiton Table]]<br />
* [[Linux VLAN Trunking]]<br />
* [[Installing Webmin]]<br />
* [[Nat Masquerading and Firewall]]<br />
* [[Control Web Access With Squid]]<br />
* [[Installing MyBB Forum]]<br />
* [[openvpn]]<br />
* [[Zoneminder]]<br />
* [[Understanding Linux Permission Sets]]<br />
* [[Franske CNT-2311 SP10 Commands|Spring 2010 Commands by Session]]<br />
* [[Converting VMWare .vmdk To VirtualBox .vdi Using Qemu+ and VBoxManage]]<br />
* [[Linux command guide]]<br />
* [[Windows File Sharing and Printer Sharing with SAMBA]]<br />
* [[How to Setup NAT]]<br />
<br />
== Resources ==<br />
* [[Writing Moodle Questions]]<br />
=== Software ===<br />
* [http://www.virtualbox.org Virtualbox]<br />
** [[VirtualBox Startup Script]]<br />
=== Major Linux Distributions ===<br />
* [http://www.debian.org Debian]<br />
** [http://www.ubuntu.com Ubuntu]<br />
* [http://www.redhat.com Redhat Enterprise Linux (RHEL)]<br />
** [http://centos.org CentOS]<br />
** [http://fedoraproject.org Fedora]<br />
* [http://www.gentoo.org Gentoo]<br />
* [http://www.opensuse.org OpenSUSE (Novell)]<br />
=== Online Linux Tutuorials ===<br />
* [http://www.linux.org/lessons/beginner Beginning Linux from Linux.org]<br />
* [https://help.ubuntu.com/community/PostfixBasicSetupHowto Postfix Basic Setup]</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=User:Mtsega&diff=3931User:Mtsega2010-12-18T04:36:00Z<p>Mtsega: moved User:Mtsega to How to Setup NAT</p>
<hr />
<div>#REDIRECT [[How to Setup NAT]]</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Setup_NAT&diff=3930How to Setup NAT2010-12-18T04:36:00Z<p>Mtsega: moved User:Mtsega to How to Setup NAT</p>
<hr />
<div>== Introduction ==<br />
Network Address Translation (NAT) configuration with iptables firewall on Linux operating system. This system can act as gateway and provide Internet access to multiple hosts in Local Area Network (LAN) using a single public IP address.<br />
<br />
<br />
== Requirement ==<br />
<br />
*Two Network interface cards (NICs)<br />
*Iptables <br />
*Linux operating system <br />
<br />
<br />
== Network Configuration ==<br />
<br />
Edit configuration file /etc/network/interfaces using text editor like nano and add eth0 and eth1 configuration. <br />
<br />
*'''WAN interface (eth0 - connection to ISP)'''<br />
This is IP address, subnet mask, default gateway, and network address from your Internet Service Provider (ISP). If you get static IP address from your ISP follow step 1 and replace this addresses with your addresses otherwise go to step 2.<br />
<br />
*'''Step 1'''<br />
auto eth0<br />
iface eth0 inet static<br />
address 172.16.1.2<br />
netmask 255.255.255.0<br />
network 172.16.1.0 <br />
gateway 172.16.1.1<br />
<br />
*'''Step 2'''<br />
auto eth0<br />
iface eth0 inet dhcp <br />
<br />
*'''LAN interface (eth1 - LAN connection and default gateway for local hosts)''' <br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
network 192.168.1.0 <br />
<br />
*'''DNS setup'''<br />
Set up Domain Name System servers IP addresses by editing /etc/resolv.conf<br />
<br />
nameserver 172.16.2.254 (replace this with your Domain Name System servers IP addresses)<br />
<br />
<br />
== NAT configuration with iptables ==<br />
<br />
To delete existing rules from every iptables table, execute the following commands:<br />
iptables -F<br />
iptables -t nat -F<br />
iptables -t mangle -F<br />
<br />
*Enable NAT:<br />
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
iptables -A FORWARD -i eth1 -j ACCEPT<br />
<br />
<br />
== Enable IP Forwarding ==<br />
<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
<br />
== Local host configuration ==<br />
<br />
Configure LAN hosts to access Internet through the gateway.<br />
address 192.168.1.254<br />
netmask: 255.255.255.0<br />
dns 172.16.2.254<br />
network 192.168.1.0 <br />
gateway: 192.168.1.1</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Setup_NAT&diff=3929How to Setup NAT2010-12-18T04:24:06Z<p>Mtsega: </p>
<hr />
<div>== Introduction ==<br />
Network Address Translation (NAT) configuration with iptables firewall on Linux operating system. This system can act as gateway and provide Internet access to multiple hosts in Local Area Network (LAN) using a single public IP address.<br />
<br />
<br />
== Requirement ==<br />
<br />
*Two Network interface cards (NICs)<br />
*Iptables <br />
*Linux operating system <br />
<br />
<br />
== Network Configuration ==<br />
<br />
Edit configuration file /etc/network/interfaces using text editor like nano and add eth0 and eth1 configuration. <br />
<br />
*'''WAN interface (eth0 - connection to ISP)'''<br />
This is IP address, subnet mask, default gateway, and network address from your Internet Service Provider (ISP). If you get static IP address from your ISP follow step 1 and replace this addresses with your addresses otherwise go to step 2.<br />
<br />
*'''Step 1'''<br />
auto eth0<br />
iface eth0 inet static<br />
address 172.16.1.2<br />
netmask 255.255.255.0<br />
network 172.16.1.0 <br />
gateway 172.16.1.1<br />
<br />
*'''Step 2'''<br />
auto eth0<br />
iface eth0 inet dhcp <br />
<br />
*'''LAN interface (eth1 - LAN connection and default gateway for local hosts)''' <br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
network 192.168.1.0 <br />
<br />
*'''DNS setup'''<br />
Set up Domain Name System servers IP addresses by editing /etc/resolv.conf<br />
<br />
nameserver 172.16.2.254 (replace this with your Domain Name System servers IP addresses)<br />
<br />
<br />
== NAT configuration with iptables ==<br />
<br />
To delete existing rules from every iptables table, execute the following commands:<br />
iptables -F<br />
iptables -t nat -F<br />
iptables -t mangle -F<br />
<br />
*Enable NAT:<br />
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
iptables -A FORWARD -i eth1 -j ACCEPT<br />
<br />
<br />
== Enable IP Forwarding ==<br />
<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
<br />
== Local host configuration ==<br />
<br />
Configure LAN hosts to access Internet through the gateway.<br />
address 192.168.1.254<br />
netmask: 255.255.255.0<br />
dns 172.16.2.254<br />
network 192.168.1.0 <br />
gateway: 192.168.1.1</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Setup_NAT&diff=3928How to Setup NAT2010-12-18T04:22:17Z<p>Mtsega: </p>
<hr />
<div>== Introduction ==<br />
Network Address Translation (NAT) configuration with iptables firewall on Linux operating system. This system can act as gateway and provide Internet access to multiple hosts in Local Area Network (LAN) using a single public IP address.<br />
<br />
<br />
== Requirement ==<br />
<br />
*Two Network interface cards (NICs)<br />
*Iptables <br />
*Linux operating system <br />
<br />
<br />
== Network Configuration ==<br />
<br />
Edit configuration file /etc/network/interfaces using text editor like nano and add eth0 and eth1 configuration. <br />
<br />
*'''WAN interface (eth0 - connection to ISP)'''<br />
This is IP address, subnet mask, default gateway, and network address from your Internet Service Provider (ISP). If you get static IP address from your ISP follow step 1 and replace this addresses with your addresses otherwise go to step 2.<br />
<br />
*'''Step 1'''<br />
auto eth0<br />
iface eth0 inet static<br />
address 172.16.1.2<br />
netmask 255.255.255.0<br />
network 172.16.1.0 <br />
gateway 172.16.1.1<br />
<br />
*'''Step 2'''<br />
auto eth0<br />
iface eth0 inet dhcp <br />
<br />
*'''LAN interface (eth1 - LAN connection and default gateway for local hosts)''' <br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
network 192.168.1.0 <br />
<br />
*'''DNS setup'''<br />
Set up Domain Name System servers IP addresses by editing /etc/resolv.conf<br />
<br />
nameserver 172.16.2.254 (replace this with your Domain Name System servers IP addresses)<br />
<br />
<br />
== NAT configuration with iptables ==<br />
<br />
To delete existing rules from every iptables table, execute the following commands:<br />
iptables -F<br />
iptables -t nat -F<br />
iptables -t mangle -F<br />
<br />
*Enable NAT:<br />
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
iptables -A FORWARD -i eth1 -j ACCEPT<br />
<br />
<br />
== Enable IP Forwarding ==<br />
<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
<br />
== Local host configuration ==<br />
<br />
<br />
== Configure LAN hosts to access Internet through the gateway. ==<br />
address 192.168.1.254<br />
netmask: 255.255.255.0<br />
dns 172.16.2.254<br />
network 192.168.1.0 <br />
gateway: 192.168.1.1</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Setup_NAT&diff=3927How to Setup NAT2010-12-18T04:14:28Z<p>Mtsega: </p>
<hr />
<div><br />
== Introduction ==<br />
Network Address Translation (NAT) configuration with iptables firewall on Linux operating system. This system can act as gateway and provide Internet access to multiple hosts in Local Area Network (LAN) using a single public IP address.<br />
<br />
<br />
== Requirement ==<br />
<br />
Two Network interface cards (NICs)<br />
Iptables <br />
Linux operating system <br />
<br />
<br />
== Network Configuration ==<br />
<br />
Edit configuration file /etc/network/interfaces using text editor like nano and add eth0 and eth1 configuration. <br />
<br />
*'''WAN interface (eth0 - connection to ISP)'''<br />
This is IP address, subnet mask, default gateway, and network address from your Internet Service Provider (ISP). If you get static IP address from your ISP follow step 1 and replace this addresses with your addresses otherwise go to step 2.<br />
<br />
**'''Step 1'''<br />
auto eth0<br />
iface eth0 inet static<br />
address 172.16.1.2<br />
netmask 255.255.255.0<br />
network 172.16.1.0 <br />
gateway 172.16.1.1<br />
<br />
**'''Step 2'''<br />
auto eth0<br />
iface eth0 inet dhcp <br />
<br />
LAN interface (eth1 - LAN connection and default gateway for local hosts)<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
network 192.168.1.0 <br />
<br />
*'''DNS setup'''<br />
Set up Domain Name System servers IP addresses by editing /etc/resolv.conf<br />
<br />
nameserver 172.16.2.254 (replace this with your Domain Name System servers IP addresses)<br />
<br />
<br />
== NAT configuration with iptables ==<br />
<br />
To delete existing rules from every iptables table, execute the following commands:<br />
iptables -F<br />
iptables -t nat -F<br />
iptables -t mangle -F<br />
Enable NAT:<br />
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
iptables -A FORWARD -i eth1 -j ACCEPT<br />
<br />
<br />
== Enable IP Forwarding ==<br />
<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
<br />
== Local host configuration ==<br />
<br />
Configure LAN hosts to access Internet through a gateway:<br />
address 192.168.1.254<br />
netmask: 255.255.255.0<br />
dns 172.16.2.254<br />
network 192.168.1.0 <br />
gateway: 192.168.1.1</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=Franske_CNT-2540&diff=3856Franske CNT-25402010-12-13T15:33:18Z<p>Mtsega: </p>
<hr />
<div>This is the homepage for the CNT-2540: Accessing the WAN classes taught by Dr. Ben Franske.<br />
<br />
= General Course Information =<br />
* [[Franske CNT-2540 Syllabus|Course Syllabus]]<br />
* [[Franske CNT-2540 FA10 Schedule|Fall 2010 Course Schedule]]<br />
* [[Franske CNT-2540 Labs and Homework|Lab and Homework List]]<br />
* [[Franske CNT Service Project Assignment|Service Project Assignment]]<br />
* [[Franske Lab Report Format|Lab Report Format]]<br />
* Assessments and online curriculum available at [http://cisco.netacad.net http://cisco.netacad.net]<br />
<br />
= Projects =<br />
*[[Frame relay multipoint lab]]<br />
*[[How to configure SDM to secure a router]]<br />
*[[ISDN WAN Connections]]<br />
*[[IEEE 802.1x Port-Based Authentication]]<br />
*[[Password Recovery and Device Reset Procedures]]<br />
*[[How to Configure GRE VPN]]<br />
= Resources =<br />
== Certification ==<br />
* [[CCNA Voucher Information]]<br />
== General WAN Information ==<br />
* [http://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1915.html Cisco Guide to Troubleshooting Serial Line Problems]<br />
== WAN Protocols ==<br />
=== Frame Relay ===<br />
* [http://www.cisco.com/en/US/tech/tk713/tk237/tsd_technology_support_protocol_home.html Cisco Frame Relay Technology Pages]<br />
* [http://www.cisco.com/en/US/docs/internetworking/design/guide/nd2009.html Cisco Frame Relay Internetwork Design Guide]<br />
* [http://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1918.html Cisco Guide to Troubleshooting Frame Relay Connections]<br />
* [http://www.cisco.com/en/US/tech/tk713/tk237/technologies_tech_note09186a008014f8a7.shtml Cisco Comprehensive Guide to Configuring and Troubleshooting Frame Relay with configuration examples]<br />
<br />
== Subnetting ==<br />
* [http://www.learntosubnet.com LearnToSubnet.com] (Requires using Internet Explorer)</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3855How to Configure GRE VPN2010-12-13T15:21:50Z<p>Mtsega: /* Test and Verify VPN Connectivity */</p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
*Cable the network according the topology diagram.<br />
<br />
*Clear existing configurations on the routers.<br />
<br />
*Perform basic router configuration.<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
*'''Configure R1, R2 and ISP routers with IP addresses and masks.''' <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
*'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
*'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
*Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
*Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
*Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
*Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
*Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
*Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
*Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
*Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
*Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
*Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
*Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
*Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
*Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
inbound ah sas:<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
outbound ah sas:<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3854How to Configure GRE VPN2010-12-13T15:17:29Z<p>Mtsega: </p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
*Cable the network according the topology diagram.<br />
<br />
*Clear existing configurations on the routers.<br />
<br />
*Perform basic router configuration.<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
*'''Configure R1, R2 and ISP routers with IP addresses and masks.''' <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
*'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
*'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
*Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
*Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
*Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
*Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
*Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
*Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
*Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
*Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
*Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
*Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
*Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
*Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
*Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
inbound ah sas:<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
outbound ah sas:<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3853How to Configure GRE VPN2010-12-13T15:07:18Z<p>Mtsega: /* Configure Router and GRE Tunnel Interfaces */</p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
*Cable the network according the topology diagram.<br />
<br />
*Clear existing configurations on the routers.<br />
<br />
*Perform basic router configuration.<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
*'''Configure R1, R2 and ISP routers with IP addresses and masks.''' <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
*'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
*'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3852How to Configure GRE VPN2010-12-13T15:05:15Z<p>Mtsega: /* Prepare the Network and Basic Configurations */</p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
*Cable the network according the topology diagram.<br />
<br />
*Clear existing configurations on the routers.<br />
<br />
*Perform basic router configuration.<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
Configure R1, R2 and ISP routers with IP addresses and masks. <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3851How to Configure GRE VPN2010-12-13T15:04:08Z<p>Mtsega: /* Prepare the Network and Basic Configurations */</p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
*[Cable the network according the topology diagram.]<br />
<br />
*[Clear existing configurations on the routers.]<br />
<br />
*[Perform basic router configuration.]<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
Configure R1, R2 and ISP routers with IP addresses and masks. <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3850How to Configure GRE VPN2010-12-13T15:03:00Z<p>Mtsega: /* Prepare the Network and Basic Configurations */</p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
*[[Cable the network according the topology diagram.]]<br />
<br />
*[[Clear existing configurations on the routers.]]<br />
<br />
*[[Perform basic router configuration.]]<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
Configure R1, R2 and ISP routers with IP addresses and masks. <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3849How to Configure GRE VPN2010-12-13T08:57:09Z<p>Mtsega: </p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
Cable the network according the topology diagram.<br />
<br />
Clear existing configurations on the routers.<br />
<br />
Perform basic router configuration.<br />
<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
Configure R1, R2 and ISP routers with IP addresses and masks. <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Setup_NAT&diff=3848How to Setup NAT2010-12-13T08:55:21Z<p>Mtsega: moved User:Mtsega to How to Configure GRE VPN</p>
<hr />
<div>#REDIRECT [[How to Configure GRE VPN]]</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3847How to Configure GRE VPN2010-12-13T08:55:21Z<p>Mtsega: moved User:Mtsega to How to Configure GRE VPN</p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
Cable the network according the topology diagram.<br />
Clear existing configurations on the routers.<br />
Perform basic router configuration.<br />
<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
Configure R1, R2 and ISP routers with IP addresses and masks. <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3846How to Configure GRE VPN2010-12-13T08:53:42Z<p>Mtsega: </p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
Cable the network according the topology diagram.<br />
Clear existing configurations on the routers.<br />
Perform basic router configuration.<br />
<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
Configure R1, R2 and ISP routers with IP addresses and masks. <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3845How to Configure GRE VPN2010-12-13T08:49:13Z<p>Mtsega: </p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
Cable the network according the topology diagram.<br />
Clear existing configurations on the routers.<br />
Perform basic router configuration.<br />
<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
Configure R1, R2 and ISP routers with IP addresses and masks. <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
<br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3844How to Configure GRE VPN2010-12-13T08:34:56Z<p>Mtsega: </p>
<hr />
<div>[[File:Cnt2540.png]]<br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
Cable the network according the topology diagram.<br />
Clear existing configurations on the routers.<br />
Perform basic router configuration.<br />
<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
Configure R1, R2 and ISP routers with IP addresses and masks. <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=File:Cnt2540.png&diff=3843File:Cnt2540.png2010-12-13T08:32:22Z<p>Mtsega: </p>
<hr />
<div></div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Configure_GRE_VPN&diff=3842How to Configure GRE VPN2010-12-13T08:17:13Z<p>Mtsega: Created page with ' == '''Introduction''' == This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP t…'</p>
<hr />
<div><br />
== '''Introduction''' ==<br />
This network create a VPN tunnel between R1 and R2 using GRE tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols can be used over a GRE tunnel just as though it were a point to point circuit. <br />
<br />
<br />
==''' Prepare the Network and Basic Configurations''' ==<br />
<br />
Cable the network according the topology diagram.<br />
Clear existing configurations on the routers.<br />
Perform basic router configuration.<br />
<br />
<br />
== '''Configure Router and GRE Tunnel Interfaces ''' ==<br />
<br />
Configure R1, R2 and ISP routers with IP addresses and masks. <br />
<br />
R1#configure terminal<br />
R1(config)#interface f0/0<br />
R1(config-if)#ip address 192.168.10.1 255.255.255.0<br />
R1(config-if)#no shut<br />
R1(config-if)#<br />
<br />
R1(config)#interface s0/0/0<br />
R1(config-if)#ip address 10.2.2.2 255.255.255.252<br />
R1(config-if)#no shutdown<br />
R1(config-if)#<br />
<br />
R2#configure terminal<br />
R2(config)#int s0/0/1<br />
R2(config-if)#ip address 10.1.1.2 255.255.255.252<br />
R2(config-if)#no shut<br />
R2(config-if)#<br />
<br />
R2(config-if)#int f0/0<br />
R2(config-if)#ip address 192.168.20.1 255.255.255.0<br />
R2(config-if)#no shut<br />
R2(config-if)#end<br />
R2#<br />
<br />
ISP#configure terminal<br />
ISP(config)#interface s0/0/0<br />
ISP(config-if)#ip address 10.2.2.1 255.255.255.252<br />
ISP(config-if)#no shutdown<br />
ISP(config-if)#<br />
<br />
ISP(config-if)#inte s0/0/1<br />
ISP(config-if)#ip address 10.1.1.1 255.255.255.252<br />
ISP(config-if)#no shut<br />
ISP(config-if)#end<br />
ISP#<br />
<br />
'''Configure PC1 and PC2 with IP address and default gateway'''.<br />
<br />
<br />
'''Configure GRE Tunnel interface on R1 and R2'''<br />
<br />
R1(config)#interface tunnel 0<br />
R1(config-if)#description GRE-Tunnel to R2<br />
R1(config-if)#ip address 192.168.1.1 255.255.255.252<br />
<br />
<br />
R1(config-if)#tunnel source 10.2.2.2<br />
R1(config-if)#tunnel destination 10.1.1.2<br />
R1(config-if)#end<br />
Tunnel source is R1’s serial 0/0/0 interface and tunnel destination is R2’s serial 0/0/1 interface.<br />
<br />
R2(config)#interface tunnel 0<br />
R2(config-if)#description GRE-Tunnel to R1<br />
R2(config-if)#ip address 192.168.1.2 255.255.255.252<br />
<br />
R2(config-if)#tunnel source 10.1.1.2<br />
R2(config-if)#tunnel destination 10.2.2.2<br />
R2(config-if)#end<br />
Tunnel source is R2’s serial 0/0/1 interface and tunnel destination is R1’s serial 0/0/0 interface.<br />
<br />
<br />
== '''Enable EIGRP with process ID 1 on R1 and R2''' ==<br />
<br />
Advertise the LAN interface Fa0/0 and the tunnel interfaces on both R1 and R2. Do not advertise to ISP router. <br />
R1(config)#router eigrp 1<br />
R1(config-router)#no auto-summary<br />
R1(config-router)#network 192.168.1.0 0.0.0.3<br />
R1(config-router)#network 192.168.10.0 0.0.0.255<br />
R1(config-router)#end<br />
<br />
<br />
R2#conf ter<br />
R2(config)#router eigrp 1<br />
R2(config-router)#no auto-summary<br />
R2(config-router)#network 192.168.20.0<br />
R2(config-router)#network 192.168.1.0 0.0.0.3<br />
R2(config-router)#end<br />
<br />
Apply default route on R1 and R2<br />
<br />
R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
<br />
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0<br />
Before you configure authentication and encryption test that the network is working as planned. So that you will know what to troubleshoot incase you encounter a problem at the end and It is easier to troubleshootin before you apply authentication and encryption.<br />
<br />
Check the interfaces on R1, R2, and ISP routers using show ip interface brief command.<br />
<br />
R2#show ip int brief<br />
<br />
Interface IP-Address OK? Method Status Protocol<br />
FastEthernet0/0 192.168.20.1 YES manual up up<br />
FastEthernet0/1 unassigned YES unset administratively down down<br />
Serial0/0/0 unassigned YES unset administratively down down<br />
Serial0/0/1 10.1.1.2 YES manual up up<br />
Tunnel0 192.168.1.2 YES manual up up<br />
<br />
<br />
<br />
Use show ip route command to check the routing table on R1 and R2.<br />
<br />
R1#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.2.2.1 to network 0.0.0.0<br />
<br />
C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />
D 192.168.20.0/24 [90/26882560] via 192.168.1.2, 00:01:33, Tunnel0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.2.2.0 is directly connected, Serial0/0/0<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.2.2.1<br />
<br />
Test connectivity using ping command between PC1 and PC2 or use extended ping from R1 LAN interface Fa0/0 to R2 LAN interface and vice-versa.<br />
<br />
R2#ping ip<br />
Target IP address: 192.168.10.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.20.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.20.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
== '''IPsec Encryption and Authentication''' ==<br />
<br />
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.<br />
<br />
R1(config)#crypto isakmp policy 1<br />
R1(config-isakmp)#authentication pre-share<br />
R1(config-isakmp)#group 5<br />
R1(config-isakmp)#encryption aes<br />
R1(config-isakmp)#hash sha<br />
R1(config-isakmp)#exit<br />
<br />
R1(config)#crypto isakmp key 0 blindhog address 10.1.1.2<br />
<br />
R1(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
<br />
Extended access control list that permit ip only from R2 serial 0/0/1 to R1 serial 0/0/0 interface.<br />
R1(config)#access-list 101 permit GRE host 10.2.2.2 host 10.1.1.2<br />
<br />
Configure the crypto map on R1<br />
<br />
R1(config)#crypto map vpn 11 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R1(config-crypto-map)#description VPN from R1 to R2<br />
<br />
R1(config-crypto-map)#set peer 10.1.1.2<br />
<br />
R1(config-crypto-map)#set transform-set aes-sha<br />
R1(config-crypto-map)#match add 101<br />
R1(config-crypto-map)#exit<br />
<br />
R1(config)#int s0/0/0<br />
R1(config-if)#crypto map vpn<br />
R1(config-if)#end<br />
R1#<br />
<br />
<br />
R2(config)#crypto isakmp policy 1<br />
R2(config-isakmp)#authentication pre-sha<br />
R2(config-isakmp)#group 5<br />
R2(config-isakmp)#encryption aes<br />
R2(config-isakmp)#hash sha<br />
R2(config-isakmp)#exit<br />
<br />
R2(config)#crypto isakmp key 0 blindhog address 10.2.2.2<br />
<br />
R2(config)#crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac<br />
R2(cfg-crypto-trans)#exit<br />
<br />
Extended access control list that permit ip only from R1 serial 0/0/0 to R2 serial 0/0/1 interface. <br />
R2(config)#access-list 102 permit GRE host 10.1.1.2 host 10.2.2.2<br />
<br />
<br />
Configure the crypto map on R2<br />
<br />
R2(config)#crypto map vpn 12 ipsec-isakmp<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
<br />
R2(config-crypto-map)#description VPN from R2 to R1<br />
<br />
R2(config-crypto-map)#set peer 10.2.2.2<br />
<br />
R2(config-crypto-map)#set transform-set aes-sha<br />
R2(config-crypto-map)#match add 102<br />
R2(config-crypto-map)#exit<br />
<br />
R2(config)#int s0/0/1<br />
R2(config-if)#crypto map vpn<br />
<br />
R2(config-if)#end<br />
<br />
<br />
<br />
== '''Test and Verify VPN Connectivity''' ==<br />
<br />
<br />
Use show ip route command on R1 to check that a route exist to 192.168.20.0/24 network through the tunnel interface. Do the same on R2 to verify that a route exist to 192.168.10.0/24 network through the tunnel interface.<br />
<br />
R2#show ip route<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
<br />
Gateway of last resort is 10.1.1.1 to network 0.0.0.0<br />
<br />
D 192.168.10.0/24 [90/26882560] via 192.168.1.1, 00:13:17, Tunnel0<br />
C 192.168.20.0/24 is directly connected, FastEthernet0/0<br />
10.0.0.0/30 is subnetted, 1 subnets<br />
C 10.1.1.0 is directly connected, Serial0/0/1<br />
192.168.1.0/30 is subnetted, 1 subnets<br />
C 192.168.1.0 is directly connected, Tunnel0<br />
S* 0.0.0.0/0 [1/0] via 10.1.1.1<br />
<br />
Use ping or extended ping command to test connectivity between 192.168.10.0/24 and 192.168.20.0/24 network.<br />
<br />
R1#ping ip<br />
Target IP address: 192.168.20.1<br />
Repeat count [5]:<br />
Datagram size [100]:<br />
Timeout in seconds [2]:<br />
Extended commands [n]: y<br />
Source address or interface: 192.168.10.1<br />
Type of service [0]:<br />
Set DF bit in IP header? [no]:<br />
Validate reply data? [no]:<br />
Data pattern [0xABCD]:<br />
Loose, Strict, Record, Timestamp, Verbose[none]:<br />
Sweep range of sizes [n]:<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.10.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms<br />
<br />
<br />
<br />
<br />
<br />
<br />
Use show crypto engine connections active, show crypto map and show crypto ipsec sa command s to verify connection.<br />
R2#show crypto engine connections active<br />
Crypto Engine Connections<br />
ID Type Algorithm Encrypt Decrypt IP-Address<br />
1 IPsec AES+SHA 0 81 10.1.1.2<br />
2 IPsec AES+SHA 82 0 10.1.1.2<br />
2001 IKE SHA+AES 0 0 10.1.1.2<br />
<br />
<br />
R2# show crypto map<br />
Crypto Map "vpn" 12 ipsec-isakmp<br />
Description: VPN from R2 to R1<br />
Peer = 10.2.2.2<br />
Extended IP access list 102<br />
access-list 102 permit gre host 10.1.1.2 host 10.2.2.2<br />
Current peer: 10.2.2.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
Responder-Only (Y/N): N<br />
PFS (Y/N): N<br />
Transform sets={<br />
aes-sha: { esp-aes esp-sha-hmac } ,<br />
}<br />
Interfaces using crypto map vpn:<br />
Serial0/0/1<br />
<br />
<br />
R2#show crypto ipsec sa<br />
<br />
interface: Serial0/0/1<br />
Crypto map tag: vpn, local addr 10.1.1.2<br />
<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)<br />
remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)<br />
current_peer 10.2.2.2 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 304, #pkts encrypt: 304, #pkts digest: 304<br />
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 168, #recv errors 0<br />
<br />
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.2.2.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1<br />
current outbound spi: 0x192C42F5(422331125)<br />
PFS (Y/N): N, DH group: none<br />
<br />
inbound esp sas:<br />
spi: 0xF0333FAE(4029890478)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: AIM-VPN/SSL-1:1, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473306/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
inbound ah sas:<br />
<br />
inbound pcp sas:<br />
<br />
outbound esp sas:<br />
spi: 0x192C42F5(422331125)<br />
transform: esp-aes esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: AIM-VPN/SSL-1:2, sibling_flags 80000046, crypto map: v<br />
sa timing: remaining key lifetime (k/sec): (4473305/2869)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
<br />
outbound ah sas:<br />
<br />
outbound pcp sas:</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=Franske_CNT-2520&diff=3441Franske CNT-25202010-10-17T04:39:42Z<p>Mtsega: /* Projects */</p>
<hr />
<div>This is the homepage for the CNT-2520 classes taught by Dr. Ben Franske.<br />
<br />
== General Course Information ==<br />
* [http://spreadsheets.google.com/viewform?formkey=dG5TdVF2c0hiU19jSGNvX2xtbXFfZ2c6MA First Day Sign-In]<br />
* [[Franske CNT-2520 SP10 Syllabus|Spring 2010 Course Syllabus]]<br />
* [[Franske CNT-2520 SP10 Schedule|Spring 2010 Course Schedule]]<br />
* [[Franske CNT-2520 Labs|Lab List]]<br />
* [[Franske CNT-2520 Lab Point Sheet|Lab/Homework Point Sheet]]<br />
* [[Franske CNT-2520 Homework|Homework Assignments]]<br />
* [[Franske CNT Service Project Assignment|Service Project Assignment]]<br />
* [[Franske Lab Report Format|Lab Report Format]]<br />
* Assessments and online curriculum available at [http://cisco.netacad.net http://cisco.netacad.net]<br />
<br />
== Projects ==<br />
* [[Xmodem Console IOS Download Procedure using ROMMON]]<br />
* [[Vyatta]]<br />
* [[Chapter Command List (chapters 1.5.1-11.6.3)]]<br />
* [[VMWare Setup|Instructions for creating VMWare machines from the CNT template]]<br />
* [[Securing Router Logins with SSH]]<br />
* [[Password Recovery Instructions]]<br />
* [[Third Party Firmware]]<br />
<br />
== Resources ==<br />
=== Subnetting ===<br />
* [http://www.learntosubnet.com LearnToSubnet.com] (Requires using Internet Explorer)<br />
<br />
== Old Course Information ==<br />
=== Fall 2009 ===<br />
* [[Franske CNT-2520 FA09 Syllabus|Fall 2009 Course Syllabus]]<br />
* [[Franske CNT-2520 FA09 Schedule|Fall 2009 Course Schedule]]</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=Franske_CNT-2530&diff=3440Franske CNT-25302010-10-17T04:36:55Z<p>Mtsega: /* Projects */</p>
<hr />
<div>This is the homepage for the CNT-2530: Switching Fundamentals and Intermediate Routing classes taught by Dr. Ben Franske.<br />
<br />
== General Course Information ==<br />
* [[Franske CNT-2530 Syllabus|Course Syllabus]]<br />
* [[Franske CNT-2530 FA10 Schedule|Fall 2010 Course Schedule]]<br />
* [[Franske CNT-2530 Labs|Lab List]]<br />
* [[Franske CNT-2530 Lab Point Sheet|Lab Point Sheet]]<br />
* [[Franske CNT Service Project Assignment|Service Project Assignment]]<br />
* [[Franske Lab Report Format|Lab Report Format]]<br />
* Assessments and online curriculum available at [http://cisco.netacad.net http://cisco.netacad.net]<br />
<br />
== Projects ==<br />
*[[Cacti]]<br />
*[[How to Setup Security on a Home Wireless Router]]<br />
*[[Cisco Wireless Access Points]]<br />
*[[Network Access Control]]<br />
*[[Lab Report Example]]<br />
*[[How to Clear Switch Configuration]]<br />
<br />
== Resources ==<br />
=== Subnetting ===<br />
* [http://www.learntosubnet.com LearnToSubnet.com] (Requires using Internet Explorer)<br />
=== Multilayer Switching ===<br />
* [http://www.zurich.ibm.com/pdf/AnritsuGlossary.pdf "Must Have Reference On Multi-Layer Switching", Anritsu Corp.]<br />
* [http://www.pulsewan.com/data101/pdfs/layer3_switching.pdf Layer-3 Switching: An Introduction by Robert Ciampa]<br />
* [http://www.routeralley.com/ra/docs/multilayer_switching.pdf MultiLayer Switching v1.11 by Aaron Balchunas]<br />
* [http://www.cisco.com/application/pdf/paws/41860/howto_L3_intervlanrouting.pdf How To Configure InterVLAN Routing on Layer 3 Switches]<br />
* [http://faculty.ccri.edu/tonyrashid/Files/CCNP/Layer3Switching.pdf Layer 3 Switching Demystified]<br />
=== Enterprise Wireless ===<br />
* [http://www.ecsl.cs.sunysb.edu/tr/TR166.pdf Coverage and Capacity Issues in Enterprise Wireless LAN Deployment, Raniwala, A. and Chiueh, T.]<br />
* [http://www.cisco.com/en/US/prod/collateral/wireless/ps5755/ps6301/ps6305/product_data_sheet0900aecd802570d0.html Cisco Wireless Control System (WCS)]<br />
* [http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_white_paper0900aecd8040f7b2_ps6108_Products_White_Paper.html The Benefits of Centralization in Wireless LANs]<br />
* [http://www.danielmkrueger.com/Docs/The%20Lightweight%20Access%20Point%20Protocol.pdf The Light Weight Access Point Protocol, Krueger, D.]<br />
* [http://www.conticomp.com/PDF/LWAPP_td.pdf Understanding the Lightweight Access Point Protocol (LWAPP)]<br />
* [http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00807112e2.shtml Wireless LAN Controller Module (WLCM) Configuration Examples]</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3439How to Clear Switch Configuration2010-10-17T04:27:25Z<p>Mtsega: </p>
<hr />
<div>To clear switch configuration you need access to the Cisco Catalyst Switch console through either a physical console or a Telnet connection.<br />
<br />
== Clear switch configuration ==<br />
<br />
Issue the erase starting-config command in Privileged EXEC mode.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration is cleared except the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM).<br />
<br />
== Verify the VLAN information Before deletion ==<br />
<br />
Issue the show vlan brief command in Privileged EXEC mode.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Switch#<br />
<br />
<br />
== Delete the VLAN information from Flash ==<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
Switch# <br />
<br />
At the prompt press Enter.<br />
<br />
<br />
== Reload the switch ==<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
----<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<output omitted><br />
Would you like to terminate autoinstall? [yes]: y<br />
--- System Configuration Dialog ---<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
----<br />
<br />
== After reload check the vlan information ==<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3438How to Clear Switch Configuration2010-10-17T04:17:37Z<p>Mtsega: </p>
<hr />
<div><br />
To clear switch configuration you need access to the Cisco Catalyst Switch console through either a physical console or a Telnet connection.<br />
<br />
== Clear switch configuration ==<br />
<br />
Issue the erase starting-config command in Privileged EXEC mode.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration is cleared except the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM).<br />
<br />
== Verify the VLAN information Before deletion ==<br />
<br />
Issue the show vlan brief command in Privileged EXEC mode.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Switch#<br />
<br />
<br />
== Delete the VLAN information from Flash ==<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
Switch# <br />
<br />
<br />
<br />
== Reload the switch ==<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
----<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<output omitted><br />
Would you like to terminate autoinstall? [yes]: y<br />
--- System Configuration Dialog ---<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
----<br />
<br />
== After reload check the vlan information ==<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3437How to Clear Switch Configuration2010-10-16T19:10:48Z<p>Mtsega: </p>
<hr />
<div>== Clear switch configuration ==<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration is cleared except the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM).<br />
<br />
== Verify the VLAN information ==<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Switch#<br />
<br />
<br />
== Delete the VLAN information from Flash ==<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
Switch# <br />
<br />
<br />
<br />
== Reload the switch ==<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
----<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<output omitted><br />
Would you like to terminate autoinstall? [yes]: y<br />
--- System Configuration Dialog ---<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
----<br />
<br />
== After reload check the vlan information ==<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3436How to Clear Switch Configuration2010-10-16T17:28:02Z<p>Mtsega: /* To clear switch configuration */</p>
<hr />
<div>== To clear switch configuration ==<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration is cleared except the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM).<br />
<br />
== To verify the VLAN information ==<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Switch#<br />
<br />
<br />
== Delete the VLAN information from Flash ==<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
Switch# <br />
<br />
<br />
<br />
== Reload the switch ==<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
----<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<output omitted><br />
Would you like to terminate autoinstall? [yes]: y<br />
--- System Configuration Dialog ---<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
----<br />
<br />
== After reload check the vlan information ==<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3435How to Clear Switch Configuration2010-10-16T17:23:52Z<p>Mtsega: /* Reload the switch */</p>
<hr />
<div>== To clear switch configuration ==<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
== To verify the VLAN information ==<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Switch#<br />
<br />
<br />
== Delete the VLAN information from Flash ==<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
Switch# <br />
<br />
<br />
<br />
== Reload the switch ==<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
----<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<output omitted><br />
Would you like to terminate autoinstall? [yes]: y<br />
--- System Configuration Dialog ---<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
----<br />
<br />
== After reload check the vlan information ==<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3434How to Clear Switch Configuration2010-10-16T17:22:49Z<p>Mtsega: /* Reload the switch */</p>
<hr />
<div>== To clear switch configuration ==<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
== To verify the VLAN information ==<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Switch#<br />
<br />
<br />
== Delete the VLAN information from Flash ==<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
Switch# <br />
<br />
<br />
<br />
== Reload the switch ==<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
----<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<output omitted><br />
<br />
Would you like to terminate autoinstall? [yes]: y<br />
<br />
--- System Configuration Dialog ---<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
----<br />
<br />
== After reload check the vlan information ==<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3433How to Clear Switch Configuration2010-10-16T17:21:11Z<p>Mtsega: </p>
<hr />
<div>== To clear switch configuration ==<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
== To verify the VLAN information ==<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Switch#<br />
<br />
<br />
== Delete the VLAN information from Flash ==<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
Switch# <br />
<br />
<br />
== Reload the switch ==<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<output omitted><br />
<br />
Would you like to terminate autoinstall? [yes]: y<br />
<br />
--- System Configuration Dialog ---<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
<br />
== After reload check the vlan information ==<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3432How to Clear Switch Configuration2010-10-16T17:17:30Z<p>Mtsega: </p>
<hr />
<div><br />
== To clear switch configuration ==<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
<br />
<br />
== To verify the VLAN information ==<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Switch#<br />
<br />
<br />
== Delete the VLAN information from Flash ==<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
<br />
Switch# <br />
<br />
<br />
== Reload the switch ==<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<br />
<br />
<output omitted><br />
<br />
<br />
Would you like to terminate autoinstall? [yes]: y<br />
<br />
<br />
--- System Configuration Dialog ---<br />
<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
<br />
<br />
<br />
== After reload check the vlan information ==<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3431How to Clear Switch Configuration2010-10-16T04:26:29Z<p>Mtsega: </p>
<hr />
<div>'''To clear switch configuration'''<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
<br />
'''To verify the VLAN information'''<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Switch#<br />
<br />
'''Delete the VLAN information from Flash'''<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
<br />
Switch# <br />
<br />
'''Reload the switch'''<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<br />
<br />
<output omitted><br />
<br />
<br />
<br />
<br />
Would you like to terminate autoinstall? [yes]: y<br />
<br />
<br />
--- System Configuration Dialog ---<br />
<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
<br />
<br />
'''After reload'''<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3430How to Clear Switch Configuration2010-10-16T04:24:48Z<p>Mtsega: </p>
<hr />
<div>'''To clear switch configuration'''<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
<br />
'''To verify the VLAN information'''<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Switch#<br />
<br />
'''Delete the VLAN information from Flash'''<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
<br />
Switch# <br />
<br />
'''Reload the switch'''<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<br />
<br />
<output omitted><br />
<br />
<br />
<br />
<br />
Would you like to terminate autoinstall? [yes]: y<br />
<br />
<br />
--- System Configuration Dialog ---<br />
<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
<br />
<br />
'''After reload'''<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
<br />
1003 token-ring-default act/unsup<br />
<br />
1004 fddinet-default act/unsup<br />
<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3429How to Clear Switch Configuration2010-10-16T04:21:46Z<p>Mtsega: </p>
<hr />
<div>'''To clear switch configuration'''<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
<br />
'''To verify the VLAN information'''<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
<br />
20 Students active<br />
<br />
30 Wireless active<br />
<br />
99 Management active<br />
<br />
1002 fddi-default act/unsup<br />
<br />
1003 token-ring-default act/unsup<br />
<br />
1004 fddinet-default act/unsup<br />
<br />
1005 trnet-default act/unsup<br />
<br />
Switch#<br />
<br />
'''Delete the VLAN information from Flash'''<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
<br />
Switch# <br />
<br />
'''Reload the switch'''<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<br />
<br />
<output omitted><br />
<br />
<br />
<br />
<br />
Would you like to terminate autoinstall? [yes]: y<br />
<br />
<br />
--- System Configuration Dialog ---<br />
<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
<br />
<br />
'''After reload'''<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
<br />
1003 token-ring-default act/unsup<br />
<br />
1004 fddinet-default act/unsup<br />
<br />
1005 trnet-default act/unsup<br />
<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3428How to Clear Switch Configuration2010-10-16T04:20:23Z<p>Mtsega: </p>
<hr />
<div>'''To clear switch configuration'''<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
<br />
'''To verify the VLAN information'''<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
<br />
Switch#<br />
<br />
'''Delete the VLAN information from Flash'''<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
<br />
Switch# <br />
<br />
'''Reload the switch'''<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<br />
<br />
<output omitted><br />
<br />
<br />
<br />
<br />
Would you like to terminate autoinstall? [yes]: y<br />
<br />
<br />
--- System Configuration Dialog ---<br />
<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
<br />
<br />
'''After reload'''<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=VHD_Backup&diff=3427VHD Backup2010-10-16T04:16:47Z<p>Mtsega: moved VHD Backup to How to Clear Switch Configuration</p>
<hr />
<div>#REDIRECT [[How to Clear Switch Configuration]]</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3426How to Clear Switch Configuration2010-10-16T04:16:47Z<p>Mtsega: moved VHD Backup to How to Clear Switch Configuration</p>
<hr />
<div>'''To clear switch configuration'''<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
<br />
'''To verify the VLAN information'''<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Switch#<br />
<br />
'''Delete the VLAN information from Flash'''<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
<br />
Switch# <br />
<br />
'''Reload the switch'''<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<br />
<br />
<output omitted><br />
<br />
<br />
<br />
<br />
Would you like to terminate autoinstall? [yes]: y<br />
<br />
<br />
--- System Configuration Dialog ---<br />
<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
<br />
<br />
'''After reload'''<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Clear_Switch_Configuration&diff=3425How to Clear Switch Configuration2010-10-16T04:13:12Z<p>Mtsega: </p>
<hr />
<div>'''To clear switch configuration'''<br />
<br />
Issue the erase starting-config command.<br />
<br />
Switch#erase startup-config<br />
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<br />
[OK]<br />
Erase of nvram: complete<br />
Switch#<br />
<br />
<br />
<br />
At this stage, the switch configuration has reset to the factory defaults, with the exclusion of the VLAN information. VLANs are kept in a seperate file from the startup-config (NVRAM). <br />
<br />
<br />
<br />
'''To verify the VLAN information'''<br />
<br />
Issue the show vlan brief command<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
10 Faculty/Staff active<br />
20 Students active<br />
30 Wireless active<br />
99 Management active<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Switch#<br />
<br />
'''Delete the VLAN information from Flash'''<br />
<br />
Switch#delete flash:vlan.dat<br />
Delete filename [vlan.dat]?<br />
Delete flash:vlan.dat? [confirm]<br />
<br />
Switch# <br />
<br />
'''Reload the switch'''<br />
<br />
Do not save at the prompt. Otherwise, the switch reloads with the current running configuration and does not clear the switch configuration.<br />
<br />
Switch#reload<br />
<br />
System configuration has been modified. Save? [yes/no]: n<br />
Proceed with reload? [confirm]<br />
<br />
<br />
<output omitted><br />
<br />
<br />
<br />
<br />
Would you like to terminate autoinstall? [yes]: y<br />
<br />
<br />
--- System Configuration Dialog ---<br />
<br />
Would you like to enter the initial configuration dialog? [yes/no]: n<br />
Switch><br />
<br />
<br />
<br />
'''After reload'''<br />
<br />
check the VLAN information with the show vlan brief command.<br />
<br />
Switch#show vlan brief<br />
<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4<br />
Fa0/5, Fa0/6, Fa0/7, Fa0/8<br />
Fa0/9, Fa0/10, Fa0/11, Fa0/12<br />
Fa0/13, Fa0/14, Fa0/15, Fa0/16<br />
Fa0/17, Fa0/18, Fa0/19, Fa0/20<br />
Fa0/21, Fa0/22, Fa0/23, Fa0/24<br />
Gi0/1, Gi0/2<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
1004 fddinet-default act/unsup<br />
1005 trnet-default act/unsup<br />
Compiled Thu 19-Jul-07 20:06 by nachen</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=Franske_CNT-2530_FA10_Schedule&diff=3336Franske CNT-2530 FA10 Schedule2010-10-01T21:18:14Z<p>Mtsega: </p>
<hr />
<div>{{SyllabusInfo<br />
|coursename = Switching Fundamentals and Intermediate Routing<br />
|coursenumber = CNT-2530<br />
|numcredits = 3<br />
|instructor = Dr. Ben Franske<br />
|term = Fall 2010 Q1 (8/23/2010-10/15/2010)<br />
|meetings = M W 9:00am-11:30am, F 9:00am-10:40am<br />
|location = B143<br />
}}<br />
<br />
This schedule provides an outline of the topics expected to be covered in this course as well as the readings and assignments due each week. Topics and readings may change in which case you will be notified in class or by e-mail and the latest version of this document is always available from the course wiki. '''Please have all readings completed prior to the start of each class and be prepared to take part in the discussion.''' Unless otherwise noted online quizzes and exams are due at 11:59pm on the date indicated.<br />
<br />
==Session 1: August 23==<br />
'''Topics:'''<br />
* Cisco Network Academy Course Enrollment<br />
* Course Overview, Syllabus and Schedule<br />
* Introduction to Switching Fundamentals & Intermediate Routing<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 2: August 25==<br />
'''Topics:'''<br />
* LAN Design<br />
**Switched LAN Architecture<br />
**Matching Switches to Specific LAN Functions<br />
<br />
'''Readings:'''<br />
* Chapter 1: LAN Design<br />
<br />
'''Due:'''<br />
<br />
==Session 3: August 27==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 1 Online Assessment<br />
<br />
==Session 4: August 30==<br />
'''Topics:'''<br />
* Basic Switch Concepts & Configuration<br />
**Introduction to Ethernet/802.3 LANs<br />
**Forwarding Frames Using a Switch<br />
**Switch Management Configuration<br />
**Configuring Switch Security<br />
<br />
'''Readings:'''<br />
* Chapter 2<br />
<br />
'''Due:'''<br />
<br />
==Session 5: September 1==<br />
'''Topics:'''<br />
* VLANs<br />
**Introducing VLANs<br />
**VLAN Trunking<br />
**Configure VLANs and Trunks<br />
**Troubleshooting VLANs and Trunks<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
* Chapter 3<br />
<br />
'''Due:'''<br />
* Chapter 2 Online Assessment<br />
<br />
==Session 6: September 3==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 3 Online Assessment<br />
<br />
==NO CLASS: September 6==<br />
* Labor Day - NO CLASS<br />
<br />
<br />
==Session 7: September 8==<br />
'''Topics:'''<br />
* VTP<br />
**VTP Concepts<br />
**VTP Operation<br />
**Configure VTP<br />
<br />
'''Readings:'''<br />
* Chapter 4<br />
<br />
'''Due:'''<br />
<br />
==Session 8: September 10==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 4 Online Assessment<br />
* Service Project Idea Submitted<br />
<br />
==Session 9: September 13==<br />
'''Topics:'''<br />
* STP<br />
**Redundant Layer 2 Topologies<br />
**Introduction to STP<br />
**STP Convergence<br />
**PVST+, RSTP, and Rapid PVST+<br />
<br />
'''Readings:'''<br />
* Chapter 5<br />
<br />
'''Due:'''<br />
<br />
==Session 10: September 15==<br />
'''Topics:'''<br />
* Inter-VLAN Routing<br />
**Inter-VLAN Routing<br />
**Configuring Inter-VLAN Routing<br />
**Troubleshooting Inter-VLAN Routing<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
* Chapter 6<br />
<br />
'''Due:'''<br />
* Chapter 5 Online Assessment<br />
<br />
==Session 11: September 17==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 6 Online Assessment<br />
<br />
==Session 12: September 20==<br />
'''Topics:'''<br />
* Basic Wireless Concepts & Configuration<br />
**The Wireless LAN<br />
**Wireless LAN Security<br />
**Configure Wireless LAN Access<br />
**Troubleshooting Simple WLAN Problems<br />
'''Readings:'''<br />
* Chapter 7<br />
<br />
'''Due:'''<br />
<br />
==NO CLASS: September 22==<br />
* Student Success Day - Make sure to attend at least two sessions for homework credit!<br />
<br />
==Session 13: September 24==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 7 Online Assessment<br />
<br />
==Session 14: September 27==<br />
'''Topics:'''<br />
* Open Lab Time / Project Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 15: September 29==<br />
'''Topics:'''<br />
* Introduction to Multi-Layer Switching<br />
* Multi-layer Switching Lab<br />
<br />
'''Readings:'''<br />
* [http://www.pulsewan.com/data101/pdfs/layer3_switching.pdf Layer-3 Switching: An Introduction by Robert Ciampa]<br />
* [http://www.cisco.com/application/pdf/paws/41860/howto_L3_intervlanrouting.pdf How To Configure InterVLAN Routing on Layer 3 Switches]<br />
<br />
'''Due:'''<br />
<br />
==Session 16: October 1==<br />
'''Topics:'''<br />
* Internet History<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
==Session 17: October 4==<br />
'''Topics:'''<br />
* Introduction to Enterprise Wireless<br />
* Enterprise Wireless Lab<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 18: October 6==<br />
'''Topics:'''<br />
* Internet History<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 19: October 8==<br />
'''Topics:'''<br />
* Internet History<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Online Final Exam '''(Open 12:00pm-8:00pm)'''<br />
<br />
==Session 20: October 11==<br />
'''Topics:'''<br />
* Final Skills Assessment By Appointment <br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 21: October 13==<br />
'''Topics:'''<br />
* Final Skills Assessment By Appointment <br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 22: October 15==<br />
'''Topics:'''<br />
* Final Skills Assessment By Appointment <br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Lab Reports (All Labs/Homework Due!)<br />
* CNT Service Project(s)<br />
<br />
----<br />
The instructor reserves the right to modify and adjust the schedule and assignments as needed during the course of this class. The most up to date version will always be available on the course website or from the instructor.</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=Franske_CNT-2530_FA10_Schedule&diff=3335Franske CNT-2530 FA10 Schedule2010-10-01T21:01:02Z<p>Mtsega: </p>
<hr />
<div>{{SyllabusInfo<br />
|coursename = Switching Fundamentals and Intermediate Routing<br />
|coursenumber = CNT-2530<br />
|numcredits = 3<br />
|instructor = Dr. Ben Franske<br />
|term = Fall 2010 Q1 (8/23/2010-10/15/2010)<br />
|meetings = M W 9:00am-11:30am, F 9:00am-10:40am<br />
|location = B143<br />
}}<br />
<br />
This schedule provides an outline of the topics expected to be covered in this course as well as the readings and assignments due each week. Topics and readings may change in which case you will be notified in class or by e-mail and the latest version of this document is always available from the course wiki. '''Please have all readings completed prior to the start of each class and be prepared to take part in the discussion.''' Unless otherwise noted online quizzes and exams are due at 11:59pm on the date indicated.<br />
<br />
==Session 1: August 23==<br />
'''Topics:'''<br />
* Cisco Network Academy Course Enrollment<br />
* Course Overview, Syllabus and Schedule<br />
* Introduction to Switching Fundamentals & Intermediate Routing<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 2: August 25==<br />
'''Topics:'''<br />
* LAN Design<br />
**Switched LAN Architecture<br />
**Matching Switches to Specific LAN Functions<br />
<br />
'''Readings:'''<br />
* Chapter 1: LAN Design<br />
<br />
'''Due:'''<br />
<br />
==Session 3: August 27==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 1 Online Assessment<br />
<br />
==Session 4: August 30==<br />
'''Topics:'''<br />
* Basic Switch Concepts & Configuration<br />
**Introduction to Ethernet/802.3 LANs<br />
**Forwarding Frames Using a Switch<br />
**Switch Management Configuration<br />
**Configuring Switch Security<br />
<br />
'''Readings:'''<br />
* Chapter 2<br />
<br />
'''Due:'''<br />
<br />
==Session 5: September 1==<br />
'''Topics:'''<br />
* VLANs<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
* Chapter 3<br />
<br />
'''Due:'''<br />
* Chapter 2 Online Assessment<br />
<br />
==Session 6: September 3==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 3 Online Assessment<br />
<br />
==NO CLASS: September 6==<br />
* Labor Day - NO CLASS<br />
<br />
<br />
==Session 7: September 8==<br />
'''Topics:'''<br />
* VTP<br />
<br />
'''Readings:'''<br />
* Chapter 4<br />
<br />
'''Due:'''<br />
<br />
==Session 8: September 10==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 4 Online Assessment<br />
* Service Project Idea Submitted<br />
<br />
==Session 9: September 13==<br />
'''Topics:'''<br />
* STP<br />
<br />
'''Readings:'''<br />
* Chapter 5<br />
<br />
'''Due:'''<br />
<br />
==Session 10: September 15==<br />
'''Topics:'''<br />
* Inter-VLAN Routing<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
* Chapter 6<br />
<br />
'''Due:'''<br />
* Chapter 5 Online Assessment<br />
<br />
==Session 11: September 17==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 6 Online Assessment<br />
<br />
==Session 12: September 20==<br />
'''Topics:'''<br />
* Basic Wireless Concepts & Configuration<br />
<br />
'''Readings:'''<br />
* Chapter 7<br />
<br />
'''Due:'''<br />
<br />
==NO CLASS: September 22==<br />
* Student Success Day - Make sure to attend at least two sessions for homework credit!<br />
<br />
==Session 13: September 24==<br />
'''Topics:'''<br />
* Open Lab Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Chapter 7 Online Assessment<br />
<br />
==Session 14: September 27==<br />
'''Topics:'''<br />
* Open Lab Time / Project Time<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 15: September 29==<br />
'''Topics:'''<br />
* Introduction to Multi-Layer Switching<br />
* Multi-layer Switching Lab<br />
<br />
'''Readings:'''<br />
* [http://www.pulsewan.com/data101/pdfs/layer3_switching.pdf Layer-3 Switching: An Introduction by Robert Ciampa]<br />
* [http://www.cisco.com/application/pdf/paws/41860/howto_L3_intervlanrouting.pdf How To Configure InterVLAN Routing on Layer 3 Switches]<br />
<br />
'''Due:'''<br />
<br />
==Session 16: October 1==<br />
'''Topics:'''<br />
* Internet History<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
==Session 17: October 4==<br />
'''Topics:'''<br />
* Introduction to Enterprise Wireless<br />
* Enterprise Wireless Lab<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 18: October 6==<br />
'''Topics:'''<br />
* Internet History<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 19: October 8==<br />
'''Topics:'''<br />
* Internet History<br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Online Final Exam '''(Open 12:00pm-8:00pm)'''<br />
<br />
==Session 20: October 11==<br />
'''Topics:'''<br />
* Final Skills Assessment By Appointment <br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 21: October 13==<br />
'''Topics:'''<br />
* Final Skills Assessment By Appointment <br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
<br />
<br />
==Session 22: October 15==<br />
'''Topics:'''<br />
* Final Skills Assessment By Appointment <br />
<br />
'''Readings:'''<br />
<br />
'''Due:'''<br />
* Lab Reports (All Labs/Homework Due!)<br />
* CNT Service Project(s)<br />
<br />
----<br />
The instructor reserves the right to modify and adjust the schedule and assignments as needed during the course of this class. The most up to date version will always be available on the course website or from the instructor.</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=File:Vt1.jpg&diff=3018File:Vt1.jpg2010-07-31T02:47:30Z<p>Mtsega: </p>
<hr />
<div></div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Install_a_Printer&diff=3017How to Install a Printer2010-07-31T00:34:16Z<p>Mtsega: </p>
<hr />
<div>== '''VHD Backup'''==<br />
ViertuaBox 1 :- Double click Network and select your adapter (Adapter1). <br />
Under Adapter 1 .<br />
Attached to - select Host-only Adapter.<br />
Name - Virtualbox Host-only Ethernet Adapter.<br />
Click Advanced - choose adapter type and then press OK.<br />
<br />
[[File:Cnt_vb2_0001.png|600px|thumb|left|alt text]]<br />
For configuring the network - Start >> Control Panel >> Under Network and Internet click view network status and tasks >> double click Local Area connection >> select properties >> TCP/IP4 >> Then Properties. Depanding on your network type you can assign static IP address by selecting use the following IP address or you can set to obtain an IP address automaticaly.<br />
<br />
<br />
<br />
<br />
<br />
Follow the same step as VirtualBox 1 for configuring network on ViertualBox 2. <br />
<br />
On your local machine - Go to Start >> Control Panel >> under Network and Internet double click View network status and tasks >> clieck VirtualBox-only Network >> Select Properties >> TCP/IP4 >> Properties then configure the IP settings.<br />
<br />
<br />
<br />
<br />
Turn on the network discovery and file sharing on the VirtualBoxs and local machine. You can see all the devices within the network when you turn on network discovery. You can also use the Ping command to check connection between the systems. Check your Firewall, if Firewall is blocking the network from being discovered.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
You can view the network map by going to - Start >> Control Panel >> under Network and Internet double click View network status and tasks >> see ful map.<br />
<br />
<br />
Once you make sure VirtualBOX 1 and VirtualBox 2 are communicating, you can backup the image and files from one VirtualBox to VHD of the other VirtualBox using the network. On my case I used CNT_Ente machine as a VirtualBox 2 and CNT_VB1 machine as a VirtualBox 1 which is the machine the VHD attached. <br />
On VirtualBox 1 (CNT_VB1) attach the VHD to do that go to -<br />
Start >> Right click Computer >> Manage >> Disk Management >> right click Disk management >> select Attach VHD >> Browse and locate your VHD (C:\VHDs\myvhd.vhd) >> then click Ok.<br />
<br />
<br />
<br />
For the VHD to be accesed by other machines in the network.<br />
Computer >> Right click Virtual Hard Disk (myvhd(H:)) >> Properties >> select sharing tab >> In Advanced sharing >> Mark share this folder. <br />
<br />
<br />
<br />
Then click Permissions under Advaned sharing>> under permissions - Allow Full control, change and read.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
On VirtualBox 2 (CNT_Ente) to start the backup go to:<br />
Start >> Control Panel >> Under System and Security click Backup your computer >> Browse and select a network location. You need to provied username and password of VirtualBox 1.<br />
You can Set up Backup or backup a system image<br />
<br />
<br />
Select the network location that you are going to save the backup. To backup system image -<br />
Select Create a system image >> On a network location Browse and select VHD (\\Cnt_vb1-pc\h\) >> Then click OK >>Confirm your backup setting and press Next >> press Start backup. This will take several minits.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Backup on prograss.<br />
<br />
<br />
Once the back is done it will ask you if you want to create a system repair disc?<br />
<br />
<br />
</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Install_a_Printer&diff=3016How to Install a Printer2010-07-31T00:33:41Z<p>Mtsega: </p>
<hr />
<div>== '''VHD Backup'''==<br />
ViertuaBox 1 :- Double click Network and select your adapter (Adapter1). <br />
Under Adapter 1 .<br />
Attached to - select Host-only Adapter.<br />
Name - Virtualbox Host-only Ethernet Adapter.<br />
Click Advanced - choose adapter type and then press OK.<br />
<br />
[[File:Cnt_vb2_0001.png|600px*600px|thumb|left|alt text]]<br />
For configuring the network - Start >> Control Panel >> Under Network and Internet click view network status and tasks >> double click Local Area connection >> select properties >> TCP/IP4 >> Then Properties. Depanding on your network type you can assign static IP address by selecting use the following IP address or you can set to obtain an IP address automaticaly.<br />
<br />
<br />
<br />
<br />
<br />
Follow the same step as VirtualBox 1 for configuring network on ViertualBox 2. <br />
<br />
On your local machine - Go to Start >> Control Panel >> under Network and Internet double click View network status and tasks >> clieck VirtualBox-only Network >> Select Properties >> TCP/IP4 >> Properties then configure the IP settings.<br />
<br />
<br />
<br />
<br />
Turn on the network discovery and file sharing on the VirtualBoxs and local machine. You can see all the devices within the network when you turn on network discovery. You can also use the Ping command to check connection between the systems. Check your Firewall, if Firewall is blocking the network from being discovered.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
You can view the network map by going to - Start >> Control Panel >> under Network and Internet double click View network status and tasks >> see ful map.<br />
<br />
<br />
Once you make sure VirtualBOX 1 and VirtualBox 2 are communicating, you can backup the image and files from one VirtualBox to VHD of the other VirtualBox using the network. On my case I used CNT_Ente machine as a VirtualBox 2 and CNT_VB1 machine as a VirtualBox 1 which is the machine the VHD attached. <br />
On VirtualBox 1 (CNT_VB1) attach the VHD to do that go to -<br />
Start >> Right click Computer >> Manage >> Disk Management >> right click Disk management >> select Attach VHD >> Browse and locate your VHD (C:\VHDs\myvhd.vhd) >> then click Ok.<br />
<br />
<br />
<br />
For the VHD to be accesed by other machines in the network.<br />
Computer >> Right click Virtual Hard Disk (myvhd(H:)) >> Properties >> select sharing tab >> In Advanced sharing >> Mark share this folder. <br />
<br />
<br />
<br />
Then click Permissions under Advaned sharing>> under permissions - Allow Full control, change and read.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
On VirtualBox 2 (CNT_Ente) to start the backup go to:<br />
Start >> Control Panel >> Under System and Security click Backup your computer >> Browse and select a network location. You need to provied username and password of VirtualBox 1.<br />
You can Set up Backup or backup a system image<br />
<br />
<br />
Select the network location that you are going to save the backup. To backup system image -<br />
Select Create a system image >> On a network location Browse and select VHD (\\Cnt_vb1-pc\h\) >> Then click OK >>Confirm your backup setting and press Next >> press Start backup. This will take several minits.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Backup on prograss.<br />
<br />
<br />
Once the back is done it will ask you if you want to create a system repair disc?<br />
<br />
<br />
</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Install_a_Printer&diff=3015How to Install a Printer2010-07-31T00:32:00Z<p>Mtsega: </p>
<hr />
<div>== '''VHD Backup'''==<br />
ViertuaBox 1 :- Double click Network and select your adapter (Adapter1). <br />
Under Adapter 1 .<br />
Attached to - select Host-only Adapter.<br />
Name - Virtualbox Host-only Ethernet Adapter.<br />
Click Advanced - choose adapter type and then press OK.<br />
<br />
[[File:Cnt_vb2_0001.png|500px|thumb|left|alt text]]<br />
For configuring the network - Start >> Control Panel >> Under Network and Internet click view network status and tasks >> double click Local Area connection >> select properties >> TCP/IP4 >> Then Properties. Depanding on your network type you can assign static IP address by selecting use the following IP address or you can set to obtain an IP address automaticaly.<br />
<br />
<br />
<br />
<br />
<br />
Follow the same step as VirtualBox 1 for configuring network on ViertualBox 2. <br />
<br />
On your local machine - Go to Start >> Control Panel >> under Network and Internet double click View network status and tasks >> clieck VirtualBox-only Network >> Select Properties >> TCP/IP4 >> Properties then configure the IP settings.<br />
<br />
<br />
<br />
<br />
Turn on the network discovery and file sharing on the VirtualBoxs and local machine. You can see all the devices within the network when you turn on network discovery. You can also use the Ping command to check connection between the systems. Check your Firewall, if Firewall is blocking the network from being discovered.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
You can view the network map by going to - Start >> Control Panel >> under Network and Internet double click View network status and tasks >> see ful map.<br />
<br />
<br />
Once you make sure VirtualBOX 1 and VirtualBox 2 are communicating, you can backup the image and files from one VirtualBox to VHD of the other VirtualBox using the network. On my case I used CNT_Ente machine as a VirtualBox 2 and CNT_VB1 machine as a VirtualBox 1 which is the machine the VHD attached. <br />
On VirtualBox 1 (CNT_VB1) attach the VHD to do that go to -<br />
Start >> Right click Computer >> Manage >> Disk Management >> right click Disk management >> select Attach VHD >> Browse and locate your VHD (C:\VHDs\myvhd.vhd) >> then click Ok.<br />
<br />
<br />
<br />
For the VHD to be accesed by other machines in the network.<br />
Computer >> Right click Virtual Hard Disk (myvhd(H:)) >> Properties >> select sharing tab >> In Advanced sharing >> Mark share this folder. <br />
<br />
<br />
<br />
Then click Permissions under Advaned sharing>> under permissions - Allow Full control, change and read.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
On VirtualBox 2 (CNT_Ente) to start the backup go to:<br />
Start >> Control Panel >> Under System and Security click Backup your computer >> Browse and select a network location. You need to provied username and password of VirtualBox 1.<br />
You can Set up Backup or backup a system image<br />
<br />
<br />
Select the network location that you are going to save the backup. To backup system image -<br />
Select Create a system image >> On a network location Browse and select VHD (\\Cnt_vb1-pc\h\) >> Then click OK >>Confirm your backup setting and press Next >> press Start backup. This will take several minits.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Backup on prograss.<br />
<br />
<br />
Once the back is done it will ask you if you want to create a system repair disc?<br />
<br />
<br />
</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Install_a_Printer&diff=3014How to Install a Printer2010-07-31T00:31:21Z<p>Mtsega: </p>
<hr />
<div>== '''VHD Backup'''==<br />
ViertuaBox 1 :- Double click Network and select your adapter (Adapter1). <br />
Under Adapter 1 .<br />
Attached to - select Host-only Adapter.<br />
Name - Virtualbox Host-only Ethernet Adapter.<br />
Click Advanced - choose adapter type and then press OK.<br />
<br />
[[File:Cnt_vb2_0001.png|200px|thumb|left|alt text]]<br />
For configuring the network - Start >> Control Panel >> Under Network and Internet click view network status and tasks >> double click Local Area connection >> select properties >> TCP/IP4 >> Then Properties. Depanding on your network type you can assign static IP address by selecting use the following IP address or you can set to obtain an IP address automaticaly.<br />
<br />
<br />
<br />
<br />
<br />
Follow the same step as VirtualBox 1 for configuring network on ViertualBox 2. <br />
<br />
On your local machine - Go to Start >> Control Panel >> under Network and Internet double click View network status and tasks >> clieck VirtualBox-only Network >> Select Properties >> TCP/IP4 >> Properties then configure the IP settings.<br />
<br />
<br />
<br />
<br />
Turn on the network discovery and file sharing on the VirtualBoxs and local machine. You can see all the devices within the network when you turn on network discovery. You can also use the Ping command to check connection between the systems. Check your Firewall, if Firewall is blocking the network from being discovered.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
You can view the network map by going to - Start >> Control Panel >> under Network and Internet double click View network status and tasks >> see ful map.<br />
<br />
<br />
Once you make sure VirtualBOX 1 and VirtualBox 2 are communicating, you can backup the image and files from one VirtualBox to VHD of the other VirtualBox using the network. On my case I used CNT_Ente machine as a VirtualBox 2 and CNT_VB1 machine as a VirtualBox 1 which is the machine the VHD attached. <br />
On VirtualBox 1 (CNT_VB1) attach the VHD to do that go to -<br />
Start >> Right click Computer >> Manage >> Disk Management >> right click Disk management >> select Attach VHD >> Browse and locate your VHD (C:\VHDs\myvhd.vhd) >> then click Ok.<br />
<br />
<br />
<br />
For the VHD to be accesed by other machines in the network.<br />
Computer >> Right click Virtual Hard Disk (myvhd(H:)) >> Properties >> select sharing tab >> In Advanced sharing >> Mark share this folder. <br />
<br />
<br />
<br />
Then click Permissions under Advaned sharing>> under permissions - Allow Full control, change and read.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
On VirtualBox 2 (CNT_Ente) to start the backup go to:<br />
Start >> Control Panel >> Under System and Security click Backup your computer >> Browse and select a network location. You need to provied username and password of VirtualBox 1.<br />
You can Set up Backup or backup a system image<br />
<br />
<br />
Select the network location that you are going to save the backup. To backup system image -<br />
Select Create a system image >> On a network location Browse and select VHD (\\Cnt_vb1-pc\h\) >> Then click OK >>Confirm your backup setting and press Next >> press Start backup. This will take several minits.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Backup on prograss.<br />
<br />
<br />
Once the back is done it will ask you if you want to create a system repair disc?<br />
<br />
<br />
</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Install_a_Printer&diff=3013How to Install a Printer2010-07-31T00:22:40Z<p>Mtsega: </p>
<hr />
<div>== '''VHD Backup'''==<br />
ViertuaBox 1 :- Double click Network and select your adapter (Adapter1). <br />
Under Adapter 1 .<br />
Attached to - select Host-only Adapter.<br />
Name - Virtualbox Host-only Ethernet Adapter.<br />
Click Advanced - choose adapter type and then press OK.<br />
<br />
[[File:Cnt_vb2_0001.png]][[File:Cnt_vb2_0001.png]]<br />
For configuring the network - Start >> Control Panel >> Under Network and Internet click view network status and tasks >> double click Local Area connection >> select properties >> TCP/IP4 >> Then Properties. Depanding on your network type you can assign static IP address by selecting use the following IP address or you can set to obtain an IP address automaticaly.<br />
<br />
<br />
<br />
<br />
<br />
Follow the same step as VirtualBox 1 for configuring network on ViertualBox 2. <br />
<br />
On your local machine - Go to Start >> Control Panel >> under Network and Internet double click View network status and tasks >> clieck VirtualBox-only Network >> Select Properties >> TCP/IP4 >> Properties then configure the IP settings.<br />
<br />
<br />
<br />
<br />
Turn on the network discovery and file sharing on the VirtualBoxs and local machine. You can see all the devices within the network when you turn on network discovery. You can also use the Ping command to check connection between the systems. Check your Firewall, if Firewall is blocking the network from being discovered.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
You can view the network map by going to - Start >> Control Panel >> under Network and Internet double click View network status and tasks >> see ful map.<br />
<br />
<br />
Once you make sure VirtualBOX 1 and VirtualBox 2 are communicating, you can backup the image and files from one VirtualBox to VHD of the other VirtualBox using the network. On my case I used CNT_Ente machine as a VirtualBox 2 and CNT_VB1 machine as a VirtualBox 1 which is the machine the VHD attached. <br />
On VirtualBox 1 (CNT_VB1) attach the VHD to do that go to -<br />
Start >> Right click Computer >> Manage >> Disk Management >> right click Disk management >> select Attach VHD >> Browse and locate your VHD (C:\VHDs\myvhd.vhd) >> then click Ok.<br />
<br />
<br />
<br />
For the VHD to be accesed by other machines in the network.<br />
Computer >> Right click Virtual Hard Disk (myvhd(H:)) >> Properties >> select sharing tab >> In Advanced sharing >> Mark share this folder. <br />
<br />
<br />
<br />
Then click Permissions under Advaned sharing>> under permissions - Allow Full control, change and read.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
On VirtualBox 2 (CNT_Ente) to start the backup go to:<br />
Start >> Control Panel >> Under System and Security click Backup your computer >> Browse and select a network location. You need to provied username and password of VirtualBox 1.<br />
You can Set up Backup or backup a system image<br />
<br />
<br />
Select the network location that you are going to save the backup. To backup system image -<br />
Select Create a system image >> On a network location Browse and select VHD (\\Cnt_vb1-pc\h\) >> Then click OK >>Confirm your backup setting and press Next >> press Start backup. This will take several minits.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Backup on prograss.<br />
<br />
<br />
Once the back is done it will ask you if you want to create a system repair disc?<br />
<br />
<br />
</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Install_a_Printer&diff=3011How to Install a Printer2010-07-31T00:15:08Z<p>Mtsega: </p>
<hr />
<div>== '''VHD Backup'''==<br />
ViertuaBox 1 :- Double click Network and select your adapter (Adapter1). <br />
Under Adapter 1 .<br />
Attached to - select Host-only Adapter.<br />
Name - Virtualbox Host-only Ethernet Adapter.<br />
Click Advanced - choose adapter type and then press OK.<br />
<br />
[[File:Cnt_vb2_0001.png]]<br />
For configuring the network - Start >> Control Panel >> Under Network and Internet click view network status and tasks >> double click Local Area connection >> select properties >> TCP/IP4 >> Then Properties. Depanding on your network type you can assign static IP address by selecting use the following IP address or you can set to obtain an IP address automaticaly.<br />
<br />
<br />
<br />
<br />
<br />
Follow the same step as VirtualBox 1 for configuring network on ViertualBox 2. <br />
<br />
On your local machine - Go to Start >> Control Panel >> under Network and Internet double click View network status and tasks >> clieck VirtualBox-only Network >> Select Properties >> TCP/IP4 >> Properties then configure the IP settings.<br />
<br />
<br />
<br />
<br />
Turn on the network discovery and file sharing on the VirtualBoxs and local machine. You can see all the devices within the network when you turn on network discovery. You can also use the Ping command to check connection between the systems. Check your Firewall, if Firewall is blocking the network from being discovered.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
You can view the network map by going to - Start >> Control Panel >> under Network and Internet double click View network status and tasks >> see ful map.<br />
<br />
<br />
Once you make sure VirtualBOX 1 and VirtualBox 2 are communicating, you can backup the image and files from one VirtualBox to VHD of the other VirtualBox using the network. On my case I used CNT_Ente machine as a VirtualBox 2 and CNT_VB1 machine as a VirtualBox 1 which is the machine the VHD attached. <br />
On VirtualBox 1 (CNT_VB1) attach the VHD to do that go to -<br />
Start >> Right click Computer >> Manage >> Disk Management >> right click Disk management >> select Attach VHD >> Browse and locate your VHD (C:\VHDs\myvhd.vhd) >> then click Ok.<br />
<br />
<br />
<br />
For the VHD to be accesed by other machines in the network.<br />
Computer >> Right click Virtual Hard Disk (myvhd(H:)) >> Properties >> select sharing tab >> In Advanced sharing >> Mark share this folder. <br />
<br />
<br />
<br />
Then click Permissions under Advaned sharing>> under permissions - Allow Full control, change and read.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
On VirtualBox 2 (CNT_Ente) to start the backup go to:<br />
Start >> Control Panel >> Under System and Security click Backup your computer >> Browse and select a network location. You need to provied username and password of VirtualBox 1.<br />
You can Set up Backup or backup a system image<br />
<br />
<br />
Select the network location that you are going to save the backup. To backup system image -<br />
Select Create a system image >> On a network location Browse and select VHD (\\Cnt_vb1-pc\h\) >> Then click OK >>Confirm your backup setting and press Next >> press Start backup. This will take several minits.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Backup on prograss.<br />
<br />
<br />
Once the back is done it will ask you if you want to create a system repair disc?<br />
<br />
<br />
</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Install_a_Printer&diff=3010How to Install a Printer2010-07-31T00:13:34Z<p>Mtsega: </p>
<hr />
<div>== '''VHD Backup'''==<br />
ViertuaBox 1 :- Double click Network and select your adapter (Adapter1). <br />
Under Adapter 1 .<br />
Attached to - select Host-only Adapter.<br />
Name - Virtualbox Host-only Ethernet Adapter.<br />
Click Advanced - choose adapter type and then press OK.<br />
<br />
[File:Cnt_vb2_0001.png]<br />
For configuring the network - Start >> Control Panel >> Under Network and Internet click view network status and tasks >> double click Local Area connection >> select properties >> TCP/IP4 >> Then Properties. Depanding on your network type you can assign static IP address by selecting use the following IP address or you can set to obtain an IP address automaticaly.<br />
<br />
<br />
<br />
<br />
<br />
Follow the same step as VirtualBox 1 for configuring network on ViertualBox 2. <br />
<br />
On your local machine - Go to Start >> Control Panel >> under Network and Internet double click View network status and tasks >> clieck VirtualBox-only Network >> Select Properties >> TCP/IP4 >> Properties then configure the IP settings.<br />
<br />
<br />
<br />
<br />
Turn on the network discovery and file sharing on the VirtualBoxs and local machine. You can see all the devices within the network when you turn on network discovery. You can also use the Ping command to check connection between the systems. Check your Firewall, if Firewall is blocking the network from being discovered.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
You can view the network map by going to - Start >> Control Panel >> under Network and Internet double click View network status and tasks >> see ful map.<br />
<br />
<br />
Once you make sure VirtualBOX 1 and VirtualBox 2 are communicating, you can backup the image and files from one VirtualBox to VHD of the other VirtualBox using the network. On my case I used CNT_Ente machine as a VirtualBox 2 and CNT_VB1 machine as a VirtualBox 1 which is the machine the VHD attached. <br />
On VirtualBox 1 (CNT_VB1) attach the VHD to do that go to -<br />
Start >> Right click Computer >> Manage >> Disk Management >> right click Disk management >> select Attach VHD >> Browse and locate your VHD (C:\VHDs\myvhd.vhd) >> then click Ok.<br />
<br />
<br />
<br />
For the VHD to be accesed by other machines in the network.<br />
Computer >> Right click Virtual Hard Disk (myvhd(H:)) >> Properties >> select sharing tab >> In Advanced sharing >> Mark share this folder. <br />
<br />
<br />
<br />
Then click Permissions under Advaned sharing>> under permissions - Allow Full control, change and read.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
On VirtualBox 2 (CNT_Ente) to start the backup go to:<br />
Start >> Control Panel >> Under System and Security click Backup your computer >> Browse and select a network location. You need to provied username and password of VirtualBox 1.<br />
You can Set up Backup or backup a system image<br />
<br />
<br />
Select the network location that you are going to save the backup. To backup system image -<br />
Select Create a system image >> On a network location Browse and select VHD (\\Cnt_vb1-pc\h\) >> Then click OK >>Confirm your backup setting and press Next >> press Start backup. This will take several minits.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Backup on prograss.<br />
<br />
<br />
Once the back is done it will ask you if you want to create a system repair disc?<br />
<br />
<br />
</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=How_to_Install_a_Printer&diff=3009How to Install a Printer2010-07-31T00:12:30Z<p>Mtsega: </p>
<hr />
<div>== '''VHD Backup'''==<br />
ViertuaBox 1 :- Double click Network and select your adapter (Adapter1). <br />
Under Adapter 1 .<br />
Attached to - select Host-only Adapter.<br />
Name - Virtualbox Host-only Ethernet Adapter.<br />
Click Advanced - choose adapter type and then press OK.<br />
<br />
[[File:Cnt_vb2_0001.png]]<br />
For configuring the network - Start >> Control Panel >> Under Network and Internet click view network status and tasks >> double click Local Area connection >> select properties >> TCP/IP4 >> Then Properties. Depanding on your network type you can assign static IP address by selecting use the following IP address or you can set to obtain an IP address automaticaly.<br />
<br />
<br />
<br />
<br />
<br />
Follow the same step as VirtualBox 1 for configuring network on ViertualBox 2. <br />
<br />
On your local machine - Go to Start >> Control Panel >> under Network and Internet double click View network status and tasks >> clieck VirtualBox-only Network >> Select Properties >> TCP/IP4 >> Properties then configure the IP settings.<br />
<br />
<br />
<br />
<br />
Turn on the network discovery and file sharing on the VirtualBoxs and local machine. You can see all the devices within the network when you turn on network discovery. You can also use the Ping command to check connection between the systems. Check your Firewall, if Firewall is blocking the network from being discovered.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
You can view the network map by going to - Start >> Control Panel >> under Network and Internet double click View network status and tasks >> see ful map.<br />
<br />
<br />
Once you make sure VirtualBOX 1 and VirtualBox 2 are communicating, you can backup the image and files from one VirtualBox to VHD of the other VirtualBox using the network. On my case I used CNT_Ente machine as a VirtualBox 2 and CNT_VB1 machine as a VirtualBox 1 which is the machine the VHD attached. <br />
On VirtualBox 1 (CNT_VB1) attach the VHD to do that go to -<br />
Start >> Right click Computer >> Manage >> Disk Management >> right click Disk management >> select Attach VHD >> Browse and locate your VHD (C:\VHDs\myvhd.vhd) >> then click Ok.<br />
<br />
<br />
<br />
For the VHD to be accesed by other machines in the network.<br />
Computer >> Right click Virtual Hard Disk (myvhd(H:)) >> Properties >> select sharing tab >> In Advanced sharing >> Mark share this folder. <br />
<br />
<br />
<br />
Then click Permissions under Advaned sharing>> under permissions - Allow Full control, change and read.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
On VirtualBox 2 (CNT_Ente) to start the backup go to:<br />
Start >> Control Panel >> Under System and Security click Backup your computer >> Browse and select a network location. You need to provied username and password of VirtualBox 1.<br />
You can Set up Backup or backup a system image<br />
<br />
<br />
Select the network location that you are going to save the backup. To backup system image -<br />
Select Create a system image >> On a network location Browse and select VHD (\\Cnt_vb1-pc\h\) >> Then click OK >>Confirm your backup setting and press Next >> press Start backup. This will take several minits.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Backup on prograss.<br />
<br />
<br />
Once the back is done it will ask you if you want to create a system repair disc?<br />
<br />
<br />
</div>Mtsegahttps://wiki.ihitc.net/mediawiki/index.php?title=File:Cnt_vb2_0001.png&diff=3008File:Cnt vb2 0001.png2010-07-31T00:10:18Z<p>Mtsega: </p>
<hr />
<div></div>Mtsega