I've done enough dmvpn turn ups now that having some scripts is really useful. The first one is for the hub configuration. I have left it with an eigrp routing protocol configuration but it isn't that different to use ospf and it will give you something to look up and figure out. I'll post a separate entry for the spoke configuration next.
!#####
! - DMVPN Hub script - sample 2821/51 or 3825/45 routers running 12.2.x ios code
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname {router hostname}
!
logging count
logging message-counter syslog
logging buffered 4096
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
!
no ip source-route
!
ip cef
!
no ip domain lookup
ip domain name {example.com}
no ipv6 cef
!
username {name} privilege 15 secret {some super secret password}
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key {some long preshared key} address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec transform-set {some string like companyname-tset} esp-aes esp-sha-hmac
!
crypto ipsec profile {some string like companyname-prof}
set transform-set {same string like companyname-tset}
!
interface Loopback0
ip address {loopback IP} 255.255.255.255
no shut
!
interface Tunnel0
description - DMVPN Tunnel Interface - Hub configuration
bandwidth {set to the same as the internet bw - like 1544}
ip address 10.100.100.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication {some string - has to match on the spokes}
ip nhrp map multicast dynamic
ip nhrp network-id {some id - match it to the eigrp AS}
ip nhrp holdtime 300
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon eigrp {eigrp AS number}
no ip mroute-cache
load-interval 60
delay 400
keepalive 5 4
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key {some number - needs to match the hub}
tunnel protection ipsec profile {same string like companyname-prof}
no shut
!
interface GigabitEthernet0/0
description ***Internal LAN connection to switching core***
ip address {LAN IP} 255.255.255.0
no ip redirects
! - sample summary route statement
! ip summary-address eigrp 10.10.0.0 255.255.0.0 5
duplex auto
speed auto
no shut
!
interface GigabitEthernet0/1
description ***External Internet connection to outside switch***
ip address {Public IP of Hub} {Subnet of Public IP}
ip access-group inet in
no ip redirects
duplex auto
speed auto
no shut
!
router eigrp {eigrp AS number}
redistribute connected route-map redistribute-connected-rm
network 10.100.100.0 0.0.0.255
network {LAN IP} 0.0.0.255
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 {DG of Public IP}
no ip http server
no ip http secure-server
!
ip access-list standard redistribute-connected
permit {Lookback IP}
!
ip access-list standard vty_access
! - permit remote IP's
permit {public ip} {inverse public subnet} log
! - permit internal IP's
permit 10.0.0.0 0.255.255.255 log
!
ip access-list extended inet
remark Access list for Internet interface - permits DMVPN
permit udp any host {public IP of hub} eq non500-isakmp
permit udp any host {public IP of hub} eq isakmp
permit esp any host {public IP of hub}
permit ahp any host {public IP of hub}
permit gre any host {public IP of hub}
! allow ssh to the public interface
permit tcp {remote public ip} {inverse public subnet} host {public IP of hub} eq 22
! allow icmp if you want
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
!
snmp-server community {some string} RO
snmp-server location {some location}
snmp-server contact {some contact and number}
!
route-map redistribute-connected-rm permit 10
match ip address redistribute-connected
!
banner login ^
--------------------------------------------------------------------------
{Some Company Name}
{some threatening statement telling people to go away}
{some statement claiming everything is being logged}
----------------------------------------------------------------------------
^
!
alias exec st sh ip int brief
!
line con 0
login local
line aux 0
login local
line vty 0 4
access-class vty_access in
exec-timeout 10 0
login local
transport input ssh
line vty 5 15
access-class vty_access in
exec-timeout 10 0
login local
transport input ssh
!
ntp server {public NTP server IP}
end
!
!#####
The script doesn't have any CBAC or Zone Based Firewalling configured on it - honestly that is easier to set up after you have the dmvpn up and working. This is for a preshared key configuration which is the easiest to get up and running but is nowhere near as secure as certificate based dmvpn deployments. Just setting up the certificate server on the router deserves its own post so I will wait on that one. This is provided as is, it isn't perfect but should get you started in getting something up and running with minimal effort.
- Ed
No comments:
Post a Comment