Friday, November 20, 2009

DMVPN for Hub & Spoke Topology

A project was started to configure VPN between the head office and the remote branches. At first this was done simply by configuring site-to-site VPN (see my blog) between the remote branch (Peshawar) and Faisalabad, because we (Peshawar) use Faisalabad as our next hop to reach the head office. After the basic site-to-site VPN configuration the communication between the two offices was working. The problem arose when Faisalabad configured a VPN with another remote office (Abbotabad): as soon as that tunnel came up, with the new peer address given under the crypto map as shown below, the ping (communication) between Peshawar and Faisalabad broke, and when Peshawar's peer address was put back, the communication with the other remote office broke instead.

Hub-Router(config)# crypto map VPN_MAP 10 ipsec-isakmp
Hub-Router(config-crypto-map)# set peer 130.13.x.x


Problem:

The main problem was that we had multiple sites using Faisalabad as their next hop, so Faisalabad became a hub, and we needed a way to configure VPN for a hub-and-spoke topology. A static crypto map can hold one entry per spoke (each with its own sequence number), but then every new branch means editing the hub's crypto map and crypto ACLs again, which does not scale. After searching and googling we came to the conclusion that DMVPN is the right choice for this.

Solution:

A Dynamic Multipoint Virtual Private Network (DMVPN) is an enhancement of the VPN configuration process on Cisco IOS-based routers. DMVPN removes the need to configure pre-defined static peers in the crypto map and in ISAKMP peer statements. An IPsec tunnel between two Cisco routers is created on an as-needed basis, either between a spoke router and the hub router or directly between spokes.

A DMVPN spoke is configured with one or more hub IP addresses. Hub IP addresses are typically static; spoke IP addresses may be static or dynamic. The spoke router is configured with the hub's IP address, which allows it to connect to the hub whenever it is online. The hub router does not need to be configured with the IP addresses of the spoke routers, so many spoke routers can be deployed without adding peers on the hub.

For routing we use a dynamic routing protocol between the spokes and the hub, and between the spokes themselves. EIGRP and OSPF are the common choices nowadays, one reason being scalability. We used EIGRP for our internal routing.

Configurations:

I assume that you are familiar with GRE tunnel configuration and site-to-site VPN configuration; if not, see my blogs for step-by-step configuration of GRE and VPN, as here I only cover the remaining configuration that DMVPN requires.

HUB Configuration:

HUB-Router(config)# interface tunnel 0
HUB-Router(config-if)# ip nhrp authentication cisco120
HUB-Router(config-if)# ip nhrp map multicast dynamic
HUB-Router(config-if)# ip nhrp network-id 10
HUB-Router(config-if)# no ip split-horizon eigrp 100


There is a reason why we use "no ip split-horizon eigrp 100" on the hub (see here): all spokes share the one multipoint tunnel interface, and with split horizon on, EIGRP would not advertise a route learned from one spoke back out Tunnel0 to the other spokes, so the spokes would never learn each other's networks. If you also want spoke-to-spoke tunnels, the hub additionally needs "no ip next-hop-self eigrp 100"; otherwise it rewrites the next hop to itself and spoke-to-spoke traffic keeps going through the hub.

HUB-Router(config-if)# tunnel source fastethernet 0/0
HUB-Router(config-if)# tunnel mode gre multipoint
HUB-Router(config-if)# tunnel key 0


The tunnel key is optional on both point-to-point and multipoint GRE tunnels; it is carried in the GRE header and lets the router tell apart several tunnels that share the same tunnel source. If it is configured on the hub, every spoke must be configured with the same tunnel key, otherwise the two ends do not match and the tunnel will not come up.

HUB-Router(config-if)# tunnel protection ipsec profile Cisco

Spoke Configuration:

SPOKE-Router(config)# interface tunnel 0
SPOKE-Router(config-if)# ip nhrp authentication cisco120
SPOKE-Router(config-if)# ip nhrp map multicast dynamic


Note: Multicast (and broadcast) mappings can be either static or dynamic. "ip nhrp map multicast dynamic" tells the router to add a multicast mapping for every peer that registers with it, which is what the hub needs because it does not know the spokes in advance. A spoke receives no registrations, so on the spoke this line does nothing; what the spoke needs is the static multicast mapping to the hub's public address, shown a few lines below.

SPOKE-Router(config-if)# ip nhrp map 172.16.2.1 221.120.x.x

The first address is the hub's tunnel (private) address and the second is the hub's public (NBMA) address.

SPOKE-Router(config-if)# ip nhrp map multicast 221.120.x.x
SPOKE-Router(config-if)# ip nhrp network-id 10
SPOKE-Router(config-if)# ip nhrp nhs 172.16.2.1


Where "nhs" is the next hop server, i.e. the hub's tunnel address.

SPOKE-Router(config-if)# tunnel source fastethernet 0/0
SPOKE-Router(config-if)# tunnel mode gre multipoint
SPOKE-Router(config-if)# tunnel protection ipsec profile Cisco


NHRP is the Next Hop Resolution Protocol. It is not a routing protocol, but it makes use of routing information: a spoke registers its tunnel-to-public address mapping with the hub (the next hop server), and later asks the hub to resolve the public address behind another spoke's tunnel address. Its most prominent feature is that it avoids extra router hops in an NBMA network. One caveat: the "ip nhrp authentication" string is sent in clear text inside NHRP packets and only the first 8 characters are used, so it is a sanity check against mis-configured peers joining the wrong DMVPN cloud, not a security control. The IPsec profile on the tunnel is what actually authenticates and encrypts between peers.
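To put the pieces together, here is a complete hub and spoke pair as an added example. It is not the configuration from this post; it fills in what the post leaves to the earlier GRE and VPN posts (the ISAKMP policy, the pre-shared key, the transform set, the "Cisco" IPsec profile, the tunnel addressing and the EIGRP process) and includes the next-hop-self line needed for spoke-to-spoke tunnels. The tunnel subnet 172.16.2.0/24 (with the hub at 172.16.2.1 as in the post), the LAN prefixes 10.1.0.0/16 and 10.2.0.0/16, the hub public address 203.0.113.1 and the key strings are assumptions chosen for illustration; replace them with your own.

```cisco
! ===== HUB (Faisalabad) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Spokes may sit on dynamic addresses, so the hub cannot list them: the
! wildcard address accepts this PSK from any peer.  One secret shared by
! every branch means one compromised router gives up all of them; move to
! certificates (authentication rsa-sig) once a PKI is available.
! (Assumed key value; on older 12.4 images without group 14 use group 5.)
crypto isakmp key DMVPN-PSK-ChangeMe address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile Cisco
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 172.16.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco120
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile Cisco
!
router eigrp 100
 network 172.16.2.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
! ===== SPOKE (Peshawar); other spokes differ only in their addresses =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! The spoke knows the hub's public address, so the PSK is bound to it.
crypto isakmp key DMVPN-PSK-ChangeMe address 203.0.113.1
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile Cisco
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 172.16.2.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco120
 ip nhrp map 172.16.2.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 10
 ip nhrp nhs 172.16.2.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile Cisco
!
router eigrp 100
 network 172.16.2.0 0.0.0.255
 network 10.2.0.0 0.0.255.255
 no auto-summary
```

The "ip mtu 1400" and "ip tcp adjust-mss 1360" lines are not required for the tunnel to come up, but without them large packets get fragmented after GRE and ESP overhead is added, which shows up as applications that work over ping but stall on real traffic. Note also that the tunnel key, the NHRP authentication string and the network-id must be identical on the hub and every spoke.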

Commands:

You can use the following commands to verify and troubleshoot the configuration.

1. show crypto sockets (displays the crypto sockets between NHRP/the tunnel and IPsec)
2. show ip nhrp (displays the NHRP cache entries, i.e. which tunnel address maps to which public address)
3. show ip route
4. show ip eigrp neighbors
5. show crypto ipsec sa (displays the active IPsec SAs and their packet counters)
6. show crypto engine connections active (displays the active connections with encrypted/decrypted packet counts)
7. show crypto isakmp sa (displays the ISAKMP security association state)


You can also enable debugging for further understanding and logs. Keep in mind that crypto debugs are verbose and CPU-intensive on a production router; enable them for as short a time as possible and turn them off with "undebug all" when done.

1. debug crypto ipsec
2. debug crypto isakmp
3. debug crypto engine
4. debug crypto sockets


I hope this will be informative for you !

Cheers :)

Saturday, November 14, 2009

Monitoring Network Interface Traffic / Resource

MRTG can be used to monitor the network interface traffic of our Linux machine or any other machine, and even the interface traffic of network devices like routers and switches.

For MRTG configuration on Linux, to see the interface traffic flow in both the in and out directions, see my blog: Click here

We can use MRTG on routers and switches as well, but for that we first have to configure SNMP on the device and then the client side. See my blog for the detailed steps of SNMP configuration on Cisco routers and switches: Click here

But we can make it much simpler by using Bytemon to monitor network interface traffic. We install Bytemon on the client machine and there give it the IP address or hostname of the remote device whose traffic we want to analyze; in my case I used the IP address of my backup production router.

1. The following graph shows the overall protocol traffic on both the in and out interfaces.

2. The following graph shows the HTTP traffic data.

3. The following graph shows the traffic of the "IN" interface.

4. The following graph shows the traffic of the "OUT" interface.



I hope this will be informative for you!

Cheers :)

SNMP configuration on Cisco IOS for routers and switches

Simple Network Management Protocol (SNMP) is a UDP-based network protocol. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.

An SNMP-managed network consists of three key components:

1. Managed device = the monitored device
2. Agent = software which runs on the managed device
3. Network management system (NMS) = software which runs on the monitoring station

A Managed Device is a network node that implements an SNMP interface that allows unidirectional (read-only, ro) or bidirectional access to node-specific information.
Managed devices exchange node-specific information with the NMSs. Sometimes called network elements, the managed devices can be any type of device, including, but not limited to, routers, access servers, switches, bridges, hubs, IP telephones, computer hosts, and printers etc.

An Agent is a network-management software module that resides on a managed device. An agent has local knowledge of management information and translates that information to or from an SNMP specific form.

A Network Management System (NMS) executes applications that monitor and control managed devices; Bytemon, used in the previous post, is one such application.

The available SNMP versions are v1, v2c and v3, with SNMPv3 being the most secure: v1 and v2c send the community string in clear text with every packet, while v3 adds per-user authentication and encryption. Nowadays either SNMPv2c or SNMPv3 is used. Following are the basic steps for the configuration of SNMP on Cisco devices.

Configuration Steps:

1. SNMP Community

In the following line CommunityName works like a password between the SNMP management system and the device. The well-known default on many devices is "public", and it is the first string anyone scanning for SNMP will try, so always pick a unique one. RW means READ and WRITE permission; a monitoring system only needs to read, so use RO unless you really need to change the configuration via SNMP. The 10 refers to a standard access-list that you have already defined (or define now) restricting which source addresses may use the community. Note that a standard ACL entry without a wildcard mask matches a single host, so the entry below allows only the NMS host 10.110.1.2.

PSW-DXX(config)#snmp-server community [CommunityName] RW 10
PSW-DXX(config)#access-list 10 permit host 10.110.1.2


2. Chassis ID, Location and Contact (Optional)

PSW-DXX(config)# snmp-server chassis-id cisco1841
PSW-DXX(config)# snmp-server location PSHsngpl
PSW-DXX(config)# snmp-server contact EngineerNetSysSohail


3. SNMP Trap Setup

Now that SNMP is enabled, it is also important to send alert messages, known as SNMP traps, to the manager so that the network manager can be alerted. Most SNMP management/monitoring systems expect this.

PSW-DXX(config)# snmp-server host 10.110.1.2 version ?
1 : Version1
2 : Version 2c
3 : Version 3


Note: If you use version 3 the command asks for auth, noauth or priv (the SNMPv3 security level; priv gives authPriv, i.e. both authentication and encryption, and is the one to use). With version 3 the last argument is an SNMPv3 user name, not a community string, and that user must first be created with the snmp-server group and snmp-server user commands. With version 1 or 2c the last argument is the community string defined above. This sets up the management server to which the trap messages are sent.

PSW-DXX(config)# snmp-server host 10.110.1.2 version 3 auth [UserName]

Next we choose which types of traps are sent. Here link up/down status and system reboot (cold start/warm start) traps are sent to the management server.

PSW-DXX(config)# snmp-server enable traps snmp linkup linkdown coldstart warmstart

We can also send syslog messages as traps, a very good friend of mine and maybe of yours too, to monitor the device:

PSW-DXX(config)# snmp-server enable traps syslog

And we also enable the authentication trap, which helps us find out who is trying to access the device with a wrong (illegal) community string:

PSW-DXX(config)# snmp-server enable traps snmp authentication

(On older IOS releases the same thing was configured with "snmp-server trap-authentication".)
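Putting the steps together, here is an added example of the weak setting next to the hardened one. It is not the configuration from this post: it keeps the post's NMS address 10.110.1.2, ACL 10 and the chassis/location/contact values, and adds an SNMPv3 authPriv user for polling and traps. The community string, the view name NMS-VIEW, the group and user names and the two SNMPv3 passwords are assumed values for illustration.

```cisco
! --- Weak: the well-known string, read-write, reachable from anywhere.
! --- Shown only for contrast; do not configure this.
! snmp-server community public RW
!
! --- Hardened v2c (where the NMS cannot do v3): a unique string, read-only,
! --- accepted only from the NMS host, and limited by a view to the MIB
! --- subtrees an interface-traffic grapher actually needs.
access-list 10 remark SNMP - only the NMS may poll this device
access-list 10 permit host 10.110.1.2
access-list 10 deny   any log
snmp-server view NMS-VIEW system included
snmp-server view NMS-VIEW interfaces included
snmp-server view NMS-VIEW ifMIB included
snmp-server community Zq7mLp9vX2rT view NMS-VIEW RO 10
!
! --- SNMPv3 authPriv: per-user credentials, SHA integrity and AES
! --- confidentiality on the wire, same view and same source ACL.
! --- (Assumed user name and passwords; change them.)
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access 10
snmp-server user nms-poller NMS-GROUP v3 auth sha Auth-Pass-ChangeMe priv aes 128 Priv-Pass-ChangeMe
snmp-server host 10.110.1.2 version 3 priv nms-poller
!
! --- Traps: link state, reboots, syslog, and failed SNMP authentication
! --- (the last one is how you notice someone guessing community strings).
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server chassis-id cisco1841
snmp-server location PSHsngpl
snmp-server contact EngineerNetSysSohail
```

Two things to check after applying it: "show snmp user" lists the v3 user, because the snmp-server user line is not displayed in show running-config (IOS stores only the localized keys); and "show snmp" shows the "Illegal operation" and authentication-failure counters increasing if someone is probing the device with wrong strings, which is exactly what the authentication trap reports to the NMS.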

I hope this will be informative for you!

Cheers