This lab is challenging because it requires knowledge of both security and MPLS. We did not include many solution notes with this lab because it is very difficult to address the various levels of our readers' expertise. If any of this lab's configuration outputs and/or tasks are unclear, please e-mail your specific questions to
[Diagram: MPLS SP1 core; PE-to-3550 link on E0/0.31 / FE0/3 over 172.16.13.0 (.1 and .3)]
♦ The customer requires Site 1 and Site 2 to not send any routing or exchange any information/networks with SP1.
♦ The customer also requires to pass Multicast from Site 1 to Site 2. Knowing these requirements, you realize that your core is not Multicast enabled. Provide alternatives to accommodate their requirements.
♦ The customer mentions they have one 3550 switch with 1 VLAN at Site 1.
♦ The customer also mentions that Site 2 has just a dumb-hub and all users need to be able to communicate with the HQs, and the hardware will not be changed. This side is not allowed to use Dot1q because the dumb-hub has no way to accept and examine the Dot1q trunk.
♦ Configure this task such that when the customer on CE2 executes show cdp neighbors they see CE4 as directly connected.
♦ To verify this task, ensure that CE4 and CE2 can ping each other's Loopbacks without advertising them in the SP1 core.
PE1-RACK1(config)#pseudowire-class inter-working
PE1-RACK1(config-pw-class)#encapsulation mpls
PE1-RACK1(config-pw-class)#interworking ip
PE1-RACK1(config-subif)#xconnect 10.1.1.3 100 pw-class inter-working

Enable CEF before configuring xconnect:

PE1-RACK1(config-subif)#ip cef
PE1-RACK1(config)#int Fastethernet 2/0.100
PE1-RACK1(config-subif)#xconnect 10.1.1.3 100 pw-class inter-working

PE3-RACK1(config)#pseudowire-class inter-working
PE3-RACK1(config-pw-class)#encapsulation mpls
PE3-RACK1(config-pw-class)#interworking ip
PE3-RACK1(config-pw-class)#interface Ethernet0/0
PE3-RACK1(config-if)#no ip address
PE3-RACK1(config-if)#no ip directed-broadcast
PE3-RACK1(config-if)#no cdp enable
PE3-RACK1(config-if)#xconnect 10.1.1.1 100 pw-class inter-working
PE1-RACK1#sho mpls l2transport vc
Local intf     Local circuit        Dest address    VC ID      Status
-------------  -------------------  --------------  ---------  ----------
Ft2/0.100      Feth VLAN 100        10.1.1.3        100        UP
PE1#sho mpls l2transport vc de
Local interface: Ft2/0.100 up, line protocol up, Eth VLAN 100 up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.3, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Next hop: 172.16.13.1
  Output interface: Ft1/0, imposed label stack {22}
  Create time: 00:01:18, last status change time: 00:00:16
  Signaling protocol: LDP, peer 10.1.1.3:0 up
    MPLS VC labels: local 22, remote 22
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500    <-- make sure the MTU matches on both ends; otherwise the AC won't come up
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Sequence number: receive 0, send 0
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, seq error 0, send 0
PE3-RACK1#sho mpls l2transport vc
Local intf     Local circuit        Dest address    VC ID      Status
-------------  -------------------  --------------  ---------  ----------

PE3-RACK1#sho mpls l2transport vc de
Local interface: Ft2/0 up, line protocol up, Ethernet up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.1, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Next hop: 172.16.13.2
  Output interface: Et1/0.31, imposed label stack {22}
  Create time: 00:04:54, last status change time: 00:00:42
  Signaling protocol: LDP, peer 10.1.1.1:0 up
    MPLS VC labels: local 22, remote 22
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Sequence number: receive 0, send 0
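Added example (not part of the lab): a small Python parser for the "show mpls l2transport vc detail" output shown above. It pulls out each pseudowire's interface, peer, VC ID, status and the local/remote MTU, and flags the two conditions the note points at: an MTU mismatch between the two PEs and a VC that is not up. The sample output is constructed; VC 100 mirrors PE1's output, while VC 200 and its peer 10.1.1.4 are made up to show the mismatch.

```python
import re

# Constructed sample, modelled on the lab's "show mpls l2transport vc detail"
# output. VC 100 mirrors the PE1 output above; VC 200 is made up to show
# an MTU mismatch, the failure the note on the MTU line warns about.
SAMPLE_VC_DETAIL = """\
Local interface: Ft2/0.100 up, line protocol up, Eth VLAN 100 up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.3, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Next hop: 172.16.13.1
  Output interface: Ft1/0, imposed label stack {22}
  Signaling protocol: LDP, peer 10.1.1.3:0 up
    MPLS VC labels: local 22, remote 22
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
Local interface: Ft2/0.200 up, line protocol up, Eth VLAN 200 up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.4, VC ID: 200, VC status: down
  Signaling protocol: LDP, peer 10.1.1.4:0 up
    MPLS VC labels: local 23, remote 24
    Group ID: local 0, remote 0
    MTU: local 1500, remote 9000
"""

# One VC record runs from "Local interface:" to its MTU line. The non-greedy
# ".*?" with re.S keeps each match inside a single VC block.
VC_RE = re.compile(
    r"Local interface: (?P<intf>\S+) (?P<intf_state>\w+),"
    r".*?Destination address: (?P<peer>[\d.]+), VC ID: (?P<vcid>\d+), VC status: (?P<status>\w+)"
    r".*?MTU: local (?P<lmtu>\d+), remote (?P<rmtu>\d+)",
    re.S,
)


def parse_vc_detail(text):
    """Return one dict per pseudowire found in the show output."""
    return [
        {
            "intf": m["intf"],
            "intf_state": m["intf_state"],
            "peer": m["peer"],
            "vcid": int(m["vcid"]),
            "status": m["status"].lower(),
            "local_mtu": int(m["lmtu"]),
            "remote_mtu": int(m["rmtu"]),
        }
        for m in VC_RE.finditer(text)
    ]


def check_vcs(vcs):
    """Return (vcid, problem) pairs; an empty list means every VC looks healthy."""
    findings = []
    for vc in vcs:
        if vc["local_mtu"] != vc["remote_mtu"]:
            findings.append((vc["vcid"],
                             f"MTU mismatch: local {vc['local_mtu']} vs remote "
                             f"{vc['remote_mtu']} on {vc['intf']} (AC will not come up)"))
        if vc["status"] != "up":
            findings.append((vc["vcid"], f"VC status is {vc['status']} towards {vc['peer']}"))
    return findings


if __name__ == "__main__":
    for vcid, problem in check_vcs(parse_vc_detail(SAMPLE_VC_DETAIL)):
        print(f"VC {vcid}: {problem}")
```

Feed it the real output of both PEs and compare the records: the MTU check is per VC, but the interesting comparison is PE1's "local" against PE3's "remote" and vice versa, which the signalled values in the detail output already reflect.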
PE3-RACK1#config t
Enter configuration commands, one per line. End with CNTL/Z.
PE3-RACK1(config)#int e 0/0
PE3-RACK1(config-if)#no shutdown
00:10:55: AToM LDP [10.1.1.1]: Sending label withdraw msg
  vc type 11, cbit 1, vc id 100, group id 0, vc label 23, status 0, mtu 1500
00:10:56: AToM LDP [10.1.1.1]: Received label release msg, id 20, graceful restart instance 0
  vc type 11, cbit 1, vc id 100, group id 0, vc label 23, status 0, mtu 0
00:10:56: AToM LDP [10.1.1.1]: Sending label mapping msg
  vc type 11, cbit 1, vc id 100, group id 0, vc label 22, status 0, mtu
[Diagram: ieMentor Bank Site 1 HQ; 3550 switches attached via E0/0.13 (FE0/3) and E0/0.23 (FE0/3); VLAN 31 172.16.13.0, VLAN 21 172.16.12.0, VLAN 123 172.16.123.0; Encrypt Layer 2]
♦ Remove all MPLS related commands from SP1 and disable MPLS per interface.
♦ Configure ieMentor Bank's Customer Requirements.
♦ Customer ieMentor Bank requires Site 2 to communicate with their Site 1 HQ.
♦ The customer requires Site 1 HQ and Site 2 not to send any routing or exchange any information/networks with SP1.
♦ The customer also requires to pass AppleTalk for the designers in their design department from Site 1 to Site 2.
♦ The customer has 2600 and 2800 routers in Site 1 and Site 2. They want SP1 to establish Layer 2 connectivity such that in the future they can bring multiple sites into HQ without adding additional ports or modules.
♦ Configure SP1 PE2 and PE3 to accommodate all of the above requirements. SP1 is allowed to allocate a VLAN for Site 1 and Site
 password 7 060F0A2C
 cookie size 4
!
pseudowire-class PE3-PE2
 encapsulation l2tpv3
 protocol l2tpv3 iementor-class
 ip local interface Loopback0
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key iem6727 address 10.1.1.2
!
crypto ipsec transform-set iem esp-des esp-md5-hmac
!
crypto map combines 10 ipsec-isakmp
 description to PE1
 set peer 10.1.1.2
 set transform-set iem
 match address 115
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
 crypto map combines
!
interface Ethernet0/0.31
 ip address 172.16.13.1 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.13
 no ip address
 no cdp enable
 xconnect 10.1.1.2 100 pw-class PE3-PE2
!
interface Ethernet0/0.30
 ip address 172.16.30.2 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.123
 ip address 172.16.123.3 255.255.255.0
 crypto map combines
!
! IP protocol 115 is L2TP, so this ACL selects exactly the L2TPv3 pseudowire traffic for IPsec
access-list 115 permit 115 any any log
hostname PE2-RACK1
!
ip cef
!
l2tp-class iementor-class
 authentication
 password 7 151B0E01
 cookie size 4
!
pseudowire-class PE3-PE2
 encapsulation l2tpv3
 protocol l2tpv3 iementor-class
 ip local interface Loopback0
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key iem6727 address 10.1.1.3
!
crypto ipsec transform-set iem esp-des esp-md5-hmac
!
crypto map combines 10 ipsec-isakmp
 description to PE3
 set peer 10.1.1.3
 set transform-set iem
 match address 115
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
 crypto map combines
!
interface Ethernet0/0.21
 ip address 172.16.12.1 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.123
 ip address 172.16.123.2 255.255.255.0
 crypto map combines
!
interface ethernet0/0.82
 no ip address
 no cdp enable
 xconnect 10.1.1.3 100 pw-class PE3-PE2
PE3-RACK1#sho debugging
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on
01:50:05: ISAKMP:(0):Notify has no hash. Rejected.
01:50:05: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
01:50:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
01:50:05: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
01:50:05: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.1.1.2
01:50:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid sp
PE3-RACK1#clear crypto
01:51:35: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
01:51:43: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA

PE3-RACK1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)
As you can see, there is an issue keeping ISAKMP up and active: IPSEC is missing IKE_MESG_FROM_PEER. Based on the debug above you can see that source peering is the issue (the ISAKMP SA source is 172.16.13.1, the egress interface, while the peer is configured to expect the Loopback address).
To resolve this issue, follow the steps below:
PE2-RACK1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)

PE3-RACK1#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

PE2-RACK1#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

PE3-RACK1#sho crypto session
Crypto session current status

Interface: Ethernet0/0
Session status: DOWN-NEGOTIATING
Peer: 10.1.1.2 port 500
  IKE SA: local 172.16.13.1/500 remote 10.1.1.2/500 Inactive
  IKE SA: local 172.16.13.1/500 remote 10.1.1.2/500 Inactive
  IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Interface: Ethernet3/0
Session status: DOWN
Peer: 10.1.1.2 port 500
  IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Interface: Ethernet4/0
Session status: DOWN
Peer: 10.1.1.2 port 500
  IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Interface: Loopback0
Session status: DOWN
Peer: 10.1.1.2 port 500
  IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

PE3-RACK1#sho crypto session
01:54:51: No peer struct to get peer description
01:54:51: No peer struct to get peer description
01:54:51: No peer struct to get peer description
01:54:51: No peer struct to get peer description
01:54:52: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 172.16.13.1, remote= 10.1.1.2,
    local_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4)
01:54:52: IPSEC(sa_request): ,
PE3-RACK1#sho crypto session
01:54:52: ISAKMP:(0):SA is still budding. Attached new ipsec request to it (local 172.16.13.1, remote 10.1.1.2)
01:54:52: ISAKMP: Error while processing SA request: Failed to initialize SA
01:54:52: ISAKMP: Error while processing KMI message 0, error 2
PE3-RACK1#sho crypto session
01:54:54: ISAKMP:(0):purging node -1243206952
01:54:54: ISAKMP:(0):purging node -1914778357
PE3-RACK1#sho crypto session
01:55:01: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
PE3-RACK1#config t
Below is what you are missing. It is very common for people to forget to source the crypto map correctly. Because of L2TPv3, we are using Loopbacks as source and destination (the pseudowire-class has "ip local interface Loopback0"), so we must source the crypto map from the same interface as our peering points; otherwise IKE is initiated from the egress interface address (172.16.13.1 above) and never matches the peer's configured key for 10.1.1.3.

PE2-RACK1(config)#crypto map combines local-address loopback 0
PE3-RACK1(config)#crypto map combines local-address loopback 0
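Added example (not the lab's or Cisco's code): a Python pre-check that catches this mistake from the configuration alone, before IKE is ever debugged. It reads an IOS config, finds the interface named by "ip local interface" in every L2TPv3 pseudowire-class, and reports any crypto map applied on that interface whose "local-address" does not point at it. It also confirms that the map's "match address" ACL permits IP protocol 115 (L2TP), since an ACL that misses the pseudowire traffic fails just as quietly. The two config fragments are constructed in the style of PE3's configuration: PE3_BEFORE is the broken state and PE3_AFTER adds the one missing line. The parser understands only the top-level/indented-child layout of IOS and the specific statements used here; it is not a general config parser.

```python
import re

# Constructed IOS fragments in the style of the lab's PE3 configuration.
# PE3_BEFORE reproduces the broken state: the L2TPv3 pseudowire is sourced
# from Loopback0 but the crypto map has no matching local-address.
# PE3_AFTER adds the one line the lab identifies as missing.
PE3_BEFORE = """\
hostname PE3-RACK1
!
pseudowire-class PE3-PE2
 encapsulation l2tpv3
 protocol l2tpv3 iementor-class
 ip local interface Loopback0
!
crypto map combines 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set iem
 match address 115
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
 crypto map combines
!
interface Ethernet0/0.31
 ip address 172.16.13.1 255.255.255.0
 crypto map combines
!
access-list 115 permit 115 any any log
"""
PE3_AFTER = PE3_BEFORE + "crypto map combines local-address Loopback0\n"

MAP_ENTRY_RE = re.compile(r"crypto map (\S+) \d+ ipsec-isakmp")
MAP_SRC_RE = re.compile(r"crypto map (\S+) local-address (.+)")
ACL_RE = re.compile(r"access-list (\S+) permit (\S+)")


def norm_intf(name):
    """'loopback 0' and 'Loopback0' name the same interface."""
    return name.replace(" ", "").lower()


def parse_blocks(config):
    """Split an IOS config into (header, [indented child lines]) tuples."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def lint_l2tpv3_crypto(config):
    """Return findings about crypto maps that are meant to protect L2TPv3 pseudowires."""
    pw_sources = set()   # interfaces named by 'ip local interface' in l2tpv3 classes
    applied = {}         # crypto map name -> interfaces it is applied on
    local_addr = {}      # crypto map name -> its local-address interface
    match_acl = {}       # crypto map name -> ACLs referenced by 'match address'
    l2tp_acls = set()    # ACLs that permit IP protocol 115 (L2TP)
    for header, children in parse_blocks(config):
        if header.startswith("pseudowire-class") and any(
                c.startswith("protocol l2tpv3") for c in children):
            for c in children:
                if c.startswith("ip local interface "):
                    pw_sources.add(norm_intf(c[len("ip local interface "):]))
        elif header.startswith("interface "):
            intf = norm_intf(header[len("interface "):])
            for c in children:
                if c.startswith("crypto map "):
                    applied.setdefault(c.split()[2], set()).add(intf)
        elif m := MAP_SRC_RE.fullmatch(header):
            local_addr[m[1]] = norm_intf(m[2])
        elif m := MAP_ENTRY_RE.fullmatch(header):
            for c in children:
                if c.startswith("match address "):
                    match_acl.setdefault(m[1], set()).add(c.split()[2])
        elif (m := ACL_RE.match(header)) and m[2] == "115":
            l2tp_acls.add(m[1])

    findings = []
    for name, intfs in sorted(applied.items()):
        # The map is applied on the pseudowire source interface, so IKE must be
        # sourced from that same interface or the peer sees the wrong address.
        for src in sorted(pw_sources & intfs):
            if local_addr.get(name) != src:
                findings.append(
                    f"crypto map {name}: pseudowire is sourced from {src} but the map's "
                    f"local-address is {local_addr.get(name, 'unset')}; IKE will be "
                    f"initiated from the egress interface address instead")
        for acl in sorted(match_acl.get(name, ())):
            if acl not in l2tp_acls:
                findings.append(f"crypto map {name}: ACL {acl} does not permit IP protocol 115")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", PE3_BEFORE), ("after", PE3_AFTER)):
        print(label, lint_l2tpv3_crypto(cfg) or ["ok"])
```

Run it against the output of "show running-config" from both PEs; the same check applies to PE2, whose pseudowire-class also names Loopback0.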
Here we go!
01:55:08: ISAKMP:(0):peer does not do paranoid keepalives
01:55:08: ISAKMP:(0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 10.1.1.2)
01:55:08: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
01:55:08: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
01:55:08: ISAKMP:(0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 10.1.1.2)
01:55:08: ISAKMP: Unlocking peer struct 0x3D89390 for isadb_mark_sa_deleted(), count 0
01:55:08: ISAKMP: Deleting peer node by peer_reap for 10.1.1.2: 3D89390
01:55:08: ISAKMP:(0):deleting node -1091408871 error FALSE reason "IKE deleted"
01:55:08: ISAKMP:(0):deleting node 1412236188 error FALSE reason "IKE deleted"
01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
01:55:08: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:55:08: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.1.1.3, remote= 10.1.1.2,
    local_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 3600s and 4608000kb,
01:55:08: ISAKMP:(0): SA request profile is (NULL)
01:55:08: ISAKMP: Created a peer struct for 10.1.1.2, peer port 500
01:55:08: ISAKMP: New peer created peer = 0x3CC4618 peer_handle = 0x80000076
01:55:08: ISAKMP: Locking peer struct 0x3CC4618, refcount 1 for isakmp_initiator
01:55:08: ISAKMP: local port 500, remote port 500
01:55:08: ISAKMP: set new node 0 to QM_IDLE
01:55:08: insert sa successfully sa = 3E07118
01:55:08: ISAKMP:(0):Can not start Aggressive mode, trying Main mode
01:55:08: ISAKMP:(0):found peer pre-shared key matching 10.1.1.2
01:55:08: ISAKMP:(0): constructed NAT-T vendor-07 ID
01:55:08: ISAKMP:(0): constructed NAT-T vendor-03 ID
01:55:08: ISAKMP:(0): constructed NAT-T vendor-02 ID
01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
01:55:08: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
01:55:08: ISAKMP:(0): beginning Main Mode exchange
01:55:08: ISAKMP:(0): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
01:55:08: ISAKMP (0:0): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:55:08: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
01:55:08: ISAKMP:(0): processing SA payload. message ID = 0
01:55:08: ISAKMP:(0): processing vendor id payload
01:55:08: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
01:55:08: ISAKMP (0:0): vendor ID is NAT-T v7
01:55:08: ISAKMP:(0):found peer pre-shared key matching 10.1.1.2
01:55:08: ISAKMP:(0): local preshared key found
01:55:08: ISAKMP : Scanning profiles for xauth
01:55:08: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
01:55:08: ISAKMP:      encryption DES-CBC
01:55:08: ISAKMP:      hash MD5
01:55:08: ISAKMP:      default group 1
01:55:08: ISAKMP:      auth pre-share
01:55:08: ISAKMP:      life type in seconds
01:55:08: ISAKMP:(0):atts are acceptable. Next payload is 0
01:55:08: ISAKMP:(0): processing vendor id payload
01:55:08: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
01:55:08: ISAKMP (0:0): vendor ID is NAT-T v7
01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:55:08: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
01:55:08: ISAKMP:(0): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:55:08: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
01:55:08: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
01:55:08: ISAKMP (0:0): received packet from 10.1.1.2 dport 500 sport 500 Global