The CCIE lab exam, which had kept people waiting impatiently, finally reopened in September.
I have to say that the various training institutions and platforms have gone quiet; perhaps they are quietly working out a solution.
I have never been very modest, and I enjoy sharing my learning and work experience. Although I also work for a training organization, that does not stop me from sharing some of my experience publicly.
The topic I bring you today is neither new nor old, neither true nor false. (Everyone who takes the CCIE exam automatically signs an agreement, and a test taker may not disclose the content of the exam questions.)
The subject we are going to discuss should be understood as an application scenario for the transition from traditional networks to SDN, in today's network landscape where traditional networks and SDN networks coexist.
This content appears in the EI-CCIE v1.0 exam. In keeping with my original intention of training for the rise of China, I will share my personal experience. Even if you are not my student, even if you are a lecturer at a peer company, even if you are simply a technology enthusiast, you can refer to it; broadening everyone's horizons and learning more technology is a genuinely good thing. (I get sharp when I talk and I am not steady enough; that's fine, I'll hurt your feelings: the grasshopper after autumn will not be hopping for many more days, so please stay calm.)
The simulated device version used in this topic is IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.8(3)M2, RELEASE SOFTWARE (fc2).
If any of my students are among the readers, you can look forward to the IE theory class on the IPsec topic to be held on the 12th of this month, where I will give a more detailed interpretation of this case.
The topology for this experiment is as follows:
Introduction to the network plan:
Multiple sites of an enterprise are interconnected through an MPLS VPN;
BGP is used between PE and CE;
The enterprise plans two business networks, one dedicated to internal employees and the other dedicated to visitors (the names only serve to explain the business; do not carry them into a live network);
The guest network uses BGP to provide its routing service;
At the same time, BGP injects the loopback interface route of each gateway router into the BGP table, which serves as the underlay for the employees' dynamic private network (DMVPN);
The loopback interfaces of the three gateway routers are used to build the dynamic private network for internal employees;
The employee network uses EIGRP to exchange routes across the tunnel interface;
IPsec is used to reinforce the service traffic forwarded through the tunnel;
The key configuration of each device is shown below:
MPLS_Core#show running-config
! Provider side: a single router stands in for the MPLS VPN backbone and peers eBGP with each site
interface Loopback0
 ip address 100.100.100.100 255.255.255.255
interface GigabitEthernet0/1
 ip address 61.128.1.254 255.255.255.0
interface GigabitEthernet0/2
 ip address 202.100.1.254 255.255.255.0
interface GigabitEthernet0/3
 ip address 137.78.100.254 255.255.255.0
router bgp 1000
 neighbor 61.128.1.1 remote-as 100
 neighbor 137.78.100.1 remote-as 300
 neighbor 202.100.1.1 remote-as 200
HUB#show running-config
! Loopback0 is the DMVPN tunnel source; BGP advertises it so the spokes can reach it
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
! VLAN 101 = guest network (advertised in BGP, forwarded in the clear)
interface GigabitEthernet0/0.1
 encapsulation dot1Q 101
 ip address 10.1.101.1 255.255.255.0
! VLAN 102 = employee network (advertised in EIGRP over the protected tunnel)
interface GigabitEthernet0/0.2
 encapsulation dot1Q 102
 ip address 10.1.102.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 61.128.1.1 255.255.255.0
router bgp 100
 network 10.1.1.1 mask 255.255.255.255
 network 10.1.101.0 mask 255.255.255.0
 neighbor 61.128.1.254 remote-as 1000
! IKEv1 phase 1; 3DES and DH group 2 are legacy choices kept as in the lab
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
! Wildcard key: the same pre-shared key is accepted from any peer address
crypto isakmp key cisco address 0.0.0.0
! Transport mode: IPsec wraps the GRE payload, the outer header keeps the loopback addresses
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile DM
 set transform-set IPSEC
! DMVPN hub: mGRE sourced from Loopback0, NHRP server for the spokes
interface Tunnel0
 ip address 10.0.123.1 255.255.255.0
 ip mtu 1400
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.123.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DM
router eigrp 1
 network 10.0.123.0 0.0.0.255
 network 10.1.102.0 0.0.0.255
Spoke1#show running-config
interface Loopback0
 ip address 10.2.1.1 255.255.255.255
! VLAN 101 = guest network (BGP), VLAN 102 = employee network (EIGRP over the tunnel)
interface GigabitEthernet0/0.1
 encapsulation dot1Q 101
 ip address 10.2.101.1 255.255.255.0
interface GigabitEthernet0/0.2
 encapsulation dot1Q 102
 ip address 10.2.102.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 202.100.1.1 255.255.255.0
router bgp 200
 network 10.2.1.1 mask 255.255.255.255
 network 10.2.101.0 mask 255.255.255.0
 neighbor 202.100.1.254 remote-as 1000
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile DM
 set transform-set IPSEC
! DMVPN spoke: static NHRP mapping of the hub's tunnel address to its loopback (NBMA) address
interface Tunnel0
 ip address 10.0.123.2 255.255.255.0
 ip mtu 1400
 ip nhrp map 10.0.123.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.123.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DM
router eigrp 1
 network 10.0.123.0 0.0.0.255
 network 10.2.102.0 0.0.0.255
Spoke2#show running-config
interface Loopback0
 ip address 10.3.1.1 255.255.255.255
! VLAN 101 = guest network (BGP), VLAN 102 = employee network (EIGRP over the tunnel)
interface GigabitEthernet0/0.1
 encapsulation dot1Q 101
 ip address 10.3.101.1 255.255.255.0
interface GigabitEthernet0/0.2
 encapsulation dot1Q 102
 ip address 10.3.102.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 137.78.100.1 255.255.255.0
router bgp 300
 network 10.3.1.1 mask 255.255.255.255
 network 10.3.101.0 mask 255.255.255.0
 neighbor 137.78.100.254 remote-as 1000
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile DM
 set transform-set IPSEC
! DMVPN spoke: static NHRP mapping of the hub's tunnel address to its loopback (NBMA) address
interface Tunnel0
 ip address 10.0.123.3 255.255.255.0
 ip mtu 1400
 ip nhrp map 10.0.123.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.123.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DM
router eigrp 1
 network 10.0.123.0 0.0.0.255
 network 10.3.102.0 0.0.0.255
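Before checking the NHRP and routing state, it is worth auditing the ISAKMP/IPsec parameters the three routers share. The script below is an added example, not part of the original post: it carries HUB's crypto lines as a constructed sample, flags the legacy choices (3DES, DH group 2, MD5 HMAC, a pre-shared key bound to 0.0.0.0), and includes a hardened variant that is my assumption (IKEv1 with a per-peer key), not the lab's configuration.

```python
import re

# Constructed sample: the crypto lines copied from HUB#show running-config above.
HUB_CRYPTO = """\
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
"""
# Constructed replacement (assumption: IKEv1 + PSK kept, to match the lab's shape);
# audit_crypto() returns no findings for it. <per-peer-key> is a placeholder.
HARDENED_CRYPTO = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <per-peer-key> address 10.2.1.1
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha256-hmac
"""
LEGACY_ENCR = {"des", "3des"}                 # ISAKMP encryption
LEGACY_HASH = {"md5", "sha"}                  # 'sha' is SHA-1 on IOS
WEAK_DH = {"1", "2", "5"}                     # DH groups below 2048 bits
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}
WILDCARD_KEY = re.compile(r"crypto isakmp key \S+ address 0\.0\.0\.0(?: 0\.0\.0\.0)?")


def audit_crypto(config: str) -> list[str]:
    """Return one finding per legacy ISAKMP/IPsec setting in an IOS config excerpt."""
    findings = []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"encr (\S+)(?: \d+)?", line):
            if m[1] in LEGACY_ENCR:
                findings.append(f"isakmp encr {m[1]}: legacy cipher, use aes 256")
        elif m := re.fullmatch(r"hash (\S+)", line):
            if m[1] in LEGACY_HASH:
                findings.append(f"isakmp hash {m[1]}: legacy hash, use sha256")
        elif m := re.fullmatch(r"group (\d+)", line):
            if m[1] in WEAK_DH:
                findings.append(f"isakmp group {m[1]}: DH below 2048 bits, use group 14+")
        elif WILDCARD_KEY.fullmatch(line):
            findings.append("wildcard PSK for 0.0.0.0: any host with the key can negotiate; use per-peer keys or certificates")
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            findings += [f"transform {t}: legacy, use esp-aes 256 / esp-sha256-hmac"
                         for t in m[1].split() if t in LEGACY_ESP]
    return findings
```

Running `audit_crypto(HUB_CRYPTO)` yields five findings for the lab config and none for the hardened variant; transport mode itself is normal for DMVPN and is not flagged.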
After the above configuration is complete, the following entries appear:
HUB#show dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.2.1.1             10.0.123.2    UP 00:52:29     D
     1 10.3.1.1             10.0.123.3    UP 00:52:28     D
HUB#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.0.123.3              Tu0                      11 00:52:39   31  1434  0  13
0   10.0.123.2              Tu0                      12 00:52:41   26  1434  0  13
HUB#show ip route | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
C        10.0.123.0/24 is directly connected, Tunnel0
L        10.0.123.1/32 is directly connected, Tunnel0
C        10.1.1.1/32 is directly connected, Loopback0
C        10.1.101.0/24 is directly connected, GigabitEthernet0/0.1
L        10.1.101.1/32 is directly connected, GigabitEthernet0/0.1
C        10.1.102.0/24 is directly connected, GigabitEthernet0/0.2
L        10.1.102.1/32 is directly connected, GigabitEthernet0/0.2
B        10.2.1.1/32 [20/0] via 61.128.1.254, 01:07:11
B        10.2.101.0/24 [20/0] via 61.128.1.254, 01:00:11
D        10.2.102.0/24 [90/26880256] via 10.0.123.2, 00:52:47, Tunnel0
B        10.3.1.1/32 [20/0] via 61.128.1.254, 01:06:40
B        10.3.101.0/24 [20/0] via 61.128.1.254, 00:59:28
D        10.3.102.0/24 [90/26880256] via 10.0.123.3, 00:52:52, Tunnel0
      61.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        61.128.1.0/24 is directly connected, GigabitEthernet0/1
L        61.128.1.1/32 is directly connected, GigabitEthernet0/1
Note that although the guest network and the employee network are forwarded over the same physical link, in fact only the employee network's traffic is reinforced by IPsec: its prefixes (x.x.102.0/24) are reached through Tunnel0, while the guest prefixes (x.x.101.0/24) are BGP routes that leave through the underlay.
Looking at it from the vantage point of having completed this experiment: if the FVRF scheme, the IVRF scheme, policy-based routing, NBAR, MPLS label control, MPLS TE and so on were incorporated into this case for a more comprehensive application, it would be able to meet more complex overlay network requirements.
In my opinion, this also shows the advantage of the currently popular SDA and SD-WAN solutions in meeting the same requirements as traditional networks.
If you take a traditional network environment, focus on this topic and combine it with actual business needs, I think it is worth at least eight or ten days of discussion; whereas if I switch to an SDN environment, three to five days is enough for everyone to master the operation and key points of the SDN controller from scratch.
Dear friends from the Internet, the future is here; let us use our efforts to build a great wall against programmers.
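A quick way to verify that claim from the device's own output, rather than from the intent, is to classify each prefix in HUB's routing table by its egress interface. The script below is an added example, not part of the original post; it embeds HUB's route lines from above as a constructed sample, assumes Tunnel0 is the only interface carrying `tunnel protection`, and resolves the recursive BGP next hop against the connected networks.

```python
import ipaddress

# Constructed sample: the route lines from HUB#show ip route as printed above.
HUB_ROUTES = """\
C        10.0.123.0/24 is directly connected, Tunnel0
L        10.0.123.1/32 is directly connected, Tunnel0
C        10.1.1.1/32 is directly connected, Loopback0
C        10.1.101.0/24 is directly connected, GigabitEthernet0/0.1
C        10.1.102.0/24 is directly connected, GigabitEthernet0/0.2
B        10.2.1.1/32 [20/0] via 61.128.1.254, 01:07:11
B        10.2.101.0/24 [20/0] via 61.128.1.254, 01:00:11
D        10.2.102.0/24 [90/26880256] via 10.0.123.2, 00:52:47, Tunnel0
B        10.3.1.1/32 [20/0] via 61.128.1.254, 01:06:40
B        10.3.101.0/24 [20/0] via 61.128.1.254, 00:59:28
D        10.3.102.0/24 [90/26880256] via 10.0.123.3, 00:52:52, Tunnel0
C        61.128.1.0/24 is directly connected, GigabitEthernet0/1
"""
# Assumption: the interfaces configured with 'tunnel protection ipsec profile ...'.
PROTECTED_IFACES = {"Tunnel0"}


def parse_route_line(line: str):
    """Return (code, prefix, next_hop, interface) for one route line, else None."""
    parts = line.replace(",", " ").split()
    if len(parts) < 2 or "/" not in parts[1]:
        return None                                   # header or summary line
    next_hop = parts[parts.index("via") + 1] if "via" in parts else None
    iface = parts[-1] if parts[-1][0].isalpha() else None  # BGP lines end in a timer
    return parts[0], parts[1], next_hop, iface


def classify_routes(table: str) -> dict[str, str]:
    """Map each prefix to 'local', 'ipsec' (egress via a protected tunnel) or 'clear'."""
    routes = [r for r in map(parse_route_line, table.splitlines()) if r]
    # Connected networks, used to resolve recursive (BGP) next hops to an interface.
    connected = {ipaddress.ip_network(p): i for c, p, _, i in routes if c == "C"}
    result = {}
    for code, prefix, next_hop, iface in routes:
        if code in ("C", "L"):
            result[prefix] = "local"
            continue
        if iface is None and next_hop:
            nh = ipaddress.ip_address(next_hop)
            iface = next((i for net, i in connected.items() if nh in net), None)
        result[prefix] = "ipsec" if iface in PROTECTED_IFACES else "clear"
    return result


def protected_prefixes(table: str) -> list[str]:
    """Prefixes whose traffic leaves the HUB inside the IPsec-protected tunnel."""
    return sorted(p for p, kind in classify_routes(table).items() if kind == "ipsec")
```

On the sample, only 10.2.102.0/24 and 10.3.102.0/24 come back as protected; the guest prefixes and the spoke loopbacks resolve to GigabitEthernet0/1 and are therefore forwarded in the clear.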
For more wonderful experience sharing, welcome to follow me.