CLC CCIE Security v6.0 Practice Lab v3.0


CCIE Security v6 Practice Lab v3.0 Updated: 29-October-2020


Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup


CCIE Security v6 Practice Lab v3.0 Updated: 29-October-2020

Workbook Description
Author: CCIE Lab Center (CLC)
Focus: Practice
Level: Expert (CCIE)
Stream: CCIE Security v6: DMVPN Technology
Lab: Lab v 3.0
Content: Topology, Questions, Initial Configuration, Solutions, Verifications.
Format: PDF
Protection: N/A
Price/Cost: $50 USD


Table of Contents (Page No.)

1. Lab Details 4
1.1 Lab Summary 4
1.2 Lab Objective 10

2. Deployment of Singapore DC 12
2.1 Initial Configuration 12
2.2 DMVPN Dual Hub Phase 3 basic configuration 14

3. Deployment of USA Spoke site 20
3.1 Initial Configuration 20
3.2 Configuring DMVPN basic configuration 21
3.3 Redistributing OSPF into RIP & vice versa 22
3.4 Tunnel 0 should be the PRI path for all outgoing traffic 22

4. Deployment of Japan Spoke site 25
4.1 Initial Configuration 25
4.2 DMVPN Basic configuration 26
4.3 Redistributing Static, Connected Routes into OSPF 27
4.4 DMVPN Basic configuration 28
4.5 Redistributing Static, Connected routes into OSPF 29
4.6 Configuring IP SLA & making Tunnel 0 the PRI path (10.10.10.17) 30

5. Deployment of UAE Spoke site 34
5.1 Initial Configuration 34
5.2 Redistributing EIGRP into OSPF & vice versa 35
5.3 DMVPN Basic configuration 35
5.4 Redistributing EIGRP into OSPF & vice versa 37
5.5 DMVPN Basic configuration 37

6. Deployment of Hong Kong Spoke site 42
6.1 Initial Configuration 42
6.2 Redistributing EIGRP into OSPF & vice versa 43
6.3 DMVPN Basic configuration 43
6.4 Redistributing EIGRP into OSPF & vice versa 45
6.5 DMVPN Basic configuration 45

7. Deployment of London Spoke site 50
7.1 Initial Configuration 50
7.2 DMVPN Basic configuration 51
7.3 DMVPN Basic configuration 53

8. Configuring DMVPN Phase 3 in all Hubs & Spokes 59
8.1 Phase 3 configuration on R1 & R2 (Hubs) 59
8.2 Phase 3 configuration on R18, R3, R4, R6, R7, R9, R10, R12 & R13 (Spokes) 60
8.3 Verification of DMVPN Phase 3 61


1: LAB Details

1.1: LAB Summary

1.1. a: Hardware details

Phase 3: hub and spoke, with direct spoke-to-spoke communication allowed and better scalability through NHRP redirect.

CPU 4 core
RAM 8 GB
HDD 500 GB

Note: After starting all nodes, wait about 10 minutes for CPU utilization to return to normal.


1.1. b: How to upload images into the EVE-NG server

Step 1: After starting the EVE-NG instance, log in with FileZilla to the displayed IP address, using username root and password eve.

Step 2: Upload the QEMU images as shown below.

Step 3: Log in to your EVE-NG server (hypervisor, VMware, etc.) with username root and password eve.

Step 4: Run the command below from the CLI:

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions


Step 5: Upload the IOL images as shown below.

Step 6: Run the command below from the CLI:

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

For more details on uploading images, see the link below.
https://www.eve-ng.net/index.php/documentation/howtos/howto-add-cisco-iol-ios-on-linux/


1.1. c: Lab Topology in Light Mode


1.1. d: Lab Topology in Dark Mode


1.1. e: IP Details

S/N  Router  Hub/Spoke  Tunnel0             Tunnel1             ASN   Loopback0
1    R1      Hub1       100.100.100.1/24    NA                  12    1.1.1.1/24
2    R2      Hub2       NA                  200.200.200.1/24    12    1.1.1.2/24
3    R18     Spoke      100.100.100.18/24   200.200.200.18/24   18    1.1.1.18/24
2    R3      Spoke      100.100.100.3/24    NA                  34    1.1.1.3/24
3    R4      Spoke      NA                  200.200.200.4/24    34    1.1.1.4/24
2    R6      Spoke      100.100.100.6/24    NA                  67    1.1.1.6/24
3    R7      Spoke      NA                  200.200.200.7/24    67    1.1.1.7/24
3    R9      Spoke      NA                  200.200.200.9/24    109   1.1.1.9/24
2    R10     Spoke      100.100.100.10/24   NA                  109   1.1.1.10/24
3    R12     Spoke      100.100.100.12/24   NA                  1213  1.1.1.12/24
3    R13     Spoke      NA                  200.200.200.13/24   1213  1.1.1.13/24

1.1. f: Lab Nodes Used

Image versions used in the lab:

- ISP Router: i86bi-linux-l3-adventerprisek9-15.5.bin
- HUB & Spoke Router: i86bi-linux-l3-adventerprisek9-15.5.bin


1.2: Lab Objective

Configure a DMVPN Phase 3 network between R1, R2, R18, R3, R4, R6, R7, R9, R10, R12 & R13 with the configuration below:

1. R1 & R2 are DMVPN Hubs.

2. R18, R3, R4, R6, R7, R9, R10, R12 & R13 are DMVPN spokes.

3. Source the tunnels from the routers' Ethernet0/0 & Ethernet0/1 interfaces.

4. Use IP addressing of 100.100.100.X/24 for the PRI Tunnel 0 & 200.200.200.X/24 for the SEC Tunnel 1, where X is the router number.

5. Use an NHRP network ID of 100 for PRI & 200 for SEC.

6. Use an NHRP authentication string of CLC@123.

7. Use a GRE tunnel key of 100 for PRI & 200 for SEC.

8. Configure the DMVPN Hubs to redirect NHRP requests for spoke-to-spoke resolutions.

9. Configure the DMVPN Spokes to be able to install NHRP shortcut routes for spoke-to-spoke routing.

10. Ensure that the spokes can send multicast traffic to the hub, and vice versa.

11. To prevent the tunnel endpoints from having to do IPsec fragmentation, configure the GRE tunnel's IP MTU to 1400 bytes, and set them to adjust the TCP MSS to 1360 accordingly.

12. Configure the OSPF network type point-to-multipoint on all Hubs & Spokes.

Configure IGP routing over the DMVPN tunnel as follows:

1. Configure OSPF Area 0 on all routers in the Singapore DC: R1, R2 & R17.
2. Configure OSPF Area 0 on router R18 & RIP v2 on router R19.
3. Configure OSPF Area 0 on routers R3 & R4, and static routes with IP SLA tracking on R5.
4. Configure OSPF & named EIGRP AS 100 on routers R6, R7 & R8.
5. Configure OSPF & EIGRP AS 100 on routers R9, R10 & R11.
6. Configure OSPF Area 0 on routers R12, R13, R14, R15 & R16.


Configure IPsec over the DMVPN tunnels as follows:

1. Use an ISAKMP Policy with the following options:
   - Pre-Shared Key: CLC@123
   - Encryption: AES
   - Hash: SHA1
   - Diffie-Hellman Group: 2
2. Use a single wildcard Pre-Shared Key for all DMVPN peers.
3. Use a Crypto IPsec Profile named CLC with the following options:
   - Encrypt the traffic using AES
   - Authenticate the traffic using SHA1
   - Use ESP Transport mode to save additional encapsulation overhead.

When all tasks are completed, ensure that R1, R2, R18, R3, R4, R6, R7, R9, R10, R12 & R13 can reach each other's Loopback0 networks over the DMVPN network.

Additionally, ensure that spoke-to-spoke traffic does not transit the hub after the initial NHRP mappings are formed.
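As an added example, not part of the CLC workbook, the following Python script audits the tunnel interfaces of an IOS configuration against the requirements listed above: cloud-specific NHRP network ID and GRE key, NHRP authentication, the 1400-byte MTU and its 1360-byte MSS from item 11, mGRE, IPsec protection, and the Phase 3 'ip nhrp redirect' (hub) and 'ip nhrp shortcut' (spoke) commands that items 8 and 9 call for. The hub and spoke sample configs inside it are constructed for this example; the hub one mirrors the workbook's R1 Tunnel0 with the redirect added.

```python
"""Audit DMVPN tunnel interfaces against the lab objective above.

Added example, not part of the CLC workbook; both sample configs are constructed.
Checked: NHRP network ID and GRE key per cloud, NHRP authentication, IP MTU 1400 and
TCP MSS 1360, mGRE, IPsec profile CLC, OSPF point-to-multipoint, and the Phase 3
'ip nhrp redirect' (hub) / 'ip nhrp shortcut' (spoke) commands.
"""
# Expectations from the lab objective: PRI cloud = 100, SEC cloud = 200.
CLOUDS = {"100.100.100.": 100, "200.200.200.": 200}
NHRP_AUTH = "clc@123"      # the string the workbook's configs use
IPSEC_PROFILE = "CLC"
IP_MTU = 1400
TCP_MSS = IP_MTU - 40      # 20-byte IP header + 20-byte TCP header
# Keywords that open a top-level block (the workbook's configs are flush-left).
TOP_LEVEL = ("interface ", "router ", "crypto ", "ip route ", "hostname ",
             "ip sla ", "track ", "end")


def parse_tunnels(config):
    """Return {'Tunnel0': [sub-commands, ...], ...} from an IOS config text."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith(TOP_LEVEL):
            current = line.split()[1] if line.startswith("interface Tunnel") else None
            if current:
                tunnels[current] = []
        elif current is not None:
            tunnels[current].append(line)
    return tunnels


def audit_tunnel(lines, role):
    """Findings for one tunnel (role 'hub' or 'spoke'); [] means compliant."""
    findings = []
    addr = next((l.split() for l in lines if l.startswith("ip address ")), ["", "", ""])
    cloud = next((n for p, n in CLOUDS.items() if addr[2].startswith(p)), None)
    if cloud is None:
        return [f"ip address '{addr[2]}' is not in the PRI or SEC DMVPN cloud"]

    def want(cmd, why):  # exact command, or the command followed by its argument
        if not any(l == cmd or l.startswith(cmd + " ") for l in lines):
            findings.append(f"missing '{cmd}': {why}")

    want(f"ip nhrp network-id {cloud}", "NHRP network ID must match the cloud")
    want(f"tunnel key {cloud}", "GRE tunnel key must match the cloud")
    want(f"ip nhrp authentication {NHRP_AUTH}", "NHRP authentication string")
    want(f"ip mtu {IP_MTU}", "avoid IPsec fragmentation")
    want(f"ip tcp adjust-mss {TCP_MSS}", "MSS must fit inside the 1400-byte MTU")
    want("tunnel mode gre multipoint", "DMVPN requires mGRE")
    want(f"tunnel protection ipsec profile {IPSEC_PROFILE}", "tunnel is unencrypted")
    want("ip ospf network point-to-multipoint", "OSPF network type on all routers")
    if role == "hub":
        want("ip nhrp map multicast dynamic", "hub must learn spoke multicast mappings")
        want("ip nhrp redirect", "Phase 3 hub must redirect spoke-to-spoke traffic")
    else:
        want("ip nhrp shortcut", "Phase 3 spoke must install shortcut routes")
        want("ip nhrp nhs", "spoke has no next-hop server")
        want("ip nhrp map multicast", "spoke cannot send multicast to the hub")
    # Whatever MTU is set, the MSS must leave 40 bytes of header room.
    vals = dict(l.rsplit(" ", 1) for l in lines if l.startswith(("ip mtu ", "ip tcp adjust-mss ")))
    mtu, mss = vals.get("ip mtu"), vals.get("ip tcp adjust-mss")
    if mtu and mss and int(mss) != int(mtu) - 40:
        findings.append(f"ip tcp adjust-mss {mss} does not match ip mtu {mtu} - 40")
    return findings


# Constructed sample: the workbook's R1 Tunnel0 plus the Phase 3 redirect.
HUB_R1 = """\
interface Tunnel0
 ip address 100.100.100.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication clc@123
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile CLC
router ospf 10
"""
# Constructed sample: a SEC-cloud spoke with three deliberate mistakes
# (PRI network-id on a SEC tunnel, MTU left at 1500, no IPsec profile).
BAD_SPOKE = """\
interface Tunnel1
 ip address 200.200.200.4 255.255.255.0
 ip mtu 1500
 ip nhrp authentication clc@123
 ip nhrp map multicast 192.168.200.2
 ip nhrp network-id 100
 ip nhrp nhs 200.200.200.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel key 200
"""
```

Running audit_tunnel over the spoke sample reports four findings (the three planted mistakes plus the MSS/MTU mismatch the wrong MTU causes), while the hub sample comes back clean.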


2. Deployment of Singapore DC

2.1: Initial Configuration

R1, R2 & R17 are normal routers; their configurations are given below.

Start-up Configuration
I. Hub R1

hostname R1
interface Loopback0
ip address 1.1.1.1 255.255.255.0

interface Ethernet0/0
description *** Connected to PRI MPLS ***
ip address 192.168.100.1 255.255.255.0
ip ospf network point-to-multipoint

interface Ethernet0/2
description *** Connected to R2 ***
ip address 10.10.10.9 255.255.255.252
ip ospf network point-to-point
!
interface Ethernet0/3
description *** Connected to R17 ***
ip address 10.10.10.1 255.255.255.252
ip ospf network point-to-point

router ospf 10
router-id 1.1.1.1
network 1.1.1.1 0.0.0.0 area 0
network 10.10.10.0 0.0.0.3 area 0
network 10.10.10.8 0.0.0.3 area 0

II. R2 (Hub)

hostname R2


interface Loopback0
ip address 1.1.1.2 255.255.255.0

interface Ethernet0/1
description *** Connected to SEC MPLS ***
ip address 192.168.200.2 255.255.255.0
ip ospf network point-to-multipoint
!
interface Ethernet0/2
description *** Connected to R1 ***
ip address 10.10.10.10 255.255.255.252
ip ospf network point-to-point
!
interface Ethernet0/3
description *** Connected to R17 ***
ip address 10.10.10.5 255.255.255.252
ip ospf network point-to-point
!
router ospf 10
router-id 1.1.1.2
network 1.1.1.2 0.0.0.0 area 0
network 10.10.10.4 0.0.0.3 area 0
network 10.10.10.8 0.0.0.3 area 0

III. R17

interface Loopback10
ip address 172.16.10.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback20
ip address 172.16.20.1 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0/0
description *** Connected to R1 ***
ip address 10.10.10.2 255.255.255.252
ip ospf network point-to-point
!
interface Ethernet0/1
description *** Connected to R2 ***
ip address 10.10.10.6 255.255.255.252
ip ospf network point-to-point

router ospf 10
network 10.10.10.0 0.0.0.3 area 0
network 10.10.10.4 0.0.0.3 area 0
network 172.16.10.0 0.0.0.255 area 0
network 172.16.20.0 0.0.0.255 area 0


2.2: DMVPN Dual HUB Phase3 basic configuration

QUESTION
- Configure hub-and-spoke mGRE tunnels on R1 and R2, where each is acting as a hub (R1 for the PRI cloud, R2 for the SEC cloud).
- Use the following settings when configuring the tunnels.

Solution
On Hub1 (R1)

Tunnel Parameters:
- IP address: 100.100.100.1/24
- IP MTU: 1400
- Tunnel Authentication Key: 100

NHRP Parameters:
- NHRP ID: 100
- NHRP Authentication key: clc@123
- NHRP Hub: R1
- NHRP dynamic mapping: ip nhrp map multicast dynamic

Use the following settings when configuring the tunnels.

ISAKMP Parameters:
- Authentication: Pre-Shared
- Encryption: AES
- Hashing: SHA
- DH Group: 2
- Pre-Shared Key: clc@123

IPsec Parameters:
- Encryption: ESP-AES
- Authentication: ESP-SHA-HMAC

Other parameters:

ip tcp adjust-mss 1360
ip ospf network point-to-multipoint


ip ospf dead-interval 4
ip ospf hello-interval 1
tunnel source Ethernet0/0
tunnel mode gre multipoint

Final Configuration on R1

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC

interface Tunnel0
description *** PRI Tunnel ***
bandwidth 102400
ip address 100.100.100.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile CLC

On Hub2 (R2)

Tunnel Parameters:
- IP address: 200.200.200.1/24
- IP MTU: 1400
- Tunnel Authentication Key: 200

NHRP Parameters:
- NHRP ID: 200
- NHRP Authentication key: clc@123
- NHRP Hub: R2
- NHRP dynamic mapping: ip nhrp map multicast dynamic


Use the following settings when configuring the tunnels.

ISAKMP Parameters:
- Authentication: Pre-Shared
- Encryption: AES
- Hashing: SHA
- DH Group: 2
- Pre-Shared Key: clc@123

IPsec Parameters:
- Encryption: ESP-AES
- Authentication: ESP-SHA-HMAC

Other parameters:

ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1
tunnel source Ethernet0/0
tunnel mode gre multipoint

Final Configuration on R2

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC

interface Tunnel1
description *** SEC Tunnel ***
bandwidth 92160
ip address 200.200.200.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map multicast dynamic
ip nhrp network-id 200
ip tcp adjust-mss 1360


ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 200
tunnel protection ipsec profile CLC

Verification
On R1
R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.2           0   FULL/  -        00:00:35    10.10.10.10     Ethernet0/2
172.16.20.1       0   FULL/  -        00:00:35    10.10.10.2      Ethernet0/3


On R2
R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:00:39    10.10.10.9      Ethernet0/2
172.16.20.1       0   FULL/  -        00:00:38    10.10.10.6      Ethernet0/3


3. Deployment of USA Spoke site

3.1: Initial Configuration

Start-up Configuration
I. Spoke R18

hostname R18

interface Loopback0
ip address 1.1.1.18 255.255.255.0
!

interface Ethernet0/0
description *** Connected to PRI DMVPN Cloud ***
ip address 192.168.100.18 255.255.255.0
ip ospf network point-to-multipoint
!
interface Ethernet0/1
description *** Connected to SEC DMVPN Cloud ***
ip address 192.168.200.18 255.255.255.0
ip ospf network point-to-multipoint
!
interface Ethernet0/2
description *** Connected to R19 ***
ip address 10.10.10.13 255.255.255.252

router ospf 10
router-id 1.1.1.18
network 1.1.1.18 0.0.0.0 area 0
network 100.100.100.0 0.0.0.255 area 0
network 200.200.200.0 0.0.0.255 area 0
!
router rip
version 2
network 10.0.0.0
no auto-summary


3.2: Configuring DMVPN basic configuration

On R18

interface Tunnel0
description *** PRI Tunnel ***
ip address 100.100.100.18 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 100.100.100.1 192.168.100.1
ip nhrp map multicast 192.168.100.1
ip nhrp network-id 100
ip nhrp nhs 100.100.100.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile CLC

interface Tunnel1
description *** SEC Tunnel ***
ip address 200.200.200.18 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 200.200.200.2 192.168.200.2
ip nhrp map multicast 192.168.200.2
ip nhrp network-id 200
ip nhrp nhs 200.200.200.2
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 200
tunnel protection ipsec profile CLC

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC


3.3: Redistributing OSPF into RIP & vice versa

On R18

router ospf 10
redistribute rip metric 20 subnets

router rip
redistribute ospf 10 metric 10

3.4: Tunnel 0 should be the PRI path for all outgoing traffic

On R18

interface Tunnel0
ip ospf cost 50

On R19

hostname R19
interface Loopback10
ip address 172.16.30.1 255.255.255.0
!
interface Loopback20
ip address 172.16.40.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.10.14 255.255.255.252

router rip
version 2
network 10.0.0.0
network 172.16.0.0
no auto-summary


Verification

On R19


On R18


4. Deployment of Japan Spoke site

4.1: Initial Configuration

Start-up Configuration
I. Spoke R3

interface Loopback0
ip address 1.1.1.3 255.255.255.0

interface Ethernet0/0
description *** Connected to PRI MPLS ***
ip address 192.168.100.3 255.255.255.0
ip ospf network point-to-multipoint

interface Ethernet0/3
description *** Connected to R5 ***
ip address 10.10.10.17 255.255.255.252

router ospf 10
router-id 1.1.1.3
network 1.1.1.3 0.0.0.0 area 0
network 100.100.100.0 0.0.0.255 area 0
!

ip route 172.16.50.0 255.255.255.0 10.10.10.18
ip route 172.16.60.0 255.255.255.0 10.10.10.18


4.2: DMVPN Basic configuration

On R3

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC

!
interface Tunnel0
description *** PRI Tunnel ***
ip address 100.100.100.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 100.100.100.1 192.168.100.1
ip nhrp map multicast 192.168.100.1
ip nhrp network-id 100
ip nhrp nhs 100.100.100.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf cost 50
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile CLC
!


4.3: Redistributing Static, Connected Routes into OSPF

On R3

router ospf 10
redistribute connected subnets
redistribute static subnets

II. Spoke R4

interface Loopback0
ip address 1.1.1.4 255.255.255.0

interface Ethernet0/0
description *** Connected to Sec DMVPN Cloud ***
ip address 192.168.200.4 255.255.255.0
ip ospf network point-to-multipoint

interface Ethernet0/3
description *** Connected to R5 ***
ip address 10.10.10.21 255.255.255.252
!
router ospf 10
router-id 1.1.1.4
network 1.1.1.4 0.0.0.0 area 0
network 200.200.200.0 0.0.0.255 area 0

ip route 172.16.50.0 255.255.255.0 10.10.10.22
ip route 172.16.60.0 255.255.255.0 10.10.10.22


4.4: DMVPN Basic configuration

On R4

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC

interface Tunnel1
description *** PRI Tunnel ***
ip address 200.200.200.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 200.200.200.2 192.168.200.2
ip nhrp map multicast 192.168.200.2
ip nhrp network-id 200
ip nhrp nhs 200.200.200.2
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 200
tunnel protection ipsec profile CLC


4.5: Redistributing Static, Connected routes into OSPF

On R4

router ospf 10
router-id 1.1.1.4
redistribute connected subnets
redistribute static subnets

On R5

interface Loopback10
ip address 172.16.50.1 255.255.255.0
!
interface Loopback20
ip address 172.16.60.1 255.255.255.0
!
interface Ethernet0/0
description *** Connected to R3 ***
ip address 10.10.10.18 255.255.255.252
!
interface Ethernet0/1
description *** Connected to R4 ***
ip address 10.10.10.22 255.255.255.252

ip route 0.0.0.0 0.0.0.0 10.10.10.17 name PRI-MPLS
ip route 0.0.0.0 0.0.0.0 10.10.10.21 10 name SEC-MPLS


4.6: Configuring IP SLA to make Tunnel 0 (via 10.10.10.17) the PRI path

On R5

ip sla 1
icmp-echo 100.100.100.1 source-interface Ethernet0/0
threshold 2
frequency 5
ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability

ip route 0.0.0.0 0.0.0.0 10.10.10.17 name PRI-MPLS track 1
ip route 0.0.0.0 0.0.0.0 10.10.10.21 10 name SEC-MPLS

Verification
On R5

Now the PRI path is via 10.10.10.17.


Now let's suspend the 10.10.10.17 path.

Traffic shifts to 10.10.10.21 on the secondary path.


On R3


On R4


5. Deployment of UAE Spoke site

5.1: Initial Configuration

On R6

interface Ethernet0/0
description *** Connected to PRI MPLS ***
ip address 192.168.100.6 255.255.255.0
ip ospf network point-to-multipoint
!
interface Ethernet0/2
description *** Connected to R7 ***
ip address 10.10.10.29 255.255.255.252
!
interface Ethernet0/3
description *** Connected to R8 ***
ip address 10.10.10.25 255.255.255.252
!
!
router eigrp CLC
!
address-family ipv4 unicast autonomous-system 100
!
topology base
exit-af-topology
network 10.10.10.24 0.0.0.3
network 10.10.10.28 0.0.0.3
exit-address-family
!
router ospf 10
router-id 1.1.1.6
network 1.1.1.6 0.0.0.0 area 0
network 100.100.100.0 0.0.0.255 area 0


5.2: Redistributing EIGRP into OSPF & vice versa

On R6

router eigrp CLC
!
address-family ipv4 unicast autonomous-system 100
!
topology base
redistribute ospf 10 metric 10000 1000 255 1 1500

router ospf 10
redistribute eigrp 100 metric 50 subnets

5.3: DMVPN Basic configuration

On R6

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC

interface Tunnel0
description *** PRI Tunnel ***
ip address 100.100.100.6 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 100.100.100.1 192.168.100.1
ip nhrp map multicast 192.168.100.1
ip nhrp network-id 100
ip nhrp nhs 100.100.100.1
ip tcp adjust-mss 1360


ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf cost 50
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile CLC

On R7

interface Loopback0
ip address 1.1.1.7 255.255.255.0

interface Ethernet0/0
description *** Connected to SEC MPLS ***
ip address 192.168.200.7 255.255.255.0
ip ospf network point-to-multipoint
!
interface Ethernet0/2
description *** Connected to R6 ***
ip address 10.10.10.30 255.255.255.252
!
interface Ethernet0/3
description *** Connected to R8 ***
ip address 10.10.10.33 255.255.255.252

router eigrp CLC
!
address-family ipv4 unicast autonomous-system 100
!
topology base
exit-af-topology
network 10.10.10.28 0.0.0.3
network 10.10.10.32 0.0.0.3
exit-address-family
!
router ospf 10
router-id 1.1.1.7
network 1.1.1.7 0.0.0.0 area 0
network 50.50.50.12 0.0.0.3 area 0
network 200.200.200.0 0.0.0.255 area 0


5.4: Redistributing EIGRP into OSPF & vice versa

On R7

router eigrp CLC
!
address-family ipv4 unicast autonomous-system 100
!
topology base
redistribute ospf 10 metric 1000 1000 255 1 1500

router ospf 10
redistribute eigrp 100 metric 100 subnets

5.5: DMVPN Basic configuration

On R7

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC

interface Tunnel1
description *** SEC Tunnel ***
ip address 200.200.200.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 200.200.200.2 192.168.200.2
ip nhrp map multicast 192.168.200.2
ip nhrp network-id 200
ip nhrp nhs 200.200.200.2
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1


tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 200
tunnel protection ipsec profile CLC

On R8

interface Loopback10
ip address 172.16.70.1 255.255.255.0
!
interface Loopback20
ip address 172.16.80.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.10.26 255.255.255.252
!
interface Ethernet0/1
ip address 10.10.10.34 255.255.255.252

router eigrp CLC
!
address-family ipv4 unicast autonomous-system 100
!
topology base
exit-af-topology
network 10.10.10.24 0.0.0.3
network 10.10.10.32 0.0.0.3
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
exit-address-family


Verification
On R6


On R7


On R8


6. Deployment of Hong Kong Spoke site

6.1: Initial Configuration

On R10

interface Loopback0
ip address 1.1.1.10 255.255.255.0

interface Ethernet0/0
description *** Connected to PRI MPLS ***
ip address 192.168.100.10 255.255.255.0
ip ospf network point-to-multipoint

!
interface Ethernet0/2
description *** Connected to R9 ***
ip address 10.10.10.37 255.255.255.252
!
interface Ethernet0/3
description *** Connected to R11 ***
ip address 10.10.10.41 255.255.255.252
!
router eigrp 200
network 10.10.10.36 0.0.0.3
network 10.10.10.40 0.0.0.3
redistribute ospf 10 metric 100000 100 255 1 1500
!
router ospf 10
router-id 1.1.1.10
redistribute eigrp 200 metric 50 subnets
network 1.1.1.10 0.0.0.0 area 1
network 100.100.100.0 0.0.0.255 area 0
network 192.168.10.16 0.0.0.3 area 0

6.2: Redistributing EIGRP into OSPF & vice versa

On R10

router eigrp 200
redistribute ospf 10 metric 100000 100 255 1 1500
!
router ospf 10
redistribute eigrp 200 metric 50 subnets

6.3: DMVPN Basic configuration

On R10

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC
!
interface Tunnel0
description *** PRI Tunnel ***
ip address 100.100.100.10 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 100.100.100.1 192.168.100.1
ip nhrp map multicast 192.168.100.1
ip nhrp network-id 100
ip nhrp nhs 100.100.100.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 50
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile CLC

On R9

interface Loopback0
ip address 1.1.1.9 255.255.255.0

interface Ethernet0/0
description *** Connected to SEC-MPLS ***
ip address 192.168.200.9 255.255.255.0
ip ospf network point-to-multipoint
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
description *** Connected to R10 ***
ip address 10.10.10.38 255.255.255.252
!
interface Ethernet0/3
description *** Connected to R11 ***
ip address 10.10.10.45 255.255.255.252
!
router eigrp 200
network 10.10.10.36 0.0.0.3
network 10.10.10.44 0.0.0.3
redistribute ospf 10 metric 1000 100 255 1 1500

router ospf 10
router-id 1.1.1.9
redistribute eigrp 200 metric 100 subnets
network 1.1.1.9 0.0.0.0 area 0
network 50.50.50.16 0.0.0.3 area 0
network 200.200.200.0 0.0.0.255 area 0

6.4: Redistributing EIGRP into OSPF & vice versa

On R9

router eigrp 200
redistribute ospf 10 metric 1000 100 255 1 1500
!
router ospf 10
redistribute eigrp 200 metric 100 subnets

6.5: DMVPN Basic configuration


On R9

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC

interface Tunnel1
description *** SEC Tunnel ***
ip address 200.200.200.9 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 200.200.200.2 192.168.200.2
ip nhrp map multicast 192.168.200.2
ip nhrp network-id 200
ip nhrp holdtime 300
ip nhrp nhs 200.200.200.2
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf network point-to-multipoint
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 200
tunnel protection ipsec profile CLC

On R11

interface Loopback10
ip address 172.16.90.1 255.255.255.0
!
interface Loopback20
ip address 172.16.100.1 255.255.255.0
!
interface Ethernet0/0
description *** Connected to R10 ***
ip address 10.10.10.42 255.255.255.252
!
interface Ethernet0/1
description *** Connected to R9 ***
ip address 10.10.10.46 255.255.255.252

router eigrp 200
network 10.10.10.40 0.0.0.3
network 10.10.10.44 0.0.0.3
network 172.16.90.0 0.0.0.255
network 172.16.100.0 0.0.0.255

Verification (screen captures): On R10, On R9, On R11

7. Deployment of London Spoke site

7.1: Initial Configuration


On R12

interface Loopback0
ip address 1.1.1.12 255.255.255.0

interface Ethernet0/0
description *** Connected to PRI MPLS ***
ip address 192.168.100.12 255.255.255.0
ip ospf network point-to-multipoint
!
interface Ethernet0/2
description *** Connected to R13 ***
ip address 10.10.10.49 255.255.255.252
ip ospf network point-to-point
!
interface Ethernet0/3
description *** Connected to R14 ***
ip address 10.10.10.53 255.255.255.252
ip ospf network point-to-point
!
router ospf 10
router-id 1.1.1.12
network 1.1.1.12 0.0.0.0 area 0
network 10.10.10.48 0.0.0.3 area 0
network 10.10.10.52 0.0.0.3 area 0
network 100.100.100.0 0.0.0.255 area 0

7.2: DMVPN Basic configuration

On R12

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC
!
interface Tunnel0
description *** PRI Tunnel ***
ip address 100.100.100.12 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 100.100.100.1 192.168.100.1
ip nhrp map multicast 192.168.100.1
ip nhrp network-id 100
ip nhrp nhs 100.100.100.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile CLC

On R13

interface Loopback0
ip address 1.1.1.13 255.255.255.0

interface Ethernet0/0
description *** Connected to SEC MPLS ***
ip address 192.168.200.13 255.255.255.0
ip ospf network point-to-multipoint
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
description *** Connected to R12 ***
ip address 10.10.10.50 255.255.255.252
ip ospf network point-to-point
!
interface Ethernet0/3
description *** Connected to R15 ***
ip address 10.10.10.57 255.255.255.252
ip ospf network point-to-point
!
router ospf 10
router-id 1.1.1.13
network 1.1.1.13 0.0.0.0 area 0
network 10.10.10.48 0.0.0.3 area 0
network 10.10.10.56 0.0.0.3 area 0
network 50.50.50.20 0.0.0.3 area 0
network 200.200.200.0 0.0.0.255 area 0

7.3: DMVPN Basic configuration

On R13

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key clc@123 address 0.0.0.0
!
crypto ipsec transform-set CLC esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CLC
set transform-set CLC
!
interface Loopback0
ip address 1.1.1.13 255.255.255.0
!
interface Tunnel1
description *** SEC Tunnel ***
ip address 200.200.200.13 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication clc@123
ip nhrp map 200.200.200.2 192.168.200.2
ip nhrp map multicast 192.168.200.2
ip nhrp network-id 200
ip nhrp nhs 200.200.200.2
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf dead-interval 4
ip ospf hello-interval 1
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 200
tunnel protection ipsec profile CLC
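The spoke-side DMVPN stanza is repeated in 6.3, 6.5, 7.2 and 7.3, and the values that must agree with the hub (NHRP network-id, tunnel key, NHRP authentication string, the NHS address and its static NBMA map) are exactly the ones that are easy to mistype and hard to spot in "show dmvpn" output. The Python script below is an added example and not part of the workbook: it parses IOS-style config text, pulls those parameters out of each Tunnel interface and reports mismatches between a spoke and its hub. The R10 spoke stanza is the one printed in 6.3; the hub R1 stanza is constructed for the example (its tunnel address 100.100.100.1 and NBMA address 192.168.100.1 are inferred from the spoke's static map, everything else is assumed). It also flags two settings of the lab's ISAKMP policy that a production review would question: Diffie-Hellman group 2 (1024-bit MODP) and the wildcard pre-shared key "address 0.0.0.0", which lets any host that holds the key complete IKE phase 1.

```python
"""Added example (not from the workbook): audit a DMVPN spoke tunnel against its hub."""
import re

TUNNEL_FIELDS = {  # single-value tunnel settings; NHRP maps and NHS entries are handled separately
    "nhrp network-id": r"ip nhrp network-id (\S+)", "nhrp authentication": r"ip nhrp authentication (\S+)",
    "tunnel key": r"tunnel key (\S+)", "source": r"tunnel source (\S+)",
    "mode": r"tunnel mode (.+)", "profile": r"tunnel protection ipsec profile (\S+)"}


def parse(cfg):
    """Minimal IOS config reader for the stanzas the audit needs."""
    dev = {"tunnels": {}, "if_addr": {}, "dh_groups": [], "wildcard_psk": False}
    section = tun = ifname = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            ifname, section = m.group(1), "interface"
            tun = dev["tunnels"].setdefault(ifname, {"nhs": [], "maps": {}}) if ifname.startswith("Tunnel") else None
        elif re.match(r"crypto isakmp policy \d+$", line):
            section, tun = "isakmp", None
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            section, tun = None, None
            dev["wildcard_psk"] |= m.group(1) == "0.0.0.0"
        elif line == "!" or re.match(r"(router|crypto) ", line):
            section = tun = None                              # left the stanza
        elif section == "isakmp" and (m := re.match(r"group (\d+)$", line)):
            dev["dh_groups"].append(int(m.group(1)))
        elif section == "interface" and (m := re.match(r"ip address (\S+) \S+", line)):
            dev["if_addr"][ifname] = m.group(1)
            if tun is not None:
                tun["address"] = m.group(1)
        elif tun is not None:
            if m := re.match(r"ip nhrp map (?!multicast)(\S+) (\S+)", line):
                tun["maps"][m.group(1)] = m.group(2)          # static overlay -> NBMA map
            elif m := re.match(r"ip nhrp nhs (\S+)", line):
                tun["nhs"].append(m.group(1))
            else:
                for key, pat in TUNNEL_FIELDS.items():
                    if m := re.match(pat, line):
                        tun[key] = m.group(1)
    return dev


def audit(spoke_dev, hub_dev, spoke_tun="Tunnel0", hub_tun="Tunnel0"):
    """Mismatches that stop NHRP registration or leave the tunnel unprotected."""
    s, h = spoke_dev["tunnels"][spoke_tun], hub_dev["tunnels"][hub_tun]
    hub_nbma = hub_dev["if_addr"].get(h.get("source"))       # hub's tunnel source address
    f = []
    if s.get("mode") != "gre multipoint":
        f.append(f"tunnel mode {s.get('mode')!r}, DMVPN needs 'gre multipoint'")
    for key in ("nhrp network-id", "tunnel key", "nhrp authentication"):
        if s.get(key) != h.get(key):
            f.append(f"{key} {s.get(key)} does not match hub {h.get(key)}")
    if not s["nhs"]:
        f.append("no 'ip nhrp nhs': the spoke will never register")
    for nhs in s["nhs"]:
        if nhs != h.get("address"):
            f.append(f"nhs {nhs} is not the hub tunnel address {h.get('address')}")
        elif s["maps"].get(nhs) != hub_nbma:
            f.append(f"static map {nhs} -> {s['maps'].get(nhs)} but hub NBMA is {hub_nbma}")
    if not s.get("profile"):
        f.append("no 'tunnel protection': GRE and NHRP cross the WAN in the clear")
    return f


def crypto_advisories(dev):
    """Lab settings that a production review would question."""
    a = []
    if any(g < 14 for g in dev["dh_groups"]):
        a.append("ISAKMP DH group below 14 (group 2 is 1024-bit MODP)")
    if dev["wildcard_psk"]:
        a.append("wildcard PSK 'address 0.0.0.0': any host holding the key completes IKE phase 1")
    return a


# Spoke stanza as printed in 6.3 (R10); the hub stanza is constructed for this example.
SPOKE_R10 = """\
crypto isakmp policy 10
 group 2
crypto isakmp key clc@123 address 0.0.0.0
!
interface Ethernet0/0
 ip address 192.168.100.10 255.255.255.0
!
interface Tunnel0
 ip address 100.100.100.10 255.255.255.0
 ip nhrp authentication clc@123
 ip nhrp map 100.100.100.1 192.168.100.1
 ip nhrp map multicast 192.168.100.1
 ip nhrp network-id 100
 ip nhrp nhs 100.100.100.1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile CLC
"""
HUB_R1 = """\
interface Ethernet0/0
 ip address 192.168.100.1 255.255.255.0
!
interface Tunnel0
 ip address 100.100.100.1 255.255.255.0
 ip nhrp authentication clc@123
 ip nhrp network-id 100
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile CLC
"""


def check_spoke(spoke_cfg=SPOKE_R10, hub_cfg=HUB_R1):
    """Returns (mismatch findings, crypto advisories) for the spoke's Tunnel0."""
    spoke = parse(spoke_cfg)
    return audit(spoke, parse(hub_cfg)), crypto_advisories(spoke)
```

Run check_spoke() against each spoke's stanza before bringing the tunnel up; an empty findings list means the NHRP registration parameters agree with the hub, and the advisories list is what to take to a change review rather than to the lab.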

On R14

interface Ethernet0/0
description *** Connected to R12 ***
ip address 10.10.10.54 255.255.255.252
ip ospf network point-to-point
!
interface Ethernet0/1
description *** Connected to R16 ***
ip address 10.10.10.65 255.255.255.252
ip ospf network point-to-point
!
router ospf 10
network 10.10.10.52 0.0.0.3 area 0
network 10.10.10.64 0.0.0.3 area 1

On R16

interface Loopback10
ip address 172.16.110.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback20
ip address 172.16.120.1 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0/0
description *** Connected to R15 ***
ip address 10.10.10.62 255.255.255.252
ip ospf network point-to-point
!
interface Ethernet0/1
description *** Connected to R14 ***
ip address 10.10.10.66 255.255.255.252
ip ospf network point-to-point
!
router ospf 10
network 10.10.10.60 0.0.0.3 area 1
network 10.10.10.64 0.0.0.3 area 1
network 172.16.110.0 0.0.0.255 area 1
network 172.16.120.0 0.0.0.255 area 1

On R15

interface Ethernet0/0
description *** Connected to R13 ***
ip address 10.10.10.58 255.255.255.252
ip ospf network point-to-point
!
interface Ethernet0/1
description *** Connected to R16 ***
ip address 10.10.10.61 255.255.255.252
ip ospf network point-to-point
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router ospf 10
network 10.10.10.56 0.0.0.3 area 0
network 10.10.10.60 0.0.0.3 area 1

Verification (screen captures): On R12, On R13

On R16

Make the PRI MPLS path preferred over the Secondary MPLS path by configuring ip ospf cost 50 on Tunnel0 of R12:

interface Tunnel0
ip ospf cost 50

Now the PRI path is preferred.

Traffic path: R16 > R14 > R12

8. Configuring DMVPN Phase3 in all Hubs & Spokes

Configure DMVPN Hub to redirect NHRP requests for spoke-to-spoke resolutions.

8.1: Phase3 Configuration on R1 & R2 (Hubs)


On R1

interface Tunnel0
ip nhrp redirect

On R2

interface Tunnel1
ip nhrp redirect

8.2: Phase3 Configuration on R18, R3, R4, R6, R7, R9, R10, R12 & R13 (Spokes)
Configure the DMVPN Spokes to be able to install NHRP shortcut routes for spoke-to-spoke
routing.

On R18

interface Tunnel0
ip nhrp shortcut

On R2

interface Tunnel1
ip nhrp shortcut

On R3

interface Tunnel0
ip nhrp shortcut

On R4

interface Tunnel1
ip nhrp shortcut

On R6

interface Tunnel0
ip nhrp shortcut

On R7

interface Tunnel1
ip nhrp shortcut

On R9

interface Tunnel1
ip nhrp shortcut

On R10

interface Tunnel0
ip nhrp shortcut

On R12

interface Tunnel0
ip nhrp shortcut

On R13

interface Tunnel1
ip nhrp shortcut
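8.1 and 8.2 together describe the Phase 3 exchange: a hub with "ip nhrp redirect" still forwards the first spoke-to-spoke packet, but sends an NHRP Traffic Indication back to the source spoke; a spoke with "ip nhrp shortcut" answers it with an NHRP Resolution Request, the reply comes straight from the far spoke to the requester's NBMA address, and the requester installs an NHRP cache entry plus a next-hop override (the "%" entry checked in 8.3). The Python model below is an added example and not part of the workbook or of any Cisco code; router names, overlay and NBMA addresses and the LAN prefixes are constructed for it. It shows why the first traceroute goes via the hub and the second directly to the spoke, and why a spoke without "ip nhrp shortcut" keeps hairpinning through the hub even though the hub sends the redirect.

```python
"""Added example (not from the workbook): a model of DMVPN Phase 3 spoke-to-spoke
resolution. Names, overlay/NBMA addresses and LAN prefixes are constructed."""
import ipaddress

NET = {}   # NBMA (transport) address -> Router: stands in for the MPLS cloud


class Router:
    def __init__(self, name, overlay, nbma, routes, redirect=False, shortcut=False):
        self.name, self.overlay, self.nbma = name, overlay, nbma
        self.routes = routes        # prefix -> overlay next hop; None = connected LAN
        self.redirect = redirect    # 'ip nhrp redirect' (hub)
        self.shortcut = shortcut    # 'ip nhrp shortcut' (spoke)
        self.nhrp = {}              # overlay -> NBMA: static maps, registrations, replies
        self.override = {}          # prefix -> overlay next hop installed by NHRP
        NET[nbma] = self

    def register(self, hub):
        """NHRP registration: spoke maps its NHS statically, hub learns the spoke's NBMA."""
        self.nhrp[hub.overlay] = hub.nbma
        hub.nhrp[self.overlay] = self.nbma

    def lookup(self, dst):
        """Longest-prefix match over the routing table plus NHRP overrides."""
        addr = ipaddress.ip_address(dst)
        table = {**self.routes, **self.override}
        matches = [p for p in table if addr in ipaddress.ip_network(p)]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
        return best, table[best]

    def forward(self, dst, src=None, path=None):
        """Data plane. Returns the routers the packet crossed, like a traceroute."""
        path = [] if path is None else path
        path.append(self.name)
        _, nh = self.lookup(dst)
        if nh is None:
            return path                          # delivered to the local LAN
        if src is not None and self.redirect:
            # Arrived on the mGRE tunnel and leaves on the same tunnel: a Phase 3
            # hub forwards the packet but sends an NHRP Traffic Indication to the source.
            src.traffic_indication(dst, nhs=self)
        return NET[self.nhrp[nh]].forward(dst, src=self, path=path)

    def traffic_indication(self, dst, nhs):
        if self.shortcut:                        # without 'ip nhrp shortcut' it is ignored
            nhs.resolution_request(dst, requester=self)

    def resolution_request(self, dst, requester):
        """Control plane: the request follows the routed path; the router that owns
        the prefix replies straight to the requester's NBMA address, not via the hub."""
        prefix, nh = self.lookup(dst)
        if nh is not None:
            NET[self.nhrp[nh]].resolution_request(dst, requester)
            return
        self.nhrp[requester.overlay] = requester.nbma   # learned from the request itself
        requester.install_shortcut(prefix, self.overlay, self.nbma)

    def install_shortcut(self, prefix, overlay, nbma):
        self.nhrp[overlay] = nbma
        self.override[prefix] = overlay          # the '%' next-hop override in 'show ip route'

    def show_ip_route(self):
        table = {**self.routes, **self.override}
        return [f"{p} via {nh or 'connected'}" + (" %" if p in self.override else "")
                for p, nh in table.items()]


def build_topology(shortcut=True):
    """One hub (R1) and two spokes (R18, R12) on the PRI DMVPN; constructed addresses."""
    NET.clear()
    hub = Router("R1", "100.100.100.1", "192.168.100.1",
                 {"172.16.18.0/24": "100.100.100.18", "172.16.110.0/24": "100.100.100.12"},
                 redirect=True)
    usa = Router("R18", "100.100.100.18", "192.168.100.18",
                 {"172.16.18.0/24": None, "0.0.0.0/0": hub.overlay}, shortcut=shortcut)
    london = Router("R12", "100.100.100.12", "192.168.100.12",
                    {"172.16.110.0/24": None, "0.0.0.0/0": hub.overlay}, shortcut=shortcut)
    usa.register(hub)
    london.register(hub)
    return usa, hub, london


if __name__ == "__main__":
    usa, hub, london = build_topology()
    print("1st:", " > ".join(usa.forward("172.16.110.1")))   # via the hub
    print("2nd:", " > ".join(usa.forward("172.16.110.1")))   # direct, after the shortcut
    print("\n".join(usa.show_ip_route()))
```

The model deliberately keeps the hub forwarding the first packet while it sends the redirect, because that is what makes the first traceroute show the hub and the second not; build_topology(shortcut=False) reproduces a Phase 2-style spoke that never leaves the hub path.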

8.3: Verification of DMVPN Phase3


On R18

Task: ping 172.16.110.1 and 172.16.120.1 and check the traceroute.

The first traceroute goes via the hub; the second goes directly to the spoke.

All traffic is going over the PRI DMVPN.

On R1

Let's check the routing table: the % flag marks an NHRP next-hop override.

Let's test failover by suspending PRI Tunnel 0.

Now traffic takes the SEC DMVPN path.

On R2

On R3

Next-hop override


On R1

Let’s check failover on R5

After suspending PRI tunnel 0

Let’s enable PRI Tunnel 0

On R4

On R6

Let's do a failover test: suspend PRI Tunnel 0 on R6.


We can verify from R8

Let's restore PRI Tunnel 0.

On R7

On R10


Let's do a failover test by suspending Tunnel 0 on R10.

Before suspending tunnel 0


Let's restore Tunnel 0.

Traffic switched back to the PRI tunnel.

On R9

On R12

Let's do a failover test by suspending Tunnel 0 on R12.

on R16

Before suspending PRI tunnel 0

Traffic shifted to SEC Tunnel 1.

Traffic is going via R16 > R15 > R13.

Let's restore Tunnel 0.

Traffic shifted back to the PRI tunnel.

On R13

We'll shut down the PRI path.
