DMVPN

 

Aim:- To run a full DMVPN setup between the Global Data Center (GDC) and the remote locations. A remote location can use a 3G dongle and/or an ADSL connection.

Hardware used:- Cisco 1941 router (Product ID – CISCO1941/K9)

Cisco 881W router (Product ID – C881W-E-K9)

IOS used:- Cisco 881W:- c800-universalk9-mz.SPA.152-4.M4.bin

Cisco 1941:- c1900-universalk9-mz.SPA.152-4.M5.bin

Licenses used:- Advanced Security (securityk9) license on the Cisco 881W and the 1941.

Additionally, for the Unified wireless image, the Advanced IP Services (advipservices) license on the C881W router. License portal URL and other information related to licensing:

http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9000827

 

 

 

Test 1:- DMVPN with the remote location on an ADSL connection:-

GDC setup:-

We have a public IP on the Cisco 1941 outside interface, and the inside interface is connected to the DMZ firewall on VLAN 31, through which the LAN is reachable. The default route points towards the internet.

Remote setup:-

We have a Cisco 881W router; its outside interface has a static public IP assigned and a static route towards the DSL router.

This is a simple DMVPN setup with static public IPs on both sides; I have taken reference from the Firewall.cx blog.

Test 2:- DMVPN with the remote location on a 3G dongle. Here we have used IPsec-protected GRE with NAT traversal (NAT-T), because the spoke sits behind the wireless router's NAT.

GDC setup:-

We have a public IP on the Cisco 1941 outside interface, and the inside interface is connected to the DMZ firewall on VLAN 31, through which the LAN is reachable. The default route points towards the internet.

Remote setup:-

C881W –> wireless router –> 3G dongle

We have a Cisco 881W router; its outside interface has a static private IP assigned and a static route towards the wireless router's inside interface. Although we have DHCP configured on the wireless router, we have used static IP assignment instead.

The 3G dongle is connected to the outside interface of the wireless router.

 

Configuration:-

GDC 1941 router:-

L00DC1BAR01#sh run
Building configuration...

Current configuration : 4201 bytes
!
! Last configuration change at 07:18:39 UTC Fri Feb 21 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname L00DC1BAR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-4147504180
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4147504180
 revocation-check none
 rsakeypair TP-self-signed-4147504180
!
!
crypto pki certificate chain TP-self-signed-4147504180
 certificate self-signed 01
  *Alphanumeric characters here*
  quit
license udi pid CISCO1941/K9 sn FCZf2218py
license boot module c1900 technology-package securityk9
!
!
username admin privilege 15 password 0 admin
!
redundancy
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0
!
!
crypto ipsec transform-set DELTA esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set DELTA1 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile DELTA
 set transform-set DELTA
!
!
interface Tunnel0
 description #mGRE- DMVPN Tunnel#
 ip address 10.110.72.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 cdp enable
 tunnel source y.y.y.y
 tunnel mode gre multipoint
 tunnel protection ipsec profile DELTA
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description #Connected to L00DC1EXTSW01#
 ip address y.y.y.y 255.255.255.224
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description #Connected to L00DC1DMZSW01#
 ip address d.d.d.d 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 z.z.z.z (outside interface of the external internet switch)
ip route 10.110.74.4 255.255.255.255 192.194.135.1
ip route 10.240.1.0 255.255.255.0 10.110.72.2 (remote tunnel interface)
ip route 141.172.0.0 255.255.0.0 c.c.c.c (inside interface of the DMZ FW)
ip route 141.172.191.0 255.255.255.0 c.c.c.c (inside interface of the DMZ FW)
ip route 192.194.154.0 255.255.255.0 c.c.c.c (inside interface of the DMZ FW)
ip route 194.252.225.32 255.255.255.224 z.z.z.z (outside interface of the external internet switch)
!
ip access-list extended GRE
 permit gre any any
!
access-list 101 permit gre any any
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input all
line vty 5 15
 privilege level 15
 login local
 transport input all
!
scheduler allocate 20000 1000
!
end

 

Remote C881W router:-

References:-

http://www.cisco.com/en/US/docs/routers/access/800/880/software/configuration/guide/880_basic_device_wireless_config.html

https://supportforums.cisco.com/docs/DOC-16145

http://www.nerdosaur.com/wireless/cisco-881w-router-with-built-in-access-point/

Learnings:-

1. Make sure the AP is in unified mode, else LWAPP will not work.

Converting the wireless service-module into unified mode:

Step 1: To change the access point boot image to a Cisco Unified upgrade image (also known as a recovery image), issue the service-module wlan-ap 0 bootimage unified command in global configuration mode.

Router# configure terminal
Router(config)# service-module wlan-ap 0 bootimage unified
Router(config)# end

Note: If the service-module wlan-ap 0 bootimage unified command does not work, check whether the advipservices or advipservices_npe software license is enabled.

To identify the access point's boot image path, use the show boot command in privileged EXEC mode on the access point console:

autonomous-AP# show boot
BOOT path-list: flash:/ap802-rcvk9w8-mx/ap802-rcvk9w8-mx

Step 2: To perform a graceful shutdown and reboot of the access point to complete the upgrade process, issue the service-module wlan-ap 0 reload command in privileged EXEC mode. Establish a session into the access point and monitor the upgrade process.

2. After converting the image to unified:-

You have to assign an IP address in the management range (VLAN 10, 10.240.1.2) to the AP's BVI interface and set its default gateway towards the VLAN 10 IP, here 10.240.1.1.

Also configure the router's Wlan-GigabitEthernet0 interface like this:

interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport trunk native vlan 10
 switchport mode trunk

Make sure that the IP address of the controller is reachable from the AP, by simply pinging the WLC.

Type "capwap ap controller ip address a.a.a.a" or "lwapp ap controller ip address a.a.a.a" on the AP in order to join the WLC.

 

BA-LAB#sh run
Building configuration...

Current configuration : 6095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BA-LAB
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
service-module wlan-ap 0 bootimage unified
!
crypto pki trustpoint TP-self-signed-3930288585
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3930288585
 revocation-check none
 rsakeypair TP-self-signed-3930288585
!
!
crypto pki certificate chain TP-self-signed-3930288585
 certificate self-signed 01
  *Alphanumeric characters here*
  quit
ip cef
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.240.1.97
ip dhcp excluded-address 10.240.1.129
!
ip dhcp pool GUEST-VLAN
 network 10.240.1.96 255.255.255.224
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.240.1.97
 lease 0 6
!
ip dhcp pool USER-VLAN
 network 10.240.1.128 255.255.255.224
 default-router 10.240.1.129
 dns-server (internal DNS servers)
 lease 0 6
!
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid C881W-E-K9 sn FCZf3348rr
license accept end user agreement
license boot module c800 level advipservices
!
!
username admin privilege 15 secret 4 7.jZ4Dex7mHRhj/CulqZZbF6pyUlk6mDe08.brH568Y
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address y.y.y.y
!
!
crypto ipsec transform-set DELTA esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile DELTA
 set transform-set DELTA
!
!
interface Loopback0
 ip address 10.240.1.254 255.255.255.255
!
interface Tunnel0
 description #Remote mGRE + DMVPN Tunnel#
 ip address 10.110.72.2 255.255.255.0
 ip nhrp map 10.110.72.1 y.y.y.y
 ip nhrp map multicast y.y.y.y
 ip nhrp network-id 1
 ip nhrp nhs 10.110.72.1
 cdp enable
 tunnel source FastEthernet4
 tunnel destination y.y.y.y
 tunnel protection ipsec profile DELTA
!
interface FastEthernet0
 description USER-WIRED-PC
 switchport access vlan 50
 no ip address
!
interface FastEthernet1
 description WIRELESS AP
 switchport access vlan 10
 no ip address
!
interface FastEthernet2
 description PRINTER
 switchport access vlan 20
 no ip address
!
interface FastEthernet3
 description GUEST WIRED PC
 switchport access vlan 40
 no ip address
!
interface FastEthernet4
 description OUTSIDE INTERFACE
 ip address 192.168.20.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport trunk native vlan 10
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan10
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip tcp adjust-mss 1452
!
interface Vlan10
 description MGMT-VLAN
 ip address 10.240.1.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
 no autostate
!
interface Vlan20
 description PRINTER-VLAN
 ip address 10.240.1.33 255.255.255.224
 no autostate
!
interface Vlan30
 description VOICE-VLAN
 ip address 10.240.1.65 255.255.255.224
 no autostate
!
interface Vlan40
 description GUEST-VLAN
 ip address 10.240.1.97 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
 no autostate
!
interface Vlan50
 description USER-VLAN
 ip address 10.240.1.129 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
 no autostate
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list guestlan interface FastEthernet4 overload
ip nat inside source list mgmtlan interface FastEthernet4 overload
ip nat inside source list userlan interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip route 10.110.74.4 255.255.255.255 10.110.72.1
ip route 141.172.0.0 255.255.0.0 10.110.72.1
ip route 192.194.135.0 255.255.255.0 10.110.72.1
ip route 192.194.154.0 255.255.255.0 10.110.72.1
!
ip access-list standard guestlan
 permit 10.240.1.96 0.0.0.31
ip access-list standard mgmtlan
 permit 10.240.1.0 0.0.0.31
ip access-list standard userlan
 permit 10.240.1.128 0.0.0.31
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip any host y.y.y.y
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
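The following Python script is an added example, not part of the original post and not a Cisco tool. It splits an IOS running-config into top-level blocks and runs two defender-side checks over constructed excerpts of the two configs above (the excerpts are this example's own, written in standard IOS keywords). crypto_findings() flags the settings in the hub config that a reviewer would raise before deployment: 3DES and MD5 in the ISAKMP policy and transform set, the pre-shared key bound to address 0.0.0.0 (the same PSK is accepted from any peer address, which is what the NAT-T spoke with a private outside IP relies on), the reversible "password 0" on the admin user, the plaintext HTTP server, and telnet on the vty lines. nat_coverage() maps each "ip nat inside" VLAN on the spoke to the standard ACLs referenced by the "ip nat inside source list ... overload" statements, so you can confirm that each wildcard mask (0.0.0.31 for a /27) actually lines up with its VLAN subnet. The function names and finding codes are the example's own.

```python
import ipaddress

# Constructed excerpt of the hub (Cisco 1941) config from the page.
HUB_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0
crypto ipsec transform-set DELTA esp-3des esp-md5-hmac
username admin privilege 15 password 0 admin
ip http server
line vty 0 4
 transport input all
"""

# Constructed excerpt of the spoke (Cisco 881W) config from the page.
SPOKE_CONFIG = """\
interface Vlan10
 ip address 10.240.1.1 255.255.255.224
 ip nat inside
interface Vlan40
 ip address 10.240.1.97 255.255.255.224
 ip nat inside
interface Vlan50
 ip address 10.240.1.129 255.255.255.224
 ip nat inside
ip nat inside source list guestlan interface FastEthernet4 overload
ip nat inside source list mgmtlan interface FastEthernet4 overload
ip nat inside source list userlan interface FastEthernet4 overload
ip access-list standard guestlan
 permit 10.240.1.96 0.0.0.31
ip access-list standard mgmtlan
 permit 10.240.1.0 0.0.0.31
ip access-list standard userlan
 permit 10.240.1.128 0.0.0.31
"""


def parse_blocks(config):
    """Split an IOS config into (header, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):  # blanks and IOS comment lines
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def crypto_findings(config):
    """Return sorted finding codes for weak crypto and exposed management."""
    findings = set()
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            for line in body:
                key, _, value = line.partition(" ")
                if (key == "encr" and value in {"des", "3des"}) or (key == "hash" and value == "md5"):
                    findings.add(f"isakmp-weak-{key}")
        elif header.startswith("crypto isakmp key") and "address 0.0.0.0" in header:
            findings.add("isakmp-wildcard-psk")  # the PSK is accepted from any peer address
        elif header.startswith("crypto ipsec transform-set") and {"esp-des", "esp-3des", "esp-md5-hmac"} & set(words):
            findings.add("ipsec-weak-transform")
        elif words[0] == "username" and "password" in words:
            findings.add("username-reversible-password")  # `secret` would store a hash instead
        elif header == "ip http server":
            findings.add("http-plaintext-management")
        elif header.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and {"all", "telnet"} & set(line.split()):
                    findings.add("vty-telnet-allowed")
    return sorted(findings)


def acl_network(addr, wildcard):
    """Turn a standard-ACL `permit A.B.C.D W.X.Y.Z` entry into an ip_network."""
    if wildcard == "0.0.0.0":  # host entry; ipaddress would read "0.0.0.0" as a /0 netmask
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)  # an IOS wildcard is a hostmask


def nat_coverage(config):
    """Map each `ip nat inside` interface to the NAT ACLs that cover its subnet."""
    nat_acls, acl_nets, inside = set(), {}, {}
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("ip nat inside source list"):
            nat_acls.add(words[5])
        elif header.startswith("ip access-list standard"):
            acl_nets[words[3]] = [acl_network(w[1], w[2] if len(w) > 2 else "0.0.0.0")
                                  for w in (line.split() for line in body) if w[0] == "permit"]
        elif words[0] == "interface" and "ip nat inside" in body:
            addr = next((line.split()[2:4] for line in body if line.startswith("ip address ")), None)
            if addr:
                inside[words[1]] = ipaddress.ip_interface("/".join(addr)).network
    return {name: sorted(acl for acl in nat_acls if any(net.subnet_of(n) for n in acl_nets.get(acl, [])))
            for name, net in inside.items()}
```

Run crypto_findings(HUB_CONFIG) and nat_coverage(SPOKE_CONFIG) against the excerpts, or paste in a full "show running-config"; the spoke excerpt yields one ACL per NAT-inside VLAN, and any VLAN that comes back with an empty list or with two ACLs is a NAT policy mismatch worth fixing before the tunnel goes live.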

 
