Can you explain what Cisco ACI is and its key features?
Cisco ACI, or Application Centric Infrastructure, is a software-defined networking (SDN) solution that aims to simplify and automate network infrastructure management. It provides a centralized policy-based approach to managing network resources, allowing users to easily control and manage their network environments.
Some key features of Cisco ACI include:
Centralized policy management: Cisco ACI allows users to define policies for network resources and applications, which are automatically enforced across the entire network. This allows for consistent, predictable network behavior and helps to ensure compliance with security and other policies.
Automated network provisioning: Cisco ACI allows users to quickly and easily provision network resources, such as virtual machines and storage, without having to manually configure each device. This can help to reduce deployment times and improve the efficiency of network operations.
Integrated security: Cisco ACI includes built-in security features, such as advanced firewalls and intrusion detection systems, which can help to protect network resources from cyber threats.
Multi-cloud support: Cisco ACI is designed to work with multiple cloud platforms, including public clouds, private clouds, and hybrid environments. This allows users to easily integrate their network infrastructure with different cloud services and environments.
Open ecosystem: Cisco ACI is part of the open, multi-vendor ACI ecosystem, which includes a range of third-party tools and services that can be easily integrated with the platform. This allows users to choose from a variety of solutions to meet their specific networking needs.
How does Cisco ACI integrate with other Cisco technologies and solutions?
Cisco ACI integrates with other Cisco technologies and solutions using APIs and the Cisco Application Policy Infrastructure Controller (APIC), which acts as the central management and policy enforcement point for the ACI ecosystem. This allows for seamless integration and communication between ACI and other Cisco technologies, such as Cisco Nexus switches, Cisco UCS servers, and Cisco ACI virtual appliances. Additionally, Cisco ACI can be integrated with third-party solutions using the ACI Multi-Site Manager and ACI Fabric Connectors.
How does Cisco ACI support security and compliance in the network?
Cisco ACI supports security and compliance in the network through several key features:
Role-based access control (RBAC) - ACI allows administrators to define user roles and permissions, ensuring that only authorized users have access to sensitive network resources.
Micro-segmentation - ACI uses network segmentation to create small, isolated security zones within the network, reducing the potential attack surface and limiting the spread of potential threats.
Access control policies - ACI allows administrators to create and enforce access control policies, ensuring that only authorized traffic is allowed to enter and exit the network.
Encryption - ACI uses encryption technologies to protect data in transit, ensuring that sensitive information is not compromised while being transmitted across the network.
Threat detection and response - ACI includes built-in threat detection and response capabilities, allowing administrators to quickly identify and respond to potential security threats.
Compliance reporting - ACI provides detailed reporting and analytics capabilities, allowing administrators to track compliance with industry regulations and standards.
How does Cisco ACI support multi-cloud and hybrid cloud environments?
Cisco ACI supports multi-cloud and hybrid cloud environments through several key features:
Cloud integration - ACI integrates with popular cloud platforms, such as AWS and Azure, allowing administrators to easily manage and connect to cloud resources.
Cloud-agnostic policy management - ACI allows administrators to create and enforce consistent network policies across multiple clouds, regardless of the underlying technology or infrastructure.
Hybrid cloud management - ACI provides a unified interface for managing both on-premises and cloud-based resources, simplifying the management of hybrid cloud environments.
Cloud bursting - ACI allows administrators to seamlessly extend on-premises workloads to the cloud, allowing for flexible and scalable deployment of applications and services.
Cloud security - ACI includes built-in security features, such as encryption and access control, to protect data and workloads in the cloud.
Can you discuss the scalability and performance capabilities of Cisco ACI?
Cisco ACI is highly scalable and offers excellent performance capabilities. Some key features that support these capabilities include:
Distributed architecture - ACI uses a distributed architecture, with policy and control functions distributed across multiple nodes in the network. This allows for scalable and highly available operation, with no single point of failure.
High-speed data plane - ACI uses high-speed switching technology, such as Cisco's Nexus 9000 series switches, to provide low-latency, high-bandwidth data plane performance.
Flexible deployment options - ACI can be deployed in several ways, including as a leaf-spine fabric, a two-tier design, or a single-tier design. This allows administrators to choose the deployment option that best fits their needs and requirements.
Centralized policy management - ACI allows administrators to create and manage network policies from a single, centralized location, simplifying the management of large and complex networks.
Analytics and reporting - ACI includes detailed analytics and reporting capabilities, allowing administrators to monitor network performance and identify potential performance bottlenecks.
IPING
The iping command is used to test the connectivity and latency between two hosts on a network. The -V option specifies the tenant and VRF (Virtual Routing and Forwarding) to use for the ping, the -S option specifies the source IP address to use for the ping, and the -c option specifies the number of ping packets to send.
To perform an ICMP ping test on Cisco ACI with specific parameters from the command line, log in to the leaf switch via SSH and run iping. For example, to ping the destination IP address 192.168.0.1 using tenant T1 and VRF VRF1, with a source IP address of 10.0.0.1 and a count of 10 ping packets, use the following command:
iping 192.168.0.1 -V T1:VRF1 -S 10.0.0.1 -c 10
This command sends 10 ping packets from the source IP address 10.0.0.1 to the destination IP address 192.168.0.1, using tenant T1 and VRF VRF1 for the ping request, and then displays the results, including the round-trip time for each packet and any packet loss.
To perform a ping from the Cisco ACI GUI, follow these steps:
Log in to the Cisco ACI controller (APIC).
Navigate to the "Fabric" tab and select the "Endpoints" sub-tab.
Select the desired endpoint and click the "Actions" dropdown menu.
Select "ICMP Ping" from the options and enter the IP address of the destination endpoint.
Click "Ping" to start the ping test. The results will be displayed in the window.
How do you troubleshoot connectivity between endpoints in Cisco ACI?
Check the physical connectivity of the endpoints by verifying that the cables are properly connected and functioning.
Check the ACI fabric configuration to ensure that the endpoints are properly configured and associated with the correct network policies.
Verify that the endpoints are reachable by pinging them from the ACI fabric.
Check the ACI fabric logs for any errors or issues related to the connectivity between the endpoints.
If the issue persists, try resetting the endpoints and re-establishing the connectivity.
What is Cisco Express Forwarding (CEF)?
Cisco Express Forwarding (CEF) is a routing technology used in Cisco routers to increase the speed and efficiency of packet forwarding. It is a hardware-based packet-switching method that uses a forwarding information base (FIB) and adjacency table to quickly determine the next hop for a packet and forward it to its destination.
CEF provides several benefits over traditional routing methods, such as improved forwarding performance, scalability, and flexibility. It allows routers to forward packets at wire speed, without having to process them in software, which reduces the CPU and memory usage on the router. It also supports load balancing and equal-cost multi-path routing, allowing for improved network resiliency and redundancy.
What are cisco Datacenter technologies?
Cisco Datacenter technologies are a suite of products and solutions designed to help organizations build, manage, and secure their data centers. These technologies include networking and switching solutions, storage and data management solutions, security and access control solutions, as well as virtualization and cloud computing solutions.
Some examples of Cisco Datacenter technologies include:
Cisco UCS (Unified Computing System): A set of products and solutions that provide a single, integrated computing platform for data centers.
Cisco ACI (Application Centric Infrastructure): A software-defined networking platform that allows organizations to automate and manage the networking of their data center.
Cisco Nexus: A series of switches and routers that provide high-speed connectivity and networking capabilities for data centers.
Cisco HyperFlex: A hyper-converged infrastructure solution that combines computing, storage, and networking in a single platform.
Cisco Security: A range of products and solutions that help organizations protect their data centers from cyber threats.
Difference between IOS, IOS-XE & IOS-XR?
IOS is the standard operating system used on most Cisco routers and switches. It is a versatile and feature-rich OS that supports a wide range of networking functions and protocols.
IOS-XE is an enhanced version of IOS that is designed for use on more advanced Cisco devices, such as the Catalyst 9000 series switches. It offers additional features and functionality, such as support for multiple virtual machines and improved performance.
IOS-XR is a specialized version of IOS that is designed for use on high-end Cisco routers, such as the CRS-1 and CRS-3. It is a highly scalable and modular OS that is optimized for high-performance routing and network services. It also offers advanced features such as fault tolerance and network management capabilities.
What Is EVPN?
Ethernet VPN (EVPN) is defined as Layer 2 forwarding over VXLAN and Virtual Private LAN Service (VPLS) tunnels using MPLS, with BGP as the control plane. EVPN is a standards-based way to implement a fabric that is functionally similar to ACI. EVPN works on the Cisco Nexus 9300/9500 in NX-OS mode, but it has also been adopted on other Cisco platforms, as well as on switches from Arista, Juniper, and others. Cisco's Data Center Network Manager (DCNM) is optional software used to orchestrate and manage an EVPN fabric, similar to the role APIC plays with ACI.
What is the difference between MACsec and IPsec?
IPsec works on IP packets, at layer 3, while MACsec (Media Access Control Security) operates at layer 2, on Ethernet frames. Thus, MACsec can protect all DHCP and ARP traffic, which IPsec cannot secure. On the other hand, IPsec can work across routers, while MACsec is limited to a LAN.
Difference between Precision Time Protocol & Network Time Protocol.
Precision Time Protocol (PTP) and Network Time Protocol (NTP) are both protocols that are used to synchronize clocks on a network. However, there are a few key differences between the two:
Precision: PTP is designed to provide a higher level of precision in clock synchronization compared to NTP. This is important for applications that require perfectly accurate time-stamping of data or events.
Network topology: PTP is typically used on a smaller, more controlled network, where devices are connected directly to each other in a hierarchy. NTP, on the other hand, is designed to work on a larger, more distributed network, where devices can be connected in a variety of ways.
Protocol specifics: PTP uses a separate set of messages and algorithms for clock synchronization compared to NTP. For example, PTP uses a master-slave hierarchy for clock synchronization, whereas NTP uses a distributed, peer-to-peer approach.
Operating system support: PTP is supported on a variety of operating systems, including Linux, Windows, and VxWorks. NTP, on the other hand, is supported on a wider range of operating systems, including all major operating systems, as well as many embedded systems.
Difference between LACP (Link Aggregation Control Protocol) and PAGP (Port Aggregation Protocol)?
LACP (Link Aggregation Control Protocol) and PAGP (Port Aggregation Protocol) are both protocols used to create link aggregation groups (LAGs), which combine multiple physical Ethernet links into a single logical link to provide increased bandwidth and redundancy.
The main difference between LACP and PAGP is the way they operate. LACP is a standards-based protocol, defined in the IEEE 802.3ad specification, and is supported by most networking equipment vendors. It uses a controlled negotiation process to dynamically establish and maintain LAGs and allows for flexibility in the type and number of links that can be included in a LAG.
PAGP, on the other hand, is a Cisco proprietary protocol and is only supported on Cisco equipment. It uses a more simplistic approach to LAG formation, relying on the devices at each end of the LAG to agree on the formation of a LAG and the links that will be included. This can lead to potential compatibility issues between Cisco and non-Cisco equipment.
In summary, LACP is a more widely supported and flexible protocol, while PAGP is more limited in its compatibility and capabilities.
What are Layer 3 Overlay Protocols?
Layer 3 overlay protocols are networking technologies that enable the creation of virtual networks on top of existing physical infrastructure. They allow for the encapsulation of data packets from one network into a format that can be transmitted over another network, allowing for efficient and secure communication between different network segments. Some common examples of layer 3 overlay protocols include:
Virtual Extensible LAN (VXLAN): This protocol uses UDP to encapsulate layer 2 frames into layer 3 packets, allowing for the creation of large virtual networks over a shared physical infrastructure.
Network Virtualization using Generic Routing Encapsulation (NVGRE): This protocol uses a tunneling approach to encapsulate layer 2 frames into layer 3 packets, allowing for the creation of multiple virtual networks over a shared physical infrastructure.
Generic Routing Encapsulation (GRE): This protocol provides a simple and efficient method for tunneling layer 3 packets over an IP network. It is commonly used to create virtual private networks (VPNs) or to extend the reach of a network across multiple sites.
Internet Protocol Security (IPSec): This protocol provides encryption and authentication for IP data packets, allowing for secure communication over an IP network. It is commonly used in VPNs to provide end-to-end security for network communications.
Interconnectivity of Various ACI Components
In Cisco ACI, a VRF can be associated with only a single tenant, but the reverse is not true: a tenant can have multiple VRFs, allowing it to create multiple isolated virtual networks within the ACI fabric. This lets organizations build multi-tenant environments in which different tenants have their own virtual networks on the same physical infrastructure.
For example, a tenant in an ACI fabric might have one VRF for their production environment, another VRF for their development environment, and another VRF for their testing environment.
In Cisco ACI, a bridge domain can only be associated with a single VRF. This means that a bridge domain cannot be shared by multiple VRFs within the ACI fabric.
For example, if an ACI fabric has three VRFs (VRF1, VRF2, and VRF3), each VRF can have its own set of bridge domains. VRF1 might have Bridge Domain1 and Bridge Domain2, VRF2 might have Bridge Domain3 and Bridge Domain4, and VRF3 might have Bridge Domain5 and Bridge Domain6.
An application profile is associated with a tenant and defines the network and security requirements for the application, as well as the desired behavior and performance characteristics.
An application profile is linked with a tenant and contains EPGs.
An EPG is linked with a bridge domain.
A bridge domain is linked with a VRF.
A VRF is linked with a tenant.
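An added Python example (not Cisco code) that models the containment rules just listed as a small validator: it builds the three-VRF, six-bridge-domain layout from the text (object names are constructed) and flags an EPG whose bridge domain belongs to a different tenant than its application profile. It ignores objects shared from the common tenant.

```python
from dataclasses import dataclass, field

# Constructed toy model of the ACI containment rules described above:
# VRF -> exactly one tenant, bridge domain (BD) -> exactly one VRF,
# application profile (AP) -> one tenant, EPG -> one AP and one BD,
# and an EPG's BD must resolve to the same tenant as its AP.


@dataclass
class AciModel:
    tenants: set = field(default_factory=set)
    vrf_tenant: dict = field(default_factory=dict)   # VRF name -> tenant
    bd_vrf: dict = field(default_factory=dict)       # BD name -> VRF
    ap_tenant: dict = field(default_factory=dict)    # AP name -> tenant
    epg_ap: dict = field(default_factory=dict)       # EPG name -> AP
    epg_bd: dict = field(default_factory=dict)       # EPG name -> BD

    def add_tenant(self, tenant):
        self.tenants.add(tenant)

    def add_vrf(self, vrf, tenant):
        self.vrf_tenant[vrf] = tenant

    def add_bd(self, bd, vrf):
        self.bd_vrf[bd] = vrf

    def add_ap(self, ap, tenant):
        self.ap_tenant[ap] = tenant

    def add_epg(self, epg, ap, bd):
        self.epg_ap[epg] = ap
        self.epg_bd[epg] = bd

    def tenant_of_bd(self, bd):
        """Resolve BD -> VRF -> tenant; None if any link in the chain is missing."""
        return self.vrf_tenant.get(self.bd_vrf.get(bd))

    def vrfs_of(self, tenant):
        return sorted(v for v, t in self.vrf_tenant.items() if t == tenant)

    def bds_of(self, vrf):
        return sorted(b for b, v in self.bd_vrf.items() if v == vrf)

    def validate(self):
        """Return human-readable violations; an empty list means the model is consistent."""
        problems = []
        for vrf, tenant in self.vrf_tenant.items():
            if tenant not in self.tenants:
                problems.append(f"VRF {vrf} references unknown tenant {tenant}")
        for bd, vrf in self.bd_vrf.items():
            if vrf not in self.vrf_tenant:
                problems.append(f"bridge domain {bd} references unknown VRF {vrf}")
        for ap, tenant in self.ap_tenant.items():
            if tenant not in self.tenants:
                problems.append(f"application profile {ap} references unknown tenant {tenant}")
        for epg, ap in self.epg_ap.items():
            bd = self.epg_bd[epg]
            ap_tenant = self.ap_tenant.get(ap)
            bd_tenant = self.tenant_of_bd(bd)
            if ap_tenant is None:
                problems.append(f"EPG {epg} references unknown application profile {ap}")
            elif bd_tenant is None:
                problems.append(f"EPG {epg} uses bridge domain {bd} with no resolvable tenant")
            elif ap_tenant != bd_tenant:
                problems.append(f"EPG {epg} in tenant {ap_tenant} uses bridge domain {bd} "
                                f"owned by tenant {bd_tenant}")
        return problems


def example_fabric():
    """The three-VRF, six-bridge-domain layout from the text, inside one tenant (constructed)."""
    m = AciModel()
    m.add_tenant("TenantA")
    for vrf in ("VRF1", "VRF2", "VRF3"):
        m.add_vrf(vrf, "TenantA")
    for bd, vrf in (("BD1", "VRF1"), ("BD2", "VRF1"), ("BD3", "VRF2"),
                    ("BD4", "VRF2"), ("BD5", "VRF3"), ("BD6", "VRF3")):
        m.add_bd(bd, vrf)
    m.add_ap("AP-Prod", "TenantA")
    m.add_epg("EPG-Web", "AP-Prod", "BD1")
    return m


def cross_tenant_fabric():
    """A second tenant whose EPG wrongly points at TenantA's bridge domain (constructed)."""
    m = example_fabric()
    m.add_tenant("TenantB")
    m.add_ap("AP-Dev", "TenantB")
    m.add_epg("EPG-Dev", "AP-Dev", "BD3")
    return m


if __name__ == "__main__":
    print(example_fabric().validate())        # []
    print(cross_tenant_fabric().validate())   # one cross-tenant violation
```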
How to Collect ACI Tech Supports?
Step 1: Create On-demand tech support
It will take some time to generate a tech support bundle.
Make sure to check "Export to Controller" and "Include All Controllers in Tech Support".
Then simply click the URL of "Export Location" and download.
Step 2: Take Out the "tech support bundle" from the APIC controller
If downloading the tech support through the browser link fails, download the files directly from APIC storage using an SCP or SFTP client such as WinSCP or FileZilla.
1. Connect (sftp) to each APIC. The collected tech-support files are stored across all available APICs, so it is important to check each APIC for the collected tech-support files.
2. Navigate to the /data/techsupport folder on the connected APIC (repeat this step on all APIC controllers).
Look for the files whose names contain the on-demand TechSupport policy name and download those files to your computer.
ASR & ISR Routers
Cisco ASR (Aggregation Services Routers) routers are designed for the large WAN environments used by large enterprises and service providers, while ISR (Integrated Services Routers) routers are designed for small and medium-sized businesses. Both types of routers are equipped with various features and technologies to support their intended functions.
Install mode Vs Bundle mode
Install mode refers to the process of installing a package or dependency individually, while bundle mode refers to the process of installing all of a project's dependencies at once, typically as part of a bundle or package.
Install mode is best for upgrading or downgrading the Cisco IOS image on a single device, while bundle mode is best for deploying multiple devices with the same configuration.
Device# show version
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 WS-C3850-24T Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 BUNDLE
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 WS-C3850-24T Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 INSTALL
Install Mode
Install mode is the newer and recommended mode to run. This breaks the .bin file up into smaller .pkg files that must be loaded into memory independently of each other, and allows you to boot faster and utilize memory better. The .bin file that you download from software.cisco.com has all the .pkg files you need inside.
Install mode works on IOS-XE images.
Auto-upgrade is supported here: when a new switch is added to the stack, it is automatically upgraded to the current image.
Step 1 : Copy image from tftp to flash
Step 2 : install add file flash:cat.bin activate commit
Note: Think of the .bin file as a .zip file. It can be extracted to obtain the .pkg files. There is also a configuration file that indicates which .pkg files are needed. This is the process that is used when you boot in install mode.
Bundle Mode
This section describes the classic method of software upgrade, which uses a boot statement that points to the .bin file (rather than a .pkg file).
If you want to upgrade a switch to bundle mode, ensure you have copied the .bin to EVERY switch in the stack!
After you have loaded the Cisco IOS file, all you need to do is change the boot statement and reload.
configure terminal
no boot system
boot system bootflash:<new filename>
end
write
reload
What is sham link ?
A sham link is a virtual link in an Open Shortest Path First (OSPF) network that is used to connect two OSPF areas. This is typically used when there is a need to connect two areas that are separated by a non-OSPF network, such as a network using a different routing protocol.
An OSPF sham link can act as an overlay network, in the sense that it creates a virtual link between two OSPF routers that is separate from the underlying physical network. This is useful when you want a virtual link between two routers that are not directly connected. By creating such a link, you effectively "overlay" a logical network on top of the physical network, allowing the OSPF routers to exchange routing information even though they are not directly connected. This can help improve network performance and reliability, and can also provide additional security by hiding the internal details of your network from external routers.
The use of sham links can be an effective way to improve the design and efficiency of an OSPF network.
Reasons OSPF routers are stuck in the "2-way" state
First: on a broadcast network, OSPF routers form full adjacencies only with the DR and BDR, so two DROther routers legitimately stay in the "2-way" state with each other.
Second: if both routers on a broadcast network have priority zero, neither can become DR or BDR, so they stay stuck in the "2-way" state.
Reasons OSPF routers are stuck in the "ExStart" (exchange-start) state
First: an MTU mismatch, including on transit devices such as switches.
Second: unicast reachability.
Suppose the slave cannot receive unicast traffic: it will remain in the "ExStart" state, while the master, which does receive unicast traffic, moves on to the "Exchange" state.
FILTERING TYPE 3 LSA IN OSPF
FILTERING TYPE 3 LSA IN OSPF - Method 1
R3#
ip prefix-list BLOCK_INTER_AREA_PREFIX deny 9.9.0.4/32
ip prefix-list BLOCK_INTER_AREA_PREFIX permit 0.0.0.0/0 le 32
router ospf 1
area 1 filter-list prefix BLOCK_INTER_AREA_PREFIX out
R3 still has a route to 9.9.0.4/32 from a type 1 LSA (in area 1) but now originates no type 3 LSA for 9.9.0.4/32. Consequently, R1 and R2 in area 0 see neither the 9.9.0.4/32 route nor a summary LSA for 9.9.0.4.
R3#show ip ospf database summary 9.9.0.4
OSPF Router with ID (9.9.0.3) (Process ID 1)
R2#show ip route 9.9.0.4
% Subnet not in table
FILTERING TYPE 3 LSA IN OSPF - Method 2
R3#
ip prefix-list BLOCK_INTER_AREA_PREFIX deny 9.9.0.4/32
ip prefix-list BLOCK_INTER_AREA_PREFIX permit 0.0.0.0/0 le 32
router ospf 1
area 0 filter-list prefix BLOCK_INTER_AREA_PREFIX in
Again, R3 still has a route to 9.9.0.4/32 from a type 1 LSA (in area 1) but originates no type 3 LSA for 9.9.0.4/32, so R1 and R2 in area 0 see neither the 9.9.0.4/32 route nor a summary LSA for 9.9.0.4.
R3#show ip ospf database summary 9.9.0.4
OSPF Router with ID (9.9.0.3) (Process ID 1)
R2#show ip route 9.9.0.4
% Subnet not in table
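An added Python example, not Cisco code, that evaluates the BLOCK_INTER_AREA_PREFIX list above with Cisco prefix-list semantics (entries checked in order, first match wins, implicit deny at the end, optional ge/le length ranges) against constructed candidate prefixes, so you can predict which prefixes an ABR would still originate as type 3 LSAs before applying either method.

```python
import ipaddress

# Constructed example: a minimal Cisco-style prefix-list evaluator, applied the way
# "area <id> filter-list prefix <name> in|out" applies a list to candidate type 3 prefixes.


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME permit|deny A.B.C.D/len [ge N] [le M]' lines, keeping order."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or tok[3] not in ("permit", "deny"):
            raise ValueError(f"not a prefix-list line: {line!r}")
        entry = {"name": tok[2], "action": tok[3],
                 "network": ipaddress.ip_network(tok[4]), "ge": None, "le": None}
        for key, val in zip(tok[5::2], tok[6::2]):
            if key not in ("ge", "le"):
                raise ValueError(f"unknown option {key!r} in {line!r}")
            entry[key] = int(val)
        entries.append(entry)
    return entries


def entry_matches(entry, net):
    """Cisco semantics: the candidate's leading <len> bits must equal the entry's, and its
    length must be exactly <len> unless ge/le widen the accepted range."""
    base = entry["network"]
    if net.version != base.version or net.prefixlen < base.prefixlen:
        return False
    if net.network_address not in base:      # leading base.prefixlen bits differ
        return False
    lo = hi = base.prefixlen
    if entry["ge"] is not None:
        lo, hi = entry["ge"], net.max_prefixlen
    if entry["le"] is not None:
        hi = entry["le"]
    return lo <= net.prefixlen <= hi


def evaluate(entries, prefix):
    """Return 'permit' or 'deny' for one prefix; a prefix list ends with an implicit deny."""
    net = ipaddress.ip_network(prefix)
    for entry in entries:
        if entry_matches(entry, net):
            return entry["action"]
    return "deny"


def filter_type3(entries, candidate_prefixes):
    """Prefixes the ABR would still advertise as summary (type 3) LSAs after the filter."""
    return [p for p in candidate_prefixes if evaluate(entries, p) == "permit"]


BLOCK_INTER_AREA_PREFIX = parse_prefix_list([
    "ip prefix-list BLOCK_INTER_AREA_PREFIX deny 9.9.0.4/32",
    "ip prefix-list BLOCK_INTER_AREA_PREFIX permit 0.0.0.0/0 le 32",
])

if __name__ == "__main__":
    # constructed intra-area prefixes R3 might hold in area 1
    print(filter_type3(BLOCK_INTER_AREA_PREFIX, ["9.9.0.4/32", "9.9.0.3/32", "10.1.1.0/24"]))
```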
How to do packet capture in cisco ASA ?
To capture packets on a Cisco ASA, you can use the "capture" command. Here is an example of how to use this command to capture packets on an interface:
First, connect to the Cisco ASA using a command-line interface (CLI) such as a console or Telnet/SSH client.
Enter enable mode by entering the "enable" command and entering the enable password when prompted.
Create a capture buffer by entering the following command:
capture buffer_name interface interface_name
Replace "buffer_name" with a name for the capture buffer, and "interface_name" with the name of the interface on which you want to capture packets.
For example, to create a capture buffer named "mycapture" on interface "outside", you would enter the following command:
capture mycapture interface outside
Start the capture by entering the following command:
capture mycapture start
Stop the capture by entering the following command:
capture mycapture stop
View the captured packets by entering the following command:
show capture buffer_name
Replace "buffer_name" with the name of the capture buffer you created in step 3. This will display a list of the packets that were captured in the buffer.
Diffie-Hellman is a key exchange algorithm that allows two parties to securely generate a shared secret key over an unsecured communication channel. This key can then be used to encrypt subsequent communications between the two parties.
EIGRP Route Summary
Hello#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.12.0/24 is directly connected, FastEthernet0/0
D 192.168.0.0/24 [90/156160] via 192.168.12.1, 00:00:06, FastEthernet0/0
D 192.168.1.0/24 [90/156160] via 192.168.12.1, 00:00:06, FastEthernet0/0
D 192.168.2.0/24 [90/156160] via 192.168.12.1, 00:00:06, FastEthernet0/0
D 192.168.3.0/24 [90/156160] via 192.168.12.1, 00:00:06, FastEthernet0/0
Hello(config)#interface fastEthernet 0/0
Hello(config-if)# ip summary-address eigrp 1 192.168.0.0 255.255.252.0
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.12.2 (FastEthernet0/0) is resync: summary configured
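An added Python example, not from the page or Cisco, that computes the summary the ip summary-address line above hand-picks for the four EIGRP routes (192.168.0.0/22, mask 255.255.252.0) and, going beyond the text, reports any subnets a summary would cover without a matching route. The EIGRP autonomous-system number 1 is taken from the command above.

```python
import ipaddress

# Constructed example: derive the EIGRP summary from the learned prefixes and check how
# much extra address space it claims.


def summarize(prefixes):
    """Smallest single prefix covering every network in `prefixes`."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot summarise mixed IPv4/IPv6 prefixes")
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # longest mask whose block, anchored at the lowest address, still reaches the highest
    for plen in range(first.max_prefixlen, -1, -1):
        cand = ipaddress.ip_network((int(first), plen), strict=False)
        if last in cand:
            return cand
    raise AssertionError("unreachable: a /0 covers everything")


def summary_command(prefixes, asn=1):
    """The IOS interface command equivalent to the manual line in the text."""
    s = summarize(prefixes)
    return f"ip summary-address eigrp {asn} {s.network_address} {s.netmask}"


def overreach(prefixes):
    """Subnets (at the longest input mask) that the summary covers but no input prefix does.
    A non-empty result means the summary attracts traffic for address space this router has
    no real route to; EIGRP drops such traffic via the Null0 discard route it installs for the
    summary, so check the list before committing to the summary."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    s = summarize(prefixes)
    finest = max(n.prefixlen for n in nets)
    return [str(sub) for sub in s.subnets(new_prefix=finest)
            if not any(sub.subnet_of(n) for n in nets)]


if __name__ == "__main__":
    learned = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    print(summary_command(learned))   # ip summary-address eigrp 1 192.168.0.0 255.255.252.0
    print(overreach(learned))         # []
```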
EIGRP STUB
EIGRP stubs are not an "all or nothing" solution. There are different flavors, so you can choose for which types of routes the stub router should (or should not) receive queries.
Here are the flavors we have:
Receive-only: the stub router will not advertise any network.
Connected: allows the stub router to advertise directly connected networks.
Static: allows the stub router to advertise static routes (you have to redistribute them).
Summary: allows the stub router to advertise summary routes.
Redistribute: allows the stub router to advertise redistributed routes.
The default is connected + summary.
What is the F5 X-Forwarded-For header used for?
Enabling the Insert X-Forwarded-For option in the HTTP profile
To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For HTTP header, perform the following procedure:
Log in to the Configuration utility.
Go to Local Traffic > Profiles.
For Services, select HTTP.
Select Create.
Enter a name for the HTTP profile.
Select the Insert X-Forwarded-For check box.
For Insert X-Forwarded-For, select Enabled.
Select Finished.
You must now associate the new HTTP profile with the virtual server.
Using an iRule to insert the original client IP address in an X-Forwarded-For HTTP header
Log in to the Configuration utility.
Go to Local Traffic > iRules.
Select Create.
Enter a name for the iRule.
For Definition, enter the following iRule:
when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-For [IP::remote_addr]
}
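An added Python example, not F5 code, that mirrors what the iRule above does on the BIG-IP and then shows how a backend should read X-Forwarded-For so that a client cannot spoof its own address by sending the header itself. Assumptions: the BIG-IP self IPs are in 10.10.0.0/24, and the backend's HTTP stack folds repeated X-Forwarded-For header lines into one comma-separated value in arrival order, so the proxy's entry is the rightmost.

```python
import ipaddress

# Constructed example: proxy-side header insertion plus backend-side trusted-proxy parsing.
# Only addresses appended by a proxy we trust may be believed; anything a client put in the
# header before it reached the BIG-IP is attacker-controlled input.

TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/24")]   # assumed BIG-IP self IPs


def proxy_insert_xff(headers, remote_addr):
    """Mimic 'HTTP::header insert X-Forwarded-For [IP::remote_addr]': add a new header line
    carrying the connecting client's IP, leaving any client-supplied value in place."""
    return list(headers) + [("X-Forwarded-For", remote_addr)]


def fold_xff(headers):
    """Join all X-Forwarded-For lines in order, the way most HTTP stacks present them."""
    return ", ".join(v for k, v in headers if k.lower() == "x-forwarded-for")


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_value):
    """Return (ip, from_xff). The rightmost address that is not a trusted proxy is the real
    client; everything left of it was supplied by an untrusted party and is ignored."""
    remote = ipaddress.ip_address(remote_addr)
    if not _trusted(remote) or not xff_value:
        # connection bypassed the BIG-IP (or carries no header): the socket peer is the client
        return str(remote), False
    for hop in reversed([h.strip() for h in xff_value.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(remote), False        # malformed header: do not trust any of it
        if not _trusted(addr):
            return str(addr), True
    return str(remote), False                # every hop was a proxy: nothing to learn


def backend_view(request_headers, client_addr, proxy_addr, via_proxy=True):
    """Simulate one request, optionally through the BIG-IP, and return the backend's verdict."""
    headers = proxy_insert_xff(request_headers, client_addr) if via_proxy else list(request_headers)
    peer = proxy_addr if via_proxy else client_addr
    return client_ip(peer, fold_xff(headers))


if __name__ == "__main__":
    spoofed = [("Host", "app.example"), ("X-Forwarded-For", "1.2.3.4")]   # constructed request
    print(backend_view(spoofed, "203.0.113.7", "10.10.0.5"))               # ('203.0.113.7', True)
    print(backend_view(spoofed, "198.51.100.9", "10.10.0.5", via_proxy=False))  # ('198.51.100.9', False)
```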
DMVPN
Explain Next Hop Resolution Protocol (NHRP). It is a layer 2 protocol used to map a tunnel IP address to the known non-broadcast multi-access (NBMA) address. It functions similarly to ARP. The hub maintains the NHRP database of the public IP address of each spoke. When a spoke boots up, it registers its real address with the hub and queries the NHRP database for the real IP addresses of the other spokes, so that it can build direct tunnels to them.
What are three phases of DMVPN?
In phase one we use NHRP so that spokes can register themselves with the hub. Only the hub uses a multipoint GRE interface; spokes use regular point-to-point GRE tunnel interfaces, which means there is no direct spoke-to-spoke communication. All traffic has to go via the hub. The only advantages of the phase one setup are that the hub's configuration is much simpler and that summarization is possible.
In phase two, all spoke routers also use multipoint GRE tunnels, so we do have direct spoke-to-spoke tunneling. When a spoke router wants to communicate with another spoke, it sends an NHRP resolution request to the hub to find the NBMA IP address of the other spoke. Summarization is not possible in phase two.
In phase three, NHRP redirect is configured on the hub. It tells the initiating spoke to look for a better path to the destination spoke. On receiving the NHRP redirect message, the spoke sends out an NHRP resolution request; the spokes initially communicate with each other over the hub and then exchange NHRP replies for the resolution requests they sent.
NHRP shortcut, configured on the spokes, updates the CEF table: it changes the next-hop value for a remote spoke from the initial hub tunnel IP address to the NHRP-resolved tunnel IP address of the remote spoke. Summarization is possible in phase three.
R1 (HUB)
router eigrp 666
no auto-summary
network 10.0.0.0
network 172.16.0.0
exit
int tunnel 0
no ip next-hop-self eigrp 666
no ip split-horizon eigrp 666
tunnel source Gig1/0
tunnel mode gre multipoint
tunnel key 6783
ip nhrp network-id 1
ip nhrp authentication cisco123
ip nhrp shortcut
ip nhrp map multicast dynamic
ip nhrp redirect
ip address 172.16.0.1 255.255.255.0
tunnel path-mtu-discovery (does not always work correctly)
OR
ip mtu 1400
ip tcp adjust-mss 1360 (has worked well for 95+ networks)
end
R2 (SPOKE)
router eigrp 666
no auto-summary
network 10.0.0.0
network 172.16.0.0
exit
int tunnel 0
no ip next-hop-self eigrp 666
no ip split-horizon eigrp 666
tunnel source Gig1/0
tunnel mode gre multipoint
tunnel key 6783
ip nhrp network-id 1
ip nhrp authentication cisco123
ip nhrp shortcut
ip nhrp nhs 172.16.0.1
ip nhrp map 172.16.0.1 15.0.0.1
ip nhrp map multicast 15.0.0.1
ip address 172.16.0.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
end
R3 (SPOKE)
router eigrp 666
no auto-summary
network 10.0.0.0
network 172.16.0.0
exit
int tunnel 0
no ip next-hop-self eigrp 666
no ip split-horizon eigrp 666
tunnel source Gig1/0
tunnel mode gre multipoint
tunnel key 6783
ip nhrp network-id 1
ip nhrp authentication cisco123
ip nhrp shortcut
ip nhrp nhs 172.16.0.1
ip nhrp map 172.16.0.1 15.0.0.1
ip nhrp map multicast 15.0.0.1
ip address 172.16.0.3 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
end
R4 (SPOKE)
router eigrp 666
no auto-summary
network 10.0.0.0
network 172.16.0.0
exit
int tunnel 0
no ip next-hop-self eigrp 666
no ip split-horizon eigrp 666
tunnel source Gig1/0
tunnel mode gre multipoint
tunnel key 6783
ip nhrp network-id 1
ip nhrp authentication cisco123
ip nhrp shortcut
ip nhrp nhs 172.16.0.1
ip nhrp map 172.16.0.1 15.0.0.1
ip nhrp map multicast 15.0.0.1
ip address 172.16.0.4 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
end
Monitoring & Verification
show ip nhrp
Note: We have configured unencrypted DMVPN
Let's Encrypt it now
The following config must be applied on all routers (R1, R2, R3 and R4):
crypto isakmp policy 6
hash sha
authentication pre-share
group 14
lifetime 86400
encryption aes 256
crypto isakmp key cisco123 address 0.0.0.0
Note: a pre-shared key bound to address 0.0.0.0 is accepted from any peer that presents it, so all spokes share one secret; where the design allows, prefer per-peer keys or certificate authentication.
crypto ipsec transform-set OURSET esp-aes256 esp-sha-hmac
mode transport (the default is tunnel)
exit
crypto ipsec profile OUR_IPSEC_PROFILE
set transform-set OURSET
exit
interface tunnel 0
tunnel protection ipsec profile OUR_IPSEC_PROFILE
exit