Hello again, this is our lap to it is on how to protect dmvpn networks or tunnels with IPsec VPN. So basically in this topology I'm showing r1 to be the main site or to our three will be the spokes and basically this switch in the middle is the internet switch. So in this topology basically the internet switch is already configure dot 10 here will be basically the gateway for r one, r three and r two and we will be using the non broadcast IP address which is 110 dot 10 dot one Zero slash 24 subnet for all these sites dot 10 is basically for r one dot 20 or br two doctor the range will be for r three and then we have a VTi IP range which is 172 dot 10 dot one it should be dot x slash 24 where x will be basically the routers I number okay.

So we will configure first the topology and then we will configure the dmvpn tunnel between the sides and then we will use the dynamic routing protocol Ei GRP to advertise the loopback interfaces and we will secure dmvpn tunnel with IPsec. And now this is a new way of doing the dmvpn encryption for these tunnels and we'll be using something known as IPsec profile. Okay, so let's start. So I'll bring our one and we will start configuring now. Our one So first of all we will assign the loot packs. interface FA zero slash zero and IP address will be hundred dot 10 dot 10 125522552550 is the subnet mask no shirt.

Now one thing we will have to do is basically for our one to reach the other sites, we have to add static routes for to reach these segments here. So let's do that from now on IP route 110 dot 20 dot zero. Now hundred dot 10 dot 10 dot 10 is the IP address that's pointed towards the internet switch. We will do the same thing for all the routers. That's the subnet for r three. So basically we're done with r1.

Let's save the configuration now bring our two Now if you want to know more about dmvpn I have a detail training it's one of my courses that's available in the in the portal should be able to see it. If you have registered before. It should be there under your list of courses No shock. Now the same thing we will apply the static routes here to the other sides. again as I said hundred hundred 10 2010 is the gateway for our to me exit that. Let me save that now let me break Up are three do exactly the same steps.

I'll definitely recommend that if anyone has not done the dmvpn course with me To do it it will explain all the all the phases of dmvpn. That's my gateway for our three. Let me save that. Now basically we are done with the initial configuration for connectivity. I should be able to ping all the all the interfaces I want to say all the outside interfaces of the routers. So that's the right way of putting it.

So ping 110 dot 22. Okay, we can see that it's pinging all the sites. So that means there is a connectivity between all the sites just by using static routing, which is great. Now, we will start configuring the dmvpn tunnels. So let's do that. Now as you know, we have in the topology, the subnet that we will be using which is 172 dot 10 dot one dot x a slash 24 for our tunnels our first tunnel will be the one tunnel mode gr multipoint IP n h RP Click ID, we'll use 10 IP, an H RP map multicast dynamic.

Now again if you want to understand why we are using these command lines basically, you will have to go and study dmvpn topologies and design and architecture. My previous course that's available is on dmvpn in detail with all its phases. If you get a chance, please go ahead and review that course. So, that's it. All we have to do in r1. Let me save it.

Let me bring up our two IP address. Source GRP multimode is our protocol for the tunnel mode, IP and HRP network ID It's going to be 20 here. IP. next hop Resolution Protocol. An HS is the server on 72 dot 10 dot one dot one is our IP that's given to our ones tunnel interface being an HRP map, that's our mapping. Now, let's go to our three.

Let me save this Once again I'll recommend that you do step by step configuration at your own source. These are standard lines that we have to configure for dmvpn That's how we map the physical IP address to the tunnel IP address. Let me save. So basically we completed the first task which is to configure dmvpn tunnel between the sites. At this point let me Bring up r1. And let's verify a few things like if I do show IP and H RP and I do see there's two registered tunnels here.

Which is great. That's what we wanted. Now we are not done yet we have to do the eigrp implementation. So let's go back to r1. And let's apply the eigrp routing protocol, our GRP hundred. The two networks that we will advertise will be the loopback address as well as the VTi address.

There's one more configuration that we need to do in the tunnel for r1. Since r1 is the hub, we will basically disable IP split horizon and the next hop self. No IP, split horizon II II, II hundred. Now the reason we're doing that is to prevent loops in the eigrp. basically split horizon when you disable split horizon, the port that it's The port that's learning the route will not re advertise the same route back into that same port. So this will help no IP.

Next self hop AI GRP hundred and, and this other command that I put in which is the next hop self is basically disabled now so it will not use the local IP address to advertise the same route that it's learning from. So make a note of that. Let me save that I may bring our two Applying the eigrp routing protocol here as well. may do the same thing for our three as well. There you go established adjacency so that's good. We completed applying the eigrp routing protocol, which is great.

The one thing that I want to do is verify. So if I do show IP route Ei GRP Maybe missing here something um Oh, I think we didn't add the Okay, my apologies. It seems like it just really took a while to to bring up the adjacency with r1 Actually it's it's coming up and and it's losing its retrying as you can see, this is it is bound to happen I believe and Okay, so basically r1 is okay, it's fine. It's the r three and r two that are dropping the adjacency. And it's fine dmvpn requires that we do use IP n HRP multicast IP pointer so it If I go back to my tunnel interface and I use IP and HRP map, multicast and I use the interface IP address for r1. Let me just bring it down a little bit and I could see there's a adjacency here.

Let me save that. Let me bring up our three interface tunnel one IP nh RP map multicast so it's good that we wanted to verify the eigrp Let me bring back our one and as I can see now it has created Jason's see. Yes, I can see it. So this is good. It was a step that I missed and it's the IP n HRP map multicast. AGR GRP as you know, we're required that great, so we completed the task number two.

Now we will move to securing dmvpn. So let me bring our one and we'll start first by configuring the ISO camp policy. Use the hash mt five. Authentication be pretty sure group to encryption read us and one thing we will do is crypto. I said cam key, we'll make it Cisco 123 and the address will be zero dot zero dot zero dot zero. Let's create the transform set as well.

Crypto IPsec transform set. Let's call it Tran ESP does the SP mt five HMRC mode transport. Now let me let me add the crypto IPsec profile call it VPN set Transform set and we said we use Tran. Now we will add that to the tunnel interface tunnel one and I'll say, tunnel protection IPsec profile and we gave it VPN. Let me save that. Now one thing we noticed that once we applied to it IPsec profile to the interface.

The adjacency went down, which is fine. Let's keep that here. And let me bring in our two. Let's do the same thing. Let's create the crypto map and crypto is a KMP policy turn. Hash MD five encryption, three DS crypto.

That's done. crypto IPsec transform set train transport Let me first save it now get back to our two because it's saying something about the mode Okay, let me bring our three do the same thing. crypto ISO camp policy, 10 hash, MT five, authentication, pre share, group to encryption. Three das, again in encryption three deaths. My apologies. It's been Long day for me, but we have to get this done.

I said cam key Cisco 123 address dot zero crypto IPsec transform set Tran ESP does ESP mt five hm AC motor transport that is done. Let's create the crypto crypto IPsec IPsec profile VPN transform set. Now let's see if I will, I should apply this in the tunnel interface. tunnel one tunnel protection. All right IPsec profile VPN so it looks like our three day work. I know What I missed in our two I think we missed the diffie Hellman group.

So let me let me bring that that's the problem with the GNS doesn't bring. So let me go back to the configuration of the crypto ISO camp policy 10 group two So it did stablish the tunnel now, I my mic cut was right here I can see that did it great as you can see, can see the tunnel okay. So basically now it's a time to verify things what we can do is basically Look at the crypto security associations for IPsec IPsec I say and I can see as it has done a lot of encryption, encryption of the tunnel is there local identity or remote identities here. The other commands we could use is basically show crypto I said cam as a you could see that are too established connectivity with r1 which is great and it's encrypting as well. So if I ping I apologize it was out of the screen.

So if I ping the source with the loopback zero from the loopback, zero you can see it's pinging. And if I do show, crypto ISO camp essay, I can see Most of the destinations are active. on marketing we could do a show crypto IPsec as a I can include local, remote and the number of packets to verify. And yes, I can see all these all this information of packets of encryption and decryption. So with this actually I conclude this lab I know it was a lot but what I would recommend is using topology at home at your own leisure in your lab and following the steps That I have shown basically configuring the dmvpn, applying the eigrp and following the steps for the IPsec VPN. Now, there was a mode of change that I applied which was more transport.

You don't have to do that because by default, the mode is always in a tunnel mode. But this is the way I would do it in real world. And I hope you have gained a lot from this from this lab. Thank you and I hope to see you joining me in other of my courses, new courses, do review my other courses in the in in Udemy. Thank you again