Monthly Archives: September 2021

Configure HA on Cisco CME

This is a topology for this lab.

On Cisco CME R1 and R2:

+ On R1:

Configure the secondary Cisco CME at IP address 192.168.5.251, and register the CIPC phone on Cisco CME R1 with DN 1111.

 ip source-address 192.168.5.250 port 2000 secondary 192.168.5.251

+ On R2:

Configure the secondary Cisco CME at IP address 192.168.5.250.

 ip source-address 192.168.5.251 port 2000 secondary 192.168.5.250

telephony-service

 max-ephones 2

 max-dn 25

 ip source-address 192.168.5.251 port 2000 secondary 192.168.5.250

 system message TUNGLEVoIP

 max-conferences 4 gain -6

 web admin system name admin password Pa$$w0rd

 dn-webedit

 time-webedit

 transfer-system full-consult

 create cnf-files version-stamp Jan 01 2002 00:00:00

+ Next, configure CIPC softphone on Windows VM.

TFTP server 1: 192.168.5.210

TFTP server 2: 192.168.5.251

+ Shut down R1 (192.168.5.250).

The phone fails over and registers successfully on CME R2.

Install TP-Link AC600 Archer T2U Plus WiFi USB Adapter In LinuxMint

This dual-band USB adapter can provide 433 Mbps on 5 GHz.

Install TP-Link AC600 Archer T2U Nano on LinuxMint.

sudo apt install dkms git build-essential libelf-dev linux-headers-$(uname -r)
# Cloning into 'rtl8812au'
git clone https://github.com/aircrack-ng/rtl8812au.git
cd rtl8812au/
sudo make dkms_install

Unplug the TP-Link Archer T2U Plus adapter and plug it in again. The LED will start to blink. Verify the driver has been installed successfully.

sudo dkms status

Then set up your new wireless USB adapter device.

Implementing DMVPN over IPSEC

Below is a topology that is used to configure DMVPN over IPSEC. This is one of the most important topics that I have learned on CCNP ENCOR.

HUB Configuration:

int tun 0
ip addr 10.40.1.1 255.255.255.0
ipv6 addr 2001:10:40:1::1/64
ipv6 addr fe80::1 link-local
tu source gig 0/0
tun mode gre multipoint
ip nhrp authentication Cisco123
! Use NHRP to define the tunnel destination on remote sites.
ip nhrp network-id 1
ip nhrp map multicast dynamic
ipv6 nhrp network-id 1
ipv6 nhrp map multicast dynamic

SPOKE Configuration:

! Site 1:
int tun 0
ip addr 10.40.1.2 255.255.255.0
ipv6 addr 2001:10:40:1::2/64
ipv6 addr fe80::2 link-local
tu source gig 0/0
tun mode gre multipoint
ip nhrp authentication Cisco123
! Use NHRP to define the tunnel destination on remote sites.
ip nhrp network-id 1
ip nhrp nhs 10.40.1.1 nbma 150.40.1.1 multicast

ipv6 nhrp network-id 1
ipv6 nhrp nhs 2001:10:40:1::1 nbma 150.40.1.1 multicast

! Site 2:
int tun 0
ip addr 10.40.1.3 255.255.255.0
ipv6 addr 2001:10:40:1::3/64
ipv6 addr fe80::3 link-local
tu source gig 0/0
tun mode gre multipoint
ip nhrp authentication Cisco123
! Use NHRP to define the tunnel destination on remote sites.
ip nhrp network-id 1
ip nhrp nhs 10.40.1.1 nbma 150.40.1.1 multicast

ipv6 nhrp network-id 1
ipv6 nhrp nhs 2001:10:40:1::1 nbma 150.40.1.1 multicast

! Site 3:
int tun 0
ip addr 10.40.1.4 255.255.255.0
ipv6 addr 2001:10:40:1::4/64
ipv6 addr fe80::4 link-local
tu source gig 0/0
tun mode gre multipoint
ip nhrp authentication Cisco123
! Use NHRP to define the tunnel destination on remote sites.
ip nhrp network-id 1
ip nhrp nhs 10.40.1.1 nbma 150.40.1.1 multicast

ipv6 nhrp network-id 1
ipv6 nhrp nhs 2001:10:40:1::1 nbma 150.40.1.1 multicast

Use a TCLSH script to test connectivity between sites.

tclsh 

foreach X {
10.40.1.1
10.40.1.2
10.40.1.3
10.40.1.4
2001:10:40:1::1
2001:10:40:1::2
2001:10:40:1::3
2001:10:40:1::4
} {ping $X repeat 2}
# sh ip nhrp
# sh ipv6 nhrp
# sh dmvpn

+ Use an IPsec tunnel to protect DMVPN traffic.

  • IKE Configuration

crypto keyring VPN-BCITCISA
 pre-shared-key address 0.0.0.0 0.0.0.0 key Pa$$w0rd

crypto isakmp enable

crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5

crypto isakmp profile ISAKMP-Profile
 keyring VPN-BCITCISA
 match identity address 0.0.0.0

  • IPsec Configuration

crypto ipsec transform-set IPSEC-TRANSFORM esp-aes 256 esp-sha256-hmac

crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set IPSEC-TRANSFORM
 set isakmp-profile ISAKMP-Profile
 set pfs group2

  • Apply the profile to the interface Tunnel0

interface Tunnel0
 tunnel protection ipsec profile DMVPN
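
Before the IKE and IPsec settings above are reused outside a lab, they can be checked against a minimum crypto policy. The following Python audit is an added example, not part of the original post: the `audit` function, the finding names and the policy thresholds (no MD5/SHA-1, no DES/3DES, Diffie-Hellman group 14 or higher, no wildcard pre-shared key) are assumptions of this example, and the embedded sample is copied from the configuration above.

```python
import re

# Constructed sample: IKE/IPsec lines copied from the lab configuration above.
SAMPLE_CONFIG = """\
crypto keyring VPN-BCITCISA
 pre-shared-key address 0.0.0.0 0.0.0.0 key Pa$$w0rd
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto ipsec transform-set IPSEC-TRANSFORM esp-aes 256 esp-sha256-hmac
crypto ipsec profile DMVPN
 set transform-set IPSEC-TRANSFORM
 set pfs group2
"""

# Policy assumed for this example: no MD5/SHA-1, no DES/3DES, DH group 14 or higher.
WEAK_DH = {"1", "2", "5"}
WEAK_IKE_HASH = {"md5", "sha"}  # on IOS, "hash sha" selects SHA-1
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def audit(config):  # returns a list of (section, finding) pairs
    findings, section = [], ""
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("!"):
            continue  # skip blanks and IOS comments
        if not raw[0].isspace():
            section = raw.strip()  # an unindented line opens a new section
        if re.match(r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ", line):
            findings.append((section, "wildcard-psk"))
        if section.lower().startswith("crypto isakmp policy"):
            m = re.fullmatch(r"hash (\S+)", line)
            if m and m.group(1) in WEAK_IKE_HASH:
                findings.append((section, "weak-ike-hash:" + m.group(1)))
            m = re.fullmatch(r"group (\d+)", line)
            if m and m.group(1) in WEAK_DH:
                findings.append((section, "weak-dh-group:" + m.group(1)))
        m = re.fullmatch(r"set pfs group(\d+)", line)
        if m and m.group(1) in WEAK_DH:
            findings.append((section, "weak-pfs-group:" + m.group(1)))
        if line.startswith("crypto ipsec transform-set"):
            findings += [(section, "weak-transform:" + t)
                         for t in line.split()[4:] if t in WEAK_TRANSFORMS]
    return findings

if __name__ == "__main__":
    print("\n".join(f"{s}: {f}" for s, f in audit(SAMPLE_CONFIG)))
```

On the lab configuration it reports the wildcard key, `hash sha`, `group 5` and `set pfs group2`; the `esp-aes 256 esp-sha256-hmac` transform set passes.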

+ Verify DMVPN over IPSEC:

# show dmvpn detail
# show crypto isakmp sa
# show crypto ipsec sa

+ Capture DMVPN over IPSEC traffic.

Capture packets with Wireshark. The ping traffic is encrypted with ESP on the IPsec tunnel.