Cisco – IP/MPLS VPN Lab Under GNS3

If you want to get hands-on with IP/MPLS VPNs, GNS3, currently the best-known emulator for Cisco equipment, lets you build this type of network.

To build this architecture I used GNS3, as mentioned above; the goal of my lab is to set up two IP VPNs, which I named VPN1 and VPN2.

Overview of the basic devices that make up an IP/MPLS VPN infrastructure:

  • P (Provider) –> emulated Cisco 7200; mainly performs label switching (IGP routing, MPLS label switching, ...)
  • PE (Provider Edge) –> emulated Cisco 7200; the device carrying most of the intelligence of the delivered services (VRF, MPLS, MP-BGP, IGP routing between PE and P, route redistribution, ...).
  • CPE (Customer Premises Equipment) –> emulated Cisco 1700 used to simulate the customers attached to each VRF.

Building the vpn_mpls lab:

The dynagen configuration file for the topology (usable under GNS3):

Be sure to adjust the parameters for the working directory path and the location of the IOS images.

autostart = False
[localhost:7200]
workingdir = C:\GNS3\mpls_VPN.net_snapshot_191109_211525
udp = 10000
[[7200]]
ghostios = True
image = C:\Document travail FIP\divers – docs – outils\outils\images OS\ios cisco\c7200-jk9s-mz.123-12a.bin
ram = 128
sparsemem = True
idlepc = 0x60c0bd88
[[1721]]
image = C:\Document travail FIP\divers – docs – outils\outils\images OS\ios cisco\c1700-advsecurityk9-mz.124-21.bin
idlepc = 0x811f95b4
ghostios = True
sparsemem = True
chassis = 1721
[[ROUTER P2]]
console = 2020
idlepc = 0x606c3670
g0/0 = PE2 g3/0
slot1 = PA-GE
g1/0 = PE g3/0
slot2 = PA-GE
g2/0 = P g2/0
slot3 = PA-GE
slot4 = PA-GE
x = 61.0
y = 50.0
[[ROUTER CPE_VPN1_A]]
model = 1721
console = 2021
idlepc = 0x8018862c
f0 = PE g0/0
x = -178.0
y = -99.0
[[ROUTER CPE_VPN2_A]]
model = 1721
console = 2022
f0 = PE g1/0
x = -186.0
y = 79.0
[[ROUTER PE2]]
console = 2018
idlepc = 0x6073a1d8
g0/0 = CPE_VPN1_B f0
slot1 = PA-GE
g1/0 = CPE_VPN2_B f0
slot2 = PA-GE
g2/0 = P g1/0
slot3 = PA-GE
g3/0 = P2 g0/0
slot4 = PA-GE
x = 186.0
y = -15.0
[[ROUTER PE]]
console = 2017
g0/0 = CPE_VPN1_A f0
slot1 = PA-GE
g1/0 = CPE_VPN2_A f0
slot2 = PA-GE
g2/0 = P g0/0
slot3 = PA-GE
g3/0 = P2 g1/0
slot4 = PA-GE
x = -50.0
y = -19.0
[localhost:7201]
workingdir = C:\GNS3\mpls_VPN.net_snapshot_191109_211525
udp = 10100
[[7200]]
ghostios = True
image = C:\Document travail FIP\divers – docs – outils\outils\images OS\ios cisco\c7200-jk9s-mz.123-12a.bin
ram = 128
sparsemem = True
idlepc = 0x6073a1a0
[[1721]]
image = C:\Document travail FIP\divers – docs – outils\outils\images OS\ios cisco\c1700-advsecurityk9-mz.124-21.bin
idlepc = 0x806f0540
ghostios = True
sparsemem = True
chassis = 1721
[[ROUTER CPE_VPN1_B]]
model = 1721
console = 2023
idlepc = 0x803a0b28
f0 = PE2 g0/0
x = 294.0
y = -103.0
[[ROUTER P]]
console = 2019
g0/0 = PE g2/0
slot1 = PA-GE
g1/0 = PE2 g2/0
slot2 = PA-GE
g2/0 = P2 g2/0
slot3 = PA-GE
slot4 = PA-GE
x = 61.0
y = -85.0
[[ROUTER CPE_VPN2_B]]
model = 1721
console = 2024
f0 = PE2 g1/0
x = 298.0
y = 80.0
[GNS3-DATA]
workdir = C:\GNS3\mpls_VPN.net_snapshot_191109_211525
m11 = 0.707106781187
m22 = 0.707106781187
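
Before trusting a lab like this one for isolation tests it is worth checking that the topology file actually describes the links you think it does: every port is attached to exactly one peer, every peer named in a link exists, and you know which links cross between the two hypervisor instances (those are carried over UDP tunnels on the host). The following Python script is an added example, not part of the original page or of GNS3/dynagen; it parses the `[[ROUTER …]]` sections and `port = PEER port` link lines of a .net file. The embedded file is a constructed excerpt (five of the nine routers, with link declarations copied from the file above), and the line formats it recognises are assumed from that file rather than from the dynagen specification.

```python
import re

# Constructed excerpt of a dynagen .net file, in the format of the lab file above.
SAMPLE_NET = r"""
autostart = False
[localhost:7200]
workingdir = C:\GNS3\mpls_VPN
udp = 10000
[[7200]]
ghostios = True
[[ROUTER P2]]
console = 2020
g0/0 = PE2 g3/0
slot1 = PA-GE
g1/0 = PE g3/0
g2/0 = P g2/0
x = 61.0
[[ROUTER PE2]]
console = 2018
g0/0 = CPE_VPN1_B f0
g3/0 = P2 g0/0
[[ROUTER PE]]
console = 2017
g3/0 = P2 g1/0
[localhost:7201]
udp = 10100
[[ROUTER CPE_VPN1_B]]
model = 1721
f0 = PE2 g0/0
[[ROUTER P]]
console = 2019
g2/0 = P2 g2/0
[GNS3-DATA]
m11 = 0.707106781187
"""

ROUTER_HEADER = re.compile(r"^\[\[ROUTER\s+(\S+)\]\]$")
HYPERVISOR_HEADER = re.compile(r"^\[([^\[\]]+:\d+)\]$")
# A link line: "<port> = <peer> <peer_port>"; "slot1 = PA-GE" or "x = 61.0" do not match.
LINK_LINE = re.compile(r"^([a-z]+\d+(?:/\d+)?)\s*=\s*(\S+)\s+([a-z]+\d+(?:/\d+)?)$")


def parse_net(text):
    """Return ({router: hypervisor}, {(router, port): (peer, peer_port)})."""
    routers, endpoints = {}, {}
    hypervisor = router = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[["):                 # router section or model defaults
            m = ROUTER_HEADER.match(line)
            router = m.group(1) if m else None
            if router:
                routers[router] = hypervisor
            continue
        if line.startswith("["):                  # hypervisor or GNS3-DATA section
            m = HYPERVISOR_HEADER.match(line)
            hypervisor, router = (m.group(1) if m else None), None
            continue
        m = LINK_LINE.match(line)
        if m and router is not None:
            port, peer, peer_port = m.groups()
            endpoints[(router, port)] = (peer, peer_port)
    return routers, endpoints


def check_links(endpoints):
    """Fold both directions into undirected links; flag a port claimed by two peers."""
    links, problems = set(), []
    for (router, port), (peer, peer_port) in endpoints.items():
        back = endpoints.get((peer, peer_port))
        if back is not None and back != (router, port):
            problems.append(f"{peer} {peer_port} is claimed by {router} {port} and {back[0]} {back[1]}")
        links.add(frozenset([(router, port), (peer, peer_port)]))
    return links, problems


def dangling_peers(routers, endpoints):
    """Peers referenced by a link but never defined as a [[ROUTER ...]] section."""
    return sorted({peer for peer, _ in endpoints.values() if peer not in routers})


def cross_hypervisor_links(routers, links):
    """Links whose two ends live on different hypervisor instances (UDP tunnels)."""
    out = []
    for link in links:
        (r1, p1), (r2, p2) = sorted(link)
        if routers.get(r1) != routers.get(r2):
            out.append((r1, p1, r2, p2))
    return sorted(out)


if __name__ == "__main__":
    routers, endpoints = parse_net(SAMPLE_NET)
    links, problems = check_links(endpoints)
    print(f"{len(routers)} routers, {len(links)} links, problems: {problems or 'none'}")
    print("undefined peers:", dangling_peers(routers, endpoints) or "none")
    for r1, p1, r2, p2 in cross_hypervisor_links(routers, links):
        print(f"cross-hypervisor: {r1} {p1} <-> {r2} {p2}")
```

The file above declares every link from both sides, so the script folds the two declarations into one undirected link and only complains when the two sides disagree.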

The configuration files of the devices making up the topology:

The CPEs:

The configuration of these devices is relatively simple: at this stage they have no knowledge of the VPN they belong to.

CPE_VPN1_A (CUSTOMER)

hostname CPE_VPN1_A
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
!
interface FastEthernet0
ip address 10.11.11.1 255.255.255.252
speed auto
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

CPE_VPN1_B (CUSTOMER)

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CPE_VPN1_B
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
!
interface FastEthernet0
ip address 10.11.11.5 255.255.255.252
speed auto
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

CPE_VPN2_A

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CPE_VPN2_A
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
interface FastEthernet0
ip address 10.11.11.1 255.255.255.252
speed auto
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

CPE_VPN2_B (CUSTOMER)

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CPE_VPN2_B
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
!
!
interface FastEthernet0
ip address 10.11.11.5 255.255.255.252
speed auto
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

The PEs:

The configuration of the aggregation devices is more complex: it involves setting up the VPNs and providing access to the label-switching network (in MPLS terminology these are called LERs, Label Edge Routers).

PE1 (EDGE)

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip vrf VPN1
rd 1:1
route-target export 1000:1
route-target import 1000:1
!
ip vrf VPN2
rd 2:1
route-target export 2000:1
route-target import 2000:1
!
ip cef
!
!
!
interface Loopback0
ip address 172.16.1.11 255.255.255.255
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip vrf forwarding VPN1
ip address 10.11.11.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface GigabitEthernet1/0
ip vrf forwarding VPN2
ip address 10.11.11.2 255.255.255.252
negotiation auto
!
interface GigabitEthernet2/0
ip address 192.168.1.12 255.255.255.0
negotiation auto
tag-switching ip
!
interface GigabitEthernet3/0
ip address 192.168.2.12 255.255.255.0
negotiation auto
tag-switching ip
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router rip
version 2
!
address-family ipv4 vrf VPN2
redistribute bgp 64999 metric 1
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute bgp 64999 metric 1
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
router bgp 64999
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 172.16.1.12 remote-as 64999
neighbor 172.16.1.12 update-source Loopback0
!
address-family vpnv4
neighbor 172.16.1.12 activate
neighbor 172.16.1.12 send-community both
exit-address-family
!
address-family ipv4 vrf VPN2
redistribute rip metric 1
auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute rip metric 1
auto-summary
no synchronization
exit-address-family
!
ip classless
no ip http server
no ip http secure-server
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

PE2 (EDGE)

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip vrf VPN1
rd 1:1
route-target export 1000:1
route-target import 1000:1
!
ip vrf VPN2
rd 2:1
route-target export 2000:1
route-target import 2000:1
!
ip cef
!
!
!
interface Loopback0
ip address 172.16.1.12 255.255.255.255
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip vrf forwarding VPN1
ip address 10.11.11.6 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface GigabitEthernet1/0
ip vrf forwarding VPN2
ip address 10.11.11.6 255.255.255.252
negotiation auto
!
interface GigabitEthernet2/0
ip address 192.168.14.2 255.255.255.0
negotiation auto
tag-switching ip
!
interface GigabitEthernet3/0
ip address 192.168.13.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router ospf 100
log-adjacency-changes
network 172.16.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.255.255 area 0
!
router rip
version 2
!
address-family ipv4 vrf VPN2
redistribute bgp 64999 metric 1
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute bgp 64999 metric 1
network 10.0.0.0
no auto-summary
exit-address-family
!
router bgp 64999
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 172.16.1.11 remote-as 64999
neighbor 172.16.1.11 update-source Loopback0
!
address-family vpnv4
neighbor 172.16.1.11 activate
neighbor 172.16.1.11 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN2
redistribute rip metric 1
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute rip metric 1
no auto-summary
no synchronization
exit-address-family
!
ip classless
no ip http server
no ip http secure-server
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
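
In an MPLS L3VPN the separation between VPN1 and VPN2 rests entirely on the route-target policy of the PEs: the VRFs above each import only their own export target, which is why both customers can reuse the same 10.11.11.0/30 addressing on their CPEs without colliding (the RD keeps the prefixes distinct in MP-BGP). A single extra `route-target import` line on one PE would silently merge the two customers' routing tables. The following Python script is an added example, not part of the original page; it parses the `ip vrf` and `interface` blocks of the PE configurations and reports cross-VRF route-target leaks, RD mismatches between the two PEs, and prefixes that appear in more than one routing table. The embedded configurations are constructed excerpts of the PE1 and PE2 configurations above plus a deliberately leaky variant; the parser assumes only the IOS 12.3 command forms shown on this page.

```python
from collections import defaultdict

# Constructed excerpt of the PE1 configuration above (VRFs, customer-facing and one core interface).
PE1_CFG = """\
hostname PE
!
ip vrf VPN1
 rd 1:1
 route-target export 1000:1
 route-target import 1000:1
!
ip vrf VPN2
 rd 2:1
 route-target export 2000:1
 route-target import 2000:1
!
interface GigabitEthernet0/0
 ip vrf forwarding VPN1
 ip address 10.11.11.2 255.255.255.252
!
interface GigabitEthernet1/0
 ip vrf forwarding VPN2
 ip address 10.11.11.2 255.255.255.252
!
interface GigabitEthernet2/0
 ip address 192.168.1.12 255.255.255.0
 tag-switching ip
!
"""
# PE2 carries the same VRF policy with its own customer addresses (constructed from the page).
PE2_CFG = PE1_CFG.replace("hostname PE", "hostname PE2").replace("10.11.11.2", "10.11.11.6")
# Deliberately broken variant: one extra import line merges VPN2 with VPN1.
LEAKY_CFG = PE1_CFG.replace(" route-target import 2000:1\n",
                            " route-target import 2000:1\n route-target import 1000:1\n")


def parse_pe(text):
    """Return (vrfs, interfaces) from an IOS config; '!' lines terminate a block."""
    vrfs, ifaces = {}, {}
    block = None                                   # ("vrf", name) or ("iface", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
            continue
        parts = line.split()
        if parts[:2] == ["ip", "vrf"] and len(parts) == 3:      # "ip vrf VPN1"
            vrfs[parts[2]] = {"rd": None, "import": set(), "export": set()}
            block = ("vrf", parts[2])
        elif parts[0] == "interface" and len(parts) == 2:
            ifaces[parts[1]] = {"vrf": None, "address": None}
            block = ("iface", parts[1])
        elif block and block[0] == "vrf" and len(parts) >= 2:
            if parts[0] == "rd":
                vrfs[block[1]]["rd"] = parts[1]
            elif parts[0] == "route-target" and len(parts) >= 3:
                keys = ("import", "export") if parts[1] == "both" else (parts[1],)
                for key in keys:
                    vrfs[block[1]][key].add(parts[2])
        elif block and block[0] == "iface":
            if parts[:3] == ["ip", "vrf", "forwarding"] and len(parts) == 4:
                ifaces[block[1]]["vrf"] = parts[3]
            elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
                ifaces[block[1]]["address"] = (parts[2], parts[3])
    return vrfs, ifaces


def rt_leaks(vrfs):
    """(importer, exporter, targets) for every VRF that imports a target another VRF exports."""
    leaks = []
    for a, va in vrfs.items():
        for b, vb in vrfs.items():
            shared = va["import"] & vb["export"]
            if a != b and shared:
                leaks.append((a, b, sorted(shared)))
    return sorted(leaks)


def rd_mismatches(vrfs_by_pe):
    """VRF names whose RD differs between PEs (this lab uses one RD per VRF on both PEs)."""
    rds = defaultdict(set)
    for vrfs in vrfs_by_pe.values():
        for name, v in vrfs.items():
            rds[name].add(v["rd"])
    return sorted(name for name, seen in rds.items() if len(seen) > 1)


def overlapping_prefixes(ifaces):
    """Addresses used by more than one interface; owners are (vrf or None for global, interface)."""
    by_addr = defaultdict(list)
    for name, i in ifaces.items():
        if i["address"]:
            by_addr[i["address"]].append((i["vrf"], name))
    return {a: sorted(o, key=str) for a, o in by_addr.items() if len(o) > 1}


if __name__ == "__main__":
    for label, cfg in (("PE1", PE1_CFG), ("leaky", LEAKY_CFG)):
        vrfs, ifaces = parse_pe(cfg)
        print(label, "route-target leaks:", rt_leaks(vrfs) or "none")
        print(label, "shared addresses:", overlapping_prefixes(ifaces))
    print("RD mismatches:", rd_mismatches({"PE": parse_pe(PE1_CFG)[0], "PE2": parse_pe(PE2_CFG)[0]}) or "none")
```

On the real configurations the overlap report lists 10.11.11.2/30 under VPN1 and VPN2, which is expected here; the same address showing up in a VRF and in the global table (`vrf` None) would instead point at a forgotten `ip vrf forwarding` line.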

The Ps:

The configuration of these devices is relatively simple: at this stage they have no knowledge of the VPNs. Their role is mainly label switching (in MPLS terminology they are called LSRs, Label Switching Routers).

P (core switch)

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
!
!
interface Loopback0
ip address 172.16.1.13 255.255.255.255
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.1.11 255.255.255.0
duplex full
speed 1000
media-type gbic
negotiation auto
tag-switching ip
!
interface GigabitEthernet1/0
ip address 192.168.4.11 255.255.255.0
negotiation auto
tag-switching ip
!
interface GigabitEthernet2/0
ip address 192.168.5.11 255.255.255.0
negotiation auto
tag-switching ip
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router ospf 100
log-adjacency-changes
network 172.16.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.255.255 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

P2 (core switch)

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
!
interface Loopback0
ip address 172.16.1.14 255.255.255.255
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.3.11 255.255.255.0
duplex full
speed 1000
media-type gbic
negotiation auto
tag-switching ip
!
interface GigabitEthernet1/0
ip address 192.168.2.11 255.255.255.0
negotiation auto
tag-switching ip
!
interface GigabitEthernet2/0
ip address 192.168.5.12 255.255.255.0
negotiation auto
tag-switching ip
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router ospf 100
log-adjacency-changes
network 172.16.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.255.255 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

One thought on “Cisco – IP/MPLS VPN Lab Under GNS3”

  1. lyacine

    Hi,

    Well done for all this information.
