Category: Practical – Cisco

Setting up a LAN network with three VLANs on a Mikrotik RouterOS switch and a Cisco IOS router-on-a-stick

In this article, I will set up a simple LAN network consisting of two PCs, one Mikrotik box that acts as an L2 LAN switch, and one Cisco router that connects everything to the internet using NAT. The PCs and the Mikrotik switch are in separate virtual LANs (VLANs). My VLAN definition is:

  • VLAN10, name Home, network address: 10.1.10.0/24, Mikrotik port: Ether 2
  • VLAN20, name IoT, network address: 10.1.20.0/24, Mikrotik port: Ether 3
  • VLAN99, name MGMT, network address: 10.1.99.0/24, Mikrotik port: bridge
  • Ether port 1 will act as the trunk

Devices addresses:

Setting a simple LAN network with Mikrotik RouterOS and Cisco IOS

In this article, as a RouterOS CLI newbie, I will set up a simple LAN network consisting of two PCs, one Mikrotik box that acts as a simple L2 LAN switch, and one Cisco router that connects everything to the internet using NAT. All four devices are in the same broadcast domain and have IP addresses from the network address space 10.1.1.0/24.

Devices addresses:

Site-to-Site IKEv2 IPSec VPN using Pre-Shared Key Authentication – simple configuration example for two Cisco routers

This config example shows a site-to-site IPsec VPN established between two Cisco routers. The VPN uses the IKEv2 protocol with pre-shared key (PSK) authentication of the remote site. The topology simulates a Branch router connected over an ISP to the HQ router. There are several options for configuring IKEv2. In this example, I'm using a symmetric PSK with a crypto map, where the IKEv2 process is started by an ACL that identifies interesting traffic. I also do not use a GRE tunnel to interconnect the two sides; instead, simple static default routes are used.

Topology

The configuration runs on the GNS3 emulator, and I'm using the CSR1000v platform with IOS XE version 16.12.01a, as the older ISR platform (7200 15.4 IOS) does not support IKEv2. On real devices, IKEv2 is supported on Cisco ISR Generation 2 (G2) routers that run Cisco IOS software version 15.2(4)M or later (for example 29xx ISR) and on ASA with 8.4(1) and later (including ASA 5510).

CCNA study – How to configure multiple IPv6 DHCP pools on a remote Cisco router

This config example shows how to configure three DHCPv6 pools for a network setup where the DHCP server is running on a remote router. This situation emerged during my remote CCNA lesson and it found me unprepared. The main problem is with the ipv6 dhcp server POOL command, which can be executed only once; every later one overwrites the previous one. The solution is to use ipv6 dhcp server automatic, or just the ipv6 dhcp server command with some additional pool command.

Topology

The configuration runs on the GNS3 emulator. The switch runs IOSv and is primarily used for the VLAN segmentation. For R1/R2 I'm using the older ISR platform (7200 15.4 IOS); CSR-1000v is also fine. Older 12.x IOS releases are a problem, as they do not support the ipv6 dhcp server command. The DHCPv6 servers/pools are configured on R2, and the DHCPv6 relay and ND config flags on the R1 fa0/0 subinterfaces.

IOS XRv – no network interfaces in GNS3

A few words about the setup. We operate a remote GNS3 server setup where all components (server and clients) are version 2.2.25. The remote server is deployed in a Linux container.

Problem

We operate several IOS XRv 9k appliances that were left in the default state during the import process. We noticed the following problem: when running small topologies with an IOS XRv, the router had no network interfaces once it was loaded.

Stateful NAT64 – simple configuration example on Cisco routers

The example shows a simplified configuration of a stateful NAT64 demo, without DNS64. I instruct the stateful NAT64 router (CSR-1, a CSR1000v) to translate IPv6 packets into IPv4 packets (and vice versa) using algorithmic mapping (defined by RFC 6052) of the IPv4 addresses of IPv4 routers to and from IPv6 addresses, using the manually defined IPv6 prefix 2001:db8::/96. In a similar manner, the IPv6 addresses of IPv6 routers are translated to and from IPv4 addresses.

Topology

R1 and R2 run a 7200 IOS image. R1 is a pure IPv4 router; on the other side, R2 is IPv6 only.

Configuring simple MPLS network

Objective

Create a simple MPLS network and observe parts of the MPLS functionality. The MPLS network consists of four routers: two edge routers, LSE1 and LSE2, whose FastEthernet interfaces are not part of the MPLS network, and two Label Switch Routers, LSR1 and LSR2, interconnected through serial lines.

Topology

Four routers are connected in a chain line topology:

Configuration of L2TP over IPsec

Configuration of an L2TP over IPsec tunnel connection with a Cisco router as the server and a MikroTik router as the client.

Configuration of Cisco server

! Loopback address borrowed by the virtual-template, and the address pool for L2TP clients
(config)#int loopback 0
(config-if)#ip address 192.168.1.1 255.255.255.255
(config-if)#exit
(config)#ip local pool l2tp-pool 192.168.1.5 192.168.1.10
! Accept incoming L2TP sessions and clone them from virtual-template 1
(config)#vpdn enable
(config)#vpdn-group l2tp-group
(config-vpdn)#accept-dialin
(config-vpdn-acc-in)#protocol l2tp
(config-vpdn-acc-in)#virtual-template 1
(config-vpdn-acc-in)#exit
(config-vpdn)#no l2tp tunnel authentication
(config-vpdn)#exit
(config)#interface virtual-template 1
(config-if)#ip unnumbered loopback 0
(config-if)#peer default ip address pool l2tp-pool
(config-if)#ppp authentication ms-chap-v2
(config-if)#exit
! IKEv1 (ISAKMP) phase 1 policy
(config)#crypto isakmp policy 1
(config-isakmp)#encryption aes 256
(config-isakmp)#hash sha512
(config-isakmp)#authentication pre-share
(config-isakmp)#group 2
(config-isakmp)#lifetime 3600
(config-isakmp)#exit
! Pre-shared key: 0.0.0.0 matches any peer; use the peer address instead if it is known
(config)#crypto isakmp key PRESHARED_KEY address 0.0.0.0
! IPsec phase 2: ESP in transport mode, protecting the L2TP traffic
(config)#crypto ipsec transform-set l2tp-ipsec-transport-esp esp-aes 256 esp-sha512-hmac
(cfg-crypto-trans)#mode transport
(cfg-crypto-trans)#exit
! Dynamic crypto map, referenced from the static map that is applied to the interface
(config)#crypto dynamic-map my-dynamic-map 1
(config-crypto-map)#set nat demux
(config-crypto-map)#set transform-set l2tp-ipsec-transport-esp
(config-crypto-map)#exit
(config)#crypto map my-static-map 1 ipsec-isakmp dynamic my-dynamic-map
! fastEthernet 4 is the WAN interface here; use your own
(config)#interface fastEthernet 4
(config-if)#crypto map my-static-map
(config-if)#exit

Now we are able to connect to this router with an L2TP/IPsec tunnel.
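
An added check, not part of the original article: a short Python script that reads a transcript like the one above, reports the settings a reviewer would question (L2TP tunnel authentication disabled, a DH group of 1536 bits or less, a pre-shared key bound to 0.0.0.0) and verifies that every transform set, dynamic map and crypto map that is referenced is also defined. The finding names, the DH threshold and the shortened sample are this example's own assumptions.

```python
import re

PROMPT = re.compile(r"^\([\w-]+\)#\s*")      # "(config-if)#" style prompt prefix
WEAK_DH = {"1": 768, "2": 1024, "5": 1536}   # MODP group number -> size in bits

# Constructed sample: the security-relevant lines of the configuration above.
SAMPLE = """\
(config-vpdn)#no l2tp tunnel authentication
(config)#crypto isakmp policy 1
(config-isakmp)#group 2
(config)#crypto isakmp key PRESHARED_KEY address 0.0.0.0 !or peer address
(config)#crypto ipsec transform-set l2tp-ipsec-transport-esp esp-aes 256 esp-sha512-hmac
(config)#crypto dynamic-map my-dynamic-map 1
(config-crypto-map)#set transform-set l2tp-ipsec-transport-esp
(config)#crypto map my-static-map 1  ipsec-isakmp dynamic my-dynamic-map
(config)#interface fastEthernet 4 ! Your WAN interface
(config-if)#crypto map my-static-map
"""

def commands(text):
    """Yield each command as a token list, without prompt or '!' remark."""
    for line in text.splitlines():
        cmd = PROMPT.sub("", line.strip()).split("!", 1)[0].split()
        if cmd:
            yield cmd

def audit(text):
    """Return finding names: risky settings first, then dangling references."""
    findings, defined, used = [], set(), set()
    for c in commands(text):
        if c == ["no", "l2tp", "tunnel", "authentication"]:
            findings.append("l2tp-tunnel-auth-disabled")
        elif len(c) == 2 and c[0] == "group" and c[1] in WEAK_DH:
            findings.append(f"weak-dh-group-{c[1]}-{WEAK_DH[c[1]]}bit")
        elif c[:3] == ["crypto", "isakmp", "key"] and c[-1] == "0.0.0.0":
            findings.append("wildcard-psk")
        elif c[:3] == ["crypto", "ipsec", "transform-set"] and len(c) > 3:
            defined.add(("transform-set", c[3]))
        elif c[:2] == ["crypto", "dynamic-map"] and len(c) > 2:
            defined.add(("dynamic-map", c[2]))
        elif c[:2] == ["set", "transform-set"]:
            used.update(("transform-set", name) for name in c[2:])
        elif c[:2] == ["crypto", "map"] and len(c) == 3:
            used.add(("crypto-map", c[2]))        # map applied to an interface
        elif c[:2] == ["crypto", "map"] and len(c) > 3:
            defined.add(("crypto-map", c[2]))
            if "dynamic" in c[3:-1]:              # entry backed by a dynamic map
                used.add(("dynamic-map", c[c.index("dynamic", 3) + 1]))
    findings += [f"undefined-{kind}:{name}" for kind, name in sorted(used - defined)]
    return findings
```

Calling audit(SAMPLE) returns the three setting findings and no dangling references; a misspelled map or transform-set name shows up as an undefined-... entry.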