How to Configure IOS Site-Site With Stateless Failover

Nov 15, 2016 | CCNP

R1

interface f0/0
no shutdown
ip add 192.168.101.10 255.255.255.0
int s0/0
no shutdown
ip add 101.1.1.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 101.1.1.1

R2

interface fastEthernet 0/0
no shutdown
ip add 192.168.101.20 255.255.255.0
int s0/0
no shutdown
ip add 102.1.1.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 102.1.1.1

ISP

int s0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
int s0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
int s0/2
no shutdown
ip add 103.1.1.1 255.255.255.0

R3

interface fastEthernet 0/0
no shutdown
ip add 192.168.102.1 255.255.255.0
int s0/0
no shutdown
ip add 103.1.1.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 103.1.1.1

R3

R3# ping 101.1.1.100
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 1/25/64 ms
R3# pin
R3#ping 102.1.1.100
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 1/15/48 ms

R1

interface f0/0
standby 1 ip 192.168.101.1
standby 1 preempt
standby 1 priority 101
standby 1 track serial 0/0

R2

int f0/0
standby 1 ip 192.168.101.1
standby 1 preempt

R1

crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key shiva add 103.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
crypto map test 10 ipsec-isakmp
set transform-set t-set
set peer 103.1.1.100
match address 101
int s0/0
crypto map test

R2

crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key shiva add 103.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
crypto map test 10 ipsec-isakmp
set transform-set t-set
set peer 103.1.1.100
match address 101
int s0/0
crypto map test

R3

crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key shiva add 101.1.1.100
crypto isakmp key shiva add 102.1.1.100
crypto isakmp keepalive 10 10

crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
crypto map test 10 ipsec-isakmp
set transform-set t-set
set peer 101.1.1.100 default
set peer 102.1.1.100
match address 102
int s0/0
crypto map test
exit
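
A consistency check for the three crypto configurations above, added here as an example and not part of the original post: failover only works if R3 holds a key and a peer entry for both R1 and R2, the ISAKMP policies agree, and access-list 102 is the exact mirror of access-list 101. The helper names parse and audit and the POLICY, HEADEND and REMOTE constants are assumptions made for this sketch.

```python
import re
# Constructed input: crypto lines copied from this page's R1/R2 and R3 configs.
POLICY = """crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
"""
HEADEND = POLICY + """crypto isakmp key shiva add 103.1.1.100
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
set peer 103.1.1.100
match address 101
"""
REMOTE = POLICY + """crypto isakmp key shiva add 101.1.1.100
crypto isakmp key shiva add 102.1.1.100
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
set peer 101.1.1.100 default
set peer 102.1.1.100
match address 102
"""

def parse(cfg):
    """Pull out the settings both tunnel ends must agree on (hypothetical helper)."""
    lines = [l.strip() for l in cfg.splitlines()]
    policy = dict(l.split()[:2] for l in lines if re.match(
        r"(authentication|encryption|hash|group|lifetime) ", l))
    keys = {m[2]: m[1] for l in lines
            if (m := re.match(r"crypto isakmp key (\S+) add\S* (\S+)", l))}
    peers = [m[1] for l in lines if (m := re.match(r"set peer (\S+)", l))]
    acls = {m[1]: tuple(m[2].split()) for l in lines
            if (m := re.match(r"access-list (\d+) permit ip (.+)", l))}
    acl_id = next(l.split()[-1] for l in lines if l.startswith("match address"))
    return {"policy": policy, "keys": keys, "peers": peers, "acl": acls[acl_id]}

def audit(headends, remote_ip, remote_cfg):
    """headends maps each head-end public IP to its config; returns findings."""
    findings, r = [], parse(remote_cfg)
    for ip, cfg in headends.items():
        h = parse(cfg)
        if h["policy"] != r["policy"]:
            findings.append(f"{ip}: ISAKMP policy differs from remote")
        if h["keys"].get(remote_ip) is None or h["keys"][remote_ip] != r["keys"].get(ip):
            findings.append(f"{ip}: pre-shared key missing or mismatched")
        if ip not in r["peers"] or remote_ip not in h["peers"]:
            findings.append(f"{ip}: peer not configured on both ends")
        if h["acl"] != r["acl"][2:] + r["acl"][:2]:  # source/destination swapped
            findings.append(f"{ip}: crypto ACLs are not mirror images")
    return findings
```

Calling audit({"101.1.1.100": HEADEND, "102.1.1.100": HEADEND}, "103.1.1.100", REMOTE) returns an empty list for the configuration shown on this page.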

R3

R3# ping 192.168.101.1 source fastEthernet 0/0 repeat 999999999
#Type escape sequence to abort.
#Sending 999999999, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.102.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R1# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
101.1.1.100 103.1.1.100 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1# sh crypto ipsec sa
interface: Serial0/0
Crypto map tag: test, local addr 101.1.1.100
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer 103.1.1.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 455, #pkts encrypt: 455, #pkts digest: 455
#pkts decaps: 455, #pkts decrypt: 455, #pkts verify: 455
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 101.1.1.100, remote crypto endpt.: 103.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x22BFB79F(582989727)
inbound esp sas:
spi: 0xE8BC3E68(3904650856)
transform: esp-aes esp-sha-hmac

R1

R1(config)# interface s0/0
R1(config-if)# sh
R1(config-if)# shutdown

R2

*Mar 1 00:10:32.911: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
R2# sh crypto isakmp
*Mar 1 00:10:58.791: %SYS-5-CONFIG_I: Configured from console by console
R2# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
103.1.1.100 102.1.1.100 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R2#sh crypto ipsec sa
interface: Serial0/0
Crypto map tag: test, local addr 102.1.1.100
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer 103.1.1.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 328, #pkts encrypt: 328, #pkts digest: 328
#pkts decaps: 328, #pkts decrypt: 328, #pkts verify: 328
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 102.1.1.100, remote crypto endpt.: 103.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xB97B132C(3111850796)
inbound esp sas:
spi: 0x44BEA89A(1153345690)
transform: esp-aes esp-sha-hmac

R3

R3# ping 192.168.101.1 source fastEthernet 0/0 repeat 999999999
#Type escape sequence to abort.
#Sending 999999999, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.102.1
#.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!....!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
