Topology: Created by NRU for customer Merapi Utama Pharma


Uploaded by

Arham Sofyan PLI

Created by NRU for customer Merapi Utama Pharma

Topology

[Diagram labels: Router Remote, Customer switch, Customer Devices, Backhaul, PE Internet, Lintasarta Internet Cloud, Broadband Internet Cloud. Legend: DMVPN tunneling as the main link; broadband IPSec tunneling as an optional backup.]

Diagram title block: file Topology DMVPN Internet + fortinet.vsd, sheet 1, May 2018, Ver 1.0 by NRU

Copyright © PT. APLIKANUSA LINTASARTA, Indonesia



Initial data required (please ask the DCO):

a. Remote LAN IP
b. BGP ASN of the Cisco 892FSP router
c. BGP ASN of the Fortinet 50E
d. PTP IP between the Cisco router and the Fortinet
e. Static NAT IP for the Fortinet
f. Internet IP allocation, /29 or /28

CISCO 892FSP ROUTER CONFIGURATION

1. Configure all interface ip address

interface GigabitEthernet9
description LINK_TO_WAN
! allocation from idola
ip address 202.152.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
end
!
interface GigabitEthernet8
description TO-FORTINET
! allocation 1.1.34.1/30 (temporary, for Merapi Jayapura)
ip address 1.1.2.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
end
!
2. Create Default route internet

! next hop: WAN IP of the idola PE
ip route 0.0.0.0 0.0.0.0 202.152.xxx.xxx

3. Create telnet/ssh access

username cperoot privilege 15 password 0 nasional
!
line vty 0 4
login local
exec-timeout 10
transport input all
!
service password-encryption
!
4. Create Timezone

clock timezone WIB +7

5. Create IP Sec Profile

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set MY-TRANSFORM esp-3des esp-md5-hmac
!
crypto ipsec profile MY-PROFILE
set security-association lifetime seconds 1200
set transform-set MY-TRANSFORM
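
An added example (not part of the original guide or of any vendor tool): a small Python check that flags the weak settings used in the router steps above, namely clear-text password storage, telnet on the vty lines, MD5, 3DES and a pre-shared key accepted from any peer. The rule ids and the `audit_ios` name are made up for this example, and the sample is constructed from steps 3 and 5 with the secrets replaced by placeholders.

```python
import re

# Constructed sample mirroring steps 3 and 5 of this guide (secrets replaced by placeholders).
SAMPLE = """\
username cperoot privilege 15 password 0 EXAMPLE
line vty 0 4
login local
transport input all
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key EXAMPLE-KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MY-TRANSFORM esp-3des esp-md5-hmac
"""

# (rule id, regex on a stripped line, reason); rule ids are names made up for this example.
LINE_RULES = [
    ("plaintext-password", r"username \S+ .*\bpassword 0 ", "password stored in clear text"),
    ("vty-telnet", r"transport input (all\b|.*\btelnet\b)", "vty lines accept telnet"),
    ("ike-md5", r"hash md5$", "IKE policy hashes with MD5"),
    ("wildcard-psk", r"crypto isakmp key \S+ address 0\.0\.0\.0\b", "pre-shared key accepted from any peer"),
    ("esp-3des", r"crypto ipsec transform-set .*\besp-3des\b", "ESP encrypts with 3DES"),
    ("esp-md5", r"crypto ipsec transform-set .*\besp-md5-hmac\b", "ESP authenticates with HMAC-MD5"),
]
IKE_SUBCOMMANDS = ("encr", "hash", "authentication", "group", "lifetime")

def audit_ios(config):
    """Return the sorted rule ids triggered by an IOS configuration text."""
    hits = set()
    policy_open, has_encryption = False, False
    for line in [l.strip() for l in config.splitlines()] + ["!"]:  # "!" closes a trailing policy
        if policy_open and not line.startswith(IKE_SUBCOMMANDS):
            if not has_encryption:
                hits.add("ike-no-explicit-encryption")  # cipher left to the platform default
            policy_open = False
        if re.match(r"crypto isakmp policy \d+$", line):
            policy_open, has_encryption = True, False
        elif policy_open and line.startswith("encr"):
            has_encryption = True
        for rule_id, pattern, _reason in LINE_RULES:
            if re.match(pattern, line):
                hits.add(rule_id)
    return sorted(hits)

if __name__ == "__main__":
    reasons = {rid: why for rid, _p, why in LINE_RULES}
    for rid in audit_ios(SAMPLE):
        print(rid, "-", reasons.get(rid, "isakmp policy sets no encryption algorithm"))
```

A configuration that restricts the vty lines to SSH and sets AES and SHA-2 explicitly in both the IKE policy and the transform set produces no findings.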

6. Create DMVPN Hub at the backhaul (backhaul only)

interface Tunnel0
ip address 172.16.255.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
no ip split-horizon eigrp 99
ip nhrp network-id 1
ip nhrp holdtime 600
tunnel source gi8
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile MY-PROFILE
end

7. Create DMVPN Spoke at the remote site

interface Tunnel0
! temporary allocation for Merapi Jayapura: 172.16.255.34
ip address 172.16.255.x 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 172.16.255.1 182.23.95.98
ip nhrp map multicast 182.23.95.98
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 172.16.255.1
tunnel source e 0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile MY-PROFILE
end

8. Check DMVPN tunnel and IPSEC tunnel status

Router#ping 172.16.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/8 ms
Router#

Router#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.0.1 port 500
Session ID: 0
IKEv1 SA: local 10.0.0.2/500 remote 10.0.0.1/500 Active
IPSEC FLOW: permit 47 host 10.0.0.2 host 10.0.0.1
Active SAs: 2, origin: crypto map

9. Create EIGRP routing and redistribute BGP at the remote site for DMVPN

route-map LAN-OUT permit 10
match ip address LAN
!
ip access-list standard LAN
permit 192.168.200.0 0.0.0.255
!
router eigrp 99
network 172.16.255.0 0.0.0.255
redistribute bgp 64102 metric 10000 100 255 1 1500 route-map LAN-OUT
no auto-summary
!
10. Create NAT for the LAN and static NAT for the Fortinet

ip nat inside source list LAN interface GigabitEthernet9 overload
!static NAT to open the Fortinet from the internet; do not use the same IP as the
!WAN interface
!allocation from idola: an IP that is not used on the WAN
ip nat inside source static 1.1.34.2 202.152.xxx.xxx

11. Check EIGRP status

Router#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(99)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.255.1 Tu0 14 00:30:58 1 3000 0 4
Router#

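12. Create BGP routing and redistribute EIGRP from the Cisco 892FSP to the Fortinet at the remote site

router bgp 64102
bgp log-neighbor-changes
! neighbor is the Fortinet PTP address (1.1.34.2 in the Merapi Jayapura allocation)
neighbor 1.1.34.2 remote-as 64202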
!
address-family ipv4
network 0.0.0.0
redistribute eigrp 99 route-map SERVER-IP
neighbor 1.1.34.2 activate
neighbor 1.1.34.2 soft-reconfiguration inbound
default-information originate
exit-address-family
!
route-map SERVER-IP permit 10
match ip address SERVER
!
ip access-list standard SERVER
permit 192.168.11.0 0.0.0.255
permit 192.168.12.0 0.0.0.255
permit 192.168.13.0 0.0.0.255
permit 192.168.14.0 0.0.0.255
permit 192.168.15.0 0.0.0.255
permit 192.168.16.0 0.0.0.255
permit 192.168.17.0 0.0.0.255
permit 192.168.18.0 0.0.0.255
permit 192.168.19.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.21.0 0.0.0.255
permit 192.168.22.0 0.0.0.255
permit 192.168.23.0 0.0.0.255
permit 192.168.24.0 0.0.0.255
permit 192.154.28.64 0.0.0.63
permit 192.168.0.0 0.0.3.255
permit 192.168.10.0 0.0.0.7
permit 192.168.10.8 0.0.0.7
!

13. Check BGP status

Router#show ip bgp summary

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.3.2 4 64203 14 14 3 0 0 00:09:06 1

Router#show ip bgp neighbors 1.1.3.2 advertised-routes

Network Next Hop Metric LocPrf Weight Path
*> 192.168.11.0 172.16.255.1 27008000 32768 ?
~
*> 192.168.24.0 172.16.255.1 27008000 32768 ?

Total number of prefixes 19

FORTIGATE 50E CONFIGURATION

1. Factory reset the Fortinet

execute factoryreset
y

2. Configure all interface ip address

config system interface
edit wan1
set mode static
set ip 1.1.34.2 255.255.255.252
set allowaccess ping https ssh http telnet fgfm
next
edit lan
set ip 192.168.134.1 255.255.255.0
set allowaccess ping https ssh http fgfm capwap telnet
end

3. Configure BGP and check BGP status

config router bgp
set as 64202
set router-id 1.1.34.2
config neighbor
edit 1.1.34.1
set soft-reconfiguration enable
set remote-as 64102
end
config network
edit 1
set prefix 192.168.134.0/24
end
end

FGT50E3U17024290 # get router info bgp summary
BGP router identifier 1.1.2.2, local AS number 64202
BGP table version is 6
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.2.1 4 64102 417 428 5 0 0 05:38:39 19

Total number of neighbors 1

4. Config DHCP server

config system dhcp server
edit 1
set default-gateway 192.168.134.1
set netmask 255.255.255.0
set interface "lan"
config ip-range
edit 1
set start-ip 192.168.134.10
set end-ip 192.168.134.250
next
end
set timezone-option default
set dns-service specify
set dns-server1 192.168.2.248
set dns-server2 202.152.5.36
set dns-server3 202.152.0.2
next
end

5. Config Firewall policy

config firewall policy
edit 1
set name "lan_wan1"
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set nat disable
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "wan1_lan"
set srcintf "wan1"
set dstintf "lan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set name "lan_wan2"
set srcintf "lan"
set dstintf "wan2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
end
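
An added example (not part of the original guide or of any Fortinet tool): a Python check that parses flat FortiOS `config`/`edit`/`set` blocks and flags the two exposures in steps 2 and 5 above, clear-text management protocols on the WAN port and an accept-all policy from WAN to LAN. The function names are made up here, the sample is constructed from those steps, and treating every `wan*` port as untrusted is an assumption of this example.

```python
import shlex
# Constructed sample mirroring steps 2 and 5 of the FortiGate section of this guide.
SAMPLE = '''\
config system interface
edit wan1
set allowaccess ping https ssh http telnet fgfm
next
end
config firewall policy
edit 2
set srcintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end
'''

def parse_fortios(text):
    """Parse flat (non-nested) config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for words in map(shlex.split, text.splitlines()):
        if not words:
            continue
        if words[0] == "config" and entry is None:
            section = tree.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit" and section is not None:
            entry = section.setdefault(words[1], {})
        elif words[0] == "set" and entry is not None:
            entry[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            entry = None
    return tree

def audit_fortios(text):
    """Findings as (section, entry, issue); assumes (for this example) that wan* ports are untrusted."""
    tree, out = parse_fortios(text), []
    for name, cfg in tree.get("system interface", {}).items():
        clear = sorted({"http", "telnet"} & set(cfg.get("allowaccess", [])))
        if name.startswith("wan") and clear:
            out.append(("system interface", name, "clear-text management: " + ",".join(clear)))
    for pid, p in tree.get("firewall policy", {}).items():
        inbound = any(i.startswith("wan") for i in p.get("srcintf", []))
        wide = all(p.get(k) == [v] for k, v in (("srcaddr", "all"), ("dstaddr", "all"), ("service", "ALL")))
        if inbound and wide and p.get("action") == ["accept"]:
            out.append(("firewall policy", pid, "accepts any source, destination and service from WAN"))
    return sorted(out)

if __name__ == "__main__":
    print(audit_fortios(SAMPLE))
```
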

6. Cross-check the link

Make sure routing on the Merapi Utama Pharma side already points to the Internet DMVPN. Ask the Merapi head-office IT team for help.

telnet to DMVPN HUB:

telnet 182.23.95.98
username : cperoot
password : nasional

Make sure the branch LAN IP is already present on the DMVPN Hub router.

2018002921_MUP#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 182.23.95.97 to network 0.0.0.0

D EX 192.168.104.0/24 [170/26905600] via 172.16.255.18, 03:30:40, Tunnel0
D EX 192.168.111.0/24 [170/26905600] via 172.16.255.29, 05:23:17, Tunnel0
D EX 192.168.123.0/24 [170/26905600] via 172.16.255.2, 1d12h, Tunnel0
D EX 192.168.134.0/24 [170/26905600] via 172.16.255.16, 2d07h, Tunnel0
2018002921_MUP#

FGT50E3U17024290 # execute ping-options source 192.168.123.1
FGT50E3U17024290 # execute ping 192.168.2.248
PING 192.168.2.248 (192.168.2.248): 56 data bytes
64 bytes from 192.168.2.248: icmp_seq=0 ttl=124 time=6.3 ms
64 bytes from 192.168.2.248: icmp_seq=1 ttl=124 time=6.2 ms
64 bytes from 192.168.2.248: icmp_seq=2 ttl=124 time=6.6 ms
64 bytes from 192.168.2.248: icmp_seq=3 ttl=124 time=6.6 ms
64 bytes from 192.168.2.248: icmp_seq=4 ttl=124 time=9.7 ms

--- 192.168.2.248 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 6.2/7.0/9.7 ms
