CCIEv5 DMVPN Quick Guide By CCSI: Yasser Auda

OK, let's talk first about the following topology:



HQ (the hub) connects to the Internet (the cloud), and so do two branches (the spokes); each site has its own public IP address.

I can make these sites reach each other using their private IP addresses over GRE tunnels.
GRE provides a point-to-point tunnel (we need both tunnel source and tunnel destination under the tunnel interface).

GRE Important Notes
GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, such as IP, IPX, AppleTalk, etc.

GRE creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork, connecting multiprotocol subnets across a single-protocol backbone.

GRE adds a GRE header plus an outer tunneling IP header, at least 24 bytes of additional overhead per tunneled packet; that is why we decrease the tunnel MTU to 1400, to leave room for these additional bytes.

A GRE tunnel can let two endpoints communicate between their private subnets while the physical interfaces carry public IP addresses; it can also let two IPv6 islands communicate across a sea of IPv4 networks.

A GRE tunnel does not encrypt or otherwise secure the data that goes through it unless we add IPsec.

GRE can provide a point-to-multipoint tunnel using mGRE.




Types of IP addresses we will use with GRE or mGRE (with DMVPN):
The hub and spoke public IP addresses are also called the infrastructure addressing space, outside addresses, service provider addresses, or NBMA IP addresses; all these names mean the same thing.

The hub and spoke private IP addresses (tunnel IP addresses) are also called the enterprise addressing space or inside addresses.


Example: R1's public IP address is 10.1.12.1 and R2's public IP address is 10.1.12.2. Let's create a tunnel through the Internet to connect them; the tunnel network will be 180.180.180.0/24.

R1
interface Tunnel1
ip address 180.180.180.1 255.255.255.0
ip mtu 1400
tunnel source 10.1.12.1
tunnel destination 10.1.12.2
!
interface FastEthernet0/0
ip address 10.1.12.1 255.255.255.0

R2
interface Tunnel1
ip address 180.180.180.2 255.255.255.0
ip mtu 1400
tunnel source 10.1.12.2
tunnel destination 10.1.12.1
!
interface FastEthernet0/0
ip address 10.1.12.2 255.255.255.0


But what if I have 100 branches that want to connect to HQ? Will I need 100 GRE tunnels?
In this case we use mGRE, which provides point-to-multipoint dynamic tunnels (we need only tunnel source under the tunnel interface).

Both GRE and mGRE support unicast, multicast, and broadcast traffic, but with mGRE there are some considerations, which we will cover later when implementing an IGP over DMVPN.

DMVPN
The DMVPN feature allows you to create a single mGRE tunnel interface and a single IPsec profile.

DMVPN components:
CEF is running
Multipoint GRE (mGRE)
NHRP (Next Hop Resolution Protocol)
Dynamic routing protocol or static routes
Optional: IPsec (GRE and mGRE do not provide cryptographic protection, which is why we need IPsec to do it for us).

To let spokes talk to each other we need mappings to be configured; that is why we use NHRP.
In a plain GRE tunnel we do not need NHRP because the other peer (the tunnel destination address) is statically configured.

NHRP Notes:
NHRP works like a layer 2 address resolution protocol such as ARP or Inverse ARP.

NHRP is used by spokes to determine the NBMA address of the next-hop router.

NHRP maps tunnel IP addresses to NBMA IP addresses, statically or dynamically.

Next Hop Resolution Protocol (NHRP) is a client/server protocol in which the hub acts as the NHRP server (NHS) and the spokes are the NHRP clients (NHC).

Each spoke registers its public and internal tunnel addresses when it boots and queries the NHRP database for the addresses of other spokes.

Adding a new spoke router to the DMVPN requires no configuration on the hub. The spoke is configured with the hub information and dynamically registers with the hub router.

DMVPN can be configured in one of three ways, which we technically call Phases 1, 2, and 3:

DMVPN Phases:

Phase 1 (hub-and-spoke deployment model)
-mGRE is configured on the hub, GRE on the spokes
-multicast or unicast traffic flows between the hub and spokes only, NOT spoke to spoke
-can be configured statically, or the NHCs dynamically register themselves with the NHS
-(in Phase 1 spokes talk to each other through the hub)

Phase 2 (spoke-to-spoke deployment model, partial or full mesh)
-the hub and all spokes are configured with mGRE
-(in Phase 2 spokes can talk to each other directly)


Phase 3
Is identical to Phase 2 with one major difference: we use the ip nhrp redirect command. I will explain this later when we talk about running an IGP/EGP over DMVPN.


The following steps happen in Phase 2, where spokes can communicate with each other directly:

1-Spoke1 consults its local NHRP cache for spoke2's tunnel IP address and finds no entry.
2-It sends an NHRP query to the NHRP server (the DMVPN hub router) to resolve the inner (tunnel) address to the external physical IP address of spoke2.
3-The NHRP server, which maintains the inner (tunnel) and outer (physical) addresses of the spoke routers, sends an NHRP reply to spoke1 informing it that the inner tunnel IP of spoke2 is reachable through its outer (physical) IP address.
4-Spoke1 receives the response from the server and enters it into its local NHRP cache.

DMVPN configuration
In both Phases 1 and 2 we can use static mapping or dynamic mapping; let's examine this:

Phase 1 static mapping example:

Hub

int tunnel 1
ip add 10.1.1.1 255.255.255.0
tunnel source 192.1.1.1
tunnel mode gre multipoint < notice the absence of the tunnel destination command; it has been replaced by tunnel mode gre multipoint, which designates this tunnel as a multipoint GRE tunnel
ip nhrp network-id 111 < enables NHRP on this tunnel; must be the same on the NHRP server and its NHRP clients
ip nhrp map 10.1.1.2 192.1.2.2
ip nhrp map 10.1.1.3 192.1.3.3
ip nhrp map 10.1.1.4 192.1.4.4 < these ip nhrp map commands map each spoke's tunnel IP address to that spoke's NBMA IP address

Note: To support dynamic routing protocols, enable support for IP multicast traffic with the ip nhrp map multicast dynamic command under the hub tunnel interface. This allows each spoke to register as a receiver of multicast traffic, causing the hub to replicate and forward multicast packets to the spoke routers. On the spokes we type ip nhrp map multicast 1.1.1.10 (where 1.1.1.10 stands for the hub's public IP address); this ensures multicast traffic is sent only from the spokes to the hub and not from spoke to spoke. All multicast traffic should be received by the hub and processed, and then updates are sent out to the spokes.

In Phase 1 there is no need for the multicast map command on the spokes, since the spoke-to-hub tunnel is point-to-point because we used GRE on the spokes.


Spoke1
(notice that in Phase 1 we do not type the tunnel mode command on the spokes, since we are using the default, GRE over IP)
int tunnel 1
ip add 10.1.1.2 255.255.255.0
tunnel source 192.1.2.2 < or tunnel source f0/0 if FastEthernet0/0 gets a dynamic public IP address
tunnel destination 192.1.1.1
ip nhrp network-id 222
ip nhrp map 10.1.1.1 192.1.1.1

Spoke2
int tunnel 1
ip add 10.1.1.3 255.255.255.0
tunnel source f0/0
tunnel destination 192.1.1.1
ip nhrp network-id 333
ip nhrp map 10.1.1.1 192.1.1.1


Note: we can add the following command on the hub and the spokes to authenticate NHRP: ip nhrp authentication Cbtme. It allows only authenticated updates and queries to the NHRP database, ensuring that unwanted queries are not given any information about the DMVPN network.

Phase 1 dynamic mapping example:

Hub (has no mapping commands)

int tunnel 1
ip add 10.1.1.1 255.255.255.0
tunnel source 192.1.1.1
tunnel mode gre multipoint
ip nhrp network-id 111


Spoke1
int tunnel 1
ip add 10.1.1.2 255.255.255.0
tunnel source 192.1.2.2
tunnel destination 192.1.1.1
ip nhrp network-id 222
ip nhrp map 10.1.1.1 192.1.1.1 < maps the NHS address (10.1.1.1) to the hub's (R1's) public IP address (192.1.1.1)

ip nhrp nhs 10.1.1.1 < sends the registration request to the hub; tells our spoke router who the Next Hop Server (NHS) is


Spoke 2
int tunnel 1
ip add 10.1.1.3 255.255.255.0
tunnel source f0/0
tunnel destination 192.1.1.1
ip nhrp network-id 333
ip nhrp map 10.1.1.1 192.1.1.1
ip nhrp nhs 10.1.1.1

Why use the tunnel source f0/0 command?
All spokes with a dynamic WAN IP address must be configured to bind the physical WAN interface as the tunnel source. This way, when the spoke's WAN IP changes, it will be able to update the NHS with its new WAN IP address.

Note: In the spoke 1 configuration we configured a static IP address on its WAN interface FastEthernet0/0, but for the sake of this example let us assume it was dynamically provided by the ISP.

Verification commands for all phases:
sh ip nhrp
sh ip nhrp detail

On the hub (NHRP server), these display the NHRP mappings for all registered spokes.

On a spoke (NHRP client), they show a static mapping for the hub router, a local mapping for the local spoke, and dynamic mappings for any spokes to which the local spoke is sending traffic.


show ip nhrp nhs
Displays the NHRP next-hop server information and can be used to show NHRP mapping information for a device.

debug nhrp packet

sh dmvpn
Verifies spoke registrations on the hub router.
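As an added example (not from the guide), the following Python script parses the output of sh ip nhrp taken on the hub and compares every registered spoke with an allow-list of expected NBMA addresses, so that an unknown spoke registering, or a known spoke registering from an unexpected public address, is flagged. SAMPLE_OUTPUT is constructed for this example in the layout IOS uses for the command; EXPECTED holds the guide's spoke addresses, and the names parse_show_ip_nhrp and audit_registrations are chosen here.

```python
# Added example (not from the guide): parse "show ip nhrp" output taken on the hub
# and compare the registered spokes with an allow-list of expected NBMA addresses,
# so that an unknown spoke, or a known spoke registering from an unexpected public
# address, is flagged. SAMPLE_OUTPUT is constructed for this example in the layout
# IOS uses for the command; EXPECTED holds the guide's Phase 2 spoke addresses.

import re

SAMPLE_OUTPUT = """\
10.1.1.2/32 via 10.1.1.2
   Tunnel1 created 00:12:41, expire 01:47:18
   Type: dynamic, Flags: unique registered used
   NBMA address: 192.1.2.2
10.1.1.3/32 via 10.1.1.3
   Tunnel1 created 00:09:05, expire 01:50:54
   Type: dynamic, Flags: unique registered used
   NBMA address: 192.1.3.3
10.1.1.4/32 via 10.1.1.4
   Tunnel1 created 00:00:37, expire 01:59:22
   Type: dynamic, Flags: unique registered used
   NBMA address: 198.51.100.77
"""

# tunnel address -> NBMA address each spoke is expected to register from
EXPECTED = {"10.1.1.2": "192.1.2.2", "10.1.1.3": "192.1.3.3", "10.1.1.4": "192.1.4.4"}

ENTRY_RE = re.compile(r"^(\S+)/(\d+) via (\S+)\s*$")


def parse_show_ip_nhrp(text):
    """Return one dict per NHRP cache entry: tunnel, prefixlen, next_hop, interface, type, flags, nbma."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"tunnel": m.group(1), "prefixlen": int(m.group(2)), "next_hop": m.group(3),
                   "interface": None, "type": None, "flags": [], "nbma": None}
            entries.append(cur)
            continue
        if cur is None:
            continue                       # banner or prompt before the first entry
        body = line.strip()
        if body.startswith("Type:"):
            kind, _, flags = body.partition(", Flags:")
            cur["type"] = kind.split(":", 1)[1].strip()
            cur["flags"] = flags.split()
        elif body.startswith("NBMA address:"):
            cur["nbma"] = body.split(":", 1)[1].strip()
        elif " created " in body:
            cur["interface"] = body.split()[0]
    return entries


def audit_registrations(entries, expected):
    """Check dynamic registrations against expected tunnel -> NBMA mappings.

    Returns (problems, missing): problems is a list of (tunnel, nbma, reason)
    and missing lists expected spokes that have not registered at all.
    """
    problems, seen = [], set()
    for e in entries:
        if e["type"] != "dynamic" or "registered" not in e["flags"]:
            continue                       # static hub entries and resolved-only entries are not registrations
        seen.add(e["tunnel"])
        want = expected.get(e["tunnel"])
        if want is None:
            problems.append((e["tunnel"], e["nbma"], "unknown spoke registered"))
        elif want != e["nbma"]:
            problems.append((e["tunnel"], e["nbma"], f"NBMA changed from {want}"))
    missing = sorted(set(expected) - seen)
    return problems, missing


if __name__ == "__main__":
    found = parse_show_ip_nhrp(SAMPLE_OUTPUT)
    for tunnel, nbma, reason in audit_registrations(found, EXPECTED)[0]:
        print(f"ALERT {tunnel} from {nbma}: {reason}")
```

For spokes that really do receive their WAN address dynamically from the ISP, the allow-list would hold the ISP prefix rather than a single address, or the check is limited to flagging tunnel addresses that were never provisioned; either way the registrations held by the hub are an inventory worth comparing against what you expect.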












Phase 2 static mapping example:

Hub

int tunnel 1
ip add 10.1.1.1 255.255.255.0
tunnel source 192.1.1.1
tunnel mode gre multipoint
ip nhrp network-id 111
ip nhrp map 10.1.1.2 192.1.2.2
ip nhrp map 10.1.1.3 192.1.3.3
ip nhrp map 10.1.1.4 192.1.4.4

spoke1
int tunnel 1
ip add 10.1.1.2 255.255.255.0
tunnel source f0/0
tunnel mode gre multipoint
ip nhrp network-id 111
ip nhrp map 10.1.1.1 192.1.1.1 < map to hub
ip nhrp map 10.1.1.3 192.1.3.3 < map to spoke 2
ip nhrp map 10.1.1.4 192.1.4.4 < map to spoke 3

spoke2
int tunnel 1
ip add 10.1.1.3 255.255.255.0
tunnel source f0/0
tunnel mode gre multipoint
ip nhrp network-id 111
ip nhrp map 10.1.1.1 192.1.1.1 < map to hub
ip nhrp map 10.1.1.2 192.1.2.2 < map to spoke 1
ip nhrp map 10.1.1.4 192.1.4.4 < map to spoke 3

Phase 2 dynamic mapping example:

Hub (without static mapping)

int tunnel 1
ip add 10.1.1.1 255.255.255.0
tunnel source 192.1.1.1
tunnel mode gre multipoint
ip nhrp network-id 111






spoke 1
int tunnel 1
ip add 10.1.1.2 255.255.255.0
tunnel source f0/0
tunnel mode gre multipoint
ip nhrp network-id 111
ip nhrp map 10.1.1.1 192.1.1.1 < map to hub
ip nhrp nhs 10.1.1.1

spoke2
int tunnel 1
ip add 10.1.1.3 255.255.255.0
tunnel source f0/0
tunnel mode gre multipoint
ip nhrp network-id 111
ip nhrp map 10.1.1.1 192.1.1.1 < map to hub
ip nhrp nhs 10.1.1.1


Note: Optionally, to avoid problems with fragmentation of user packets in GRE tunnels, set the IP MTU size with the ip mtu command and set the TCP MSS value using the ip tcp adjust-mss interface command.

Spoke(config)# interface tunnel0
Spoke(config-if)# ip address 10.1.1.2 255.255.0.0
Spoke(config-if)# ip mtu 1400
Spoke(config-if)# ip tcp adjust-mss 1360
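The figures behind ip mtu 1400 and ip tcp adjust-mss 1360 can be worked out rather than memorised. The following Python is an added example, not part of the guide: it computes the bytes added by GRE (the 24 bytes mentioned in the GRE notes at the start of the guide) and by IPsec ESP around the GRE packet, then searches for the largest inner packet that still fits a 1500-byte link. Header sizes are the standard ones; the cipher parameters default to the guide's esp-3des esp-md5-hmac transform set in tunnel mode, and the function names are this example's own.

```python
# Added example (not from the guide): compute the per-packet overhead of GRE and
# of GRE protected by IPsec ESP, then derive the tunnel "ip mtu" and the
# "ip tcp adjust-mss" value that keep packets from being fragmented on a
# 1500-byte link. Header sizes are the standard ones (IPv4 20, GRE 4 plus 4 for a
# tunnel key, ESP SPI+sequence 8); the cipher and integrity parameters default to
# the guide's esp-3des esp-md5-hmac transform set in tunnel mode and are assumptions
# of this example, not values read from a device.

IPV4_HEADER = 20
GRE_HEADER = 4
GRE_KEY = 4          # only when "tunnel key" is configured
TCP_HEADER = 20
ESP_SPI_SEQ = 8
ESP_TRAILER = 2      # pad length + next header


def gre_overhead(tunnel_key=False):
    """Bytes added by GRE encapsulation: outer IPv4 header + GRE header (+ key)."""
    return IPV4_HEADER + GRE_HEADER + (GRE_KEY if tunnel_key else 0)


def esp_overhead(payload_len, block_size=8, iv_len=8, icv_len=12, tunnel_mode=True):
    """Bytes ESP adds around a payload_len-byte payload.

    block_size/iv_len are 8 for 3DES-CBC and 16 for AES-CBC; icv_len is 12 for
    HMAC-MD5-96 and HMAC-SHA1-96 (16 for HMAC-SHA256-128). Payload plus the
    2-byte trailer is padded up to a multiple of the block size; tunnel mode
    adds a second outer IPv4 header.
    """
    padded = -(-(payload_len + ESP_TRAILER) // block_size) * block_size  # ceil to block
    padding = padded - payload_len - ESP_TRAILER
    total = ESP_SPI_SEQ + iv_len + padding + ESP_TRAILER + icv_len
    return total + (IPV4_HEADER if tunnel_mode else 0)


def encapsulated_size(inner_len, ipsec=True, tunnel_key=False, tunnel_mode=True, **esp):
    """Size on the wire of an inner_len-byte IP packet after GRE (and ESP)."""
    gre_pkt = inner_len + gre_overhead(tunnel_key)
    if not ipsec:
        return gre_pkt
    # tunnel mode wraps the whole GRE/IP packet; transport mode keeps the GRE
    # packet's IP header outside ESP and protects only GRE header + inner packet
    payload = gre_pkt if tunnel_mode else gre_pkt - IPV4_HEADER
    return gre_pkt + esp_overhead(payload, tunnel_mode=tunnel_mode, **esp)


def recommended_tunnel_mtu(physical_mtu=1500, **kwargs):
    """Largest inner packet that still fits physical_mtu after encapsulation.
    Found by searching downward, because ESP padding depends on the length."""
    for inner in range(physical_mtu, 0, -1):
        if encapsulated_size(inner, **kwargs) <= physical_mtu:
            return inner
    return 0


def tcp_mss_for_mtu(ip_mtu):
    """TCP MSS that keeps a full segment inside ip_mtu (IPv4 and TCP without options)."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    print("GRE only: overhead", gre_overhead(), "bytes, max ip mtu", recommended_tunnel_mtu(ipsec=False))
    print("GRE + ESP 3DES/MD5 tunnel mode: max ip mtu", recommended_tunnel_mtu())
    print("GRE + ESP AES/SHA256 tunnel mode: max ip mtu",
          recommended_tunnel_mtu(block_size=16, iv_len=16, icv_len=16))
    print("guide's ip mtu 1400 -> ip tcp adjust-mss", tcp_mss_for_mtu(1400))
```

Running it shows that a plain GRE tunnel could carry 1476-byte packets and that GRE with 3DES/MD5 ESP in tunnel mode fits 1422 bytes, so the guide's 1400 leaves headroom for a tunnel key, stronger ciphers or extra headers; the MSS value is simply the MTU minus the 40 bytes of IPv4 and TCP headers.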


Configure Dynamic Routing in a Cisco IOS Software DMVPN

A DMVPN cloud is like an NBMA network.

Many routing protocols use IP multicast to discover other participating nodes. For this reason, NHRP multicast maps must be configured on the spoke routers to register their multicast capability with the hub. The hub router can be configured with a dynamic multicast map that replicates multicast traffic to the spokes that have registered to receive IP multicast. This permits the hub and spoke routers to forward multicast and broadcast, but it does not permit spokes to receive broadcasts from other spokes.

In a DMVPN, routing neighbor relationships only form between the hub and each spoke. There is never any spoke-to-spoke routing peering. Thus, the hub propagates information from each spoke network to the other spokes.







EIGRP over DMVPN
Hub-and-spoke (Phase 1) DMVPN
-disable automatic summarization on the hub, and
-disable EIGRP split horizon so that the hub will propagate information about spoke networks to other spokes.

Mesh DMVPN (Phase 2)
Spoke routers cannot directly exchange routing information with one another, even though they are on the same logical subnet. This requires the hub router to advertise the subnets from the spokes on the same subnet, and the advertised route must contain the original next hop as it was learned by the hub router from the originating spoke. The no ip next-hop-self eigrp AS-number interface configuration command takes care of this requirement.

Commands that need to be configured on your hub with Phase 1 (the configuration figure is not reproduced here):


Commands that need to be configured on your hub with Phase 2 (the configuration figure is not reproduced here):


OSPF over DMVPN
The hub should be configured as the designated router (DR) because it is in direct communication with all the spokes. Typically there is no backup designated router (BDR).

Commands that need to be configured on your hub with Phase 1 (the configuration figure is not reproduced here):

Commands that need to be configured on your hub with Phase 2 (the configuration figure is not reproduced here):

In both phases it is better to configure ip ospf priority 0 on the spokes' tunnel interfaces (to make sure a spoke is always DROTHER).

Annotations from the configuration figures above: "We add this line to the spokes as well." (on two of the commands) and "Without it, spokes will use the hub to reach each other."
To run dynamic routing protocols over DMVPN we need to enable multicast capability:

Phase 1
hub
int tunnel 1
ip nhrp map multicast 192.1.2.2
ip nhrp map multicast 192.1.3.3

or just type on the hub:
ip nhrp map multicast dynamic

-no need for this command on the spokes, since they are point-to-point in Phase 1

Phase 2
. On the hub we type ip nhrp map multicast dynamic
. On the spokes we type ip nhrp map multicast 192.1.1.1 (the hub's public/NBMA address)


Running BGP over DMVPN
Just remember we will need ebgp-multihop 2 on the spokes.


DMVPN Phase 3
Phases 2 and 3 are otherwise identical, but since IOS 12.4(6)T there is no need for no ip next-hop-self eigrp 100; instead we use ip nhrp redirect on the hub and ip nhrp shortcut on the spokes.

Hub
int tunnel 1
ip nhrp redirect

Spokes
int tunnel 1
ip nhrp shortcut

An NHRP redirect message is an indication that the current path to the destination is not optimal and that the receiver of the message should find a better path to that destination.

With ip nhrp shortcut, a spoke overrides its routing table only when it receives an NHRP redirect message.

The main idea of Phase 3 is to involve the spokes in responding to NHRP resolution requests. Thus the hub's unique role as the only source of NHRP information is reduced.
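To see the Phase 2 resolution steps listed earlier (cache lookup, query to the NHS, reply, cache insert) and the Phase 3 redirect/shortcut behaviour side by side, here is an added Python model that is not part of the guide. It keeps an NHRP cache and a simplified routing table per router, registers the spokes with the hub, and forwards a packet from spoke2 to a host behind spoke3 in each phase. Tunnel and NBMA addresses follow the guide's examples; the LAN prefixes behind each router, the Router and NhrpEntry names, the forward and build_lab functions and the simplified routing tables are assumptions of this example.

```python
# Added example (not from the guide): an in-memory model of the NHRP cache,
# registration and resolution that replays the guide's Phase 2 steps 1-4 and the
# Phase 3 redirect/shortcut behaviour. Tunnel and NBMA addresses follow the
# guide's examples; the LAN prefixes behind each router, the Router/NhrpEntry
# names and the simplified routing tables are assumptions made for this example.

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NhrpEntry:
    nbma: str    # NBMA (public) address the tunnel address maps to
    kind: str    # "static", "dynamic" (registration/resolution) or "shortcut" (Phase 3)


@dataclass
class Router:
    name: str
    tunnel_ip: str
    nbma_ip: str
    lan: str                                   # prefix behind this router, e.g. "192.168.3.0/24"
    nhs: Optional["Router"] = None             # next-hop server (the hub); None on the hub itself
    redirect: bool = False                     # hub: "ip nhrp redirect" (Phase 3)
    shortcut: bool = False                     # spoke: "ip nhrp shortcut" (Phase 3)
    nhrp_cache: dict = field(default_factory=dict)   # tunnel ip -> NhrpEntry
    routes: dict = field(default_factory=dict)       # prefix -> next-hop tunnel ip
    log: list = field(default_factory=list)

    def register(self):
        """Spoke boots: static map for the hub, dynamic registration at the NHS."""
        self.nhrp_cache[self.nhs.tunnel_ip] = NhrpEntry(self.nhs.nbma_ip, "static")
        self.nhs.nhrp_cache[self.tunnel_ip] = NhrpEntry(self.nbma_ip, "dynamic")
        self.log.append(f"registered {self.tunnel_ip} -> {self.nbma_ip} with {self.nhs.name}")

    def resolve(self, tunnel_ip):
        """Phase 2 steps 1-4: local cache first, otherwise ask the NHS and cache the reply."""
        hit = self.nhrp_cache.get(tunnel_ip)
        if hit:
            return hit.nbma
        if self.nhs is None:                 # the hub has no server to ask
            return None
        self.log.append(f"cache miss for {tunnel_ip}, resolution request to {self.nhs.name}")
        answer = self.nhs.nhrp_cache.get(tunnel_ip)
        if answer is None:
            return None
        self.nhrp_cache[tunnel_ip] = NhrpEntry(answer.nbma, "dynamic")
        return answer.nbma

    def next_hop_for(self, dst):
        """Longest-prefix match in the simplified routing table."""
        addr = ip_address(dst)
        matches = [p for p in self.routes if addr in ip_network(p)]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda p: ip_network(p).prefixlen)]

    def install_shortcut(self, owner):
        """Phase 3: after a redirect, the resolution reply from the owning spoke carries
        its prefix and NBMA address; install both so later packets bypass the hub."""
        self.nhrp_cache[owner.tunnel_ip] = NhrpEntry(owner.nbma_ip, "shortcut")
        self.routes[owner.lan] = owner.tunnel_ip
        self.log.append(f"shortcut {owner.lan} via {owner.tunnel_ip} ({owner.nbma_ip})")


def forward(src, dst, routers):
    """Forward one packet from src to dst and return the NBMA addresses it traverses."""
    by_tunnel = {r.tunnel_ip: r for r in routers}
    path, cur = [src.nbma_ip], src
    while ip_address(dst) not in ip_network(cur.lan):
        nh = cur.next_hop_for(dst)
        if nh is None:
            raise LookupError(f"{cur.name}: no route to {dst}")
        nbma = cur.resolve(nh)               # every hop needs tunnel ip -> NBMA
        if nbma is None:
            raise LookupError(f"{cur.name}: cannot resolve {nh} via NHRP")
        nxt = by_tunnel[nh]
        if cur.redirect and cur is not src and src.shortcut:
            # packet entered and left the hub on the same mGRE tunnel: the hub sends
            # a redirect, the spoke resolves dst and installs a shortcut for next time
            src.log.append(f"NHRP redirect from {cur.name} for {dst}")
            src.install_shortcut(nxt)
        path.append(nbma)
        cur = nxt
    return path


def build_lab(phase):
    """Phase 2: spokes hold each other's LAN routes with the original next hop preserved.
    Phase 3: spokes hold only a default route via the hub; redirect/shortcut do the rest."""
    hub = Router("hub", "10.1.1.1", "192.1.1.1", "192.168.1.0/24", redirect=(phase == 3))
    s2 = Router("spoke2", "10.1.1.2", "192.1.2.2", "192.168.2.0/24", nhs=hub, shortcut=(phase == 3))
    s3 = Router("spoke3", "10.1.1.3", "192.1.3.3", "192.168.3.0/24", nhs=hub, shortcut=(phase == 3))
    for s in (s2, s3):
        s.register()
        hub.routes[s.lan] = s.tunnel_ip              # hub learns spoke LANs from the IGP
        s.routes[hub.lan] = hub.tunnel_ip
    if phase == 2:
        s2.routes[s3.lan], s3.routes[s2.lan] = s3.tunnel_ip, s2.tunnel_ip   # no ip next-hop-self
    else:
        s2.routes["0.0.0.0/0"] = s3.routes["0.0.0.0/0"] = hub.tunnel_ip
    return hub, s2, s3


if __name__ == "__main__":
    for phase in (2, 3):
        hub, s2, s3 = build_lab(phase)
        for _ in range(2):
            print(f"phase {phase}: {' -> '.join(forward(s2, '192.168.3.7', [hub, s2, s3]))}")
        print("\n".join(f"  {s2.name}: {line}" for line in s2.log))
```

In the Phase 2 lab the spoke already holds a route for the remote LAN with spoke3 as next hop (the no ip next-hop-self behaviour), so the first packet triggers an NHRP resolution through the hub and then goes direct. In the Phase 3 lab the spoke only has a default route via the hub: the first packet transits the hub, which sends a redirect; the spoke installs a shortcut entry and the second packet bypasses the hub. Real IOS performs the resolution asynchronously and carries the owning spoke's prefix in the resolution reply, which the model compresses into install_shortcut.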







How to simulate the Internet for DMVPN practice
To simulate the Internet during practice we use a multilayer switch (or a router) in one of two ways:
1-making the multilayer switch interfaces connected to the hub and spokes routed interfaces
2-creating SVIs with VLANs, as in the example below:


SW1
ip routing
ip cef

vlan 1
vlan 2
vlan 3

int e1/1
sw acc vlan 1
int e0/2
sw acc vlan 2
int e0/3
sw acc vlan 3

int vlan 1
ip add 1.1.1.100 255.255.255.0
no sh
int vlan 2
ip add 2.2.2.100 255.255.255.0
no sh
int vlan 3
ip add 3.3.3.100 255.255.255.0
no sh
We need R5, R2, and R3 to have layer 3 connectivity to each other, so on each of them we create a default route pointing to SW1. By doing this, SW1 simulates the Internet and connects the three routers while they use different subnets; this will help us later in the DMVPN task.

On R5
ip route 0.0.0.0 0.0.0.0 1.1.1.100
On R2
ip route 0.0.0.0 0.0.0.0 2.2.2.100
On R3
ip route 0.0.0.0 0.0.0.0 3.3.3.100



Securing DMVPN with IPsec

Let's first configure DMVPN Phase 2:

R1 HUB
int loop 0
ip add 192.168.1.1 255.255.255.0

int e0/0
ip add 1.1.1.10 255.255.255.0
no sh

int tunnel 0
ip add 172.16.0.1 255.255.255.0
no ip redirects
tunnel source 1.1.1.10
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1

R2 SPOKE
int loop 0
ip add 192.168.2.1 255.255.255.0

int e0/0
ip add 2.2.2.10 255.255.255.0
no sh

int tunnel 0
ip add 172.16.0.2 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1

R3 SPOKE
int loop 0
ip add 192.168.3.1 255.255.255.0

int e0/0
ip add 3.3.3.10 255.255.255.0
no sh

int tunnel 0
ip add 172.16.0.3 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1








Now let's secure our DMVPN with IPsec (you should be familiar with IPsec over GRE):
R1
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre

R2/R3
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
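The crypto settings above work, but a practitioner reviewing this configuration today would flag several of them: 3DES and MD5 in the ISAKMP policy, DH group 2, a 3DES/MD5 transform set, and a pre-shared key bound to address 0.0.0.0 0.0.0.0, which means any peer that knows the key can negotiate with the hub. The ip nhrp authentication string from the earlier sections travels in cleartext inside NHRP, so this IPsec layer is what actually protects the tunnel. The following Python is an added example, not part of the guide or of any Cisco tool: it lints the crypto section of an IOS configuration for those settings and is run against the guide's R1 block (embedded as SAMPLE_CONFIG) and against a hardened variant; the weak-algorithm sets, the suggested replacements and the EXAMPLE-PSK-PER-PEER placeholder are this example's choices.

```python
# Added example (not from the guide): a small linter for the crypto section of an
# IOS configuration. It flags the settings in the guide's IPsec example that a
# reviewer would push back on today (3DES, MD5, DH group 2, a pre-shared key bound
# to the 0.0.0.0 wildcard peer) and suggests replacements. SAMPLE_CONFIG is the
# guide's R1 crypto block embedded as text; HARDENED_CONFIG, the weak-algorithm
# sets and the EXAMPLE-PSK-PER-PEER placeholder are this example's choices.

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
!
interface Tunnel 0
 tunnel protection ipsec profile protect-gre
"""

HARDENED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key EXAMPLE-PSK-PER-PEER address 192.1.2.2 255.255.255.255
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}           # "sha" is SHA-1 in IOS ISAKMP policies
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}


def audit_crypto(config):
    """Return a list of (line_no, finding) tuples for weak IKE/IPsec settings."""
    findings = []
    in_policy = False
    for n, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            in_policy = True               # indented lines that follow belong to the policy
            continue
        if not raw.startswith(" "):
            in_policy = False
        if in_policy:
            if words[0] == "encr" and words[1] in WEAK_ENCR:
                findings.append((n, f"IKE encryption {words[1]}: use 'encr aes 256'"))
            elif words[0] == "hash" and words[1] in WEAK_HASH:
                findings.append((n, f"IKE hash {words[1]}: use 'hash sha256' or stronger"))
            elif words[0] == "group" and words[1] in WEAK_DH_GROUPS:
                findings.append((n, f"DH group {words[1]}: use group 14 or an ECDH group (19/20)"))
        elif (words[:3] == ["crypto", "isakmp", "key"] and "address" in words
              and "0.0.0.0" in words[words.index("address") + 1:]):
            findings.append((n, "pre-shared key accepted from any peer (address 0.0.0.0): "
                                "scope keys per peer or use certificates"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            for alg in words[4:]:
                if alg in WEAK_ESP:
                    findings.append((n, f"transform {alg}: use esp-aes 256 with esp-sha256-hmac"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("guide R1", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_crypto(cfg))} finding(s)")
        for n, text in audit_crypto(cfg):
            print(f"  line {n}: {text}")
```

With dynamically addressed spokes a per-peer pre-shared key is impractical on the hub, which is the usual argument for moving DMVPN to certificate authentication (or at least IKEv2 with distinct keys per spoke); the linter only makes the wildcard visible, the design decision remains yours.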












DMVPN online Resources :
http://blog.ine.com/2008/08/02/dmvpn-explained/
http://blog.ine.com/2008/12/23/dmvpn-phase-3/
http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-
dmvpn/DMVPN_Overview.pdf
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-services-tech/896-cisco-dmvpn-
intro.html
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-
dmvpn-configuration.html
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-
protocols/29240-dcmvpn.html
https://supportforums.cisco.com/document/124431/dmvpn-configuration-example
http://micronics.nl/NHRP-BEST.pdf (thanks to Narbik Kocharians)
http://micronics.nl/Site-2-Site-VPNs.pdf (thanks to Narbik Kocharians)
http://packetlife.net/blog/2008/jul/23/dynamic-multipoint-vpn-dmvpn/
http://packetlife.net/blog/2012/jan/9/multiple-dmvpns-single-hub/
http://networklessons.com/security/dynamic-multipoint-vpn-dmvpn-configuration/

Videos from INE:
http://www.youtube.com/watch?v=CIWcYSClbio
http://www.youtube.com/watch?v=DA9K0eGG17E



Good Luck

CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasser.r.a?view=documents
https://www.youtube.com/user/yasserramzyaud
