DMVPN

  • GRE is a tunneling protocol.
  • Branches can use static or dynamic IP addresses.
  • There is no neighborship between spoke routers in any phase of DMVPN.
  • NHRP is an L2 protocol
    • Based on a server-client relationship.
    • Spokes are referred to as Next Hop Clients (NHCs).
    • The hub is referred to as the Next Hop Server (NHS), which tracks all the registered next hop clients.
      • Clients register with a registration request.
      • The server responds with a registration reply.
      • When two spokes need to communicate with one another, they send a resolution request to the NHS.
      • The NHS responds with a resolution reply.
      • NHRP maps reachability information from the WAN (NBMA) IP address to the tunnel IP address.
        • Dynamic routing maps the next-hop address to the tunnel interface.
  • DMVPN Phases
    • Phase 1
      • Single mGRE interface on the hub router and a standard (point-to-point) GRE interface on the spoke routers.
      • Only hub-and-spoke communication is supported.

    • Phase 2
      • Every site is configured with an mGRE interface.
      • Spoke-to-spoke communication is permitted.
      • Tunnels are established dynamically rather than by static tunnel configuration.
      • A default route is not allowed.
      • Summarization is not allowed (spokes need specific routes whose next hop is the remote spoke's tunnel address).

    • Phase 3
      • Adds greater scalability.
      • Summarization into the DMVPN cloud is allowed (EIGRP summaries per interface or BGP aggregation to neighbors).
      • NHRP redirects and NHRP shortcuts provide enhanced switching capabilities.
      • An NHRP redirect tells the source how to locate a better path to the destination.
      • NHRP shortcuts allow the DMVPN to learn about networks behind other DMVPN routers (ARP for DMVPN).

  • DMVPN components
    • A headend router acts as the DMVPN hub.
    • Access routers act as the DMVPN spokes.
    • Underlay network (Internet)
      • Public-facing IP addresses and basic Internet routing for network reachability.
      • Can also run over MPLS.
    • Overlay network (DMVPN/mGRE/NHRP)
      • Tunnel interfaces
      • A static or dynamic routing process for inter-site routing.
Phase 1 configuration example

Hub

interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 10
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

Spoke

interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp map multicast 10.1.10.1
 ip nhrp map 192.168.1.1 10.1.10.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel source Ethernet0/0
 tunnel destination 10.1.10.1


Phase 2 configuration example

Hub

interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 10
! Phase 2 needs the remote spoke's own tunnel address as next hop, so the hub must not rewrite it.
 no ip next-hop-self eigrp 10
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

Spoke

interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast 10.1.10.1
 ip nhrp map 192.168.1.1 10.1.10.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

Phase 3 configuration example

Hub

interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

Spoke

interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast 10.1.10.1
 ip nhrp map 192.168.1.1 10.1.10.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

Routing table on spoke R3 (Phase 3). The H entry for 192.168.1.4/32 is the NHRP shortcut learned for the other spoke, and the % flag on 4.4.4.4 marks the next-hop override that sends that traffic directly spoke-to-spoke instead of via the hub (192.168.1.1).

R3#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/27008000] via 192.168.1.1, 00:19:09, Tunnel1
      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      4.0.0.0/32 is subnetted, 1 subnets
D   %    4.4.4.4 [90/28288000] via 192.168.1.1, 00:18:40, Tunnel1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.1.10.0/24 [110/20] via 10.3.10.10, 01:48:16, Ethernet0/0
C        10.3.10.0/24 is directly connected, Ethernet0/0
L        10.3.10.3/32 is directly connected, Ethernet0/0
O        10.4.10.0/24 [110/20] via 10.3.10.10, 01:48:16, Ethernet0/0
O        10.5.10.0/24 [110/20] via 10.3.10.10, 01:48:16, Ethernet0/0
      192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel1
L        192.168.1.3/32 is directly connected, Tunnel1
H        192.168.1.4/32 is directly connected, 00:18:13, Tunnel1



Verification

R1#sho dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.3.10.3           192.168.1.3    UP 04:05:35     D
     1 10.4.10.4           192.168.1.4    UP 04:05:34     D

R1#sho ip nhrp
192.168.1.3/32 via 192.168.1.3
   Tunnel1 created 04:05:41, expire 01:41:55
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.3.10.3
192.168.1.4/32 via 192.168.1.4
   Tunnel1 created 04:05:40, expire 01:41:55
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.4.10.4
R1#
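As an added example (not part of the original notes), the following Python parses the `show ip nhrp` output above and compares the registered spokes with an expected inventory, so a cache entry from an unknown spoke, or a known tunnel address registering from an unexpected WAN address, stands out. The inventory dictionary is an assumption; a value of None marks a branch with a dynamic WAN address, which the notes say is allowed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the hub's "sho ip nhrp" output shown above, as captured text.
SHOW_IP_NHRP = """\
192.168.1.3/32 via 192.168.1.3
   Tunnel1 created 04:05:41, expire 01:41:55
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.3.10.3
192.168.1.4/32 via 192.168.1.4
   Tunnel1 created 04:05:40, expire 01:41:55
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.4.10.4
"""

@dataclass
class NhrpEntry:
    prefix: str            # overlay (tunnel) prefix, e.g. 192.168.1.3/32
    next_hop: str
    flags: set = field(default_factory=set)  # e.g. {"unique", "registered", ...}
    nbma: str = ""         # underlay (WAN) address the spoke registered from

def parse_show_ip_nhrp(text):
    """Parse IOS 'show ip nhrp' output into a list of NhrpEntry records."""
    entries = []
    for line in text.splitlines():
        if m := re.match(r"^(\S+) via (\S+)$", line):          # entry header
            entries.append(NhrpEntry(prefix=m.group(1), next_hop=m.group(2)))
        elif entries and (m := re.match(r"^\s+Type: \w+, Flags: (.*)$", line)):
            entries[-1].flags = set(m.group(1).split())
        elif entries and (m := re.match(r"^\s+NBMA address: (\S+)", line)):
            entries[-1].nbma = m.group(1)
    return entries

def audit_registrations(entries, inventory):
    """Compare spoke registrations with {tunnel_ip: wan_ip}; wan_ip None means the
    branch has a dynamic WAN address. Empty result: cache matches the inventory."""
    findings, seen = [], set()
    for e in entries:
        if "registered" not in e.flags:
            continue  # resolution/shortcut entries are not spoke registrations
        tunnel_ip = e.prefix.split("/")[0]
        seen.add(tunnel_ip)
        if tunnel_ip not in inventory:
            findings.append(f"unknown spoke {tunnel_ip} registered from NBMA {e.nbma}")
        elif inventory[tunnel_ip] not in (None, e.nbma):
            findings.append(f"spoke {tunnel_ip} registered from {e.nbma}, inventory says {inventory[tunnel_ip]}")
    for tunnel_ip in sorted(inventory.keys() - seen):
        findings.append(f"expected spoke {tunnel_ip} has not registered")
    return findings
```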




Full configuration example

HUB
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
! Ensures longer packets are fragmented before they are encrypted; otherwise, the receiving router would have to do the reassembly.
 ip mtu 1400
! The following line must match on all nodes that want to use this mGRE tunnel:
 ip nhrp authentication donttell
! Note that the next line is required only on the hub.
 ip nhrp map multicast dynamic
! The following line must match on all nodes that want to use this mGRE tunnel:
 ip nhrp network-id 99
 ip nhrp holdtime 300
! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not advertise routes that are learned via the mGRE interface back out that interface.
 no ip split-horizon eigrp 1
! Enables dynamic, direct spoke-to-spoke tunnels when using EIGRP.
 no ip next-hop-self eigrp 1
 ip tcp adjust-mss 1360
 delay 1000
! Sets IPsec peer address to Ethernet interface’s public address.
 tunnel source FastEthernet0/0/0
 tunnel mode gre multipoint
! The following line must match on all nodes that want to use this mGRE tunnel.
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/0/0
 ip address 172.17.0.1 255.255.255.0
!
interface FastEthernet0/0/1
 ip address 192.168.0.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255

SPOKE

In the following example, all spokes are configured identically except for their tunnel and local interface addresses, which reduces the configuration each spoke needs:


crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
! The following line must match on all nodes that want to use this mGRE tunnel:
 ip nhrp authentication donttell
! Definition of NHRP server at the hub (10.0.0.1), which is permanently mapped to the static public address of the hub (172.17.0.1).
 ip nhrp map 10.0.0.1 172.17.0.1
! Sends multicast packets to the hub router, and enables the use of a dynamic routing protocol between the spoke and the hub.
 ip nhrp map multicast 172.17.0.1
! The following line must match on all nodes that want to use this mGRE tunnel:
 ip nhrp network-id 99 
 ip nhrp holdtime 300
! Configures the hub router as the NHRP next-hop server.
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0/0/0
 tunnel mode gre multipoint
! The following line must match on all nodes that want to use this mGRE tunnel:
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
! This is a spoke, so the public address might be dynamically assigned via DHCP.
interface FastEthernet0/0/0
 ip address dhcp hostname Spoke1
!
interface FastEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
!
! EIGRP is configured to run over the inside physical interface and the tunnel.
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
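As an added example (not the page's or Cisco's own code), this Python check reads the Tunnel0 stanzas of a hub and a spoke and reports any of the parameters the comments above say must match (NHRP authentication string, network-id, tunnel key, MTU) that differ, plus any node whose mGRE tunnel has no IPsec profile attached, which is the state of the shorter phase examples. The two stanza strings are constructed from the full example above, with the spoke's tunnel key altered and its tunnel protection removed so the check has something to report.

```python
# Constructed sample: Tunnel0 stanzas trimmed from the hub and spoke above; the spoke's
# tunnel key is altered and its tunnel protection removed so the check has findings.
HUB_TUNNEL = """\
interface Tunnel0
 ip mtu 1400
 ip nhrp authentication donttell
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
"""
SPOKE_TUNNEL = """\
interface Tunnel0
 ip mtu 1400
 ip nhrp authentication donttell
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 tunnel mode gre multipoint
 tunnel key 100001
"""

# Parameters the comments above say must match on every node, plus the IPsec profile.
MUST_MATCH = ("ip nhrp authentication", "ip nhrp network-id", "tunnel key", "ip mtu")
PROTECTION = "tunnel protection ipsec profile"

def parse_tunnel(config):
    """Return {command: argument} for the first 'interface Tunnel' stanza in config."""
    params, in_tunnel = {}, False
    for raw in config.splitlines():
        if raw.startswith("interface Tunnel"):
            in_tunnel = True
        elif in_tunnel and raw and not raw.startswith(" "):
            break  # an unindented line ('!' or the next stanza) ends the interface
        elif in_tunnel:
            line = raw.strip()
            for key in MUST_MATCH + (PROTECTION,):
                if line.startswith(key + " "):
                    params[key] = line[len(key) + 1:]
    return params

def check_tunnel_pair(hub_config, spoke_config):
    """Findings for one hub/spoke pair; an empty list means the pair is consistent."""
    hub, spoke = parse_tunnel(hub_config), parse_tunnel(spoke_config)
    findings = [f"{k}: hub={hub.get(k)} spoke={spoke.get(k)}"
                for k in MUST_MATCH if hub.get(k) != spoke.get(k)]
    for name, params in (("hub", hub), ("spoke", spoke)):
        if PROTECTION not in params:
            findings.append(f"{name}: no IPsec profile on the tunnel, GRE traffic is sent in clear text")
    return findings
```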
