DMVPN
DMVPN is a design concept that evolves the hub-and-spoke tunnelling model (GRE or IPsec). Before DMVPN, a hub-and-spoke deployment was built from static tunnels from HQ to each branch. In such an implementation, all communication goes via the hub, and every time a new branch needs to join the communication domain, configuration has to be added on the hub. As the number of spokes grows, this solution is observed not to scale well.
DMVPN allows users to better scale large and small IPsec VPNs by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and the Next Hop Resolution Protocol (NHRP). It provides easy configuration through crypto profiles, which remove the requirement for defining static crypto maps, and dynamic discovery of tunnel endpoints.
Point-to-point GRE tunnels have exactly two endpoints, and each tunnel on a router requires a separate virtual interface with its own independent configuration. Conversely, a multipoint GRE tunnel allows for more than two endpoints, and is treated as a non-broadcast multi-access (NBMA) network.
Network setup before DMVPN:
For this setup, all the end devices have a means of communication that has been provided by an ISP, over the internet or through their data network.
Below are the multiple GRE tunnels to be formed in DMVPN:
With multipoint tunnels, a single tunnel interface is connected to multiple neighbouring routers. Unlike point-to-point tunnels, a tunnel destination need not be configured.
CONFIGURATION:
---------------------------------------------------------------------------------------------------
HQ :
conf t
!--- Create an Internet Security Association and Key Management
!--- Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 10
 hash md5
 authentication pre-share
 exit
crypto isakmp key secret123 address 0.0.0.0 0.0.0.0
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!--- Create an IPsec profile to be applied dynamically to the
!--- GRE over IPsec tunnels.
crypto ipsec profile MyPROF
 set security-association lifetime seconds 120
 set transform-set strong
 exit
interface GigabitEthernet0/0
 ip address 172.16.15.2 255.255.255.252
 exit
!--- Hub: multipoint GRE, no tunnel destination; spoke NBMA addresses are learned
!--- dynamically through NHRP registrations.
interface Tunnel0
 ip mtu 1430
 ip address 192.168.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 172.16.15.2
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile MyPROF
------------------------------------------------------------------------------------------------------
Branch A :
conf t
!--- Create an Internet Security Association and Key Management
!--- Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 10
 hash md5
 authentication pre-share
 exit
crypto isakmp key secret123 address 0.0.0.0 0.0.0.0
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!--- Create an IPsec profile to be applied dynamically to the
!--- GRE over IPsec tunnels.
crypto ipsec profile MyPROF
 set security-association lifetime seconds 120
 set transform-set strong
 exit
interface GigabitEthernet1/0/1
 ip address 172.16.25.2 255.255.255.252
 exit
interface Tunnel0
 ip mtu 1430
 ip address 192.168.0.2 255.255.255.0
 !--- Static resolution of the NHS: tunnel IP of HQ to its Ethernet (NBMA) IP
 ip nhrp map 192.168.0.1 172.16.15.2
 ip nhrp map multicast 172.16.15.2
 !--- NHRP domain
 ip nhrp network-id 1
 ip nhrp nhs 192.168.0.1
 tunnel source 172.16.25.2
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile MyPROF
------------------------------------------------------------------------------------------------------
Branch B :
conf t
!--- Create an Internet Security Association and Key Management
!--- Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 10
 hash md5
 authentication pre-share
 exit
crypto isakmp key secret123 address 0.0.0.0 0.0.0.0
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!--- Create an IPsec profile to be applied dynamically to the
!--- GRE over IPsec tunnels.
crypto ipsec profile MyPROF
 set security-association lifetime seconds 120
 set transform-set strong
 exit
interface GigabitEthernet1/0/1
 ip address 172.16.45.2 255.255.255.252
 exit
interface Tunnel0
 ip mtu 1430
 ip address 192.168.0.3 255.255.255.0
 !--- Static resolution of the NHS: tunnel IP of HQ to its Ethernet (NBMA) IP
 ip nhrp map 192.168.0.1 172.16.15.2
 ip nhrp map multicast 172.16.15.2
 !--- NHRP domain
 ip nhrp network-id 1
 ip nhrp nhs 192.168.0.1
 tunnel source 172.16.45.2
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile MyPROF
---------------------------------------------------------------------------------------------------
NHRP: Next Hop Resolution Protocol
When Branch A initially attempts to send an IP packet to Branch C, the packet is forwarded through the HQ router. The routers use NHRP to quickly learn the NBMA addresses of each other (in this case, IP addresses assigned to the underlying Ethernet network). The partially meshed tunnel network readily becomes fully meshed, at which point any of the routers can directly communicate over the tunnel network without their IP traffic requiring an intermediate hop.
Full mesh network that results:
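To make the registration and resolution flow above concrete, here is an added Python toy model (not part of the original post and not a real NHRP implementation) that uses the tunnel and NBMA addresses from the configuration; the Router class and its register, resolve and send methods are hypothetical names, and the NHRP wire format is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Router:
    """Hypothetical model of one DMVPN router (hub or spoke)."""
    name: str
    tunnel_ip: str                   # overlay address on Tunnel0
    nbma_ip: str                     # underlay address, the "tunnel source"
    tunnel_key: int = 0              # GRE key; both ends must agree
    nhs: "Router | None" = None      # next hop server (the hub); None on the hub
    cache: dict = field(default_factory=dict)  # NHRP cache: tunnel_ip -> nbma_ip

    def register(self) -> None:
        """Spoke start-up: static 'ip nhrp map' to the NHS, then NHRP Registration."""
        if self.tunnel_key != self.nhs.tunnel_key:
            # GRE frames with a different key are dropped, so no registration arrives
            raise ConnectionError(f"{self.name}: tunnel key mismatch with {self.nhs.name}")
        self.cache[self.nhs.tunnel_ip] = self.nhs.nbma_ip  # ip nhrp map <nhs> <nbma>
        self.nhs.cache[self.tunnel_ip] = self.nbma_ip      # hub learns the spoke mapping

    def resolve(self, dst_tunnel_ip: str) -> str:
        """Return the NBMA address behind an overlay address, asking the NHS on a miss."""
        if dst_tunnel_ip in self.cache:
            return self.cache[dst_tunnel_ip]
        if self.nhs is None:
            raise LookupError(f"{self.name}: no NHRP entry for {dst_tunnel_ip}")
        nbma = self.nhs.resolve(dst_tunnel_ip)   # NHRP Resolution Request to the NHS
        self.cache[dst_tunnel_ip] = nbma         # Resolution Reply populates the cache
        return nbma

    def send(self, dst_tunnel_ip: str) -> list:
        """Return the underlay hops a packet to dst_tunnel_ip takes."""
        if dst_tunnel_ip in self.cache:
            return [self.cache[dst_tunnel_ip]]   # direct spoke-to-spoke tunnel
        # Cache miss: the first packet hairpins through the hub while resolution runs
        return [self.nhs.nbma_ip, self.resolve(dst_tunnel_ip)]


def build_dmvpn():
    """Hub and two spokes with the addresses from the configuration above."""
    hq = Router("HQ", "192.168.0.1", "172.16.15.2")
    branch_a = Router("BranchA", "192.168.0.2", "172.16.25.2", nhs=hq)
    branch_b = Router("BranchB", "192.168.0.3", "172.16.45.2", nhs=hq)
    branch_a.register()
    branch_b.register()
    return hq, branch_a, branch_b
```

Calling `send` from Branch A to 192.168.0.3 twice shows the two phases: the first packet returns the hub's NBMA address followed by Branch B's, the second returns only Branch B's.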
Troubleshooting:
show ip nhrp
show ip nhrp traffic
show ip nhrp traffic interface Tunnel0
show ip nhrp nhs detail (NHS = next hop server)
END.