05 January 2015

DMVPN With Frame Multipoint - Overview

Dynamic Multipoint Virtual Private Network (DMVPN)[1] is a dynamic tunneling form of virtual private network (VPN) supported on Cisco IOS-based routers and Unix-like operating systems, built on the standard protocols GRE, NHRP and IPsec. DMVPN makes it possible to create a dynamic-mesh VPN without statically pre-configuring every possible tunnel end-point peer, including the IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured as a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no change to the hub configuration is required to accept new spokes. On top of this hub-and-spoke network, tunnels between spokes are built dynamically on demand (dynamic mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability removes the load that routing data between spoke networks would otherwise place on the hub.

DMVPN is a combination of the following technologies:

Multipoint GRE (mGRE)
Next-Hop Resolution Protocol (NHRP)
Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
Dynamic IPsec encryption
Cisco Express Forwarding (CEF)


    [*] Relevant settings

    Evans# sh run | s router eigrp

    router eigrp 10
     network 172.16.0.0 0.0.0.255
     network 192.168.10.0
     no auto-summary
     

    Evans# sh run int ser 1/0

    !
    interface Serial1/0
     ip address 10.0.0.1 255.255.255.0
     encapsulation frame-relay
     frame-relay map ip 10.0.0.2 102 broadcast
     frame-relay map ip 10.0.0.3 103 broadcast
     frame-relay map ip 10.0.0.4 104 broadcast
    end
    

    Evans# sh run int tun 0

    !
    interface Tunnel0
     ip address 172.16.0.1 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 10
     ip nhrp authentication abcd
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     no ip split-horizon eigrp 10
     tunnel source Serial1/0
     ip mtu 1400
     ip tcp adjust-mss 1360
     tunnel mode gre multipoint
     tunnel key 1234
    end
    

    Scoth# sh run int ser 1/0

    !
    interface Serial1/0
     ip address 10.0.0.2 255.255.255.0
     encapsulation frame-relay
     serial restart-delay 0
     frame-relay map ip 10.0.0.1 201 broadcast
     frame-relay map ip 10.0.0.3 201 broadcast
     frame-relay map ip 10.0.0.4 201 broadcast
    end
    

    Scoth# sh run int tun 0

    !
    interface Tunnel0
     ip address 172.16.0.2 255.255.255.0
     no ip redirects
     ip nhrp authentication abcd
     ip nhrp map multicast dynamic
     ip nhrp map 172.16.0.1 10.0.0.1
     ip nhrp map multicast 10.0.0.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.0.1
     tunnel source Serial1/0
     ip mtu 1400
     ip tcp adjust-mss 1360
     tunnel mode gre multipoint
     tunnel key 1234
    end
    

    These configs are almost the same on the other routers; just change the tunnel IP address. Time to choose the best path! ; )

    [*] Before the dynamic spoke-to-spoke tunnel exists

    Scoth# sh ip nhrp

    172.16.0.1/32 via 172.16.0.1, Tunnel0 created 00:03:52, never expire 
      Type: static, Flags: authoritative used 
      NBMA address: 10.0.0.1 
    

    Scoth# ping 192.168.40.1 source lo0

    Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.20.1 
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/36/40 ms
    

    Scoth# traceroute 192.168.40.1 so lo0

    Type escape sequence to abort.
    Tracing the route to 192.168.40.1
    
      1 172.16.0.1 16 msec 20 msec
        172.16.0.4 28 msec
    

    [*] After the DMVPN spoke-to-spoke tunnel is formed dynamically!

    Scoth# sh ip nhrp

    172.16.0.1/32 via 172.16.0.1, Tunnel0 created 00:03:59, never expire 
      Type: static, Flags: authoritative used 
      NBMA address: 10.0.0.1 
    172.16.0.4/32 via 172.16.0.4, Tunnel0 created 00:00:02, expire 01:56:03
      Type: dynamic, Flags: router used 
      NBMA address: 10.0.0.4 
    

    Scoth# traceroute 192.168.40.1 source lo0
    Type escape sequence to abort.
    Tracing the route to 192.168.40.1
    
      1 172.16.0.4 28 msec 36 msec 36 msec
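    To make the before/after difference above checkable rather than eyeballed, here is an added example (not part of the original post) that parses `show ip nhrp` output into records and separates the static NHS mapping from the dynamic entries that appear once a spoke-to-spoke tunnel has been resolved. The sample text is constructed to match the shape of the Scoth output shown above; the set of "known" NBMA addresses used for the last check is an assumption taken from the frame-relay maps on the page. It needs Python 3.8 or newer.

```python
import re

# Constructed sample modelled on the page's "show ip nhrp" output on spoke
# Scoth after the spoke-to-spoke tunnel came up; not a live capture.
SHOW_IP_NHRP = """\
172.16.0.1/32 via 172.16.0.1, Tunnel0 created 00:03:59, never expire
  Type: static, Flags: authoritative used
  NBMA address: 10.0.0.1
172.16.0.4/32 via 172.16.0.4, Tunnel0 created 00:00:02, expire 01:56:03
  Type: dynamic, Flags: router used
  NBMA address: 10.0.0.4
"""

# First line of every NHRP cache entry: prefix, next hop, interface, age, expiry.
HEADER = re.compile(
    r"^(\S+) via (\S+), (\S+) created (\S+), (never expire|expire \S+)$"
)


def parse_nhrp(text):
    """Turn the three-line-per-entry show output into a list of dicts."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()  # IOS leaves trailing spaces on these lines
        if m := HEADER.match(line):
            expiry = m.group(5)
            cur = {
                "prefix": m.group(1),
                "next_hop": m.group(2),
                "interface": m.group(3),
                "created": m.group(4),
                # None means "never expire" (static mapping to the NHS)
                "expire": None if expiry == "never expire" else expiry.split()[1],
                "type": None,
                "flags": [],
                "nbma": None,
            }
            entries.append(cur)
        elif cur and (m := re.match(r"\s*Type: (\w+), Flags: (.*)$", line)):
            cur["type"], cur["flags"] = m.group(1), m.group(2).split()
        elif cur and (m := re.match(r"\s*NBMA address: (\S+)", line)):
            cur["nbma"] = m.group(1)
    return entries


def dynamic_peers(entries):
    """Spoke-to-spoke shortcuts: entries learned via NHRP resolution, not the
    static NHS mapping. Returns (tunnel prefix, NBMA address, expiry)."""
    return [(e["prefix"], e["nbma"], e["expire"])
            for e in entries if e["type"] == "dynamic"]


def unknown_nbma(entries, known):
    """NBMA addresses in the cache that are not in the expected peer set.
    A dynamic entry pointing at an NBMA address you never provisioned is
    worth a look, since it is where the spoke will send traffic next."""
    return [e["nbma"] for e in entries if e["nbma"] not in known]


if __name__ == "__main__":
    cache = parse_nhrp(SHOW_IP_NHRP)
    print("dynamic:", dynamic_peers(cache))
    # Assumed peer set: the frame-relay map targets from the page's configs.
    print("unexpected:", unknown_nbma(cache, {"10.0.0.1", "10.0.0.3", "10.0.0.4"}))
```

    Run against the "before" output on the page the dynamic list is empty; against the "after" output it holds the 172.16.0.4 shortcut with its 01:56:03 expiry, which is exactly the entry that shortened the traceroute to one hop.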
    

    [*] Add Security to the DMVPN Traffic!



    conf t
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set DMVPNTrFormSet esp-aes esp-sha-hmac
    !
    crypto ipsec profile DMProfile
     set transform-set DMVPNTrFormSet
    !
    interface Tunnel0
     tunnel protection ipsec profile DMProfile
    end
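    The tunnel settings earlier on the page have to agree between hub and spokes (the GRE tunnel key and the NHRP authentication string must match, the network-id is locally significant but is normally kept the same), and the crypto block above leans on IOS defaults that are easy to overlook: an ISAKMP policy with no `encryption` line uses DES, one with no `group` line uses DH group 1, and `address 0.0.0.0 0.0.0.0` shares one pre-shared key with any peer address. The following added example (not part of the original post or of any Cisco tooling) is a small config checker that parses IOS-style snippets and reports those points. The sample snippets are constructed from the page's Evans and Scoth configs plus a deliberately mismatched third spoke; Python 3.8 or newer is assumed.

```python
import re

# Constructed snippets modelled on the page's hub (Evans) and spoke (Scoth);
# SPOKE_BAD is a made-up spoke with a wrong tunnel key and no NHS.
HUB = """\
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp authentication abcd
 ip nhrp network-id 1
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile DMProfile
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPNTrFormSet esp-aes esp-sha-hmac
"""
SPOKE_OK = """\
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp authentication abcd
 ip nhrp map 172.16.0.1 10.0.0.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile DMProfile
"""
SPOKE_BAD = """\
interface Tunnel0
 ip address 172.16.0.3 255.255.255.0
 ip nhrp authentication abcd
 ip nhrp network-id 2
 tunnel mode gre multipoint
 tunnel key 4321
"""


def parse_sections(config):
    """{top-level command: [indented child lines]} using IOS indentation;
    a '!' line or blank line ends the current section."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections


def tunnel_params(config, name="Tunnel0"):
    """DMVPN-relevant settings of one tunnel interface."""
    p = {"key": None, "network_id": None, "auth": None, "nhs": None, "protected": False}
    for line in parse_sections(config).get(f"interface {name}", []):
        if m := re.match(r"tunnel key (\S+)", line):
            p["key"] = m.group(1)
        elif m := re.match(r"ip nhrp network-id (\S+)", line):
            p["network_id"] = m.group(1)
        elif m := re.match(r"ip nhrp authentication (\S+)", line):
            p["auth"] = m.group(1)
        elif m := re.match(r"ip nhrp nhs (\S+)", line):
            p["nhs"] = m.group(1)
        elif line.startswith("tunnel protection ipsec profile"):
            p["protected"] = True
    return p


def check_spoke(hub_cfg, spoke_cfg):
    """Findings for one spoke measured against the hub's tunnel interface."""
    hub, spoke = tunnel_params(hub_cfg), tunnel_params(spoke_cfg)
    notes = {"key": "GRE tunnel key must match",
             "auth": "NHRP authentication string must match",
             "network_id": "network-id is locally significant but usually kept equal"}
    findings = [f"{f} differs (hub={hub[f]}, spoke={spoke[f]}): {note}"
                for f, note in notes.items() if hub[f] != spoke[f]]
    if spoke["nhs"] is None:
        findings.append("spoke has no 'ip nhrp nhs', it will never register with the hub")
    if hub["protected"] != spoke["protected"]:
        findings.append("tunnel protection applied on only one side")
    return findings


def check_crypto(config):
    """Weak-by-default spots in an IOS ISAKMP/IPsec block."""
    sections, findings = parse_sections(config), []
    for pol in (k for k in sections if k.startswith("crypto isakmp policy")):
        if not any(l.startswith("encryption") for l in sections[pol]):
            findings.append(f"{pol}: no 'encryption' line, IOS default is DES")
        if not any(l.startswith("group") for l in sections[pol]):
            findings.append(f"{pol}: no 'group' line, IOS default is DH group 1")
    for k in (k for k in sections if k.startswith("crypto isakmp key")):
        if k.endswith("address 0.0.0.0 0.0.0.0"):
            findings.append("wildcard pre-shared key: one secret accepted from any peer address")
    for ts in (k for k in sections if k.startswith("crypto ipsec transform-set")):
        if weak := {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"} & set(ts.split()):
            findings.append(f"{ts}: weak transform(s) {sorted(weak)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("SPOKE_OK", SPOKE_OK), ("SPOKE_BAD", SPOKE_BAD)):
        print(name, check_spoke(HUB, cfg))
    print("crypto", check_crypto(HUB))
```

    The transform set on the page (esp-aes with esp-sha-hmac) passes the transform check; what the checker reports against the page's own block is the missing `encryption` and `group` lines in policy 10 and the wildcard key. Those are exactly the values `show crypto isakmp sa` and `show crypto isakmp policy` will confirm after the tunnel comes up.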
    

    [*] Verify as always!



    show dmvpn
    show crypto isak sa
    
    biOos