Dynamic Multipoint VPN example.

Objective: Build a lab with an example DMVPN configuration.

Theory:

The Cisco DMVPN feature allows administrators to deploy scalable IPsec VPNs for both small and large networks.
The Cisco DMVPN feature combines the features and benefits of:
- mGRE tunnels
- IPsec encryption
- Next Hop Resolution Protocol (NHRP)

DMVPNs can be deployed using two models:
Hub-and-spoke: A hub-and-spoke DMVPN requires that each branch (spoke) have a point-to-point GRE interface that is used to build a tunnel to the hub router. All traffic between spokes must flow through the hub router. This model provides a scalable configuration on the hub router but does not provide direct spoke-to-spoke communication.
Spoke-to-spoke: A spoke-to-spoke DMVPN requires that each branch (spoke) have an mGRE interface through which dynamic spoke-to-spoke tunnels are used for spoke-to-spoke traffic. This model provides a scalable configuration for all involved devices and also provides direct spoke-to-spoke communication. Be aware that DMVPN does not immediately produce a mesh (partial or full) topology. It initially establishes a hub-and-spoke topology from which a partial or full mesh is generated dynamically as traffic patterns dictate.

Building Blocks of DMVPNs:
mGRE: mGRE allows a single Generic Routing Encapsulation (GRE) interface to support multiple GRE tunnels and makes the configuration much easier. Using GRE tunnels provides support for IP multicast and non-IP protocols to traverse the interface as well.
NHRP: Next Hop Resolution Protocol (NHRP) is a client and server protocol where the hub acts as the NHRP server and the spokes are the NHRP clients. The NHRP database maintains mappings between the router (public, physical interface) and the tunnel (inside the tunnel interface) IP addresses of each spoke.
IPsec: IPsec provides transmission protection for GRE tunnels.

Deployment Tasks.
Deploying a DMVPN requires completing the following configuration tasks:
Task 1. Configure Internet Key Exchange (IKE) sessions between each DMVPN spoke and the hub, including Internet Security Association and Key Management Protocol (ISAKMP) policies and authentication information.
Task 2. Configure NHRP sessions between each DMVPN spoke and the hub.
Task 3. Configure mGRE tunnels and IPsec profiles on the DMVPN hub.
Task 4. Configure GRE (for pure hub-and-spoke DMVPNs) or mGRE (for partial or full mesh DMVPNs) tunnels and IPsec profiles on DMVPN spokes.
Task 5. Configure dynamic routing over DMVPN tunnels.

GRE does have some limitations:
■ GRE provides no cryptographic protection for traffic and must be combined with IPsec to provide it.
■ There is no standard way to determine the end-to-end state of a GRE tunnel. Cisco IOS Software provides proprietary GRE keepalives for this purpose.
■ It can be CPU intensive on some platforms.
■ Tunnels can sometimes cause maximum transmission unit (MTU) and IP fragmentation-related issues (important for the configuration of OSPF as the IGP and for applications such as FTP).

(m)GRE and NHRP Integration
As stated, NHRP maps tunnel IP addresses to outer transport IP addresses. This means that in a hub-and-spoke DMVPN deployment, no GRE or IPsec information about the spoke is configured on the hub router. The spoke router is configured with information about the hub using NHRP commands. When the spoke router starts up, it automatically initiates an IPsec tunnel with the hub router. It then notifies the NHRP server (hub router) of its current physical interface IP address. This notification is beneficial because:
■ The hub router configuration is drastically shortened and simplified because it does not need to know any GRE or IPsec information about the spoke router. It is learned through NHRP.
■ Adding a new spoke router to the DMVPN requires no configuration on the hub. The spoke is configured with the hub information and dynamically registers with the hub router. Dynamic routing protocols distribute information about the spoke to the hub, which in turn propagates the information to the other spokes.
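The registration and resolution flow described above, as an added simulation (not code from the original post): a spoke registers its tunnel-to-physical mapping with the hub acting as NHS, and in the spoke-to-spoke model it later resolves another spoke's physical address through the hub before sending direct. The `NhrpHub`/`NhrpSpoke` classes and the mode names are assumptions of this example; the addresses are the lab's (hub 10.1.5.1 on 172.22.8.1, spokes 10.1.5.2/.3 on 172.22.8.2/.3). IPsec and the routing protocol are left out; only the tunnel-to-NBMA mapping and the network-id/authentication check are modelled.

```python
"""NHRP registration and resolution between spokes and the hub (NHS), simulated.
Added example, not from the original post. Addresses are the lab's; IPsec and
routing are omitted; only the tunnel-IP -> NBMA (physical) mapping is modelled."""
from dataclasses import dataclass, field


@dataclass
class NhrpHub:
    """NHRP server: holds the tunnel-IP -> NBMA address cache learned from spokes."""
    network_id: int
    auth: str
    cache: dict = field(default_factory=dict)

    def _accept(self, network_id, auth):
        # Both the NHRP network-id and the authentication string must match.
        return network_id == self.network_id and auth == self.auth

    def register(self, network_id, auth, tunnel_ip, nbma_ip):
        """Registration request from a spoke; True if the mapping was stored."""
        if not self._accept(network_id, auth):
            return False
        self.cache[tunnel_ip] = nbma_ip
        return True

    def resolve(self, network_id, auth, tunnel_ip):
        """Resolution request: which NBMA address owns this tunnel IP?"""
        if not self._accept(network_id, auth):
            return None
        return self.cache.get(tunnel_ip)


@dataclass
class NhrpSpoke:
    tunnel_ip: str
    nbma_ip: str
    network_id: int
    auth: str
    nhs: tuple          # (hub tunnel IP, hub NBMA IP): the static 'ip nhrp map'
    cache: dict = field(default_factory=dict)

    def __post_init__(self):
        self.cache[self.nhs[0]] = self.nhs[1]   # the only static entry

    def register_with(self, hub):
        """What the spoke does at start-up: tell the NHS its current NBMA address."""
        return hub.register(self.network_id, self.auth, self.tunnel_ip, self.nbma_ip)

    def next_hop_nbma(self, hub, dest_tunnel_ip, mode):
        """NBMA address a packet for dest_tunnel_ip is encapsulated towards.
        'hub-and-spoke' (p2p GRE on the spoke): always the hub.
        'spoke-to-spoke' (mGRE on the spoke): resolve via the NHS, cache the
        answer, then send direct; while unresolved, traffic still goes via the hub."""
        if mode == "hub-and-spoke":
            return self.nhs[1]
        if dest_tunnel_ip not in self.cache:
            answer = hub.resolve(self.network_id, self.auth, dest_tunnel_ip)
            if answer is None:
                return self.nhs[1]
            self.cache[dest_tunnel_ip] = answer
        return self.cache[dest_tunnel_ip]


def simulate():
    """Bring up the lab topology and report where R2 sends traffic for R3."""
    hub = NhrpHub(network_id=1, auth="teto")
    r2 = NhrpSpoke("10.1.5.2", "172.22.8.2", 1, "teto", ("10.1.5.1", "172.22.8.1"))
    r3 = NhrpSpoke("10.1.5.3", "172.22.8.3", 1, "teto", ("10.1.5.1", "172.22.8.1"))
    assert r2.register_with(hub) and r3.register_with(hub)
    return {
        "hub_cache": dict(hub.cache),
        "hub-and-spoke": r2.next_hop_nbma(hub, "10.1.5.3", "hub-and-spoke"),
        "spoke-to-spoke": r2.next_hop_nbma(hub, "10.1.5.3", "spoke-to-spoke"),
    }


if __name__ == "__main__":
    print(simulate())
```

The hub starts with an empty cache and learns every spoke from its registration, which is why nothing about the spokes appears in the hub configuration; a spoke whose network-id or authentication string differs is refused and never becomes resolvable by the others.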

Lab:

R1 Config:
//Hub configuration.
!
hostname R1
!
//IPsec config. One pre-shared key per spoke (IPsec peer).
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testing address 172.22.8.2     
crypto isakmp key testing1 address 172.22.8.3     
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac 
!
crypto ipsec profile Test
 description tunnel-test
 set transform-set dmvpn 
!
interface Tunnel0
 ip address 10.1.5.1 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 1
//Configuring NHRP Server.
 ip nhrp authentication teto    //If NHRP is being used over an untrusted network, configure NHRP authentication.
 ip nhrp map multicast dynamic   //To support dynamic routing protocols, enable support of IP multicast traffic. This allows each spoke to register as a receiver of multicast traffic, causing the hub to replicate and forward multicast packets to the spoke routers.
 ip nhrp network-id 1    //Create a new NHRP server on the tunnel interface. The NHRP network ID must be the same on the NHRP server and its NHRP clients.
 tunnel source Ethernet0/0  //The tunnel source must be declared, but not the destination, since this is a multipoint tunnel.
 tunnel mode gre multipoint   //Create a Cisco IOS Software tunnel interface and make it an mGRE interface.
 tunnel key 345678  //This command is required and must match the tunnel key configured on the spokes. It allows network administrators to run more than one DMVPN at a time on the same router.
 tunnel protection ipsec profile Test   //Where IPsec is applied.
!
interface Ethernet0/0
 ip address 172.22.8.1 255.255.255.248
!
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
!
R2 Config:
//Spoke1 configuration
!
hostname R2
!
//IPsec config. Only the hub is declared as a peer.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testing address 172.22.8.1     
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac 
!
crypto ipsec profile Test
 description tunnel-test
 set transform-set dmvpn 
! 
interface Tunnel0 //Configure a GRE interface; tunnel mode is not declared because the default mode is point-to-point GRE.
 ip address 10.1.5.2 255.255.255.0
//Configure an NHRP Client
 ip nhrp authentication teto
 ip nhrp map multicast 172.22.8.1  //To allow the spoke to register its multicast capability with the hub.
 ip nhrp map 10.1.5.1 172.22.8.1   //Specify a static NHRP map so the spoke can reach the NHRP server (hub tunnel address to hub physical address). It appears that any IP can be used.
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1  //Specify the location of the NHRP NHS.
 tunnel source Ethernet0/0
 tunnel destination 172.22.8.1  //The spoke needs a tunnel destination, just like a regular point-to-point tunnel.
 tunnel key 345678
 tunnel protection ipsec profile Test   //Where IPsec is applied.
!         
interface Ethernet0/0
 ip address 172.22.8.2 255.255.255.248
!         
interface Ethernet0/1
 ip address 10.1.2.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
!
R3 Config:
//Spoke2 configuration.
!
hostname R3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testing1 address 172.22.8.1     
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac 
!
crypto ipsec profile Test
 description tunnel-test
 set transform-set dmvpn 
!
interface Tunnel0
 ip address 10.1.5.3 255.255.255.0
 ip nhrp authentication teto
 ip nhrp map multicast 172.22.8.1
 ip nhrp map 10.1.5.1 172.22.8.1
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1
 tunnel source Ethernet0/0
 tunnel destination 172.22.8.1
 tunnel key 345678
 tunnel protection ipsec profile Test
!
interface Ethernet0/0
 ip address 172.22.8.3 255.255.255.248
!
interface Ethernet0/1
 ip address 10.1.3.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
!
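A cross-device consistency check for the three configs above, as an added example (not from the original post). The hub and both spokes have to agree on the tunnel key, the NHRP network-id and authentication string, the NHS address and its static NHRP map, and the ISAKMP pre-shared key on both ends; a mismatch in any of these is the usual reason a spoke never registers. The parser and the check logic are this example's own; the config strings are the lab's R1/R2/R3 configs trimmed to the lines the checks read (R2 and R3 are generated from one template since they differ only in hostname, addresses and key).

```python
"""Cross-device consistency check for the DMVPN lab above (added example, not
from the original post): a small parser for IOS-style config text and checks
on the values that must agree between hub and spokes. The config strings are
the lab's R1/R2/R3 configs trimmed to the lines the checks read."""

R1 = """
hostname R1
crypto isakmp key testing address 172.22.8.2
crypto isakmp key testing1 address 172.22.8.3
crypto isakmp aggressive-mode disable
interface Tunnel0
 ip address 10.1.5.1 255.255.255.0
 ip nhrp authentication teto
 ip nhrp network-id 1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 345678
interface Ethernet0/0
 ip address 172.22.8.1 255.255.255.248
"""

def spoke_cfg(host, tun_ip, nbma_ip, psk):   # R2/R3 from the lab, as a template
    return f"""
hostname {host}
crypto isakmp key {psk} address 172.22.8.1
crypto isakmp aggressive-mode disable
interface Tunnel0
 ip address {tun_ip} 255.255.255.0
 ip nhrp authentication teto
 ip nhrp map 10.1.5.1 172.22.8.1
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1
 tunnel source Ethernet0/0
 tunnel key 345678
interface Ethernet0/0
 ip address {nbma_ip} 255.255.255.248
"""

R2 = spoke_cfg("R2", "10.1.5.2", "172.22.8.2", "testing")
R3 = spoke_cfg("R3", "10.1.5.3", "172.22.8.3", "testing1")

# interface-mode lines the checks need: token prefix -> (field name, value index)
IF_FIELDS = {
    ("ip", "address"): ("ip", 2),
    ("ip", "nhrp", "authentication"): ("nhrp_auth", 3),
    ("ip", "nhrp", "network-id"): ("nhrp_id", 3),
    ("ip", "nhrp", "nhs"): ("nhs", 3),
    ("tunnel", "source"): ("source", 2),
    ("tunnel", "key"): ("key", 2),
}

def parse(cfg):
    dev = {"psk": {}, "aggr_disabled": False, "ifaces": {}}
    cur = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):              # global-mode command
            cur = None
            if t[0] == "hostname":
                dev["hostname"] = t[1]
            elif t[:3] == ["crypto", "isakmp", "key"]:
                dev["psk"][t[5]] = t[3]             # peer address -> key
            elif t[:3] == ["crypto", "isakmp", "aggressive-mode"]:
                dev["aggr_disabled"] = t[3] == "disable"
            elif t[0] == "interface":
                cur = dev["ifaces"].setdefault(t[1], {"maps": {}})
        elif cur is not None and t[:3] == ["ip", "nhrp", "map"]:
            cur["maps"][t[3]] = t[4]                # static tunnel IP -> NBMA
        elif cur is not None:
            for prefix, (name, idx) in IF_FIELDS.items():
                if t[:len(prefix)] == list(prefix):
                    cur[name] = t[idx]
    return dev

def tunnel(dev):
    return next(i for n, i in dev["ifaces"].items() if n.startswith("Tunnel"))

def nbma(dev):   # transport address: IP of the interface named as tunnel source
    return dev["ifaces"][tunnel(dev)["source"]]["ip"]

def check_dmvpn(hub_cfg, spoke_cfgs):
    """Return a list of problems; an empty list means the set is consistent."""
    hub, spokes = parse(hub_cfg), [parse(c) for c in spoke_cfgs]
    ht, problems = tunnel(hub), []
    for dev in [hub] + spokes:
        name, tun = dev["hostname"], tunnel(dev)
        if not dev["aggr_disabled"]:
            problems.append(f"{name}: IKE aggressive mode is not disabled")
        for f in ("key", "nhrp_id", "nhrp_auth"):  # must match on every peer
            if tun.get(f) != ht.get(f):
                problems.append(f"{name}: {f} {tun.get(f)!r} differs from hub {ht.get(f)!r}")
    for sp in spokes:
        name, tun = sp["hostname"], tunnel(sp)
        if tun.get("nhs") != ht["ip"]:
            problems.append(f"{name}: NHS {tun.get('nhs')} is not the hub tunnel address {ht['ip']}")
        if tun["maps"].get(ht["ip"]) != nbma(hub):
            problems.append(f"{name}: static NHRP map for {ht['ip']} does not point at {nbma(hub)}")
        if hub["psk"].get(nbma(sp)) != sp["psk"].get(nbma(hub)):
            problems.append(f"{name}: pre-shared key does not match the hub's key for {nbma(sp)}")
    return problems
```

Running `check_dmvpn(R1, [R2, R3])` on the lab configs returns an empty list; changing a spoke's tunnel key, dropping `crypto isakmp aggressive-mode disable`, or mistyping a pre-shared key on either side each produce one named finding.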

Additional Notes:

1st – Optionally, to avoid problems with fragmentation of user packets, set the IP MTU size with the ip mtu command and set the TCP maximum segment size (MSS) value using the ip tcp adjust-mss interface command.

Ex:
!
Hub(config)# interface tunnel0
Hub(config-if)# ip address 10.1.1.1 255.255.0.0
Hub(config-if)# ip mtu 1400
Hub(config-if)# ip tcp adjust-mss 1360
!

2nd – Dynamic Routing Protocol Configuration.

Ex:
EIGRP Hub Configuration
-EIGRP with Hub-and-Spoke
!
router(config)# router eigrp 1
router(config-router)# no auto-summary
router(config-router)# exit
!
router(config)# interface tunnel 0
router(config-if)# no ip split-horizon eigrp 1    //You should disable automatic summarization on the hub and disable EIGRP split horizon so that the hub will propagate information about spoke networks to other spokes.
!

-EIGRP with Full Mesh
!
router(config)# router eigrp 1
router(config-router)# no auto-summary
router(config-router)# exit
!
router(config)# interface tunnel 0
router(config-if)# no ip next-hop-self eigrp 1     //Mesh DMVPNs cause a problem for route propagation because spoke routers cannot directly exchange information with one another, even though they are on the same logical subnet. This requires the hub router to advertise the subnets from the spokes on the same subnet, and the advertised route must contain the original next hop as it was learned by the hub router from the originating spoke.
router(config-if)# no ip split-horizon eigrp 1
!
OSPF Hub Configuration
-OSPF with Hub-and-Spoke
!
router(config)# interface tunnel 0
router(config-if)# ip ospf network point-to-multipoint   //Configure the tunnel interface on the hub as a point-to-multipoint OSPF network type and on the spokes as a point-to-point network type. There is no need for a BDR, and this makes the branches consider the hub as the only path off the subnet. This greatly simplifies the Dijkstra algorithm process for the OSPF area.
router(config-if)# ip ospf priority 10
!

-OSPF with Full Mesh
!
router(config)# interface tunnel 0
router(config-if)# ip ospf network broadcast
router(config-if)# ip ospf priority 10
!