Dynamic Multipoint VPN example.

Objective: Build a lab with a DMVPN configuration example.

Theory:

The Cisco DMVPN feature allows administrators to deploy scalable IPsec VPNs for both small and large networks.
The Cisco DMVPN feature combines the features and benefits of:
- mGRE tunnels
- IPsec encryption
- Next Hop Resolution Protocol (NHRP)

DMVPNs can be deployed using two models:
Hub-and-spoke: A hub-and-spoke DMVPN requires that each branch (spoke) have a point-to-point GRE interface that is used to build a tunnel to the hub router. All traffic between spokes must flow through the hub router. This model provides a scalable configuration on the hub router but does not provide direct spoke-to-spoke communication.
Spoke-to-spoke: A spoke-to-spoke DMVPN requires that each branch (spoke) have an mGRE interface through which dynamic spoke-to-spoke tunnels are used for spoke-to-spoke traffic. This model provides a scalable configuration for all involved devices and also provides direct spoke-to-spoke communication. Be aware that DMVPN does not immediately produce a mesh (partial or full) topology. It initially establishes a hub-and-spoke topology from which a partial or full mesh is generated dynamically as traffic patterns dictate.

Building Blocks of DMVPNs.
mGRE: mGRE allows a single Generic Routing Encapsulation (GRE) interface to support multiple GRE tunnels and makes the configuration much easier. Using GRE tunnels provides support for IP multicast and non-IP protocols to traverse the interface as well.
NHRP: Next Hop Resolution Protocol (NHRP) is a client and server protocol where the hub acts as the NHRP server and the spokes are the NHRP clients. The NHRP database maintains mappings between the router (public, physical interface) and the tunnel (inside the tunnel interface) IP addresses of each spoke.
IPsec: IPsec provides transmission protection for GRE tunnels.

Deployment Tasks
Deploying a DMVPN requires completing the following configuration tasks:
Task 1. Configure Internet Key Exchange (IKE) sessions between each DMVPN spoke and the hub, including Internet Security Association and Key Management Protocol (ISAKMP) policies and authentication information.
Task 2. Configure NHRP sessions between each DMVPN spoke and the hub.
Task 3. Configure mGRE tunnels and IPsec profiles on the DMVPN hub.
Task 4. Configure GRE (for pure hub-and-spoke DMVPNs) or mGRE (for partial or full mesh DMVPNs) tunnels and IPsec profiles on DMVPN spokes.
Task 5. Configure dynamic routing over DMVPN tunnels.

GRE does have some limitations:
■ GRE provides no cryptographic protection for traffic and must be combined with IPsec to provide it.
■ There is no standard way to determine the end-to-end state of a GRE tunnel. Cisco IOS Software provides proprietary GRE keepalives for this purpose.
■ It can be CPU intensive on some platforms.
■ Tunnels can sometimes cause maximum transmission unit (MTU) and IP fragmentation-related issues (important when OSPF is used as the IGP and for applications such as FTP).

(m)GRE and NHRP Integration
As stated, NHRP maps tunnel IP addresses to outer transport IP addresses. This means that in a hub-and-spoke DMVPN deployment, no GRE or IPsec information about the spoke is configured on the hub router. The spoke router is configured with information about the hub using NHRP commands. When the spoke router starts up, it automatically initiates an IPsec tunnel with the hub router. It then notifies the NHRP server (hub router) of its current physical interface IP address. This notification is beneficial because
■ The hub router configuration is drastically shortened and simplified because it does not need to know any GRE or IPsec information about the spoke router. It is learned through NHRP.
■ Adding a new spoke router to the DMVPN requires no configuration on the hub. The spoke is configured with the hub information and dynamically registers with the hub router. Dynamic routing protocols distribute information about the spoke to the hub, which in turn propagates the information to the other spokes.

Lab:

R1 Config:
//Hub configuration.
!
hostname R1
!
//IPsec config. One pre-shared key per IPsec peer (one entry per spoke).
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key testing address 172.22.8.2
crypto isakmp key testing1 address 172.22.8.3
crypto isakmp aggressive-mode disable //Aggressive mode sends the PSK-derived hash unencrypted and exposes it to offline guessing; keep it disabled on every DMVPN router.
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!
crypto ipsec profile Test
description tunnel-test
set transform-set dmvpn
!
interface Tunnel0
ip address 10.1.5.1 255.255.255.0
no ip redirects
no ip split-horizon eigrp 1
//Configuring NHRP Server.
ip nhrp authentication teto //If NHRP is being used over an untrusted network, configure NHRP authentication.
ip nhrp map multicast dynamic //To support dynamic routing protocols, enable support of IP multicast traffic. This allows each spoke to register as a receiver of multicast traffic, causing the hub to replicate and forward multicast packets to the spoke routers.
ip nhrp network-id 1 //Create a new NHRP server on the tunnel interface. The NHRP network ID must be the same on the NHRP server and its NHRP clients.
tunnel source Ethernet0/0 //The tunnel source must be declared, but not the destination, since this is a multipoint tunnel.
tunnel mode gre multipoint //Create a Cisco IOS Software tunnel interface and make it an mGRE interface.
tunnel key 345678 //This command is required and must match the tunnel key configured on the spokes. This command allows network administrators to run more than one DMVPN at a time on the same router.
tunnel protection ipsec profile Test //Where IPSec is applied.
!
interface Ethernet0/0
ip address 172.22.8.1 255.255.255.248
!
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0
!

R2 Config:
//Spoke1 configuration
!
hostname R2
!
//IPsec config. Only the hub is declared as an IKE peer.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key testing address 172.22.8.1
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!
crypto ipsec profile Test
description tunnel-test
set transform-set dmvpn
!
interface Tunnel0 //Configure a GRE interface; tunnel mode is not declared because the default mode is point-to-point GRE.
ip address 10.1.5.2 255.255.255.0
//Configure an NHRP Client
ip nhrp authentication teto
ip nhrp map multicast 172.22.8.1 //To allow the spoke to register its multicast capability with the hub.
ip nhrp map 10.1.5.1 172.22.8.1 //Static NHRP map from the hub's tunnel address to its physical (NBMA) address, so the spoke can reach the NHRP server. It appears that any IP can be used here.
ip nhrp network-id 1
ip nhrp nhs 10.1.5.1 //Specify the location of the NHRP NHS.
tunnel source Ethernet0/0
tunnel destination 172.22.8.1 //The spoke needs a tunnel destination, just like a regular point-to-point tunnel.
tunnel key 345678
tunnel protection ipsec profile Test //Where IPSec is applied.
!
interface Ethernet0/0
ip address 172.22.8.2 255.255.255.248
!
interface Ethernet0/1
ip address 10.1.2.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0
!

R3 Config:
//Spoke2 configuration.
!
hostname R3
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key testing1 address 172.22.8.1
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!
crypto ipsec profile Test
description tunnel-test
set transform-set dmvpn
!
interface Tunnel0
ip address 10.1.5.3 255.255.255.0
ip nhrp authentication teto
ip nhrp map multicast 172.22.8.1
ip nhrp map 10.1.5.1 172.22.8.1
ip nhrp network-id 1
ip nhrp nhs 10.1.5.1
tunnel source Ethernet0/0
tunnel destination 172.22.8.1
tunnel key 345678
tunnel protection ipsec profile Test
!
interface Ethernet0/0
ip address 172.22.8.3 255.255.255.248
!
interface Ethernet0/1
ip address 10.1.3.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0
!
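The hub and spoke configurations above only work when several values agree on both ends: the NHRP network ID and authentication string, the tunnel key, the NHS address, and the ISAKMP pre-shared key the hub holds for each spoke's physical address. The following script is an added example (not code from the original post or from Cisco) that parses simplified copies of the R1/R2/R3 configs and checks those cross-device dependencies, and also reports the hardening gaps a reviewer would raise on this lab: aggressive mode left enabled, legacy 3DES and DH group 2, and tunnel interfaces with no `ip mtu` / `ip tcp adjust-mss` clamp (the fragmentation issue the theory section mentions). The embedded configs are constructed, abbreviated versions of the lab configs; the parser understands only the commands used here.

```python
# Cross-device consistency audit for the DMVPN lab configs (added example).
# Constructed inputs: abbreviated copies of the R1/R2/R3 configs from the lab.
R1_CFG = """
hostname R1
crypto isakmp policy 1
 group 2
crypto isakmp key testing address 172.22.8.2
crypto isakmp key testing1 address 172.22.8.3
crypto isakmp aggressive-mode disable
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
interface Tunnel0
 ip address 10.1.5.1 255.255.255.0
 ip nhrp authentication teto
 ip nhrp network-id 1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 345678
interface Ethernet0/0
 ip address 172.22.8.1 255.255.255.248
"""

def spoke_cfg(name, wan_ip_addr, tun_ip, psk):
    """Build a spoke config in the shape of R2/R3 (constructed sample)."""
    return f"""
hostname {name}
crypto isakmp policy 1
 group 2
crypto isakmp key {psk} address 172.22.8.1
crypto isakmp aggressive-mode disable
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
interface Tunnel0
 ip address {tun_ip} 255.255.255.0
 ip nhrp authentication teto
 ip nhrp map 10.1.5.1 172.22.8.1
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1
 tunnel source Ethernet0/0
 tunnel destination 172.22.8.1
 tunnel key 345678
interface Ethernet0/0
 ip address {wan_ip_addr} 255.255.255.248
"""

R2_CFG = spoke_cfg("R2", "172.22.8.2", "10.1.5.2", "testing")
R3_CFG = spoke_cfg("R3", "172.22.8.3", "10.1.5.3", "testing1")

GLOBAL = ("hostname", "crypto", "interface", "router")   # commands that end a sub-block

def parse_ios(text):
    """Extract the DMVPN-relevant settings from one IOS config (simplified parser)."""
    cfg = {"psk": {}, "aggressive_disabled": False, "transforms": [], "ifaces": {}, "tun": {}}
    block = None                       # ("if", name) or ("policy",) while inside a sub-block
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[0] in GLOBAL:
            block = None
        if w[0] == "hostname":
            cfg["host"] = w[1]
        elif line.startswith("crypto isakmp policy"):
            block = ("policy",)
        elif line.startswith("crypto isakmp key"):
            cfg["psk"][w[5]] = w[3]        # peer address -> pre-shared key
        elif line.startswith("crypto isakmp aggressive-mode disable"):
            cfg["aggressive_disabled"] = True
        elif line.startswith("crypto ipsec transform-set"):
            cfg["transforms"] = w[4:]
        elif w[0] == "interface":
            block = ("if", w[1])
            cfg["ifaces"][w[1]] = {}
            if w[1].startswith("Tunnel"):
                cfg["tun_if"] = w[1]
        elif block == ("policy",) and w[0] == "group":
            cfg["dh_group"] = int(w[1])
        elif block and block[0] == "if":
            name = block[1]
            if line.startswith("ip address"):
                cfg["ifaces"][name]["ip"] = w[2]
            if name.startswith("Tunnel"):
                cfg["tun"][" ".join(w[:-1])] = w[-1]   # e.g. "tunnel key" -> "345678"
    return cfg

def wan_ip(cfg):
    """Transport (NBMA) address: the IP on the interface named by 'tunnel source'."""
    return cfg["ifaces"][cfg["tun"]["tunnel source"]]["ip"]

def audit(hub, spokes):
    """Return (errors, warnings): errors break the DMVPN, warnings are hardening gaps."""
    errors, warnings = [], []
    hub_tun_ip = hub["ifaces"][hub["tun_if"]]["ip"]
    for s in spokes:
        for key in ("ip nhrp network-id", "ip nhrp authentication", "tunnel key"):
            if s["tun"].get(key) != hub["tun"].get(key):
                errors.append(f"{s['host']}: '{key}' {s['tun'].get(key)} != hub {hub['tun'].get(key)}")
        if s["tun"].get("ip nhrp nhs") != hub_tun_ip:
            errors.append(f"{s['host']}: NHS {s['tun'].get('ip nhrp nhs')} is not the hub tunnel address {hub_tun_ip}")
        if hub["psk"].get(wan_ip(s)) != s["psk"].get(wan_ip(hub)):
            errors.append(f"{s['host']}: ISAKMP pre-shared key does not match the hub's entry for {wan_ip(s)}")
    for dev in [hub, *spokes]:
        if not dev["aggressive_disabled"]:
            warnings.append(f"{dev['host']}: IKE aggressive mode not disabled (PSK-derived hash exposed to offline guessing)")
        if any("3des" in t for t in dev["transforms"]) or dev.get("dh_group", 0) < 14:
            warnings.append(f"{dev['host']}: legacy crypto (3DES / DH group {dev.get('dh_group')})")
        if "ip mtu" not in dev["tun"] or "ip tcp adjust-mss" not in dev["tun"]:
            warnings.append(f"{dev['host']}: no 'ip mtu' / 'ip tcp adjust-mss' on {dev['tun_if']}; expect GRE+IPsec fragmentation")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = audit(parse_ios(R1_CFG), [parse_ios(R2_CFG), parse_ios(R3_CFG)])
    print("errors:", *errs, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
```

Run against the lab as written, the audit reports no errors (every spoke agrees with the hub) but warns on every router about 3DES with DH group 2 and about the missing MTU/MSS clamp; change the tunnel key on one spoke and the mismatch is reported for that spoke only, which is the same failure you would otherwise have to chase through `show ip nhrp` and `show crypto isakmp sa`.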
