Dynamic Multipoint VPN example.

Contents:
Dynamic Multipoint VPN example.
DMVPN Relevant show commands.

Objective: Build a lab with a worked DMVPN configuration example.

Theory:

The Cisco DMVPN feature allows administrators to deploy scalable IPsec VPNs for both small and large networks.
The Cisco DMVPN feature combines the features and benefits of:
-mGRE tunnels
-IPsec encryption
-Next Hop Resolution Protocol (NHRP)

DMVPNs can be deployed using two models:
Hub-and-spoke: A hub-and-spoke DMVPN requires that each branch (spoke) have a point-to-point GRE interface that is used to build a tunnel to the hub router. All traffic between spokes must flow through the hub router. This model provides a scalable configuration on the hub router but does not provide direct spoke-to-spoke communication.
Spoke-to-spoke: A spoke-to-spoke DMVPN requires that each branch (spoke) have an mGRE interface through which dynamic spoke-to-spoke tunnels are used for spoke-to-spoke traffic. This model provides a scalable configuration for all involved devices and also provides direct spoke-to-spoke communication. Be aware that DMVPN does not immediately produce a mesh (partial or full) topology. It initially establishes a hub-and-spoke topology from which a partial or full mesh is generated dynamically as traffic patterns dictate.

Building Blocks of DMVPNs:
mGRE: mGRE allows a single Generic Routing Encapsulation (GRE) interface to support multiple GRE tunnels and makes the configuration much easier. Using GRE tunnels provides support for IP multicast and non-IP protocols to traverse the interface as well.
NHRP: Next Hop Resolution Protocol (NHRP) is a client and server protocol where the hub acts as the NHRP server and the spokes are the NHRP clients. The NHRP database maintains mappings between the router (public, physical interface) and the tunnel (inside the tunnel interface) IP addresses of each spoke.
IPsec: IPsec provides transmission protection for GRE tunnels.

Deployment Tasks.
Deploying a DMVPN requires completing the following configuration tasks:
Task 1. Configure Internet Key Exchange (IKE) sessions between each DMVPN spoke and the hub, including Internet Security Association and Key Management Protocol (ISAKMP) policies and authentication information.
Task 2. Configure NHRP sessions between each DMVPN spoke and the hub.
Task 3. Configure mGRE tunnels and IPsec profiles on the DMVPN hub.
Task 4. Configure GRE (for pure hub-and-spoke DMVPNs) or mGRE (for partial or full mesh DMVPNs) tunnels and IPsec profiles on DMVPN spokes.
Task 5. Configure dynamic routing over DMVPN tunnels.

GRE does have some limitations:
■ GRE provides no cryptographic protection for traffic and must be combined with IPsec to provide it.
■ There is no standard way to determine the end-to-end state of a GRE tunnel. Cisco IOS Software provides proprietary GRE keepalives for this purpose.
■ It can be CPU intensive on some platforms.
■ Tunnels can sometimes cause maximum transmission unit (MTU) and IP fragmentation-related issues (important when OSPF is used as the IGP and for applications such as FTP).

(m)GRE and NHRP Integration
As stated, NHRP maps tunnel IP addresses to outer transport IP addresses. This means that in a hub-and-spoke DMVPN deployment, no GRE or IPsec information about the spoke is configured on the hub router. The spoke router is configured with information about the hub using NHRP commands. When the spoke router starts up, it automatically initiates an IPsec tunnel with the hub router. It then notifies the NHRP server (hub router) of its current physical interface IP address. This notification is beneficial because
■ The hub router configuration is drastically shortened and simplified because it does not need to know any GRE or IPsec information about the spoke router. It is learned through NHRP.
■ Adding a new spoke router to the DMVPN requires no configuration on the hub. The spoke is configured with the hub information and dynamically registers with the hub router. Dynamic routing protocols distribute information about the spoke to the hub, which in turn propagates the information to the other spokes.

Lab:

R1 Config:
//Hub configuration.
!
hostname R1
!
//IPsec config. One pre-shared key per spoke, each bound to that spoke's transport address.
//Note: 3DES, SHA-1 and DH group 2 are legacy choices kept here for the lab; on current IOS use IKEv2 with AES and DH group 14 or higher.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testing address 172.22.8.2     
crypto isakmp key testing1 address 172.22.8.3     
crypto isakmp aggressive-mode disable   //Keep aggressive mode off: with pre-shared keys it sends the PSK-derived hash unencrypted, which allows offline guessing of the key.
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac 
!
crypto ipsec profile Test
 description tunnel-test
 set transform-set dmvpn 
!
interface Tunnel0
 ip address 10.1.5.1 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 1
//Configuring the NHRP server.
 ip nhrp authentication teto    //Configure NHRP authentication when NHRP runs over an untrusted network. The string is sent in cleartext, so it only keeps peers with a different string from registering by mistake; confidentiality and integrity come from IPsec.
 ip nhrp map multicast dynamic   //To support dynamic routing protocols, enable support for IP multicast traffic. Each spoke registers as a receiver of multicast traffic, so the hub replicates and forwards multicast packets to every spoke.
 ip nhrp network-id 1    //Create a new NHRP server on the tunnel interface. The NHRP network ID must be the same on the NHRP server and its NHRP clients.
 tunnel source Ethernet0/0  //Only the tunnel source is declared; there is no single destination, since this is a multipoint tunnel.
 tunnel mode gre multipoint   //Create a Cisco IOS Software tunnel interface and make it an mGRE interface.
 tunnel key 345678  //If configured, the tunnel key must match on the hub and every spoke. It lets you run more than one mGRE tunnel from the same source address on the same router.
 tunnel protection ipsec profile Test   //Where IPsec is applied.
!
interface Ethernet0/0
 ip address 172.22.8.1 255.255.255.248
!
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
!
R2 Config:
//Spoke1 configuration
!
hostname R2
!
//IPsec config. Only the hub is declared: the spoke needs a key for the hub's transport address only.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testing address 172.22.8.1     
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac 
!
crypto ipsec profile Test
 description tunnel-test
 set transform-set dmvpn 
! 
interface Tunnel0 //Configure a GRE interface. No tunnel mode is declared because the default mode is point-to-point GRE (hub-and-spoke only; for spoke-to-spoke tunnels the spoke would also need tunnel mode gre multipoint).
 ip address 10.1.5.2 255.255.255.0
//Configure an NHRP client.
 ip nhrp authentication teto
 ip nhrp map multicast 172.22.8.1  //Send multicast (routing protocol) traffic to the hub's transport address.
 ip nhrp map 10.1.5.1 172.22.8.1   //Static NHRP map: the hub's tunnel address (the NHS address below) to the hub's transport (NBMA) address. This is how the spoke reaches the NHRP server before any dynamic entry exists.
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1  //Specify the next-hop server (NHS), i.e. the hub's tunnel address.
 tunnel source Ethernet0/0
 tunnel destination 172.22.8.1  //A point-to-point GRE spoke needs a tunnel destination, just like a regular point-to-point tunnel.
 tunnel key 345678
 tunnel protection ipsec profile Test   //Where IPsec is applied.
!         
interface Ethernet0/0
 ip address 172.22.8.2 255.255.255.248
!         
interface Ethernet0/1
 ip address 10.1.2.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
!
R3 Config:
//Spoke2 configuration.
!
hostname R3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testing1 address 172.22.8.1     
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac 
!
crypto ipsec profile Test
 description tunnel-test
 set transform-set dmvpn 
!
interface Tunnel0
 ip address 10.1.5.3 255.255.255.0
 ip nhrp authentication teto
 ip nhrp map multicast 172.22.8.1
 ip nhrp map 10.1.5.1 172.22.8.1
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1
 tunnel source Ethernet0/0
 tunnel destination 172.22.8.1
 tunnel key 345678
 tunnel protection ipsec profile Test
!
interface Ethernet0/0
 ip address 172.22.8.3 255.255.255.248
!
interface Ethernet0/1
 ip address 10.1.3.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
!

Additional Notes:

1st – Optionally, to avoid fragmentation of user packets, set the IP MTU on the tunnel interface with the ip mtu command and set the TCP maximum segment size (MSS) with the ip tcp adjust-mss interface command.

Ex:
!
Hub(config)# interface tunnel0
Hub(config-if)# ip address 10.1.1.1 255.255.0.0
Hub(config-if)# ip mtu 1400
Hub(config-if)# ip tcp adjust-mss 1360
!
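The numbers 1400 and 1360 are not arbitrary: they are what is left of a 1500-byte transport MTU after GRE and ESP overhead, and after IP and TCP headers respectively. The following is an added worked example, not code from the original post; it computes that overhead for the lab's own transform set (esp-3des esp-sha-hmac, so an 8-byte IV, 8-byte cipher block and 12-byte ICV), assuming IPv4 without options, a GRE key (the lab sets tunnel key) and IPsec tunnel mode, which is the default for tunnel protection. For those parameters the largest unfragmented inner packet comes out at 1418 bytes, the same figure the hub reports as "Tunnel transport MTU" in the show interface tunnel 0 output further down.

```python
# Added example (not from the original post): GRE + IPsec overhead
# arithmetic behind "ip mtu 1400" / "ip tcp adjust-mss 1360".
# Assumptions: IPv4 without options, GRE with a 4-byte key, ESP with an
# 8-byte IV and 8-byte cipher block (3DES) and a 12-byte ICV (SHA-1 HMAC).

IPV4_HDR = 20          # outer / delivery IPv4 header, no options
GRE_HDR = 4            # base GRE header (flags + protocol type)
GRE_KEY = 4            # added when "tunnel key" is configured
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
TCP_HDR = 20


def wire_length(inner_len, tunnel_key=True, iv_len=8, block=8,
                icv_len=12, ipsec_tunnel_mode=True):
    """Bytes on the wire for one inner IP packet of inner_len bytes
    after GRE encapsulation and ESP protection."""
    gre_len = GRE_HDR + (GRE_KEY if tunnel_key else 0)
    # What ESP encrypts: in tunnel mode the GRE delivery IP header sits
    # inside the ESP payload; in transport mode it stays outside.
    plaintext = gre_len + inner_len
    if ipsec_tunnel_mode:
        plaintext += IPV4_HDR
    # ESP pads so that (plaintext + pad + trailer) is a multiple of the
    # cipher block size.
    padded = -(-(plaintext + ESP_TRAILER) // block) * block
    return IPV4_HDR + ESP_HDR + iv_len + padded + icv_len


def largest_inner_mtu(transport_mtu=1500, **kw):
    """Largest inner IP packet that leaves the transport unfragmented."""
    size = transport_mtu
    while size > 0 and wire_length(size, **kw) > transport_mtu:
        size -= 1
    return size


def mss_for_ip_mtu(ip_mtu):
    """TCP MSS that fits ip_mtu with plain IPv4 + TCP headers."""
    return ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    print("1400-byte inner packet on the wire:", wire_length(1400))
    print("largest unfragmented inner packet:", largest_inner_mtu())
    print("MSS for ip mtu 1400:", mss_for_ip_mtu(1400))
```

ip mtu 1400 therefore leaves 18 bytes of margin under the 1418 limit, which is why it is the usual recommendation; if the transport path MTU is smaller than 1500 (PPPoE, extra encapsulation), rerun largest_inner_mtu with that value before picking the tunnel MTU.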

2nd – Dynamic Routing Protocol Configuration.

Ex:
EIGRP Hub Configuration
-EIGRP with Hub-and-Spoke
!
router(config)# router eigrp 1
router(config-router)# no auto-summary
router(config-router)# exit
!
router(config)# interface tunnel 0
router(config-if)# no ip split-horizon eigrp 1    //You should disable automatic summarization on the hub and disable EIGRP split horizon so that the hub will propagate information about spoke networks to other spokes.
!

-EIGRP with Full Mesh
!
router(config)# router eigrp 1
router(config-router)# no auto-summary
router(config-router)# exit
!
router(config)# interface tunnel 0
router(config-if)# no ip next-hop-self eigrp 1     //Mesh DMVPNs cause a problem for route propagation because spoke routers cannot directly exchange routing information with one another, even though they are on the same logical subnet. The hub router must therefore advertise the spoke subnets back onto the same subnet, and the advertised route must keep the original next hop as the hub learned it from the originating spoke, so that spoke-to-spoke traffic can trigger a direct tunnel instead of going through the hub.
router(config-if)# no ip split-horizon eigrp 1
!
OSPF Hub Configuration
-OSPF with Hub-and-Spoke
!
router(config)# interface tunnel 0
router(config-if)# ip ospf network point-to-multipoint   //Configure the tunnel interface on the hub as a point-to-multipoint OSPF network type and on the spokes as point-to-point. Point-to-multipoint has no DR/BDR election, and it makes the spokes consider the hub the only path off the subnet, which greatly simplifies the Dijkstra computation for the OSPF area.
router(config-if)# ip ospf priority 10   //Has no effect on a point-to-multipoint network; harmless, but only meaningful with the broadcast network type below.
!

-OSPF with Full Mesh
!
router(config)# interface tunnel 0
router(config-if)# ip ospf network broadcast   //Broadcast mode keeps the original next hop in the spoke routes, which spoke-to-spoke tunnels require.
router(config-if)# ip ospf priority 10   //The hub must always be the DR, since the spokes cannot reach each other directly for the adjacency; configure the spokes with OSPF priority 0 so they never become DR or BDR.
!

DMVPN Relevant show commands

R1#sh inter tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 10.1.5.1/24
  MTU 17858 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.22.8.1 (Ethernet0/0)
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with Ethernet0/0
          Set of tunnels with source Ethernet0/0, 1 member (includes iterators), on interface 
  Tunnel protocol/transport multi-GRE/IP
    Key 0x5464E, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1418 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "Test")
  Last input 00:00:02, output never, output hang never
  Last clearing of "show interface" counters 00:01:06
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 20
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     33 packets input, 3088 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     58 packets output, 5998 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
!!!!

R1#sh ip nhrp
10.1.5.2/32 via 10.1.5.2
   Tunnel0 created 00:01:26, expire 01:58:34
   Type: dynamic, Flags: unique registered 
   NBMA address: 172.22.8.2 
10.1.5.3/32 via 10.1.5.3
   Tunnel0 created 00:01:26, expire 01:58:34
   Type: dynamic, Flags: unique registered 
   NBMA address: 172.22.8.3 
!!!!

R2#sh ip nhrp nhs
Legend:	E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.1.5.1  RE priority = 0 cluster = 0
!!!!

R1#sh dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
	N - NATed, L - Local, X - No Socket
	# Ent --> Number of NHRP entries with same NBMA peer
	NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
	UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1      172.22.8.2        10.1.5.2    UP 00:11:06     D
     1      172.22.8.3        10.1.5.3    UP 00:11:06     D
!!!!
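When there are more than a couple of spokes, reading the show dmvpn table by eye does not scale. The following is an added example (not code from the original post) that parses the peer table shown above and audits it against the spokes the hub actually has pre-shared keys for: any peer whose NBMA address is not on that list, any peer whose tunnel address does not match the one we expect for that NBMA address, any peer not in state UP, and any expected spoke that has not registered. The sample output is constructed from the lab's two spokes plus a made-up third peer (172.22.8.9 / 10.1.5.9) that should not be there.

```python
# Added example (not from the original post): parse the peer table of
# "show dmvpn" and audit it against the spokes we expect to see.
# The sample below is constructed: the lab's two spokes, one of them
# stuck in NHRP state, plus a made-up peer 172.22.8.9 that should not exist.
import re

SAMPLE_SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1      172.22.8.2        10.1.5.2    UP 00:11:06     D
     1      172.22.8.3        10.1.5.3  NHRP 00:00:12     D
     1      172.22.8.9        10.1.5.9    UP 00:02:40     D
"""

# One table row: entries, NBMA (transport) address, tunnel address,
# state, up/down time, attribute flags.
PEER_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\w+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_show_dmvpn(text):
    """Return one dict per peer row of 'show dmvpn' output."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue          # legend, headers, separator lines
        entries, nbma, tunnel, state, updn, attrb = m.groups()
        peers.append({"entries": int(entries), "nbma": nbma,
                      "tunnel": tunnel, "state": state,
                      "updn": updn, "attrb": attrb})
    return peers


def audit_peers(text, expected):
    """expected maps NBMA address -> tunnel address for every spoke we
    configured a pre-shared key for. Returns a list of findings."""
    findings = []
    seen = set()
    for p in parse_show_dmvpn(text):
        seen.add(p["nbma"])
        if p["nbma"] not in expected:
            findings.append(
                f"unexpected peer {p['nbma']} registered as {p['tunnel']}")
        elif expected[p["nbma"]] != p["tunnel"]:
            findings.append(
                f"{p['nbma']} registered tunnel {p['tunnel']}, "
                f"expected {expected[p['nbma']]}")
        if p["state"] != "UP":
            findings.append(
                f"{p['nbma']} stuck in state {p['state']} for {p['updn']}")
    for nbma in sorted(expected):
        if nbma not in seen:
            findings.append(f"expected spoke {nbma} has not registered")
    return findings


# The two spokes the hub has "crypto isakmp key ... address" lines for.
EXPECTED_SPOKES = {"172.22.8.2": "10.1.5.2", "172.22.8.3": "10.1.5.3"}

if __name__ == "__main__":
    for finding in audit_peers(SAMPLE_SHOW_DMVPN, EXPECTED_SPOKES):
        print("WARN", finding)
```

A peer stuck in NHRP, IKE or IPSEC state rather than UP points at the layer that failed (NHRP registration, IKE phase 1, or phase 2 respectively), so the state column is the first thing to check before reading show crypto output; the N attribute flag marks a spoke behind NAT, which is also worth surfacing when auditing.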

R1#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
	N - NATed, L - Local, X - No Socket
	# Ent --> Number of NHRP entries with same NBMA peer
	NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
	UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 10.1.5.1, VRF "" 
   Tunnel Src./Dest. addr: 172.22.8.1/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "Test" 
   Interface State Control: Disabled
   nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     172.22.8.2        10.1.5.2    UP 00:11:49    D        10.1.5.2/32
    1     172.22.8.3        10.1.5.3    UP 00:11:49    D        10.1.5.3/32

Crypto Session Details: 
--------------------------------------------------------------------------------

Interface: Tunnel0
Session: [0xB2BBCFB0]
  IKEv1 SA: local 172.22.8.1/500 remote 172.22.8.2/500 Active 
          Capabilities:(none) connid:1001 lifetime:23:48:10
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none),	Phase1_id: 172.22.8.2
  IPSEC FLOW: permit 47 host 172.22.8.1 host 172.22.8.2 
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 164 drop 0 life (KB/Sec) 4304671/2890
        Outbound: #pkts enc'ed 168 drop 0 life (KB/Sec) 4304670/2890
   Outbound SPI : 0x1D2D8375, transform : esp-3des esp-sha-hmac 
    Socket State: Closed

Interface: Tunnel0
Session: [0xB2BBCEB8]
  IKEv1 SA: local 172.22.8.1/500 remote 172.22.8.3/500 Active 
          Capabilities:(none) connid:1002 lifetime:23:48:10
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none),	Phase1_id: 172.22.8.3
  IPSEC FLOW: permit 47 host 172.22.8.1 host 172.22.8.3 
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 163 drop 0 life (KB/Sec) 4205792/2890
        Outbound: #pkts enc'ed 164 drop 0 life (KB/Sec) 4205791/2890
   Outbound SPI : 0xEECB02B, transform : esp-3des esp-sha-hmac 
    Socket State: Closed

Pending DMVPN Sessions:
!!!!
R1#sh ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Ethernet0/1
L        10.1.1.1/32 is directly connected, Ethernet0/1
D        10.1.2.0/24 [90/26905600] via 10.1.5.2, 00:24:44, Tunnel0
D        10.1.3.0/24 [90/26905600] via 10.1.5.3, 00:24:46, Tunnel0
C        10.1.5.0/24 is directly connected, Tunnel0
L        10.1.5.1/32 is directly connected, Tunnel0
      172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.22.8.0/29 is directly connected, Ethernet0/0
L        172.22.8.1/32 is directly connected, Ethernet0/0
