Let's start from the ground up.
Basic tunnel interface = GRE: These are virtual interfaces with their own layer 3 address configuration, similar to loopbacks. They can be set up for IP-in-IP, IPv6-in-IPv4 and other encapsulations, but here we're only talking about GRE mode. GRE tunnels are simple to configure and well documented. They connect one router to another across any type of network and can carry any type of traffic; the only requirement is that the two routers can reach each other. Plain GRE provides no confidentiality or peer authentication, which is what the IPSec step below adds. A point-to-point tunnel connects exactly two routers, so tunneling to additional routers means additional tunnel interfaces.
Multipoint tunnel interface = GRE in multipoint mode + NHRP: These connect one router to any number of other routers using a single tunnel interface. In multipoint mode you don't configure a tunnel destination at all, so the router needs another way to learn the physical (NBMA) address behind each tunnel address. That is what NHRP does: the tunnel destinations are resolved dynamically. When a router needs the physical IP address of another router, it sends an NHRP resolution request to its hub (the next hop server, or NHS), asking: what physical address do I tunnel to in order to reach the router with this specific GRE tunnel IP address?
DMVPN = GRE + NHRP + IPSec + Routing: These are multipoint tunnel interfaces with encryption and routing running on top. The encryption keeps everything confidential and authenticates the peers, and the routing protocol tells each router which networks are reachable via its GRE tunnel interface, with a next hop address of another router's GRE tunnel interface. The router takes that next hop address, uses NHRP to find the matching physical address, and builds a completely dynamic GRE tunnel to it. The IPSec tunnel is also terminated on the physical addresses, so the whole GRE packet, inner traffic included, is what gets encrypted.
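To make the NHRP and routing interaction concrete, here is a small Python model of what happens the first time a spoke sends traffic to another spoke. It is an added illustration, not code from this post: it uses the post's lab addresses and the hub-side redirect / spoke-side shortcut behaviour that the configs below enable, and it reduces NHRP to three operations (register, redirect, resolve) without the real message formats or timers.

```python
"""Toy model of DMVPN Phase 3 forwarding (NHRP redirect on the hub, shortcut on
the spokes).  Added illustration, not code from the post: addresses are the
post's lab values; the NHRP handling is a simplification, not a wire-accurate one."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    tunnel_ip: str                         # GRE tunnel address (192.168.1.x)
    nbma: str                              # physical address the tunnel rides on
    lan: Optional[str] = None              # prefix this router owns
    nhs: Optional["Router"] = None         # spoke: hub it registers with (ip nhrp nhs)
    redirect: bool = False                 # hub:   ip nhrp redirect
    shortcut: bool = False                 # spoke: ip nhrp shortcut
    spokes: List["Router"] = field(default_factory=list)
    nhrp: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # tunnel ip -> (nbma, type)
    rib: Dict[str, str] = field(default_factory=dict)               # prefix -> next-hop tunnel ip
    nhrp_routes: Dict[str, str] = field(default_factory=dict)       # prefix -> next hop (NHRP %H)
    events: List[str] = field(default_factory=list)


def register(spoke: Router) -> None:
    """Spoke -> hub registration.  The spoke's mapping to the hub is static
    (ip nhrp map); the hub's mapping to the spoke is learned, so a new spoke
    needs no hub configuration."""
    hub = spoke.nhs
    spoke.nhrp[hub.tunnel_ip] = (hub.nbma, "static")
    hub.nhrp[spoke.tunnel_ip] = (spoke.nbma, "dynamic")
    hub.rib[spoke.lan] = spoke.tunnel_ip
    hub.spokes.append(spoke)


def converge(hub: Router) -> None:
    """Hub readvertises every spoke LAN to the other spokes (no split horizon).
    Phase 3 lets the hub keep itself as next hop; NHRP fixes the path later."""
    for s in hub.spokes:
        for other in hub.spokes:
            if other is not s:
                s.rib[other.lan] = hub.tunnel_ip


def resolve(spoke: Router, prefix: str) -> None:
    """NHRP resolution triggered by a redirect.  On the wire the request travels
    via the hub to the spoke owning the prefix, which answers the requester
    directly; the hub's registration table holds the same data, so read it there."""
    hub = spoke.nhs
    owner_ip = hub.rib[prefix]
    owner_nbma, _ = hub.nhrp[owner_ip]
    spoke.nhrp[owner_ip] = (owner_nbma, "dynamic")   # 'Flags: router' in show ip nhrp
    spoke.nhrp_routes[prefix] = owner_ip             # shortcut overrides the EIGRP next hop
    spoke.events.append(f"resolved {prefix} -> {owner_ip} at {owner_nbma}")


def forward(src: Router, prefix: str, by_nbma: Dict[str, Router]) -> List[str]:
    """Forward one packet from src toward prefix; return the tunnel hops it crossed."""
    hops, cur = [], src
    while cur.lan != prefix:
        nh_ip = cur.nhrp_routes.get(prefix, cur.rib[prefix])
        nh_nbma, _ = cur.nhrp[nh_ip]      # next hop is a tunnel address; NHRP gives the NBMA one
        nxt = by_nbma[nh_nbma]
        hops.append(nxt.tunnel_ip)
        if nxt.redirect and nxt.lan != prefix:
            # The hub received this packet on Tunnel0 and is about to send it back
            # out Tunnel0: that is the ip nhrp redirect trigger.  The spoke only acts
            # on the redirect if ip nhrp shortcut is configured.
            nxt.events.append(f"redirect -> {src.tunnel_ip} for {prefix}")
            if src.shortcut:
                resolve(src, prefix)
        cur = nxt
    return hops


def lab(shortcut: bool = True) -> Tuple[List[str], List[str]]:
    """Paths taken by two consecutive packets Site1 -> 10.0.1.1 (Site2's LAN)."""
    hub = Router("R1", "192.168.1.253", "3.3.3.3", redirect=True)
    site1 = Router("Site1", "192.168.1.1", "1.1.1.1", "10.0.0.1/32", nhs=hub, shortcut=shortcut)
    site2 = Router("Site2", "192.168.1.2", "2.2.2.2", "10.0.1.1/32", nhs=hub, shortcut=shortcut)
    for s in (site1, site2):
        register(s)
    converge(hub)
    by_nbma = {r.nbma: r for r in (hub, site1, site2)}
    first = forward(site1, site2.lan, by_nbma)
    second = forward(site1, site2.lan, by_nbma)
    return first, second


if __name__ == "__main__":
    print("phase 3:", lab())             # first packet via hub, second direct
    print("no shortcut:", lab(False))    # every packet via hub
```

The first packet rides through the hub and triggers the redirect; by the second packet the spoke holds a mapping for 192.168.1.2 and goes direct, which is exactly the two-hop-then-one-hop pattern the traceroutes later in the post show. Run `lab(False)` to see what you get without the shortcut: the hub stays in the path forever.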
Now that some of the fundamentals are out of the way, let's get on with the topology:
This is a simple topology with two remote sites connecting to two headquarters edge routers.
Now for the configs:
Site1#
crypto isakmp policy 10 <--Phase 1 (IKE) parameters policy
encr aes 256
authentication pre-share
group 5 <--DH group 5 (1536-bit MODP). It works, but Cisco's current guidance is group 14 or stronger, or an ECDH group, for new deployments.
crypto isakmp key SECRETKEY address 0.0.0.0 0.0.0.0 <--Pre-shared peer authentication key. The 0.0.0.0 0.0.0.0 wildcard is what lets the hubs accept spokes from any address without per-spoke config, but it also means one key shared by every router: any host that obtains it can bring up an IPSec tunnel to a hub. Per-spoke keys or certificate (PKI) authentication are the stronger options.
crypto isakmp keepalive 10 <--Dead Peer Detection: send an ISAKMP keepalive every 10 seconds and tear down the VPN SAs if the hub stops answering. Without this command, if a hub fails momentarily and comes back online, the spoke won't recover because it will keep trying to use the old VPN SA, which no longer exists on the hub.
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac <--Phase 2 parameters policy (AES-128 with SHA-1 HMAC; SHA-2 or AES-GCM is preferable where the platform supports it)
mode transport <--We don't need tunnel mode since GRE is already tunneling the private IP address across the public one for us. The public address is the outer one and the private is the inner, and transport mode saves the 20 bytes a second IP header would add.
!
crypto ipsec profile IPSEC <--Binds the transform set to a tunnel interface; the tunnel protection command below references it by name
set transform-set TSET
set pfs group5
!
interface Loopback0
description SIMULATES A LAN SEGMENT
ip address 10.0.0.1 255.255.255.255 <--Simulates a host at the site
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects <--Don't send ICMP redirects on the tunnel; NHRP, not ICMP, is what steers traffic between spokes
ip mtu 1400 <--Lowers the tunnel MTU so packets are fragmented before GRE/IPSec encapsulation rather than after, which would force the far end to reassemble fragments before it can decrypt. This is the max MTU I found in my lab by doing do not fragment pings. The usual companion is ip tcp adjust-mss 1360 on the same interface, so TCP sessions through the tunnel never need fragmenting at all.
ip nhrp authentication NHRPKEY <--NHRP pre-shared authentication key
ip nhrp map 192.168.1.253 3.3.3.3 <--Our static NHRP mapping to hub R1: tunnel address 192.168.1.253 lives at physical (NBMA) address 3.3.3.3
ip nhrp map multicast 3.3.3.3 <--Tells the router to send multicasts to this public address. Needed for EIGRP traffic.
ip nhrp map 192.168.1.254 4.4.4.4 <--Our static NHRP mapping to hub R2
ip nhrp map multicast 4.4.4.4 <--Tells the router to send multicasts to hub R2 also
ip nhrp network-id 1 <--Identifies the NHRP domain. It is locally significant, but keep it the same on every router to avoid confusion.
ip nhrp nhs 192.168.1.253 <--Makes hub R1 a next hop server: register our own tunnel-to-physical mapping with it, and ask it for the physical address behind any other tunnel IP address. Example: ask R1 for the physical address of 192.168.1.2 and get back 2.2.2.2. The nhs command takes the hub's tunnel address, which the ip nhrp map line above resolves to 3.3.3.3. The hubs learn the spokes' mappings from these registrations, so nothing about the spokes is configured statically on the hubs.
ip nhrp nhs 192.168.1.254 <--Also register with, and query, hub R2.
ip nhrp shortcut <--DMVPN Phase 3 on the spoke side: when a hub sends an NHRP redirect, resolve the destination and tunnel directly to the other spoke's physical address instead of always going through the hub.
tunnel source FastEthernet0/0 <--GRE parameters: the outer source address of the tunnel
tunnel mode gre multipoint <--Enables GRE multipoint (no tunnel destination command)
tunnel key 1 <--GRE key carried in every packet. It must match on all routers in this DMVPN cloud, and it lets a router tell DMVPN clouds apart when more than one tunnel interface shares the same source interface.
tunnel protection ipsec profile IPSEC <--References the crypto ipsec profile and encrypts the GRE packets
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
!
router eigrp 2
passive-interface default
no passive-interface Tunnel0
network 10.0.0.1 0.0.0.0 <--Advertises the simulated LAN network
network 192.168.1.1 0.0.0.0 <--Advertises the GRE tunnel network
no auto-summary
eigrp router-id 192.168.1.1 <--It's a best practice to manually set this
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2 <--Default route to the ISP router
Site2#
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key SECRETKEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC
set transform-set TSET
set pfs group5
!
interface Loopback0
description SIMULATES A LAN SEGMENT
ip address 10.0.1.1 255.255.255.255 <--Different subnet than Site1
!
interface Tunnel0
bandwidth 1000
ip address 192.168.1.2 255.255.255.0 <--Same subnet as Site1
no ip redirects
ip mtu 1400
ip nhrp authentication NHRPKEY
ip nhrp map 192.168.1.253 3.3.3.3
ip nhrp map multicast 3.3.3.3
ip nhrp map 192.168.1.254 4.4.4.4
ip nhrp map multicast 4.4.4.4
ip nhrp network-id 1
ip nhrp nhs 192.168.1.253 <--Hub R1's tunnel address, mapped to 3.3.3.3 above
ip nhrp nhs 192.168.1.254 <--Hub R2's tunnel address, mapped to 4.4.4.4 above
ip nhrp shortcut
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
!
router eigrp 2
passive-interface default
no passive-interface Tunnel0
network 10.0.1.1 0.0.0.0
network 192.168.1.2 0.0.0.0
no auto-summary
eigrp router-id 192.168.1.2
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
R1#
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key SECRETKEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC
set transform-set TSET
set pfs group5
!
interface Tunnel0
bandwidth 1000
ip vrf forwarding PRIVATE <--I used a VRF in this lab for added security, but you don't need to
ip address 192.168.1.253 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 2 <--Tells the hub to keep the original next hop (the advertising spoke's tunnel address) on routes it readvertises to other spokes. Without it, every spoke sees this hub's tunnel address as the next hop for all the other spokes' networks. In a Phase 2 design (no redirect/shortcut) that makes direct spoke-to-spoke tunnels impossible; with the Phase 3 redirect/shortcut commands, NHRP installs the direct path even when the hub is the routed next hop, so here it is optional, but it makes the spoke routing tables show the real next hop.
ip nhrp authentication NHRPKEY
ip nhrp map multicast dynamic <--Add each spoke's physical address to the multicast destination list as it registers, so EIGRP hellos reach every spoke without per-spoke config
ip nhrp network-id 1
ip nhrp redirect <--DMVPN Phase 3 on the hub side. When the hub receives a packet on Tunnel0 and forwards it back out Tunnel0 (spoke to spoke via the hub), it sends an NHRP redirect to the source spoke telling it a better path exists. The spoke then resolves the destination through NHRP and receives the physical address of the spoke it's trying to talk to, rather than continuing to use the hub's.
no ip split-horizon eigrp 2 <--Tells the hub to readvertise routes learned from a spoke back out the tunnel interface even though they were learned on that same interface. Without this command, spoke routers will never learn of networks on other spokes.
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
ip address 3.3.3.3 255.255.255.0
!
router eigrp 1 <--Global-table EIGRP instance for the headquarters core; its core-facing config isn't shown here
no auto-summary
!
address-family ipv4 vrf PRIVATE <--Tunnel0 lives in VRF PRIVATE, so the EIGRP settings that touch it go in this address family, not in the global instance above, which never sees Tunnel0
passive-interface default
no passive-interface Tunnel0
redistribute static route-map/network x.x.x.x <--Advertises a path to the internal core network, so that DMVPN sites can talk to networks at headquarters
network 192.168.1.253 0.0.0.0
no auto-summary
autonomous-system 2 <--Must match the "eigrp 2" process the spokes run and the eigrp 2 named in the Tunnel0 next-hop-self and split-horizon commands
eigrp router-id 192.168.1.253
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 3.3.3.1
R2#
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key SECRETKEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC
set transform-set TSET
set pfs group5
!
interface Tunnel0
bandwidth 1000
ip vrf forwarding PRIVATE <--I used a VRF in this lab for added security, but you don't need to
ip address 192.168.1.254 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 2
ip nhrp authentication NHRPKEY
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
no ip split-horizon eigrp 2
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
ip address 4.4.4.4 255.255.255.0
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf PRIVATE <--Tunnel0 lives in VRF PRIVATE, so the EIGRP settings that touch it, the offset-list included, go in this address family rather than in the global instance above
passive-interface default
no passive-interface Tunnel0
offset-list 0 out 20 Tunnel0 <--This tells the hub to add 20 to the EIGRP metric of the routes it advertises to the spokes. This causes the spokes to prefer hub R1 over R2 unless R1 fails. I like to do this so that I know which path my traffic should be taking normally.
redistribute static
network 192.168.1.254 0.0.0.0
no auto-summary
autonomous-system 2
eigrp router-id 192.168.1.254
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 4.4.4.1
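Before moving on to operation, here is a check worth running over the running-configs. It is an added example, not part of the post and not a Cisco tool: a small Python audit that parses IOS config text and flags the settings a reviewer would question in the configs above (the wildcard pre-shared key, DH group 5, the SHA-1 transform), verifies that each tunnel interface carries NHRP authentication, a network-id, a tunnel key and tunnel protection, checks that every `ip nhrp nhs` address has a matching `ip nhrp map`, and confirms that the tunnel key and NHRP authentication string agree across routers. The sample configs are constructed from the post's Site1 config; the second one deliberately carries two common slips (an nhs pointing at the hub's physical address instead of its tunnel address, and a mismatched tunnel key) so the findings have something to show. Which DH groups and transforms count as weak is my choice, following Cisco's current guidance.

```python
"""Static review of DMVPN-related IOS config.  Added example, not from the post
or any Cisco tool.  Expects running-config text with IOS indentation."""
import re
from typing import Dict, Iterator, List, Tuple

WEAK_DH = {"1", "2", "5"}   # 768/1024/1536-bit MODP; author's cutoff, per current Cisco guidance
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
REQUIRED_ON_TUNNEL = ("ip nhrp authentication", "ip nhrp network-id", "tunnel key",
                      "tunnel protection ipsec profile")
MUST_MATCH = ("tunnel key", "ip nhrp authentication")   # carried in packets; every router must agree


def sections(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header line, [sub-commands]) for each top-level config block."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] in " \t":
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.strip(), []
    if header is not None:
        yield header, body


def audit(router: str, config: str) -> dict:
    """Findings for one router, plus the tunnel parameters to compare across routers."""
    findings: List[str] = []
    params: Dict[str, str] = {}
    for header, body in sections(config):
        if header.startswith("crypto isakmp key ") and header.endswith(" address 0.0.0.0 0.0.0.0"):
            findings.append("wildcard pre-shared key: any peer holding the key can negotiate IKE")
        elif header.startswith("crypto isakmp policy"):
            for cmd in body:
                m = re.fullmatch(r"group (\d+)", cmd)
                if m and m[1] in WEAK_DH:
                    findings.append(f"{header}: DH group {m[1]} is weak")
        elif header.startswith("crypto ipsec transform-set"):
            weak = WEAK_TRANSFORMS & set(header.split())
            if weak:
                findings.append(f"{header}: uses {', '.join(sorted(weak))}")
        elif header.startswith("crypto ipsec profile"):
            for cmd in body:
                m = re.fullmatch(r"set pfs group(\d+)", cmd)
                if m and m[1] in WEAK_DH:
                    findings.append(f"{header}: PFS group {m[1]} is weak")
        elif header.startswith("interface Tunnel"):
            # 'ip nhrp nhs' takes the hub's TUNNEL address, which needs an 'ip nhrp map'
            # to the hub's physical address (unless the newer 'nhs ... nbma ...' form is used).
            mapped = {c.split()[3] for c in body
                      if c.startswith("ip nhrp map ") and not c.startswith("ip nhrp map multicast")}
            for cmd in body:
                if cmd.startswith("ip nhrp nhs ") and "nbma" not in cmd.split():
                    nhs = cmd.split()[3]
                    if nhs not in mapped:
                        findings.append(f"{header}: nhs {nhs} has no 'ip nhrp map' "
                                        "(hub's physical address instead of its tunnel address?)")
            for req in REQUIRED_ON_TUNNEL:            # assumes one DMVPN tunnel per router
                val = next((c[len(req) + 1:] for c in body if c.startswith(req + " ")), None)
                if val is None:
                    findings.append(f"{header}: missing '{req}'")
                params[req] = val
    return {"router": router, "findings": findings, "params": params}


def cross_check(reports: List[dict]) -> List[str]:
    """Values that must be identical on every router in the DMVPN cloud."""
    problems = []
    for key in MUST_MATCH:
        values = {r["router"]: r["params"].get(key) for r in reports}
        if len(set(values.values())) > 1:
            problems.append(f"{key} differs across routers: {values}")
    return problems


# Constructed from the post's Site1 config (indented as IOS prints it).
SITE1 = """\
crypto isakmp policy 10
 encr aes 256
 group 5
crypto isakmp key SECRETKEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile IPSEC
 set pfs group5
interface Tunnel0
 ip nhrp authentication NHRPKEY
 ip nhrp map 192.168.1.253 3.3.3.3
 ip nhrp map multicast 3.3.3.3
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.253
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPSEC
"""
# Constructed second spoke with two slips: nhs at the hub's physical address, wrong tunnel key.
SITE_BAD = (SITE1.replace("ip nhrp nhs 192.168.1.253", "ip nhrp nhs 3.3.3.3")
                 .replace("tunnel key 1", "tunnel key 2"))

if __name__ == "__main__":
    reports = [audit("Site1", SITE1), audit("SiteBad", SITE_BAD)]
    for r in reports:
        print(r["router"], *r["findings"], sep="\n  ")
    print("cloud", *cross_check(reports), sep="\n  ")
```

The per-router findings are the ones a reviewer raises on every DMVPN config of this vintage; the cross-check is the one that finds the outage-causing typos, because a tunnel key or NHRP authentication string that differs on one spoke silently breaks that spoke and nothing else.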
Now let's go over what you'll see under basic operation:
The sites are configured with static NHRP mappings to the hubs. Let's look at that:
Site1#sh ip nhrp
192.168.1.253/32 via 192.168.1.253
Tunnel0 created 01:23:39, never expire
Type: static, Flags: used
NBMA address: 3.3.3.3
192.168.1.254/32 via 192.168.1.254
Tunnel0 created 01:23:39, never expire
Type: static, Flags: used
NBMA address: 4.4.4.4
R1#sh ip nhrp
192.168.1.1/32 via 192.168.1.1
Tunnel0 created 01:24:13, expire 01:54:44
Type: dynamic, Flags: unique registered
NBMA address: 1.1.1.1
192.168.1.2/32 via 192.168.1.2
Tunnel0 created 01:24:07, expire 01:54:44
Type: dynamic, Flags: unique registered
NBMA address: 2.2.2.2
Notice how it says static on the spokes but dynamic on the hubs, since the hubs don't have any mappings manually configured. This is the power of DMVPN. Bringing up a new site requires NO new configuration on the hubs! The flip side is that a hub will accept a registration from any address that presents the pre-shared key and the NHRP authentication string, so it's worth checking periodically that only your spokes are registered. We also don't have any crypto access lists or NAT-0 access lists to deal with!
Now let's take a look at the routing table of a site:
Site1 has a route to the Site2 LAN network and the next hop is the tunnel IP address of Site2, not the hub. The hubs readvertise the spoke routes (no ip split-horizon) and keep the advertising spoke as the next hop (no ip next-hop-self); nhrp shortcut on the spokes and nhrp redirect on the hubs then let Site1 resolve that next hop to Site2's physical address and tunnel to it directly.
Now let's do a trace route from one site to the other:
Site1#traceroute 10.0.1.1
Type escape sequence to abort.
Tracing the route to 10.0.1.1
  1 192.168.1.253 52 msec
    192.168.1.2 36 msec 64 msec
Site1#
Notice that only the first probe went through the hub (192.168.1.253): the redirect and the NHRP resolution happened while the traceroute was running, so the later probes already went direct. And if we check our NHRP mappings again:
Site1#sh ip nhrp
192.168.1.2/32 via 192.168.1.2
Tunnel0 created 00:02:58, expire 01:57:03
Type: dynamic, Flags: router
NBMA address: 2.2.2.2
192.168.1.253/32 via 192.168.1.253
Tunnel0 created 01:23:39, never expire
Type: static, Flags: used
NBMA address: 3.3.3.3
192.168.1.254/32 via 192.168.1.254
Tunnel0 created 01:23:39, never expire
Type: static, Flags: used
NBMA address: 4.4.4.4
Now the spoke has a third mapping. It's saying that to get to the tunnel interface of Site2, build a tunnel to public address 2.2.2.2. The dynamic type and the router flag mark it as a spoke-to-spoke entry learned through NHRP; unlike the static hub mappings it has an expiry (just under two hours here) and is refreshed only while traffic keeps using it.
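Since the hubs need no per-spoke configuration, it pays to watch what actually registers with them. The following is an added example, not from the post: a Python parser for the show ip nhrp output above, with a hub-side check that every expected spoke has registered from the physical address you expect and that nothing else has, and a spoke-side helper that lists the spoke-to-spoke entries (Type dynamic, Flags router). The sample output is the post's, plus one constructed registration (192.168.1.3 from 9.9.9.9) that is not in the expected list; the expected-spoke table itself is an assumption for the example.

```python
"""Parse 'show ip nhrp' and check hub registrations.  Added example, not from
the post; EXPECTED_SPOKES is an assumed allowlist, R1_SHOW's third entry is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

ENTRY = re.compile(r"^(?P<ip>\S+)/(?P<plen>\d+) via \S+")
FIELDS = (   # group names match the NhrpEntry attributes they fill
    re.compile(r"^(?P<interface>\S+) created \S+, (?P<expires>never expire|expire \S+)"),
    re.compile(r"^Type: (?P<type>\w+), Flags: (?P<flags>.*)$"),
    re.compile(r"^NBMA address: (?P<nbma>\S+)"),
)


@dataclass
class NhrpEntry:
    tunnel_ip: str                 # tunnel (protocol) address, e.g. 192.168.1.2
    plen: int
    interface: str = ""
    expires: str = ""              # "never expire" for static maps, else "expire hh:mm:ss"
    type: str = ""                 # static | dynamic
    flags: FrozenSet[str] = frozenset()
    nbma: str = ""                 # physical address the GRE/IPSec tunnel is built to


def parse_show_ip_nhrp(text: str) -> List[NhrpEntry]:
    """One NhrpEntry per 'x.x.x.x/32 via ...' block; detail lines fill the last entry."""
    entries: List[NhrpEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            entries.append(NhrpEntry(m["ip"], int(m["plen"])))
            continue
        for pat in FIELDS:
            m = pat.match(line)
            if m and entries:
                for name, value in m.groupdict().items():
                    setattr(entries[-1], name, frozenset(value.split()) if name == "flags" else value)
    return entries


def check_hub(entries: List[NhrpEntry], expected: Dict[str, str]) -> List[str]:
    """Hub side: each expected spoke registered from its expected NBMA address, nothing else.
    With a wildcard PSK, an unexpected registration is either a spoke you forgot to list
    or someone else holding the keys; either way it needs a look."""
    problems = []
    registered = {e.tunnel_ip: e for e in entries if "registered" in e.flags}
    for tunnel_ip, nbma in expected.items():
        e = registered.get(tunnel_ip)
        if e is None:
            problems.append(f"{tunnel_ip}: not registered")
        elif e.nbma != nbma:
            problems.append(f"{tunnel_ip}: registered from {e.nbma}, expected {nbma}")
    for tunnel_ip, e in registered.items():
        if tunnel_ip not in expected:
            problems.append(f"{tunnel_ip}: unexpected registration from {e.nbma}")
    return problems


def spoke_to_spoke_peers(entries: List[NhrpEntry]) -> Dict[str, str]:
    """Spoke side: dynamic entries flagged 'router' are the shortcut tunnels currently up."""
    return {e.tunnel_ip: e.nbma for e in entries if e.type == "dynamic" and "router" in e.flags}


EXPECTED_SPOKES = {"192.168.1.1": "1.1.1.1", "192.168.1.2": "2.2.2.2"}   # assumed allowlist

# R1's output from the post, plus a constructed third entry that is not a known spoke.
R1_SHOW = """\
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:24:13, expire 01:54:44
   Type: dynamic, Flags: unique registered
   NBMA address: 1.1.1.1
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 01:24:07, expire 01:54:44
   Type: dynamic, Flags: unique registered
   NBMA address: 2.2.2.2
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 00:00:41, expire 01:59:19
   Type: dynamic, Flags: unique registered
   NBMA address: 9.9.9.9
"""
# Site1's output from the post after the spoke-to-spoke tunnel came up (hub R2 entry omitted).
SITE1_SHOW = """\
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 00:02:58, expire 01:57:03
   Type: dynamic, Flags: router
   NBMA address: 2.2.2.2
192.168.1.253/32 via 192.168.1.253
   Tunnel0 created 01:23:39, never expire
   Type: static, Flags: used
   NBMA address: 3.3.3.3
"""

if __name__ == "__main__":
    print("R1:", check_hub(parse_show_ip_nhrp(R1_SHOW), EXPECTED_SPOKES))
    print("Site1 spoke-to-spoke:", spoke_to_spoke_peers(parse_show_ip_nhrp(SITE1_SHOW)))
```

Feed it the output of show ip nhrp collected from each hub on a schedule and alert on anything check_hub returns; a spoke registering from a physical address you don't recognize is the thing the wildcard pre-shared key makes otherwise invisible.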
And now if we run the trace route again:
Site1#traceroute 10.0.1.1
Type escape sequence to abort.
Tracing the route to 10.0.1.1
  1 192.168.1.2 76 msec 52 msec
Site1#
Now it goes directly to site2, bypassing the hub this time!
And just in case you were wondering, we have VPN tunnels:
Site1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
3.3.3.3 1.1.1.1 QM_IDLE 1001 ACTIVE
4.4.4.4 1.1.1.1 QM_IDLE 1002 ACTIVE
1.1.1.1 2.2.2.2 QM_IDLE 1003 ACTIVE
The third SA (1.1.1.1 to 2.2.2.2) is the spoke-to-spoke tunnel that the shortcut built; it was negotiated directly between the two spokes, not via a hub. If we shut down the path to R1, the EIGRP hold timer (15 seconds by default on a tunnel interface) expires on the spokes and they start sending traffic to R2 instead. You can change the EIGRP timers to shorten the failover time.
And when R1 comes back up, the spokes will have already torn down their old security associations to it thanks to the crypto isakmp keepalive command, so they renegotiate cleanly instead of trying to reuse stale SAs.
I left out some parts of this that are necessary in the real world but aren't DMVPN specific. Things like BGP, internal routing, other IGPs and IGP authentication, and HSRP weren't critical to this example, and this post is already big enough.
So there you have it. Everything I learned about DMVPN from many different sources, all in one place. I hope this helps some of you.