As I’m currently preparing for the Cisco CCIE R&S Written exam, I’d like to share some information on the subject of DMVPN (Dynamic Multipoint Virtual Private Network), as this is one of the new topics added to the Cisco CCIE R&S blueprint (on both the written and lab exams). You only have to know about the single-hub topology, but it’s also not very difficult to do a dual-hub dual-cloud topology.
What is DMVPN?
DMVPN is a VPN which uses dynamic tunnels. This means that on the hub only one tunnel interface is needed to connect all the different spokes to the hub (so no more configuring an IPSEC tunnel for each site you want to connect). It even automatically forms spoke-to-spoke tunnels on demand, so spoke-to-spoke traffic does not need to traverse the hub. Another advantage, in my opinion, is that it is very easy to set up and a very stable solution.
DMVPN is based on:
- mGRE (Multipoint Generic Routing Encapsulation)
- NHRP (Next Hop Resolution Protocol)
- a Dynamic Routing Protocol (EIGRP, OSPF, BGP)
- IPSEC (optional)
Configuration example
I’ve created a small topology in GNS3 to provide you with a configuration example to clarify the configuration process. I’ll provide an explanation of the commands entered. This configuration is based on EIGRP as the dynamic routing protocol and uses IPSEC for encryption.
Topology
IPSEC Configuration (for both Hub and Spokes)
Create Crypto Keyring (with pre-shared key)
crypto keyring keyring_cloudfix
 ! Wildcard address: any peer that knows this pre-shared key can negotiate IKE with this router
 pre-shared-key address 0.0.0.0 0.0.0.0 key cloudfix
Create ISAKMP Policy
crypto isakmp policy 10
 ! No encryption command is set, so IOS uses its default (DES) for this policy;
 ! add e.g. "encryption aes 256" for a real deployment
 hash sha512
 authentication pre-share
 group 16
Create ISAKMP profile
! Profile name must match the "set isakmp-profile" reference in the IPSEC profile below
crypto isakmp profile DMVPN_Cloudfix
 keyring keyring_cloudfix
 match identity address 0.0.0.0
Create IPSEC Transform-Set
crypto ipsec transform-set aes-sha512-hmac esp-aes esp-sha512-hmac
 ! Transport mode is sufficient because the GRE header already provides the outer encapsulation
 mode transport
Create IPSEC Profile
crypto ipsec profile ipsec_cloudfix
 set transform-set aes-sha512-hmac
 set isakmp-profile DMVPN_Cloudfix
Hub configuration
Create Tunnel interface for receiving spoke-to-hub tunnels
interface Tunnel0
 ! Assign VPN IP address
 ip address 192.168.254.1 255.255.255.0
 ! Set Maximum Transmission Unit to 1400
 ip mtu 1400
 ! Set TCP Maximum Segment Size to 1360
 ip tcp adjust-mss 1360
 ! Allow spoke-to-spoke routes (disable hub as next-hop, DMVPN Phase 2)
 no ip next-hop-self eigrp 10
 ! Allow routing updates to go out the same interface to the spokes
 no ip split-horizon eigrp 10
 ! Enable NHRP authentication (has to match between hub and spokes)
 ip nhrp authentication cloudfix
 ! Automatically create NHRP multicast mappings (pseudo-broadcast) for registered NHRP clients
 ip nhrp map multicast dynamic
 ! Set NHRP network-id (has to match between hub and spokes)
 ip nhrp network-id 1
 ! Enable NHRP redirect messages for scalability (DMVPN Phase 3)
 ip nhrp redirect
 ! Set Serial1/0 as tunnel source
 tunnel source Serial1/0
 ! Set tunnel mode to GRE multipoint
 tunnel mode gre multipoint
 ! Protect the mGRE tunnel with IPSEC
 tunnel protection ipsec profile ipsec_cloudfix
Create EIGRP dynamic routing instance and publish networks
router eigrp 10
 ! Enable EIGRP for local networks
 network 11.11.11.0 0.0.0.255
 ! Enable EIGRP for the DMVPN network (classful, covers 192.168.254.0/24)
 network 192.168.254.0
Spoke configuration
interface Tunnel0
 ! Assign VPN IP address
 ip address 192.168.254.2 255.255.255.0
 ! Set Maximum Transmission Unit to 1400
 ip mtu 1400
 ! Enable NHRP authentication
 ip nhrp authentication cloudfix
 ! Statically map the hub's VPN IP to its NBMA address
 ip nhrp map 192.168.254.1 1.1.1.1
 ! Enable pseudo-broadcast to the hub's NBMA address (to allow multicast traffic)
 ip nhrp map multicast 1.1.1.1
 ! Set NHRP network-id
 ip nhrp network-id 1
 ! Set the hub as NHRP Next-Hop-Server for NHRP resolution
 ip nhrp nhs 192.168.254.1
 ! Process received NHRP redirect messages (DMVPN Phase 3)
 ip nhrp shortcut
 ! Set tunnel source to Serial1/0
 tunnel source Serial1/0
 ! Set tunnel mode to GRE multipoint
 tunnel mode gre multipoint
 ! Protect tunnel traffic with IPSEC
 tunnel protection ipsec profile ipsec_cloudfix
Create EIGRP dynamic routing instance
router eigrp 10
 ! Enable EIGRP for local networks
 network 22.22.22.0 0.0.0.255
 ! Enable EIGRP for the DMVPN network (classful, covers 192.168.254.0/24)
 network 192.168.254.0
It’s easy now to configure the other spokes by just copying the IPSEC configuration and spoke configuration into Notepad++ (or another editor) and modifying the IP address, the tunnel source (if different) and the published networks.
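Hand-editing copies of the spoke template is where address collisions and missed edits creep in, so here is an added example (not the original post's code) that renders the spoke stanzas from the post's template and validates the tunnel addresses first. The hub NBMA address, hub tunnel address, tunnel subnet, NHRP settings and IPsec profile name are taken from the post; the spoke inventory below is constructed (SITEA matches the spoke shown above, SITEC's LAN prefix is assumed from its 44.44.44.44 loopback), and `ip tcp adjust-mss 1360` is applied on the spoke here although the post only sets it on the hub.

```python
# Added example (not the original post's code): render DMVPN spoke configurations
# from the post's template instead of hand-editing copies in a text editor.
# Values taken from the post: hub NBMA 1.1.1.1, hub tunnel IP 192.168.254.1,
# tunnel subnet 192.168.254.0/24, NHRP auth/network-id, IPsec profile name.
# The Spoke inventory and the SITEC LAN prefix below are constructed.
from dataclasses import dataclass
import ipaddress

HUB_NBMA = "1.1.1.1"
HUB_TUNNEL_IP = ipaddress.ip_address("192.168.254.1")
TUNNEL_NET = ipaddress.ip_network("192.168.254.0/24")


@dataclass(frozen=True)
class Spoke:
    hostname: str
    tunnel_ip: str      # address inside TUNNEL_NET, unique per spoke
    tunnel_source: str  # physical interface carrying the NBMA address
    lan: str            # LAN prefix to advertise into EIGRP, e.g. "22.22.22.0/24"


def eigrp_wildcard(prefix: str) -> str:
    """Turn '22.22.22.0/24' into the '22.22.22.0 0.0.0.255' operand of the network command."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f"{net.network_address} {net.hostmask}"


def validate(spoke: Spoke, used: set) -> None:
    """Reject tunnel addresses outside the tunnel subnet, equal to the hub's, or
    already used by another spoke; a duplicate silently breaks NHRP registration."""
    ip = ipaddress.ip_address(spoke.tunnel_ip)
    if ip not in TUNNEL_NET or ip in (TUNNEL_NET.network_address, TUNNEL_NET.broadcast_address):
        raise ValueError(f"{spoke.hostname}: {ip} is not a usable address in {TUNNEL_NET}")
    if ip == HUB_TUNNEL_IP:
        raise ValueError(f"{spoke.hostname}: {ip} is the hub's tunnel address")
    if ip in used:
        raise ValueError(f"{spoke.hostname}: {ip} already assigned to another spoke")


def render_spoke(spoke: Spoke) -> str:
    """Return the Tunnel0 and EIGRP stanzas for one spoke, mirroring the post's template."""
    lines = [
        f"hostname {spoke.hostname}",
        "!",
        "interface Tunnel0",
        f" ip address {spoke.tunnel_ip} {TUNNEL_NET.netmask}",
        " ip mtu 1400",
        " ip tcp adjust-mss 1360",  # set on the hub in the post; applied on the spoke too (assumption)
        " ip nhrp authentication cloudfix",
        f" ip nhrp map {HUB_TUNNEL_IP} {HUB_NBMA}",
        f" ip nhrp map multicast {HUB_NBMA}",
        " ip nhrp network-id 1",
        f" ip nhrp nhs {HUB_TUNNEL_IP}",
        " ip nhrp shortcut",
        f" tunnel source {spoke.tunnel_source}",
        " tunnel mode gre multipoint",
        " tunnel protection ipsec profile ipsec_cloudfix",
        "!",
        "router eigrp 10",
        f" network {eigrp_wildcard(spoke.lan)}",
        f" network {TUNNEL_NET.network_address}",
        "!",
    ]
    return "\n".join(lines) + "\n"


def render_all(spokes) -> dict:
    """Validate the whole spoke list, then return {hostname: configuration text}."""
    used = set()
    configs = {}
    for spoke in spokes:
        validate(spoke, used)
        used.add(ipaddress.ip_address(spoke.tunnel_ip))
        configs[spoke.hostname] = render_spoke(spoke)
    return configs


# Constructed inventory: SITEA matches the spoke shown in the post; SITEC's LAN
# prefix is assumed from its 44.44.44.44 loopback.
SPOKES = [
    Spoke("SITEA-RTR01", "192.168.254.2", "Serial1/0", "22.22.22.0/24"),
    Spoke("SITEC-RTR01", "192.168.254.4", "Serial1/0", "44.44.44.0/24"),
]

if __name__ == "__main__":
    for name, cfg in render_all(SPOKES).items():
        print(f"! ---- {name} ----")
        print(cfg)
```

The shared IPSEC block is identical on every router and is pasted as-is; only the per-spoke stanzas are generated. Extending `Spoke` with a second LAN prefix or a different tunnel source is a one-field change rather than another round of find-and-replace.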
Verification
To show that the above example is working as configured, let’s display the detailed information about the DMVPN connections and see that all spokes are connected to the hub:
HQ-RTR01#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 192.168.254.1, VRF ""
   Tunnel Src./Dest. addr: 1.1.1.1/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "ipsec_cloudfix"
   Interface State Control: Disabled
   nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 3

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 2.2.2.2         192.168.254.2    UP 00:08:59     D 192.168.254.2/32
    1 3.3.3.3         192.168.254.3    UP 00:08:54     D 192.168.254.3/32
    1 4.4.4.4         192.168.254.4    UP 00:08:55     D 192.168.254.4/32

Crypto Session Details:
--------------------------------------------------------------------------------

Interface: Tunnel0
Session: [0x68E2A278]
  IKEv1 SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active
          Capabilities:D connid:1001 lifetime:23:50:57
  Crypto Session Status: UP-ACTIVE
  fvrf: (none),   Phase1_id: 2.2.2.2
  IPSEC FLOW: permit 47 host 1.1.1.1 host 2.2.2.2
        Active SAs: 6, origin: crypto map
        Inbound:  #pkts dec'ed 134 drop 0 life (KB/Sec) 4275914/3062
        Outbound: #pkts enc'ed 134 drop 0 life (KB/Sec) 4275913/3062
   Outbound SPI : 0xB2567ACA, transform : esp-aes esp-sha512-hmac
    Socket State: Open

Interface: Tunnel0
Session: [0x68E2A088]
  IKEv1 SA: local 1.1.1.1/500 remote 3.3.3.3/500 Active
          Capabilities:D connid:1003 lifetime:23:51:02
  Crypto Session Status: UP-ACTIVE
  fvrf: (none),   Phase1_id: 3.3.3.3
  IPSEC FLOW: permit 47 host 1.1.1.1 host 3.3.3.3
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 130 drop 0 life (KB/Sec) 4292133/3065
        Outbound: #pkts enc'ed 131 drop 0 life (KB/Sec) 4292132/3065
   Outbound SPI : 0x6565C2E2, transform : esp-aes esp-sha512-hmac
    Socket State: Open

Interface: Tunnel0
Session: [0x68E2A180]
  IKEv1 SA: local 1.1.1.1/500 remote 4.4.4.4/500 Active
          Capabilities:D connid:1002 lifetime:23:51:00
  Crypto Session Status: UP-ACTIVE
  fvrf: (none),   Phase1_id: 4.4.4.4
  IPSEC FLOW: permit 47 host 1.1.1.1 host 4.4.4.4
        Active SAs: 6, origin: crypto map
        Inbound:  #pkts dec'ed 131 drop 0 life (KB/Sec) 4305973/3064
        Outbound: #pkts enc'ed 131 drop 0 life (KB/Sec) 4305972/3064
   Outbound SPI : 0x296941FC, transform : esp-aes esp-sha512-hmac
    Socket State: Open

Pending DMVPN Sessions:
Let’s also display the NHRP information for the registered spokes to see the VPN IP to NBMA address mappings:
HQ-RTR01#show ip nhrp
192.168.254.2/32 via 192.168.254.2
   Tunnel0 created 00:09:09, expire 00:04:00
   Type: dynamic, Flags: unique registered
   NBMA address: 2.2.2.2
192.168.254.3/32 via 192.168.254.3
   Tunnel0 created 00:09:04, expire 00:03:54
   Type: dynamic, Flags: unique registered
   NBMA address: 3.3.3.3
192.168.254.4/32 via 192.168.254.4
   Tunnel0 created 00:09:05, expire 00:04:01
   Type: dynamic, Flags: unique registered
   NBMA address: 4.4.4.4
OK, that looks fine. Now let’s prove that on-demand spoke-to-spoke tunnels are also forming correctly. Let’s ping the loopback address on router SITEC-RTR01 (44.44.44.44) from the loopback address configured on router SITEA-RTR01. See that the DMVPN connection is built automatically and that the traceroute shows SITEC-RTR01’s VPN IP address as the only hop (so traffic is not traversing the hub):
SITEA-RTR01#ping 44.44.44.44 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 22.22.22.22
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/131/140 ms

SITEA-RTR01#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.1         192.168.254.1    UP 00:16:21     S
     1 4.4.4.4         192.168.254.4    UP 00:00:08     D

SITEA-RTR01#show ip nhrp
192.168.254.1/32 via 192.168.254.1
   Tunnel0 created 00:16:44, never expire
   Type: static, Flags: used
   NBMA address: 1.1.1.1
192.168.254.4/32 via 192.168.254.4
   Tunnel0 created 00:00:15, expire 00:04:47
   Type: dynamic, Flags: router used
   NBMA address: 4.4.4.4

SITEA-RTR01#traceroute 44.44.44.44
Type escape sequence to abort.
Tracing the route to 44.44.44.44
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.254.4 136 msec 116 msec 156 msec
Everything is working as expected.
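Eyeballing the peer table works for three spokes; for more, a script that compares the `show dmvpn` peer table against the expected spoke inventory is the check I would keep around. The keyring above accepts any peer address with the one shared key, so a registered NBMA address that is not in the inventory, as well as any peer not in state UP, is worth a look. The following is an added example and not the post's own code; the sample output is constructed in the format of the hub output above (with one spoke stuck in NHRP registration and one unexpected peer, 5.5.5.5, both invented for the illustration).

```python
# Added example (not from the original post): parse the peer table of
# "show dmvpn" / "show dmvpn detail" and compare it with a spoke inventory.
# Because the keyring in the post accepts any peer address (0.0.0.0 0.0.0.0)
# with one shared key, a registered NBMA address that is not in the inventory
# deserves a look; so does any peer whose state is not UP.
import re
from dataclasses import dataclass

# One row of the peer table: "# Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb ..."
PEER_ROW = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<tunnel>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)"
)


@dataclass(frozen=True)
class Peer:
    nbma: str
    tunnel: str
    state: str   # IKE, IPSEC, NHRP or UP
    attrb: str   # S static, D dynamic, possibly combined with N for NATed, etc.


def parse_peers(output: str):
    """Extract peer rows from show dmvpn output; legend, header and crypto lines do not match."""
    return [Peer(m["nbma"], m["tunnel"], m["state"], m["attrb"])
            for m in (PEER_ROW.match(line) for line in output.splitlines()) if m]


def audit(output: str, inventory: dict) -> dict:
    """inventory maps expected NBMA address -> expected tunnel address.
    Returns the deviations a hub operator would want to see."""
    findings = {"down": [], "unknown": [], "mismatch": [], "missing": []}
    seen = set()
    for p in parse_peers(output):
        seen.add(p.nbma)
        if p.nbma not in inventory:
            # registered with a valid PSK but not a spoke we know about
            findings["unknown"].append(p.nbma)
            continue
        if inventory[p.nbma] != p.tunnel:
            # known NBMA address registering an unexpected tunnel address
            findings["mismatch"].append((p.nbma, p.tunnel))
        if p.state != "UP":
            findings["down"].append((p.nbma, p.state))
    findings["missing"] = sorted(set(inventory) - seen)
    return findings


# Constructed sample in the format of the post's hub output: the 3.3.3.3 spoke
# stuck in NHRP registration and an extra peer 5.5.5.5 that is not in the inventory.
SAMPLE = """\
HQ-RTR01#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
Type:Hub, Total NBMA Peers (v4/v6): 4

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
    1 2.2.2.2         192.168.254.2    UP 00:08:59     D
    1 3.3.3.3         192.168.254.3  NHRP 00:00:12     D
    1 4.4.4.4         192.168.254.4    UP 00:08:55     D
    1 5.5.5.5         192.168.254.9    UP 00:00:03     D
"""

# Expected spokes, taken from the hub's show ip nhrp output in the post.
INVENTORY = {
    "2.2.2.2": "192.168.254.2",
    "3.3.3.3": "192.168.254.3",
    "4.4.4.4": "192.168.254.4",
}

if __name__ == "__main__":
    for kind, items in audit(SAMPLE, INVENTORY).items():
        print(f"{kind}: {items or 'none'}")
```

Feed it the real output (for example captured over SSH) and page on anything in `unknown`, `mismatch` or `missing`; `down` entries that persist beyond a few seconds usually point at the IKE/IPsec or NHRP settings not matching between hub and spoke.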
I hope you find this article useful for learning about DMVPN. If you have any questions or want more information about setting up DMVPN, look at the links below and don’t hesitate to contact me.
More information about DMVPN:
- Cisco documentation: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html
- Jeff Kronnlage’s very detailed post about DMVPN (also explaining DMVPN Phase 2/3 in detail): http://brbccie.blogspot.nl/2014/05/dmvpn.htm