cisco dmvpn configuration example - learnitpro.net · cisco dmvpn configuration example ......
TRANSCRIPT
Cisco DMVPN Configuration Example
Dynamic Multipoint VPN (DMVPN) is a Cisco VPN solution used when high scalability and
minimal configuration complexity is required in connecting branch offices to a central HQ Hub
site.
DMVPN is one of the most scalable and most efficient VPN types supported by Cisco. It is used
almost exclusively with Hub-and-Spoke topologies where you want to have direct Spoke-to-
Spoke VPN tunnels in addition to the Spoke-to-Hub tunnels. This means that Spoke sites can
communicate between them directly without having to go through the Hub. DMVPN is
supported only on Cisco Routers.
If you want to design a VPN solution to connect numerous sites between them (I would say
more than 10 sites), then DMVPN using Cisco routers is an ideal choice. Although the most
common topology is Hub-and-spoke setup, DMVPN supports full mesh connectivity since all
sites can communicate between them without having to configure static VPN tunnels between
each other.
Some characteristics of DMVPN are the following:
The HUB central router acts as the DMVPN server and the Spoke routers (in branch
offices) act as the DMVPN clients.
The HUB router must have static public IP address on its WAN interface.
The spoke branch routers can have either static or dynamic public IP on the WAN.
Each branch site (Spoke) has a permanent IPSEC Tunnel with the Central site (Hub).
The Spoke-to-Spoke tunnels are established on demand whenever there is traffic
between the Spoke sites. Thereafter, packets are able to bypass the Hub site and use
the spoke-to-spoke tunnel directly.
All tunnels are using Multipoint GRE with IPSEC Protection.
NHRP (Next Hop Resolution Protocol) is used to map the private IPs of Tunnel Interfaces
with their corresponding WAN Public IPs.
The above NHRP mappings will be kept on the NHRP Server router (HUB). Each Spoke
communicates with the NHRP Server (Hub) and registers its public IP address and its
private Tunnel Interface IP to the Hub router. Thus, the Hub router will store all
mappings for “Tunnel Interface IP / Public WAN IP” of all the Spoke sites.
When a spoke needs to send a packet to a destination (private) subnet on another
spoke, it queries the NHRP server in order to learn the public (outside WAN) address of
the destination (target) spoke.
For better scalability, it is recommended to run a dynamic routing protocols (such as
EIGRP) between all the routers.
DMVPN uses the following group of networking technologies
Multipoint GRE
IPSEC
Next-Hop Resolution Protocol – NHRP
Static or dynamic routing
Configuration example
For this tutorial we present a Hub and Spoke topology with a central HUB router that acts as a
DMVPN server and 2 spoke routers that act as DMVPN clients.
All the routers involved in this tutorial are CISCO1921/K9
Step 1. Configure the HUB router
The hub router requires a static IP configured on the WAN interface facing the internet.
! Interface Configuration
interface GigabitEthernet0/0
description to Internet-WAN
ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet0/1
description to LAN
ip address 192.168.160.1 255.255.255.0
duplex auto
! Configure the tunnel interface , which basically is an enhanced GRE tunnel (Multipoint GRE)
interface Tunnel1
description DMVPN Tunnel
ip address 172.16.1.1 255.255.255.0 < --- Select a private IP subnet for the tunnels
no ip redirects
ip nhrp authentication nhrp1234 < ----- authentication used for updates between the routers
ip nhrp network-id 1 < --- Network identification that has to be the same on all the routers
load-interval 30
keepalive 5 10
tunnel source GigabitEthernet0/0 < -- source of the tunnel is the WAN interface
tunnel mode gre multipoint < ------ designates the tunnel as a mGRE tunnel
tunnel protection ipsec profile protect-gre < ------- encrypts the traffic passing through this
tunnel using ipsec
ip mtu 1440 < ----Reduce the MTU to allow extra overhead from mGRE and IPSEC
ip nhrp map multicast dynamic < --- Enables forwarding of multicast traffic across the tunnel.
! Configure IPSEC on HUB
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key isakmp1234 address 0.0.0.0 0.0.0.0 ---- > accept connection from any
source to accommodate also dynamic spokes
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile protect-gre -------- > profile added to the mGRE tunnel for encryption
set security-association lifetime seconds 86400
set transform-set TS
! Configure static routing on HUB (dynamic routing is recommended for larger networks)
ip route 192.168.164.0 0.0.0.255 172.16.1.2 < ---The remote LAN can be reached via the remote tunnel IP ip route 192.168.161.0 0.0.0.255 172.16.1.3 < ---The remote LAN can be reached via the remote tunnel IP
Step 2 . Configure the Spoke Routers
One of the routers has DHCP assigned IP on WAN and the other one has static WAN IP.
Spoke 1 (Dynamic IP assigned from DHCP)
interface GigabitEthernet0/0
description WAN to Internet
ip address dhcp
duplex auto
speed auto
interface GigabitEthernet0/1
description To LAN
ip address 192.168.164.1 255.255.255.0
duplex auto
speed auto
interface Tunnel1
ip address 172.16.1.2 255.255.255.0 < --in same subnet as all the other tunnels
no ip redirects
ip nhrp map multicast dynamic < --- Enables forwarding of multicast traffic across the tunnel.
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
ip nhrp authentication nhrp1234
ip nhrp map 172.16.1.1 10.10.10.1 ----- > maps the tunnel IP address of the HUB to the WAN
IP of the HUB that has to be static
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1 ------ > configures NHRP client with the IP address of its NHRP server
ip nhrp registration no-unique ----- > if a NHRP map is done for this IP another one will not be
allowed
ip nhrp map multicast 10.10.10.1 < --- Send multicast traffic to the Hub only. Hub will receive
all multicast traffic (e.g routing protocol updates) and then send out updates to all the Spoke
routers.
ip mtu 1440
load-interval 30
keepalive 5 10
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key isakmp1234 address 0.0.0.0 0.0.0.0 < ---Spoke routers must allow also
connections from any IP in order to form IPSEC VPN tunnels with other Spokes.
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
ip route 192.168.160.0 255.255.255.0 172.16.1.1 < --Route for HUB ip route 192.168.161.0 255.255.255.0 172.16.1.3 < --Route for other Spoke site
Spoke 2 (Static IP on WAN)
interface GigabitEthernet0/0
description TO Internet
ip address 10.10.10.9 255.255.255.252
duplex auto
speed auto
interface GigabitEthernet0/1
description To: LAN
ip address 192.168.161.1 255.255.255.0
duplex auto
speed auto
interface Tunnel1
ip address 172.16.1.3 255.255.255.0 < --in same subnet as all the other tunnels
no ip redirects
ip nhrp map multicast dynamic < --- Enables forwarding of multicast traffic across the tunnel.
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
ip nhrp authentication nhrp1234
ip nhrp map 172.16.1.1 10.10.10.1 ----- > maps the tunnel IP address of the HUB to the WAN
IP of the HUB that has to be static
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1 ------ > configures NHRP client with the IP address of its NHRP server
ip nhrp registration no-unique ----- > if a NHRP map is done for this IP another one will not be
allowed
ip nhrp map multicast 10.10.10.1 < --- Send multicast traffic to the Hub only. Hub will receive
all multicast traffic (e.g routing protocol updates) and then send out updates to all the Spoke
routers.
ip mtu 1440
load-interval 30
keepalive 5 10
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key iaskmp1234 address 0.0.0.0 0.0.0.0 < ---Spoke routers must allow also
connections from any IP in order to form IPSEC VPN tunnels with other Spokes.
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
ip route 192.168.160.0 255.255.255.0 172.16.1.1 < --Route for HUB ip route 192.168.164.0 255.255.255.0 172.16.1.2 < --Route for other Spoke site
Step 3 – Verify the DMVPN on the HUB
show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.10.10.5 (peer public IP) 172.16.1.2 (peer tunnel IP ) UP 07:51:19 D
2 10.10.10.9 172.16.1.3 UP 09:41:33 D
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.10.5 10.10.10.1 QM_IDLE 1011 ACTIVE ------ > IPsec connectivity between routers
10.10.10.9 10.10.10.1 QM_IDLE 1012 ACTIVE
HUB# ping 192.168.164.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.164.1, timeout is 2 seconds:
.!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
HUB# ping 192.168.161.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.161.1, timeout is 2 seconds:
.!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Note : You can use either static routing or a dynamic routing protocol for enabling
communication in the DMVPN cloud. In this tutorial we have used static routing but for larger
networks you should enable dynamic routing such as EIGRP
About the Author
Harris Andrea is a Cisco Certified Professional with more than 18 years of experience
working with Cisco network technologies. He is the author of two Cisco Books
(“Cisco ASA Firewall Fundamentals” and “Cisco VPN Configuration Guide”) which
have been embraced by thousands of Cisco professionals all over the world. You can
find more Cisco configuration guides and tutorials on his blog here
http://www.networkstraining.com