Dynamic Multipoint VPN (CCIE Notes)


Disclaimer: These are my rough cut notes for CCIE Security studies! Not a detailed explanation of DMVPN.

Three components that make up DMVPN:

1. Multipoint GRE (mGRE)

  • Tunnel interface having multiple tunnel destinations unlike a point-to-point GRE tunnel that has a single tunnel destination.

2. Next-Hop Resolution Protocol (NHRP)

  • Each router in an NHRP topology acts as either a next-hop client (NHC) or a next-hop server (NHS).
  • mGRE uses NHRP to map logical/tunnel IP addresses to physical/NBMA (real) IP addresses.
  • An NHC registers its tunnel-IP-to-NBMA mapping with the NHS; the NHS acts as the database that stores all registered mappings and answers NHC resolution queries.
  • If an NHS does not have the requested entry in its database, it can forward the request to its own NHS to see whether that one holds the mapping.

3. Cisco Express Forwarding (CEF)

  • Cisco Express Forwarding (CEF) is a packet-switching technique that switches packets through a device quickly and efficiently while keeping the load on the router's processor low.
  • CEF is made up of two main components: the Forwarding Information Base (FIB) and the CEF adjacency table.



DMVPN Phase 1 – How it works?

  • The hub is configured with an mGRE tunnel; the spokes are configured with a point-to-point GRE tunnel whose tunnel destination is the hub's physical (NBMA) IP address.
  • Spoke-to-spoke traffic has to transit the hub.
  • The benefit is a simplified hub configuration that does not need a static NHRP mapping for every new spoke; spokes register dynamically.
  • Recommended routing:
    – The hub advertises a default route to the spokes.
    – Spokes advertise their subnets to the hub.

DMVPN Phase 1 – Configuration tips

The Hub

  • Configure Phase 1/2 parameters and an IPsec profile.
  • Configure wildcard or specific pre-shared keys.
  • Configure the tunnel interface in a multipoint gre mode with no tunnel destination and apply the IPsec profile to it.
  • Configure NHRP map multicast dynamic, NHRP authentication string and network-id.

The Spoke

  • Configure Phase 1/2 parameters and an IPsec profile.
  • Configure wildcard or specific pre-shared keys.
  • Configure the tunnel interface with a tunnel source and a tunnel destination (the hub's NBMA address) and apply the IPsec profile to it.
  • Configure the NHRP authentication string and network-id (they must match the hub).
  • ip nhrp map – statically configures the hub's tunnel-IP-to-NBMA address mapping.
  • ip nhrp map multicast – lets the spoke send multicast (routing protocol hellos) to the hub's NBMA address.
  • ip nhrp nhs – names the hub's tunnel IP as the next-hop server the spoke registers with.

The Routing

  • When EIGRP is used for the overlay routing, split-horizon should be disabled on the hub tunnel interface so the hub re-advertises one spoke's prefixes to the others.
  • When OSPF is used for the overlay routing, the network type should be set to ‘point-to-multipoint’ on the hub and spoke tunnel interfaces.


DMVPN Phase 2 – How it works?

  • The only difference in this phase is that the spokes can form IPsec tunnels directly with each other instead of forcing the traffic through the hub as in Phase 1.
  • The tunnel interfaces on the hub and on every spoke are all mGRE.
  • A prefix learnt via the overlay routing protocol gets a CEF entry whose next hop is the tunnel IP address of the router that originated it. Initially the CEF adjacency for that next hop is marked “glean”, meaning an L3-to-L2 lookup (tunnel IP to NBMA address) still has to be performed. NHRP performs that lookup when the first packet is sent towards the destination prefix.
  • The spokes are the NHCs: they register with the NHS and also ask the NHS for the tunnel-IP-to-NBMA mapping of the spoke they want to peer with.
  • Using that mapping they form IPsec tunnels directly with each other, which requires either a wildcard pre-shared key or a specific key for every other spoke they may peer with.

DMVPN Phase 2 – Configuration tips

The Hub

  • Nothing much here. The configuration remains the same that was used in Phase 1.

The Spoke

  • The spokes have to be configured with “tunnel mode gre multipoint” (the tunnel destination must be removed first); the static NHRP mapping, multicast mapping and NHS entry for the hub stay as in Phase 1.

The Routing

  • When EIGRP is used for the overlay routing, split-horizon should be disabled on the hub tunnel interface, and the hub must not rewrite the next-hop field with its own tunnel IP when relaying a spoke's routes to the other spokes (no ip next-hop-self eigrp). The hub must also advertise the specific spoke prefixes, not a summary, or the next hop would be the hub for everything.
  • When OSPF is used for the overlay routing, the network type should be ‘broadcast’ (or ‘non-broadcast’) on the hub and spoke tunnel interfaces, with the hub forced to be the DR (spoke priority 0). Point-to-multipoint does not work for Phase 2: it installs the hub as the next hop for every spoke prefix, so traffic never triggers a direct spoke-to-spoke tunnel.
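The Phase 2 changes applied on top of a Phase 1 configuration, as an added example that is not from the original notes. Addresses, the EIGRP AS and the OSPF process number are made up; the EIGRP and OSPF sections are alternatives, configure one or the other.

```cisco
! ===== Spoke (Phase 2): turn the tunnel into mGRE =====
interface Tunnel0
 ! a tunnel destination cannot coexist with multipoint mode: remove it first
 no tunnel destination 203.0.113.1
 tunnel mode gre multipoint
 ! the hub is still the only static mapping and the only NHS;
 ! every other spoke is resolved dynamically through NHRP
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
!
! ===== Hub (Phase 2), EIGRP overlay =====
interface Tunnel0
 no ip split-horizon eigrp 100
 ! keep the originating spoke's tunnel IP as the next hop in relayed updates
 no ip next-hop-self eigrp 100
 ! no default/summary in Phase 2: spokes need the specific prefixes (remove it if it was set)
 no ip summary-address eigrp 100 0.0.0.0 0.0.0.0
!
! ===== Hub (Phase 2), OSPF overlay =====
interface Tunnel0
 ! broadcast keeps the advertising spoke as next hop; the hub must be the DR
 ip ospf network broadcast
 ip ospf priority 255
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! ===== Spoke (Phase 2), OSPF overlay =====
interface Tunnel0
 ip ospf network broadcast
 ! spokes can never reach each other's hellos, so they must never be DR/BDR
 ip ospf priority 0
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
```

To see the mechanism, ping a host on another spoke's LAN from a spoke and then run show ip nhrp on that spoke: the first packets go through the hub while the next hop is still "glean", and a dynamic entry for the remote spoke's tunnel IP appears once the NHS has answered the resolution request. show dmvpn then lists the new spoke-to-spoke session next to the static one to the hub.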


DMVPN Phase 3 – How it works?

  • It borrows the benefit of summarization from Phase 1 and spoke-to-spoke tunnels from Phase 2.
  • NHRP redirect configured on the hub tells the initiating spoke that a better path exists when the hub forwards a packet back out of the tunnel interface it arrived on. On receiving the redirect, the initiating spoke sends an NHRP resolution request for the destination; the hub forwards it to the remote spoke, the remote spoke answers directly (building the spoke-to-spoke tunnel in the process), and the spokes now hold each other's mappings.
  • NHRP shortcut configured on the spoke updates the CEF table. It overrides the next hop for a remote spoke's network, replacing the hub tunnel IP address that the routing table gave it with the NHRP-resolved remote spoke tunnel IP address.
  • NHRP resolution requests in DMVPN Phase 2 are made for the next-hop IP address found in the routing table; this is similar to how Ethernet ARP works for a static route configured with a next-hop IP address.
  • NHRP resolution requests in DMVPN Phase 3 are made for the destination network being accessed; this is similar to how Ethernet ARP works for a static route configured with only an exit interface on a multi-access link.

DMVPN Phase 3 – Configuration tips

The Hub

  • Configure “ip nhrp redirect” on the hub.

The Spoke

  • Configure “ip nhrp shortcut” on the spoke so that it can override the next hop in CEF and in the routing table for the destination prefix of the spoke it wants to reach.

The Routing

  • Unlike Phase 2, the hub does not have to preserve the next-hop field: NHRP shortcut overrides whatever next hop the routing protocol installed, so the hub can keep next-hop-self (the EIGRP default) and advertise a summary or default route instead of every spoke prefix. That summarization is the whole point of Phase 3.
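The Phase 3 deltas on top of a Phase 2 configuration, as an added example that is not from the original notes; addresses and the EIGRP AS are made up, and the three show commands at the end are exec-mode verification commands rather than configuration. Only the EIGRP overlay is shown.

```cisco
! ===== Hub (Phase 3) =====
interface Tunnel0
 ! send an NHRP redirect when a packet is forwarded back out the tunnel it came in on
 ip nhrp redirect
 no ip split-horizon eigrp 100
 ! summarization is back: spokes see only a default route whose next hop is the hub
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
 ! next-hop-self is left at its default (enabled); shortcut makes it irrelevant
!
! ===== Spoke (Phase 3) =====
interface Tunnel0
 ! install NHRP-resolved next hops as overrides in the RIB and CEF
 ip nhrp shortcut
!
! ===== Verification on a spoke, after sending traffic to another spoke's LAN =====
show ip nhrp                     ! dynamic entries for the remote spoke's tunnel IP and its LAN prefix
show ip route next-hop-override  ! the default route now carries an override pointing at the remote spoke
show dmvpn                       ! the spoke-to-spoke session should be UP next to the hub session
```

The security-relevant side effect of shortcut is that a spoke will accept a resolution reply from another spoke and rewrite its forwarding for that prefix, so the NHRP authentication string and the IPsec protection on the tunnel are what keep an unauthorised router from injecting next hops; a DMVPN without tunnel protection is an NHRP network anyone on the NBMA side can talk to.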


DMVPN with NAT – How it works?

  • When a spoke is behind NAT, the hub (and the other spokes) peer with its translated public address. NHRP learns that address from the outer header of the registration and IKE/IPsec use NAT-T, so very little has to change to make it work.
  • Spoke routers behind a PAT device, however, cannot build direct tunnels with each other; their traffic stays on the hub.
  • IPsec transport mode must be used!
  • If a spoke is behind a dynamic PAT device, configure “ip nhrp registration no-unique” on that spoke so the hub accepts a changed NBMA address for the same tunnel IP when the translation changes, instead of rejecting the new registration as a duplicate.

DMVPN with NAT – Configuration tips

  • Perform NAT on the intermediary device that is in the path of the DMVPN tunnels.
  • Ensure IPsec uses transport mode.
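The spoke-side configuration for a spoke behind a dynamic PAT device, as an added example that is not from the original notes. The transform-set name and algorithms are the ones assumed in the Phase 1 example above, the NAT keepalive interval of 20 seconds is my choice, and the hub needs nothing NAT-specific as long as its pre-shared key matches whatever public address the spoke arrives from.

```cisco
! ===== Spoke behind a PAT device =====
! transport mode is mandatory for DMVPN through NAT; with NAT-T the GRE packet
! rides inside ESP, which in turn is encapsulated in UDP/4500 across the NAT
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
! keep the PAT binding (and therefore the NAT-T session) alive while the tunnel is idle
crypto isakmp nat keepalive 20
!
interface Tunnel0
 ! clear the "unique" flag in NHRP registrations: when the translated
 ! address/port changes, the NHS overwrites the old NBMA mapping for this
 ! tunnel IP rather than refusing the re-registration
 ip nhrp registration no-unique
 ! everything else on the spoke tunnel (NHS, maps, mGRE, tunnel protection) is unchanged
!
! ===== Check on the hub =====
show ip nhrp   ! the spoke's NBMA address is the post-NAT address, flagged "nat",
               ! with the spoke's own pre-NAT address shown as the claimed NBMA address
```

Because the hub keys its ISAKMP pre-shared key by the peer's NBMA address, a spoke whose translated address changes is only matched by a wildcard key; if you use per-spoke keys, the key must be bound to the NAT device's public address, not the spoke's private one, and spokes behind a shared PAT cannot be told apart by address at all.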


Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/tag/CCIE


5 thoughts on “Dynamic Multipoint VPN (CCIE Notes)”

  1. Hello friend,
    How are your CCIE studies? I'm currently on IPexpert Vol 1; my lab is scheduled for next year July. I hope to be 80% ready then.
    What is the study mode and how many hours do you put in per day?

  2. Hey Tony,

    I have been studying with some ups and downs in work/life. It’s going good but unfortunately with too many breaks in between. I’m following INE and ACIT workbooks, completed the Volume 1 excluding the ISE/WSA/IPS stuff. Now I’m refreshing all the Sections before I start off with the ISE/WSA on actual gear. Until now I have done everything on GNS3 and VMware. Wanted to save money on the rack rentals only when I’m thorough with the Volume 1 labs. Took some time getting around everything in GNS3 but once I had all of it mapped, it was quick and easy. I think I’ll end up close to July 2015 too but haven’t booked a date yet.

    Are you on twitter? Follow me there so we can keep in touch.

  3. hey, nice blog!
    Just a comment about DMVPN and PAT: *** “If a spoke is behind a dynamic PAT device, disable the following “ ip nhrp registration no-unique”. ***

    Actually, my understanding is that this flag should be changed only when you have a NAT pool with more than one IP, so the NBMA address of the Spoke can change from time to time, and you want to allow the NHRP mapping to change accordingly.
    Please check unique flag explanation @ http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#wp1067931
