DMVPN Configuration Example

 

Dynamic Multipoint VPN (DMVPN)

Dynamic Multipoint VPN is a Cisco solution for building scalable hub-and-spoke IPsec overlays. It combines three components: multipoint GRE (mGRE) tunnels, the Next Hop Resolution Protocol (NHRP), which lets spokes register with the hub and resolve each other's public (NBMA) addresses, and IPsec, which encrypts the GRE traffic. Each spoke needs only one tunnel interface and one static entry for the hub; spoke-to-spoke tunnels are built on demand, so branch locations can talk directly to each other over the public Internet, a private WAN or an MPLS network without hairpinning through the hub.

HUB Config:

The hub carries no static NHRP mappings; every spoke registers with it dynamically. "ip nhrp map multicast dynamic" lets the hub replicate multicast (for example routing-protocol hellos) to every registered spoke. Note that "ip nhrp authentication DMVPN" is a plaintext string that must simply match on both ends; it is a mismatch check, not a security control. What keeps unknown devices out of the cloud is the IPsec authentication in the crypto section below.

interface Tunnel500
 description "HUB-DMVPN"
 ip address 100.64.181.81 255.255.255.240
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 500
 ip nhrp holdtime 300
 tunnel source gigabitEthernet 0
 tunnel mode gre multipoint
 tunnel key 500
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
end

 

Spoke-1 Config:

The spoke statically maps the hub's tunnel address (100.64.181.81) to the hub's NBMA/public address (100.64.147.106) and declares the hub as its next-hop server (NHS). "tunnel mode gre multipoint" on the spoke is what makes direct spoke-to-spoke tunnels possible; "tunnel key 500" and "ip nhrp network-id 500" must match the hub.

interface Tunnel500
 description "SPOKE1-DMVPN"
 ip address 100.64.181.82 255.255.255.240
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp map 100.64.181.81 100.64.147.106
 ip nhrp network-id 500
 ip nhrp holdtime 300
 ip nhrp nhs 100.64.181.81
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 500
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
end

 

Spoke-2 Config:

interface Tunnel500
 description "SPOKE2-DMVPN"
 ip address 100.64.181.83 255.255.255.240
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp map 100.64.181.81 100.64.147.106
 ip nhrp network-id 500
 ip nhrp holdtime 300
 ip nhrp nhs 100.64.181.81
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 500
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
end

 

 

IPSEC Configuration:

The same crypto configuration is applied on the HUB and on every spoke. Everything below uses algorithms that are deprecated today (MD5, 3DES, and the IOS defaults that fill in the unspecified Phase 1 parameters); it is adequate for a lab but should be replaced with AES and SHA-2, preferably on IKEv2, in production.

// ISAKMP (IKEv1) policy for Phase 1 negotiations. Only the hash and the authentication method are set, so the encryption algorithm and DH group fall back to the classic IOS defaults (DES and group 1). For a real deployment add "encryption aes 256", "hash sha256" and "group 14" or stronger.

crypto isakmp policy 10
 hash md5
 authentication pre-share

// One wildcard pre-shared key for all the tunnels (HUB and SPOKES). Convenient, but a single secret admits any peer that learns it: use a long random value, and per-peer keys (or certificates) where spoke addresses are known.

crypto isakmp key DMVPN123 address 0.0.0.0 0.0.0.0

// Phase 2 transform set for the actual data encryption (3DES/MD5 here; use "esp-aes 256 esp-sha256-hmac" instead). Adding "mode transport" is recommended for DMVPN, especially when spokes sit behind NAT.

crypto ipsec transform-set DMVPN-TSET esp-3des esp-md5-hmac

// IPsec profile applied to the GRE tunnels with "tunnel protection". The 120-second SA lifetime (the default is 3600) makes the SAs rekey every two minutes, which is handy for watching rekeys in a lab but adds needless load in production.

crypto ipsec profile DMVPN-IPSEC-PROFILE
 set security-association lifetime seconds 120
 set transform-set DMVPN-TSET
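The crypto block above is what the post uses, but every algorithm in it is deprecated. The following is an added example, not configuration from the original post: a hardened replacement on IKEv2 that keeps the profile name DMVPN-IPSEC-PROFILE so the Tunnel500 interfaces above need no change. The proposal, policy, keyring and profile names, the choice of DH group 14, the DPD timers and the placeholder pre-shared key are my assumptions; the key must be replaced with a long random secret, and one "peer" block per spoke (or certificate authentication) is preferable to the wildcard entry shown here.

```cisco
! Remove the weak IKEv1 pieces from the original configuration
no crypto isakmp policy 10
no crypto isakmp key DMVPN123 address 0.0.0.0 0.0.0.0
!
! IKEv2 (Phase 1) proposal: AES-256, SHA-256 integrity, DH group 14 (2048-bit MODP)
crypto ikev2 proposal DMVPN-IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! A proposal only takes effect once it is referenced from a policy
crypto ikev2 policy DMVPN-IKEV2-POL
 proposal DMVPN-IKEV2-PROP
!
! Keyring: one wildcard entry for a lab (assumed names). Prefer one "peer" block
! per spoke with its NBMA address when spoke addresses are static.
! REPLACE the placeholder secret with a long random value.
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY-SPOKE
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
!
! IKEv2 profile: PSK in both directions, dead-peer detection so stale SAs are torn down
crypto ikev2 profile DMVPN-IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 30 5 on-demand
!
! Phase 2: AES-256/SHA-256 in transport mode (smaller overhead than tunnel mode
! and the usual choice for DMVPN, including spokes behind NAT)
crypto ipsec transform-set DMVPN-TSET-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
! Same profile name as on the page, so "tunnel protection ipsec profile
! DMVPN-IPSEC-PROFILE" on Tunnel500 picks up the new settings. The default
! SA lifetime (3600 s) applies instead of the 120 s used above.
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set DMVPN-TSET-AES
 set ikev2-profile DMVPN-IKEV2-PROFILE
```

Apply the block identically on the HUB and on every spoke; swapping the IPsec profile under a live tunnel tears the tunnel down, so do it in a maintenance window. Afterwards "show crypto ikev2 sa" should list one SA per peer and "show dmvpn" should show the peers back in the UP state.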

 

 

DMVPN Verification:

On Spoke-1:

Before any spoke-to-spoke traffic, Spoke-1 holds only the static NHRP mapping for the HUB and a single static (S) tunnel to it. If "show dmvpn" reports IKE, IPSEC or NHRP as the state instead of UP, the tunnel is stuck at that stage; check "show crypto session" and "show crypto isakmp sa" before looking at NHRP.

Spoke-1#sh ip nhrp brief
   Target             Via              NBMA             Mode     Intfc   Claimed
100.64.181.81/32    100.64.181.81    100.64.147.106   static   Tu500   <   >
Spoke-1#
Spoke-1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel500, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1  100.64.147.106   100.64.181.81    UP    6d00h     S

               

 

Next, configure routing between Spoke-1 and Spoke-2. Any routing protocol (OSPF, EIGRP or BGP) or plain static routes can be run over the tunnel; the choice does not affect NHRP.

In this example we create one loopback on each spoke and add a static route on each side for the other spoke's loopback, with the next hop set to the other spoke's tunnel IP. Because that next hop is a tunnel address other than the hub's, the spoke has to resolve it through NHRP, and that resolution is what triggers the dynamic spoke-to-spoke tunnel shown in the verification output below.

 

On Spoke-1:
!
interface Loopback500
 description Spoke1-loopback
 ip address 100.64.181.97 255.255.255.255
!
end
//Static route to Spoke-2 loopback with next-hop as Spoke-2 tunnel IP.
ip route 100.64.181.98 255.255.255.255 100.64.181.83

On Spoke-2:
!
interface Loopback500
 description spoke2-loopback
 ip address 100.64.181.98 255.255.255.255
end
//Static route to Spoke-1 loopback with next-hop as Spoke-1 tunnel IP.
ip route 100.64.181.97 255.255.255.255 100.64.181.82
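The static routes above are fine for two spokes but do not scale. As an added example that is not part of the original post, here is the same topology running EIGRP over Tunnel500 instead; the AS number 500 and the 100.64.181.96/28 summary (which happens to contain both loopbacks) are my assumptions. The two "no ip ..." lines on the HUB are what allow spoke-to-spoke tunnels with a routing protocol: without them the hub would either withhold one spoke's routes from the other (split horizon) or rewrite the next hop to itself, and all spoke-to-spoke traffic would stay hairpinned through the hub. On the spokes, "ip nhrp map multicast dynamic" (a hub-side command that does nothing useful on a spoke) is replaced with a multicast mapping to the HUB's NBMA address so the EIGRP hellos actually reach it.

```cisco
! HUB: the NHRP and tunnel lines from the page stay as they are; add the EIGRP knobs
interface Tunnel500
 ! Re-advertise routes learned from one spoke out of the same interface to the others
 no ip split-horizon eigrp 500
 ! Keep the originating spoke as next hop so spokes resolve each other through NHRP
 no ip next-hop-self eigrp 500
!
router eigrp 500
 network 100.64.181.80 0.0.0.15
!
! Spoke-1
interface Tunnel500
 no ip nhrp map multicast dynamic
 ! Replicate multicast (EIGRP hellos) to the HUB's NBMA address
 ip nhrp map multicast 100.64.147.106
!
! The static route is no longer needed once EIGRP carries the loopbacks
no ip route 100.64.181.98 255.255.255.255 100.64.181.83
!
router eigrp 500
 network 100.64.181.80 0.0.0.15
 network 100.64.181.97 0.0.0.0
!
! Spoke-2 (identical apart from its own loopback and the static route it drops)
interface Tunnel500
 no ip nhrp map multicast dynamic
 ip nhrp map multicast 100.64.147.106
!
no ip route 100.64.181.97 255.255.255.255 100.64.181.82
!
router eigrp 500
 network 100.64.181.80 0.0.0.15
 network 100.64.181.98 0.0.0.0
```

To verify, "show ip eigrp neighbors" on the HUB should list both spokes, and "show ip route eigrp" on Spoke-1 should show 100.64.181.98/32 with next hop 100.64.181.83 (Spoke-2's tunnel IP), not the hub's 100.64.181.81. If the next hop is the hub, "no ip next-hop-self eigrp 500" is missing and spoke-to-spoke tunnels will never form.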

 

Now ping 100.64.181.98 from Spoke-1:

Spoke-1#ping 100.64.181.98

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.64.181.98, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Spoke-1#

 

That ping from Spoke-1 to Spoke-2's loopback triggers an NHRP resolution request for the next hop 100.64.181.83. The HUB answers with Spoke-2's NBMA address (100.64.181.77), and Spoke-1 brings up a dynamic (D) spoke-to-spoke tunnel straight to it, so subsequent packets no longer transit the HUB. The NHRP cache now also contains a dynamic entry for 100.64.181.82, which is Spoke-1's own tunnel address (NBMA 100.64.181.69). "show dmvpn detail" additionally lists the IPsec session bound to each peer.

Spoke-1#sh ip nhrp brief
   Target             Via              NBMA             Mode      Intfc   Claimed
100.64.181.81/32    100.64.181.81    100.64.147.106   static    Tu500   <   >
100.64.181.82/32    100.64.181.82    100.64.181.69    dynamic   Tu500   <   >
100.64.181.83/32    100.64.181.83    100.64.181.77    dynamic   Tu500   <   >
Spoke-1# sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel500, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1  100.64.147.106   100.64.181.81    UP    6d00h     S
     1   100.64.181.77   100.64.181.83    UP 00:00:01     D

 

 

2 comments:

  1. DMVPN is pretty good, would be nice if Juniper had an equivalent technology.

  2. It looks like Juniper has ADVPN which is similar to DMVPN
    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-auto-discovery-vpn-understanding.html