Options

DMVPN

larkspurlarkspur Member Posts: 235
in CCNP Security
anyone working or worked with this? I would suppose if you have 2 host sites and a bunch of remote sites this would be good?

Trying to find best options for IPSEC Vpn's termenating at 2 host sites.
just trying to keep it all in perspective!
· Share on FacebookShare on Twitter

Comments

  • Options
    dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    DMVPN is really designed for many sites, it typically requires 2 routers just for the NHRP requests. If you only hae a couple sites it would be better to configure IPSec tunnels or IPSec encrypted GRE tunnels if you plan to run your routing protocols over the tunnels.

    The goal of DMVPN is to allow for the spoke to spoke tunnels to be created dynamically. If you don't plan to have spoke to spoke tunnels then it wouldn't be worthwhile. However if you have spokes that are getting their IP addresses dynamically, you may want to use this as an option.
    The only easy day was yesterday!
    · Share on FacebookShare on Twitter
  • Options
    larkspurlarkspur Member Posts: 235
    thanks for the well explained reply...

    so let me ask this, if i have 50 sites termnating ipsec tunnels to a ios router i can get away with building one crypto map for all 50 sites?

    Of course as long as none of the defining statemnets in the crypto map need to be changed.

    In the event there are say 3 differrent types of vpn terminating, (gre, ipsec, etc) I would need to look at 3 diffrrent crypto policies, and more than one crypto can terminate on the same interface or break it out to tunnel interfaces?

    hope that makes sense..

    I am reviewing books on VPN design and foundentals and have deployed few site-to-site ipsec vpn's but want to go bigger...

    :D
    just trying to keep it all in perspective!
    · Share on FacebookShare on Twitter
  • Options
    larkspurlarkspur Member Posts: 235
    anyone on the VPN design questions?
    just trying to keep it all in perspective!
    · Share on FacebookShare on Twitter
  • Options
    NetstudentNetstudent Member Posts: 1,693 ■■■□□□□□□□
    You might want to take this one to the cisco.com forums if you can't get a solution.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
    · Share on FacebookShare on Twitter
  • Options
    dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    larkspur wrote:
    thanks for the well explained reply...

    so let me ask this, if i have 50 sites termnating ipsec tunnels to a ios router i can get away with building one crypto map for all 50 sites?

    Of course as long as none of the defining statemnets in the crypto map need to be changed.

    In the event there are say 3 differrent types of vpn terminating, (gre, ipsec, etc) I would need to look at 3 diffrrent crypto policies, and more than one crypto can terminate on the same interface or break it out to tunnel interfaces?

    hope that makes sense..

    I am reviewing books on VPN design and foundentals and have deployed few site-to-site ipsec vpn's but want to go bigger...

    :D

    You sort of need one crypto map for all 50 sites (how many crypto maps can you assign to one interface?)

    If you are using DMVPN the type of vpn is going to use mGRE, so that would be your "type" of VPN. You don't need to make multiple tunnel interfaces for DMVPN's, just a connection to the NHRP hub (usually 2 of them for backup) and the spoke to spoke VPN's will be established dynamically.
    The only easy day was yesterday!
    · Share on FacebookShare on Twitter
  • Options
    NetstudentNetstudent Member Posts: 1,693 ■■■□□□□□□□
    nevermind...What was I thinking?
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
    · Share on FacebookShare on Twitter
  • Options
    larkspurlarkspur Member Posts: 235
    oh wow, i moved this a couple of times, my bad need to practice patience....

    dtlokee - so away from the DMVPN complexity. butjust more on site-to-site. so for every ipsec spoke that comes online a crypto map statemnet will need to be defined?

    I hope I am asking this correctly.

    tia!!
    just trying to keep it all in perspective!
    · Share on FacebookShare on Twitter
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    Here is a lab for a hub and spoke configuration I used to learn about it. All the routers are connected to a switch with all interfaces in the same VLAN. Hope this helps you get more of a grasp of things.



    HUB Router

    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Hub

    The first step is to create the tunnel. Generic Routing Encapsulation (GRE) tunnels provide a specific pathway across the shared WAN and encapsulate traffic with new packet headers to ensure delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. Tunnels do not provide true confidentiality (encryption does) but can carry encrypted traffic.

    Create a GRE tunnel template which will be applied to all the dynamically created GRE tunnels.

    Hub(config)#interface Tunnel 0
    Hub(config-if)#description Hub
    Hub(config-if)#ip address 10.0.0.1 255.255.255.0
    Hub(config-if)#no ip redirects
    Hub(config-if)#ip mtu 1440
    Hub(config-if)#ip nhrp authentication 123
    Hub(config-if)#ip nhrp map multicast dynamic
    Hub(config-if)#ip nhrp network-id 1
    Hub(config-if)#ip ospf network broadcast
    Hub(config-if)#ip ospf priority 2

    Hub(config-if)#tunnel source f0/1
    Hub(config-if)#tunnel mode gre multipoint
    Hub(config-if)#tunnel key 0

    This is the outbound interface.

    Hub(config-if)#int f0/1
    Hub(config-if)#ip address 172.19.0.1 255.255.255.240
    Hub(config-if)#no shut

    This is the inbound interface

    Hub(config-if)#int loopback 0
    Hub(config-if)#ip address 14.0.0.1 255.255.255.255

    Enable a routing protocol to send and receive dynamic updates about the private networks. Notice you are not advertising the source IP address of the interface. Only the tunnel address and your private network addresses are advertised.

    Hub(config-if)#router ospf 100
    Hub(config-router)#network 10.0.0.0 0.255.255.255 area 0
    Hub(config-router)#network 14.0.0.0 0.255.255.255 area 0
    Hub(config-router)#end

    Spoke1 Router

    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Spoke1

    Create a GRE tunnel template which will be applied to all the dynamically created GRE tunnels.

    Spoke1(config)#interface Tunnel 0
    Spoke1(config-if)#description spoke to Hub
    Spoke1(config-if)#ip address 10.0.0.2 255.255.255.0
    Spoke1(config-if)#no ip redirects
    Spoke1(config-if)#ip mtu 1440
    Spoke1(config-if)#ip nhrp authentication 123
    Spoke1(config-if)#ip nhrp map multicast dynamic
    Spoke1(config-if)#ip nhrp map 10.0.0.1 172.19.0.1
    Spoke1(config-if)#ip nhrp map multicast 172.19.0.1
    Spoke1(config-if)#ip nhrp network-id 1
    Spoke1(config-if)#ip nhrp nhs 10.0.0.1
    Spoke1(config-if)#ip ospf network broadcast
    Spoke1(config-if)#tunnel source e0/0
    Spoke1(config-if)#tunnel mode gre multipoint
    Spoke1(config-if)#tunnel key 0

    This is the outbound interface.

    Spoke1(config-if)#int e0/0
    Spoke1(config-if)#ip address 172.19.0.2 255.255.255.240
    Spoke1(config-if)#no shut


    This is the inbound interface.

    Spoke1(config-if)#int loopback 0
    Spoke1(config-if)#ip address 14.0.0.2 255.255.255.255

    Enable a routing protocol to send and receive dynamic updates about the private networks. Notice you are not advertising the source IP address of the interface. Only the tunnel address and your private network addresses are advertised.

    Spoke1(config-if)#router ospf 100
    Spoke1(config-router)#network 10.0.0.0 0.255.255.255 area 0
    Spoke1(config-router)#network 14.0.0.0 0.255.255.255 area 0
    Spoke1(config-router)#end

    Spoke2 Router

    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Spoke2

    Spoke2(config)#interface Tunnel 0
    Spoke2(config-if)#description spoke to Hub
    Spoke2(config-if)#ip address 10.0.0.3 255.255.255.0
    Spoke2(config-if)#no ip redirects
    Spoke2(config-if)#ip mtu 1440
    Spoke2(config-if)#ip nhrp authentication 123
    Spoke2(config-if)#ip nhrp map multicast dynamic
    Spoke2(config-if)#ip nhrp map 10.0.0.1 172.19.0.1
    Spoke2(config-if)#ip nhrp map multicast 172.19.0.1
    Spoke2(config-if)#ip nhrp network-id 1
    Spoke2(config-if)#ip nhrp nhs 10.0.0.1
    Spoke2(config-if)#ip ospf network broadcast
    Spoke2(config-if)#tunnel source e0
    Spoke2(config-if)#tunnel mode gre multipoint
    Spoke2(config-if)#tunnel key 0

    This is the outbound interface.

    Spoke2(config-if)#int e0
    Spoke2(config-if)#ip address 172.19.0.3 255.255.255.240
    Spoke2(config-if)#no shut

    This is the inbound interface.

    Spoke2(config-if)#int loopback 0
    Spoke2(config-if)#ip address 14.0.0.3 255.255.255.255

    Enable a routing protocol to send and receive dynamic updates about the private networks. Notice you are not advertising the source IP address of the interface. Only the tunnel address and your private network addresses are advertised.

    Spoke2(config-if)#router ospf 100
    Spoke2(config-router)#network 10.0.0.0 0.255.255.255 area 0
    Spoke2(config-router)#network 14.0.0.0 0.255.255.255 area 0
    Spoke2(config-router)#end


    Spoke3 Router

    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Spoke3

    Create a GRE tunnel template which will be applied to all the dynamically created GRE tunnels.

    Spoke3(config)#interface Tunnel0
    Spoke3(config-if)#description spoke to Hub
    Spoke3(config-if)#ip address 10.0.0.4 255.255.255.0
    Spoke3(config-if)#no ip redirects
    Spoke3(config-if)#ip mtu 1440
    Spoke3(config-if)#ip nhrp authentication 123
    Spoke3(config-if)#ip nhrp map multicast dynamic
    Spoke3(config-if)#ip nhrp map 10.0.0.1 172.19.0.1
    Spoke3(config-if)#ip nhrp map multicast 172.19.0.1
    Spoke3(config-if)#ip nhrp network-id 1
    Spoke3(config-if)#ip nhrp nhs 10.0.0.1
    Spoke3(config-if)#ip ospf network broadcast
    Spoke3(config-if)#tunnel source e1
    Spoke3(config-if)#tunnel mode gre multipoint
    Spoke3(config-if)#tunnel key 0

    This is the outbound interface.

    Spoke3(config-if)#int e1
    Spoke3(config-if)#ip address 172.19.0.4 255.255.255.240
    Spoke3(config-if)#no shut

    This is the inbound interface.

    Spoke3(config-if)#int loopback 0
    Spoke3(config-if)#ip address 14.0.0.4 255.255.255.255

    Enable a routing protocol to send and receive dynamic updates about the private networks. Notice you are not advertising the source IP address of the interface. Only the tunnel address and your private network addresses are advertised.

    Spoke3(config-if)#router ospf 100
    Spoke3(config-router)#network 10.0.0.0 0.255.255.255 area 0
    Spoke3(config-router)#network 14.0.0.0 0.255.255.255 area 0
    Spoke3(config-router)#end






    Monitoring and Testing the Configuration:

    Hub

    Hub#show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

    172.19.0.0/27 is subnetted, 1 subnets
    C 172.19.0.0 is directly connected, Ethernet0/0
    10.0.0.0/24 is subnetted, 1 subnets
    C 10.0.0.0 is directly connected, Tunnel0
    14.0.0.0/32 is subnetted, 2 subnets
    O 14.0.0.2 [110/11112] via 10.0.0.2, 00:06:47, Tunnel0
    C 14.0.0.1 is directly connected, Loopback0
    Hub#

    Hub#show ip nhrp detail
    10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:18:53, expire 01:41:06
    Type: dynamic, Flags: authoritative unique registered
    NBMA address: 172.19.0.2 (Spoke1)
    10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:08:47, expire 01:51:12
    Type: dynamic, Flags: authoritative unique registered
    NBMA address: 172.19.0.3 (Spoke2)
    10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:01:01, expire 01:58:58
    Type: dynamic, Flags: authoritative unique registered
    NBMA address: 172.19.0.3 (Spoke3)

    Hub#show int tunnel 0
    Tunnel0 is up, line protocol is up
    Hardware is Tunnel
    Description: Hub
    Internet address is 10.0.0.1/24
    MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 172.19.0.1 (Ethernet0/0), destination UNKNOWN
    Tunnel protocol/transport multi-GRE/IP, key 0x0, sequencing disabled
    Checksumming of packets disabled, fast tunneling enabled
    Last input 00:00:05, output 00:00:01, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    94 packets input, 12930 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    92 packets output, 10130 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 output buffer failures, 0 output buffers swapped out


    Spoke1


    Spoke1#show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

    172.19.0.0/27 is subnetted, 1 subnets
    C 172.19.0.0 is directly connected, Ethernet0/0
    10.0.0.0/24 is subnetted, 1 subnets
    C 10.0.0.0 is directly connected, Tunnel0
    14.0.0.0/32 is subnetted, 2 subnets
    C 14.0.0.2 is directly connected, Loopback0
    O 14.0.0.3 [110/11112] via 10.0.0.1, 01:25:17, Tunnel0
    O 14.0.0.4 [110/11112] via 10.0.0.1, 01:25:17, Tunnel0
    O 14.0.0.1 [110/11112] via 10.0.0.1, 01:25:17, Tunnel0



    Spoke1#show ip nhrp tunnel 0
    10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:01:02, never expire
    Type: static, Flags: authoritative used
    NBMA address: 172.19.0.1 (Hub)

    Spoke1# show int tunnel 0
    Tunnel0 is up, line protocol is up
    Hardware is Tunnel
    Description: spoke to Hub
    Internet address is 10.0.0.2/24
    MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 172.19.0.2 (Ethernet0/0), destination UNKNOWN
    Tunnel protocol/transport multi-GRE/IP, key 0x0, sequencing disabled
    Checksumming of packets disabled, fast tunneling enabled
    Last input 00:00:03, output 00:00:07, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    555 packets input, 75658 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    586 packets output, 63422 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 output buffer failures, 0 output buffers swapped out
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • Options
    larkspurlarkspur Member Posts: 235
    excuse my lack of experience with vpn technology,

    so this is a dmvpn example or for point-to-multipoint vpn?
    just trying to keep it all in perspective!
    · Share on FacebookShare on Twitter
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    This is an example of DMVPN. This doesn't exlain the ins and outs, but you can use this as an example when doing some reaserch.
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • Options
    larkspurlarkspur Member Posts: 235
    very cool thanks a bunch....
    just trying to keep it all in perspective!
    · Share on FacebookShare on Twitter
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    No problem, it helped me a lot. I like to set things up when I learn about them, it helps put it in perspective better than just reading.
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • Options
    larkspurlarkspur Member Posts: 235
    man I spent 4 or 5 hours this weekend labbin gipsec vpn. opened my eyes to a couple of things, i was not seeing before.

    nothign like putting your hands on it. icon_rolleyes.gif
    just trying to keep it all in perspective!
    · Share on FacebookShare on Twitter
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    I agree, and people new this wonder why experience is regarded MUCH higher than certs or education.
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • Options
    LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
    Great links on DMVPN you may want to look at:
    keenon wrote:
    http://cisco.com/en/US/products/ps6658/products_ios_protocol_option_home.html

    this is pretty good
    littlegrave wrote:
    Yep, I used these presentations and study materials when I was preparing for the written and I find them very helpful. Although they might be enough for the written, you will want to read the NHRP and theDMVPN section from Cisco DocCD and some of the IPSec guides if you're not familiar with it. Don't be fooled by Cisco, they listed DMVPN under FR, but you've got to know IPSec (at least the basics).

    Here are some guides I found helpful:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/hadnhrp.htm
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part17/ch10/hgreips.htm


    Awesome info from both of those guys.
    · Share on FacebookShare on Twitter
  • Options
    larkspurlarkspur Member Posts: 235
    thanks for the addtional resources. LOkrasa.
    just trying to keep it all in perspective!
    · Share on FacebookShare on Twitter
  • Options
    HumperHumper Member Posts: 647
    Has anyone used DMVPN with a PKI (CA) server? Right now I am using pre-shared keys but would like to use CA server. Can anyone provide me with documentation to set this up as I have tried looking for the DMVPN + CA implementation docs.
    Now working full time!
    · Share on FacebookShare on Twitter
  • Options
    dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    Yeah you need to change the way ISAKMP is negoiated from pre-share to rsa-sig, and you need to enroll with the CA the same way you would with a site to site VPN. Then set the "tunnel protection ipsec profile" command to link the IPSEC configuration to the tunnel.
    The only easy day was yesterday!
    · Share on FacebookShare on Twitter
  • Options
    HumperHumper Member Posts: 647
    dtlokee wrote:
    Yeah you need to change the way ISAKMP is negoiated from pre-share to rsa-sig, and you need to enroll with the CA the same way you would with a site to site VPN. Then set the "tunnel protection ipsec profile" command to link the IPSEC configuration to the tunnel.

    I understand how to change ISAKMP from pre-share to rsa-sig, but I am not sure what you mean by enroll the CA server. Is this done under crypto pki server command? I am also confused how the branch router config.

    Right now I am looking at "Configuring certificate enrollment for PKI" found here:

    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804a5a17.html

    Is this the right direction?
    Now working full time!
    · Share on FacebookShare on Twitter
Sign In or Register to comment.