DMVPN light reading
Become the stainless steel sharp knife in a drawer full of rusty spoons
Comments
-
PStefanov Member Posts: 79 ■■□□□□□□□□
Yep, I used these presentations and study materials when I was preparing for the written and I find them very helpful. Although they might be enough for the written, you will want to read the NHRP and the DMVPN section from Cisco DocCD and some of the IPSec guides if you're not familiar with it. Don't be fooled by Cisco, they listed DMVPN under FR, but you've got to know IPSec (at least the basics).
Here are some guides I found helpful:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/hadnhrp.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part17/ch10/hgreips.htm
-
keenon Member Posts: 1,922 ■■■■□□□□□□
thanks
Become the stainless steel sharp knife in a drawer full of rusty spoons
-
Humper Member Posts: 647
DMVPN Design Guide: Very insightful, actually explains the technology unlike many of the other Cisco docs I read.
http://www.cisco.com/univercd/cc/td/doc/solution/dmvpn_x.pdf
DMVPN Configuration Guide: This is the best one I found yet..
http://www.cisco.com/warp/public/105/dmvpn.html
DMVPN using IPSEC HA (HSRP):
http://www.cisco.com/en/US/products/ps6660/products_white_paper0900aecd80278edf.shtml
^^ I couldn't get this to work...
Now working full time!
-
Humper Member Posts: 647
Good Intro to DMVPN:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6658/c1161/cdccont_0900aecd80313c9d.pdf
Now just a question....
Is the traffic (such as ICMP) carried from spoke to spoke carried within GRE? If so why is this? Why not use IPV4 with ESP and/or AH?
Now working full time!
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□
Humper wrote:
Good Intro to DMVPN:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6658/c1161/cdccont_0900aecd80313c9d.pdf
Now just a question....
Is the traffic (such as ICMP) carried from spoke to spoke carried within GRE? If so why is this? Why not use IPV4 with ESP and/or AH?

Yes, that is the point of mGRE. The advantage is you don't need to configure all the tunnels manually (in an environment with 10 routers that would require 45 tunnels.)
The only easy day was yesterday!
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□
I guess another important point to make is mGRE is not encrypted, it is simply a tunneling method. If you also want to encrypt the payload you will need to tie a crypto map to the tunnels. Also mGRE has an added benefit where the spokes can use dynamic IP addresses and form the tunnel which is not the case with GRE or IPSec, you would need to know at least one IP address for it to work.
The only easy day was yesterday!
-
Humper Member Posts: 647
Not sure what you mean...
Naturally the GRE tunnel is not protected... But if you set up the ISAKMP policy and IPSEC profile all the tunnel traffic is encrypted with ESP (for example).
Cisco recommends using IPSec profile and applying the "tunnel protection" command to the tunnel interface as crypto maps are considered "cumbersome".
When I am finished my DMVPN write up I will post some of it here
Now working full time!
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□
Yes that is correct, you use an ipsec profile, not a crypto map because you would need to manually configure the peers and that would be cumbersome.
The only easy day was yesterday!
-
Humper Member Posts: 647
dtlokee wrote:
Yes that is correct, you use a ipsec profile, not a crypto map because you would need to manually configure the peers and that would be cumbersome.

I could only imagine, as it would completely defeat one of the main uses for DMVPN!
Thanks for your help!
Now working full time!