DMVNP light reading

http://cisco.com/en/US/products/ps6658/products_ios_protocol_option_home.html

this is pretty good

Find more posts tagged with

Comments

Yep, I used these presentations and study materials when I was preparing for the written and I find them very helpful. Although they might be enough for the written, you will want to read the NHRP and theDMVPN section from Cisco DocCD and some of the IPSec guides if you're not familiar with it. Don't be fooled by Cisco, they listed DMVPN under FR, but you've got to know IPSec (at least the basics).

Here are some guides I found helpful:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/hadnhrp.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part17/ch10/hgreips.htm

keenon

thanks

LOkrasa

Great links guys THANKS!

Humper

DMVPN Design Guide: Very insightful, actually explains the technology unlike many of the other cisco docs I read.

http://www.cisco.com/univercd/cc/td/doc/solution/dmvpn_x.pdf

DMVPN Configuration Guide: This is the best one I found yet..

http://www.cisco.com/warp/public/105/dmvpn.html

DMVPN using IPSEC HA (HSRP):

http://www.cisco.com/en/US/products/ps6660/products_white_paper0900aecd80278edf.shtml

^^ I couldn't get this to work...

Humper

Good Intro to DMVPN:

http://www.cisco.com/application/pdf/en/us/guest/products/ps6658/c1161/cdccont_0900aecd80313c9d.pdf

Now just a question....

Is the traffic (such as ICMP) carried from spoke to spoke carried within GRE? If so why is this? Why not use IPV4 with ESP and/or AH?

dtlokee

Humper wrote:

Good Intro to DMVPN:

http://www.cisco.com/application/pdf/en/us/guest/products/ps6658/c1161/cdccont_0900aecd80313c9d.pdf

Now just a question....

Is the traffic (such as ICMP) carried from spoke to spoke carried within GRE? If so why is this? Why not use IPV4 with ESP and/or AH?

Yes, that is the point of mGRE. The advantage is you don't need to configure all the tunnels manually (in an environment with 10 routers that would require 45 tunnels.)

Humper

Thats what I thought..Thanks!

dtlokee

I guess another important point to make is mGRE is not encrypted, it is simply a tunneling method. If you also want to encrypt the payload you will need to tie a crypto map to the tunnels. Also mGRE has an added benefit where the spokes can use dynamic IP addresses and form the tunnel which is not the case with GRE or IPSec, you would need to know atleast one IP address for it to work.

Humper

Not sure what you mean...

Naturally the GRE tunnel is not protected...But if you setup the ISAKMP policy and IPSEC profile all the tunnel traffic is encrypted with ESP (for example).

Cisco recommends using IPSec profile and applying the "tunnel protection" command to the tunnel interface as crypto maps are considered "cumbersome".

When I am finished my DMVPN write up I will post some of it here

dtlokee

Yes that is correct, you use a ipsec profile, not a crypto map because you would need to manually configure the peers and that would be cumbersome.

Humper

dtlokee wrote:

Yes that is correct, you use a ipsec profile, not a crypto map because you would need to manually configure the peers and that would be cumbersome.

I could only imagine, as it would completely defeat one of the main uses for DMVPN!

Thanks for your help !