Difference between revisions of "DMVPN"
(Created page with "In my opinion, Dynamic Multipoint VPN (DMVPN) is the greatest technology that Cisco has implemented. It has numerous advantages over "traditional" VPN technologies: * Simple...") |
|||
| Line 12: | Line 12: | ||
* Can support multiple network technologies, such as IPv6, multicast, and L2TP tunnels | * Can support multiple network technologies, such as IPv6, multicast, and L2TP tunnels | ||
* Can be easily integrated into customer IPVPNs in a service provider environment | * Can be easily integrated into customer IPVPNs in a service provider environment | ||
| + | |||
| + | |||
| + | ==Basic DMVPN Establishment== | ||
| + | The deployment of DMVPN spokes is simple, as the hub nodes have no prior knowledge of the spokes. Since the spoke sites may have dynamic WAN IPs, this simplifies the hub configuration immensely. The spoke sites have their hub sites statically configured. On IOS 15 builds, the hubs can actually be configured using their DNS names. This prevents anyone from having to update the configuration on all the spokes if the hub has to change IPs. | ||
| + | |||
| + | First, they establish an ISAKMP/IPSec connection to the hub(s): | ||
| + | |||
| + | <PRE style="color:white;background-color:black;font-weight:bold;font-size:1.2em;"> | ||
| + | HUB1#show crypto isakmp sa | ||
| + | dst src state conn-id slot status | ||
| + | 192.0.2.1 198.51.100.1 QM_IDLE 541 0 ACTIVE | ||
| + | </PRE> | ||
| + | |||
| + | Using NHRP (Next-Hope Reachability Protocol), they create an association on the hubs between their WAN IP and their GRE IP, bringing up the GRE tunnel: | ||
| + | |||
| + | <PRE style="color:white;background-color:black;font-weight:bold;font-size:1.2em;"> | ||
| + | HUB1#show ip nhrp brief | ||
| + | Target Via NBMA Mode Intfc Claimed | ||
| + | 10.10.10.2/32 10.10.10.2 198.51.100.1 dynamic Tu1 < > | ||
| + | </PRE> | ||
| + | |||
| + | OSPF creates an adjacency over the GRE tunnel: | ||
| + | |||
| + | <PRE style="color:white;background-color:black;font-weight:bold;font-size:1.2em;"> | ||
| + | HUB1#show ip ospf neighbor | ||
| + | |||
| + | Neighbor ID Pri State Dead Time Address Interface | ||
| + | 10.10.10.2 0 FULL/DROTHER 00:00:30 10.10.10.2 Tunnel1 | ||
| + | </PRE> | ||
| + | |||
| + | A spoke router will also learn of other spokes through the GRE tunnel and dynamically create tunnels to other them as needed: | ||
| + | |||
| + | <PRE style="color:white;background-color:black;font-weight:bold;font-size:1.2em;"> | ||
| + | SPOKE1#show ip nhrp brief | ||
| + | Target Via NBMA Mode Intfc Claimed | ||
| + | 10.10.10.1/32 10.10.10.1 192.0.2.1 dynamic Tu1 < > | ||
| + | 10.10.10.3/32 10.10.10.3 203.0.113.28 dynamic Tu1 < > | ||
| + | 10.10.10.4/32 10.10.10.4 198.51.100.117 dynamic Tu1 < > | ||
| + | </PRE> | ||
Revision as of 23:06, 6 April 2015
In my opinion, Dynamic Multipoint VPN (DMVPN) is the greatest technology that Cisco has implemented. It has numerous advantages over "traditional" VPN technologies:
- Simple deployment
- Can be used over any medium (3G/4g, cable, DSL, fibre, etc)
- Scalable, with no additional configuration required on the hub to accommodate growth
- No need to update the configuration on the hub as sites are added, removed, or changed
- Spokes can have static or dynamic IPs. It will even work through NAT.
- High availability is easy to configure
- Spokes can communicate with each other directly, without passing through the hub. This can improve spoke-to-spoke performance and minimize the load on the hub.
- Natively uses standard routing protocols (OSPF, BGP, EIGRP, etc)
- Can easily be configured as a backup connection, as it supports routing protocols and automatically sets a high metric.
- Can support multiple network technologies, such as IPv6, multicast, and L2TP tunnels
- Can be easily integrated into customer IPVPNs in a service provider environment
Basic DMVPN Establishment
The deployment of DMVPN spokes is simple, as the hub nodes have no prior knowledge of the spokes. Since the spoke sites may have dynamic WAN IPs, this simplifies the hub configuration immensely. The spoke sites have their hub sites statically configured. On IOS 15 builds, the hubs can actually be configured using their DNS names. This prevents anyone from having to update the configuration on all the spokes if the hub has to change IPs.
First, they establish an ISAKMP/IPSec connection to the hub(s):
HUB1#show crypto isakmp sa dst src state conn-id slot status 192.0.2.1 198.51.100.1 QM_IDLE 541 0 ACTIVE
Using NHRP (Next-Hope Reachability Protocol), they create an association on the hubs between their WAN IP and their GRE IP, bringing up the GRE tunnel:
HUB1#show ip nhrp brief Target Via NBMA Mode Intfc Claimed 10.10.10.2/32 10.10.10.2 198.51.100.1 dynamic Tu1 < >
OSPF creates an adjacency over the GRE tunnel:
HUB1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.10.10.2 0 FULL/DROTHER 00:00:30 10.10.10.2 Tunnel1
A spoke router will also learn of other spokes through the GRE tunnel and dynamically create tunnels to other them as needed:
SPOKE1#show ip nhrp brief Target Via NBMA Mode Intfc Claimed 10.10.10.1/32 10.10.10.1 192.0.2.1 dynamic Tu1 < > 10.10.10.3/32 10.10.10.3 203.0.113.28 dynamic Tu1 < > 10.10.10.4/32 10.10.10.4 198.51.100.117 dynamic Tu1 < >