Difference between revisions of "DMVPN"
Jump to navigation
Jump to search
| Line 1: | Line 1: | ||
In my opinion, Dynamic Multipoint VPN (DMVPN) is the greatest technology that Cisco has implemented. It has numerous advantages over "traditional" VPN technologies: | In my opinion, Dynamic Multipoint VPN (DMVPN) is the greatest technology that Cisco has implemented. It has numerous advantages over "traditional" VPN technologies: | ||
| − | * | + | * Deployment is simple. Spoke node configurations can almost be reproduced verbatim. |
| − | * | + | * It can be used over any medium (3G/4g, cable, DSL, fibre, etc). |
| − | * Scalable, with no additional configuration required on the hub to accommodate growth | + | * Scalable, with no additional configuration required on the hub to accommodate growth. |
| − | * | + | * There is no need to update the configuration on the hub as sites are added, removed, or changed. |
* Spokes can have static or dynamic IPs. It will even work through NAT. | * Spokes can have static or dynamic IPs. It will even work through NAT. | ||
| − | * High availability is easy to configure | + | * High availability is easy to configure. |
* Spokes can communicate with each other directly, without passing through the hub. This can improve spoke-to-spoke performance and minimize the load on the hub. | * Spokes can communicate with each other directly, without passing through the hub. This can improve spoke-to-spoke performance and minimize the load on the hub. | ||
| − | * | + | * It natively uses standard routing protocols (OSPF, BGP, EIGRP, etc). |
| − | * | + | * It can easily be configured as a backup connection, as it supports routing protocols and automatically sets a high metric. |
| − | * | + | * It can support multiple network technologies, such as IPv6, multicast, and L2TP tunnels. |
| − | * | + | * It can be easily integrated into customer IPVPNs in a service provider environment. |
| Line 30: | Line 30: | ||
HUB1#show ip nhrp brief | HUB1#show ip nhrp brief | ||
Target Via NBMA Mode Intfc Claimed | Target Via NBMA Mode Intfc Claimed | ||
| − | 10.10.10. | + | 10.10.10.3/32 10.10.10.3 198.51.100.1 dynamic Tu1 < > |
</PRE> | </PRE> | ||
| Line 39: | Line 39: | ||
Neighbor ID Pri State Dead Time Address Interface | Neighbor ID Pri State Dead Time Address Interface | ||
| − | 10.10.10. | + | 10.10.10.3 0 FULL/DROTHER 00:00:30 10.10.10.3 Tunnel1 |
</PRE> | </PRE> | ||
| Line 47: | Line 47: | ||
SPOKE1#show ip nhrp brief | SPOKE1#show ip nhrp brief | ||
Target Via NBMA Mode Intfc Claimed | Target Via NBMA Mode Intfc Claimed | ||
| − | 10.10.10.1/32 10.10.10.1 192.0.2.1 | + | 10.10.10.1/32 10.10.10.1 192.0.2.1 static Tu1 < > |
| − | 10.10.10. | + | 10.10.10.2/32 10.10.10.3 203.0.113.28 static Tu1 < > |
10.10.10.4/32 10.10.10.4 198.51.100.117 dynamic Tu1 < > | 10.10.10.4/32 10.10.10.4 198.51.100.117 dynamic Tu1 < > | ||
| + | 10.10.10.5/32 10.10.10.5 198.51.100.202 dynamic Tu1 < > | ||
| + | </PRE> | ||
| + | |||
| + | |||
| + | ==Basic Hub Configuration== | ||
| + | This is a simple crypto configuration. Note that the ISAKMP key that is allowed from any host (0.0.0.0/0) | ||
| + | <PRE> | ||
| + | crypto isakmp policy 1 | ||
| + | hash md5 | ||
| + | authentication pre-share | ||
| + | crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0 | ||
| + | crypto isakmp keepalive 60 5 periodic | ||
| + | ! | ||
| + | crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-aes esp-md5-hmac | ||
| + | ! | ||
| + | crypto ipsec profile DMVPN | ||
| + | set transform-set DMVPN_TRANSFORM_SET | ||
| + | </PRE> | ||
| + | |||
| + | Create the tunnel interface. Note the following: | ||
| + | * The subnet is a /24 to accommodate all the other DMVPN nodes that will be participating. | ||
| + | * The IP MTU has been lowered below that of the WAN interface. Having it the same or higher will kill the throughput. | ||
| + | * There is a secondary hub node, 10.10.10.2. | ||
| + | * The tunnel source is set to the WAN interface, the mode configured as gre multipoint, and the crypto profile is assigned. | ||
| + | <PRE> | ||
| + | interface Tunnel0 | ||
| + | description DMVPN | ||
| + | ip address 10.10.10.1 255.255.255.0 | ||
| + | no ip redirects | ||
| + | ip mtu 1400 | ||
| + | ip nhrp map multicast dynamic | ||
| + | ip nhrp map multicast 203.0.113.28 | ||
| + | ip nhrp map 10.10.10.2 203.0.113.28 | ||
| + | ip nhrp network-id 1 | ||
| + | ip nhrp holdtime 180 | ||
| + | ip nhrp nhs 10.10.10.2 | ||
| + | ip nhrp registration timeout 60 | ||
| + | ip ospf network broadcast | ||
| + | ip ospf priority 128 | ||
| + | tunnel source FastEthernet0 | ||
| + | tunnel mode gre multipoint | ||
| + | tunnel protection ipsec profile DMVPN | ||
| + | </PRE> | ||
| + | |||
| + | A very basic WAN interface. The real thing would have things like a firewall. | ||
| + | <PRE> | ||
| + | interface FastEthernet0 | ||
| + | ip address 192.0.2.1 255.255.255.0 | ||
| + | </PRE> | ||
| + | |||
| + | Enable a routing protocol, and add the tunnel subnet. | ||
| + | <PRE> | ||
| + | router ospf 1 | ||
| + | router-id 10.10.10.1 | ||
| + | network 10.10.10.0 0.0.0.255 area 0 | ||
| + | </PRE> | ||
| + | |||
| + | ==Basic Spoke Configuration== | ||
| + | <PRE> | ||
| + | |||
</PRE> | </PRE> | ||
Revision as of 23:25, 6 April 2015
In my opinion, Dynamic Multipoint VPN (DMVPN) is the greatest technology that Cisco has implemented. It has numerous advantages over "traditional" VPN technologies:
- Deployment is simple. Spoke node configurations can almost be reproduced verbatim.
- It can be used over any medium (3G/4g, cable, DSL, fibre, etc).
- Scalable, with no additional configuration required on the hub to accommodate growth.
- There is no need to update the configuration on the hub as sites are added, removed, or changed.
- Spokes can have static or dynamic IPs. It will even work through NAT.
- High availability is easy to configure.
- Spokes can communicate with each other directly, without passing through the hub. This can improve spoke-to-spoke performance and minimize the load on the hub.
- It natively uses standard routing protocols (OSPF, BGP, EIGRP, etc).
- It can easily be configured as a backup connection, as it supports routing protocols and automatically sets a high metric.
- It can support multiple network technologies, such as IPv6, multicast, and L2TP tunnels.
- It can be easily integrated into customer IPVPNs in a service provider environment.
Basic DMVPN Establishment
The deployment of DMVPN spokes is simple, as the hub nodes have no prior knowledge of the spokes. Since the spoke sites may have dynamic WAN IPs, this simplifies the hub configuration immensely. The spoke sites have their hub sites statically configured. On IOS 15 builds, the hubs can actually be configured using their DNS names. This prevents anyone from having to update the configuration on all the spokes if the hub has to change IPs.
First, they establish an ISAKMP/IPSec connection to the hub(s):
HUB1#show crypto isakmp sa dst src state conn-id slot status 192.0.2.1 198.51.100.1 QM_IDLE 541 0 ACTIVE
Using NHRP (Next-Hope Reachability Protocol), they create an association on the hubs between their WAN IP and their GRE IP, bringing up the GRE tunnel:
HUB1#show ip nhrp brief Target Via NBMA Mode Intfc Claimed 10.10.10.3/32 10.10.10.3 198.51.100.1 dynamic Tu1 < >
OSPF creates an adjacency over the GRE tunnel:
HUB1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.10.10.3 0 FULL/DROTHER 00:00:30 10.10.10.3 Tunnel1
A spoke router will also learn of other spokes through the GRE tunnel and dynamically create tunnels to other them as needed:
SPOKE1#show ip nhrp brief Target Via NBMA Mode Intfc Claimed 10.10.10.1/32 10.10.10.1 192.0.2.1 static Tu1 < > 10.10.10.2/32 10.10.10.3 203.0.113.28 static Tu1 < > 10.10.10.4/32 10.10.10.4 198.51.100.117 dynamic Tu1 < > 10.10.10.5/32 10.10.10.5 198.51.100.202 dynamic Tu1 < >
Basic Hub Configuration
This is a simple crypto configuration. Note that the ISAKMP key that is allowed from any host (0.0.0.0/0)
crypto isakmp policy 1 hash md5 authentication pre-share crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0 crypto isakmp keepalive 60 5 periodic ! crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-aes esp-md5-hmac ! crypto ipsec profile DMVPN set transform-set DMVPN_TRANSFORM_SET
Create the tunnel interface. Note the following:
- The subnet is a /24 to accommodate all the other DMVPN nodes that will be participating.
- The IP MTU has been lowered below that of the WAN interface. Having it the same or higher will kill the throughput.
- There is a secondary hub node, 10.10.10.2.
- The tunnel source is set to the WAN interface, the mode configured as gre multipoint, and the crypto profile is assigned.
interface Tunnel0 description DMVPN ip address 10.10.10.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp map multicast dynamic ip nhrp map multicast 203.0.113.28 ip nhrp map 10.10.10.2 203.0.113.28 ip nhrp network-id 1 ip nhrp holdtime 180 ip nhrp nhs 10.10.10.2 ip nhrp registration timeout 60 ip ospf network broadcast ip ospf priority 128 tunnel source FastEthernet0 tunnel mode gre multipoint tunnel protection ipsec profile DMVPN
A very basic WAN interface. The real thing would have things like a firewall.
interface FastEthernet0 ip address 192.0.2.1 255.255.255.0
Enable a routing protocol, and add the tunnel subnet.
router ospf 1 router-id 10.10.10.1 network 10.10.10.0 0.0.0.255 area 0