Tuesday, October 15, 2019

DMVPN Tunneling

DMVPN (Dynamic Multipoint VPN) is a tunneling technology which we can implement over the Internet, using the Internet edge routers, to interconnect sites in a site-to-site fashion.

There are several concepts involved in DMVPN..

1. GRE
2. Multi-point GRE
3. NHRP
4. Routing
5. IPSec

GRE (Generic Routing Encapsulation) is the most basic L3 tunneling technology in networking. To learn GRE configuration, please go here.

Multipoint GRE (mGRE) is an extension of GRE where we don't specify a tunnel destination and instead let a single tunnel interface form many tunnels with several remote destinations.

NHRP (Next Hop Resolution Protocol) allows Spokes to form tunnels directly with other Spokes. This is achieved by one router (the Hub) acting as a server (NHS) which stores a database of the public (NBMA) addresses of all the Spoke routers. Note that we are talking about a Hub & Spoke topology, which is how DMVPN is natively implemented.

Routing is of course needed to learn the routes of the WAN sites. We can use any dynamic routing protocol or static routes for L3 routing. If you are going to use a dynamic routing protocol, you should enable multicast traffic on the tunnels.

IPSec is for security. Because DMVPN is implemented over the Internet, it is recommended to use this security framework; without it, GRE carries the tunneled traffic in clear text, and the NHRP authentication string configured below is also sent in clear text, so it is not a substitute for IPSec.

There are 3 Phases (ways of implementation) of DMVPN.. We will go through each Phase with its configuration in this post. The following topology will be used..

[Topology diagram]

The provider network is marked in blue. The setup has 3 routers which are connected over the Internet. They represent 3 sites, and 3 PCs are there to test connectivity. I hope the IP addressing scheme is clear to anyone, as it is in the diagram. The SP router has the 2nd IP of each point-to-point link, and default routes to that IP are statically configured on R1, R2 & R3. R1 will be the Hub and R2, R3 will be the Spokes.

Phase 1

This way of implementation requires the Hub to be configured with mGRE and the Spokes to be configured with regular point-to-point GRE. This means that no direct dynamic tunnels will form between Spokes. All the traffic will come to the Hub and be routed as per the routing table of the Hub.

The configuration of the Hub is like the following..

R1(config)#interface Tunnel 0
R1(config-if)#ip address 192.168.123.1 255.255.255.0
R1(config-if)#ip nhrp authentication PASSWORD
R1(config-if)#ip nhrp network-id 1
R1(config-if)#tunnel source e0/0
R1(config-if)#tunnel mode gre multipoint

The configuration of the Spokes is like the following..

R2(config)#interface Tunnel0
R2(config-if)#ip address 192.168.123.2 255.255.255.0
R2(config-if)#ip nhrp authentication PASSWORD
R2(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R2(config-if)#ip nhrp network-id 1
R2(config-if)#ip nhrp nhs 192.168.123.1
R2(config-if)#tunnel source e0/0
R2(config-if)#tunnel destination 13.18.12.1

R3(config)#interface Tunnel0
R3(config-if)#ip address 192.168.123.3 255.255.255.0
R3(config-if)#ip nhrp authentication PASSWORD
R3(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 192.168.123.1
R3(config-if)#tunnel source e0/0
R3(config-if)#tunnel destination 13.18.12.1

The following verifies the implementation..

[Verification output]

Phase 2

This is where the Spokes can dynamically create multiple tunnels directly between Spokes. The configuration is inherited from Phase 1 and changes only on the Spoke routers: in Phase 2 we remove the tunnel destination command and replace it with the tunnel mode gre multipoint command.

So the configuration on the routers will be like the following..

R1(config)#interface Tunnel 0
R1(config-if)#ip address 192.168.123.1 255.255.255.0
R1(config-if)#ip nhrp authentication PASSWORD
R1(config-if)#ip nhrp network-id 1
R1(config-if)#tunnel source e0/0
R1(config-if)#tunnel mode gre multipoint

R2(config)#interface Tunnel0
R2(config-if)#ip address 192.168.123.2 255.255.255.0
R2(config-if)#ip nhrp authentication PASSWORD
R2(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R2(config-if)#ip nhrp network-id 1
R2(config-if)#ip nhrp nhs 192.168.123.1
R2(config-if)#tunnel source e0/0
R2(config-if)#tunnel mode gre multipoint

R3(config)#interface Tunnel0
R3(config-if)#ip address 192.168.123.3 255.255.255.0
R3(config-if)#ip nhrp authentication PASSWORD
R3(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 192.168.123.1
R3(config-if)#tunnel source e0/0
R3(config-if)#tunnel mode gre multipoint


Phase 3

This Phase changes the way NHRP operates. When a Spoke wants to reach something which is reachable via DMVPN, it sends the traffic to the Hub, and the Hub, after realizing that this traffic must reach another Spoke, sends NHRP redirects to both Spokes. When the Spokes receive the redirects, both of them send NHRP resolution requests to figure out the NBMA addresses. The Spoke routers then store a new route in their routing tables (an override, marked with %) so that they can reach each other directly..

The following is how you can see something like that.

[Output]

The ip nhrp redirect command on the Hub and the ip nhrp shortcut command on the Spokes are added to the Phase 2 configuration to achieve this..

R1(config)#interface Tunnel 0
R1(config-if)#ip address 192.168.123.1 255.255.255.0
R1(config-if)#ip nhrp authentication PASSWORD
R1(config-if)#ip nhrp network-id 1
R1(config-if)#ip nhrp redirect
R1(config-if)#tunnel source e0/0
R1(config-if)#tunnel mode gre multipoint

R2(config)#interface Tunnel0
R2(config-if)#ip address 192.168.123.2 255.255.255.0
R2(config-if)#ip nhrp authentication PASSWORD
R2(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R2(config-if)#ip nhrp network-id 1
R2(config-if)#ip nhrp nhs 192.168.123.1
R2(config-if)#ip nhrp shortcut
R2(config-if)#tunnel source e0/0
R2(config-if)#tunnel mode gre multipoint

R3(config)#interface Tunnel0
R3(config-if)#ip address 192.168.123.3 255.255.255.0
R3(config-if)#ip nhrp authentication PASSWORD
R3(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 192.168.123.1
R3(config-if)#ip nhrp shortcut
R3(config-if)#tunnel source e0/0
R3(config-if)#tunnel mode gre multipoint
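As an added example (not part of the original post), the following Python script parses Hub and Spoke tunnel interface configurations like the ones shown for all three Phases, classifies the pair as Phase 1, 2 or 3, and flags the mismatches that stop NHRP registration or Phase 3 shortcuts from working (wrong network-id or authentication string, no static map for the NHS, Hub without mGRE, redirect without shortcut). It only recognises the commands used in this post; the embedded sample strings are constructed from the R1 and R2 Phase 3 configurations above.

```python
import re

# Constructed sample: the NHRP/tunnel-mode lines of the post's R1 (Hub) and R2 (Spoke) Phase 3 configs.
HUB_R1 = """ip address 192.168.123.1 255.255.255.0
 ip nhrp authentication PASSWORD
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel mode gre multipoint"""
SPOKE_R2 = """ip address 192.168.123.2 255.255.255.0
 ip nhrp authentication PASSWORD
 ip nhrp map 192.168.123.1 13.18.12.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.123.1
 ip nhrp shortcut
 tunnel mode gre multipoint"""

# One regex per command we audit; "map" keeps "tunnel-IP NBMA-IP" as one string.
PATTERNS = {"ip": r"ip address (\S+) \S+", "auth": r"ip nhrp authentication (\S+)",
            "netid": r"ip nhrp network-id (\S+)", "nhs": r"ip nhrp nhs (\S+)",
            "map": r"ip nhrp map (\S+ \S+)", "dest": r"tunnel destination (\S+)",
            "flag": r"(?:tunnel mode gre|ip nhrp) (multipoint|redirect|shortcut)"}

def parse_tunnel(cfg):
    """Collect the settings of one tunnel interface; flag commands become keys of their own."""
    t = {}
    for line in (l.strip() for l in cfg.splitlines()):
        for key, pat in PATTERNS.items():
            if m := re.fullmatch(pat, line):
                t[m.group(1) if key == "flag" else key] = m.group(1)
    return t

def audit(hub_cfg, spoke_cfg):
    """Classify a Hub/Spoke pair as DMVPN Phase 1, 2 or 3 and list configuration mismatches."""
    hub, spoke, problems = parse_tunnel(hub_cfg), parse_tunnel(spoke_cfg), []
    if "multipoint" not in hub:
        problems.append("Hub tunnel must be 'tunnel mode gre multipoint'")
    if hub.get("auth") != spoke.get("auth") or hub.get("netid") != spoke.get("netid"):
        problems.append("NHRP authentication string or network-id differs from the Hub")
    hub_map = spoke.get("map", "").split()         # [Hub tunnel IP, Hub NBMA IP] when present
    if spoke.get("nhs") != hub.get("ip") or hub_map[:1] != [hub.get("ip")]:
        problems.append("Spoke needs 'ip nhrp nhs <hub>' and a static 'ip nhrp map <hub> <NBMA>'")
    phase = 2 if "multipoint" in spoke else 1 if "dest" in spoke else None   # mGRE vs p2p GRE
    if phase == 1 and spoke["dest"] not in hub_map[1:]:
        problems.append("Phase 1 tunnel destination must be the Hub's NBMA address")
    redirect, shortcut = "redirect" in hub, "shortcut" in spoke
    if redirect and shortcut and phase == 2:
        phase = 3
    elif redirect != shortcut:
        problems.append("Phase 3 needs 'ip nhrp redirect' on the Hub and 'ip nhrp shortcut' on Spokes")
    return phase, problems
```

Calling audit(HUB_R1, SPOKE_R2) returns (3, []); removing the redirect/shortcut lines yields Phase 2, and swapping the Spoke's mGRE line for a tunnel destination yields Phase 1.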

Using IPSec over DMVPN is discussed in the following post..

IPSec Over DMVPN
