Dynamic Multipoint VPN (DMVPN)
Secure Communications Between Branch Offices

Francisco Antonio: Network System Engineer
Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software solution for building scalable IPsec Virtual Private Networks (VPNs). Cisco DMVPN uses a centralized architecture to provide easier implementation and management for deployments that require granular access controls for diverse user communities, including mobile workers, telecommuters, and extranet users. Cisco DMVPN allows branch locations to communicate directly with each other over the public WAN or Internet, for example when using voice over IP (VoIP) between two branch offices, without requiring a permanent VPN connection between the sites. It enables zero-touch deployment of IPsec VPNs and improves network performance by reducing latency and jitter while optimizing head office bandwidth utilization.
DMVPN is not a protocol; it is the combination of the following technologies:
+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic routing protocol (EIGRP, RIP, OSPF, BGP...) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)
Generic Routing Encapsulation (GRE) Tunnels and their configuration.
A GRE tunnel provides connectivity to a wide variety of network layer protocols by encapsulating those packets and forwarding them over an IP-based network.
GRE tunnels support IPv4 or IPv6 addresses for the overlay as well as for the transport network.
DMVPN uses Multipoint GRE (mGRE) encapsulation and supports dynamic routing protocols, which eliminates many of the support issues associated with other VPN technologies. GRE tunnels are classified as an overlay network because a GRE tunnel is built on top of an existing transport network, also known as the underlay network. Note that GRE by itself provides no confidentiality or integrity: packets cross the transport network in cleartext unless the tunnel is protected with IPsec.
GRE Tunnel Configuration.

GRE Tunnel Topology
Note: The topology of DMVPN is always hub-and-spoke, because all spokes are required to connect to the hub directly.
The GRE configuration step by step:
The configuration on router SP (Service Provider).

Configuring the Interfaces Gi1/0 and Gi2/0

Adding static routes to the SP router.
NOTE: For a reason still to be investigated, it was necessary to add the RIPv2 network statement 172.16.0.0/16 to bring up the tunnel interface on routers R11 and R31. This is consistent with the troubleshooting causes listed later on this page: the line protocol of a GRE tunnel stays down until the router has a valid route to the tunnel destination address.

Routing table output.
The GRE tunnel configuration is added on routers R11 and R31 in the following steps.
Step 1. Create the tunnel interface by using the global configuration command interface tunnel tunnel-number
Example: R11(config)# interface tunnel 100
Step 2. Identify the local source of the tunnel by using the interface parameter command tunnel source {ip-address | interface-id}. The tunnel source interface is the interface whose address is used for encapsulation and decapsulation of the GRE packets. The tunnel source can be a physical interface or a loopback interface. A loopback interface keeps the tunnel reachable if one of several transport interfaces fails.
tunnel source GigabitEthernet1/0
Step 3. Identify the tunnel destination by using the interface parameter command tunnel destination ip-address. The tunnel destination is the remote router's underlay IP address toward which the local router sends GRE packets.
tunnel destination 172.16.31.2
Step 4. Allocate an IP address to the tunnel interface by using the command ip address ip-address subnet-mask.
interface Tunnel100
ip address 192.168.100.11 255.255.255.0
The interface Tunnel configuration (optional commands are explained in the ! comment lines, which IOS ignores):
!
interface Tunnel100
 ! Optional: tunnel bandwidth in kilobits per second, set with bandwidth [1-10000000]
 bandwidth 4000
 ip address 192.168.100.11 255.255.255.0
 ! Optional: IP maximum transmission unit (MTU) of the tunnel interface, set with ip mtu mtu
 ip mtu 1400
 ! Optional: GRE keepalive, set with keepalive [seconds [retries]]; the default is 10 seconds and three retries
 ! (GRE keepalives are only available on point-to-point GRE tunnels, not on mGRE/DMVPN tunnels)
 keepalive 5 3
 tunnel source GigabitEthernet1/0
 tunnel destination 172.16.31.2
!

Interface Tunnel 100 on router R11

Interface Tunnel 100 on router R31
Some commands to help with troubleshooting

sh interfaces tunnel 100

sh ip route

Verification of the path from R11 to R31. Notice that the packets went through Tunnel 100 (next hop 192.168.100.31).
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).
DMVPN was released in three phases, each phase building on the previous one with additional functions. All three phases of DMVPN need only one tunnel interface on a router, and the tunnel (overlay) subnet must be sized to accommodate all endpoints that belong to that DMVPN network. DMVPN spokes can use DHCP or static addressing for the transport and overlay networks. They locate the other spokes' IP addresses (protocol/overlay and NBMA/transport) through NHRP.
Phase 1: Spoke-to-hub - Configuration.
DMVPN Phase 1, the first DMVPN implementation, provides zero-touch deployment for VPN sites. VPN tunnels are created only between spoke and hub sites. Traffic between spokes must traverse the hub to reach any other spoke.
There are two types of DMVPN configuration, hub and spoke, used depending on a router's role. The DMVPN hub is the NHRP next-hop server (NHS), and the DMVPN spoke is the NHRP next-hop client (NHC).
The spokes must be preconfigured with the hub's static NBMA (transport) IP address, but a spoke's own NBMA IP address can be static or assigned by DHCP.
DMVPN Hub Configuration.
The steps for configuring DMVPN on a hub router are as follows:
Step 1. Create a tunnel interface by using the global configuration command interface tunnel tunnel-number.
Router-Hub# config terminal
Router-Hub(config)# interface tunnel 100
Step 2. Identify the local source of the tunnel by using the interface parameter command tunnel source {ip-address | interface-id}. The tunnel source depends on the transport type.
Router-Hub(config-if)# tunnel source GigabitEthernet0/1
Note: QoS problems may occur when a loopback interface is used as the tunnel source.
Step 3. Configure the DMVPN tunnel as an mGRE tunnel by using the interface parameter command tunnel mode gre multipoint.
Router-Hub(config-if)# tunnel mode gre multipoint
Step 4. Allocate an IP address for the DMVPN network (tunnel) by using the command ip address ip-address subnet-mask
Router-Hub(config-if)# ip address 192.168.100.11 255.255.255.0
Step 5. Enable NHRP on the tunnel interface and uniquely identify the DMVPN tunnel for the virtual interface by using the interface parameter command ip nhrp network-id 1-4294967295. The NHRP network ID is locally significant and is used to identify a DMVPN cloud on a router because multiple tunnel interfaces can belong to the same DMVPN cloud.
It is recommended that the NHRP network ID match on all routers participating in the same DMVPN network.
Router-Hub(config-if)# ip nhrp network-id 100
"The optional configuration is not reported here; it can be found on the Cisco website or in any good CCNP book."
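To see the five hub steps above together with the matching spoke side, and to show the same point-to-point GRE steps from the first part of the page in their DMVPN role, here is a complete Phase 1 hub and spoke pair. This is an added example, not configuration taken from the original page, and it makes the following assumptions that the page does not state: the hub's NBMA (transport) address is 172.16.11.2, the spoke's is 172.16.31.2 (the address used in the GRE section), both routers use GigabitEthernet0/1 as the transport interface, and the tunnel is protected with the optional IPsec the page mentions, using IKEv1 with a placeholder pre-shared key. The NHRP authentication string and tunnel key are illustrative values.

```cisco
! === Hub (NHRP next-hop server) ===  added example, not from the original page
! Assumed: NBMA address 172.16.11.2 on GigabitEthernet0/1
!
! Optional IPsec protection (assumed IKEv1 with a pre-shared key)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard PSK so spokes with DHCP-assigned NBMA addresses can authenticate.
! Caveat: anyone holding this key can register as a spoke; prefer per-spoke keys or
! certificate-based IKEv2 in production. The key below is a placeholder.
crypto isakmp key DMVPN-PSK-CHANGE-ME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 ! Transport mode: GRE already provides the outer IP header, so no second tunnel header is needed
 mode transport
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TS
!
interface Tunnel100
 ip address 192.168.100.11 255.255.255.0
 ! 1400 leaves room for the GRE and ESP overhead on a 1500-byte transport MTU
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Step 5: enable NHRP; locally significant, but kept identical on every router in this cloud
 ip nhrp network-id 100
 ! Cleartext NHRP authentication string: only prevents accidental cross-registration
 ! between DMVPN clouds, it is not a security control against an attacker on the WAN
 ip nhrp authentication DMVPN1
 ! Learn spoke NBMA addresses from their registrations and replicate multicast (routing hellos) to them
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/1
 ! Step 3: the hub terminates all spokes on one mGRE interface
 tunnel mode gre multipoint
 ! Must match on hub and spokes; lets a router with several tunnels tell their GRE packets apart
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE
!
! === Spoke R31 (NHRP next-hop client), Phase 1 ===
! Phase 1 spokes use a point-to-point GRE tunnel toward the hub only; spoke-to-spoke
! traffic is forwarded through the hub.
! Repeat the same crypto isakmp policy, crypto isakmp key, transform-set and
! crypto ipsec profile DMVPN-PROFILE lines as on the hub.
!
interface Tunnel100
 ip address 192.168.100.31 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp authentication DMVPN1
 ! Static mapping of the hub's overlay address to its NBMA address (assumed 172.16.11.2)
 ip nhrp map 192.168.100.11 172.16.11.2
 ! Send multicast (routing protocol hellos) to the hub
 ip nhrp map multicast 172.16.11.2
 ! Register with the hub as the NHRP next-hop server
 ip nhrp nhs 192.168.100.11
 tunnel source GigabitEthernet0/1
 ! Point-to-point GRE (the default tunnel mode), so no tunnel mode command is needed
 tunnel destination 172.16.11.2
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE
```

Once both sides are applied, show dmvpn on the hub should list the spoke's NBMA address 172.16.31.2 with tunnel address 192.168.100.31 in state UP; if it stops in the IKE or IPsec state, the pre-shared key or transform set does not match, and if it stops in NHRP, check the spoke's ip nhrp map and ip nhrp nhs lines and the reachability of 172.16.11.2 in the spoke's underlay routing table.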
Viewing DMVPN Tunnel Status
After configuring a DMVPN network, it is good practice to verify that the tunnels have been established and that NHRP is functioning properly.
The command show dmvpn [detail] provides the tunnel interface, tunnel role, tunnel state, and tunnel peers with uptime.
The tunnel states in order of establishment:
INTF: The line protocol of the DMVPN tunnel is down
IKE: DMVPN tunnels configured with IPsec have not yet successfully established an Internet Key Exchange (IKE) session.
IPsec: An IKE session has been established, but an IPsec security association (SA) has not yet been established.
NHRP: The DMVPN spoke router has not yet been successfully registered.
Up: The DMVPN spoke router has registered with the DMVPN hub and received an ACK (positive registration reply) from the hub.
Some circumstances that can cause a GRE tunnel to be in the up/down state are:
a) The tunnel interface is down
b) A valid route to the destination address is missing from the routing table.
c) The tunnel address is routed through the tunnel itself.
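Cause c) is easy to produce by accident when a dynamic routing protocol runs over the tunnel, so here is an added example (not configuration from the original page) showing the mistake on R11 beside the corrected form. It assumes EIGRP AS 100 as the overlay routing protocol (one of the options the page lists), R11's transport subnet 172.16.11.0/24 with the SP router at 172.16.11.1, R31's transport address 172.16.31.2 from the GRE section, and an assumed R11 LAN of 10.11.0.0/16; none of these values are given on the page.

```cisco
! --- R11, misconfigured (added example, not from the original page) ---
! Assumed: the only underlay route toward R31's transport address is a default route to the SP
ip route 0.0.0.0 0.0.0.0 172.16.11.1
!
router eigrp 100
 ! 172.16.0.0/16 covers the transport interfaces, so each router advertises its connected
 ! transport /24 to the other router through the tunnel
 network 172.16.0.0 0.0.255.255
 network 192.168.100.0 0.0.0.255
!
! Result: R11 learns 172.16.31.0/24 via Tunnel100 from R31. That /24 is more specific than the
! default route, so the tunnel destination 172.16.31.2 now resolves through the tunnel itself.
! IOS detects this and shuts the tunnel down (log message %TUN-5-RECURDOWN, "temporarily disabled
! due to recursive routing"), the EIGRP neighbor and the learned /24 disappear, the tunnel comes
! back up, and the cycle repeats: the tunnel flaps. passive-interface alone does not help,
! because EIGRP still advertises the connected prefix of a passive interface.
!
! --- R11, corrected ---
ip route 0.0.0.0 0.0.0.0 172.16.11.1
! Pin the tunnel destination to the underlay with a host route: a /32 wins longest-match
! against anything learned over the tunnel, so the tunnel can never route itself
ip route 172.16.31.2 255.255.255.255 172.16.11.1
!
router eigrp 100
 ! Advertise only overlay and LAN prefixes over the tunnel, never the transport network
 network 192.168.100.0 0.0.0.255
 network 10.11.0.0 0.0.255.255
```

Apply the same correction symmetrically on R31 (host route to 172.16.11.x via its SP next hop, transport network removed from the EIGRP network statements). On a DMVPN hub with many spokes the same rule applies: the transport prefixes must never be reachable through Tunnel100, which is usually ensured by keeping them out of the overlay routing process or filtering them with a distribute-list.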
Viewing the NHRP Cache
The information that NHRP provides is a vital component of DMVPN. A DMVPN router maintains a cache of the NHRP requests that it has received or is processing. The command show ip nhrp [brief] displays the local NHRP cache, which contains the following fields:
The network entry for a host (IPv4 /32 or IPv6 /128) or a network (/xx), and the mapping of the tunnel IP address to the NBMA (transport) IP address.
The interface number, how long the entry has existed, and when it will expire (hours:minutes:seconds).
NHRP Mapping Entries