dmvpn overview and config example
13.12.2019 | by massimiliano
https://www.ingegnerianetworking.com/wp-content/uploads/2019/12/dmvpn-phase1-a59.png
The DMVPN building blocks can be summarised as:
– GRE tunnel protocols (Generic Routing Encapsulation) or mGRE (multipoint GRE)
– Next Hop Resolution Protocol (NHRP)
– a dynamic routing protocol (IGP)
– IPsec encryption
– CEF (Cisco Express Forwarding)
– hub-and-spoke architecture
Cisco DMVPN Hub-and-Spoke Deployment Model: supports dynamic routing, QoS and IP multicast.
Cisco DMVPN Spoke-to-Spoke Deployment Model: dynamically builds IPsec tunnels directly between spokes; with a spoke-to-spoke tunnel, traffic between remote sites no longer has to traverse the hub router, which removes the extra hop's delay and frees hub bandwidth.
Spoke-to-spoke capability is supported in both single-hub and multi-hub environments.
DMVPN hub and spoke with dynamic IP addresses: Phase 1
DMVPN hub and spoke with dynamic IP addresses: Phase 2
CONFIG EXAMPLE
IPsec phase 1 (ISAKMP) and phase 2 parameters. Two things to note about this template: the pre-shared key is a wildcard key (address 0.0.0.0 0.0.0.0, needed because the spokes have dynamic addresses), so every spoke shares the same secret and a compromised spoke discloses the key for the whole cloud; and 3DES, SHA-1 and DH group 2 are legacy choices that a production deployment should replace with AES, SHA-256 and DH group 14 or higher (or IKEv2 with certificates).
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set IPSEC
!
interface tunnel 0
tunnel protection ipsec profile DMVPN
mGRE tunnel + NHRP configuration (hub)
HUB router#
interface loopback 0
ip address 10.10.10.10 255.255.255.255
!
interface tunnel 0
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
no ip redirects
ip nhrp authentication <password>
ip nhrp map multicast dynamic
ip nhrp network-id <network-id>
tunnel source loopback 0 # (or the physical interface)
tunnel mode gre multipoint
tunnel key <tunnel-key>
no ip split-horizon eigrp <as> # (with EIGRP) Phase 1 and Phase 2: the hub must re-advertise spoke prefixes out the same mGRE interface
no ip next-hop-self eigrp <as> # (with EIGRP) Phase 2 only: keeps the originating spoke as next hop so spoke-to-spoke tunnels can form; in Phase 1 the hub must stay the next hop
ip summary-address eigrp <as> 0.0.0.0 0.0.0.0 # (with EIGRP) Phase 1 (and Phase 3), not Phase 2: Phase 2 spokes need the specific prefixes with their original next hop
—
ip ospf network point-to-multipoint # (with OSPF; configure the same network type on the spoke tunnels so that hello/dead timers match)
Dynamic routing configuration
HUB router#
router eigrp <as>
network 192.168.1.0 0.0.0.255
network 10.10.10.10 0.0.0.0
no auto-summary
!
or
router ospf <process-id>
router-id 192.168.1.1
network 192.168.1.0 0.0.0.255 area 0
network 10.10.10.10 0.0.0.0 area 0
SPOKE router#
router eigrp <as>
network 192.168.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
eigrp stub connected
!
or
router ospf <process-id>
router-id 192.168.1.2
network 192.168.1.0 0.0.0.255 area 0
network 1.1.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 tunnel 0
Point-to-point GRE tunnel + NHRP configuration (spoke, Phase 1)
SPOKE1 router#
interface loopback 0
ip address 1.1.1.1 255.255.255.255
!
interface tunnel 0
ip address 192.168.1.2 255.255.255.0
ip mtu 1400
no ip redirects
ip nhrp authentication <password>
ip nhrp map multicast 10.10.10.10 # (hub loopback or physical interface IP)
ip nhrp map 192.168.1.1 10.10.10.10
ip nhrp nhs 10.10.10.10
ip nhrp network-id <network-id>
ip nhrp registration timeout 30
ip nhrp holdtime 60
tunnel source loopback 0 # (or the physical interface)
tunnel destination 10.10.10.10
tunnel key <tunnel-key>
DMVPN also has a Phase 3, which differs from Phase 1 and 2 in these steps:
– NHRP Redirect: a new message sent by the hub router to the spokes so that they can learn the best path directly between spoke and spoke, instead of going through the hub.
– NHRP Shortcut: a new way for the spoke to change or override forwarding information in its CEF table, installing the spoke-to-spoke path learned through the redirect.
The tunnel configuration therefore changes: the hub adds ip nhrp redirect (shown below), and each spoke adds ip nhrp shortcut on a tunnel that is now mGRE (tunnel mode gre multipoint) instead of point-to-point:
interface tunnel 0
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
no ip redirects
ip nhrp authentication <password>
ip nhrp map multicast dynamic
ip nhrp network-id <network-id>
ip nhrp redirect
tunnel source loopback 0 # (oppure la IP interfaccia fisica)
tunnel mode gre multipoint
tunnel key <tunnel-key>
no ip split-horizon eigrp <as>
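As an added example (not code from the original post or from Cisco), the following Python script applies the checks discussed above to a hub/spoke pair: it parses the tunnel interface of each config, flags the legacy crypto choices in the ISAKMP/IPsec template (wildcard PSK, 3DES, DH group 2, SHA-1) and the common set transform-set spelling slip, verifies that network-id, tunnel key and NHRP authentication string match between hub and spoke and that the spoke's static NHRP map agrees with its NHS, and checks the per-phase commands from the EIGRP section (split-horizon, next-hop-self, summary) and the Phase 3 section (redirect/shortcut, mGRE spoke). The sample configs are constructed from the page's Phase 1 template with illustrative values (cisco123, dmvpnpw, network-id and tunnel key 100, EIGRP AS 10) substituted for the placeholders; addresses are the page's. Only the Python standard library is used.

```python
"""Added example: lint a DMVPN hub/spoke pair for the crypto and per-phase pitfalls above.
Sample configs are constructed from the page's Phase 1 template with illustrative placeholder values."""
import re

HUB_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set IPSEC
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication dmvpnpw
 ip nhrp network-id 100
 ip summary-address eigrp 10 0.0.0.0 0.0.0.0
 no ip split-horizon eigrp 10
 no ip next-hop-self eigrp 10
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN
"""
SPOKE_CFG = """\
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication dmvpnpw
 ip nhrp map multicast 10.10.10.10
 ip nhrp map 192.168.1.1 10.10.10.10
 ip nhrp nhs 10.10.10.10
 ip nhrp network-id 100
 tunnel source Loopback0
 tunnel destination 10.10.10.10
 tunnel key 100
"""

def tunnel_block(cfg, name="Tunnel0"):
    # Stripped sub-commands of `interface <name>`; stops at the next top-level command.
    out, inside = [], False
    for raw in cfg.splitlines():
        if raw.startswith(f"interface {name}"):
            inside = True
        elif inside and raw.startswith(" "):
            out.append(raw.strip())
        elif inside:
            break
    return out

def first(block, pat):  # first capture group of `pat` matched at the start of a line, else None
    return next((m.group(1) for m in map(re.compile(pat).match, block) if m), None)

def lint_crypto(cfg):
    """Flag the legacy or risky choices in the ISAKMP/IPsec part of the template."""
    f = []
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", cfg, re.M):
        f.append("wildcard pre-shared key: all peers share one PSK, so one lost spoke exposes every tunnel")
    if re.search(r"\b(encr 3des|esp-3des|encr des|esp-des)\b", cfg):
        f.append("3DES/DES is deprecated; use AES (AES-GCM where the platform supports it)")
    if re.search(r"^ group (1|2|5)$", cfg, re.M):
        f.append("DH group 1/2/5 is too weak; use group 14 or larger")
    if "esp-sha-hmac" in cfg or "esp-md5-hmac" in cfg:
        f.append("SHA-1/MD5 HMAC; prefer esp-sha256-hmac or an AEAD transform")
    sets = set(re.findall(r"^crypto ipsec transform-set (\S+)", cfg, re.M))
    refs = re.findall(r"^ set transform-set (\S+)", cfg, re.M)
    f += [f"profile references undefined transform-set {r}" for r in refs if r not in sets]
    if len(refs) < len(re.findall(r"^crypto ipsec profile ", cfg, re.M)):
        f.append("an IPsec profile sets no transform-set (check the spelling of 'set transform-set')")
    if "tunnel protection ipsec profile" not in cfg:
        f.append("GRE tunnel runs in the clear: no 'tunnel protection ipsec profile'")
    return f

def lint_pair(hub, spoke, phase, eigrp=True):
    """Cross-check hub and spoke Tunnel0 settings against what the given DMVPN phase needs."""
    h, s, f = tunnel_block(hub), tunnel_block(spoke), []
    for key in ("ip nhrp network-id", "tunnel key", "ip nhrp authentication"):
        hv, sv = first(h, key + r" (\S+)"), first(s, key + r" (\S+)")
        if hv is None or hv != sv:
            f.append(f"'{key}' missing or different: hub {hv}, spoke {sv}")
    maps = dict(m.groups() for m in map(re.compile(r"ip nhrp map (?!multicast)(\S+) (\S+)").match, s) if m)
    if maps.get(first(h, r"ip address (\S+)")) != first(s, r"ip nhrp nhs (\S+)"):
        f.append("spoke 'ip nhrp map <hub tunnel ip> <hub NBMA>' does not agree with its 'ip nhrp nhs'")
    if eigrp and not any(l.startswith("no ip split-horizon eigrp") for l in h):
        f.append("hub needs 'no ip split-horizon eigrp' or spoke prefixes are never re-advertised to other spokes")
    if phase >= 2 and "tunnel mode gre multipoint" not in s:
        f.append(f"phase {phase}: spoke tunnel must be mGRE, not a point-to-point 'tunnel destination'")
    if phase == 2:
        if eigrp and not any(l.startswith("no ip next-hop-self eigrp") for l in h):
            f.append("phase 2: hub needs 'no ip next-hop-self eigrp' so spokes learn each other as next hop")
        if any(l.startswith("ip summary-address eigrp") for l in h):
            f.append("phase 2: a hub summary route hides spoke next hops; advertise the specific prefixes")
    if phase == 3:
        if "ip nhrp redirect" not in h:
            f.append("phase 3: hub needs 'ip nhrp redirect'")
        if "ip nhrp shortcut" not in s:
            f.append("phase 3: spoke needs 'ip nhrp shortcut'")
    return f
```

Run lint_pair(HUB_CFG, SPOKE_CFG, 1) and it returns no findings, because the page's template is a consistent Phase 1 pair; ask for phase 2 or 3 against the same pair and it reports exactly what has to change (mGRE spoke, no summary in Phase 2, redirect/shortcut in Phase 3). lint_crypto(HUB_CFG) lists the four legacy choices in the ISAKMP/IPsec template; the same function catches the set tranform-set typo from the original page as a profile with no transform-set. For a real device, paste the output of show running-config in place of the constructed strings.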