DMVPN (Dynamic Multipoint VPN), introduced by Cisco in late 2000, is a routing technology you can use to build a VPN network with multiple sites (spokes) without having to statically configure all devices. It’s a “hub and spoke” network, where the spokes can communicate with each other directly without having to go through the hub. Encryption is supported through IPsec, which makes DMVPN a popular choice for connecting different sites using regular Internet connections. It’s a great backup or alternative to private networks like MPLS VPN.
- In DMVPN Phase 2, hub and spokes are configured as multipoint GRE and spoke-to-spoke tunnels are created. NHRP is required for spokes to register to the hub, and NHRP is also required for spoke-to-spoke resolution.
- Phase 2: Spoke-to-Spoke tunnels allowed. Branches can talk directly, offloading the Hub. However, routing can become asymmetrical (traffic takes one path there and a different path back), which can cause issues with firewalls.
NHRP (Next Hop Resolution Protocol)
- Think of NHRP as the "DNS for DMVPN."
- When a Spoke boots up, it registers its real public IP address with the Hub using NHRP.
- When Spoke A wants to talk to Spoke B, it asks the Hub, "Who is Spoke B?"
- The Hub responds with Spoke B’s real public IP.
- Spoke A then builds a direct IPsec tunnel to Spoke B
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.8
R1(config)#end
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.8
R2(config)#exit
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.8
R3(config)#end
R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.4.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.8
switch-1(config)#interface range ethernet0/0-3
switch-1(config-if-range)#no switchport
switch-1(config-if-range)#shutdown
switch-1(config-if-range)#exit
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.8
R1(config)#end
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.8
R2(config)#exit
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.8
R3(config)#end
R4(config-if)#ip address 192.168.4.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.8
switch-1(config-if-range)#no switchport
switch-1(config-if-range)#shutdown
switch-1(config-if-range)#exit
switch-1(config)#interface Ethernet0/0
switch-1(config-if)#no shutdown
switch-1(config-if)# ip address 192.168.1.8 255.255.255.0
switch-1(config-if)#exit
switch-1(config)#interface Ethernet0/1
switch-1(config-if)#no shutdown
switch-1(config-if)# ip address 192.168.2.8 255.255.255.0
switch-1(config-if)#exit
switch-1(config)#interface Ethernet0/2
switch-1(config-if)# no switchport
switch-1(config-if)# ip address 192.168.3.8 255.255.255.0
switch-1(config-if)#exit
switch-1(config)#interface Ethernet0/3
switch-1(config-if)# no switchport
switch-1(config-if)# ip address 192.168.4.8 255.255.255.0
switch-1(config-if)#exit
switch-1(config)#interface range ethernet0/0-3
switch-1(config-if-range)#no switchport
switch-1(config-if-range)#no shutdown
switch-1(config-if-range)#exit
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#tunnel source 192.168.1.1
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#ip nhrp network-id 111
R1(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.2.1 10.1.1.2 UP 00:00:27 D
1 192.168.3.1 10.1.1.3 UP 00:00:27 D
1 192.168.4.1 10.1.1.4 UP 00:00:28 D
R2(config-if)#ip address 10.1.1.2 255.255.255.0
R2(config-if)#tunnel source 192.168.2.1
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#ip nhrp network-id 222
R2(config-if)#ip nhrp nhs 10.1.1.1
R2(config-if)#ip nhrp map 10.1.1.1 192.168.1.1
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Intferface Tunnel1 is up/up, Addr. is 10.1.1.2, VRF ""
Tunnel Src./Dest. addr: 192.168.2.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect ""
IPv4 NHS: 10.1.1.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 192.168.1.1 10.1.1.1 UP 00:01:06 S 10.1.1.1/32
R3(config)#interface tunnel 1
R3(config-if)#ip address 10.1.1.3 255.255.255.0
R3(config-if)#tunnel source 192.168.3.1
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#ip nhrp network-id 333
R3(config-if)#ip nhrp nhs 10.1.1.1
R3(config-if)#ip nhrp map 10.1.1.1 192.168.1.1
R3(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R3(config-if)#ip address 10.1.1.3 255.255.255.0
R3(config-if)#tunnel source 192.168.3.1
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#ip nhrp network-id 333
R3(config-if)#ip nhrp nhs 10.1.1.1
R3(config-if)#ip nhrp map 10.1.1.1 192.168.1.1
R3(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R4(config)#interface tunnel 1
R4(config-if)#ip address 10.1.1.4 255.255.255.0
R4(config-if)#tunnel source 192.168.4.1
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#ip nhrp network-id 444
R4(config-if)#ip nhrp nhs 10.1.1.1
R4(config-if)#ip nhrp map 10.1.1.1 192.168.1.1
R4(config-if)#exit
R4(config-if)#ip address 10.1.1.4 255.255.255.0
R4(config-if)#tunnel source 192.168.4.1
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#ip nhrp network-id 444
R4(config-if)#ip nhrp nhs 10.1.1.1
R4(config-if)#ip nhrp map 10.1.1.1 192.168.1.1
R4(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on
Interface Tunnel1, hanged state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
10.1.1.2/32 via 10.1.1.2
Tunnel1 created 00:03:23, expire 01:56:36
Type: dynamic, Flags: unique registered
NBMA address: 192.168.2.1
10.1.1.3/32 via 10.1.1.3
Tunnel1 created 00:03:23, expire 01:56:36
Type: dynamic, Flags: unique registered
NBMA address: 192.168.3.1
10.1.1.4/32 via 10.1.1.4
Tunnel1 created 00:03:24, expire 01:56:35
Type: dynamic, Flags: unique registered
NBMA address: 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/44 ms
R1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/36/48 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/36/48 ms
R1#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/36/48 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/36/48 ms
R1#traceroute 10.1.1.2
Type escape sequence to abort.
Tracing the route to 10.1.1.2
1 10.1.1.2 20 msec 32 msec 28 msec
Type escape sequence to abort.
Tracing the route to 10.1.1.2
1 10.1.1.2 20 msec 32 msec 28 msec
R1#traceroute 10.1.1.2
Type escape sequence to abort.
Tracing the route to 10.1.1.2
1 10.1.1.2 40 msec 28 msec 28 msec
Type escape sequence to abort.
Tracing the route to 10.1.1.2
1 10.1.1.2 40 msec 28 msec 28 msec
R1#traceroute 10.1.1.3
Type escape sequence to abort.
Tracing the route to 10.1.1.3
1 10.1.1.3 44 msec 32 msec 28 msec
Type escape sequence to abort.
Tracing the route to 10.1.1.3
1 10.1.1.3 44 msec 32 msec 28 msec
R1#traceroute 10.1.1.4
Type escape sequence to abort.
Tracing the route to 10.1.1.4
1 10.1.1.4 56 msec 28 msec 28 msec
Type escape sequence to abort.
Tracing the route to 10.1.1.4
1 10.1.1.4 56 msec 28 msec 28 msec
No comments:
Post a Comment