CCIE Ep. 13 CrYpt0*DMVPN.sha
Hey there! First of all, I suggest you get a couple of coffees or your favorite tea.
Today I'll share some techniques around Dynamic Multipoint Virtual Private Network (a.k.a. DMVPN).
DMVPN lets us build dynamic and static tunnels between hubs and spokes. Most of the time the hubs are routers at headquarters or in a data center, and the spokes are routers located at branches and remote sites.
The second thing we must keep in mind is that the DMVPN puzzle has several pieces:
- Multipoint GRE (mGRE): the same as GRE, but one interface can terminate multiple tunnels.
- Next Hop Resolution Protocol (NHRP): lets spokes register their public (NBMA) IP address with the NHS and send NHRP resolution requests in order to build a dynamic GRE tunnel to a remote spoke. Hubs play the server role (NHS) and spokes the client role (NHC).
- Routing protocols: to exchange LSAs, network prefixes and/or NLRI.
- IPsec (optional, but you should use it): protects the data on the transport network.
Another piece of DMVPN is its phases:
- Phase 1: spokes build a traditional point-to-point GRE tunnel. All traffic must pass through the hub; spoke-to-spoke tunnels are not allowed.
- Phase 2: all spokes run multipoint GRE, so spoke-to-spoke tunnels are allowed. When a spoke wants to reach another spoke, it sends an NHRP resolution request to the hub to find the NBMA IP address of the other spoke. Only the hub exchanges routing information with the spokes, and each spoke must know a route to the remote network whose next-hop IP is the remote spoke.
- Phase 3: in this phase neither the specific route nor the next-hop IP address matters. Here NHRP sends Redirect messages to both spokes; when a spoke receives a redirect it installs a specific entry in its routing table so that the spokes can reach each other directly.
Design consideration
Many routing protocols are supported in a DMVPN deployment, but link-state, distance-vector and path-vector protocols do not behave the same way.
Link State Protocol
A link-state protocol like OSPF doesn't exchange network/prefix-length pairs. Instead, LSAs are exchanged, and areas are its scalability technique. Keep in mind the worst point when deploying OSPF over DMVPN: both hubs and spokes must stay in the same area.
A flapping network at any spoke means the SPF tree is recomputed.
Another strategy is to put the hubs in the backbone area and the spokes in two small areas, keeping the LSDB small.
Distance vector protocol
No, not RIP. That old protocol has limitations across all of its versions: RIP, RIPv2 and RIPng.
Unlike RIP and the link-state protocols, EIGRP doesn't exchange LSAs and can filter and summarize on any interface, which makes it the preferred protocol whenever possible in a DMVPN deployment.
EIGRP lets us summarize and filter routes (distribute lists, offset lists) wherever it is needed.
Path Vector protocol
BGP is supported for both the underlay and the overlay network, with an internal or external peering approach. With eBGP, each spoke must be manually configured as a neighbor of the hub. With iBGP, dynamic peering can be used.
Hands-on
Topology reference
Base configuration
! HUB-A
hostname HUB-a
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address 203.0.113.1 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.1.2.1 255.255.255.0
duplex auto
speed auto
media-type rj45

! HUB-b
hostname HUB-b
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address 203.0.113.2 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.1.2.2 255.255.255.0
duplex auto
speed auto
media-type rj45

! SPOKE A
hostname Spoke-A
!
interface Loopback0
ip address 10.100.0.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address 203.0.113.100 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.100.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45

! SPOKE B
hostname Spoke-B
!
interface Loopback0
ip address 10.101.0.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address 203.0.113.101 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.101.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
Front door VRF, also called FVRF
To protect the global RIB from routes that could leak in from the public network (ISP), an FVRF is created and applied to the WAN interface and to the loopback that is the tunnel source.
! on All devices
vrf definition DMVPN
!
rd 65001:<nn>
address-family ipv4
exit-address-family
! nn = 1 for HUB-a, 2 for HUB-b, 100 for Spoke-A and 101 for Spoke-B

! HUB-A
hostname HUB-a
!
interface Loopback0
vrf forwarding DMVPN
ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
vrf forwarding DMVPN
ip address 203.0.113.1 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.1.2.1 255.255.255.0
duplex auto
speed auto
media-type rj45

! HUB-b
hostname HUB-b
!
interface Loopback0
vrf forwarding DMVPN
ip address 10.1.1.2 255.255.255.255
!
interface GigabitEthernet0/0
vrf forwarding DMVPN
ip address 203.0.113.2 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.1.2.2 255.255.255.0
duplex auto
speed auto
media-type rj45

! SPOKE A
hostname Spoke-A
!
interface Loopback0
vrf forwarding DMVPN
ip address 10.100.0.1 255.255.255.255
!
interface GigabitEthernet0/0
vrf forwarding DMVPN
ip address 203.0.113.100 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.100.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45

! SPOKE B
hostname Spoke-B
!
interface Loopback0
vrf forwarding DMVPN
ip address 10.101.0.1 255.255.255.255
!
interface GigabitEthernet0/0
vrf forwarding DMVPN
ip address 203.0.113.101 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.101.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
Verification
! Hub A
show vrf brief
Name Default RD Protocols Interfaces
DMVPN <65001:1> ipv4 Lo0 Gi0/0

! ICMP test
HUB-a#tclsh
HUB-a(tcl)#foreach device {
+>203.0.113.1
+>203.0.113.2
+>203.0.113.100
+>203.0.113.101
+>} { ping vrf DMVPN $device source g0/0 }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/14 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.2, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/25/38 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.100, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/27/33 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.101, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 19/21/23 ms
HUB-a(tcl)#
BGP
BGP here is used on our underlay network. The NLRI of the loopbacks will be exchanged between hubs and spokes, and later DMVPN will use those loopback IPs to bring the VPNs up.
HUB A
router bgp 65001
bgp log-neighbor-changes
!
address-family ipv4 vrf DMVPN
network 10.1.1.1 mask 255.255.255.255
neighbor DMVPN peer-group
neighbor DMVPN remote-as 65001
neighbor DMVPN route-reflector-client
neighbor DMVPN next-hop-self
neighbor 203.0.113.100 peer-group DMVPN
neighbor 203.0.113.100 activate
neighbor 203.0.113.101 peer-group DMVPN
neighbor 203.0.113.101 activate
exit-address-family

HUB-a(tcl)#foreach spoke {
+>10.100.0.1
+>10.101.0.1
+>} { ping vrf DMVPN $spoke source g0/0}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/8 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.101.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/9 ms
HUB-a(tcl)#
HUB B
router bgp 65001
bgp log-neighbor-changes
!
address-family ipv4 vrf DMVPN
network 10.1.1.2 mask 255.255.255.255
neighbor DMVPN peer-group
neighbor DMVPN remote-as 65001
neighbor DMVPN route-reflector-client
neighbor DMVPN next-hop-self
neighbor 203.0.113.100 peer-group DMVPN
neighbor 203.0.113.100 activate
neighbor 203.0.113.101 peer-group DMVPN
neighbor 203.0.113.101 activate
exit-address-family

HUB-b#tclsh
HUB-b(tcl)#foreach spoke {
+>10.100.0.1
+>10.101.0.1
+>} { ping vrf DMVPN $spoke source g0/0}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/9 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.101.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/11 ms
HUB-b(tcl)#
Spoke A
router bgp 65001
bgp log-neighbor-changes
!
address-family ipv4 vrf DMVPN
network 10.100.0.1 mask 255.255.255.255
neighbor DMVPN peer-group
neighbor DMVPN remote-as 65001
neighbor 203.0.113.1 peer-group DMVPN
neighbor 203.0.113.1 activate
neighbor 203.0.113.2 peer-group DMVPN
neighbor 203.0.113.2 activate
exit-address-family
Spoke B
router bgp 65001
bgp log-neighbor-changes
!
address-family ipv4 vrf DMVPN
network 10.101.0.1 mask 255.255.255.255
neighbor DMVPN peer-group
neighbor DMVPN remote-as 65001
neighbor 203.0.113.1 peer-group DMVPN
neighbor 203.0.113.1 activate
neighbor 203.0.113.2 peer-group DMVPN
neighbor 203.0.113.2 activate
exit-address-family
DMVPN PHASE 2
In this step, interface Tunnel0 is configured as mGRE together with its NHRP options.
HUB A
interface Tunnel0
ip address 192.0.2.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication P4S$vpn
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 600
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf DMVPN ! Front door VRF
HUB B
interface Tunnel0
ip address 192.0.3.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PAS$vpn
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 600
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf DMVPN ! Front door VRF
SPOKE A
interface Tunnel0
description DMVPN-1
ip address 192.0.2.100 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication P4S$vpn
ip nhrp map multicast 10.1.1.1
ip nhrp map 192.0.2.1 10.1.1.1
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp nhs 192.0.2.1
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf DMVPN
!
interface Tunnel1
description DMVPN-2
ip address 192.0.3.100 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PAS$vpn
ip nhrp map multicast 10.1.1.2
ip nhrp map 192.0.3.2 10.1.1.2
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 192.0.3.2
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf DMVPN ! Front door VRF
SPOKE B
interface Tunnel0
description DMVPN-1
ip address 192.0.2.101 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication P4S$vpn
ip nhrp map multicast 10.1.1.1
ip nhrp map 192.0.2.1 10.1.1.1
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp nhs 192.0.2.1
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf DMVPN
!
interface Tunnel1
description DMVPN-2
ip address 192.0.3.101 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PAS$vpn
ip nhrp map multicast 10.1.1.2
ip nhrp map 192.0.3.2 10.1.1.2
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 192.0.3.2
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf DMVPN ! Front door VRF
Note: in Phase 1 the tunnel is point-to-point GRE with the hub's IP as the destination. Phases 2 and 3 support mGRE.
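Every tunnel in one DMVPN cloud must agree on the NHRP authentication string, the NHRP network-id and the FVRF; a mismatch on a single spoke shows up only as a silent registration failure. The following added example (mine, not part of the original post) parses IOS-style tunnel stanzas, groups them by tunnel key and reports attributes that differ within a cloud. The config snippets are constructed in the shape of the Phase 2 configs above; the Spoke-B one is deliberately mistyped so the check has something to find.

```python
import re
from collections import defaultdict

# Constructed snippets shaped like the page's Phase 2 configs; Spoke-B is deliberately
# mistyped (wrong NHRP string, no 'tunnel vrf') so that check_clouds() reports it.
CONFIGS = {
    "HUB-a": """
interface Tunnel0
 ip nhrp authentication P4S$vpn
 ip nhrp network-id 100
 tunnel key 100
 tunnel vrf DMVPN
""",
    "Spoke-B": """
interface Tunnel0
 ip nhrp authentication PAS$vpn
 ip nhrp network-id 100
 tunnel key 100
""",
}
ATTRS = {
    "auth": re.compile(r"^ ip nhrp authentication (\S+)"),
    "netid": re.compile(r"^ ip nhrp network-id (\d+)"),
    "tkey": re.compile(r"^ tunnel key (\d+)"),
    "vrf": re.compile(r"^ tunnel vrf (\S+)"),
}

def parse_tunnels(config):
    """Return {tunnel-name: {attr: value}} from one device's config text."""
    tunnels, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)", line)
        if m:
            cur = tunnels.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            cur = None  # a non-indented line ends the interface stanza
        elif cur is not None:
            for attr, rx in ATTRS.items():
                m = rx.match(line)
                if m:
                    cur[attr] = m.group(1)
    return tunnels

def check_clouds(configs):
    """Group tunnels by 'tunnel key' (one per cloud); auth, network-id and FVRF must match."""
    clouds = defaultdict(list)
    for dev, cfg in configs.items():
        for name, attrs in parse_tunnels(cfg).items():
            clouds[attrs.get("tkey")].append((f"{dev}:{name}", attrs))
    findings = []
    for tkey, members in clouds.items():
        for attr in ("auth", "netid", "vrf"):
            if len({a.get(attr) for _, a in members}) > 1:
                detail = ", ".join(f"{n}={a.get(attr)}" for n, a in members)
                findings.append(f"tunnel key {tkey}: {attr} mismatch ({detail})")
    return findings
```

Feed it the real running-configs (for example the output of `show running-config | section interface Tunnel` from each router) and it reports the mismatched member by device and interface.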
ROUTING WITH EIGRP
HUB A
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface Tunnel0
summary-address 10.1.0.0 255.255.0.0
no ip next-hop-self
no ip split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 10.1.0.0 0.0.255.255
network 192.0.2.1 0.0.0.0
exit-address-family

HUB B
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface Tunnel0
summary-address 10.1.0.0 255.255.0.0
no ip split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 10.1.0.0 0.0.255.255
network 192.0.3.2 0.0.0.0
exit-address-family
Note: by default, split-horizon and next-hop-self are both enabled.
Spoke A
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface Tunnel0
summary-address 10.100.0.0 255.255.0.0
exit-af-interface
!
af-interface Tunnel1
summary-address 10.100.0.0 255.255.0.0
exit-af-interface
!
af-interface GigabitEthernet0/1
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.100.0.0 0.0.255.255
network 192.0.2.100 0.0.0.0
network 192.0.3.100 0.0.0.0
exit-address-family

Spoke B
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface GigabitEthernet0/1
passive-interface
exit-af-interface
!
af-interface Tunnel1
summary-address 10.101.0.0 255.255.0.0
exit-af-interface
!
af-interface Tunnel0
summary-address 10.101.0.0 255.255.0.0
exit-af-interface
!
topology base
exit-af-topology
network 10.101.0.0 0.0.255.255
network 192.0.2.101 0.0.0.0
network 192.0.3.101 0.0.0.0
exit-address-family
Verifying EIGRP
DMVPN PHASE 3
At this stage NHRP adds a new message, the NHRP Redirect. When a spoke sends an NHRP resolution request, the hub also sends an NHRP redirect. It follows the same idea as an ICMP redirect message.
HUBs
interface Tunnel0
ip nhrp redirect
!
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface Tunnel0
summary-address 10.0.0.0 255.0.0.0
exit-af-interface

SPOKES
interface tunnel0
ip nhrp shortcut
interface tunnel1
ip nhrp shortcut
Disabling split-horizon is not necessary here, because specific entries or routes are no longer required thanks to the NHRP cache. Let's check it all.
Protect DMVPN with IPsec
IPsec has two phases: phase 1 and phase 2.
Phase 1 is the ISAKMP policy, which must match among all routers. Phase 2 is the IPsec profile.
! All routers
! Phase 1
crypto keyring DMVPN-KEY vrf DMVPN ! FVRF
pre-shared-key address 0.0.0.0 0.0.0.0 key Sec*words
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
!
! Phase 2
crypto ipsec transform-set TRANS_DMVPN esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC-PROFILE-DMVPN
set transform-set TRANS_DMVPN

! HUBs
interface tunnel0
tunnel protection ipsec profile IPSEC-PROFILE-DMVPN

! SPOKES
interface tunnel0
tunnel protection ipsec profile IPSEC-PROFILE-DMVPN shared
interface tunnel1
tunnel protection ipsec profile IPSEC-PROFILE-DMVPN shared
IPSEC and ISAKMP Security Association
Spoke-A#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.100.0.1 10.101.0.1 QM_IDLE 1005 ACTIVE
10.101.0.1 10.100.0.1 QM_IDLE 1004 ACTIVE
10.100.0.1 10.1.1.2 QM_IDLE 1002 ACTIVE
10.1.1.2 10.100.0.1 QM_IDLE 1001 ACTIVE
10.1.1.1 10.100.0.1 QM_IDLE 1003 ACTIVE

Spoke-A#show crypto ipsec sa peer 10.1.1.1

interface: Tunnel1
Crypto map tag: IPSEC-PROFILE-DMVPN-head-1, local addr 10.100.0.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.100.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 245, #pkts encrypt: 245, #pkts digest: 245
#pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.100.0.1, remote crypto endpt.: 10.1.1.1
plaintext mtu 1454, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xB9FC8717(3120334615)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD5467763(3578165091)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: SW:9, sibling_flags 80004040, crypto map: IPSEC-PROFILE-DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4298751/2541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB9FC8717(3120334615)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: SW:10, sibling_flags 80004040, crypto map: IPSEC-PROFILE-DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4298752/2541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

interface: Tunnel0
Crypto map tag: IPSEC-PROFILE-DMVPN-head-1, local addr 10.100.0.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.100.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 245, #pkts encrypt: 245, #pkts digest: 245
#pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.100.0.1, remote crypto endpt.: 10.1.1.1
plaintext mtu 1454, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xB9FC8717(3120334615)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD5467763(3578165091)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: SW:9, sibling_flags 80004040, crypto map: IPSEC-PROFILE-DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4298751/2541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB9FC8717(3120334615)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: SW:10, sibling_flags 80004040, crypto map: IPSEC-PROFILE-DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4298752/2541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
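Reading these two show commands by eye does not scale past a handful of spokes. The following added example (mine, not from the original post) parses `show crypto isakmp sa` to list IKE peers that are not in QM_IDLE/ACTIVE, and walks `show crypto ipsec sa` to confirm every ESP SA negotiated the expected transform (esp-256-aes esp-sha-hmac, matching the TRANS_DMVPN transform set above) with anti-replay enabled. The sample output is constructed in the shape of the output above, with one IKE SA deliberately left in MM_NO_STATE.

```python
import re

# Constructed excerpts shaped like the page's 'show crypto isakmp sa' and
# 'show crypto ipsec sa' output; the 10.1.1.2 IKE SA is deliberately broken.
ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.100.0.1      10.101.0.1      QM_IDLE           1005 ACTIVE
10.1.1.1        10.100.0.1      QM_IDLE           1003 ACTIVE
10.1.1.2        10.100.0.1      MM_NO_STATE       1006 ACTIVE (deleted)
"""
IPSEC_SA = """
     inbound esp sas:
      spi: 0xD5467763(3578165091)
        transform: esp-256-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xB9FC8717(3120334615)
        transform: esp-256-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(.*)$")

def isakmp_peers(output, local):
    """Map each remote IKE peer to (state, status) as seen from tunnel source `local`;
    the peer is whichever of dst/src is not our own address."""
    peers = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            dst, src, state, _conn, status = m.groups()
            peers[src if dst == local else dst] = (state, status.strip())
    return peers

def unhealthy_peers(peers):
    """A healthy IKEv1 SA for DMVPN sits in QM_IDLE with status ACTIVE."""
    return sorted(p for p, (state, status) in peers.items()
                  if state != "QM_IDLE" or status != "ACTIVE")

def ipsec_sa_problems(output, allowed=("esp-256-aes esp-sha-hmac",)):
    """Per ESP SA (keyed by SPI) check that the negotiated transform is one we allow
    and that anti-replay is on; returns a list of problems, empty when all is well."""
    problems, spi = [], None
    for raw in output.splitlines():
        s = raw.strip()
        if s.startswith("spi:"):
            spi = s.split()[1].split("(")[0]
        elif s.startswith("transform:"):
            t = s[len("transform:"):].strip(" ,")
            if t not in allowed:
                problems.append(f"{spi}: transform {t!r} not allowed")
        elif s.startswith("replay detection support:") and not s.endswith("Y"):
            problems.append(f"{spi}: anti-replay disabled")
    return problems
```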
Conclusion
- DMVPN has three phases and uses many protocols (NHRP, GRE, IPsec, IP and routing protocols);
- With FVRF, the WAN RIB is isolated from the global RIB;
- The tunnel vrf command "leaks" the route into the global RIB;
- IPsec was used to protect the tunnel, and traffic is encrypted before GRE and NHRP;
- Each routing protocol behaves differently across the DMVPN flavors;
Resources
Go ahead. Keep going #CCIE EI