CCIE Ep. 13 CrYpt0*DMVPN.sha

  • Multipoint GRE (mGRE);
    The same as GRE, but a single interface can terminate multiple tunnels.
  • Next Hop Resolution Protocol (NHRP)
    NHRP lets spokes register their public (NBMA) IP address with the Next Hop Server (NHS) and send NHRP resolution requests, so that a dynamic GRE tunnel can be built directly to a remote spoke. Hubs play the server role (NHS) and spokes the client role (NHC).
  • Routing protocols
    To exchange LSAs, network prefixes and/or NLRI over the tunnels.
  • IPsec (optional, but you should use it).
    Protects the data on the transport network.
  • Phase 1
    Spokes build traditional point-to-point GRE tunnels. All traffic must pass through the hub; spoke-to-spoke tunnels are not allowed.
  • Phase 2
    All spokes run multipoint GRE, so spoke-to-spoke tunnels are allowed. When a spoke wants to reach another spoke, it sends an NHRP resolution request to the hub to find the NBMA IP address of the other spoke. Only the hub exchanges routing information with the spokes, so a spoke must learn a route to the remote network, and the next-hop IP of that route has to be the remote spoke.
  • Phase 3
    In this phase the specific route or next-hop IP address no longer matters. Here NHRP sends Redirect messages to both spokes; when the spokes receive the redirect they install a specific entry in the routing table so that they can reach each other directly.

Design consideration

Link State Protocol

Distance vector protocol

Path Vector protocol

Hands-on

! HUB-A
hostname HUB-a
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address 203.0.113.1 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.1.2.1 255.255.255.0
duplex auto
speed auto
media-type rj45
! HUB-b
hostname HUB-b
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address 203.0.113.2 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.1.2.2 255.255.255.0
duplex auto
speed auto
media-type rj45
! SPOKE A
hostname Spoke-A
!
interface Loopback0
ip address 10.100.0.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address 203.0.113.100 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.100.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
! SPOKE B
hostname Spoke-B
!
interface Loopback0
ip address 10.101.0.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address 203.0.113.101 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.101.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
! on All devices
vrf definition DMVPN
!
rd 65001:<nn>
address-family ipv4
exit-address-family
! nn = 1 for Hub A, 2 for Hub B, 100 for Spoke A and 101 for Spoke B
! HUB-A
hostname HUB-a
!
interface Loopback0
vrf forwarding DMVPN
ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
vrf forwarding DMVPN
ip address 203.0.113.1 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.1.2.1 255.255.255.0
duplex auto
speed auto
media-type rj45
! HUB-b
hostname HUB-b
!
interface Loopback0
vrf forwarding DMVPN
ip address 10.1.1.2 255.255.255.255
!
interface GigabitEthernet0/0
vrf forwarding DMVPN
ip address 203.0.113.2 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.1.2.2 255.255.255.0
duplex auto
speed auto
media-type rj45
! SPOKE A
hostname Spoke-A
!
interface Loopback0
vrf forwarding DMVPN
ip address 10.100.0.1 255.255.255.255
!
interface GigabitEthernet0/0
vrf forwarding DMVPN
ip address 203.0.113.100 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.100.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
! SPOKE B
hostname Spoke-B
!
interface Loopback0
vrf forwarding DMVPN
ip address 10.101.0.1 255.255.255.255
!
interface GigabitEthernet0/0
vrf forwarding DMVPN
ip address 203.0.113.101 255.255.255.128
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.101.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
! Hub A
show vrf brief
Name Default RD Protocols Interfaces
DMVPN <65001:1> ipv4 Lo0 Gi0/0
! ICMP test
HUB-a#tclsh
HUB-a(tcl)#foreach device {
+>203.0.113.1
+>203.0.113.2
+>203.0.113.100
+>203.0.113.101
+>} { ping vrf DMVPN $device source g0/0 }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/14 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.2, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/25/38 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.100, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/27/33 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.101, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 19/21/23 ms
HUB-a(tcl)#
HUB A
router bgp 65001
bgp log-neighbor-changes
!
address-family ipv4 vrf DMVPN
network 10.1.1.1 mask 255.255.255.255
neighbor DMVPN peer-group
neighbor DMVPN remote-as 65001
neighbor DMVPN route-reflector-client
neighbor DMVPN next-hop-self
neighbor 203.0.113.100 peer-group DMVPN
neighbor 203.0.113.100 activate
neighbor 203.0.113.101 peer-group DMVPN
neighbor 203.0.113.101 activate
exit-address-family
HUB-a(tcl)#foreach spoke {
+>10.100.0.1
+>10.101.0.1
+>} { ping vrf DMVPN $spoke source g0/0}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/8 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.101.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/9 ms
HUB-a(tcl)#
HUB A BGP table
HUB B
router bgp 65001
bgp log-neighbor-changes
!
address-family ipv4 vrf DMVPN
network 10.1.1.2 mask 255.255.255.255
neighbor DMVPN peer-group
neighbor DMVPN remote-as 65001
neighbor DMVPN route-reflector-client
neighbor DMVPN next-hop-self
neighbor 203.0.113.100 peer-group DMVPN
neighbor 203.0.113.100 activate
neighbor 203.0.113.101 peer-group DMVPN
neighbor 203.0.113.101 activate
exit-address-family
HUB-b#tclsh
HUB-b(tcl)#foreach spoke {
+>10.100.0.1
+>10.101.0.1
+>} { ping vrf DMVPN $spoke source g0/0}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/9 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.101.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.0.113.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/11 ms
HUB-b(tcl)#
HUB B BGP table
Spoke A
router bgp 65001
bgp log-neighbor-changes
!
address-family ipv4 vrf DMVPN
network 10.100.0.1 mask 255.255.255.255
neighbor DMVPN peer-group
neighbor DMVPN remote-as 65001
neighbor 203.0.113.1 peer-group DMVPN
neighbor 203.0.113.1 activate
neighbor 203.0.113.2 peer-group DMVPN
neighbor 203.0.113.2 activate
exit-address-family
SPOKE A BGP table
Spoke B
router bgp 65001
bgp log-neighbor-changes
!
address-family ipv4 vrf DMVPN
network 10.101.0.1 mask 255.255.255.255
neighbor DMVPN peer-group
neighbor DMVPN remote-as 65001
neighbor 203.0.113.1 peer-group DMVPN
neighbor 203.0.113.1 activate
neighbor 203.0.113.2 peer-group DMVPN
neighbor 203.0.113.2 activate
exit-address-family
SPOKE B BGP table
HUB A
interface Tunnel0
ip address 192.0.2.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication P4S$vpn
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 600
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf DMVPN ! Front door VRF
Hub A VPNs
HUB B
interface Tunnel0
ip address 192.0.3.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PAS$vpn
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 600
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf DMVPN ! Front door VRF
Hub B VPNs
SPOKE A
interface Tunnel0
description DMVPN-1
ip address 192.0.2.100 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication P4S$vpn
ip nhrp map multicast 10.1.1.1
ip nhrp map 192.0.2.1 10.1.1.1
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp nhs 192.0.2.1
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf DMVPN
interface Tunnel1
description DMVPN-2
ip address 192.0.3.100 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PAS$vpn
ip nhrp map multicast 10.1.1.2
ip nhrp map 192.0.3.2 10.1.1.2
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 192.0.3.2
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf DMVPN ! Front door VRF
Spoke A VPNs
SPOKE B
interface Tunnel0
description DMVPN-1
ip address 192.0.2.101 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication P4S$vpn
ip nhrp map multicast 10.1.1.1
ip nhrp map 192.0.2.1 10.1.1.1
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp nhs 192.0.2.1
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf DMVPN
interface Tunnel1
description DMVPN-2
ip address 192.0.3.101 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PAS$vpn
ip nhrp map multicast 10.1.1.2
ip nhrp map 192.0.3.2 10.1.1.2
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 192.0.3.2
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf DMVPN ! Front door VRF
Spoke B VPNs
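The two clouds above are told apart only by the NHRP authentication string, the NHRP network-id and the tunnel key, and a spoke tunnel that disagrees with its NHS on any of them simply never registers (note that ip nhrp authentication is a plaintext matching string, not cryptographic protection; that is IPsec's job later on). As an added cross-check that is not part of the original post, the Python below parses a constructed excerpt of the lab's tunnel blocks, with one deliberate tunnel-key mismatch on Spoke A Tunnel1, and reports every spoke tunnel that does not match the hub it names as NHS.

```python
import re
# Constructed excerpt of the lab's tunnel blocks (not a live config). Spoke-A Tunnel1
# deliberately carries tunnel key 100 instead of 101 so the check has something to report.
CONFIGS = {
    "HUB-a": "interface Tunnel0\n ip address 192.0.2.1 255.255.255.0\n"
             " ip nhrp authentication P4S$vpn\n ip nhrp network-id 100\n tunnel key 100\n",
    "HUB-b": "interface Tunnel0\n ip address 192.0.3.2 255.255.255.0\n"
             " ip nhrp authentication PAS$vpn\n ip nhrp network-id 101\n tunnel key 101\n",
    "Spoke-A": "interface Tunnel0\n ip address 192.0.2.100 255.255.255.0\n"
               " ip nhrp authentication P4S$vpn\n ip nhrp network-id 100\n"
               " ip nhrp nhs 192.0.2.1\n tunnel key 100\n"
               "interface Tunnel1\n ip address 192.0.3.100 255.255.255.0\n"
               " ip nhrp authentication PAS$vpn\n ip nhrp network-id 101\n"
               " ip nhrp nhs 192.0.3.2\n tunnel key 100\n",
}

# One regex per parameter that must agree between a spoke tunnel and its NHS hub.
FIELDS = {
    "ip": r"ip address (\S+)",
    "auth": r"ip nhrp authentication (\S+)",
    "network_id": r"ip nhrp network-id (\d+)",
    "key": r"tunnel key (\d+)",
    "nhs": r"ip nhrp nhs (\S+)",
}

def parse_tunnels(config):
    """Return {tunnel_name: {field: value}} for each 'interface TunnelN' block."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)", line.strip())
        if m:
            current = tunnels.setdefault(m.group(1), {})
        elif current is not None:
            for field, pattern in FIELDS.items():
                m = re.search(pattern, line)
                if m:
                    current[field] = m.group(1)
    return tunnels

def check_cloud_consistency(configs):
    """A spoke tunnel must match the hub it names as NHS on auth, network-id and key."""
    parsed = {dev: parse_tunnels(cfg) for dev, cfg in configs.items()}
    by_ip = {p["ip"]: (dev, p) for dev, t in parsed.items() for p in t.values()}
    problems = []
    for dev, tunnels in parsed.items():
        for name, p in tunnels.items():
            hub = by_ip.get(p.get("nhs"))  # None on a hub (no NHS) or for an unknown NHS
            if hub is None:
                if "nhs" in p:
                    problems.append(f"{dev} {name}: NHS {p['nhs']} is not a known tunnel address")
                continue
            for field in ("auth", "network_id", "key"):
                if p.get(field) != hub[1].get(field):
                    problems.append(f"{dev} {name}: {field} {p.get(field)} != {hub[0]} {hub[1].get(field)}")
    return problems
```

Run check_cloud_consistency(CONFIGS) on the sample and the only line reported is the deliberate Tunnel1 key mismatch; feed it the real running configs and an empty list means both clouds are parameter-consistent.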
HUB A 
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface Tunnel0
summary-address 10.1.0.0 255.255.0.0
no next-hop-self
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 10.1.0.0 0.0.255.255
network 192.0.2.1 0.0.0.0
exit-address-family
HUB B
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface Tunnel0
summary-address 10.1.0.0 255.255.0.0
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 10.1.0.0 0.0.255.255
network 192.0.3.2 0.0.0.0
exit-address-family
Spoke A
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface Tunnel0
summary-address 10.100.0.0 255.255.0.0
exit-af-interface
!
af-interface Tunnel1
summary-address 10.100.0.0 255.255.0.0
exit-af-interface
!
af-interface GigabitEthernet0/1
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.100.0.0 0.0.255.255
network 192.0.2.100 0.0.0.0
network 192.0.3.100 0.0.0.0
exit-address-family
Spoke B
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface GigabitEthernet0/1
passive-interface
exit-af-interface
!
af-interface Tunnel1
summary-address 10.101.0.0 255.255.0.0
exit-af-interface
!
af-interface Tunnel0
summary-address 10.101.0.0 255.255.0.0
exit-af-interface
!
topology base
exit-af-topology
network 10.101.0.0 0.0.255.255
network 192.0.2.101 0.0.0.0
network 192.0.3.101 0.0.0.0
exit-address-family
EIGRP NEIGHBORS
EIGRP Topology
EIGRP ROUTES
First trace, NHRP resolution: Spoke — hub — spoke
Second trace, Spoke to spoke
NHRP Entries
HUBs
interface Tunnel0
ip nhrp redirect
!
router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 65001
!
af-interface Tunnel0
summary-address 10.0.0.0 255.0.0.0
exit-af-interface
SPOKES
interface tunnel0
ip nhrp shortcut
interface tunnel1
ip nhrp shortcut
Routes learned by NHRP (code H in the routing table)
Spoke A's client pings Spoke B's client

Protect DMVPN with IPsec

! All routers 
! Phase 1
crypto keyring DMVPN-KEY vrf DMVPN ! FVRF
pre-shared-key address 0.0.0.0 0.0.0.0 key Sec*words
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
! Phase 2
crypto ipsec transform-set TRANS_DMVPN esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC-PROFILE-DMVPN
set transform-set TRANS_DMVPN
!HUBs
interface tunnel0
tunnel protection ipsec profile IPSEC-PROFILE-DMVPN
!SPOKES
interface tunnel0
tunnel protection ipsec profile IPSEC-PROFILE-DMVPN shared
interface tunnel1
tunnel protection ipsec profile IPSEC-PROFILE-DMVPN shared
Spoke-A#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.100.0.1 10.101.0.1 QM_IDLE 1005 ACTIVE
10.101.0.1 10.100.0.1 QM_IDLE 1004 ACTIVE
10.100.0.1 10.1.1.2 QM_IDLE 1002 ACTIVE
10.1.1.2 10.100.0.1 QM_IDLE 1001 ACTIVE
10.1.1.1 10.100.0.1 QM_IDLE 1003 ACTIVE
Spoke-A#show crypto ipsec sa peer 10.1.1.1
interface: Tunnel1
Crypto map tag: IPSEC-PROFILE-DMVPN-head-1, local addr 10.100.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.100.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 245, #pkts encrypt: 245, #pkts digest: 245
#pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.100.0.1, remote crypto endpt.: 10.1.1.1
plaintext mtu 1454, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xB9FC8717(3120334615)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD5467763(3578165091)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: SW:9, sibling_flags 80004040, crypto map: IPSEC-PROFILE-DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4298751/2541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB9FC8717(3120334615)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: SW:10, sibling_flags 80004040, crypto map: IPSEC-PROFILE-DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4298752/2541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
interface: Tunnel0
Crypto map tag: IPSEC-PROFILE-DMVPN-head-1, local addr 10.100.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.100.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 245, #pkts encrypt: 245, #pkts digest: 245
#pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.100.0.1, remote crypto endpt.: 10.1.1.1
plaintext mtu 1454, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xB9FC8717(3120334615)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD5467763(3578165091)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: SW:9, sibling_flags 80004040, crypto map: IPSEC-PROFILE-DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4298751/2541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB9FC8717(3120334615)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: SW:10, sibling_flags 80004040, crypto map: IPSEC-PROFILE-DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4298752/2541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
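The output above proves the SA is up, but the lines worth a second look are the ones that describe how it is protected: PFS (Y/N): N, esp-sha-hmac (HMAC-SHA-1 integrity, where esp-sha256-hmac is also available on the platform), replay detection, and encaps/decaps counters that move in both directions. As an added example that is not from the post, the Python below parses a constructed excerpt in the same shape as show crypto ipsec sa (Tunnel0 mirrors the lab profile; Tunnel5 is an invented, weaker SA to exercise the other branches) and returns the findings per interface.

```python
import re

# Constructed excerpt in the shape of 'show crypto ipsec sa' (not copied from the lab):
# Tunnel0 mirrors the profile above; Tunnel5 is a deliberately weaker SA for contrast.
SAMPLE = """interface: Tunnel0
   current_peer 10.1.1.1 port 500
    #pkts encaps: 245, #pkts encrypt: 245, #pkts digest: 245
    #pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
     PFS (Y/N): N, DH group: none
        transform: esp-256-aes esp-sha-hmac ,
        replay detection support: Y
interface: Tunnel5
   current_peer 10.1.1.9 port 500
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     PFS (Y/N): N, DH group: none
        transform: esp-3des esp-md5-hmac ,
        replay detection support: N
"""

WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
FIELDS = {
    "peer": r"current_peer (\S+)", "pfs": r"PFS \(Y/N\): (\w)",
    "transform": r"transform: (.+?) ,", "replay": r"replay detection support: (\w)",
    "encaps": r"#pkts encaps: (\d+)", "decaps": r"#pkts decaps: (\d+)",
}

def parse_ipsec_sa(text):
    """One dict of audited fields per 'interface:' section of the command output."""
    result = {}
    for sec in re.split(r"^interface: ", text, flags=re.M)[1:]:
        name, body = sec.split("\n", 1)
        found = {k: re.search(p, body) for k, p in FIELDS.items()}
        result[name.strip()] = {k: (m.group(1) if m else None) for k, m in found.items()}
    return result

def audit(text):
    """Return {interface: [findings]}; an empty list means the SA matches the intent."""
    report = {}
    for name, sa in parse_ipsec_sa(text).items():
        f, algs = [], set((sa["transform"] or "").split())
        if algs & WEAK:
            f.append("weak transform: " + " ".join(sorted(algs & WEAK)))
        elif "esp-sha-hmac" in algs:
            f.append("SHA-1 integrity (esp-sha256-hmac is available)")
        if sa["pfs"] != "Y":
            f.append("PFS disabled")
        if sa["replay"] != "Y":
            f.append("replay detection off")
        if sa["encaps"] != "0" and sa["decaps"] == "0":
            f.append("one-way SA: encrypting but nothing decrypted")
        report[name] = f
    return report
```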

Conclusion

  • DMVPN has three phases and relies on several protocols (NHRP, GRE, IPsec, IP and the routing protocols);
  • With an FVRF, the WAN RIB is isolated from the global RIB;
  • The tunnel vrf command "leaks" the tunnel from the FVRF into the global RIB;
  • IPsec was used to protect the tunnel, so the GRE and NHRP traffic is encrypted;
  • Each routing protocol behaves differently on the different DMVPN flavors (phases);

Coffee, Jazz, English learner and a goal to become Network Expert | CC1E 0x00

Rafael Alves
