DMVPN Single-Hub Configuration

As I’m currently preparing for the Cisco CCIE R&S Written exam, I’d like to share some information on the subject of DMVPN (Dynamic Multipoint Virtual Private Network), as this is one of the new topics added to the Cisco CCIE R&S blueprint (on the written and lab exams). You only have to know about the single-hub topology, but it’s also not very difficult to do a dual-hub dual-cloud topology.

What is DMVPN?

DMVPN is a VPN that uses dynamic tunnels: on the hub only one tunnel interface is needed to connect all the different spokes (so no more configuring a separate IPSEC tunnel for each site you want to connect). It even forms spoke-to-spoke tunnels on demand, so spoke-to-spoke traffic does not need to traverse the hub. Another advantage, in my opinion, is that it is very easy to set up and a very stable solution.

DMVPN is based on:

  • mGRE (Multipoint Generic Routing Encapsulation)
  • NHRP (Next Hop Resolution Protocol)
  • a Dynamic Routing Protocol (EIGRP, OSPF, BGP)
  • IPSEC (optional)

Configuration example

I’ve created a small topology in GNS3 to provide you with a configuration example and to clarify the configuration process. I’ll provide an explanation of the commands entered. This configuration is based on EIGRP as the dynamic routing protocol and uses IPSEC for encryption.

Topology

DMVPN topology

IPSEC Configuration (for both Hub and Spokes)

Create Crypto Keyring (with pre-shared key)

crypto keyring keyring_cloudfix 
 pre-shared-key address 0.0.0.0 0.0.0.0 key cloudfix

Create ISAKMP Policy

crypto isakmp policy 10
 hash sha512
 authentication pre-share 
 group 16

Create ISAKMP profile

crypto isakmp profile DMVPN_Cloudfix
 keyring keyring_cloudfix
 match identity address 0.0.0.0

Create IPSEC Transform-Set

crypto ipsec transform-set aes-sha512-hmac esp-aes esp-sha512-hmac
 mode transport

Create IPSEC Policy

crypto ipsec profile ipsec_cloudfix
 set transform-set aes-sha512-hmac 
 set isakmp-profile DMVPN_Cloudfix

Hub configuration

Create Tunnel interface for receiving spoke-to-hub tunnels

interface Tunnel0
 ! Assign VPN IP address
 ip address 192.168.254.1 255.255.255.0
 ! Set Maximum Transmission Unit to 1400
 ip mtu 1400
 ! Set TCP Maximum segment size to 1360
 ip tcp adjust-mss 1360
 ! Allow spoke-to-spoke routes (Disable hub as next-hop, DMVPN Phase 2)
 no ip next-hop-self eigrp 10
 ! Allow routing updates to go out same interface to spokes
 no ip split-horizon eigrp 10
 ! Enable NHRP Authentication (has to match between hub and spokes)
 ip nhrp authentication cloudfix
 ! Automatically create NHRP mappings (pseudo-broadcast) for registered NHRP Clients
 ip nhrp map multicast dynamic
 ! Set NHRP Network-id (has to match between hub/spokes)
 ip nhrp network-id 1
 ! Enable NHRP Redirect messages for scalability (DMVPN Phase 3)
 ip nhrp redirect
 ! Set Serial1/0 as tunnel source
 tunnel source Serial1/0
 ! Set tunnel mode to GRE Multi-Point
 tunnel mode gre multipoint
 ! Protect mGRE tunnel by IPSEC
 tunnel protection ipsec profile ipsec_cloudfix

Create EIGRP dynamic routing instance and publish networks

router eigrp 10
 ! Enable EIGRP for local networks
 network 11.11.11.0 0.0.0.255
 ! Enable EIGRP for DMVPN network
 network 192.168.254.0

Spoke configuration

interface Tunnel0
 ! Assign VPN IP-address
 ip address 192.168.254.2 255.255.255.0
 ! Set Maximum Transmission Unit to 1400
 ip mtu 1400
 ! Enable NHRP Authentication
 ip nhrp authentication cloudfix
 ! Statically map VPN IP to NBMA-address for Hub
 ip nhrp map 192.168.254.1 1.1.1.1
 ! Enable pseudo-broadcast for NBMA-address for hub (to allow multicast traffic)
 ip nhrp map multicast 1.1.1.1
 ! Set NHRP Network-ID
 ip nhrp network-id 1
 ! Set Hub as NHRP Next-Hop-Server for NHRP resolving
 ip nhrp nhs 192.168.254.1
 ! Process received NHRP redirect messages (DMVPN Phase 3)
 ip nhrp shortcut
 ! Set Tunnel Source to Serial 1/0
 tunnel source Serial1/0
 ! Set tunnel mode to GRE Multipoint
 tunnel mode gre multipoint
 ! Protect tunnel traffic with IPSEC
 tunnel protection ipsec profile ipsec_cloudfix

Create EIGRP dynamic routing instance

router eigrp 10
 ! Enable EIGRP for local networks
 network 22.22.22.0 0.0.0.255
 ! Enable EIGRP for DMVPN network
 network 192.168.254.0

It’s easy now to configure the other spokes by just copying the IPSEC configuration and spoke configuration into Notepad++ (or another editor) and modifying the IP address, tunnel source (if different) and the published networks.
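The copy-and-modify step above is exactly where object names drift between routers. As an added example (not part of the original post), this Python snippet lints a pasted IOS config for references to keyrings, ISAKMP profiles, transform-sets and IPSEC profiles that are never defined, and lists keyrings whose pre-shared key is accepted from any peer address (`address 0.0.0.0 0.0.0.0`, as in this article) so a reviewer can confirm that is intended. The sample config is constructed from the article’s IPSEC section and deliberately contains one mismatched ISAKMP profile name.

```python
import re

# Constructed sample: the article's crypto objects pasted as written; note the
# ISAKMP profile is defined as "DMPVN_Cloudfix" but referenced as "DMVPN_Cloudfix".
SAMPLE_CONFIG = """\
crypto keyring keyring_cloudfix
 pre-shared-key address 0.0.0.0 0.0.0.0 key cloudfix
crypto isakmp profile DMPVN_Cloudfix
 keyring keyring_cloudfix
 match identity address 0.0.0.0
crypto ipsec transform-set aes-sha512-hmac esp-aes esp-sha512-hmac
 mode transport
crypto ipsec profile ipsec_cloudfix
 set transform-set aes-sha512-hmac
 set isakmp-profile DMVPN_Cloudfix
interface Tunnel0
 tunnel protection ipsec profile ipsec_cloudfix
"""

# (definition regex, reference regex) per crypto object kind. Definitions are
# top-level "crypto ..." lines; references are the indented sub-mode lines.
OBJECTS = {
    "keyring": (r"^crypto keyring (\S+)", r"^ +keyring (\S+)"),
    "isakmp-profile": (r"^crypto isakmp profile (\S+)", r"^ +set isakmp-profile (\S+)"),
    "transform-set": (r"^crypto ipsec transform-set (\S+)", r"^ +set transform-set (\S+)"),
    "ipsec-profile": (r"^crypto ipsec profile (\S+)", r"^ +tunnel protection ipsec profile (\S+)"),
}
WILDCARD_PSK = re.compile(r"^ +pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ")


def dangling_references(config):
    """(kind, name) pairs that are referenced but never defined, sorted per kind."""
    missing = []
    for kind, (def_re, ref_re) in OBJECTS.items():
        defined = set(re.findall(def_re, config, re.M))
        referenced = set(re.findall(ref_re, config, re.M))
        missing += [(kind, name) for name in sorted(referenced - defined)]
    return missing


def wildcard_psk_keyrings(config):
    """Keyrings whose pre-shared key is accepted from any peer address (0.0.0.0/0)."""
    current, found = None, []
    for line in config.splitlines():
        if m := re.match(OBJECTS["keyring"][0], line):
            current = m.group(1)
        elif current and WILDCARD_PSK.match(line):
            found.append(current)
    return found
```

Run it against the full running-config of hub and spokes after pasting; an empty list from `dangling_references` is the expected result.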

Verification

To confirm the above example works as configured, let’s look at the detailed information about the DMVPN connections and check that all spokes are connected to the hub:

HQ-RTR01#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer
 NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
 UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 192.168.254.1, VRF "" 
 Tunnel Src./Dest. addr: 1.1.1.1/MGRE, Tunnel VRF ""
 Protocol/Transport: "multi-GRE/IP", Protect "ipsec_cloudfix" 
 Interface State Control: Disabled
 nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 3

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
 1 2.2.2.2 192.168.254.2 UP 00:08:59 D 192.168.254.2/32
 1 3.3.3.3 192.168.254.3 UP 00:08:54 D 192.168.254.3/32
 1 4.4.4.4 192.168.254.4 UP 00:08:55 D 192.168.254.4/32


Crypto Session Details: 
--------------------------------------------------------------------------------
 
Interface: Tunnel0
Session: [0x68E2A278]
 IKEv1 SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active 
 Capabilities:D connid:1001 lifetime:23:50:57
 Crypto Session Status: UP-ACTIVE 
 fvrf: (none), Phase1_id: 2.2.2.2
 IPSEC FLOW: permit 47 host 1.1.1.1 host 2.2.2.2 
 Active SAs: 6, origin: crypto map
 Inbound: #pkts dec'ed 134 drop 0 life (KB/Sec) 4275914/3062
 Outbound: #pkts enc'ed 134 drop 0 life (KB/Sec) 4275913/3062
 Outbound SPI : 0xB2567ACA, transform : esp-aes esp-sha512-hmac 
 Socket State: Open

Interface: Tunnel0
Session: [0x68E2A088]
 IKEv1 SA: local 1.1.1.1/500 remote 3.3.3.3/500 Active 
 Capabilities:D connid:1003 lifetime:23:51:02
 Crypto Session Status: UP-ACTIVE 
 fvrf: (none), Phase1_id: 3.3.3.3
 IPSEC FLOW: permit 47 host 1.1.1.1 host 3.3.3.3 
 Active SAs: 4, origin: crypto map
 Inbound: #pkts dec'ed 130 drop 0 life (KB/Sec) 4292133/3065
 Outbound: #pkts enc'ed 131 drop 0 life (KB/Sec) 4292132/3065
 Outbound SPI : 0x6565C2E2, transform : esp-aes esp-sha512-hmac 
 Socket State: Open

Interface: Tunnel0
Session: [0x68E2A180]
 IKEv1 SA: local 1.1.1.1/500 remote 4.4.4.4/500 Active 
 Capabilities:D connid:1002 lifetime:23:51:00
 Crypto Session Status: UP-ACTIVE 
 fvrf: (none), Phase1_id: 4.4.4.4
 IPSEC FLOW: permit 47 host 1.1.1.1 host 4.4.4.4 
 Active SAs: 6, origin: crypto map
 Inbound: #pkts dec'ed 131 drop 0 life (KB/Sec) 4305973/3064
 Outbound: #pkts enc'ed 131 drop 0 life (KB/Sec) 4305972/3064
 Outbound SPI : 0x296941FC, transform : esp-aes esp-sha512-hmac 
 Socket State: Open

Pending DMVPN Sessions:

Let’s also look at the NHRP information for the registered spokes, which shows the VPN IP to NBMA address mappings:

HQ-RTR01#show ip nhrp
192.168.254.2/32 via 192.168.254.2
 Tunnel0 created 00:09:09, expire 00:04:00
 Type: dynamic, Flags: unique registered 
 NBMA address: 2.2.2.2 
192.168.254.3/32 via 192.168.254.3
 Tunnel0 created 00:09:04, expire 00:03:54
 Type: dynamic, Flags: unique registered 
 NBMA address: 3.3.3.3 
192.168.254.4/32 via 192.168.254.4
 Tunnel0 created 00:09:05, expire 00:04:01
 Type: dynamic, Flags: unique registered 
 NBMA address: 4.4.4.4 

OK, that looks fine. Now let’s prove that on-demand spoke-to-spoke tunnels are also forming correctly. Let’s ping the loopback address on router SITEC-RTR01 (44.44.44.44) from the loopback address configured on router SITEA-RTR01. See that the DMVPN connection is automatically built and the traceroute shows SITEC-RTR01’s VPN IP address as the only hop (so traffic is not traversing the hub):

SITEA-RTR01#ping 44.44.44.44 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 22.22.22.22 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/131/140 ms
SITEA-RTR01#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer
 NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
 UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
 1 1.1.1.1 192.168.254.1 UP 00:16:21 S
 1 4.4.4.4 192.168.254.4 UP 00:00:08 D

SITEA-RTR01#show ip nhrp
192.168.254.1/32 via 192.168.254.1
 Tunnel0 created 00:16:44, never expire 
 Type: static, Flags: used 
 NBMA address: 1.1.1.1 
192.168.254.4/32 via 192.168.254.4
 Tunnel0 created 00:00:15, expire 00:04:47
 Type: dynamic, Flags: router used 
 NBMA address: 4.4.4.4 
SITEA-RTR01#traceroute 44.44.44.44
Type escape sequence to abort.
Tracing the route to 44.44.44.44
VRF info: (vrf in name/id, vrf out name/id)
 1 192.168.254.4 136 msec 116 msec 156 msec

Everything is working as expected.
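To automate the check just done by eye, here is an added Python example (not from the original post) that parses the peer table of `show dmvpn` / `show dmvpn detail` and compares it with the spoke NBMA addresses you expect: spokes that are missing, peers whose tunnel is not UP, and registrations from NBMA addresses outside your inventory, which is worth watching when the keyring accepts the pre-shared key from any address. The sample table is constructed from the hub output above, with one peer put into NHRP state and one unknown peer added.

```python
import re

# Constructed sample based on the hub's "show dmvpn detail" table above:
# 3.3.3.3 is stuck in NHRP state and 5.5.5.5 is a peer not in our inventory.
SAMPLE_SHOW_DMVPN = """\
Type:Hub, Total NBMA Peers (v4/v6): 4

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
 1 2.2.2.2 192.168.254.2 UP 00:08:59 D 192.168.254.2/32
 1 3.3.3.3 192.168.254.3 NHRP 00:00:12 D 192.168.254.3/32
 1 4.4.4.4 192.168.254.4 UP 00:08:55 D 192.168.254.4/32
 1 5.5.5.5 192.168.254.5 UP 00:00:03 D 192.168.254.5/32
"""

# One peer row: entry count, NBMA address, tunnel address, state, up/down
# time, attribute flags. The Target Network column (hub only) is optional.
PEER_ROW = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<tunnel>\d+\.\d+\.\d+\.\d+)\s+(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>[A-Z]+)")


def parse_peers(output):
    """Return one dict per peer row; legend and header lines never match."""
    return [m.groupdict() for line in output.splitlines() if (m := PEER_ROW.match(line))]


def check_spokes(output, expected_nbma):
    """Compare the registered peers against the spoke NBMA addresses we expect.

    Returns the expected spokes that are absent, peers registered from NBMA
    addresses outside the expected set, and peers whose tunnel state is not UP.
    """
    peers = parse_peers(output)
    seen = {p["nbma"] for p in peers}
    return {
        "missing": sorted(set(expected_nbma) - seen),
        "unexpected": sorted(seen - set(expected_nbma)),
        "not_up": sorted(p["nbma"] for p in peers if p["state"] != "UP"),
    }
```

The same parser works on a spoke’s `show dmvpn` table, where the static hub entry shows Attrb S and on-demand spoke-to-spoke tunnels show D.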

I hope you find this article useful for learning about DMVPN. If you have any questions or want more information about setting up DMVPN, look at the links below and don’t hesitate to contact me.

 

More information about DMVPN:

 

Robert Verdam

Consultant at bConn ICT
My main focus is infrastructure (Storage, Networking and Computing), but I'm also very interested in designing and implementing VDI and Server Based Computing-environments.
