DMVPN LAB Configuration || DMVPN IPSEC Protection || NHRP|| MGRE

DMVPN LAB

DMVPN HUB And Spoke Configuration

DMVPN technology is wider solution fit for all type network small, medium and enterprise network environment. Even Public Cloud network (Azure, AWS) also support DMVPN with help Cisco CSR1000V.

DMVPN technology introduced by Cisco System which is very scalable and less Router configurations complexity is required in connecting branch offices network to a central HQ Hub site.

If you are new bee in networking and DMVPN is new technology for you, Please refer the link DMVPN HUB and Spoke that cover basic fundamental on DMVPN before proceeding with DMVPN configuration.

The beauty of DMVPN is quick and fast move technology gear where you can quickly built numerous sites under a single umbrella technology without investing extra money and time. Cisco routers is an ideal choice for DMVPN.

In this article we are deploying DMVPN solution on Cisco 3725 Router Version 12.4(15)T14. This Network design have 2 branch sites, One Hub Site and Data Center.

All branch sites having DMVPN connectivity and Data center have dedicated MPLS (Point to Point) link connected to Hub site.


DMVPN Network Design –

The HUB Site Router acts as the DMVPN Hub called it DMVPN Server. Must have static IP address on its WAN interface.

Branch sites (Site-A and Site-B) acts as the Spoke routers called them DMVPN Client. Static or dynamic public IP on it WAN Interface. (Recommend Static).

All Spoke and Hub site have internet connectivity. Since, DMVPN is an internet overlay technology.

Branch sites (Spoke Site) should have a permanent GRE tunnel with the Central site (Hub). IPsec is an optional (IPsec over GRE) in case deployment extra encryption layer.

All tunnels interface must using Multipoint mGRE tunnel mode GRE Multipoint.

Spoke to Spoke sites will establish the tunnel on demand, if they sense traffic between the Spoke sites.


DMVPN Network Connectivity –

  • All spokes and Hub site having internet connection.
  • Data Center have point-to-point MPLS connection to Hub Router.
  • ISP internet routing built on BGP with Spokes and Hub site.
  • All spokes Site and Hub and Data center connectivity having via static routing.
  • DMVPN configuration deployed on Hub Router, Site-A and Site-B.
  • Site connectivity toward Data Center is via Hub site over DMVPN.
  • Site to site connectivity directly over DMVPN.

DMVPN Characteristics-

The main components of DMVPN is a MGRE and NHRP.

MGRE – Multipoint GRE create a multiple dynamic virtual tunnel to establish connection between spoke to spoke sites directly. And mGRE Tunnel Interface is most useful feature of DMVPN is that it provides excellent scalability by reducing the number of tunnel interfaces configured on the hub and spokes.

NHRP – Next Hop Resolution Protocol is work on client/server model where Client (Spoke) dynamically register themselves into NHRP server called DMVPN HUB Router. The NHRP Hub Router maintains a dynamic database with all the Spoke public IP addresses. NHRP provides address resolution in NBMA networks like DMVPN. NHRP work is similar like as ARP provides address resolution in Ethernet. This is how network to allow spoke-to-spoke traffic flows (via NHRP Resolution Requests) or normal hub and spoke communications.

IPsec – IPsec is not mandatory in DMVPN, it’s an optional components which provide extra layer of encryption to data traverse between spoke to spoke sites. Since, DMVPN build on Internet as the underlay network, it might be wise to encrypt the tunnels.


HUB Router Configuration-

Below Configuration of DMVPN Hub Router (HUB) – Here we are configuring first Internet WAN and MPLS Point to Point Internet. Point-to Point connectivity going to Data Center behind sitting to HUB Site.


Basic Interface Configuration –

HUB-Router
!
interface FastEthernet0/0
 description MPLS P2P Link
 ip address 172.16.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN Internet
 ip address 200.100.0.2 255.255.255.252
 duplex auto
 speed auto
!
router bgp 12
 no synchronization
 bgp log-neighbor-changes
 neighbor 200.100.0.1 remote-as 100
 no auto-summary
!
ip forward-protocol nd
ip route 10.1.1.0 255.255.255.0 172.20.1.2
ip route 10.2.2.0 255.255.255.0 172.20.1.3
!

DMVPN Configuration –

Below highlighted configuration of DMVPN Tunnel0 interface including some important configuration like NHRP and MGRE.

HUB-Router
!
interface Tunnel0
 description DMVPN Tunnel-Hub
 ip address 172.20.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication techmusa
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 tunnel source 200.100.0.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile Secure-DMVPN-Tunnel
!

Tunnel 0 is virtual tunnel created for DMVPN connectivity to Spokes site.

ip nhrp map multicast dynamic command get done a static NHRP mapping on the Hub Router that allows it to send all multicast traffic ( Routing protocol OSPF and EIGRP hellos) to all dynamically learned spokes.

ip nhrp network-id 20 command is used specify a unique DMVPN network ID. All DMVPN routers in this same DMVPN network (Hub and Spokes) must have shared the same network-id to create dynamic tunnel between them.

ip nhrp authentication command use to authentication the spoke query with the Hub Router before NHS registration and ensuring to maintain the legitimate NHS database.

tunnel mode gre multipoint command mentioned the interface as a multipoint GRE interface.

tunnel source 200.100.0.2 command mentioned the source of the tunnel interface IP .


Spoke Configuration – Site-A & B

Below Configuration of DMVPN Spoke Router – Here we are configuring first Internet WAN and LAN Interface. And highlighted configuration of DMVPN.


Sita-A
!
interface Loopback0
 description LAN
 ip address 10.1.1.1 255.255.255.0

!
interface FastEthernet0/0
 description WAN Internet
 ip address 50.1.1.2 255.255.255.252
 duplex auto
 speed auto
!
!
interface Tunnel0
 description Site-A-DMVPN Tunnel
 ip address 172.20.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication techmusa
 ip nhrp map multicast dynamic
 ip nhrp map 172.20.1.1 200.100.0.2
 ip nhrp map multicast 200.100.0.2
 ip nhrp network-id 20
 ip nhrp nhs 172.20.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile Secure-DMVPN-Tunnel
!
!
router bgp 10
 no synchronization
 bgp log-neighbor-changes
 network 50.1.1.0
 network 50.1.1.0 mask 255.255.255.0
 neighbor 50.1.1.1 remote-as 100
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.20.1.1
!
!

 

Site-B
!
interface Loopback0
 description LAN
 ip address 10.2.2.1 255.255.255.0
!
interface Tunnel0
 description Site-B-DMVPN Tunnel
 ip address 172.20.1.3 255.255.255.0
 no ip redirects
 ip nhrp authentication techmusa
 ip nhrp map multicast dynamic
 ip nhrp map 172.20.1.1 200.100.0.2
 ip nhrp map multicast 200.100.0.2
 ip nhrp network-id 20
 ip nhrp nhs 172.20.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile Secure-DMVPN-Tunnel
!
interface FastEthernet0/0
 description WAN Internet
 ip address 60.1.1.2 255.255.255.252
 duplex auto
 speed auto
!
router bgp 11
 no synchronization
 bgp log-neighbor-changes
 neighbor 60.1.1.1 remote-as 100
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.20.1.1
!

ip nhrp nhs 172.20.1.1 command show how to reach to the next hop server Next Hop Server (NHS) in the network. In this case I have mentioned HUB Router tunnel0 Interface IP.

ip nhrp map 172.20.1.1 200.100.0.2 command maps the NHS address (172.16.0.1) to the Hub Router public IP address (1.1.1.10).

ip nhrp map multicast 172.20.1.1  use to exchange multicast traffic between spokes to the hub. Multicast traffic only receive from the hub.

tunnel source FastEthernet0/0 command mentioned the source of the tunnel interface. The address of this interface must be advertised in the registration message and it should be reachable via the spokes router.


IPsec Encrypting DMVPN

Now Our DMVPN connectivity has been established and Dynamic GRE tunnel (MGRE) are up and running between Hub and Spokes and Spoke and Spoke directly. But we want to put extra encryption security layer to ensure data confidentiality. Let’s implement IPsec over GRE.


HUB IPSec Configuration

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key techmusa address 50.1.1.2
crypto isakmp key techmusa address 60.1.1.2
!
!
crypto ipsec transform-set techmusa20 esp-3des esp-md5-hmac
!
crypto ipsec profile Secure-DMVPN-Tunnel
 set security-association lifetime seconds 86400
 set transform-set techmusa20

As you can see above its normal IPsec configuration we have applied on Hub router which defined crypto isakmp policy IKE parameter, and crypto IPsec transform-set etc.

But you may notice a command crypto isakmp key techmusa address 50.1.1.2 and 60.1.1.2 mentioned specific static peer address validating isakmp key. If you have dynamic IP addresses assigned on spoke router then 0.0.0.0 0.0.0.0 must be used.


Spoke Router IPsec Configuration.

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key techmusa address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set techmusa20 esp-3des esp-md5-hmac
!
crypto ipsec profile Secure-DMVPN-Tunnel
 set security-association lifetime seconds 86400
 set transform-set techmusa20
!
!

This completes the DMVPN configuration on our central hub and two spoke routers.  It is now time to verify the DMVPNs are working correctly.


HUB DMVPN Verification

HUB#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:2,
 # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
 1 50.1.1.2 172.20.1.2 UP never D
 1 60.1.1.2 172.20.1.3 UP never D

HUB#

HUB#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/29/40 ms
HUB#ping 10.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/30/48 ms
HUB#


HUB#sh crypto ipsec sa
interface: Tunnel0
 Crypto map tag: Tunnel0-head-0, local addr 200.100.0.2
protected vrf: (none)
 local ident (addr/mask/prot/port): (200.100.0.2/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (50.1.1.2/255.255.255.255/47/0)
 current_peer 50.1.1.2 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
 #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 0, #recv errors 0

Site-A and B DMVPN Verification

Site-A#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
 1 200.100.0.2 172.20.1.1 UP 01:12:18 S

Site-A#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/40/60 ms
Site-A#ping 10.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/73/108 ms
Site-A#

Author: Ronnie Singh

4 thoughts on “DMVPN LAB Configuration || DMVPN IPSEC Protection || NHRP|| MGRE

    1. Here…

      HUB IPSec Configuration

      crypto isakmp policy 20
      encr 3des
      hash md5
      authentication pre-share
      group 2
      crypto isakmp key techmusa address 50.1.1.2
      crypto isakmp key techmusa address 60.1.1.2
      !
      !
      crypto ipsec transform-set techmusa20 esp-3des esp-md5-hmac
      !
      crypto ipsec profile Secure-DMVPN-Tunnel
      set security-association lifetime seconds 86400
      set transform-set techmusa20

  1. sory i was meaning the ISP router i mean the bgp relationship between the hub/spoke and the providers router.

    thank you for your reply

Your Feedback is Valuable for us. Pls do comments.