Advanced DMVPN Deployments
BRKSEC-3006
BRKSEC-3006 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Agenda
DMVPN phases
  Phase 2 and phase 3 comparison
  Shortcut switching
  NHRP forwarding
Designing with DMVPN phase 3
  Basic scalable design – passing the 1,000 nodes barrier with a single hub
  Dual homed scalable design – hub resilience, beyond 1,000 nodes using IP SLA
  Very large scale DMVPN design – limitless aggregation
Deployment tips and tricks
  Using ISAKMP profiles to map users to tunnels
  VRF and DMVPN
Recent DMVPN enhancements
  DMVPN and IPv6
  Per-tunnel QoS
GET vs DMVPN
Session objectives
DMVPN phase 2-3 comparison
Nomenclature – Transport
Figure: the hub (physical address 172.16.254.1, tunnel address 10.0.0.254, network 192.168.254.0/24) and Spoke 1 (192.168.0.0/29) and Spoke 2 (192.168.0.8/29) are joined by DMVPN tunnels across the NBMA network. Labels: Transport Address (the physical address of a node), NBMA Network (the cloud the tunnels cross).
Nomenclature – Overlay
Figure: same topology (hub physical 172.16.254.1 / tunnel 10.0.0.254, Spoke 1 192.168.0.0/29, Spoke 2 192.168.0.8/29). Labels: Tunnel Address (10.0.0.254 on the hub), Overlay network (the tunnel subnet), Overlay/Private Addresses (192.168.254.0/24 behind the hub, 192.168.0.0/29 and 192.168.0.8/29 behind the spokes).
Spoke Registration
Hub Tunnel0 (excerpt):
 ip address 10.0.0.254 255.255.255.0
 ip nhrp network-id 1
Hub: physical 172.16.254.1, tunnel 10.0.0.254, network 192.168.254.0/24
Spoke 1: physical 172.16.1.1, tunnel 10.0.0.1
Spoke 2: physical 172.16.2.1, tunnel 10.0.0.2
Figure: each spoke sends an NHRP Registration Request to the hub.
Hub NHRP table after registration:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
Route exchange
Hub Tunnel0 (excerpt):
 ip nhrp map multicast dynamic
Hub routing table:
 C 10.0.0.0 Tunnel0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Hub NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
Figure: the hub (physical 172.16.254.1, tunnel 10.0.0.254, network 192.168.254.0/24) exchanges Routing Updates with Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1) and Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2).
Hub & Spoke design
Hub routing table:
 C 10.0.0.0 Tunnel0
 C 192.168.254.0 Tunnel0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Hub NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
(Hub: physical 172.16.254.1, tunnel 10.0.0.254, network 192.168.254.0/24)
DMVPN phase 2 shortcuts (1)
Hub routing table:
 C 10.0.0.0 Tunnel0
 C 192.168.254.0/24 Eth0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Hub NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
Figure: Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1) sends an NHRP Resolution Request to the hub (physical 172.16.254.1, tunnel 10.0.0.254) for the address of Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2).
DMVPN phase 2 shortcuts (2)
Hub routing table:
 C 10.0.0.0 Tunnel0
 C 192.168.254.0/24 Eth0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Hub NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
Figure: the hub (physical 172.16.254.1, tunnel 10.0.0.254) answers Spoke 1 (172.16.1.1 / 10.0.0.1) with an NHRP Resolution Reply carrying the mapping for Spoke 2 (172.16.2.1 / 10.0.0.2).
DMVPN phase 2 shortcuts (3)
Hub routing table:
 C 10.0.0.0 Tunnel0
 C 192.168.254.0/24 Eth0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Hub NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
(Hub: physical 172.16.254.1, tunnel 10.0.0.254)
DMVPN phase 3 design style
Hub routing table:
 C 10.0.0.0 Tunnel0
 C 192.168.254.0/24 Eth0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Hub NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
The hub advertises back a summary prefix pointing to the hub.
(Hub: physical 172.16.254.1, tunnel 10.0.0.254)
DMVPN phase 3 shortcuts (1)
Hub routing table:
 C 10.0.0.0 Tunnel0
 C 192.168.254.0/24 Eth0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Hub NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
Figure: Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1) sends a data packet for 192.168.0.9 via the hub (physical 172.16.254.1, tunnel 10.0.0.254); the hub forwards it to Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2) and sends Spoke 1 an NHRP Indirection (192.168.0.9).
DMVPN phase 3 shortcuts (2)
Hub routing table:
 C 10.0.0.0 Tunnel0
 C 192.168.254.0/24 Eth0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Hub NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
Figure: Spoke 1 sends a Resolution Request (192.168.0.9) to the hub (physical 172.16.254.1, tunnel 10.0.0.254); the hub forwards the Resolution Request (192.168.0.9) to Spoke 2; Spoke 2 sends Spoke 1 a Resolution Reply containing:
 192.168.0.8/29
 10.0.0.2
 172.16.2.1
Spoke 1 NHRP table (network 192.168.0.0/29):
 10.0.0.254 172.16.254.1
 10.0.0.2 172.16.2.1
 192.168.0.8/29 172.16.2.1
Spoke 2 NHRP table (network 192.168.0.8/29):
 10.0.0.254 172.16.254.1
 10.0.0.1 172.16.1.1
DMVPN phase 3 shortcuts (3)
Hub routing table:
 C 10.0.0.0 Tunnel0
 C 192.168.254.0/24 Eth0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Hub NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
(Hub: physical 172.16.254.1, tunnel 10.0.0.254)
DMVPN phase 3 data packet forwarding (for your reference)
Route lookup determines the output interface and next-hop
The packet and next-hop are passed to the interface
Assuming the interface is NHRP enabled:
  The destination address is looked up in the NHRP cache
    If found, use the entry to encapsulate
  The next-hop address is looked up in the NHRP cache
    If found, use the entry to encapsulate
  Fallback: send the packet to the configured NHS
    Use the NHS NHRP entry
    Resolve the next-hop address via a resolution-request
DMVPN phase 3 resolution triggers (for your reference)
DMVPN phase 3 resolution forwarding (for your reference)
Look the requested address up in the NHRP cache
  If an authoritative entry is present, answer with the entry
  Otherwise look the address up in the routing table (RIB)
    If the next-hop belongs to the same DMVPN
      i.e. the nhrp network-id of the next-hop is the same as that of the incoming request
      Treat the found next-hop as an NHS
      Forward the resolution-request to the next-hop
    If the next-hop does not belong to the DMVPN
      i.e. the network-id is different or the interface is not NHRP-enabled
      Respond with the full prefix found in the routing table – maybe shorter than /32
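The two "for your reference" procedures above (data packet forwarding, resolution forwarding) are easier to check against each other when run as code. The model below is an added illustration written for this page, not Cisco IOS code; it replays both procedures on the deck's own addresses (hub 10.0.0.254 / 172.16.254.1, spokes 10.0.0.1 and 10.0.0.2, the hub's 192.168.0.0/16 summary). The Node class, its method names, the "Tunnel*" naming test for NHRP-enabled interfaces and the assumption that all tunnels on a node share one nhrp network-id are mine.

```python
"""Model of DMVPN phase 3 data forwarding and NHRP resolution forwarding.
Constructed illustration for this page; not IOS code."""
from ipaddress import ip_address, ip_network


class Node:
    """A DMVPN node: its RIB, its NHRP cache, its NBMA address and its NHS."""

    def __init__(self, name, nbma, routes, nhrp, nhs=None, network_id=1):
        self.name = name
        self.nbma = ip_address(nbma)              # own NBMA (transport) address
        self.network_id = network_id              # nhrp network-id of its Tunnel*
        self.nhs = ip_address(nhs) if nhs else None
        # RIB: (prefix, next hop or None when connected, output interface)
        self.routes = [(ip_network(p), ip_address(nh) if nh else None, ifc)
                       for p, nh, ifc in routes]
        # NHRP cache: prefix -> (NBMA address, authoritative flag)
        self.nhrp = {ip_network(p): (ip_address(a), auth) for p, a, auth in nhrp}

    def route_lookup(self, addr):
        hits = [r for r in self.routes if addr in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def nhrp_lookup(self, addr):
        hits = [(p, e) for p, e in self.nhrp.items() if addr in p]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else None

    def forward_data(self, dst):
        """'Data packet forwarding' slide. Returns (how, where, address_to_resolve)."""
        dst = ip_address(dst)
        route = self.route_lookup(dst)
        if route is None:
            return ("drop", None, None)
        _, next_hop, ifc = route
        if not ifc.startswith("Tunnel"):                  # interface not NHRP enabled
            return ("native", ifc, None)
        hit = self.nhrp_lookup(dst)                        # destination in NHRP cache?
        if hit:
            return ("nbma", str(hit[1][0]), None)
        hit = self.nhrp_lookup(next_hop) if next_hop else None   # next hop in cache?
        if hit:
            return ("nbma", str(hit[1][0]), None)
        nhs = self.nhrp_lookup(self.nhs) if self.nhs else None   # fallback: NHS entry
        if nhs is None:
            return ("drop", None, None)
        return ("nbma", str(nhs[1][0]), str(next_hop))     # ...and resolve the next hop

    def handle_resolution(self, target, req_network_id, nodes):
        """'Resolution forwarding' slide. Returns (prefix, NBMA) for the reply, or None."""
        target = ip_address(target)
        hit = self.nhrp_lookup(target)
        if hit and hit[1][1]:                              # authoritative entry present
            return (str(hit[0]), str(hit[1][0]))
        route = self.route_lookup(target)
        if route is None:
            return None
        prefix, next_hop, ifc = route
        same_dmvpn = (ifc.startswith("Tunnel") and next_hop is not None
                      and self.network_id == req_network_id)
        if same_dmvpn:                                     # treat next hop as NHS, forward
            return nodes[next_hop].handle_resolution(target, req_network_id, nodes)
        return (str(prefix), str(self.nbma))               # full RIB prefix, maybe < /32


def shortcut(spoke, dst, nodes):
    """Spoke reaction to a hub indirection: resolve dst via its NHS, install the
    answer in the NHRP cache, and return the new forwarding decision for dst."""
    answer = nodes[spoke.nhs].handle_resolution(dst, spoke.network_id, nodes)
    if answer:
        prefix, nbma = answer
        spoke.nhrp[ip_network(prefix)] = (ip_address(nbma), False)   # learned entry
    return spoke.forward_data(dst)


def build_lab():
    """The deck's three-router topology, with constructed RIB/NHRP tables."""
    hub = Node("hub", "172.16.254.1",
               routes=[("10.0.0.0/24", None, "Tunnel0"),
                       ("192.168.254.0/24", None, "Eth0"),
                       ("192.168.0.0/29", "10.0.0.1", "Tunnel0"),
                       ("192.168.0.8/29", "10.0.0.2", "Tunnel0")],
               nhrp=[("10.0.0.1/32", "172.16.1.1", True),        # registrations
                     ("10.0.0.2/32", "172.16.2.1", True)])
    spokes = {}
    for n, lan in ((1, "192.168.0.0/29"), (2, "192.168.0.8/29")):
        spokes[n] = Node(f"spoke{n}", f"172.16.{n}.1",
                         routes=[("10.0.0.0/24", None, "Tunnel0"),
                                 (lan, None, "Eth0"),
                                 ("192.168.0.0/16", "10.0.0.254", "Tunnel0")],  # hub summary
                         nhrp=[("10.0.0.254/32", "172.16.254.1", True)],        # static NHS map
                         nhs="10.0.0.254")
    nodes = {ip_address("10.0.0.254"): hub,
             ip_address("10.0.0.1"): spokes[1],
             ip_address("10.0.0.2"): spokes[2]}
    return hub, spokes[1], spokes[2], nodes
```

Running `build_lab()` and then `spoke1.forward_data("192.168.0.9")` gives the hub's NBMA address (the summary route's next hop is in the cache); after `shortcut(spoke1, "192.168.0.9", nodes)` the hub forwards the request to spoke 2, spoke 2 answers with the full prefix 192.168.0.8/29 and its own NBMA address, and the same lookup now returns 172.16.2.1 directly. A phase 2 style spoke with a route whose next hop is not yet in the cache falls through to the NHS entry and asks to resolve that next hop.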
Phase 3: platform support summary
Cisco IOS code and platform support
IOS code:
  Phase 1 & 2: 12.3(17), 12.3(14)T6, 12.4(7), 12.4(4)T
  Phase 1, 2 & 3: 12.4(6)T
Platforms:
  6500/7600 (12.2(18)SXF4) with VPN-SPA + sup720: no Phase 3 capability yet
  7301, 7204/6, 38xx, 37xx, 36xx, 28xx, 26xx, 18xx, 17xx, 87x, 83x: Phase 1, 2 & 3
Dual homed spokes scalable design using IP SLA
IP SLA and reliable static routing
IP SLA is an IOS feature to monitor service levels
  Probes are sent to measure network performance
    Availability, delay, jitter,…
  Probes can be ICMP, UDP,…
Tracking objects report the status of SLA probes
  The object status goes up or down as the SLA monitor hits its triggers
Routes can be injected based on the tracking object
  Routes are injected when the tracked object is up
Dual homed DMVPN spokes
Figure: a single DMVPN with dual hubs; a single mGRE tunnel on all nodes.
  Hub2: physical 172.17.0.5, Tunnel0 10.0.0.2 (.2 on 192.168.0.0/24)
  Hub1: physical 172.17.0.1, Tunnel0 10.0.0.1 (.1 on 192.168.0.0/24)
  Spoke A: physical (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.0/24 (.1), PC at .25
  Spoke B: physical (dynamic), Tunnel0 10.0.0.12, LAN 192.168.2.0/24 (.1), Web server at .37
  Dotted lines = dynamic and temporary spoke-to-spoke IPsec tunnels
Dual homed DMVPN spokes – Hub1
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0        ! common subnet
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp redirect                         ! activate redirection
 ip nhrp network-id 1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
router rip
 network 10.0.0.0
 passive-interface default                ! make RIP passive
!
ip sla responder udp-echo ipaddress 10.0.0.1 port 2000   ! make the hub an SLA responder
Dual homed DMVPN spokes – Hub2
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0        ! common subnet
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp redirect                         ! activate redirection
 ip nhrp network-id 1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
router rip
 network 10.0.0.0
 passive-interface default                ! make RIP passive
Dual homed DMVPN spokes – Spokes, part 1
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.<x> 255.255.255.0      ! <x> = 11,12,…
 ip mtu 1400
 ip nhrp map multicast 172.17.0.1         ! Hub1 NHRP mappings
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.5         ! Hub2 NHRP mappings
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp network-id 1
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
Dual homed DMVPN spokes – Spokes, part 2
ip sla 1
 udp-echo 10.0.0.1 2000 control disable   ! poll 10.0.0.1 on UDP port 2000
 timeout 1000                             ! timeout: 1 second
 frequency 1                              ! poll every second
 threshold 21000                          ! fail after 21 seconds
ip sla schedule 1 life forever start-time now
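To see how the probe, the tracking object and the reliable static route of the "IP SLA and reliable static routing" slide fit together with the spoke's ip sla 1 configuration above, here is a small simulation. It is an added example for this page, not Cisco code, and it simplifies IOS: one udp-echo probe per second (frequency 1, timeout 1000), the track object goes down once probe failures have accumulated for 21 seconds (the slide's "fail after 21 seconds"), and comes back on the first answered probe. The two static routes (192.168.0.0/16 via hub1 10.0.0.1 tracked, a floating copy via hub2 10.0.0.2 with a higher distance) and the probe results are constructed.

```python
"""Simulation of udp-echo probe -> tracking object -> reliable static route.
Constructed illustration for this page; not IOS code."""
from dataclasses import dataclass
from typing import Optional

FREQUENCY_S = 1          # ip sla: frequency 1
TIMEOUT_MS = 1000        # ip sla: timeout 1000
FAIL_AFTER_S = 21        # slide: "fail after 21 seconds"


@dataclass
class Track:
    """Tracking object fed by the udp-echo probe (simplified semantics)."""
    fail_after_s: int = FAIL_AFTER_S
    failed_s: int = 0
    up: bool = True

    def observe(self, rtt_ms: Optional[int]) -> bool:
        """Feed one probe result: round-trip time in ms, or None for no answer."""
        if rtt_ms is None or rtt_ms > TIMEOUT_MS:
            self.failed_s += FREQUENCY_S
            if self.failed_s >= self.fail_after_s:
                self.up = False
        else:
            self.failed_s = 0
            self.up = True
        return self.up


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int                    # administrative distance
    track: Optional[Track] = None    # set when the route depends on a track object

    def installed(self) -> bool:
        return self.track is None or self.track.up


def best_next_hop(routes, prefix):
    """Lowest-distance installed route for the prefix, or None."""
    cands = [r for r in routes if r.prefix == prefix and r.installed()]
    return min(cands, key=lambda r: r.distance).next_hop if cands else None


def simulate(probe_results):
    """Replay one probe result per second; return the (second, next_hop) changes."""
    track = Track()
    routes = [StaticRoute("192.168.0.0/16", "10.0.0.1", 1, track),   # via hub1, tracked
              StaticRoute("192.168.0.0/16", "10.0.0.2", 10)]         # floating, via hub2
    history, current = [], None
    for second, rtt in enumerate(probe_results):
        track.observe(rtt)
        nh = best_next_hop(routes, "192.168.0.0/16")
        if nh != current:
            history.append((second, nh))
            current = nh
    return history


def constructed_probes():
    """30 s of answers, 25 s of silence from hub1, then 10 s of answers."""
    return [12] * 30 + [None] * 25 + [15] * 10
```

`simulate(constructed_probes())` shows the route via hub1 installed at second 0, the floating route via hub2 taking over at second 50 (21 seconds after the first lost probe) and hub1 back at second 55; a burst of fewer than 21 lost probes never flips the route, which is what the threshold buys against transient loss.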
Large scale DMVPN hub & spoke
Overall solution
Figure: HQ network, aggregation router, hubs, spokes.
High level description
Spokes believe there is a single hub
  The NHRP map points to the Load Balancer's Virtual IP Address
  The Load Balancer is configured in forwarding mode (no NAT)
All the hubs have the same DMVPN configuration
  Same Tunnel interface address
  Same Loopback address (equal to the VIP)
All the spokes have the same DMVPN configuration
  Same hub NBMA address
  Same NHS
The Load Balancer in general
The Load Balancer owns a Virtual IP Address (VIP)
When IKE or ESP packets are targeted at the VIP, the LB chooses a hub
The hub choice is policy (predictor) based:
  weighted round-robin
  least-connections
  …
Once a hub is chosen for a "tunnel", all its packets go to the same hub
  stickiness
Once a decision is made for IKE, the same is made for ESP
  buddying
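The predictor, stickiness and buddying rules above are small enough to model end to end. The following is an added example for this page, not IOS SLB code: a VIP, a pluggable predictor (a smooth weighted round-robin and a least-connections variant), a sticky table keyed by the spoke's source address so that every packet of a "tunnel" keeps its hub, and buddying, so the ESP flow follows whatever the IKE (UDP/500) decision was. The hub addresses (10.1.0.2, 10.1.0.3, weights) and the packet sequence are constructed.

```python
"""Model of VIP dispatch with predictor, stickiness and IKE/ESP buddying.
Constructed illustration for this page; not IOS SLB code."""

IKE_PORT = 500     # IKE/ISAKMP runs over UDP port 500
ESP_PROTO = "esp"  # ESP is IP protocol 50, carried with no port


class WeightedRoundRobin:
    """Smooth weighted round-robin over the real servers (hubs)."""
    def __init__(self, weights):             # {hub_address: weight}
        self.weights = weights
        self.credit = {hub: 0 for hub in weights}

    def pick(self):
        for hub, w in self.weights.items():
            self.credit[hub] += w
        best = max(self.credit, key=self.credit.get)
        self.credit[best] -= sum(self.weights.values())
        return best


class LeastConnections:
    """Pick the hub currently holding the fewest sticky sessions."""
    def __init__(self, hubs):
        self.sessions = {hub: 0 for hub in hubs}

    def pick(self):
        best = min(self.sessions, key=self.sessions.get)
        self.sessions[best] += 1
        return best


class Balancer:
    """Forwarding-mode load balancer (no NAT): it only chooses the hub."""
    def __init__(self, vip, predictor):
        self.vip = vip
        self.predictor = predictor
        self.sticky = {}      # spoke NBMA address -> hub chosen for its IKE session

    def dispatch(self, pkt):
        """pkt: {'src', 'dst', 'proto', 'dport'}. Returns the hub address, or None."""
        if pkt["dst"] != self.vip:
            return None                          # not for the VIP: routed normally
        src = pkt["src"]
        if src in self.sticky:                   # stickiness; ESP buddies to the IKE choice
            return self.sticky[src]
        if pkt["proto"] == "udp" and pkt["dport"] == IKE_PORT:
            hub = self.predictor.pick()          # new IKE session: ask the predictor
            self.sticky[src] = hub
            return hub
        return None                              # ESP with no prior IKE decision


def replay(balancer, packets):
    return [balancer.dispatch(p) for p in packets]


def constructed_packets():
    """Two spokes bringing up IKE then ESP, plus a stray ESP with no IKE."""
    vip = "172.17.0.1"

    def ike(src):
        return {"src": src, "dst": vip, "proto": "udp", "dport": IKE_PORT}

    def esp(src):
        return {"src": src, "dst": vip, "proto": ESP_PROTO, "dport": None}

    return [ike("172.16.1.1"), esp("172.16.1.1"), ike("172.16.2.1"),
            esp("172.16.2.1"), esp("172.16.1.1"), esp("172.16.9.9")]
```

With two equally weighted hubs, `replay(Balancer("172.17.0.1", WeightedRoundRobin({"10.1.0.2": 1, "10.1.0.3": 1})), constructed_packets())` sends spoke 172.16.1.1 (IKE and both ESP packets) to 10.1.0.2 and spoke 172.16.2.1 to 10.1.0.3; the stray ESP from 172.16.9.9 gets no hub because no IKE decision exists to buddy it to. Giving 10.1.0.3 a weight of 4, as on the cluster definition slide, makes it win four of every five new sessions.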
Topology and addresses
Figure:
  HQ edge router: .1 on 10.1.2.0/24 and 10.1.1.0/24
  Hubs: .2 and .3 on 10.1.1.0/24 and on 10.1.0.0/24; each hub has Loopback 172.17.0.1 and Tunnel0 10.0.255.254/16
  Load Balancer: .1 on 10.1.0.0/24, VIP 172.17.0.1 (no tunnel)
  Spoke A: physical (dynamic) 172.16.1.1, Tunnel0 10.0.0.1, LAN 192.168.1.1/29
  Spoke B: physical (dynamic) 172.16.2.1, Tunnel0 10.0.0.2, LAN 192.168.2.1/29
  Supernet: 192.168.0.0/16
Load Balancer
We will use IOS SLB
  IOS SLB runs on the c7200 or the Catalyst 6500
  As of today, opt for the 12.2S or 12.1E releases
The LB must be able to do layer 3 and 4 load balancing; upper layers are useless (encrypted)
  Content Switching Module 3.1 or above will work too, but we do not need most of its features (layer 5+)
  ACE is ok, but NAT-T needs to be disabled
  Any SLB will do…
IOS SLB performance
IOS SLB cluster definition (for your reference; excerpt)
 real 10.1.0.3
  weight 4
  inservice
IOS SLB VIP definition (for your reference)
Monitoring and managing (for your reference)
SLB-7200#sh ip slb connections
Hub tunnel configuration
interface Loopback0
 ip address 172.17.0.1 255.255.255.255   ! mask is /32; must be the same on all hubs
interface Tunnel0
 bandwidth 10000
 ip address 10.0.255.254 255.255.0.0     ! must be the same on all hubs; the mask allows 2^16-2 nodes
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 1                    ! must be the same on all hubs
 ip nhrp holdtime 3600
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel protection ipsec profile tp
 cdp enable
end
interface FastEthernet0/0
 ip address 10.1.0.{2,3} 255.255.255.0   ! physical interface ip addresses are unique on each hub
interface FastEthernet0/1
 ip address 10.1.1.{2,3} 255.255.255.0
Spoke tunnel configuration
Remember… all the spokes have the same configuration
Current status – tunnel setup
Spoke routing configuration
interface Tunnel0
 cdp enable                                  ! activate ODR over the tunnel
ip route 0.0.0.0 0.0.0.0 Dialer0             ! tunnel packets go out the physical interface
ip route 192.168.0.0 255.255.0.0 10.0.0.1    ! private traffic (summary)
ip route 10.0.0.0 255.0.0.0 10.0.0.1         ! Tunnel 0 addresses
(Spoke A: physical (dynamic) 172.16.1.1, Tunnel0 10.0.0.11, LAN 192.168.1.1/29)
Hub routing protocol configuration
• Only allow private networks in the routing table
• Prevents recursive routing
interface Tunnel0
 cdp enable                      ! activate ODR over the tunnel
router odr
 distribute-list 1 in            ! keep tunnel packets on the physical path (no recursive routing)
access-list 1 permit 192.168.0.0 0.0.255.255
router bgp 1
 redistribute odr                ! redistribute ODR into BGP
 neighbor 10.1.1.1 remote-as 1   ! send information to the aggregation router
 neighbor 10.1.1.1 next-hop-self
HQ edge BGP configuration (for your reference)
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 aggregate-address 192.168.0.0 255.0.0.0 summary-only
 neighbor HUB peer-group
 neighbor HUB remote-as 1
 neighbor 10.1.1.2 peer-group HUB
 neighbor 10.1.1.3 peer-group HUB
 neighbor <other hubs> peer-group HUB
 no auto-summary
(Figure: HQ network, aggregation router)
Edge router OSPF configuration (for your reference)
OSPF attracts traffic from the HQ network toward the DMVPN
A floating static route to Null0 discards packets to unconnected spokes
router ospf 1
 redistribute static
 network 10.1.2.0 0.0.0.255 area 1
(Figure: HQ network 10.0.0.0/8 runs OSPF; the 10.1.2.0/24 segment is in area 1)
Routing protocols – route propagation (spoke aggregation)
HQ network routing table:
 B 192.168.0.0/29 10.1.1.2
 B 192.168.0.8/29 10.1.1.3
 B 192.168.0.16/29 10.1.1.2
 B 192.168.0.24/29 10.1.1.3
Hub&Spoke packet flow
HQ network routing table:
 B 192.168.0.0/29 10.1.1.2
 B 192.168.8.0/29 10.1.1.3
 B 192.168.16.0/29 10.1.1.2
 B 192.168.24.0/29 10.1.1.3
Large scale DMVPN spoke – spoke
Shortcut switching
Spoke configurations get a single extra line:
interface Tunnel0
 ip nhrp shortcut   ! that's it!!
Hubs get an extra line:
interface Tunnel0
 ip nhrp redirect   ! that's it!!
Spokes on a given hub will create direct tunnels
Spokes on different hubs will NOT create tunnels
Basic spoke-spoke packet flow
HQ network routing table:
 B 192.168.0.0/29 10.1.1.2
 B 192.168.8.0/29 10.1.1.3
 B 192.168.16.0/29 10.1.1.2
 B 192.168.24.0/29 10.1.1.3
Cross-hub spoke-spoke tunnels
Linking the hubs
interface Tunnel1
 ip address 10.1.3.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp network-id 1              ! same network ID as Tunnel0 !!
 ip nhrp redirect                  ! send indirection notifications
 ip nhrp map 10.1.3.3 10.1.0.3
 tunnel source FastEthernet0/1
end
(Figure: edge router .1 on 10.1.2.0/24; hubs .2 and .3 on 10.1.1.0/24)
Routing across hubs
(Figure: edge router .1 on 10.1.2.0/24; hubs .2 and .3 on 10.1.1.0/24)
Hub&Spoke packet flow
HQ network routing table:
 B 192.168.0.0/29 10.1.1.2
 B 192.168.8.0/29 10.1.1.3
 B 192.168.16.0/29 10.1.1.2
 B 192.168.24.0/29 10.1.1.3
Hub .2 routing table:
 o 192.168.0.0/29 10.0.0.1
 o 192.168.16.0/29 10.0.0.3
 B 192.168.8.0/29 10.1.3.3
 B 192.168.24.0/29 10.1.3.3
 B 192.168.0.0 10.1.1.1
 B 10.0.0.0 10.1.1.1
Hub .3 routing table:
 o 192.168.8.0/29 10.0.0.2
 o 192.168.24.0/29 10.0.0.4
 B 192.168.0.0/29 10.1.3.2
 B 192.168.16.0/29 10.1.3.2
 B 192.168.0.0/16 10.1.1.1
 B 10.0.0.0 10.1.1.1
Hub .2 NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.3 172.16.3.1
Hub .3 NHRP table:
 10.0.0.2 172.16.2.1
 10.0.0.4 172.16.4.1
Figure: the hub sends an NHRP redirect toward the originating spoke.
Hub&Spoke packet flow (continued)
HQ network, hub .2 and hub .3 routing tables and hub NHRP tables as on the previous slide.
Figure: after the redirect, the spoke sends a resolution request toward its hub.
Hub&Spoke packet flow (continued)
HQ network, hub .2 and hub .3 routing tables and hub NHRP tables as on the previous slides.
Figure: the resolution request is forwarded through the hubs; the spoke NHRP tables below show the result.
Spokes: physical 172.16.1.1, 172.16.2.1, 172.16.3.1, 172.16.4.1; tunnel 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4
Spoke 1 NHRP table:
 10.0.255.254 172.16.0.1
 192.168.24.0/29 172.16.4.1
 10.0.0.4 172.16.4.1
Spoke 4 NHRP table:
 10.0.255.254 172.16.0.1
 10.0.0.1 172.16.1.1
 192.168.1.0/29 172.16.1.1
Adding hubs
Linking the hubs – option 1
interface Tunnel1
 ip address 10.1.3.2 255.255.255.0
 . . .
 ip nhrp map 10.1.3.3 10.1.0.3   ! create a manual full mesh
 ip nhrp map 10.1.3.4 10.1.0.4
 ip nhrp map 10.1.3.5 10.1.0.5   ! do the same with BGP…
 . . .
end
(Figure: edge router .1 on 10.1.2.0/24; hubs .2, .3, .4 and .5 on 10.1.1.0/24)
Linking the hubs – option 2
interface Tunnel1
 ip address 10.1.3.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp redirect
 ip nhrp map 10.1.3.1 10.1.0.1   ! use the edge router as NHRP hub
 ip nhrp nhs 10.1.3.1
end
Use the edge as a route reflector (RR)
(Figure: edge router .1 on 10.1.2.0/24 with Tunnel1 10.1.3.1/24; hubs .2, .3, .4 and .5 on 10.1.1.0/24)
Large scale design summary
Virtually limitless scaling with automatic load management
  Load balancing AND resilience
  Multiply performance by the number of hubs
    Tunnel creation rate, speed, max SAs
  Resilience in N+1
No need to touch the hubs while adding a spoke
  All spokes have the same configuration
New hubs can be added/removed on the fly
  BGP needs to be told about the new hub
  EIGRP may be used instead of BGP: fully automatic
Virtual Routing & Forwarding (VRF)
A very short VRF refresher
Router without VRF
Figure: the router's stack (Layer 4, Layer 3 helpers, Layer 3, Layer 2) with Loopback and Tunnel interfaces.
Forwarding without encapsulation
Figure: the packet enters at Layer 2, is routed at Layer 3 and leaves at Layer 2.
Forwarding with encapsulation
Figure: the packet is routed at Layer 3, encapsulated by the Layer 3 helpers (tunnel) and routed again before leaving at Layer 2.
Add VRFs to the router
ip vrf red
ip vrf blue
ip vrf green
interface FastEthernet 0/0
 ip vrf forwarding red
interface FastEthernet 0/1
 ip vrf forwarding red
interface Tunnel 0
 ip vrf forwarding red
Router with VRFs
Figure: the same stack (Layer 4, Layer 3 helpers, Layer 2), now with one Layer 3 routing instance per VRF.
Source the tunnel from a VRF
interface FastEthernet 1/0
 ip vrf forwarding blue
interface Tunnel 0
 ip vrf forwarding red
 tunnel source FastEthernet 1/0
 tunnel destination …
 tunnel vrf blue
VRF tunneling
Figure: the tunnel's inner packets are routed in VRF red, the encapsulated packets in VRF blue.
Watch out for the network ID
interface Tunnel 0
 ip vrf forwarding red
 tunnel source FastEthernet 1/0
 tunnel destination …
 ip nhrp network-id 1
 tunnel vrf blue
ISAKMP profiles in DMVPN
Purpose of the exercise
Assume two groups of users
  Finance and Engineering
The hub hosts two DMVPNs
  On the same tunnel-source
Each group of users should access its own DMVPN
  And not the other…
Each DMVPN sits in its own VRF
  To fully separate the traffic of each group
We will use ISAKMP profiles to solve the exercise
Multi-DMVPN on a single hub
Figure: a single hub (.1 on 192.168.0.0/24) terminating two distinct DMVPNs on the same physical address 172.17.0.1: Tunnel1 10.0.0.1 and Tunnel2 10.0.1.1.
Assume two groups of users
Group 1 – Engineering
 Certificate
  Status: Available
  Certificate Serial Number: 100
  Certificate Usage: General Purpose
  Issuer:
   cn=blue-lab CA
   o=CISCO
  Subject:
   Name: Router100.cisco.com
   o=CISCO
   ou=Engineering
  Validity Date:
   start date: 14:34:30 UTC Mar 31 2004
   end date: 14:34:30 UTC Apr 1 2009
  Associated Trustpoints: LaBcA
Group 2 – Finance
 Certificate
  Status: Available
  Certificate Serial Number: 300
  Certificate Usage: General Purpose
  Issuer:
   cn=blue-lab CA
   o=CISCO
  Subject:
   Name: Router300.cisco.com
   o=CISCO
   ou=Finance
  Validity Date:
   start date: 14:34:30 UTC Mar 31 2004
   end date: 14:34:30 UTC Apr 1 2009
  Associated Trustpoints: LaBcA
There is a single CA
Each user belongs either to ou=Engineering or to ou=Finance
What are ISAKMP profiles?
ISAKMP profiles map an IKE session to an IPsec SA
IKE sessions are identified by
  Peer identity
  VRF
  Local address
IPsec SAs can be derived from
  a crypto map
  an IPsec profile
Certificate maps
Defining the ISAKMP profiles
The IPsec profiles
Defining the tunnels
interface tunnel1
 ip vrf forwarding Engineering
 ip address 10.0.0.1 255.255.255.0
 tunnel key 1
 ip nhrp network-id 1
 ip nhrp …
 tunnel source loopback0
 tunnel protection ipsec profile eng-ipsec-prof   ! each tunnel links to a specific ISAKMP profile
interface tunnel2
 ip vrf forwarding Finance
 ip address 10.0.1.1 255.255.255.0
 tunnel key 2
 ip nhrp network-id 2
 ip nhrp …
 tunnel source loopback0
 tunnel protection ipsec profile fin-ipsec-prof
Session mapping example
Figure: Engineering sessions land on the Engineering tunnel, Finance sessions on the Finance tunnel.
DMVPN IPv6
Spoke configuration
interface Tunnel0
 ipv6 address fe80::2002 link-local   ! unique link-local address
Hub configuration
interface Tunnel0
 ipv6 address fe80::2001 link-local   ! unique link-local address
Subtle differences
Hub#show ipv6 nhrp
2001::2/128 via 2001::2
   Tunnel0 created 00:04:47, expire 01:59:49
   Type: dynamic, Flags: unique registered used
   NBMA address: 1.0.0.2
2001::3/128 via 2001::3
   Tunnel0 created 00:04:03, expire 01:59:49
   Type: dynamic, Flags: unique registered used
   NBMA address: 1.0.0.3
FE80::2/128 via 2001::2
   Tunnel0 created 00:04:47, expire 01:59:49
   Type: dynamic, Flags: unique registered
   NBMA address: 1.0.0.2
FE80::3/128 via 2001::3
   Tunnel0 created 00:04:43, expire 01:59:49
   Type: dynamic, Flags: unique registered
   NBMA address: 1.0.0.3
Both the global (2001::2, 2001::3) and the link-local (FE80::2, FE80::3) addresses are registered!!
Per-tunnel QoS
The need for QoS – the obvious
Need for QoS – the greedy spoke
Figure: hub, ISP router, Spoke 1, Spoke 2 and the greedy Spoke 3 behind an interface with a limited downstream rate; the bottleneck is the hub's crypto engine or WAN link.
The greedy spoke calls for a lot of traffic (VoIP calls, DB transfers, ...)
  It overruns the hub crypto engine (CE) or the WAN link
    Packets are dropped
    Starves the other spokes
  The greedy spoke's downlink gets overloaded and packets are dropped
    Damages data throughput, impacts phone conversations…
We want to limit the amount of traffic sent to each spoke
QoS and (DM)VPN – problem statement
QoS with MQC is complex to deploy with DMVPN
  Static MQC configuration
    Long configurations on hubs
    Only works with static spoke addresses
  Performance of QoS/MQC is weak with lots of shapers
Pre-crypto-engine QoS is limited
  Only priority queuing
Serious QoS can only be applied after the crypto engine
  Classification is hard after packet encapsulation (DSCP only)
  Pre-classification is not always useful (e.g. NBAR)
  Shaping, multiple classes, etc… only in MQC
Horror MQC policy – DMVPN
Problem: static and slow
policy-map child
 class routing-protocol
  bandwidth 100 kbps
 class voice
  priority 200 kbps
 class data
  police 500 kbps
 class class-default
!
policy-map parent
 class tunnel1
  bandwidth 400 kbps
  shape average 1mbps
  service-policy child
 class tunnel2
  bandwidth 400 kbps
  shape average 1mbps
  service-policy child
 class tunnel3
  bandwidth 400 kbps
  shape average 1mbps
  service-policy child
 class class-default
  shape average 2mbps
!
interface Tunnel0
 ! qos pre-classify optional
interface GigabitEthernet0/1
 service-policy out parent
!
access-list 101 permit esp hub spoke1
class-map tunnel1
 match access-group 101
access-list 102 permit esp hub spoke2
class-map tunnel2
 match access-group 102
access-list 103 permit esp hub spoke3
class-map tunnel3
 match access-group 103
Changes to the QoS infrastructure
MQC stands for Modular QoS CLI
  MQC was also the name of the queuing and scheduling infrastructure
The situation has changed
  12.4(15)T introduced CCE
  12.4(20)T introduced HQF
  Mostly internal changes, but there is an impact
MQC: CLI
CCE: Common Classification Engine
HQF: Hierarchical Queuing Framework
Per-tunnel QoS
Per-tunnel QoS applies a dynamic per-spoke QoS policy on the hub
  Spokes are split into groups
  Groups are mapped to a QoS template
  The HQF / CCE framework is used
    Performance improves over the current MQC framework
The feature applies to DMVPN and EzVPN dVTI
  Not supported for crypto map based designs
Hub CE and WAN link overruns are rare
  A WAN link overrun could be addressed with aggregate QoS
Spoke downlink overruns are more frequent
  Nothing could be done about them
  This is the primary goal of per-tunnel QoS
Per-tunnel QoS high level view
Classification happens at the tunnel level
  Before encapsulation and before the crypto engine
Policing (dropping) and marking are also applied at the tunnel
Queuing and scheduling happen at the physical interface
Figure: a QoS policy is derived per tunnel; classification, policing and marking happen at the tunnel (Tunnel 2 – data, Tunnel 2 – voice), then the crypto engine, then hierarchical queueing per tunnel (Tunnel 2 policy: Data, Voice) at the physical interface.
More per-tunnel QoS information
Performance depends on
  The number of tunnels
  The number of active shapers
Provisioning DMVPN QoS
Spokes belong to Group 1 or Group 2; on the hub:
policy-map PM1
 class class-default
  shape average 1000000     ! offer 1 Mbps to each tunnel
policy-map PM2
 class class-default
  shape average 500000      ! offer 500 kbps to each tunnel
interface Tunnel0
 ip nhrp map group <name1> service-policy output PM1
 ip nhrp map group <name2> service-policy output PM2
QoS policy limiting tunnel bandwidth
Hub:
class-map Control
 match ip precedence …
class-map Voice
 match ip precedence …
policy-map PM1
 class class-default
  shape average 1000000     ! offer 1 Mbps to each tunnel
interface Tunnel0
 ip nhrp map group G1 service-policy output PM1
Hierarchical shaper
QoS policy limiting tunnel bandwidth (hierarchical shaper)
Hub:
class-map Control
 match ip precedence …
class-map Voice
 match ip precedence …
! child policy: must be defined before the parent that references it
policy-map SubPolicy
 class Control
  bandwidth 20
  ! 20 kbps guaranteed to Control
 class Voice
  priority percent 60
  ! LLQ for voice, 60% of the parent shape rate
! parent: offer 1 Mbps to each tunnel, then schedule within it with SubPolicy
policy-map PM1
 class class-default
  shape average 1000000
  service-policy SubPolicy
interface Tunnel0
 ip nhrp map group G1 service-policy output PM1
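A complete hub and spoke configuration covering both the provisioning slide (two groups, two policies) and the hierarchical shaper slide, written here as an added example rather than taken from the deck. Addressing follows the deck's nomenclature slides (hub tunnel 10.0.0.254/24 on physical 172.16.254.1, spoke 1 tunnel 10.0.0.1 on 172.16.1.1); the group names G1 and G2, the precedence values, and the IPsec profile name DMVPN-PROF (whose ISAKMP and transform configuration is assumed to exist) are assumptions. The spoke's `ip nhrp group` line, which the slides do not show, is what carries the group name to the hub inside the NHRP registration.

```ios
! ---------- Hub (group names, precedence values and profile name are assumed) ----------
! precedence 6 = routing/control, 5 = voice: an assumption, match what the spokes mark
class-map match-all Control
 match ip precedence 6
class-map match-all Voice
 match ip precedence 5
!
! child policy: must exist before a parent references it
policy-map SubPolicy
 class Control
  bandwidth 20
 class Voice
  priority percent 60
!
! group G1: 1 Mbps per spoke tunnel, scheduled with SubPolicy inside the shaper
policy-map PM1
 class class-default
  shape average 1000000
  service-policy SubPolicy
!
! group G2: 500 kbps per spoke tunnel, same child policy
policy-map PM2
 class class-default
  shape average 500000
  service-policy SubPolicy
!
interface Tunnel0
 ip address 10.0.0.254 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ! a spoke that registers with a group name not mapped here gets no per-tunnel policy
 ip nhrp map group G1 service-policy output PM1
 ip nhrp map group G2 service-policy output PM2
 tunnel source 172.16.254.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF

! ---------- Spoke 1 (member of group G1) ----------
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.254
 ip nhrp map 10.0.0.254 172.16.254.1
 ip nhrp map multicast 172.16.254.1
 ! group name is sent to the hub in the NHRP registration; must match a hub mapping
 ip nhrp group G1
 tunnel source 172.16.1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF

! ---------- Verification on the hub ----------
! show dmvpn detail            : per-spoke entries carry the NHRP group name the spoke sent
! show policy-map multipoint   : the policy instance applied to each spoke tunnel and its counters
```

Because SubPolicy is a child of a shaper, `priority percent 60` is computed against the parent shape rate (600 kbps of LLQ for a G1 spoke, 300 kbps for a G2 spoke), while `bandwidth 20` is an absolute 20 kbps guarantee whichever shaper it sits under. Check the output of `show policy-map multipoint` after a spoke registers: a spoke whose group name has no `ip nhrp map group` entry on the hub is accepted but gets no shaper, so its downlink remains unprotected.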
DMVPN vs. GET VPN
GET VPN in a nutshell
10,000 feet over GET VPN
Figure: the key server on 192.168.0.0/24 distributes the group TEK to every group member (the .1 routers on 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24). A packet IP(s=PC,d=Web) TCP… from the PC (.25 on 192.168.1.0/24) is encrypted by its group member as IP(s=PC,d=Web) ESP…, keeping the original source and destination addresses in the outer header, and is decrypted by the group member in front of the Web server (.37 on 192.168.2.0/24 or 192.168.3.0/24).
Scopes of DMVPN and GET VPN
DMVPN is an overlay VPN
Creates tunnels over the transport network
Isolates the protected networks from the transport network
Allows private (protected) addresses over a public transport network
Hubs concentrate connections: all spokes must connect to a hub
Hubs concentrate part of the spoke-to-spoke traffic
Hubs need to know about all the private networks (routing-protocol scale)
Multicast requires replication before encryption, usually on the hubs
GET and DMVPN are not enemies
GET only works if the protected addresses are routable across the transport
Usually recommended over another (virtual) network, such as MPLS
The core needs to be multicast aware for multicast to work at all
When the transport network is optimized, GET has the lead
When the transport network is "dumb", DMVPN just works
12.4 T DMVPN New Features Summary
For your reference
DMVPN Enhancements

Previous limitation: Large routing tables at spokes sometimes caused network instability
New feature and benefits: Shortcut switching introduced; route summarization now possible; higher scalability
Release: 12.4(6)T

Previous limitation: Delays in setting up voice calls between spokes
New feature and benefits: Packets CEF switched via hub; reduced latency during call setup
Release: 12.4(6)T

Previous limitation: NAT/PAT not possible in spoke-spoke designs
New feature and benefits: NAT and static PAT now supported
Release: 12.4(9)T
For your reference
DMVPN Enhancements

Previous limitation: Complex troubleshooting
New feature and benefits: DMVPN debug enhancements; all tables with a single show command; per-peer debugging also possible
Release: 12.4(9)T

Previous limitation: Network monitoring difficult or impossible
New feature and benefits: NHRP MIB; monitoring of NHRP tables via SNMP
Release: 12.4(20)T

Previous limitation: Limited to IPv4
New feature and benefits: DMVPN IPv6; allows IPv6 in the overlay network
Release: 12.4(20)T
Session Summary
Shortcut switching
Routing protocols revisited
Summary
Phase 3 is subtly different from phase 2
Most visible in the routing topology
Shortcut switching helps in picking the best protocol
Usually, the choice relates to scalability
DMVPNv6 is now a reality
One more step in the right direction
Per-SA (per-tunnel) QoS finally made it
ISAKMP profiles enhance the security of multi-DMVPN designs
Very useful for VRF separation
Recommended Sessions
Q and A
Meet The Expert