DMVPN Overview

DMVPN: From Basics to Scalable Networks
Ivan Pepelnjak (ip@nil.com)

NIL Data Communications
This material is copyrighted and licensed for the sole use by Hakan Akca (hakotheman@yahoo.com [195.191.119.2]). More information
at http://www.ioshints.info/Webinars
Agenda
DMVPN Phase 1 and Phase 2 overview
Spoke enhancements
• Split Default Routing
• Multihomed Remote Site
Scalability solutions
• Simple spoke-to-hub routing protocol
• Spoke-to-spoke traffic with default routing (DMVPN Phase 3)
• Unidirectional routing
• Hierarchical hub structure
2 © NIL Data Communications 2010
at http://www.ioshints.info/Webinars Choose the Optimal VPN Service
DMVPN
DMVPN Overview
Site-A Third-party IP backbone Central
Site
CE-A C1
Site-B
CE-B C2
DMVPN = Phase I: hub-and-spoke

• mGRE + • mGRE on hub, GRE on spoke
• Dynamic NHRP with NHS + Phase II: spoke-to-spoke
• IPSec tunnel protection • Dynamic IPSec tunnels
(shared key or certificates) Phase III: scalability
• NHRP redirects and shortcuts
DMVPN
DMVPN Phase 1
Traffic flow
S1
• Multicasts only between hub and
spokes
• Data traffic through the hub
mGRE
S2 Hub
NHRP
• Hub = NHS
S3
• Dynamic spoke registration
• P2P GRE on spoke routers Routing protocols

• mGRE on hub router • Next-hop must be Hub
• OSPF: P2MP
• Default routing on spokes
• EIGRP: disable split horizon
• EBGP: use next-hop-self
DMVPN Phase 1 Configuration
P2P GRE on Spoke Routers

S1 interface Loopback0
ip address 10.0.1.5 255.255.255.255
!
mGRE interface Tunnel0
S2 Hub
bandwidth 2000
ip address 192.168.0.5 255.255.255.0
ip mtu 1400
S3 ip tcp adjust-mss 1360
tunnel source Serial1/0
tunnel destination 10.0.7.17
Notes tunnel key 12345
!
• Static route for tunnel interface FastEthernet0/0
destination is required ip address 172.16.11.1 255.255.255.0
!
• Set tunnel MTU and TCP MSS interface Serial1/0
description Link to Internet(ROUTER) s1/2
• Specify tunnel bandwidth ip address 10.0.7.9 255.255.255.252
encapsulation ppp
• Tunnel key is optional in no peer neighbor-route
Phase 1 DMVPN !
ip route 10.0.7.17 255.255.255.255 Serial1/0
P2MP GRE on Hub Routers

interface Loopback0 S1
ip address 10.0.1.1 255.255.255.255
!
interface Tunnel0 mGRE
S2 Hub
bandwidth 10000
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip mtu 1400 S3
ip tcp adjust-mss 1360

tunnel mode gre multipoint
tunnel key 12345
GRE routing
!
interface FastEthernet0/0
• Default route to the Internet
ip address 172.16.0.1 255.255.255.0 is needed to reach spokes
!
interface Serial1/0 Tunnel key
description Link to Internet
ip address 10.0.7.17 255.255.255.252
encapsulation ppp
• Optional for hubs with a
no peer neighbor-route single tunnel interface
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
DMVPN Phase 1 Concepts
GRE Tunnel Key Explained

Challenge S1
• Mapping incoming GRE packets to multiple

tunnel interfaces (redundant DMVPN only) S2
mGRE
Hub
Mapping methods S3
• Unique tunnel destination

• Unique tunnel source/destination pair for P2P tunnels
• Unique tunnel keys
Caveat
• Tunnel keys cause CPU-based switching on a 6500/7600
NHRP Configuration – Spoke Router

interface Tunnel0
ip nhrp authentication WanExamp S1
ip nhrp map 192.168.0.1 10.0.7.17

ip nhrp network-id 12345
ip nhrp holdtime 60 mGRE
S2 Hub
ip nhrp nhs 192.168.0.1

ip nhrp registration [timeout 30 | no-unique]
S3
• NHRP network ID & password

• Hub tunnel IP = NHS server
• Static mapping for hub tunnel IP  hub physical IP (protocol-to-
NBMA mapping) is required for proper NHRP operation
• Multicast NHRP mapping is not required on P2P GRE tunnels
• Optional: registration timeouts and non-unique registrations
Non-Unique NHRP Registrations

Default behavior ISDN
• Protocol-to-NBMA mappings are fixed
for the duration of an NHRP registration
• NHS server rejects registration requests Site
DSL mGRE
Hub
with existing protocol address and different
NBMA address
• Marginal protection against configuration
errors and spoofing
• Major problem in environments where
NBMA addresses change (DHCP-assigned IP addresses, xDSL)
Non-unique registrations
• Already-registered NBMA address can change
• Spoke routers send registration requests at every NBMA address change
NHRP Configuration – Hub Router

interface Tunnel0
ip nhrp authentication WanExamp S1
ip nhrp map multicast dynamic

mGRE
S2 Hub
• NHRP password & network ID

S3
• Dynamic NHRP multicast maps
Multicast over mGRE principles

• Multicasts are sent only to destinations configured with ip nhrp
map multicast (Includes routing updates and hellos)
• Workaround: BGP or non-broadcast OSPF/EIGRP neighbors
• Dynamic maps can be created on NHS at spoke registration time
OSPF Routing S1
interface Loopback0
ip ospf 1 area 11
mGRE
! S2 Hub
interface Tunnel0
ip ospf network point-to-multipoint
ip ospf 1 area 11 S3
!
ip ospf 1 area 11
!
router ospf 1
interface Loopback0
log-adjacency-changes
ip ospf 1 area 0
area 11 stub no-summary
!
interface Tunnel0
Hub router must be IP next-hop ip ospf network point-to-multipoint
ip ospf 1 area 11
• Point-to-multipoint network type !
ip ospf 1 area 0
Minimize routing updates to spokes !
• Totally stubby area router ospf 1
• Flooding filter + static default route area 11 stub no-summary
EIGRP Routing S1
router eigrp 1
network 10.0.0.0 mGRE
S2 Hub
network 192.168.0.0 0.0.255.255

passive-interface Loopback0
eigrp stub [ leak-map EIGRPLeak ] S3
!
ip prefix-list EIGRPLeak seq 10 permit 10.0.0.0/8
ip prefix-list EIGRPLeak seq 15 permit 10.0.1.0/24 ge 32
ip prefix-list EIGRPLeak seq 20 permit 0.0.0.0/0
!
route-map EIGRPLeak permit 10
match ip address prefix-list EIGRPLeak interface Tunnel0
bandwidth value
no ip split-horizon eigrp 1
ip summary-address eigrp 1 10.0.0.0
Minimize routing updates: 255.0.0.0
• Summarize on the hub router !
router eigrp 1
• Spokes should be stub routers no auto-summary
network 10.0.0.0 0.255.255.255
network 172.16.0.0 0.15.255.255
network 192.168.0.0 0.0.255.255
BGP Routing S1
router bgp 65005 mGRE

no synchronization S2 Hub
bgp log-neighbor-changes
redistribute connected route-map Internal
neighbor 192.168.0.1 remote-as 65000 S3
!
ip prefix-list Internal seq 5 permit 172.16.0.0/16 ge 20
ip prefix-list Internal seq 10 permit 10.0.0.0/8 ge 32
!
route-map Internal permit 10 router bgp 65000
match ip address prefix-list Internal template peer-policy DMVPN
next-hop-self
send-community
Hub router must be IP next-hop [ route-map FilterUpdates out ]
• next-hop-self on all BGP neighbors [ default-originate ]
exit-peer-policy
• Use policy templates !
no synchronization
Minimize routing updates to spokes bgp log-neighbor-changes
• Filter BGP updates neighbor 192.168.0.3 remote-as 65003
• Advertise default route to the spokes neighbor 192.168.0.3 inherit peer-policy DMVPN
Dynamic BGP Neighbors S1
• Inbound BGP sessions are accepted if the mGRE

source IP address is in specified range
S2 Hub
• All spoke routers should use the same AS S3
number
IOS releases 12.2(33)SXH and 15.0(1)S
router bgp 65000

neighbor spokes peer-group
bgp listen range 192.168.0.0/24 peer-group spokes
neighbor spokes remote-as 65001
neighbor spokes next-hop-self
neighbor spokes send-community
neighbor spokes default-originate
untested
DMVPN Redundancy
interface Tunnel0
mGRE-A
ip address 192.168.0.5 255.255.255.0 S1 H1
ip nhrp authentication WanExamp

ip nhrp map 192.168.0.1 10.0.7.17
ip nhrp network-id 12345 mGRE-B
ip nhrp nhs 192.168.0.1 S2 H2

ip ospf 1 area 11
tunnel source Serial1/0 Two tunnel interfaces on spokes
!
tunnel destination 10.0.7.17 • Shared Internet uplink
interface Tunnel1 • Tunnel keys are optional
ip address 192.168.1.5 255.255.255.0
ip nhrp authentication WanExamp • Shared NHRP authentication
ip nhrp map 192.168.1.1 10.0.7.13
• Different network IDs
ip nhrp nhs 192.168.1.1 • Different IP subnets
ip ospf 1 area 11 • Different NHRP mappings and NHS
tunnel destination 10.0.7.13
• Same OSPF area
• Primary/Backup or load sharing based
on OSPF cost
IPSec configuration – Pre-shared Key

crypto keyring DMVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key TESTING S1
!
crypto isakmp policy 10
authentication pre-share mGRE
group 2 S2 Hub
!
!
crypto ipsec transform-set DMVPN esp-des esp-sha-hmac
mode transport S3
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
interface Tunnel0
tunnel protection ipsec profile DMVPN
• Define IPSec profile

• Apply IPSec profile as tunnel protection
• Hub configuration almost identical
• No change in redundant design
IPSec configuration – Certificates

crypto pki trustpoint ca.example.com
enrollment url http://ca.example.com:80 S1
revocation-check crl
auto-enroll
! mGRE
crypto pki certificate chain ca.example.com S2 Hub
certificate 07 nvram:ca#7.cer
certificate ca 01 nvram:ca#1CA.cer
!
crypto isakmp policy 10 S3
group 2
!
mode transport
!
!
interface Tunnel0
tunnel protection ipsec profile DMVPN
• Shared keys are replaced by certificates

• No other configuration changes
DMVPN Phase 1 Monitoring
IP Routing Table on a Spoke Router

LAN subnets
R3#show ip route 172.16.0.0

Routing entry for 172.16.0.0/16, 4 known subnets
Attached (2 connections)
Variably subnetted with 2 masks
O 172.16.10.0/24 [110/2001] via 192.168.1.1, 00:13:34, Tunnel1
[110/2001] via 192.168.0.1, 00:14:00, Tunnel0
O 172.16.11.0/24 [110/2001] via 192.168.1.1, 00:13:34, Tunnel1
[110/2001] via 192.168.0.1, 00:13:24, Tunnel0
C 172.16.12.0/24 is directly connected, FastEthernet0/0
L 172.16.12.1/32 is directly connected, FastEthernet0/0
S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
IP Routing Table on a Hub Router

C1#show ip route 172.16.0.0
C 172.16.0.0/24 is directly connected, FastEthernet0/0
L 172.16.0.1/32 is directly connected, FastEthernet0/0
O 172.16.10.0/24 [110/1001] via 192.168.0.4, 00:45:34, Tunnel0
[110/1001] via 192.168.0.3, 00:46:41, Tunnel0
O 172.16.11.0/24 [110/1001] via 192.168.0.5, 00:17:30, Tunnel0
O 172.16.12.0/24 [110/1001] via 192.168.0.6, 00:18:06, Tunnel0
S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
IPsec Sessions on the Spoke Router

R3#show crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 10.0.7.13 port 500
IKE SA: local 10.0.7.5/500 remote 10.0.7.13/500 Active
IPSEC FLOW: permit 47 host 10.0.7.5 host 10.0.7.13
Active SAs: 2, origin: crypto map
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.7.17 port 500
IKE SA: local 10.0.7.5/500 remote 10.0.7.17/500 Active
IPSEC FLOW: permit 47 host 10.0.7.5 host 10.0.7.17 S1A
Active SAs: 2, origin: crypto map

mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
DMVPN Status on the Spoke Router

R3#show dmvpn interface tunnel 0
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details

IPv4 Registration Timer: 30 seconds
IPv4 NHS: 192.168.0.1 RE

Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target
S1A
Network
----- --------------- --------------- ----- -------- ----- -----------------
mGRE-A
1 10.0.7.17 192.168.0.1 UP 00:09:05 S 192.168.0.1/32 Hub-1
S1B
S2 mGRE-B
Hub-2
S3
NHRP mappings on a Hub Router

C1#show ip nhrp
192.168.0.3/32 via 192.168.0.3
Tunnel0 created 00:50:26, expire 00:00:41
Type: dynamic, Flags: unique registered
NBMA address: 10.0.7.22
192.168.0.4/32 via 192.168.0.4
Type: dynamic, Flags: unique registered used
192.168.0.5/32 via 192.168.0.5
Type: dynamic, Flags: unique registered used
192.168.0.6/32 via 192.168.0.6 S1A
Type: dynamic, Flags: unique registered used mGRE-A
NBMA address: 10.0.7.5 S1B
Hub-1
C1#show ip nhrp multicast

I/F NBMA address
Tunnel0 10.0.7.22 Flags: dynamic S2 mGRE-B
Hub-2
Tunnel0 10.0.7.26 Flags: dynamic
Tunnel0 10.0.7.5 Flags: dynamic
Tunnel0 10.0.7.9 Flags: dynamic S3
DMVPN Phase I Troubleshooting
Detailed Initialization Sequence

A spoke router tries to contact the hub router S1
1. IPsec keys are exchanged (IKE)

mGRE
2. IPsec session (SA) is established S2 Hub
3. Spoke uses NHRP to register with the

hub router S3
4. Hub creates dynamic NHRP mapping for the spoke and a

dynamic multicast map
5. Hub and spoke exchange routing protocol hellos and routing
updates
DMVPN Phase I Troubleshooting
Troubleshooting concepts
Routing protocol adjacency? S1
YES: Check the routing protocol

mGRE
NO: Dynamic NHRP map on the hub router? S2 Hub
YES: Recursive routing?

S3
NO: IPsec session established on the spoke?

YES: Check NHRP parameters
NO: Spoke-to-hub ping works over the Internet?
YES: Check IKE parameters and keys
Agenda
Spoke enhancements
DMVPN
DMVPN Phase II Traffic flow

• Multicasts only between hub and
spokes
S1
1 • Data traffic spoke-to-spoke
2
NHRP
mGRE
S2 Hub • Hub = NHS
• On-demand tunnel destination
S3
resolution
• mGRE on all routers Routing protocols

• Dynamic tunnel destination • Next-hop must be egress router
resolution • OSPF: broadcast (priority=0 on
spokes)
• Every spoke needs all spoke • EIGRP: disable split horizon, no
routes next-hop-self
DMVPN Phase II
Packet flow details

Routing table on a spoke router has another spoke router as next hop
1. Shortcut not established  send packets to the hub router

2. Use NHRP to get tunnel IP  NBMA IP mapping from the NHS
3. Install NHRP mapping into NHRP dynamic cache
4. Try to set up IKE session with the other spoke
5. Try to set up IPSec SA with the other spoke
6. NHRP entry is operational  send traffic directly to the other spoke
7. Refresh dynamic NHRP mapping registration timeout seconds before it
expires
Reverse traffic triggers the same mechanisms on the other spoke router
DMVPN Phase II
P2MP GRE on Spoke Routers

interface Tunnel0
ip address 192.168.0.5 255.255.255.0 S1
ip nhrp authentication WanExamp 1

2
ip nhrp map 192.168.0.1 10.0.7.17
ip nhrp map multicast 10.0.7.17 mGRE
S2 Hub
ip nhrp nhs 192.168.0.1
tunnel mode gre multipoint S3
tunnel key 12345
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
• No changes on the hub router

• NHRP multicast map needed for the hub router (not for BGP)
• Remove tunnel destination on spokes
• Change tunnel mode on spokes to gre multipoint
• Default route on spokes points to the Internet
• Tunnel key mandatory when multiple tunnels share the same source interface
DMVPN Phase II
OSPF Configuration
interface Tunnel0 S1
ip ospf network broadcast 1

2
ip ospf priority 0
ip ospf 1 area 11 mGRE
S2 Hub
!
router ospf 1
area 11 stub S3
interface Tunnel0
ip ospf network broadcast
ip ospf 1 area 11
IP next hop: DMVPN egress router !
• Broadcast OSPF network type router ospf 1
• Set spoke priority to zero area 11 stub
• OSPF multicasts packets delivered only over

configured or dynamic NHRP multicast maps
Minimize routing updates to spokes

• Stub area (default routing to hub no longer possible)
DMVPN Phase II
EIGRP Configuration
S1
1
IP next hop: DMVPN egress router 2
• Disable EIGRP split-horizon on the hub router S2
mGRE
Hub
to propagate updates between spokes
• Disable EIGRP next-hop processing on the
hub router S3
• Do not use summarization

• Routing update filters (distribute-list) are OK
interface Tunnel0
bandwidth 10000
No changes on the spoke routers no ip redirects
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0 0.0.15.255
network 192.168.0.0 0.0.255.255
DMVPN Phase II
BGP Configuration
S1
IP next hop: DMVPN egress router 1
2
• Remove next-hop-self on the hub router mGRE
S2 Hub
Minimize routing updates to spokes

• Filter non-DMVPN routes
router bgp 65000 S3
• Advertise default route template peer-policy DMVPN

route-map DMVPN-Out out
No changes on the spokes default-originate
send-community
exit-peer-policy
!
neighbor 192.168.0.3 remote-as 65003
neighbor 192.168.0.3 inherit peer-policy DMVPN
!
ip access-list standard DMVPN-NH
permit 192.168.0.0 0.0.3.255
!
route-map DMVPN-Out permit 10
match ip next-hop DMVPN-NH
DMVPN Phase II
IPSec and DMVPN Redundancy

interface Tunnel0
mGRE-A
tunnel protection ipsec profile DMVPN shared S1 H1
!
interface Tunnel1
tunnel protection ipsec profile DMVPN shared
mGRE-B H2
S2
• IPSec profiles on Tunnel0 and Tunnel1 might have the same

source and destination address in a spoke-to-spoke SA
• Must use the shared keyword (do not use it in other cases)
Rule of thumb: If you need tunnel-key you probably need shared SA
DMVPN Phase II

R3#show ip route 172.16.0.0 | exclude ^[CL]
O IA 172.16.0.0/24 [110/1001] via 192.168.1.1, 00:00:45, Tunnel1
[110/1001] via 192.168.0.1, 00:00:55, Tunnel0
O 172.16.10.0/24 [110/1001] via 192.168.1.4, 00:00:45, Tunnel1
[110/1001] via 192.168.1.3, 00:00:45, Tunnel1
[110/1001] via 192.168.0.4, 00:00:45, Tunnel0
[110/1001] via 192.168.0.3, 00:00:45, Tunnel0
O 172.16.11.0/24 [110/1001] via 192.168.1.5, 00:00:45, Tunnel1
[110/1001] via 192.168.0.5, 00:00:55, Tunnel0
S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
DMVPN Phase II
Initial NHRP mapping on a Spoke Router

R3#show ip nhrp
192.168.0.1/32 via 192.168.0.1
Tunnel0 created 00:03:15, never expire
Type: static, Flags: used
192.168.1.1/32 via 192.168.1.1
R3#show ip nhrp multicast
I/F NBMA address
Tunnel0 10.0.7.17 Flags: static
Tunnel1 10.0.7.13 Flags: static
S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
DMVPN Phase II
Spoke-to-Spoke Traffic Flow

R3#trace 172.16.10.1
Type escape sequence to abort.

Tracing the route to 172.16.10.1
1 192.168.0.1 120 msec 48 msec

192.168.1.1 60 msec
2 192.168.1.4 52 msec
192.168.0.3 44 msec *
R3#trace 172.16.10.1

Tracing the route to 172.16.10.1
S1A
1 192.168.1.3 48 msec
192.168.1.4 12 msec mGRE-A
192.168.0.3 12 msec S1B
Hub-1
S2 mGRE-B
Hub-2
S3
DMVPN Phase II
Dynamic NHRP Mappings on a Spoke Router

R3#show ip nhrp dynamic
192.168.0.3/32 via 192.168.0.3
Type: dynamic, Flags: router
192.168.1.3/32 via 192.168.1.3
192.168.1.4/32 via 192.168.1.4
S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
Coffee break
Agenda
Spoke enhancements
Split Default Routing
Overview
Requirement S1
1
• Default routing over DMVPN 2
toward hub site (routing mGRE
optimization or central firewall) S2 Hub
Problem S3
• DMVPN Phase II allows

direct spoke-to-spoke traffic
• Unknown spokes have to be reachable over the Internet
• Default route toward the Internet is needed
Technical Requirements
• GRE (or IPSec/GRE) packets should mGRE
use default route over Internet link
• All other traffic should use Internet
default route over DMVPN tunnel S1
Default routing for
DMVPN packets
Solutions
S3
Policy-based routing
Split routing with VRF (Internet link in the VRF)
Tunnel and VRF Configuration on a Spoke Router

ip cef
! mGRE
ip vrf Internet
rd 65000:1
! Internet
interface Tunnel0 S1
tunnel source Serial1/0 Default routing for
tunnel mode gre multipoint DMVPN packets
tunnel key 12345
tunnel vrf Internet
!
interface Serial1/0
description Link to Internet
encapsulation ppp
ip vrf forwarding Internet
ip address negotiated
!
ip route vrf Internet 0.0.0.0 0.0.0.0 Serial1/0
IPSec Configuration on a Spoke Router

crypto keyring DMVPN vrf Internet
pre-shared-key address 0.0.0.0 0.0.0.0 key TESTING mGRE
!
crypto isakmp policy 10
authentication pre-share
Internet
group 2 S1
! Default routing for
! DMVPN packets
mode transport
!
!
interface Tunnel0
tunnel vrf Internet
tunnel protection ipsec profile DMVPN shared

R3#show ip route | begin Gateway
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
O*IA 0.0.0.0/0 [110/1001] via 192.168.1.1, 00:01:30, Tunnel1

[110/1001] via 192.168.0.1, 00:01:40, Tunnel0
10.0.0.0/32 is subnetted, 6 subnets
O IA 10.0.1.1 [110/1001] via 192.168.0.1, 00:01:40, Tunnel0
O IA 10.0.1.2 [110/1001] via 192.168.1.1, 00:01:30, Tunnel1
O 10.0.1.3 [110/1001] via 192.168.1.3, 00:01:30, Tunnel1
[110/1001] via 192.168.0.3, 00:01:30, Tunnel0
O 10.0.1.4 [110/1001] via 192.168.1.4, 00:01:30, Tunnel1
[110/1001] via 192.168.0.4, 00:01:30, Tunnel0
O 10.0.1.5 [110/1001] via 192.168.1.5, 00:01:30, Tunnel1
[110/1001] via 192.168.0.5, 00:01:40, Tunnel0 S1A
C 10.0.1.6 is directly connected, Loopback0
... mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
VRF Routing Table on a Spoke Router

R3#show ip vrf
Name Default RD Interfaces
Internet 65000:1 Se1/0
R3#show ip route vrf Internet | begin gateway
S* 0.0.0.0/0 is directly connected, Serial1/0

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.7.4/30 is directly connected, Serial1/0
L 10.0.7.5/32 is directly connected, Serial1/0
S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
ISAKMP SA on a Spoke Router

R3#show crypto isakmp sa detail | exclude Engine|IPv6
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 10.0.7.5 10.0.7.17 Internet ACTIVE des sha psk 2 23:53:19
1002 10.0.7.5 10.0.7.13 Internet ACTIVE des sha psk 2 23:53:19

S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
IPSEC SA on a Spoke Router

R3#show crypto ipsec sa addr
fvrf/address: Internet/10.0.7.5
protocol: ESP
spi: 0x5EA3F56F(1587803503)
transform: esp-des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, sibling_flags 80000006, crypto map: DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4437907/3053)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0xD3150F08(3541372680)
transform: esp-des esp-sha-hmac ,
in use settings ={Transport, } S1A
conn id: 3, flow_id: SW:3, sibling_flags 80000006, crypto map: DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4593533/3053) mGRE-A
IV size: 8 bytes S1B
Hub-1
replay detection support: Y

Status: ACTIVE
S2 mGRE-B
Hub-2
S3
DMVPN Status on a Spoke Router

R3#show dmvpn interface tunnel 0 detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 192.168.0.6, VRF ""

Tunnel Src./Dest. addr: 10.0.7.5/MGRE, Tunnel VRF "Internet"
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN"
Interface State Control: Disabled
IPv4 Registration Timer: 30 seconds
S1A
IPv4 NHS: 192.168.0.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1 mGRE-A
Hub-1
S1B
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 10.0.7.17 192.168.0.1 IKE 00:00:25 S 192.168.0.1/32
S2 mGRE-B
Hub-2
... rest deleted ...

S3
Agenda
Spoke enhancements
Redundantly Connected Spoke Site
Overview
Requirements mGRE-A
• Two ISP connections
ISP-A
• Redundant DMVPN setup
(two DMVPN clouds) S1
ISP-B
Facts
mGRE-B
• Destinations in each DMVPN cloud are unknown
• Default routing required for both DMVPN clouds
• Spoke router needs two default routes (one for each ISP)
• ISPs might perform uRPF check
Challenge
• IPSec/GRE packets have to use the correct ISP link
Solution#1: Tunnel Route-via

mGRE-A
Facts
ISP-A
• New feature added in IOS 12.4(11)T
• More convenient form of policy routing
S1
ISP-B
• Tunnel (GRE) packets use a subset of IP mGRE-B

routing table
• Loose or strict mode
• Works for P2P or mGRE tunnels
Caveats
• Does not work together with IPSec (tunnel protection)
Tunnel Route-via Configuration

interface Tunnel0
mGRE-A
ISP-A
tunnel route-via Serial1/0 mandatory
tunnel vrf Internet
S1
!
interface Tunnel1 ISP-B
tunnel mode gre multipoint mGRE-B
tunnel route-via Serial1/1 mandatory
tunnel vrf Internet
!
interface Serial1/0
description Link to ISP-A
!
interface Serial1/1
description Link to ISP-B
!
Solution #2: Use Two VRFs

ip vrf Internet mGRE-A
rd 65000:1
! ISP-A
ip vrf Internet_Backup
rd 65000:2 S1
! ISP-B
interface Tunnel0
tunnel source Serial1/0 mGRE-B
tunnel vrf Internet
!
interface Tunnel1
interface Serial1/0
description Link to ISP-A
tunnel vrf Internet_Backup
!
Don’t forget interface Serial1/1
description Link to ISP-B
• Per-VRF keyrings ip vrf forwarding Internet_Backup
• Per-VRF profiles !
Two VRFs and IPSec

crypto keyring DMVPN_Backup vrf Internet_Backup mGRE-A
pre-shared-key address 0.0.0.0 0.0.0.0 key TESTING
crypto keyring DMVPN vrf Internet ISP-A
pre-shared-key address 0.0.0.0 0.0.0.0 key TESTING
! S1
crypto isakmp policy 10 ISP-B

authentication pre-share
group 2 mGRE-B
!
!
mode transport
!
crypto ipsec profile DMVPN interface Tunnel0
set transform-set DMVPN tunnel source Serial1/0
! tunnel mode gre multipoint
crypto ipsec profile DMVPN_BACKUP tunnel vrf Internet
set transform-set DMVPN tunnel protection ipsec profile DMVPN
!
interface Tunnel1
tunnel vrf Internet_Backup
tunnel protection ipsec profile DMVPN_BACKUP
Agenda
Spoke enhancements
DMVPN Scalability Limitations
• IKE processing (CPU overload) – limit # of IKE SA’s
• IPsec throughput – use hardware encryption
• NHRP overload – increase the NHRP registration timeout
• Multicast replication – use unidirectional RIP, BGP or static routes
• Routing protocol overhead – use EIGRP or RIP/ODR, not OSPF
• Amount of routing information – use default routing with Phase 3 DMVPN
Scaling beyond single-hub architectures:

• Hub load balancing (Phase 1 only)
Agenda
Spoke enhancements
Scalability
Distance Vector Spoke-to-Hub Routing Protocol

Requirements S1A
• Large scale DMVPN deployment S1B

mGRE-A
Hub-1
• High spoke-to-hub ratio

• Scalability more important than convergence S2 mGRE-B
Hub-2
S3
Solutions
• Use a simple distance vector protocol on spoke sites with a single
router
• RIPv2 or ODR work just fine; RIPv2 gives you more options
• ODR makes sense if you already use CDP over the tunnels
• Don’t use ODR on spoke sites with multiple redundant routers
Scalability: ODR in DMVPN
ODR Basics
• CDP updates contain IP prefixes of
OSPF
S1A
directly connected interfaces
mGRE-A
• CDP updates can be used to build IP S1B
Hub-1
routing tables (similar to RIP)

• Hub: explicit configuration with router odr mGRE-B
ODR
S2
Hub-2
– Collect IP prefixes of CDP neighbors S3
– Insert them in IP routing table

– Redistribute them into core IGP
• Spokes: implicit configuration
– Default route toward any router CDP neighbor is created if a router has no
routing protocol
CDP timers need tweaking for reasonable convergence
Spoke Configuration
OSPF
S1A
interface Tunnel0
cdp enable mGRE-A
tunnel source Serial1/0 S1B
Hub-1

tunnel key 12345
tunnel vrf Internet mGRE-B
ODR
S2
Hub-2
!
interface Tunnel1
cdp enable S3

tunnel mode gre multipoint Caveats
tunnel key 12346
!
tunnel vrf Internet • Do not configure a routing
ip route vrf Internet 0.0.0.0 0.0.0.0 protocol
!
Serial1/0
• ODR creates a default route 
Transmit timer split default routing is mandatory
cdp timer 8
cdp holdtime 255
• Next-hop of the default route is
the CDP neighbor (hub router)
Receive timeout • All traffic flows through the hub(s)
Hub Configuration
interface Tunnel0
OSPF
cdp enable S1A

mGRE-A
tunnel mode gre multipoint Hub-1
S1B
tunnel key 12345
! Receive timeout
router odr mGRE-B
S2
ODR
timers basic 8 24 0 1 Hub-2
distribute-list prefix PrivateOnly in

! S3
router ospf 1
area 11 stub Caveats
redistribute odr subnets
! • ODR collects all spoke IP
cdp timer 8
!
Transmit timer addresses
ip prefix-list PrivateOnly seq 6 permit
10.0.1.0/24 ge 25 • Use inbound filter on hub router
ip prefix-list PrivateOnly seq 10
permit 172.16.0.0/16 ge 17 • Redistribute ODR into core IGP
• CDP timers are somewhat tricky
CDP and ODR on a Hub Router

C1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID

R2 Tunnel0 253 R 7206VXR Tunnel0
R3 Tunnel0 254 R 7206VXR Tunnel0
C2 Fas 0/0 179 R 7206VXR Fas 0/0
C1#show ip route odr | begin Gateway

o 10.0.1.5/32 [160/1] via 192.168.0.5, 00:00:07, Tunnel0
o 10.0.1.6/32 [160/1] via 192.168.0.6, 00:00:06, Tunnel0
172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks S1A
o 172.16.11.0/24 [160/1] via 192.168.0.5, 00:00:07, Tunnel0

o 172.16.12.0/24 [160/1] via 192.168.0.6, 00:00:06, Tunnel0 mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
This material is copyrighted and licensed for the sole use by Hakan Akca (hakotheman@yahoo.com [195.191.119.2]).
S3 More information
IP Routing on a Spoke Router

R2#show ip protocols
*** IP Routing is NSF aware ***
Routing Protocol is "nhrp"

Maximum path: 0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 0)
R2#show ip route | begin Gateway

o* 0.0.0.0/0 [160/1] via 192.168.1.1, 00:00:01, Tunnel1

[160/1] via 192.168.0.1, 00:00:01, Tunnel0 S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
Traffic Flow on a Spoke Router

R2#trace R3LAN

Tracing the route to R3LAN (172.16.12.1)
1 192.168.0.1 12 msec
192.168.1.1 12 msec
192.168.0.1 8 msec
2 192.168.1.6 12 msec
192.168.0.6 12 msec *
Caveats S1A
• Spoke routers have just the default route mGRE-A

Hub-1
• All the traffic goes through the hub site S1B
S2 mGRE-B
Hub-2
S3
Agenda
Spoke enhancements
Scalability
DMVPN Phase 3
Traffic flow
• Multicasts only between NHRP
S1 2 neighbors
1
3 • Data traffic optimal
mGRE
S2 Hub NHRP
• Hub(s): NHS
• Hub-to-hub: static NHRP
S3
• Traffic-driven shortcuts
• mGRE on all routers
• Inter-tunnel NHRP does not work
• Dynamic next-hop resolution
• DMVPN cloud = 1 subnet
• No limits on routing
spoke-to-spoke with default routes
Routing protocols
• No restrictions
+65 © NIL Data Communications 2010
Scalability: DMVPN phase 3
interface Tunnel0
S1 2
ip nhrp shortcut 1
3 interface Tunnel0
ip nhrp redirect
mGRE
S2 Hub
S3
ip nhrp redirect enables NHRP redirects

• Use on hub routers, do not use on spokes
ip nhrp shortcut enables NHRP shortcuts (based on NHRP redirects)
• Use on spoke routers
• Do not use on hub routers with full routing visibility
DMVPN Phase 3 in Action: Idle State
S1 2
1
3
mGRE
S2 Hub
S1#show ip route odr | begin Gateway

S3
o* 0.0.0.0/0 [160/1] via 192.168.0.1, 00:00:06, Tunnel0
S1#show ip nhrp
192.168.0.1/32 via 192.168.0.1
S1#show ip nhrp dynamic
S1#
DMVPN Phase 3 in Action: Shortcut is Built
S1 2
1
3
mGRE
S2 Hub
S1#trace S2Host

Tracing the route to S3Host (172.16.12.2)
S3
1 192.168.0.1 28 msec 12 msec 8 msec
2 192.168.0.6 60 msec * 16 msec
S1#
S1#trace S2Host

Tracing the route to S2Host (172.16.12.2)
1 192.168.0.6 36 msec * 36 msec
DMVPN Phase 3 in Action: NHRP Shortcuts
S1 2
1
3
S1#show ip nhrp dynamic
172.16.12.0/24 via 192.168.0.6
mGRE Tunnel0 created 00:00:19, expire 00:00:40
S2 Hub
172.16.12.1/32 via 192.168.0.6
S3
192.168.0.5/32 via 192.168.0.5
Type: dynamic, Flags: router unique local
(no-socket)
192.168.0.6/32 via 192.168.0.6
Type: dynamic, Flags: router implicit used
Coffee break
Agenda
Spoke enhancements
Scalability
Unidirectional Routing
Challenge S1A
• Scalability is limited by multicast S1B

mGRE-A
Hub-1
replication on hub routers

S2 mGRE-B
Hub-2
Solution
S3
• Make hub routers totally passive
Technical details
• RIPv2 is the only routing protocol option
• Static default routing is needed on spoke routers
• Reliable static routing is required in redundant designs
Scalability: Unidirectional routing
Hub Router Configuration

Disable dynamic NHRP multicast RIP OSPF
• No multicast replication to spokes
mGRE
Hub
RIP update
RIP is totally passive
• Unidirectional route collection interface Tunnel0
• Redistribute RIP routes into your IGP !
no ip nhrp map multicast dynamic
router ospf 1
redistribute rip subnets
Caveats distance ospf external 180
• Tweak RIP timers for faster !
router rip
convergence version 2
timers basic 10 30 5 5
• OSPF external routes have to be passive-interface default
network 192.168.0.0
worse than RIP routes no auto-summary
OSPF-RIP Interaction Challenges

• RIP routes are redistributed into OSPF RIP OSPF
• OSPF external routes have better AD
than RIP routes mGRE
Hub-1
• RIP updates are ignored at the
OSPF E2
RIP update
second hub router
Spoke
Problems RIP update

• Suboptimal traffic flow mGRE STOP
Hub-2
• Slower convergence
RIP
Solution
• Increase the AD of OSPF external routes (distance ospf external)
+74 © NIL Data Communications 2010
Spoke configuration – Single DMVPN Uplink
router rip S1
version 2
timers basic 10 30 5 5
network 172.16.0.0 mGRE
network 192.168.0.0 S2 Hub
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Tunnel0 192.168.0.1 S3
• RIP timers are adjusted for faster convergence

• Static default route needs an explicit next hop (mGRE tunnel)
• SLA tracking is not required for non-redundant attachment
Spoke Configuration – Redundant DMVPN

Uplinks
S1A
ip sla 1
icmp-echo 192.168.0.1 source-interface Tunnel0 mGRE-A
threshold 500 S1B
Hub-1
frequency 5
ip sla schedule 1 life forever start-time now
! S2 mGRE-B
Hub-2
track 1 ip sla 1 reachability
default-state up
delay down 20 up 20 S3
!
ip route 0.0.0.0 0.0.0.0 Tunnel0 192.168.0.1 track 1
ip route 192.168.0.1 255.255.255.255 Tunnel0 192.168.0.1 permanent
• IP SLA verifies DMVPN hub availability

• Use permanent host route to hub site to avoid routing/SLA loops
• Adjust SLA frequency and track delay timers to match your
convergence/stability needs
• Repeat the configuration for the second tunnel interface
IP Routing Table on a Hub Router

C1#show ip route rip | begin Gateway

R 10.0.1.3/32 [120/1] via 192.168.0.3, 00:00:08, Tunnel0
R 10.0.1.4/32 [120/1] via 192.168.0.4, 00:00:07, Tunnel0
R 10.0.1.5/32 [120/1] via 192.168.0.5, 00:00:00, Tunnel0
R 10.0.1.6/32 [120/1] via 192.168.0.6, 00:00:06, Tunnel0
R 172.16.10.0/24 [120/1] via 192.168.0.4, 00:00:07, Tunnel0
[120/1] via 192.168.0.3, 00:00:08, Tunnel0
R 172.16.11.0/24 [120/1] via 192.168.0.5, 00:00:00, Tunnel0
R 172.16.12.0/24 [120/1] via 192.168.0.6, 00:00:06, Tunnel0
S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3

S1A
mGRE-A
Hub-1
S1B
R2#show ip route | exclude ^[CL]

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
mGRE-B
S2
N1 - Hub-2
OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
S3
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
S* 0.0.0.0/0 [1/0] via 192.168.1.1, Tunnel1

[1/0] via 192.168.0.1, Tunnel0
10.0.0.0/32 is subnetted, 1 subnets
S 192.168.0.1/32 [1/0] via 192.168.0.1, Tunnel0
S 192.168.1.1/32 [1/0] via 192.168.1.1, Tunnel1
Reliable Static Routing on a Spoke Router

S1A
R2#show track
Track 1
mGRE-A
IP SLA 1 reachability
Hub-1
S1B
Reachability is Up
2 changes, last change 00:34:01
S2
Delay up 20 secs, down 20 secs
mGRE-B
Hub-2
Latest operation return code: OK
Latest RTT (millisecs) 43
S3
Tracked by:
STATIC-IP-ROUTING 0
Track 2
IP SLA 2 reachability
Reachability is Up
2 changes, last change 00:34:01
Delay up 20 secs, down 20 secs
Latest operation return code: OK
Latest RTT (millisecs) 13
Tracked by:
STATIC-IP-ROUTING 0
R2#show ip route track-table
ip route 0.0.0.0 0.0.0.0 Tunnel0 192.168.0.1 track 1 state is [up]
ip route 0.0.0.0 0.0.0.0 Tunnel1 192.168.1.1 track 2 state is [up]
Detecting Hub Failure on a Spoke Router

R2#debug ip routing static detail
IP static routing detail debugging is on
R2#debug track
Track debugging is on
R2#
11:44:21.631: Track: 1 Down change delayed for 20 secs
11:44:41.635: Track: 1 Down change delay expired
11:44:41.639: Track: 1 Change #3 ip sla 1, reachability Up->Down
11:44:41.643: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
11:44:41.647: IP-ST(default): updating same distance on 0.0.0.0/0
11:44:41.651: IP-ST(default): 0.0.0.0/0 [1], Tunnel1 Path = 1, add succeed,
active state
S1A
mGRE-A
Hub-1
S1B
S2 mGRE-B
Hub-2
S3
Agenda
Spoke enhancements
Scalability
Distributed / Hierarchical Hubs

Challenge S1A
DMVPN
• Number of spoke sites exceed the Hub-1
capability of the hub routers S1B
• Widespread hub sites (regional hubs)

Hub-2
S2 mGRE-B
Hub-3
S3
Solution
• Each spoke connects to a subset of hubs
• Hubs arranged in hierarchy, full-mesh or daisy-chain
• Two routing protocols: spoke-to-hub and hub-to-hub
• NHRP redirects required for direct spoke-to-spoke connectivity
Alternative: Regional DMVPN clouds linked with inter-hub links
Scalability: Distributed / Hierarchical Hubs
Design Guidelines
Generic guidelines S1A
DMVPN
• GRE NHRP shortcuts work only on a single Hub-1
interface S1B
• All routers must belong to the same IP subnet

Hub-2
S2 mGRE-B
• You should use two routing protocols: Hub-3
Spoke-to-hub and hub-to-hub routing protocol S3
Routing protocols suggestions

• Use a scalable spoke-to-hub solution (unidirectional RIP)
• Use your primary IGP between hubs
• Alternatives: OSPF+BGP, EIGRP+BGP, BGP-only
• Do not use two routing protocols that require multicast
Scalability: Distributed / Hierarchical Hubs
Design Guidelines – NHRP

Spoke routers S1A
DMVPN
• Configure hub router as NHS Hub-1
• Configure NHRP + multicast map for NHS

S1B
Hub-2
• Use two hub routers for redundancy S2 mGRE-B
Hub-3
S3
Hub routers
• Avoid dynamic multicast maps on hub routers
• Create a (failure-resistant) hierarchy or mesh of NHS servers
Dual tree, full mesh or daisy chain
• Configure NHS servers
• Configure NHRP + multicast for NHS mesh
Always run OSPF in P2MP mode between hub routers
Scalability: Distributed / Hierarchical hubs
Hub configuration DMVPN

S1A
interface Tunnel0
ip address 192.168.0.2 255.255.255.0 Hub-1
no ip redirects
S1B
ip nhrp authentication WanExamp
ip nhrp map 192.168.0.1 10.0.7.17 Hub-2
ip nhrp map multicast 10.0.7.17 mGRE-B

ip nhrp map 192.168.0.13 10.0.7.29 S2
ip nhrp map multicast 10.0.7.29 Hub-3

ip nhrp nhs 192.168.0.13 S3
ip nhrp nhs 192.168.0.1

ip nhrp shortcut
ip nhrp redirect
ip rip advertise 10
ip ospf network broadcast
ip ospf 1 area 11
tunnel key 12345
• Full mesh between all hub routers

• All other hub routers defined as NHS
• Run OSPF and RIP on DMVPN interface
Conclusions
at http://www.ioshints.info/Webinars
Conclusions
Non-trivial DMVPN is complex
• Hub-and-spoke is easiest, try to avoid Phase 3
• Split default routing is almost mandatory in any-to-any design
• Split default routing on the hub for clean firewall design
Scaling steps
• Distance vector routing protocol between spokes and hubs
• Mesh of regional DMVPN clouds is simpler than huge Phase 3
DMVPN
Questions?

DMVPN Overview

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DMVPN Overview

Uploaded by

Copyright:

Available Formats

DMVPN: From Basics to Scalable Networks

Ivan Pepelnjak (ip@nil.com)

DMVPN = Phase I: hub-and-spoke

• P2P GRE on spoke routers Routing protocols

P2P GRE on Spoke Routers

P2MP GRE on Hub Routers

ip tcp adjust-mss 1360

GRE Tunnel Key Explained

• Mapping incoming GRE packets to multiple

• Unique tunnel destination

NHRP Configuration – Spoke Router

ip nhrp map 192.168.0.1 10.0.7.17

ip nhrp nhs 192.168.0.1

• NHRP network ID & password

Non-Unique NHRP Registrations

NHRP Configuration – Hub Router

ip nhrp map multicast dynamic

• NHRP password & network ID

• Dynamic NHRP multicast maps

Multicast over mGRE principles

network 192.168.0.0 0.0.255.255

router bgp 65005 mGRE

Dynamic BGP Neighbors S1

• Inbound BGP sessions are accepted if the mGRE

• All spoke routers should use the same AS S3

IOS releases 12.2(33)SXH and 15.0(1)S

router bgp 65000

ip nhrp authentication WanExamp

ip ospf network point-to-multipoint

IPSec configuration – Pre-shared Key

• Define IPSec profile

IPSec configuration – Certificates

• Shared keys are replaced by certificates

IP Routing Table on a Spoke Router

R3#show ip route 172.16.0.0

IP Routing Table on a Hub Router

IPsec Sessions on the Spoke Router

Active SAs: 2, origin: crypto map

DMVPN Status on the Spoke Router

Interface: Tunnel0, IPv4 NHRP Details

IPv4 NHS: 192.168.0.1 RE

NHRP mappings on a Hub Router

C1#show ip nhrp multicast

Detailed Initialization Sequence

1. IPsec keys are exchanged (IKE)

3. Spoke uses NHRP to register with the

4. Hub creates dynamic NHRP mapping for the spoke and a

YES: Check the routing protocol

YES: Recursive routing?

NO: IPsec session established on the spoke?

DMVPN Phase II Traffic flow

• mGRE on all routers Routing protocols

Packet flow details

1. Shortcut not established  send packets to the hub router

P2MP GRE on Spoke Routers

ip nhrp authentication WanExamp 1

• No changes on the hub router

ip ospf network broadcast 1

• OSPF multicasts packets delivered only over

Minimize routing updates to spokes

• Do not use summarization

Minimize routing updates to spokes

• Advertise default route template peer-policy DMVPN