Multipoint GRE / DMVPN


KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]

Overview
• Multipoint GRE / DMVPN Overview
• MGRE Configuration Commands
• Lab Configuration
• DMVPN Configuration Commands
• Lab Configuration

M-GRE
[Diagram: Los Angeles, Dubai, London and Sydney connected across the Internet. Labelled networks: 150.5.5.0/24, 199.1.1.0/24, 200.1.1.0/24, 75.1.1.0/24, 10.1.1.0/24, 10.2.2.0/24, 10.3.3.0/24, 10.4.4.0/24.]

M-GRE/DMVPN
• Normal GRE is a point-to-point protocol. It can only have a single destination.
• This is a disadvantage for scalability in a large environment, as you would need to create a separate tunnel interface for each site that needs to be connected.
• MGRE is a variation of normal point-to-point GRE that allows you to connect multiple sites on the same tunnel interface.
• MGRE uses a protocol called Next Hop Resolution Protocol (NHRP) to map each internal tunnel IP to its corresponding outer (public) IP.
• This can be done manually. Manual mapping requires each site to have a static outer IP (public IP).
• M-GRE also allows the sites to register their mappings with a designated router on this network. This designated router is known as the Next Hop Server (NHS). This allows the M-GRE tunnel to add new sites dynamically, and is known as DMVPN.

M-GRE Configuration
• In the above diagram, we want to connect the 4 sites in a single multipoint network.
• We will assign this multipoint network an IP address of 192.168.1.0/24 with Los Angeles being (.3), Dubai (.1), Sydney (.4) & London (.2).
• To create a multipoint interface in Los Angeles, we will need to configure the following:

Los Angeles

interface Tunnel 1 (Tunnel number; range 0 – 2 billion)
 ip address 192.168.1.1 255.255.255.0 (The tunnel IP that connects the devices)
 tunnel source 150.5.5.1 (Local device's public IP)
 tunnel mode gre multipoint (Multipoint GRE; no single remote destination is configured)
 ip nhrp network-id 1 (Enable NHRP on the interface; 1 is locally significant)
 ip nhrp map 192.168.1.2 199.1.1.1 (Maps the remote peer 192.168.1.2 to 199.1.1.1)
 ip nhrp map 192.168.1.3 75.1.1.1 (Maps the remote peer 192.168.1.3 to 75.1.1.1)
 ip nhrp map 192.168.1.4 200.1.1.1 (Maps the remote peer 192.168.1.4 to 200.1.1.1)

M-GRE Configuration
• We need to repeat the configuration on the other devices in the same manner, with maps for their remote devices.
• Generally, the routing is run in a hub-and-spoke manner with the headquarters site being the hub. We will set up Los Angeles as the hub.
• We need to create a separate mapping for multicast, as the IGPs are going to establish the neighbor relationship based on multicast traffic.
• We will forward all the client multicast traffic to LA by creating a multicast mapping on them. LA will create 3 mappings, one for each of the other sites.

M-GRE Configuration
• The multicast mapping is below:

Los Angeles
interface Tunnel 1
 ip nhrp map multicast 199.1.1.1
 ip nhrp map multicast 75.1.1.1
 ip nhrp map multicast 200.1.1.1
 no ip split-horizon eigrp 100

All Other Sites
interface Tunnel 1
 ip nhrp map multicast 150.5.5.1

Lab Configuration
• Configure a multipoint GRE tunnel to connect the 4 sites to each other in a single tunnel.
• Use static NHRP mappings on each site.
• Run EIGRP in AS 100 on the tunnel interface.
• Configure the appropriate multicast mapping on each site to establish the tunnel.

Lab Configuration

Los Angeles
interface Tunnel 1
 ip address 192.168.1.1 255.255.255.0
 tunnel source 150.5.5.1
 tunnel mode gre multipoint
 ip nhrp map 192.168.1.2 199.1.1.1
 ip nhrp map 192.168.1.3 75.1.1.1
 ip nhrp map 192.168.1.4 200.1.1.1
 ip nhrp map multicast 199.1.1.1
 ip nhrp map multicast 75.1.1.1
 ip nhrp map multicast 200.1.1.1
 no ip split-horizon eigrp 100
!
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0

Dubai
interface Tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source 199.1.1.1
 tunnel mode gre multipoint
 ip nhrp map 192.168.1.1 150.5.5.1
 ip nhrp map 192.168.1.3 75.1.1.1
 ip nhrp map 192.168.1.4 200.1.1.1
 ip nhrp map multicast 150.5.5.1
!
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0

Lab Configuration

Sydney
interface Tunnel 1
 ip address 192.168.1.3 255.255.255.0
 tunnel source 75.1.1.1
 tunnel mode gre multipoint
 ip nhrp map 192.168.1.1 150.5.5.1
 ip nhrp map 192.168.1.2 199.1.1.1
 ip nhrp map 192.168.1.4 200.1.1.1
 ip nhrp map multicast 150.5.5.1
!
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0

London
interface Tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source 200.1.1.1
 tunnel mode gre multipoint
 ip nhrp map 192.168.1.1 150.5.5.1
 ip nhrp map 192.168.1.2 199.1.1.1
 ip nhrp map 192.168.1.3 75.1.1.1
 ip nhrp map multicast 150.5.5.1
!
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0
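
With static mappings, every site must carry a correct map for every other site, so one mistyped line silently drops a peer. The following Python check is an added example, not part of the original slides: it audits a site's `ip nhrp map` lines against the lab's address plan. The names `SITES`, `parse_nhrp_maps` and `audit_site` are hypothetical, and the sample configuration is constructed.

```python
# Tunnel IP -> public IP for the four lab sites, as used in the lab configs.
SITES = {
    "192.168.1.1": "150.5.5.1",   # Los Angeles (hub)
    "192.168.1.2": "199.1.1.1",   # Dubai
    "192.168.1.3": "75.1.1.1",    # Sydney
    "192.168.1.4": "200.1.1.1",   # London
}
HUB = "192.168.1.1"


def parse_nhrp_maps(config):
    """Split 'ip nhrp map' lines into unicast {tunnel: public} and a multicast set."""
    unicast, multicast = {}, set()
    for line in config.splitlines():
        words = line.split()
        if len(words) != 5 or words[:3] != ["ip", "nhrp", "map"]:
            continue  # a misspelled keyword is skipped here and surfaces as a missing map
        if words[3] == "multicast":
            multicast.add(words[4])
        else:
            unicast[words[3]] = words[4]
    return unicast, multicast


def audit_site(own_tunnel_ip, config):
    """Return a sorted list of problems in one site's static mGRE mappings."""
    unicast, multicast = parse_nhrp_maps(config)
    peers = {t: p for t, p in SITES.items() if t != own_tunnel_ip}
    problems = []
    for tunnel_ip, public_ip in peers.items():
        if tunnel_ip not in unicast:
            problems.append(f"no map for {tunnel_ip}")
        elif unicast[tunnel_ip] != public_ip:
            problems.append(f"{tunnel_ip} maps to {unicast[tunnel_ip]}, expected {public_ip}")
    # The hub replicates multicast to every spoke; a spoke sends it to the hub only.
    wanted = set(peers.values()) if own_tunnel_ip == HUB else {SITES[HUB]}
    for public_ip in sorted(wanted - multicast):
        problems.append(f"no multicast map for {public_ip}")
    return sorted(problems)


# Constructed sample: a Sydney config with a mistyped keyword on the London map.
SYDNEY = """\
interface Tunnel 1
 ip nhrp map 192.168.1.1 150.5.5.1
 ip nhrp map 192.168.1.2 199.1.1.1
 ip nrhp map 192.168.1.4 200.1.1.1
 ip nhrp map multicast 150.5.5.1
"""

if __name__ == "__main__":
    print(audit_site("192.168.1.3", SYDNEY))
```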

DMVPN
[Diagram: Los Angeles, Dubai, London and Sydney connected across the Internet. Labelled networks: 150.5.5.0/24, 199.1.1.0/24, 200.1.1.0/24, 75.1.1.0/24, 10.1.1.0/24, 10.2.2.0/24, 10.3.3.0/24, 10.4.4.0/24.]

DMVPN Configuration
• There are 2 main drawbacks to MGRE. They are:
   - Each site will have manual maps to all the other sites, which is not a very scalable solution.
   - All sites need to have static public IPs.
• To get around these drawbacks, we have all the sites register themselves with a specific router. This router is known as the Next-Hop-Server (NHS).
• We configure all the sites to register their public IP with the NHS. The NHS will get the mappings from all the sites.
• The sites will only have a static mapping towards the NHS. If the client sites want to communicate with each other, they will ask the NHS for the mapping.
• This mapping is cached for 2 hours. For the next 2 hours, client sites connect to each other directly.
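
The registration and lookup behaviour described above, modelled in Python as an added example (not from the original slides, and not router code). The class and function names are hypothetical; the model ignores packet formats and treats the 2-hour cache as a simple timer driven by a `now` value in seconds.

```python
CACHE_SECONDS = 2 * 60 * 60  # the slides: a resolved mapping is cached for 2 hours


class NextHopServer:
    """Hub side: learns tunnel-IP -> public-IP mappings from spoke registrations."""

    def __init__(self, tunnel_ip, public_ip):
        self.tunnel_ip, self.public_ip = tunnel_ip, public_ip
        self.registered = {}

    def register(self, tunnel_ip, public_ip):
        self.registered[tunnel_ip] = public_ip  # spokes need no static public IP

    def resolve(self, tunnel_ip):
        return self.registered.get(tunnel_ip)


class Spoke:
    """Client side: one static map (to the NHS) plus a timed resolution cache."""

    def __init__(self, tunnel_ip, public_ip, nhs):
        self.nhs = nhs
        self.static = {nhs.tunnel_ip: nhs.public_ip}  # ip nhrp nhs + ip nhrp map
        self.cache = {}                               # tunnel_ip -> (public_ip, expiry)
        self.queries = 0                              # resolution requests sent to the NHS
        nhs.register(tunnel_ip, public_ip)

    def lookup(self, tunnel_ip, now):
        """Return the public IP to tunnel to, asking the NHS only when needed."""
        if tunnel_ip in self.static:
            return self.static[tunnel_ip]
        cached = self.cache.get(tunnel_ip)
        if cached and now < cached[1]:
            return cached[0]
        self.queries += 1
        public_ip = self.nhs.resolve(tunnel_ip)
        if public_ip is not None:
            self.cache[tunnel_ip] = (public_ip, now + CACHE_SECONDS)
        return public_ip


def lab():
    """Build the lab from the slides: Los Angeles as NHS, three registering spokes."""
    hub = NextHopServer("192.168.1.1", "150.5.5.1")
    spokes = {name: Spoke(tunnel_ip, public_ip, hub) for name, tunnel_ip, public_ip in [
        ("Dubai", "192.168.1.2", "199.1.1.1"),
        ("Sydney", "192.168.1.3", "75.1.1.1"),
        ("London", "192.168.1.4", "200.1.1.1")]}
    return hub, spokes
```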

DMVPN Configuration
• The configuration for the NHS is as follows:

Los Angeles

interface Tunnel 1 (Tunnel number; range 0 – 2 billion)
 ip address 192.168.1.1 255.255.255.0 (The tunnel IP that connects the devices)
 tunnel source 150.5.5.1 (Local device's public IP)
 tunnel mode gre multipoint (Multipoint GRE; no single remote destination is configured)
 ip nhrp network-id 1 (Enable NHRP on the interface; 1 is locally significant)

• The clients will need to be configured with the IP address of the NHS and the mapping to reach it.

interface Tunnel 1 (Tunnel number; range 0 – 2 billion)
 ip address 192.168.1.X 255.255.255.0 (The tunnel IP that connects the devices)
 tunnel source X.X.X.X (Local device's public IP)
 tunnel mode gre multipoint (Multipoint GRE; no single remote destination is configured)
 ip nhrp network-id 1 (Enable NHRP on the interface; 1 is locally significant)
 ip nhrp nhs 192.168.1.1 (The tunnel IP of the NHS)
 ip nhrp map 192.168.1.1 150.5.5.1 (The mapping to reach the NHS)

DMVPN Configuration
• The multicast mapping on the clients will be pointing towards the NHS. On the NHS, you will configure the router to use each dynamically registered address as a multicast destination.

Los Angeles
interface Tunnel 1
 ip nhrp map multicast dynamic

All Other Sites
interface Tunnel 1
 ip nhrp map multicast 150.5.5.1

Lab Configuration
• Configure a DMVPN tunnel to connect the 4 sites to each other in a single tunnel.
• Use Los Angeles as the NHS. Configure all the other sites to register their public to tunnel IP mappings with the NHS.
• NHS should be the routing hub.
• Run EIGRP in AS 111 on the tunnel interface.
• Configure the appropriate multicast mapping on each site to establish the tunnel.

Lab Configuration

Los Angeles
interface Tunnel 1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E 0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 100
!
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0

Dubai
interface Tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source 199.1.1.1
 tunnel mode gre multipoint
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 150.5.5.1
 ip nhrp map multicast 150.5.5.1
!
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0

Lab Configuration

Sydney
interface Tunnel 1
 ip address 192.168.1.3 255.255.255.0
 tunnel source 75.1.1.1
 tunnel mode gre multipoint
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 150.5.5.1
 ip nhrp map multicast 150.5.5.1
!
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0

London
interface Tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source 200.1.1.1
 tunnel mode gre multipoint
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 150.5.5.1
 ip nhrp map multicast 150.5.5.1
!
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0

DMVPN Phase I
• The control plane (routing traffic) in all phases is generally set up as hub-and-spoke, with the NHS being the hub.
• In Phase I, the data plane traffic is also forwarded in a hub-and-spoke manner, where the NHS is the data plane hub.
• The reason behind it is that the NHS changes the next hop address of the LAN segments to itself before forwarding it from spoke to spoke.
• DMVPN Phase I is the default phase with EIGRP as the routing protocol.

DMVPN Phase II
• The control plane (routing traffic) in all phases is generally set up as hub-and-spoke, with the NHS being the hub.
• In Phase II, the data plane traffic is forwarded directly between the spokes.
• This is accomplished by tweaking the routing protocol.
• You need to configure the NHS NOT to change the next hop of the routes that it propagates from spoke to spoke.
• This configuration is done on the NHS.

R1 - NHS
interface Tunnel 1
 no ip next-hop-self eigrp 111

DMVPN Phase III
• The control plane (routing traffic) in all phases is generally set up as hub-and-spoke, with the NHS being the hub.
• In Phase II, the data plane traffic is forwarded directly between the spokes. This is accomplished by tweaking the NHRP.
• You need to configure the NHS NOT to change the next hop of the routes that it propagates from spoke to spoke. This configuration is done on the NHS.
• The main advantage of Phase III over Phase II is that it directly creates a mapping between the LAN segment and the public IP. This eliminates a dual check.
• It also allows the hub to perform route summarization for all the spoke routes, reducing the size of the spoke routing table.

R1 - NHS
interface Tunnel 1
 ip nhrp redirect

R2, R3, R4
interface Tunnel 1
 ip nhrp shortcut

Encrypting the DMVPN Tunnel
• Although DMVPN provides scalability to the network, it is still based on GRE.
• The data is transmitted in clear text.
• You can use IPSec to encrypt the traffic by using the same method to encrypt the tunnel interface as we used for point-to-point GRE.
• This is also referred to as GRE over IPSec.

Configuring IPSec to Encrypt the DMVPN Tunnel

Los Angeles and Dubai (identical configuration on both)
crypto isakmp policy 10
 auth pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPROF
 set transform-set TSET
!
interface Tunnel 1
 tunnel protection ipsec profile IPROF

Configuring IPSec to Encrypt the DMVPN Tunnel

Sydney and London (identical configuration on both)
crypto isakmp policy 10
 auth pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPROF
 set transform-set TSET
!
interface Tunnel 1
 tunnel protection ipsec profile IPROF
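
The lab's crypto settings (3DES, MD5, Diffie-Hellman group 2 and a pre-shared key bound to address 0.0.0.0) are legacy choices that a configuration review would normally flag before production use. The Python audit below is an added example, not part of the original slides; the function name `audit_crypto` and the weak-algorithm baseline are this example's assumptions, and the sample is constructed from the configuration shown above.

```python
# Baseline assumed by this example: DES/3DES, MD5 and DH groups 1, 2 and 5 are weak.
WEAK_POLICY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def audit_crypto(config):
    """Return (line_number, finding) pairs for an IOS-style crypto configuration."""
    findings, in_policy = [], False
    for number, raw in enumerate(config.splitlines(), start=1):
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            in_policy = True  # the following lines belong to this ISAKMP policy
        elif words[0] in ("crypto", "interface", "!"):
            in_policy = False
            if words[:3] == ["crypto", "isakmp", "key"] and "address" in words:
                peer = words[words.index("address") + 1:]
                if peer[:1] == ["0.0.0.0"]:
                    findings.append((number, "pre-shared key accepted from any peer address"))
            elif words[:3] == ["crypto", "ipsec", "transform-set"]:
                for transform in words[4:]:
                    if transform in WEAK_TRANSFORMS:
                        findings.append((number, f"weak transform {transform}"))
        elif in_policy and len(words) >= 2 and words[1] in WEAK_POLICY.get(words[0], ()):
            findings.append((number, f"weak ISAKMP {words[0]} {words[1]}"))
    return findings


# Constructed sample: one site's copy of the crypto section shown on this page.
PAGE_CONFIG = """\
crypto isakmp policy 10
 auth pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile IPROF
 set transform-set TSET
interface Tunnel 1
 tunnel protection ipsec profile IPROF
"""

if __name__ == "__main__":
    for number, finding in audit_crypto(PAGE_CONFIG):
        print(f"line {number}: {finding}")
```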
Whiteboard
