Multipoint GRE / DMVPN: Khawar Butt, CCIE # 12353 (R/S, Security, SP, DC, Voice, Storage & CCDE)
[Diagram: four sites (Los Angeles, Dubai, London, Sydney) connected across the Internet; public networks 150.5.5.0/24, 199.1.1.0/24, 200.1.1.0/24 and 75.1.1.0/24; LAN segments 10.1.1.0/24, 10.2.2.0/24 and 10.4.4.0/24]
M-GRE/DMVPN
Normal GRE is a point-to-point protocol: a tunnel can only have a single destination.
This is a disadvantage from the perspective of scalability in a large environment, as you would need to
create a separate tunnel interface for each site that needs to be connected.
MGRE is a variation of point-to-point GRE that allows you to connect multiple sites on the
same tunnel interface.
MGRE uses a protocol called Next Hop Resolution Protocol (NHRP) to map each internal tunnel IP to its
corresponding outer (public) IP.
This can be done manually. Manual mapping requires each site to have a static outer (public) IP.
MGRE also allows the sites to register their mappings with a designated router on this network. This
designated router is known as the Next Hop Server (NHS). This allows the MGRE tunnel to add new
sites dynamically, and is known as DMVPN.
M-GRE Configuration
In the above diagram, we want to connect the 4 sites in a single Multi-point network.
We will assign this multipoint network an IP Address of 192.168.1.0/24 with Los Angeles being (.3), Dubai (.1),
Sydney (.4) & London (.2).
To create a multipoint interface in Los Angeles, we will need to configure the following:
Los Angeles
Generally, the routing is run in a hub-and-spoke manner with the headquarters site being the hub. We will set up Los Angeles as the hub.
We need to create a separate mapping for multicast, as the IGPs are going to establish the neighbor relationship based on multicast traffic.
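The Los Angeles configuration that this slide refers to is not on the page. The following is an added example (not from the slides) of the static MGRE setup described above, for the hub and one spoke. The tunnel addressing (192.168.1.0/24, Los Angeles .3, Dubai .1, London .2, Sydney .4) is from the slides; the Internet-facing interface name and the public IPs (150.5.5.3 Los Angeles, 199.1.1.1 Dubai, 200.1.1.2 London, 75.1.1.4 Sydney) are assumed.

```cisco
! Added example, not from the slides. Tunnel IPs are from the slides;
! interface names and public IPs are assumed.
!
! ----- Los Angeles (hub, tunnel 192.168.1.3, public 150.5.5.3) -----
interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source GigabitEthernet0/0
 ! multipoint GRE: no "tunnel destination"; one interface serves all sites
 tunnel mode gre multipoint
 ! every site must use the same NHRP network-id
 ip nhrp network-id 1
 ! static unicast maps: tunnel (inner) IP -> outer (public) IP
 ip nhrp map 192.168.1.1 199.1.1.1
 ip nhrp map 192.168.1.2 200.1.1.2
 ip nhrp map 192.168.1.4 75.1.1.4
 ! separate multicast maps so IGP hellos are replicated to each site
 ip nhrp map multicast 199.1.1.1
 ip nhrp map multicast 200.1.1.2
 ip nhrp map multicast 75.1.1.4
 ! hub-and-spoke routing: the hub must re-advertise one spoke's routes
 ! to the other spokes over the same interface
 no ip split-horizon eigrp 111
!
router eigrp 111
 network 192.168.1.0 0.0.0.255
!
! ----- Dubai (spoke, tunnel 192.168.1.1, public 199.1.1.1) -----
! Every spoke needs the same kind of static map toward every other site:
! this is the scalability drawback that DMVPN removes.
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map 192.168.1.3 150.5.5.3
 ip nhrp map 192.168.1.2 200.1.1.2
 ip nhrp map 192.168.1.4 75.1.1.4
 ! multicast only toward the hub: the EIGRP adjacency is hub-and-spoke
 ip nhrp map multicast 150.5.5.3
!
router eigrp 111
 network 192.168.1.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
```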
DMVPN Configuration
There are 2 main drawbacks to MGRE. They are:
Each site will have manual maps to all the other sites, which is not a very scalable solution.
All sites need to have static public IPs.
To get around these drawbacks, we have all the sites register themselves with a specific router. This
router is known as the Next-Hop-Server (NHS).
We configure all the sites to register their Public IP with the NHS. The NHS will get the
mappings from all the sites.
The sites will only have a static mapping towards the NHS. If the client sites want to
communicate with each other, they will ask the NHS for the mapping.
This mapping is cached for 2 hours. For the next 2 hours, client sites connect to each other
directly.
DMVPN Configuration
The configuration for the NHS is as follows:
Los Angeles
 interface Tunnel 1
  ip nhrp map multicast dynamic
The clients will need to be configured with the IP address of the NHS and the mapping to reach it.
The reason behind this is that the NHS changes the next hop of the LAN-segment routes to itself
before forwarding them from spoke to spoke.
DMVPN Phase I is the default Phase for EIGRP as the Routing Protocol.
DMVPN Phase II
The Control Plane (routing traffic) in all phases is generally set up in a hub-and-spoke manner
with the NHS being the hub.
In Phase II, the Data Plane traffic is forwarded directly between the spokes.
This is accomplished by tweaking the routing protocol.
You need to configure the NHS NOT to change the next hop of the routes that it propagates
from spoke to spoke.
R1 - NHS
 interface Tunnel 1
  no ip next-hop-self eigrp 111
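Added example (not from the slides) of a DMVPN hub and one spoke, covering the NHS registration described under DMVPN Configuration and the Phase II next-hop change above. It assumes Los Angeles is the NHS at 192.168.1.3 with public IP 150.5.5.3 (the slides label the NHS "Los Angeles" and also "R1"), Dubai is the spoke at 192.168.1.1 with public IP 199.1.1.1, and GigabitEthernet0/0 is the Internet-facing interface.

```cisco
! Added example, not from the slides. Public IPs and interface names assumed.
!
! ----- Los Angeles: NHS / hub (tunnel 192.168.1.3, public 150.5.5.3) -----
interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ! no static maps: spokes register tunnel IP -> public IP with the NHS,
 ! and the hub replicates IGP multicast to every registered spoke
 ip nhrp map multicast dynamic
 ! the hub must re-advertise spoke routes out the interface it learned them on
 no ip split-horizon eigrp 111
 ! Phase II only: keep the originating spoke as next hop so spoke-to-spoke
 ! data bypasses the hub (the default, next-hop-self, is Phase I behaviour)
 no ip next-hop-self eigrp 111
!
router eigrp 111
 network 192.168.1.0 0.0.0.255
!
! ----- Dubai: spoke (tunnel 192.168.1.1, public 199.1.1.1) -----
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 ! Phase I could use a point-to-point GRE tunnel to the hub; Phase II
 ! needs multipoint so the spoke can send directly to other spokes
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ! the only static mapping a spoke needs: how to reach the NHS
 ip nhrp map 192.168.1.3 150.5.5.3
 ip nhrp map multicast 150.5.5.3
 ! register with the NHS; other spokes are resolved on demand
 ip nhrp nhs 192.168.1.3
 ! holdtime advertised in this spoke's registrations and replies:
 ! entries other routers learn for it expire after 7200 s (2 hours, the default)
 ip nhrp holdtime 7200
!
router eigrp 111
 network 192.168.1.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
```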
DMVPN Phase III
The Control Plane (routing traffic) in all phases is generally set up in a hub-and-spoke manner with the NHS being the hub.
In Phase III, the Data Plane traffic is forwarded directly between the spokes. This is accomplished by tweaking NHRP.
You need to configure the NHS NOT to change the next hop of the routes that it propagates from spoke to spoke. This
configuration is done on the NHS.
The main advantage of Phase III over Phase II is that it directly creates a mapping between the LAN segment and the public IP.
This eliminates a dual check.
It also allows the hub to perform route summarization for all the spoke routes, reducing the size of the spoke routing table.
R1 - NHS
 interface Tunnel 1
  ip nhrp redirect
R2, R3, R4
 interface Tunnel 1
  ip nhrp shortcut
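Added example (not from the slides) of the Phase III hub and spoke, including the route summarization the text mentions. Same assumptions as before: Los Angeles is the NHS (tunnel 192.168.1.3, public IP 150.5.5.3), Dubai is the spoke (tunnel 192.168.1.1), GigabitEthernet0/0 faces the Internet, and the 10.0.0.0/8 summary covers the spoke LANs shown in the diagram.

```cisco
! Added example, not from the slides. Public IPs and interface names assumed.
!
! ----- Los Angeles: NHS / hub -----
interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ! Phase III: when the hub forwards a packet back out the same tunnel
 ! interface, it sends an NHRP redirect to the originating spoke
 ip nhrp redirect
 ! next-hop-self stays at its default: spokes no longer need the real
 ! next hop in the routing table, NHRP supplies the public IP directly
 no ip split-horizon eigrp 111
 ! summarize the spoke LANs (10.1.1.0, 10.2.2.0, 10.4.4.0) into one route;
 ! spokes carry only the summary and resolve specifics via NHRP
 ip summary-address eigrp 111 10.0.0.0 255.0.0.0
!
router eigrp 111
 network 192.168.1.0 0.0.0.255
!
! ----- Dubai: spoke -----
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map 192.168.1.3 150.5.5.3
 ip nhrp map multicast 150.5.5.3
 ip nhrp nhs 192.168.1.3
 ! on receiving a redirect, resolve the destination LAN with NHRP and
 ! install the shortcut (LAN prefix -> remote spoke public IP)
 ip nhrp shortcut
!
router eigrp 111
 network 192.168.1.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
```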
Encrypting the DMVPN Tunnel
Although DMVPN provides scalability to the network, it is still based on GRE.
The data is transmitted in clear text.
You can use IPSec to encrypt the traffic by using the same method to encrypt the tunnel interface as we used for GRE point-to-point.
This is also referred to as GRE over IPSec.
Configuring IPSec to Encrypt the DMVPN Tunnel
Los Angeles
 crypto ipsec transform-set TSET esp-3des esp-sha-hmac
  mode transport
Dubai
 crypto ipsec transform-set TSET esp-3des esp-sha-hmac
  mode transport
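Added example (not from the slides) of the rest of the GRE-over-IPsec setup: the ISAKMP policy, a pre-shared key, the transform-set, an IPsec profile, and the tunnel protection applied to Tunnel1. The same configuration goes on every site. The policy number, key value and profile name are placeholders, and AES is used here in place of the 3DES shown on the slide.

```cisco
! Added example, not from the slides; identical on hub and spokes.
!
! IKE phase 1 policy (number and parameters assumed)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! wildcard peer address: the hub does not need to list every spoke's
! public IP, which matters when spokes use dynamic addresses
! DMVPN-PSK-PLACEHOLDER stands in for a real shared secret
crypto isakmp key DMVPN-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
!
! IPsec proposal: AES here instead of the slide's 3DES; transport mode,
! because the GRE outer IP header already carries the public addresses
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode transport
!
! profile instead of a crypto map: no ACL or peer list is needed,
! the tunnel interface supplies both
crypto ipsec profile DMVPN-PROF
 set transform-set TSET
!
! bind the profile to the multipoint tunnel; every GRE packet sent from
! Tunnel1 is now encrypted, NHRP registrations included
interface Tunnel1
 tunnel protection ipsec profile DMVPN-PROF
```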