Configuring DMVPN with mGRE, IPSec and NHRP

Captions
Today I thought we'd take a look at DMVPN, dynamic multipoint VPNs. This is a good extension of the tutorial that I did a little while ago on using IPSec over a GRE tunnel. What you do with a DMVPN is you take that concept and you expand on it. So I've drawn up this little network map here that we're looking at to give an idea. Let me explain the basic concept first and then we'll go through the configuration.

So if we had a situation like this where we had our business and we had five sites on it, and we wanted to do a full mesh connection between the sites, and let's say they were all interconnected by the internet, we could set up a GRE tunnel using IPSec. If we want to do a full mesh, what that would be is a tunnel from router 1, which is going to be our headquarters: we'd have to configure a tunnel from router 1 to go to router 4, and a tunnel from router 1 to go to router 2, and from router 1 to router 3, and router 1 to router 5. And then for a full mesh we'd want these other sites that are represented by R2, R3, R4 and R5 to also have connections to each other, so we'd have to do another tunnel from R4 to R2 and another tunnel from R4 to R3 and another tunnel from R4 to R5, and so on and so on. So you end up configuring a lot of IPSec GRE tunnels to make that work.

What DMVPN does in a nutshell is it automates a lot of that process for you. So again in this case we have our data center. You have to think of DMVPN as kind of a hub-and-spoke configuration, kind of mishmashed in with a frame relay styled network where you have one hub site, if you are doing a frame relay that was not a full mesh frame relay. So what you do in a DMVPN configuration is you configure router 1 and you build a tunnel from router 1 to router 2, so you build a tunnel here, and then you build a tunnel from router 1 to router 3 and a tunnel from router 1 to router 4 and a tunnel from router 1 to router 5, same thing that we have to do manually for a full mesh configuration using IPSec over GRE tunnel. But for all these spokes, all these satellite sites, to communicate with each other, the administrator does not have to go in and configure a tunnel from router 4 to router 2 or a tunnel from router 4 to router 3 or from router 4 to router 5. The DMVPN configuration dynamically builds those tunnels as needed. So if there's a network behind router 4 and it needs to talk to something in the network behind router 3 down here, it dynamically builds this tunnel from router 4 to router 3, uses it, waits for it to time out and then it tears down that tunnel. All that configuration and information is all stored, if you will, on our hub router, in this case our data center. So we have a network behind router 4, it needs to talk to router 3, it goes down here to its hub site, says hey, I need to build a tunnel to router 3. Router 3 says here's your next hop information, router 4 says thank you very much, it dynamically builds this tunnel, these two talk to each other, they're done processing data, the tunnel is torn down.

The nice thing about DMVPN is that we can run our internal routing protocols across it. Now the way that this works is very much like some frame relay implementations. Let's say we have router 4 here and we add a new network to router 4 and advertise it into our EIGRP process. Router 4 sends out an update. It does not send the update to router 2, router 3 or router 5; it sends it only to the hub router. So router 4 sends an update to the hub router, the hub router receives it, adds it to the routing table and sends it back out to the other routers that are in the configuration. So it's an interesting animal. We've got some IPSec going on, we've got VPN tunnels going on, we've got a throwback to a non-broadcast multi-access type of network infrastructure, we've got to turn off some split horizons to make this work, we're going to be setting up some mGRE tunnels, multipoint GRE tunnels. So just like this physical interface connects to everything, we're going to set up a GRE tunnel, one tunnel on each device, to connect everything. It really simplifies the work that you as an administrator have to do when you want to create IPSec tunnels between sites, but there are some things to be aware of and some possible gotchas in the configuration as well.

So let's run through this real quick. I'll show you how to do some basic configurations and then we'll do some show outputs and I'll show you some of the concerns that I have with DMVPN. Let me also state that I don't know much about DMVPN. I got interested in it, did a little research on it, found some information on Cisco's websites, and thought I would mock it up and see what the ins and outs of it are. So after we mock this up I'll show you some of the things that I found out, some of the things that caused me some concern, and we'll take it from there.

Okay, so as I mentioned, in our configuration we're not going to configure four spoke sites. We're only going to configure router 2 and router 3; routers 4 and 5 are going to be exactly the same, and the more spoke sites you have, the more scalable DMVPN becomes, the fewer tunnels you as an administrator have to create manually. For our purpose we're only going to do router 2 and router 3, and router 1 is going to be at our hub site, our data center site, our main site. Each one of these routers has an internet connection. Notice the first three octets are the same, but they are each in their own /30 network space, and behind each router I put a, let's call it a client network. It's a loopback on the router, but we're going to treat this as our client network. Each of these routers is running an EIGRP process number 10, advertising this client network into EIGRP, but right now they have no connection to each other.

So let's hop into router 1 and start that basic configuration on our hub router. Our hub router has the most configuration to it; it's the one that has to tell R2 and R3 and R4 and R5 how to build their tunnels to other sites when they need to. So we have to do a little bit more configuration on our hub router than we do on the spoke routers, but not too much. So let me bring up R1 and we'll get started.

Okay, let me pull this into the window. Here's R1, our hub router. So the first thing we're going to do is I'm going to verify that R1 can actually reach these other routers. So R1's IP address is .1, its default gateway is .2; router 2's IP address is .5, its gateway is .6; and down here for router 3 its IP is .9, its gateway is .10. So I'm just going to do a quick thing, make sure I can get all those: 54.45.12.1, which would be itself; .2 is its default gateway; .5 is router 2; .6 is router 2's default gateway through the internet here; .9 is router 3; and .10 is router 3's default gateway on the internet. Okay, so we can ping all that, we're good to proceed.

So what we do here for the first steps is the same thing that we went through when we set up a GRE tunnel using IPSec. We have to set up our basic IPSec parameters: our ISAKMP policy, our ISAKMP key, because we're going to be using a pre-shared key in this example; we have to create our IPSec transform set, and then we're going to vary it a little bit from what we have to do. We don't create a crypto map, we don't create an access list to tell it which information to encrypt. So let's get the first few steps done so we have our basic IPSec tunnel up and running.

So the first thing we need to do is create an ISAKMP policy. So we're going to do crypto isakmp policy 10. I'm going to kind of fly through this rather quickly; I did another video about IPSec over GRE where I explain this in a little bit more detail, so if I'm going kind of fast just pop back over to that video and take a look. So ISAKMP policy number 10. We're going to use an encryption of AES 192-bit. We are going to use a hash of MD5. Let's set up our authentication; we're going to use a pre-shared key because I don't want to mess with a certificate server. And we're going to put it in Diffie-Hellman group number 2. All right, so we're done with our ISAKMP policy.

Now because we said we were going to use a pre-shared key for our authentication, we have to define that pre-shared key. So crypto isakmp key and then the name of our key; we're going to call ours isakey. Now what we've got to do, there's a 0 we've got to put in here: 0, then isakey, address. Now in the previous video when we set up our ISAKMP key you had to specify the host name or address of the other end of this tunnel that was going to be using this IPSec GRE tunnel. Now because this is going to be a multipoint tunnel we can't specify a host. I guess you could specify a list of hosts, but what we actually do here is we say any. So anything, as long as it has this key, is allowed to initiate an IPSec phase 1, or an ISAKMP, configuration.

Okay, now let's set up our crypto map, which is our IPSec phase. So we go crypto ipsec, this time instead of isakmp, and we're going to do a transform set. Let's call it DMVPN trans set. We're going to use AES, let's say 256-bit, we're going to use MD5, and boom, that's our transform set. All right, we're done with our transform set.

Now when creating a point-to-point IPSec tunnel you normally would create a crypto map, define your interesting traffic with an access list, something like that. What we do in a multipoint GRE that we're going to be using for a DMVPN is we create what's called a profile instead. So crypto ipsec profile, we'll give it a name, DMVPN profile. This is just the name of our profile. We're going to set a timeout on this; this is how long that dynamic tunnel waits before it automatically tears it down. We're going to do it in seconds, and the minimum we can do is 120, so we're going to set it to the minimum just so I can point out some of the things that I've noticed when messing around with this. So a minimum of 120 seconds, and then we say set transform-set to be the name of our transform set, which was right up here. Done. Okay, so we're done with our profile on that one.

All right, so that takes care of all of our IPSec stuff. We've done our ISAKMP, which is phase 1; we've done our IPSec policy, which is phase 2; we've done a profile, which you can kind of think of as a map, although it really isn't. We do a lot of our map statements actually on the interface, but the profile kind of ties things together.

So we're going to create our tunnel interface now: interface tunnel 0. We'd give it an IP address, and back here on our network map I noted for our DMVPN IP plan router 1's tunnel interface is going to be 1.1, router 2 is going to be 1.2 and router 3 is going to be 1.3. So we're going to give this an IP address of 192.168.1.1, and they all are in the same network, so /24. It helps if I put the keyword address in there. All right. We are going to do a no ip redirects. We're going to reduce the MTU size down, because we're going through the internet with encryption on top of the packets.

Now we're going to get into something that does the next hop. This is the configuration that, when the spoke routers come to the hub router, it keeps a database that tells them where to go. So if the hosts behind router 2 need to speak to the hosts behind router 3, it uses a protocol called NHRP, next hop resiliency protocol, next hop something protocol. Router 2 says to router 1, hey, I need to get to this network, what do I do? Router 1 says oh, that's easy, your next hop address is this. Router 2 says thank you very much, it builds a tunnel between router 2 and router 3 and sends the traffic back and forth. Once 120 seconds have elapsed with no traffic, that tunnel is torn down. Router 2 and router 3 in our instance have no knowledge of how to build this tunnel to each other; they have to go to router 1 to get that tunnel information.

So let's drag router 1 back in here; we're going to configure that part of it. So ip nhrp authentication, and for the authentication we use our ISAKMP key. So up above here we defined the ISAKMP key as isakey, our phase 1 key, our pre-shared key. So there's our isakey; we'll copy that and paste it down there. ip nhrp map multicast: now we're building what I had mentioned, which is kind of like a crypto map; it kind of does the same thing, only much more. So map multicast dynamic. What this tells it to do is to allow dynamic multicast protocols to use the dynamic tunnels, and in this case we're using EIGRP, which is a multicast protocol, so we want to make sure that multicast is allowed. ip nhrp network-id: we're going to give it a network ID; we're going to call it network ID 1 in case we had more than one of these set up. We are going to turn off split horizon for EIGRP process 10. Now I had mentioned here when we looked at the map, there is only one real interface here, so if router 2 has an update it sends it to router 1 through Fa0/0 and then router 1 has to send it back out through that same interface to the other routers. Now in this case we're creating GRE tunnels, but still we don't have to create multiple tunnels; we're creating a multipoint GRE tunnel, so there's going to be one tunnel coming in and the updates are going to come into that tunnel, and router 1 has to turn around and send those updates back out through that same tunnel interface to the other routers that are in the DMVPN network. So we've got to turn off split horizon or else that won't work. We also need to turn off next-hop-self for that same process. Okay, that takes care of the next-hop-self.

Now we need to specify a tunnel source, which is Fa0/0: tunnel source fast 0/0. And tunnel mode: we're going to tell it that it's going to be a GRE multipoint tunnel. And we're going to set up a tunnel key; we'll use 0. And there our tunnel interface comes up. And the last thing we want to do is add our IPSec layer on top of our tunnel interface, our multipoint tunnel interface as we've configured here. So we're going to say tunnel protection ipsec profile, and it's going to be the profile that we created called DMVPN profile, right here, this guy right here, the profile that we created earlier. So that's the encryption layer that we want put on that mGRE tunnel, multipoint GRE tunnel. Okay, so we're done with our tunnel interface.

The last thing we need to do is add the new IP space that we created to our EIGRP process. So right here 10.1.1.0 is the network that's behind router 1; we need to add this network, our virtual tunnel interface network, to the routing process as well. So we are going to say router eigrp 10, network 192.168.1.0. So we're adding our GRE tunnel interface IP space to the routing process. All right, that's all we need to do on router 1. Now I'm just going to slide this up out of the way because we do need to come back to it.

Let's get router 2 quickly now. Router 2 is our first spoke router, our first spoke site. So what we need to do on router 2, going into config mode: the first process is the same. We still need to set up all the same ISAKMP policies, IPSec policies, the profile, password, all that stuff that we did on router 1 we need to recreate on router 2 so we can form the tunnel. So we're going to go back to router 1, show run, and I'm just going to copy and paste all that information from router 1 right on to router 2. So this is all the information we need: our ISAKMP policy, our password, our transform set and our profile. So we're just going to copy that from router 1, flip over to router 2, paste it in there. Now all of our policies match.

Okay, next thing we need to do is create our tunnel interface. Now here's the interesting thing, let me point this out in case it got missed: we are not creating a tunnel interface from router 1 to router 2 and another tunnel interface from router 1 to router 3. They're both using tunnel 0. So tunnel 0 goes to this one, tunnel 0 goes to router 3; same thing from router 3, tunnel 0 is going to take it to router 1 when it needs to, and tunnel 0 is also going to take it to router 3 or router 4 or router 5 whenever it needs to. That's why we're using mGRE, multipoint GRE: we can have multipoint configurations over this single interface, again very much like a frame relay network. So that's why we're only creating a single tunnel interface on each device.

Okay, so we created our tunnel. The next thing we need to do is give it an IP address, 192.168.1.2. So there's its IP address. We're going to do no ip redirects on this one. ip mtu, same MTU, knock that down a little bit because of the encryption. I don't know if I need to back this out or fiddle; I think it will just overwrite it. But okay. ip nhrp, next hop resiliency whatever protocol, authentication: it's going to again be our ISAKMP key, which we copied right up here, isakey goes in there. We want to make sure our dynamic routing protocols can get across it, so again multicast: ip nhrp, I always forget, map multicast dynamic, to allow dynamic multicast routing protocols to use our multipoint GRE tunnel. We are going to say ip nhrp nhs, the next hop server, or the one that can tell you how to form your tunnels, is 192.168.1.1. This is our hub, the tunnel IP address of our hub right over here; router 1 gets 1.1, it's our hub. So we're telling router 2 you've got to go to the hub to get your information, to get your next hop information. Now we tell it, by the way, to get to 192.168.1.1 you need to use the real IP address on that interface, 12.1. So this is our map; it says to get to 192.168.1.1 you really need to use 54.45.12.1, which is the real IP address of Fa0/0. So that takes care of that. Then we need to do something very similar to allow the multicast to work: map multicast, and we're telling it for multicast you also need to use this external IP address, for your multicast like EIGRP in our case. We've got to give it an ID, and we used 1 on our hub so we'll use 1. We've got to use a tunnel source; the interface is going to be Fa0/0, that's the only interface that we've got I can use. Tunnel mode gre multipoint, same thing as what we had to do on the hub site. We're going to use tunnel key 0, and we have to add our IPSec tunnel protection: tunnel protection ipsec profile, having trouble typing, and the name of our profile, which was DMVPN profile. We take that, put it down there, and that's going to add the IPSec layer on top of our mGRE tunnel. We're going to exit out of that, and just like we did on router 1 we have to add that tunnel subnet to our routing process. So router eigrp 10, network 192.168.1.0. All right, so that adds the network to our process, and just like that we see a new neighbor come up, 192.168.1.1. Remember our diagram: 1.1 is the GRE tunnel IP address that we assigned to router 1. So router 2, that we're configuring now, now sees router 1 as an EIGRP neighbor. So that's it for router 2.

Let's hop on over to router 3 and configure that now. The nice thing about this: once we have one spoke router configured, the other spoke routers are almost identical. The only thing we change is the IP address that we assign to the tunnel interface, so we can do lots of copying and pasting here. So let's go back to router 2, do a show run. We can grab all of our IPSec information right here: our ISAKMP policy, our ISAKMP password, our transform set and our policy. We take all that from router 2 and we can pop it on to router 3. Interface: we're going to create our interface tunnel 0, give it an IP address 192.168.1.1, and then I did the same thing again, didn't I, forgot to use address, and then .3. We can copy all the other information from the tunnel interface and paste it into the third spoke router. So everything except the IP address: we copy all of this and put it into tunnel 3. Now we should see our IPSec, there we go. And the last step again is to add, in this router's EIGRP process, our new DMVPN network segment. So router eigrp 10, network 192.168.1.0, and there we go, we see another neighbor come up from router 3. So router 3 now sees the hub router, router 1, as an EIGRP neighbor.

So let's back out of this a little bit. So now that we have our neighbors formed, let's do this from router 3. Let's ping the, well, let's do this first of all: let's make sure we see everything in our routing table, so show ip route. Okay, so this is router 3, so we see the 10.1.1 network which came from router 1, we see the 192 17 which came from router 2, and you can see both of these are through EIGRP. If we do show ip eigrp neighbors you'll see that it actually only has a neighbor relationship with 1.1, which was assigned to our hub router for our VPN tunnel. So it's got a relationship with 1.1. If we do a show crypto isakmp sa you'll see right here we only have a security association back to 12.1, which is our hub router. And if we hop over to router 2 we should see the same thing, only basically in reverse. show ip eigrp neighbor: it only has a neighbor with the hub router. show ip route: it knows about, it should know about the 192 as directly connected, it knows about the 200 network which came from router 3, and about the 10.1.1 network which came from router 1. Again if we do a show crypto isakmp sa it only has a tunnel open with the hub router.

So here's how this works. If we're sitting on router 2 and we want to ping a host that sits behind router 3, so we're sitting on router 2 here, we're going to ping a host behind router 3 at 192.168.200.1. So ping 192.168.200.1 goes through. Let's do a traceroute: traceroute 192.168.200.1 went to 1.3, which is the tunnel interface that we assigned right down here to router 3. Remember on this side router 3 gets the 1.3 IP address, so that's one hop away. So now let's do a show crypto isakmp sa. We see now that it dynamically built this other IPSec tunnel. Well, this is phase 1, so this is the phase 1 negotiation, but we have a phase 1 tunnel between .5 and .9. So if we look at this back here again, .5 is the real IP for the WAN interface on router 2 and .9 is the real IP for the WAN interface on router 3. So it dynamically built that tunnel. If you remember up here we just did the same output, I thought we did, it must have been on the other, right here: when we did that previously we only had a tunnel built to the hub router, but now that we needed to send traffic from router 3 to the networks between router 3 and router 2 it dynamically built that VPN tunnel for us so that we're only one logical hop away.

So if we hop onto router 3 we should see that: show crypto isakmp sa. Now the reason I'm doing the isakmp, I mean that's really only phase 1. To see the IPSec tunnel we should be saying show crypto ipsec sa. That shows us the actual IPSec tunnel where we see packets are being encrypted and decrypted, but it's pretty messy. So here we see that it's going from .9, which is router 3's WAN interface, to .1, and we tab down a little bit and here's our second one that goes from .9 to .5, which is router 3 to router 2, and we can see the packets are encrypted and decrypted, etc. The reason I'm using the isakmp sa is because it shows the tunnels up and it's a much quicker and easier to look at output. It does not show us, however, like we see with IPSec, that the packets are actually being encrypted by our IPSec policy. So I mean there is a big difference; I'm just using this as a shortcut to verify tunnels.

Okay, so now if we do a show ip eigrp neighbor we still only have the one neighbor back at the hub router. So even though router 2 and router 3 are receiving the routes from each other, it's using a hub-and-spoke configuration based very much on frame relay. So router 2 is advertising its client network through EIGRP; its neighbor is the hub router, router 1. On that tunnel 0 we disabled split horizon, so router 1 receives that update from router 2 on the tunnel and it turns around and sends it out to the other multicast clients on that multipoint GRE tunnel. So it comes into router 1, router 1 updates the routing table and then lets router 2 and router 4 and router 5 know about that.

So those are the basics for setting up a basic DMVPN. So now I'll tell you the few things that have me concerned about DMVPN now that I've played with it, and let me preface this by saying, you know, I have not been working with DMVPN for long at all, just started looking into it, so I suspect a lot of the questions and the concerns that I have can be answered fairly easily once I get time to do a little bit more research into it. But here's the two main things that I'm concerned about with DMVPN, at least in this configuration. Router 2 needs to get to a network on router 3; it doesn't know how to get there, I mean it has to use the next hop, the NHRP protocol. It queries the hub, says hey hub router, I need to get to this network, what's my next hop going to be? Router 1 tells it to use its next hop of 1.3. It builds this dynamic tunnel, because they've all been configured with the same ISAKMP and IPSec policies, that dynamically builds this tunnel, sends the information and then after 2 minutes of inactivity that tunnel is torn down. Also, as far as EIGRP updates go, when this router has an update it sends the update to the hub, the hub turns around and sends it back out to everybody else. So as you can see the hub router is extremely important. These two devices, even though they are only one logical hop away through the GRE tunnels, they are not EIGRP neighbors; they are only neighbors with the hub router. So router 2 is not sending its updates directly to router 3, or router 3 sending them directly to router 2 or 4 or 5; they are all going through router 1. Likewise, when these two devices that we've configured need to communicate with each other, they don't know how to do it without going to router 1 first and asking router 1 to tell them what the next hop IP address is, and it comes back, and then once router 2 knows that, then it can build this tunnel, facilitate building this tunnel. Router 1 isn't used for the data transfer between router 2 and router 3; once the tunnel's built they'll send information through the internet directly to each other, but router 1 has to be consulted for building the tunnels and also for the dynamic routing protocol updates.

So as a demonstration of that let's do this, I think I've talked long enough. Let's see if on router 2 we've started to see some timeouts. Okay, so there you see it: we went for 2 minutes and this tunnel disappeared. 2 minutes went by, or 120 seconds, and that tunnel was torn down. So that's part of the dynamic multipoint VPN solution: it dynamically builds and rips down those tunnels.

So I have three concerns with it. Number one, the spoke routers are not direct neighbors to each other for your dynamic routing protocol. I'm guessing with a little bit of looking and researching I can find out if there's a way to make these EIGRP neighbors, or maybe you don't want to. My bigger concern is the fact that everything relies on router 1. If you lose your hub router or your hub site, or your hub site loses its connectivity to the internet, these spoke sites do not know how to communicate with each other. So let's give an example of that. So let's go into router 2, let's do a quick ping test: ping 192.168.200.1. Okay, so router 2 can ping the loopback on router 3. Here it's in the EIGRP routing table, okay, so it's in the routing table; it's learned it through the tunnel interface, through the dynamic VPN, through that IP address. We're good to go. Now let's go to router 1 and simulate a failure. What we're going to do is on interface Fa0/0, which is what connects router 1 to the internet, we're going to shut it down. We're going to simulate a failure of router 1 or router 1's ISP or what have you. Okay, so router 1 went down, the state went to down, we started seeing our neighbors drop. Okay, let's go back to router 2 and do the same ping command. We lose it. Router 2 cannot reach router 1, doesn't have the information in its routing table, and can't reach router 1 to even ask router 1 how to build the tunnel between router 2 and router 3.

Now the redundancy aspect of it concerns me. My guess is, and I haven't had time to do any research on this, my guess is you can set up multiple hub sites. So maybe this is our primary hub site and then we can configure R5 or R4 or some other site as a backup, or maybe an active-active hub site, so router 2 might try to contact this site and if it can't reach it, it goes to router 5 instead. I'm just guessing on that; I haven't had a chance to do any verification on it at all. I can't see where you would ever deploy this in a larger scale environment given the fact that you have such an Achilles heel here, if you will. If you lose this connectivity your entire network goes down. So think of it: you're doing a change on this router or this link in the maintenance window perhaps, but you're not just affecting the data center site or the data center site's connectivity to the internet when you do that. When you take this down or make this unavailable, router 2 can't get to router 4, can't get to router 3, you can't get to, you know, the office at router 5. You're basically taking your whole network down when you make those changes. So I've got to believe there is a way to do a redundant DMVPN hub configuration.

I guess the other big concern, or not so big a concern, but the other concern I do have about this is, again, say router 2 can't get to the resources on router 3 and you're troubleshooting it. If you hop in there and you start looking at your routing protocols and you're not familiar with the site and you don't see these routes being advertised in EIGRP, it could be difficult to troubleshoot or could throw your troubleshooting off. You need to make sure that, like, a network map like this is insufficient for this case; you need to specify that there are tunnel interfaces in here and you need some text description of how your DMVPN is set up and configured. Coming in cold and trying to troubleshoot an issue with DMVPN could be a bit tricky, whereas if you had point-to-point multiple tunnel interfaces to each site I would think the troubleshooting might be a little bit easier. Plus you'd get the fact that router 2 and router 3 could be directly EIGRP neighbors and update each other without having to go through router 1. Also if you lost your hub site, these other 4 or 5 or 6 spoke sites, they wouldn't be cut off completely. Yeah, they couldn't reach your hub site, which is maybe where your Exchange server is and your other data center services are, but they'd all be able to get to the internet and they'd all be able to get to each other if that's needed.

So again I have a lot of research to do on DMVPN. I suspect a lot of the concerns that I have have been addressed and can be addressed fairly easily; I just haven't had time to look into it all yet. But if I do and I find out some good information I will do a part 2 to follow up to this video and explain what I found out about how you can take care of some of the redundancy issues that are present here in a default DMVPN configuration. So I hope this was helpful to you, and if you do know any of the answers to my DMVPN questions please leave a comment on YouTube and let me know what the answers are, or point me to the resources to find that out. I'd really appreciate it. Take care.
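The hub and spoke configuration spoken through in the captions above, collected into one listing as an added example; this is reconstructed from the walkthrough, not the author's own output. Assumptions not stated in the video: the MTU value, the profile timer being `set security-association lifetime seconds` (whose minimum is the 120 seconds mentioned), the key string `isakey` as heard in the captions, and the hub's EIGRP network statements.

```cisco
! ---- Common IPSec section, identical on the hub and on every spoke ----
crypto isakmp policy 10
 encryption aes 192
 hash md5
 authentication pre-share
 group 2
!
! Wildcard peer, as in the walkthrough: any host that presents this key
! may start IKE phase 1. Because the PSK is the only gate, keep it out of
! shared configs and review "show crypto isakmp sa" for peers that are
! not in the site list.
crypto isakmp key 0 isakey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRANS esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DMVPN-PROFILE
 ! assumed: the "minimum of 120 seconds" timer set in the video
 set security-association lifetime seconds 120
 set transform-set DMVPN-TRANS
!
! ---- Hub R1: WAN 54.45.12.1/30, tunnel 192.168.1.1, client net 10.1.1.0/24 ----
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ! assumed value; the video only says the MTU is reduced for the IPSec overhead
 ip mtu 1400
 ip nhrp authentication isakey
 ! learn each spoke's real (NBMA) address when it registers, so hub-sourced
 ! EIGRP multicast reaches every registered spoke
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! the hub must re-advertise routes learned on Tunnel0 back out Tunnel0
 no ip split-horizon eigrp 10
 ! keep the originating spoke's tunnel IP as next hop so spokes can
 ! resolve it via NHRP and build the spoke-to-spoke tunnel
 no ip next-hop-self eigrp 10
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 10
 network 10.1.1.0 0.0.0.255
 network 192.168.1.0
!
! ---- Spoke R2: WAN 54.45.12.5/30, tunnel 192.168.1.2 ----
! R3 is identical apart from "ip address 192.168.1.3" and its own client net.
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication isakey
 ip nhrp map multicast dynamic
 ! next hop server: the hub's tunnel address
 ip nhrp nhs 192.168.1.1
 ! static mapping of the hub's tunnel address to its real WAN address
 ip nhrp map 192.168.1.1 54.45.12.1
 ! EIGRP hellos and updates go to the hub only, never spoke to spoke
 ip nhrp map multicast 54.45.12.1
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 10
 network 192.168.1.0
 ! plus the spoke's own client network, not stated for R2 in the video:
 ! network <SPOKE-CLIENT-NET> <WILDCARD>
```

With only one `ip nhrp nhs` entry, the spoke has exactly one place to resolve next hops, which is the single point of failure the walkthrough demonstrates by shutting the hub's Fa0/0.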
Info
Channel: Doug Suida
Views: 37,536
Rating: 4.9282513 out of 5
Keywords: Cisco, router, config, configuration, DMVPN, IPSec, GRE, mGRE, software tutorial, EIGRP, WAN, configure, IOS, tunnel, VPN, ISAKMP
Id: WEzo1UvMpg0
Length: 42min 15sec (2535 seconds)
Published: Tue Jan 03 2012