DMVPN Explained | DMVPN Tunnels Part 1

Captions
GRE tunnels are our friend. They are inexpensive WAN links, they are migration tools, and they get us out of a jam when we need to connect to network islands. But GRE tunnels have a natural enemy, and this enemy can really diminish GRE's potential. In this video we will see what that enemy is and how it can be defeated.

We work for a retail company that sells clothes and accessories. We have a head office where all the data processing work takes place. We also have retail outlets where our products are sold to the public. These are usually small locations. We have two or three computers, a router and an internet link. Dedicated WAN links are expensive, so some time ago we decided to use the cheaper option of tunneling to connect our outlets to the head office. But those were the old days. Our company is growing and we now have plans for several hundred outlets across the country, and now we can see what GRE's enemy is: scalability. Several hundred outlets means several hundred tunnels to build, manage and troubleshoot, maybe even more if you have backup tunnels. We need something a little less manual, a little more dynamic.

There are a few options we could investigate, SD-WAN for example, but the hero of today's story is going to be DMVPN. It is built using GRE tunnel technology and it is still an inexpensive solution. Our head office will have one or more hub routers for the outlets to connect to. This is called a hub-and-spoke topology. When we use regular GRE tunnels, we need to statically configure them between two points. DMVPN, on the other hand, is dynamic and multipoint. That's how it gets named: Dynamic Multipoint VPN.

To keep things simple, we're going to start by looking at a single hub, a single spoke, and how the tunnel is dynamically built between them. If we were using GRE, we would need to configure an interface like this one for every spoke router. That's several hundred interfaces to support our retail outlets. That is not scalable. So DMVPN changes the tunnel type from GRE to multipoint GRE. This type of tunnel does not have a specific endpoint. The dynamic nature of DMVPN is also made possible using a protocol called NHRP. We'll have a look at that in more detail soon. The result is that we can now use a single tunnel interface on our hub router instead of several hundred. The hub router doesn't have any destination statically defined anymore. Instead, the spoke routers use NHRP to register themselves with the hub. In NHRP terminology, the hub router is called the next hop server, or NHS. We also need a way to map the hub's tunnel IP to its real IP. This is where the spoke will send GRE packets. This is the simplest way to configure DMVPN. It's called Phase 1 DMVPN. There are also Phase 2 and Phase 3, which come with more features. We'll talk about those a bit later on.

For now, though, we need to understand NHRP and how it works with DMVPN. Generally, we need to reach some network behind the remote router. The addresses that we reach over the tunnels are called the overlay addresses. The router will look at the routing table and see that a tunnel IP is the next hop to get to the overlay address. But we don't have static tunnels anymore, so in most cases we don't know a router's real IP address and which tunnel address that maps to. And if we don't know which router owns this particular tunnel address, then we don't know which real address we need to send the GRE packets to. The critical task, then, is obviously to map the tunnel IP to the public IP, and we need a solution that's dynamic. We need something like ARP, which dynamically maps an IP address to a MAC address on a LAN. But technologies like ARP won't work over networks like the Internet. And why? Because they rely on broadcast, and the Internet is not a broadcast network. We can think of it as an NBMA network, or non-broadcast multi-access. And that is where NHRP, or Next Hop Resolution Protocol, really comes in. It's been around for ages. It's been used with Frame Relay networks and ATM networks. Its job is essentially to find efficient paths through an NBMA network.

As we briefly discussed, NHRP uses a client and a server model. The hub router, as we said earlier, is the next hop server, or NHS. The spokes are the next hop clients, and the real IP addresses are called NBMA addresses. I also mentioned earlier that the spoke registers itself with the hub. It does this by sending an NHRP registration message. This is like saying, "Hi, I'm here, I would like to build a tunnel to you." The hub accepts this and records the spoke's information, including the tunnel address to NBMA address mapping, in a database. This dynamic process also makes it possible for us to use internet connections with dynamic public IPs. Whatever our public IP is at our spoke site, the hub will learn that during this dynamic registration process. If the hub wants to send traffic over the tunnel to the spoke, it simply looks up the tunnel to NBMA address mapping in its database, encapsulates the traffic in GRE headers and forwards the packets to the NBMA address.

Now, do you want to see this in action? Of course you do. Here's the topology we'll be using. There is one hub router and two spokes. The basic configuration is already done, so we can focus on the DMVPN parts. This topology and others are available to download for Patreon subscribers if you'd like to follow along or try it for yourself. We're going to move through this pretty quickly so we can see how the traffic moves through the topology.

On the hub, we create the tunnel, we give it an IP address, we set the MTU and MSS, and we tell it which IP to use to send encapsulated packets from. So far this is just like a regular GRE tunnel. Now we move into the world of DMVPN and enable NHRP and mGRE. Spoke routers are much the same, at least until we get into the NHRP configuration. After enabling NHRP, we configure the IP address of the next hop server. That's the hub router's tunnel address. We follow up by mapping the tunnel address to the NBMA address. That's the real address on the Internet. There is a simpler way to configure this NHS addressing and mapping if your router is new enough. I've included that config on the site if you want to check it out. And now we just quickly confirm that the tunnel is up by pinging the hub, and we're good.

If we run show dmvpn, we can see all the peer addresses that this router knows about. So far it knows about the hub router only. In the flags column you can see the S flag, showing that this is a statically configured peer. The spoke shows as a peer on the hub router as well. However, notice that this has the D flag. This is because it has been dynamically learned on the hub. The hub has no configuration to tell it where the spoke is. It's all learned through NHRP. Pretty neat, right? Speaking of NHRP, we can see the raw NHRP information with show ip nhrp. This also shows whether the information was learned dynamically or if we configured that statically. In addition, we can see the tunnel IP mapping to the NBMA IP.

Now we'll quickly get the final spoke configured. It's pretty much the same, so we'll speed right through it. A quick traceroute between the spokes shows the tunnel is up. It also shows that the traffic flows through the hub router to get to the remote spoke. Remember this, it's important to know for the next video. And finally, we can see the same results with show dmvpn and show ip nhrp.

There are a few different ways to use DMVPN. As I've said earlier, what we've seen so far is called Phase 1. Don't be confused by the term "phase", though. It's not a step in the process. It's not a security phase like IPsec. It's more like a version number or a feature set. But the problem is Phase 1 has some limitations. Phase 2 was created to address these limitations, and Phase 3 improves further on that. So in the next video we're going to look at Phase 2 and 3, how they improve on what we've seen here and how they're configured. I hope to see you then.
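The hub and spoke steps narrated above, written out as a Cisco IOS configuration sketch. This is an added example, not the configuration shown in the video or published by its author; every address, interface name, the network-id and the MTU/MSS values are constructed placeholders, and using mGRE on the spoke is an assumption based on the remark that spokes are "much the same".

```cisco
! ---- Hub (next hop server, NHS) ----
! Constructed addressing: tunnel (overlay) 10.0.0.0/24, hub NBMA 192.0.2.1
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ! Leave room for the GRE header so packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Interface whose address is used as the source of encapsulated packets
 tunnel source GigabitEthernet0/0
 ! Enable NHRP; the network-id is locally significant
 ip nhrp network-id 1
 ! Optional: replicate multicast to dynamically registered spokes
 ! (only needed if a routing protocol runs over the tunnel)
 ip nhrp map multicast dynamic
 ! Multipoint GRE: no "tunnel destination" is configured on the hub
 tunnel mode gre multipoint
!
! ---- Spoke (next hop client) ----
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 ip nhrp network-id 1
 ! NHS = the hub's tunnel address; the spoke registers with it
 ip nhrp nhs 10.0.0.1
 ! Static mapping: hub tunnel address -> hub NBMA (real) address
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 tunnel mode gre multipoint
 ! Newer IOS releases accept the NHS and its mapping on one line:
 !  ip nhrp nhs 10.0.0.1 nbma 192.0.2.1 multicast
!
! ---- Verification on either router ----
! show dmvpn     (S = static peer entry, D = dynamically learned)
! show ip nhrp   (tunnel address to NBMA address mappings)
```

GRE by itself neither encrypts nor authenticates the traffic it carries, so a tunnel built this way over the Internet is normally combined with IPsec tunnel protection, which this video does not cover.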
Info
Channel: Network Direction
Views: 35,161
Rating: 4.9866886 out of 5
Keywords: Dmvpn, dmvpn concept, Dynamic multipoint vpn, dynamic multipoint vpn, dmvpn bgp, dmvpn - concepts & configuration, dynamic multipoint virtual private network, Gre, mgre, Multipoint, Phase 1, Phase 2, Phase 3, Nhrp, Cisco, Hub, Spoke, Nhs, nhc, Nbma, Tunnel, Configuration, Ccnp, Ccie, Point to point, ccna security, gns3 dmvpn, gre tunnel, tunneling protocol, vpn network, cisco training, site to site, network direction
Id: J-w_n9LCRj8
Length: 10min 17sec (617 seconds)
Published: Tue Nov 13 2018