NHRP Crash Course

Captions
All right, so taking a look at DMVPN from a very high level, we want to understand three separate components. The first is mGRE that we need to understand; the second is going to be Next Hop Resolution Protocol, and let's just go ahead and take NHRP for right now. When we look at Next Hop Resolution Protocol, the reason that we use this is that DMVPN is really based on three different sets of addresses. What I'm drawing here are three separate routers that are going to be located in three different geographic locations, all connected by the internet. Like any old router that you'd normally see, you're going to have a public interface and a private interface on each of these devices, and then of course we're going to need a tunnel interface as part of the program.

One of the things that we talked about with DMVPN is the fact that you have mGRE, right? So when we look at these different sites, let's go ahead and say this guy up top is headquarters; therefore he is going to be the hub. This is where we need to create that mGRE interface. And then if you want to leverage the capability of DMVPN to perform dynamic spoke-to-spoke tunnels, each of your spoke sites we need an mGRE interface. If you don't want spoke-to-spoke tunnels, you want everything to traverse through the hub, you could use a traditional GRE interface on each of these devices. Remember the difference with that GRE, GRE versus the multipoint GRE: GRE is traditionally going to be point-to-point, so you've defined this is where it's sourced from, this is where it's destined to, and things go through that tunnel. With mGRE you can dynamically create lots of other tunnels, as we're going to see going forwards.

Now, in order to create those tunnels, a couple of different things are going to happen. You see, one of the advantages to DMVPN is the fact that we can build a full mesh topology, but traditionally, if we would try to do that with IPsec, that's going to result in a crypto map statement with tons of different entries, lots of different crypto ACLs, and we've got this requirement for static peer IP addressing, or you've got to use dynamic DNS. NHRP removes that requirement, because what's going to happen is each of these devices is gonna have a tunnel interface, and we'll just call it tunnel zero, and this tunnel interface is going to have an IP address. So what happens is we basically have three sets of IP addresses now. One set is the inside, so let's say that our inside network is at 10.1.1.0, 10.1.2.0, 10.1.3.0, 10.1.4.0, and we'll just assume these are all slash twenty-fours. And then we've got our public IP addresses. My lucky IP address is 4.2.2.2; that's not mine, don't use it in real life, but we'll say that this is 4.2.3.4, this could be 5.6.7.8, this could be 6.7.8.9, and then this could be 7.8.9.10, just representing different public IPs.

What Next Hop Resolution Protocol does: when each of these devices comes online, these spoke sites can have dynamic addresses on their physical interface, DHCP comes from the provider. When the site first comes online, the router boots up; the fact that we have this tunnel interface and the fact that we have it configured for Next Hop Resolution Protocol means that as soon as the router boots, he sees this interface, he initializes it with the configuration, he performs what's called an NHRP registration. He takes the tunnel IP address, and let's say that that's 172.16.1.2, and we could say that the hub has a tunnel interface of 172.16.1.1, this will be 172.16.1.3, and over here 172.16.1.4; they're all in the same subnet. What's going to happen is you have a registration that occurs where we register our tunnel interface 172.16.1.2 with the hub, and I say, hey hub, I'm just here to register and I want to let you know, if you ever want to get to 172.16.1.2, please come to my public IP address of 5.6.7.8. The hub creates an NHRP registration table, or binding table, which combines the public IP address to tunnel interfaces. Just like site A did this, site B and C are going to perform the same operation when they boot: an NHRP registration occurs where they register their public IP to this tunnel interface, again public IP to the tunnel interface, all this goes into an NHRP binding table.

Now, how would we actually use that? Well, one of the advantages that we talked about earlier in the class was that GRE gives IPsec the ability to support multicast, right? So we can run our routing protocols through GRE. Historically, whenever we built VPNs, what you had to do was construct what was to be encrypted, that goes in your crypto ACL; how it's encrypted, that goes in your transform set; where to send the encrypted traffic, that goes into your peer statement; and you'd have to do that for every single neighbor. If your neighbor has public IP addresses which are moving around, you're in trouble, because you'd have to reconfigure a router every time a new office comes online. Let's say that we add site D: A, B and C would traditionally have to be updated. Not with NHRP, mGRE, DMVPN, etc. What we're gonna have here is the ability to run a routing protocol like OSPF, EIGRP across this tunnel. The really cool thing about that is, when the routing protocol runs, what's happening is we're taking a statement like 10.1.2.0 and we're advertising that network statement through the tunnel interface. Well, when we send things through the tunnel interface, it's gonna get an ESP header added, right, because this is all about encrypting things across the internet, and then it goes into the central site. Just like we learned years and years ago in CCNA when we're looking at WAN interfaces, we've got to think about rules like split horizon, we've got to think about the next hops that EIGRP does. Once we configure our hub site to manage the routing protocol appropriately, over here at site B and at site C they've learned that the 10.1.2.0/24 network exists, and they know that the next hop for this is 172.16.1.2.

If they ever wanted to communicate with that particular address, they could use NHRP to resolve it. So basically, let's say that B wanted to get there: interesting packet comes in, maybe somebody on the 10.1.3 subnet sends an ICMP ping to 10.1.2.5. We look at our table, we see OSPF, we learned 10.1.2.0 is reachable at 172.16.1.2, so we perform an NHRP lookup to the hub. He leverages that NHRP binding table and he sends a response back, and he gives it this mapping that we saw earlier, that 172.16.1.2 is reachable at 5.6.7.8. Does that make sense? What that's gonna do is allow us to form a site-to-site connection; we can now send traffic to that host directly. Then, let's say that it's an ICMP echo request, it hits 10.1.2.5, he sends an ICMP echo reply. The same thing occurs: the echo reply comes into the router, the router goes, OK, cool, I know how to get to 10.1.3.0, it's reachable at 172.16.1.3, and he realizes with that NHRP configuration that he needs to look up where does 172.16.1.3 live. So he performs that lookup via the NHRP server, again our hub site, and he says 172.16.1.3 is reachable at 6.7.8.9; that's what was stored in this binding table. So we get that answer back, and then we can send the return traffic through the existing tunnel.

One of the important things to understand is that once our tunnel is established, IPsec tunnels, remember your ISAKMP SA is bidirectional, your IPsec SAs are unidirectional, but you're still going to create both of them at once. The far side, in this case it's going to be site A on the left, when he performs the lookup and he knows who he needs to talk to, he'll just use the existing tunnel that's already been established. So that's basically, a little messy, but that's basically the purpose of NHRP within DMVPN.
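As an added example, not part of the video or its captions, the following Python model walks through the registration and resolution steps the talk describes, using its address plan (spoke tunnel addresses 172.16.1.2 through .4, public addresses 5.6.7.8, 6.7.8.9 and 7.8.9.10, LANs 10.1.2.0/24 through 10.1.4.0/24). The hub's public address 4.2.3.4, the pre-exchanged routes with the originating spoke kept as next hop, and the shared tunnel set are assumptions of this model.

```python
import ipaddress

class Hub:  # the next hop server: holds the binding table filled by registrations
    def __init__(self):
        self.bindings = {}  # tunnel IP -> public (NBMA) IP

    def register(self, tunnel_ip, public_ip):  # NHRP registration from a spoke
        self.bindings[tunnel_ip] = public_ip

    def resolve(self, tunnel_ip):  # NHRP resolution request -> reply, None if unknown
        return self.bindings.get(tunnel_ip)

class Spoke:
    def __init__(self, tunnel_ip, public_ip, hub, tunnels):
        self.tunnel_ip, self.public_ip, self.hub = tunnel_ip, public_ip, hub
        self.tunnels = tunnels  # shared set of established spoke-to-spoke IPsec tunnels
        self.routes = {}        # prefix -> next-hop tunnel IP, learned via the routing protocol
        self.cache = {}         # local NHRP cache of earlier replies
        hub.register(tunnel_ip, public_ip)  # register as the tunnel interface comes up

    def learn(self, prefix, next_hop_tunnel_ip):
        self.routes[ipaddress.ip_network(prefix)] = next_hop_tunnel_ip

    def forward(self, dst):
        """Return (next-hop tunnel IP, resolved public IP, tunnel_is_new), or None."""
        dst = ipaddress.ip_address(dst)
        nh = next((n for p, n in self.routes.items() if dst in p), None)
        if nh is None:
            return None  # no route over the tunnel, nothing to resolve
        nbma = self.cache.get(nh) or self.hub.resolve(nh)
        if nbma is None:
            return None  # peer never registered with the hub: resolution fails
        self.cache[nh] = nbma
        pair = frozenset({self.public_ip, nbma})
        is_new = pair not in self.tunnels  # the far side reuses an existing tunnel
        self.tunnels.add(pair)
        return nh, nbma, is_new

def build():  # constructed topology: hub plus spokes A, B, C with routes exchanged
    hub, tunnels = Hub(), set()
    hub.register("172.16.1.1", "4.2.3.4")  # hub's own mapping; public IP assumed
    plan = {"A": ("172.16.1.2", "5.6.7.8", "10.1.2.0/24"),
            "B": ("172.16.1.3", "6.7.8.9", "10.1.3.0/24"),
            "C": ("172.16.1.4", "7.8.9.10", "10.1.4.0/24")}
    spokes = {n: Spoke(t, p, hub, tunnels) for n, (t, p, _) in plan.items()}
    for n, s in spokes.items():  # hub kept the originating spoke as the next hop
        for m, (t, _, lan) in plan.items():
            if m != n:
                s.learn(lan, t)
    return spokes
```

Spoke B forwarding to 10.1.2.5 resolves 172.16.1.2 to 5.6.7.8 and brings up a new spoke-to-spoke tunnel; A's echo reply toward 10.1.3.0/24 resolves 172.16.1.3 to 6.7.8.9 and reuses that same tunnel, as the talk describes.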
Info
Channel: Ryan Lindfield
Views: 15,133
Keywords: NRHP, Cisco, DMVPN
Id: __b4QC9C2So
Length: 9min 31sec (571 seconds)
Published: Thu Jul 09 2015