DMVPN – Dynamic Multipoint Virtual Private Network (Part-3)

Continuing from the configuration left at the end of Part 1 and Part 2, we will finally get to the dynamic creation of tunnels between the spokes (DMVPN Phase 2).

To achieve this we will need to change the configuration of the tunnel interfaces on both the HUB and the SPOKES.

We start from a clean sheet, with the same initial configuration as before.

INITIAL CONFIGURATION
INTERNET
hostname INTERNET
 !
 interface Ethernet0/0
 description Connects to HUB
 ip address 10.0.0.2 255.255.255.252
 no shutdown
 !
 interface Ethernet0/1
 description Connects to SPOKE1
 ip address 10.0.0.6 255.255.255.252
 no shutdown
 !
 interface Ethernet0/2
 description Connects to SPOKE2
 ip address 10.0.0.10 255.255.255.252
 no shutdown
 !
 interface Ethernet0/3
 description Connects to SPOKE3
 ip address 10.0.0.14 255.255.255.252
 no shutdown
HUB
hostname HUB
 !
 interface Loopback0
 description Local Lan 0
 ip address 172.16.0.1 255.255.254.0
 !
 interface Loopback1
 description Local Lan 1
 ip address 172.16.2.1 255.255.255.0
 !
 interface Loopback2
 description Local Lan 2
 ip address 172.16.3.1 255.255.255.0
 !
 interface Loopback3
 description Local Lan 3
 ip address 172.16.4.1 255.255.252.0
 !
 interface Ethernet0/0
 description Internet Connection
 ip address 10.0.0.1 255.255.255.252
 no shutdown
 !
 ip route 0.0.0.0 0.0.0.0 10.0.0.2
SPOKES
hostname SPOKE1
 !
 interface Loopback0
 description Local 0
 ip address 172.17.0.1 255.255.255.0
 !
 interface Loopback1
 description Local 1
 ip address 172.17.1.1 255.255.255.0
 !
 interface Ethernet0/0
 description INTERNET Connection
 ip address 10.0.0.5 255.255.255.252
 no shutdown
 !
 ip route 0.0.0.0 0.0.0.0 10.0.0.6
hostname SPOKE2
 !
 interface Loopback0
 description Local 0
 ip address 172.18.0.1 255.255.255.0
 !
 interface Loopback1
 description Local 1
 ip address 172.18.1.1 255.255.255.0
 !
 interface Ethernet0/0
 description INTERNET Connection
 ip address 10.0.0.9 255.255.255.252
 no shutdown
 !
 ip route 0.0.0.0 0.0.0.0 10.0.0.10
hostname SPOKE3
 !
 interface Loopback0
 description Local 0
 ip address 172.19.0.1 255.255.255.0
 !
 interface Loopback1
 description Local 1
 ip address 172.19.1.1 255.255.255.0
 !
 interface Ethernet0/0
 description INTERNET Connection
 ip address 10.0.0.13 255.255.255.252
 no shutdown
 !
 ip route 0.0.0.0 0.0.0.0 10.0.0.14
OUR GOAL – TOPOLOGY

[Image dmvpn3-1: target topology, hub and three spokes with direct spoke-to-spoke tunnels]

FIRST THE IPSEC PARAMETERS

The same ISAKMP policy, pre-shared key and transform set go on the hub and on all three spokes. With spoke-to-spoke tunnels every spoke has to be able to authenticate every other spoke, which is why the key is bound to the wildcard address 0.0.0.0 instead of to the hub address.

! HUB, SPOKE1, SPOKE2, SPOKE3 CONFIGURATION
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption des
 group 1
!
crypto isakmp key hub$poke address 0.0.0.0
!
crypto ipsec transform-set TSET esp-des esp-md5-hmac
 mode transport
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET

These are lab values chosen to keep the example short. DES, MD5 and Diffie-Hellman group 1 are deprecated and should not be used on a real network: use AES, SHA-2 and at least group 14, and prefer IKEv2 where the platform supports it. A single wildcard pre-shared key also means that any compromised spoke holds the credential for the whole DMVPN cloud; certificate-based authentication (authentication rsa-sig with a trustpoint) removes that dependency.

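As an added example, not part of the original post, here is a small Python checker that reads the ISAKMP policy, transform set and pre-shared key lines from an IOS configuration and flags the weak settings discussed above. Both configuration strings are constructed for the example: the first is the lab configuration from this page, the second is a hardened variant (AES-256, SHA-256, group 14, esp-aes 256 with esp-sha256-hmac) that is an assumption of this example rather than something the post configures. The list of what counts as weak is this example's own choice.

```python
"""Audit the ISAKMP/IPsec parameters of an IOS configuration for weak settings.

Added example, not a tool from the original post. It understands only the
commands used on this page: 'crypto isakmp policy', 'crypto isakmp key' and
'crypto ipsec transform-set'.
"""
import re

# What counts as weak is this example's own choice (assumption); adjust to
# local policy. Keywords are spelled as IOS prints them in the configuration.
WEAK_ISAKMP = {
    "encryption": {"des", "3des"},
    "hash": {"md5", "sha"},        # 'sha' in ISAKMP policy syntax means SHA-1
    "group": {"1", "2", "5"},
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}

ISAKMP_POLICY = re.compile(r"^crypto isakmp policy (\d+)\s*$")
TRANSFORM_SET = re.compile(r"^crypto ipsec transform-set (\S+) (.+?)\s*$")
WILDCARD_PSK = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0(?: 0\.0\.0\.0)?\s*$")

# Constructed input 1: the lab parameters from this page.
LAB_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption des
 group 1
!
crypto isakmp key hub$poke address 0.0.0.0
!
crypto ipsec transform-set TSET esp-des esp-md5-hmac
 mode transport
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
"""

# Constructed input 2: a hardened variant (assumed values, not from the post):
# AES-256, SHA-256 and DH group 14 for IKE, AES-256/SHA-256 for ESP.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 hash sha256
 encryption aes 256
 group 14
!
crypto isakmp key hub$poke address 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
"""


def parse_isakmp_policies(config):
    """Return {policy_number: {keyword: value}} for each 'crypto isakmp policy' block.

    Sub-commands are the indented lines after the header; '!' lines are
    ignored and any other top-level line ends the block.
    """
    policies = {}
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue
        header = ISAKMP_POLICY.match(line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            keyword, _, value = stripped.partition(" ")
            current[keyword] = value
        else:
            current = None
    return policies


def audit(config):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    for number, policy in parse_isakmp_policies(config).items():
        for keyword, weak_values in WEAK_ISAKMP.items():
            value = policy.get(keyword)
            if value is None:
                findings.append(f"isakmp policy {number}: {keyword} not set, "
                                "check the platform default")
            elif value.split()[0] in weak_values:   # 'aes 256' -> 'aes'
                findings.append(f"isakmp policy {number}: weak {keyword} '{value}'")
    for line in config.splitlines():
        ts = TRANSFORM_SET.match(line)
        if ts:
            name, transforms = ts.groups()
            for transform in transforms.split():
                if transform in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {name}: weak transform '{transform}'")
        elif WILDCARD_PSK.match(line):
            findings.append("isakmp key: wildcard pre-shared key (address 0.0.0.0), "
                            "whoever holds the key can authenticate as any peer")
    return findings


if __name__ == "__main__":
    for label, config in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(config))} finding(s)")
        for finding in audit(config):
            print("  -", finding)
```

The lab configuration produces six findings (cipher, hash and group of the ISAKMP policy, both ESP transforms, and the wildcard key); the hardened one still reports the wildcard key, which is the residual trade-off of pre-shared keys in a spoke-to-spoke design.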
ROUTING CONFIGURATION
! HUB CONFIGURATION
router eigrp 100
 network 172.16.0.0 0.0.7.255
 network 192.168.0.1 0.0.0.0
 no auto-summary
! SPOKE1 CONFIGURATION
router eigrp 100
 network 172.17.0.0 0.0.1.255
 network 192.168.0.2 0.0.0.0
 no auto-summary
! SPOKE2 CONFIGURATION
router eigrp 100
 network 172.18.0.0 0.0.1.255
 network 192.168.0.3 0.0.0.0
 no auto-summary
! SPOKE3 CONFIGURATION
router eigrp 100
 network 172.19.0.0 0.0.1.255
 network 192.168.0.4 0.0.0.0
 no auto-summary
TUNNEL CONFIGURATION
! HUB CONFIGURATION
interface Tunnel0
 ip address 192.168.0.1 255.255.255.248
 ! Leave the originating spoke's tunnel address as the next hop
 ! when the updates received from one spoke are re-advertised to
 ! the others (required for direct spoke-to-spoke tunnels)
 no ip next-hop-self eigrp 100
 ! Replicate multicast (EIGRP hellos) to every spoke that registers dynamically
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! Disable the EIGRP split-horizon default so routes learned from one
 ! spoke on Tunnel0 are advertised back out Tunnel0 to the other spokes
 no ip split-horizon eigrp 100
 tunnel source 10.0.0.1
 tunnel mode gre multipoint
 ! Protect the tunnel traffic with the IPSec profile
 tunnel protection ipsec profile IPSEC-PROFILE
! SPOKE1 CONFIGURATION
interface Tunnel0
 ip address 192.168.0.2 255.255.255.248
 ! Map the hub tunnel address to its NBMA (outside) address
 ip nhrp map 192.168.0.1 10.0.0.1
 ! Send multicast (EIGRP hellos) to the hub only
 ip nhrp map multicast 10.0.0.1
 ip nhrp network-id 1
 ! Identify the hub as the Next-Hop Server
 ip nhrp nhs 192.168.0.1
 tunnel source 10.0.0.5
 ! Configure the tunnel as GRE multipoint in order to
 ! establish tunnels to the hub and to the other spokes
 tunnel mode gre multipoint
 ! Protect the tunnel traffic with the IPSec profile
 tunnel protection ipsec profile IPSEC-PROFILE
! ON SPOKE2 AND SPOKE3 ONLY THE TUNNEL ADDRESS AND THE TUNNEL SOURCE CHANGE;
! THE REST OF THE Tunnel0 CONFIGURATION IS IDENTICAL TO SPOKE1
! SPOKE2
interface Tunnel0
 ip address 192.168.0.3 255.255.255.248
 tunnel source 10.0.0.9
! SPOKE3
interface Tunnel0
 ip address 192.168.0.4 255.255.255.248
 tunnel source 10.0.0.13
VERIFY CONFIGURATIONS
HUB# show dmvpn

<output omitted>

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.5            192.168.0.2    UP 00:00:53     D
     1 10.0.0.9            192.168.0.3    UP 00:00:34     D
     1 10.0.0.13           192.168.0.4    UP 00:00:25     D

HUB# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst       src        state        conn-id   status
10.0.0.1  10.0.0.5   QM_IDLE      1001      ACTIVE
10.0.0.1  10.0.0.13  QM_IDLE      1003      ACTIVE
10.0.0.1  10.0.0.9   QM_IDLE      1002      ACTIVE
SPOKE1# show dmvpn

<output omitted>

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.1            192.168.0.1    UP 00:10:34     S

SPOKE1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        10.0.0.5        QM_IDLE        1001 ACTIVE

IPv6 Crypto ISAKMP SA
VERIFY ROUTING
HUB# show ip route eigrp

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

      172.17.0.0/24 is subnetted, 2 subnets
D        172.17.0.0 [90/27008000] via 192.168.0.2, 00:04:49, Tunnel0
D        172.17.1.0 [90/27008000] via 192.168.0.2, 00:04:49, Tunnel0
      172.18.0.0/24 is subnetted, 2 subnets
D        172.18.0.0 [90/27008000] via 192.168.0.3, 00:04:40, Tunnel0
D        172.18.1.0 [90/27008000] via 192.168.0.3, 00:04:40, Tunnel0
      172.19.0.0/24 is subnetted, 2 subnets
D        172.19.0.0 [90/27008000] via 192.168.0.4, 00:04:15, Tunnel0
D        172.19.1.0 [90/27008000] via 192.168.0.4, 00:04:15, Tunnel0
HUB#
SPOKE1# show ip route eigrp

Gateway of last resort is 10.0.0.6 to network 0.0.0.0

      172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
D        172.16.0.0/23 [90/27008000] via 192.168.0.1, 00:07:24, Tunnel0
D        172.16.2.0/24 [90/27008000] via 192.168.0.1, 00:07:24, Tunnel0
D        172.16.3.0/24 [90/27008000] via 192.168.0.1, 00:07:24, Tunnel0
D        172.16.4.0/22 [90/27008000] via 192.168.0.1, 00:07:24, Tunnel0
      172.18.0.0/24 is subnetted, 2 subnets
D        172.18.0.0 [90/28288000] via 192.168.0.3, 00:07:15, Tunnel0
D        172.18.1.0 [90/28288000] via 192.168.0.3, 00:07:15, Tunnel0
      172.19.0.0/24 is subnetted, 2 subnets
D        172.19.0.0 [90/28288000] via 192.168.0.4, 00:06:50, Tunnel0
D        172.19.1.0 [90/28288000] via 192.168.0.4, 00:06:50, Tunnel0
Note that on SPOKE1 the routes towards the SPOKE2 and SPOKE3 networks point at the other spokes' tunnel addresses (192.168.0.3 and 192.168.0.4) rather than at the hub. This is the effect of no ip next-hop-self eigrp 100 on the hub, and it is what lets SPOKE1 ask the NHS to resolve those next hops into NBMA addresses.

TEST CONNECTIVITY
HUB# ping 172.17.0.1 source 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms

HUB# ping 172.18.0.1 source 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

HUB# ping 172.19.0.1 source 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms
SPOKE1# ping 172.16.0.1 source 172.17.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.17.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

SPOKE1# ping 172.18.0.1 source 172.17.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.17.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/8 ms

SPOKE1# ping 172.19.0.1 source 172.17.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.17.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/8 ms

After the connectivity test from one of the spokes (SPOKE1 in the example) we can verify the dynamic tunnel creation. The first packets towards another spoke are forwarded through the hub; the spoke then resolves the destination tunnel address into the remote NBMA address through the NHS and builds a direct IPsec-protected tunnel to it. Those entries show up with the D (dynamic) attribute, while the hub entry keeps the S (static) attribute from the ip nhrp map command.

SPOKE1# show dmvpn

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:3, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.1            192.168.0.1    UP 00:23:49     S
     1 10.0.0.9            192.168.0.3    UP 00:00:12     D
     1 10.0.0.13           192.168.0.4    UP 00:00:09     D

SPOKE1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.9        10.0.0.5        QM_IDLE           1003 ACTIVE
10.0.0.5        10.0.0.13       QM_IDLE           1004 ACTIVE
10.0.0.5        10.0.0.9        QM_IDLE           1002 ACTIVE
10.0.0.13       10.0.0.5        QM_IDLE           1005 ACTIVE
10.0.0.1        10.0.0.5        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
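A check a practitioner would want after the outputs above, as an added example that is not part of the original post: an NHRP peer can be UP while no IKE SA exists to it (for instance when tunnel protection was left off one side), which means GRE traffic would flow in clear text. The script below parses the two show outputs of this section, constructed here from the SPOKE1 values, and cross-checks every UP NHRP peer against the ACTIVE ISAKMP SAs; it also lists the dynamic (D) spoke-to-spoke entries and counts the SAs per peer. The local NBMA address (10.0.0.5) is passed in by hand; the failure case is built by deleting SPOKE3's SAs from the constructed output.

```python
"""Cross-check DMVPN NHRP peers against IKE (ISAKMP) SAs from IOS show output.

Added example, not from the original post. Reports any NHRP peer that is UP
without an ACTIVE IKE SA to its NBMA address.
"""
import ipaddress
import re
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DMVPN_ENTRY = re.compile(
    rf"^\s*(?P<ent>\d+)\s+(?P<nbma>{IPV4})\s+(?P<tunnel>{IPV4})"
    r"\s+(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>[A-Z0-9]+)\s*$"
)
ISAKMP_ENTRY = re.compile(
    rf"^\s*(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>\S+)\s*$"
)

# Constructed sample input: SPOKE1's 'show dmvpn' after the pings to the other spokes.
SPOKE1_SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.1            192.168.0.1    UP 00:23:49     S
     1 10.0.0.9            192.168.0.3    UP 00:00:12     D
     1 10.0.0.13           192.168.0.4    UP 00:00:09     D
"""

# Constructed sample input: SPOKE1's 'show crypto isakmp sa' at the same moment.
SPOKE1_SHOW_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.9        10.0.0.5        QM_IDLE           1003 ACTIVE
10.0.0.5        10.0.0.13       QM_IDLE           1004 ACTIVE
10.0.0.5        10.0.0.9        QM_IDLE           1002 ACTIVE
10.0.0.13       10.0.0.5        QM_IDLE           1005 ACTIVE
10.0.0.1        10.0.0.5        QM_IDLE           1001 ACTIVE
"""

# Constructed failure case: the SAs towards SPOKE3 (10.0.0.13) are gone.
ISAKMP_MISSING_SPOKE3 = "\n".join(
    line for line in SPOKE1_SHOW_ISAKMP.splitlines() if "10.0.0.13" not in line
)


def parse_show_dmvpn(text):
    """One dict per peer line of 'show dmvpn' (header and separator lines skipped)."""
    return [m.groupdict() for m in map(DMVPN_ENTRY.match, text.splitlines()) if m]


def parse_show_isakmp_sa(text):
    """One dict per SA line of 'show crypto isakmp sa'."""
    return [m.groupdict() for m in map(ISAKMP_ENTRY.match, text.splitlines()) if m]


def by_address(addrs):
    """Sort dotted-quad strings numerically, not lexically."""
    return sorted(addrs, key=ipaddress.IPv4Address)


def dynamic_peers(dmvpn_text):
    """NBMA addresses of spoke-to-spoke (dynamic, 'D') NHRP entries."""
    return by_address(p["nbma"] for p in parse_show_dmvpn(dmvpn_text) if "D" in p["attrb"])


def sa_count_per_peer(isakmp_text, local_nbma):
    """Number of ACTIVE QM_IDLE IKE SAs towards each remote NBMA address."""
    counts = Counter()
    for sa in parse_show_isakmp_sa(isakmp_text):
        if sa["status"] != "ACTIVE" or sa["state"] != "QM_IDLE":
            continue
        peer = sa["src"] if sa["dst"] == local_nbma else sa["dst"]
        counts[peer] += 1
    return dict(counts)


def unprotected_peers(dmvpn_text, isakmp_text, local_nbma):
    """UP NHRP peers with no established IKE SA: a tunnel without IPsec protection."""
    protected = sa_count_per_peer(isakmp_text, local_nbma)
    return by_address(
        p["nbma"] for p in parse_show_dmvpn(dmvpn_text)
        if p["state"] == "UP" and p["nbma"] not in protected
    )


if __name__ == "__main__":
    local = "10.0.0.5"  # SPOKE1's NBMA address
    print("dynamic peers:", dynamic_peers(SPOKE1_SHOW_DMVPN))
    print("IKE SAs per peer:", sa_count_per_peer(SPOKE1_SHOW_ISAKMP, local))
    print("unprotected:", unprotected_peers(SPOKE1_SHOW_DMVPN, SPOKE1_SHOW_ISAKMP, local))
    print("unprotected (SPOKE3 SA missing):",
          unprotected_peers(SPOKE1_SHOW_DMVPN, ISAKMP_MISSING_SPOKE3, local))
```

On the page's outputs every UP peer has an SA, so the unprotected list is empty; the SA count also makes visible that 10.0.0.9 and 10.0.0.13 each have two SAs. With the SPOKE3 SAs removed, 10.0.0.13 is reported as an UP peer with no IPsec protection.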

Note the two ISAKMP SAs per spoke peer in the last output (conn-id 1002/1003 towards 10.0.0.9 and 1004/1005 towards 10.0.0.13), one in each direction: both spokes started IKE towards each other while the direct tunnel was being brought up. The hub entry has the single SA from the initial registration.

And that's it for DMVPNs.

Until next time, stay good.
