Cisco DMVPN

Jun 26, 2017 Version 2.0

Created by Andre Barros Longo

Agenda

Part 1 - Tunnel Interface

What is DMVPN
Flowchart
DMVPN Tunnel Implementation Steps
fVRF Scenario
Questions and Answers

Part 2 - IPsec

Security Acronyms
What is IPsec, ISAKMP and IKE
IPsec Structure
DMVPN - IPsec Implementation Steps
fVRF Scenario
DMVPN Troubleshooting
Questions and Answers

Part 3 - Routing

DMVPN - BGP
iBGP and eBGP scenarios
Dual HUB scenario
DMVPN EIGRP
DMVPN OSPF
Questions and Answers

It is a Hands-On Course! Connect on EVE and enjoy!
What is DMVPN

DMVPN means Dynamic Multipoint Virtual Private Network.

DMVPN is a technical solution that provides spoke-to-hub and spoke-to-spoke connectivity between sites over an underlay network. Because it needs only a few configuration lines per router, DMVPN simplifies the router configuration files and their management: the hub does not need one tunnel definition per spoke, and a spoke does not need a definition for every other spoke it may talk to.

DMVPN is usually used to protect corporate data that is transmitted over an untrusted network, such as the public Internet.

DMVPN protects that data with IPsec. Note that the tunnel itself (mGRE plus NHRP, covered in Part 1) carries traffic in clear text; confidentiality, integrity and peer authentication come only from the IPsec tunnel protection added in Part 2.
DMVPN Flowchart Steps

Begin
  -> Underlay network is OK?
       NO  -> Fix it (and check again)
       YES -> Create the Tunnel Interface
  -> Create IPsec Parameters
  -> Apply IPsec on Tunnel Interfaces
  -> END
DMVPN Implementation Steps (Tunnel)

1st - Be sure that your UNDERLAY network has full connectivity;

(Diagram: the HUB underlay interface 1.1.1.1 and the underlay interfaces of SPOKE-A, SPOKE-B, SPOKE-C and SPOKE-D, 2.2.2.2 through 5.5.5.5, all attached to the "Underlay: ISP or MPLS or 3rd Party Transit Cloud". Every spoke must reach the hub's underlay address, and spokes must reach each other's underlay addresses for spoke-to-spoke tunnels, before any tunnel is configured. Back to Flowchart.)
DMVPN Implementation Steps

2nd - Create the Tunnel Interface on the HUB and SPOKE routers;
3rd - Apply IP MTU to avoid fragmentation;
4th - Apply the OVERLAY address;
5th - Specify the Tunnel Source (Underlay Interface);
6th - Specify the tunnel mode as GRE Multipoint;

HUB:
HUB(config)#interface tunnel 10
HUB(config-if)#ip mtu 1400
HUB(config-if)#ip tcp adjust-mss 1360
HUB(config-if)#ip address 192.168.1.1 255.255.255.0
HUB(config-if)#tunnel source GigabitEthernet0/0
HUB(config-if)#tunnel mode gre multipoint

SPOKE:
SPOKE(config)#interface tunnel 10
SPOKE(config-if)#ip mtu 1400
SPOKE(config-if)#ip tcp adjust-mss 1360
SPOKE(config-if)#ip address 192.168.1.10 255.255.255.0
SPOKE(config-if)#tunnel source GigabitEthernet0/0
SPOKE(config-if)#tunnel mode gre multipoint

With the IP MTU set to 1400, the packet will not exceed the 1500-byte MTU of the physical interface once the GRE and IPsec overhead is added, so the underlay does not have to fragment it and the receiving router does not have to reassemble ESP fragments (which is slow and a classic cause of "ping works, large transfers hang" reports).

* The TCP Maximum Segment Size (MSS) is the largest amount of TCP payload a host is willing to accept in a single segment. To avoid truncation it should be 40 bytes less than the ip mtu configured on the interface (20-byte IP header + 20-byte TCP header): 1400 - 40 = 1360. ip tcp adjust-mss rewrites the MSS option of TCP SYN packets that cross the tunnel interface, so hosts behind the router never send segments the tunnel cannot carry.
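A size-budget calculator for the numbers above, added here as an example and not part of the course material. It models an IPv4 underlay, mGRE without a tunnel key, and ESP with AES-CBC (16-byte IV and block) plus HMAC-SHA1-96 (12-byte ICV), which is what esp-aes 256 esp-sha-hmac negotiates; the constants and function names are my own.

```python
"""GRE-over-IPsec size budget for a DMVPN tunnel.

Assumptions (mine, not the course's): IPv4 underlay with 20-byte headers, mGRE
without 'tunnel key', ESP with a 16-byte IV and 16-byte cipher block (AES-CBC)
and a 12-byte ICV (HMAC-SHA1-96), i.e. what 'esp-aes 256 esp-sha-hmac' gives.
"""

OUTER_IP = 20      # IPv4 header added by the tunnel (no options)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the ciphertext
GRE_BASE = 4       # GRE header with no key, checksum or sequence fields
GRE_KEY = 4        # extra GRE bytes when 'tunnel key' is configured


def esp_padding(plaintext_len: int, block: int) -> int:
    """Padding bytes so that plaintext + trailer is a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def protected_size(inner_len: int, *, transport: bool = True, gre_key: bool = False,
                   iv_len: int = 16, block: int = 16, icv_len: int = 12) -> int:
    """Bytes on the underlay for an overlay IP packet of inner_len bytes after GRE + ESP."""
    gre_packet = GRE_BASE + (GRE_KEY if gre_key else 0) + inner_len
    # transport mode encrypts GRE + payload only; tunnel mode also wraps the
    # GRE packet's IP header and adds a fresh outer header (20 more bytes)
    plaintext = gre_packet + (0 if transport else OUTER_IP)
    ciphertext = plaintext + esp_padding(plaintext, block) + ESP_TRAILER
    return OUTER_IP + ESP_HEADER + iv_len + ciphertext + icv_len


def max_ip_mtu(link_mtu: int = 1500, **kw) -> int:
    """Largest 'ip mtu' whose worst-case packet still fits the physical link MTU."""
    mtu = link_mtu
    while protected_size(mtu, **kw) > link_mtu:
        mtu -= 1
    return mtu


def tcp_mss_for(ip_mtu: int) -> int:
    """Value for 'ip tcp adjust-mss': IP MTU minus 20-byte IP and 20-byte TCP headers."""
    return ip_mtu - 40


if __name__ == "__main__":
    for mode in (True, False):
        label = "transport" if mode else "tunnel"
        print(f"{label}: 1400-byte packet -> {protected_size(1400, transport=mode)} bytes on the wire, "
              f"largest safe ip mtu = {max_ip_mtu(transport=mode)}")
    print("ip tcp adjust-mss", tcp_mss_for(1400))
```

Running it shows why 1400 is the safe round number: a 1400-byte overlay packet becomes 1464 bytes in transport mode and 1496 in tunnel mode, the ceiling with these transforms is 1434 (transport) or 1414 (tunnel), and 1400 still fits if a tunnel key (+4) or a SHA-256 ICV (+4) is added later.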

DMVPN Implementation Steps

NHRP (Next Hop Resolution Protocol)

NHRP is a resolution protocol that lets one NHRP client (NHC, a spoke) dynamically discover the logical VPN (overlay) IP to physical NBMA (underlay) IP mapping of another spoke within the same NBMA network.

NHRP is used to facilitate building a VPN. In this context, a VPN is a virtual Layer 3 network built on top of an actual Layer 3 network. The topology used over the VPN is largely independent of the underlying network, and the protocols run over it are completely independent of it. The VPN network (DMVPN) is based on GRE IP logical tunnels that can be protected by adding IPsec to encrypt the GRE IP tunnels. Connected to the NBMA network are one or more stations that implement NHRP, known as Next Hop Servers (NHSs, the hubs) and Next Hop Clients (NHCs, the spokes).
DMVPN Implementation Steps

7th - Configure NHRP (Next Hop Resolution Protocol) on the routers;
8th - Specify the HUB as NHS on all spoke routers;

(Diagram: HUB and SPOKE, each with an Underlay IP and an Overlay IP.)

HUB:
HUB(config)#interface tunnel 10
HUB(config-if)#ip nhrp network-id 123
HUB(config-if)#ip nhrp server-only

* ip nhrp network-id: any value from 1 to 4294967295. It identifies the NHRP domain and must be the same on every router of this DMVPN cloud.
* ip nhrp server-only: the hub operates in NHRP server-only mode; it will not initiate or respond to an attempt to establish an NHRP shortcut to itself. The hub needs no ip nhrp nhs or ip nhrp map lines: its map table is populated dynamically from the registrations of the spokes.

SPOKE:
SPOKE(config)#interface tunnel 10
SPOKE(config-if)#ip nhrp network-id 123
SPOKE(config-if)#ip nhrp nhs 192.168.1.1 nbma 1.1.1.1 multicast

Old IOS versions of the same spoke commands:

SPOKE(config-if)#ip nhrp nhs 192.168.1.1 1.1.1.1 255.255.255.255
SPOKE(config-if)#ip nhrp map 192.168.1.1 1.1.1.1

or

SPOKE(config-if)#ip nhrp nhs 192.168.1.1 1.1.1.1/32
SPOKE(config-if)#ip nhrp map 192.168.1.1 1.1.1.1

The SPOKE routers statically populate their DMVPN map table with the overlay and underlay (NBMA) addresses of the hub router. With this entry the spoke registers with the HUB and uses it as the server/database from which to learn the overlay and underlay addresses of the other spoke routers.

The HUB routers dynamically populate their DMVPN map table with the overlay and underlay addresses of each spoke router as the spokes register.

Use the command "show dmvpn" on both sides to see the result.
DMVPN Implementation Steps

9th - Configure additional NHRP commands (HUB and SPOKE);

RT(config)#interface tunnel 10
RT(config-if)#ip nhrp holdtime 600
RT(config-if)#ip nhrp registration timeout 200
RT(config-if)#ip nhrp registration no-unique          (SPOKE only)
RT(config-if)#ip nhrp authentication STRING
RT(config-if)#if-state nhrp                            (SPOKE only)

* ip nhrp holdtime: how long the Cisco IOS software tells other routers to keep the address mappings it provides in NHRP responses. This controls how long a spoke-to-spoke shortcut path stays up after it is no longer used, or how often the spoke-to-spoke shortcut mapping entry is refreshed if it is still being used. A value from 300 to 600 seconds is recommended.

* ip nhrp registration timeout: how often a router refreshes its registration with the NHS via NHRP registration requests. If not configured, the default is one-third of the holdtime.

* ip nhrp registration no-unique: apply on SPOKE routers only. It is needed because a spoke's outside (NBMA) address may change at any time (DHCP or PPPoE re-addressing, for example). Without it the spoke registers its mapping as "unique", and the hub refuses a registration of the same overlay address from a new NBMA address until the old entry's holdtime expires; with it the HUB overwrites the NHRP map with the new spoke address immediately.

* ip nhrp authentication: only routers configured with the same string can exchange NHRP packets. The string travels in plain text in every NHRP packet, so it only keeps separate NHRP domains from mixing; it is not a security control. Peer authentication comes from IKE (Part 2), which is why tunnel protection should be in place before the tunnel is exposed to the Internet.

* if-state nhrp: on SPOKE routers, detects whether the NHS is down and puts the tunnel interface in down state; when the NHS is reachable again the tunnel interface is put back in up state. This lets routing protocols and tracking objects react to the loss of the hub.
DMVPN Implementation Steps

10th - Configure NHRP Redirect on HUB routers;
11th - Configure NHRP Shortcut on SPOKE routers;

HUB:
HUB(config)#interface tunnel 10
HUB(config-if)#ip nhrp redirect

* Tells the spoke routers, via an NHRP traffic-indication message, when there is a better path to use than through the hub (DMVPN Phase 3).

SPOKE:
SPOKE(config)#interface tunnel 10
SPOKE(config-if)#ip nhrp shortcut

* Makes the spoke router act on the redirect: it resolves the destination through the hub and installs the "shortcut" path, building a temporary spoke-to-spoke tunnel that is torn down once the holdtime expires unused.
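A toy model of what the hub does with the registrations and resolutions described in steps 7 to 11 (network-id and authentication string check, holdtime, the unique flag behind ip nhrp registration no-unique, and the lookup that answers a shortcut resolution). It is an added example, not course material or IOS code; the class and method names are my own and the model covers only the behaviour the slides describe.

```python
"""Toy model of the NHRP server (hub) side: registration, holdtime, the unique
flag and resolution. Added example; class and method names are mine and the
model ignores everything IOS does beyond what the slides describe."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Binding:
    nbma: str        # spoke underlay (NBMA) address
    expires: float   # absolute time after which the mapping is purged
    unique: bool     # True unless the spoke used 'ip nhrp registration no-unique'


@dataclass
class NhrpServer:
    network_id: int          # 'ip nhrp network-id'
    auth: str                # 'ip nhrp authentication' string (plain text on the wire)
    holdtime: int = 600      # 'ip nhrp holdtime' advertised to clients
    cache: Dict[str, Binding] = field(default_factory=dict)   # overlay -> binding

    def _purge(self, now: float) -> None:
        """Drop mappings whose holdtime ran out without a refresh."""
        for overlay in [o for o, b in self.cache.items() if b.expires <= now]:
            del self.cache[overlay]

    def register(self, overlay: str, nbma: str, network_id: int, auth: str,
                 now: float, unique: bool = True) -> str:
        """Process a spoke's NHRP registration request and return the outcome."""
        if network_id != self.network_id or auth != self.auth:
            return "ignored"          # other NHRP domain or wrong string: silently dropped
        self._purge(now)
        current = self.cache.get(overlay)
        if current and current.unique and current.nbma != nbma:
            # 'unique address registered already': the spoke's NBMA address changed
            # but its old binding is still held; it stays locked out until expiry
            return "rejected-unique"
        self.cache[overlay] = Binding(nbma, now + self.holdtime, unique)
        return "registered"

    def resolve(self, overlay: str, now: float) -> Optional[str]:
        """Answer a resolution request: the NBMA address behind an overlay address."""
        self._purge(now)
        binding = self.cache.get(overlay)
        return binding.nbma if binding else None


if __name__ == "__main__":
    hub = NhrpServer(network_id=123, auth="STRING")
    print(hub.register("192.168.1.10", "2.2.2.2", 123, "STRING", now=0))      # registered
    print(hub.register("192.168.1.10", "7.7.7.7", 123, "STRING", now=100))    # rejected-unique
    print(hub.register("192.168.1.10", "7.7.7.7", 123, "STRING", now=601))    # registered
```

The sequence in the usage shows the no-unique problem from step 9: the spoke registered 2.2.2.2 as unique, so when its ISP re-addresses it to 7.7.7.7 the hub refuses the new registration for the rest of the 600-second holdtime, and only then does the new address get in. A spoke that registers with unique=False (ip nhrp registration no-unique) is overwritten on the spot.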
DMVPN Implementation Steps

12th - Configure Multicast support;

HUB:
HUB(config)#interface tunnel 10
HUB(config-if)#ip pim nbma-mode
HUB(config-if)#ip pim sparse-dense-mode
HUB(config-if)#ip nhrp map multicast dynamic

SPOKE:
SPOKE(config)#interface tunnel 10
SPOKE(config-if)#ip pim nbma-mode
SPOKE(config-if)#ip pim sparse-dense-mode
SPOKE(config-if)#ip nhrp map multicast dynamic
SPOKE(config-if)#ip nhrp nhs 192.168.1.1 nbma 1.1.1.1 multicast

Old IOS versions of the same spoke command (the multicast keyword on ip nhrp nhs replaces it):
SPOKE(config-if)#ip nhrp map multicast 1.1.1.1

* ip nhrp map multicast dynamic on the hub adds every spoke that registers to the hub's multicast replication list, so routing-protocol hellos and updates sent to 224.0.0.x are replicated to each spoke over the NBMA network. On the spoke, the multicast keyword (or the old static map) sends multicast only to the hub's NBMA address, which keeps routing adjacencies hub-and-spoke. The ip pim commands are needed only if user multicast is routed over the tunnel; the NHRP multicast mappings alone are enough for the EIGRP, OSPF and BGP traffic of Part 3.
DMVPN Implementation Steps

Validate - Be sure that your OVERLAY network has full connectivity;

(Diagram: HUB overlay interface 192.168.1.1 with a Permanent Tunnel to each spoke across the "ISP or MPLS or 3rd Party Transit Cloud"; spoke overlay interfaces 192.168.1.10, 192.168.1.11, 192.168.1.12 and 192.168.1.13 on SPOKE-A, SPOKE-B, SPOKE-C and SPOKE-D; spoke-to-spoke traffic uses a Temporary Tunnel built on demand by NHRP. Ping every overlay address from every router and confirm each peer shows state UP in show dmvpn before moving on to IPsec.)
DMVPN Implementation Steps

Dual HUB with Front VRF scenario and example;

(Diagram: HUB1 in AS 65001 and HUB2 in AS 65002, both reachable over the INTERNET; SPOKE-B in AS 65001. The hubs keep their Internet-facing interface in the front VRF "INTERNET" (tunnel vrf) while the tunnel itself lives in the inside VRF "ACME" (ip vrf forwarding).)

HUB1:
interface Tunnel10
 ip vrf forwarding ACME
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 54321
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 ip nhrp holdtime 600
 ip nhrp redirect
 ip nhrp server-only
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel vrf INTERNET

HUB2:
interface Tunnel10
 ip vrf forwarding ACME
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 54321
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 ip nhrp holdtime 600
 ip nhrp redirect
 ip nhrp server-only
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel vrf INTERNET

SPOKE-B (no VRFs):
interface Tunnel10
 ip address 192.168.1.11 255.255.255.0
 if-state nhrp
 ip mtu 1400
 ip nhrp authentication 54321
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 ip nhrp holdtime 600
 ip nhrp nhs 192.168.1.1 nbma 1.0.0.1 multicast
 ip nhrp nhs 192.168.1.2 nbma 2.0.0.2 multicast
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

* tunnel vrf INTERNET makes the router look up the tunnel source and the spokes' NBMA addresses in the front VRF (the underlay routing table), while ip vrf forwarding ACME places the overlay in the inside VRF, so underlay and overlay routes never mix and the Internet-facing table cannot leak into the corporate one. The spoke lists both hubs as NHS and registers with both, which is what lets the dual-hub design survive the loss of one hub.
Questions and Answers
Part 2 - IPsec
Security Acronyms

MD5     - Message Digest 5 (hash)
HA      - Hash Algorithm
HMAC    - Hash-based Message Authentication Code
SHA     - Secure Hash Algorithm
ESP     - Encapsulating Security Payload
IPsec   - Internet Protocol Security
DES     - Data Encryption Standard
3DES    - Triple DES
AES     - Advanced Encryption Standard
DH      - Diffie-Hellman (key exchange)
ISAKMP  - Internet Security Association and Key Management Protocol
IKEv1   - Internet Key Exchange version 1
IKEv2   - Internet Key Exchange version 2
KINK    - Kerberized Internet Negotiation of Keys
What is IPsec, ISAKMP and IKE

IPsec means Internet Protocol SECurity. IPsec is a framework of open standards used to ensure private and secure communications over IP networks.

ISAKMP means Internet Security Association and Key Management Protocol. ISAKMP is a framework for authentication and key exchange and is designed to be key-exchange independent: it defines the message formats and phases, not the key-exchange method itself.

IKE means Internet Key Exchange. IKE is the protocol used to set up a security association (SA) in the IPsec protocol framework. IKEv1 runs inside ISAKMP (which is why Cisco IOS calls the IKEv1 configuration "crypto isakmp"), while IKEv2 is a separate, simpler protocol with its own "crypto ikev2" configuration.
DMVPN IPsec Structure

(Diagram, reconstructed as an outline.)

Phase 1 - Secure the Channel / Tunnel (Peer): ISAKMP with IKEv1, or IKEv2
  Authentication Method: PreShared Key | Public Key Infrastructure
  HA (Hash Algorithm): SHA | MD5
  Cryptography Algorithm: DES | 3DES | AES
  Diffie-Hellman Group: 1 | 2 | 5   (DH is a specific method of securely exchanging cryptographic keys over an untrusted channel)

Phase 2 - Secure the Data: IPsec
  Protocol: AH (Authentication Header) | ESP (Encapsulating Security Payload)
  HA (Hash Algorithm, as HMAC): SHA | MD5
  Cryptography Algorithm: DES | 3DES | AES
  Diffie-Hellman Group (PFS, optional): 1 | 2 | 5

While AH can be used to provide message authentication only, ESP can be used to provide both encryption and message authentication. DMVPN uses ESP.

Key Points: Reliability, Integrity, Privacy.

* The diagram lists what the IOS images of the time can negotiate, not what should be chosen. DES, 3DES, MD5 and DH groups 1, 2 and 5 are all considered weak or legacy today (Cisco's Next Generation Encryption guidance puts DES, MD5 and DH groups 1 and 2 in "avoid" and 3DES, SHA-1 and DH group 5 in "legacy"); for new deployments use AES (AES-GCM where the platform supports it), SHA-256 or better, and DH group 14 or the ECP groups 19/20.
IPsec - Negotiation Steps

Step 1 - "Interesting traffic" initiates the IPsec process. Traffic is deemed interesting when it matches the IPsec security policy configured in the IPsec peers; that match starts the IKE process. With DMVPN tunnel protection the interesting traffic is any GRE packet of the tunnel (including the spoke's first NHRP registration to the hub), so the IKE session comes up as soon as the tunnel interface is up.
IPsec - Negotiation Steps

Step 2 - IKE phase 1 negotiation (IKEv1 main mode)

Initiator Router                                           Responder Router
Sends MM1 packet with policy proposals          -->
                                                <--        Replies MM2 packet (chosen policy)
Sends MM3 packet (DH public value, nonce)       -->
                                                <--        Replies MM4 packet (DH public value, nonce)
Sends MM5 packet (identity + authentication, encrypted) -->
                                                <--        Replies MM6 packet (identity + authentication, encrypted)
Phase 1 Finished

The pre-shared key used to authenticate MM5/MM6 comes from the keyring. A wildcard entry accepts any peer address with one shared secret, which is what DMVPN needs when spoke addresses are unknown or dynamic; a per-peer entry pins one key to one address:

crypto keyring DMVPN-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key STRINGKEYRING
!
crypto keyring DMVPN-KEYRING-2
 pre-shared-key address 192.168.1.2 255.255.255.255 key STRINGKEYRING-2

* With a single wildcard pre-shared key every spoke holds the secret that authenticates all other spokes to the hub, so one stolen spoke configuration lets an attacker impersonate any site. Keep the key long and random, rotate it when a device is lost, and prefer per-peer keys or certificates (PKI) when the number of spokes makes that manageable.
IPsec - Negotiation Steps

Step 2 - IKE phase 1. IKE authenticates the IPsec peers and negotiates the IKE SAs during this phase, setting up a secure channel for negotiating the IPsec SAs in phase 2.

The three building blocks are the same for IKEv1 and IKEv2: a Keyring (who the peers are and what secret they share), a Policy (which algorithms to propose) and a Profile (which keyring and match criteria apply to this tunnel).

IKEv1:
crypto keyring DMVPN-KEYRING <fVRF>
 pre-shared-key address 0.0.0.0 0.0.0.0 key STRINGKEYRING
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp profile DMVPN-Internet-Profile-V1
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 <fVRF>
 isakmp authorization list default
 local-address Ethernet1/0

IKEv2:
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  identity address 0.0.0.0
  pre-shared-key STRINGKEYRING
!
crypto ikev2 proposal DMVPN-PROPOSAL
 encryption aes-cbc-256
 integrity sha256 sha384 sha512
 group 2
!
crypto ikev2 policy DMVPN-POLICY
 match fvrf <fVRF Name>
 match address local <underlay ip>
 proposal DMVPN-PROPOSAL
!
crypto ikev2 profile IKEv2_Prof_Shared
 match fvrf <fVRF Name>
 match address local interface <Underlay Interface>
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING

* The keyring name in the profile must be exactly the name defined in the keyring stanza; the only symptom of a mismatch is that no peer authenticates (phase 1 fails at MM5/MM6, and show crypto isakmp sa shows MM_KEY_EXCH or no SA at all).
DMVPN Implementation Steps (Security)

1st - Configure the Authentication Credentials: Pre-Shared Key (HUB and SPOKE);

IKEv1:
!
crypto keyring DMVPN-KEYRING vrf DMVPN-Internet-Transport-V1
 pre-shared-key address 0.0.0.0 0.0.0.0 key STRINGKEY
!

* DMVPN-KEYRING: name of the keyring. A crypto keyring is a repository of preshared keys and RSA public keys.
* vrf DMVPN-Internet-Transport-V1: for fVRF scenarios. If the fVRF is not specified the keyring belongs to the global VRF; IKE looks for the keyring in the VRF where the peer's packets arrive, so with a front VRF the vrf keyword is mandatory.
* address 0.0.0.0 0.0.0.0: the IP address and mask of the peers; in this case it means any IP.
* key STRINGKEY: the string that must be common to all interested peers.

IKEv2:
crypto ikev2 keyring DMVPN-KEYRING
 peer <Peer-Name>
  address 0.0.0.0 0.0.0.0
  pre-shared-key STRINGKEY
DMVPN Implementation Steps (Security)

2nd - Configure the Policy Proposal (HUB and SPOKE);

IKEv1:
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
!

IKEv2:
!
crypto ikev2 proposal DMVPN-PROPOSAL
 encryption aes-cbc-256
 integrity sha256 sha384 sha512
 group 2
!
crypto ikev2 policy DMVPN-POLICY
 proposal DMVPN-PROPOSAL
 match fvrf <fVRF Name>
 match address local <Underlay IP>

* policy 10 / DMVPN-PROPOSAL: Priority ID (IKEv1 policies are tried lowest number first) or proposal name.
* encryption: Cryptography Algorithm.
* authentication pre-share: Authentication Method (IKEv1; for IKEv2 it is set in the profile).
* group 2: Diffie-Hellman Group.
* integrity: hash algorithm for IKEv2. An IKEv1 policy without a hash line uses the IOS default, SHA-1; an IKEv1 policy without an encr or group line falls back to DES and group 1, so always state all three.
* The IKEv2 policy binds the proposal to a front VRF and a local underlay address; an IKEv2 proposal that no policy references is never used.
DMVPN Implementation Steps (Security)

3rd - Configure the ISAKMP / IKEv2 Profile (HUB and SPOKE);

IKEv1:
!
crypto isakmp profile DMVPN-Profile
 vrf <iVRF>
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 <fVRF>
 isakmp authorization list default
 local-address Ethernet1/0
!

IKEv2:
crypto ikev2 profile DMVPN-Profile
 match fvrf <fVRF Name>
 match address local interface <Underlay Interface>
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING

* DMVPN-Profile: Profile Name.
* keyring DMVPN-KEYRING / keyring local DMVPN-KEYRING: Keyring Name.
* vrf <iVRF>: inside VRF; used with crypto maps only, not needed for tunnel protection.
* <fVRF> / match fvrf: front VRF; used when the target underlay addresses are hosted on a front VRF.
* match identity (remote) address 0.0.0.0: permitted peers, where 0.0.0.0 means any IP.
* isakmp authorization list default: AAA authorization list.
* local-address Ethernet1/0 / match address local interface: local exit interface, usually the ISP interface; the same interface used in the tunnel source command. The IP address on this interface is used as the local "identity" to be matched by the peers.
* authentication remote / authentication local: IKEv2 authenticates each direction separately, so the two methods can differ (for example rsa-sig for the hub and pre-share for the spokes).
IPsec - Negotiation Steps

Step 3 - IKE phase 2. IKE negotiates the IPsec SA parameters and sets up matching IPsec SAs in the peers.

IKEv1 (Transform-Set, Profile, Apply):
crypto ipsec transform-set DMVPN-TRANSFORMSET-V1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-V1
 set transform-set DMVPN-TRANSFORMSET-V1
 set isakmp-profile DMVPN-ISAKMP-PROFILE
!
interface tunnel 10
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-V1 shared

IKEv2 (Transform-Set, Profile, Apply):
crypto ipsec transform-set DMVPN-TRANSFORMSET-V2 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-V2
 set transform-set DMVPN-TRANSFORMSET-V2
 set ikev2-profile DMVPN-Internet-Profile-V2
!
interface tunnel 10
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-V2 shared

* set ikev2-profile: without this command the IPsec profile negotiates with IKEv1.
* shared: used when many VTIs (tunnel interfaces) use the same IPsec profile and the same tunnel source.
DMVPN Implementation Steps (Security)

4th - Configure the Data Protection: IPsec Transform-Set (HUB and SPOKE);

!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set DMVPN-TRANSFORMSET esp-aes 256 esp-sha-hmac
 mode transport
!

* Security association (SA) anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks. window-size sets the number of packets the receiver tracks; the default is 64. A larger window (512 or 1024) is needed when the underlay reorders packets (per-packet load balancing, QoS queues) so that legitimate late packets are not dropped as replays; it does not weaken the protection, since every sequence number inside the window is still accepted only once.
* DMVPN-TRANSFORMSET: Transform-set Name.
* esp-aes 256 esp-sha-hmac: Cryptography and Hash (HMAC) Algorithms.
* mode transport: Transport Mode encapsulates the payload only (the GRE packet), saving 20 bytes per packet. Tunnel Mode encapsulates the whole IP datagram behind a new outer IP header; it is not needed here because GRE already supplies the outer header.
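A small audit of the crypto stanzas from step 2 (ISAKMP policy, IKEv2 proposal) and step 4 (transform-set), added as an example and not part of the course. It parses an IOS-style configuration, applies the IOS defaults an ISAKMP policy silently inherits when a line is omitted, and reports weak or legacy algorithms. The classification sets are my reading of Cisco's Next Generation Encryption guidance, SAMPLE_CONFIG is constructed (the course's own stanzas plus a deliberately weak policy 20), and the function names are mine.

```python
"""Audit IOS IKE/IPsec crypto stanzas for weak or legacy algorithms.
Added example (not course material); the classification sets are my own
reading of Cisco's NGE guidance and SAMPLE_CONFIG is constructed."""
from typing import Dict, List, Tuple

WEAK_ENC = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
LEGACY_HASH = {"sha", "sha1", "esp-sha-hmac"}       # SHA-1: tolerated, SHA-2 preferred
WEAK_DH = {"1", "2", "5"}                            # 768/1024/1536-bit MODP groups

# What IOS uses when an ISAKMP policy line is omitted: DES, SHA-1, RSA-sig, DH group 1
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 1
!
crypto ikev2 proposal DMVPN-PROPOSAL
 encryption aes-cbc-256
 integrity sha256 sha384 sha512
 group 2
!
crypto ipsec transform-set DMVPN-TRANSFORMSET esp-aes 256 esp-sha-hmac
 mode transport
"""


def stanzas(config: str):
    """Yield (header, body_lines) for each unindented line and its indented children."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] not in " \t":
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header is not None:
        yield header, body


def grade(token: str) -> str:
    """Classify one algorithm keyword; empty string when it is acceptable."""
    if token in WEAK_ENC:
        return f"weak encryption {token}"
    if token in WEAK_HASH:
        return f"weak hash {token}"
    if token in LEGACY_HASH:
        return f"legacy SHA-1 integrity ({token})"
    return ""


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (stanza, finding) pairs for every weak or legacy setting in config."""
    findings: List[Tuple[str, str]] = []
    for header, body in stanzas(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            cfg: Dict[str, str] = dict(ISAKMP_DEFAULTS)        # omitted lines keep IOS defaults
            for line in body:
                kw, _, rest = line.partition(" ")
                kw = "encr" if kw == "encryption" else kw
                cfg[kw] = rest.split()[0] if rest else ""      # 'encr aes 256' -> 'aes'
            for kw in ("encr", "hash"):
                if grade(cfg[kw]):
                    findings.append((header, grade(cfg[kw])))
            if cfg["group"] in WEAK_DH:
                findings.append((header, f"weak DH group {cfg['group']}"))
        elif header.startswith("crypto ikev2 proposal"):
            for line in body:
                kw, *vals = line.split()
                for v in vals:
                    if kw == "group" and v in WEAK_DH:
                        findings.append((header, f"weak DH group {v}"))
                    elif kw in ("encryption", "integrity") and grade(v):
                        findings.append((header, grade(v)))
        elif header.startswith("crypto ipsec transform-set"):
            label = " ".join(words[:4])                        # drop the transform list
            for v in words[4:]:
                if grade(v):
                    findings.append((label, grade(v)))
    return findings


if __name__ == "__main__":
    for stanza, finding in audit(SAMPLE_CONFIG):
        print(f"{stanza}: {finding}")
```

Against the course's own stanzas it reports the two things a reviewer would raise: policy 10 has no hash line and therefore runs SHA-1, and both the ISAKMP policy and the IKEv2 proposal negotiate DH group 2.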
DMVPN Implementation Steps (Security)

5th - Configure the IPsec Profile (HUB and SPOKE);

IKEv1:
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set DMVPN-TRANSFORMSET
!

IKEv2:
crypto ipsec profile DMVPN-IPSEC-PROFILE-V2
 set transform-set DMVPN-TRANSFORMSET-V2
 set ikev2-profile DMVPN-Internet-Profile-V2

* DMVPN-IPSEC-PROFILE: IPsec Profile Name.
* set transform-set: Transform-set Name.
* set ikev2-profile: IKEv2 Profile Name (an IKEv1 profile uses set isakmp-profile instead, or relies on the global ISAKMP configuration).
DMVPN Implementation Steps (Security)

6th - Configure the Data Protection: apply the IPsec profile on the Tunnel Interface (HUB and SPOKE);

!
interface tunnel 10
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE shared
!

* DMVPN-IPSEC-PROFILE: IPsec profile name.
* shared: the Sharing IPsec with Tunnel Protection feature allows an IP Security (IPsec) Security Association Database (SADB) to be shared between two or more generic routing encapsulation (GRE) tunnel interfaces when tunnel protection is used. These tunnel interfaces share a single underlying cryptographic SADB, crypto map and IPsec profile in the Dynamic Multipoint Virtual Private Network (DMVPN) configuration. It is required when more than one tunnel interface uses the same tunnel source, and unnecessary with a single tunnel.
IPsec - Negotiation Steps

Step 4 - Data Transfer. Data is transferred between the IPsec peers through the IPsec tunnel, based on the IPsec parameters and keys stored in the SA database.
IPsec - Negotiation Steps

Step 5 - IPsec tunnel termination. IPsec SAs terminate through deletion (clear commands or a delete from the peer) or by timing out when the SA lifetime expires; while traffic still flows a replacement SA is negotiated before the old one expires.
IPsec for Front VRF - IKEv1

Dual HUB with Front VRF scenario and example; HUB1 (AS 65001) and HUB2 (AS 65002) reach SPOKE-B (AS 65001) over the INTERNET front VRF.

HUB1 and HUB2 (same script for both HUB devices):
!
crypto keyring SHARED_KEY vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key SH4R3D_K3Y
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp keepalive 60 5
!
crypto isakmp profile ISA_Prof_Shared
 keyring SHARED_KEY
 match identity address 0.0.0.0 INTERNET
 local-address Ethernet0/0
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set Transf_Shared esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC_Prof_Shared
 set transform-set Transf_Shared
 set isakmp-profile ISA_Prof_Shared
!

SPOKE-B (no VRF; for Spoke sites with VRFs, follow the same script used on the HUB devices):
!
crypto keyring SHARED_KEY
 pre-shared-key address 0.0.0.0 0.0.0.0 key SH4R3D_K3Y
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp keepalive 60 5
!
crypto isakmp profile ISA_Prof_Shared
 keyring SHARED_KEY
 match identity address 0.0.0.0
 local-address Ethernet0/0
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set Transf_Shared esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC_Prof_Shared
 set transform-set Transf_Shared
 set isakmp-profile ISA_Prof_Shared
!

* crypto isakmp keepalive 60 5 enables Dead Peer Detection: a keepalive every 60 seconds, retried every 5 seconds once the peer stops answering, so a dead IKE SA is torn down instead of black-holing traffic until its lifetime expires.
IPsec for Front VRF - IKEv2

Dual HUB with Front VRF scenario and example; HUB1 (AS 65001) and HUB2 (AS 65002) reach SPOKE-B (AS 65001) over the INTERNET front VRF.

HUB1 and HUB2 (for Spoke sites with VRFs, follow the same script used on the HUB devices; a spoke without VRFs omits the match fvrf lines):
!
crypto ikev2 proposal IKEv2_Prop_Shared
 encryption aes-cbc-256
 integrity sha256 sha384 sha512
 group 2
!
crypto ikev2 policy IKEv2_Poli_Shared
 match fvrf <fVRF Name>
 match address local <fVRF Underlay IP>
 proposal IKEv2_Prop_Shared
!
crypto ikev2 keyring IKEv2_SHARED_KEY
 peer ISP2_SPOKES
  address 0.0.0.0 0.0.0.0
  identity address 0.0.0.0
  pre-shared-key IKEv2_SH4R3D_K3Y
!
crypto ikev2 profile IKEv2_Prof_Shared
 match fvrf <fVRF Name>
 match address local interface <fVRF Interface>
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_SHARED_KEY
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set Transf_Shared esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IKEv2_IPsec_Prof_Shared
 set transform-set Transf_Shared
 set ikev2-profile IKEv2_Prof_Shared
!

DMVPN Troubleshooting

Commands and their function:

show dmvpn                 - Display the DMVPN map: per tunnel, each peer's NBMA address, tunnel address, state and up/down time.
show crypto isakmp sa      - Display the current Internet Key Exchange (IKEv1) security associations (SAs).
show crypto ipsec sa       - Display the settings and counters of the IPsec security associations (SAs).
show crypto ikev2 sa       - Display the Internet Key Exchange Version 2 (IKEv2) security associations (SAs).
show crypto session        - Display status information for active crypto sessions.
debug dmvpn                - Display DMVPN negotiation (debug dmvpn all all covers NHRP, tunnel and crypto events; debug nhrp for NHRP alone).
debug crypto               - Display crypto negotiation (debug crypto isakmp, debug crypto ikev2, debug crypto ipsec).
clear crypto ipsec sa      - Clear the IPsec SAs so they are renegotiated (clear crypto isakmp or clear crypto ikev2 sa for phase 1).

PS: IKEv1 and IKEv2 cannot share the same underlay interface.

ROUTING: do not learn/publish the underlay IP via the DMVPN tunnel interfaces. The tunnel destination would then be routed into the tunnel itself (recursive routing), and the DMVPN tunnel will flap.
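A parser for the first command in the table, added as an example and not part of the course. It reads show dmvpn output, lists the peers that have not reached UP and maps each stalled state to the layer (IKE, IPsec, NHRP) and the commands above to look at next. SAMPLE_SHOW_DMVPN is typed by hand to match the IOS column layout rather than captured from a device, and the hint texts and function names are mine.

```python
"""Parse 'show dmvpn' output and flag peers that are not UP.
Added example; SAMPLE_SHOW_DMVPN is constructed by hand to match the IOS column
layout, not captured from a device, and the hint texts are my own."""
import re
from typing import Dict, List

SAMPLE_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel10, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 2.2.2.2          192.168.1.10    UP 00:12:31     D
     1 3.3.3.3          192.168.1.11    UP 00:10:05     D
     1 4.4.4.4          192.168.1.12  NHRP 00:00:20     D
"""

# one peer row: entry count, NBMA address, tunnel address, state, up/down time, attributes
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(UP|NHRP|IKE|IPSEC|DOWN)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

# what each non-UP state means and where to look next, in negotiation order
HINTS = {
    "IKE": "phase 1 not established: keyring/PSK, isakmp policy or ikev2 proposal mismatch, "
           "UDP 500/4500 blocked (debug crypto isakmp / debug crypto ikev2)",
    "IPSEC": "phase 1 up but no IPsec SA: transform-set or ipsec profile mismatch (show crypto ipsec sa)",
    "NHRP": "crypto up but registration unanswered: network-id, authentication string, "
            "nhs/nbma address or GRE dropped in the path (debug nhrp)",
    "DOWN": "no negotiation in progress: tunnel source or underlay reachability (ping the NBMA address)",
}


def parse_show_dmvpn(text: str) -> List[Dict[str, str]]:
    """Return one dict per peer row found in the output."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            peers.append({"entries": m.group(1), "nbma": m.group(2), "tunnel": m.group(3),
                          "state": m.group(4).upper(), "updn": m.group(5), "attrb": m.group(6)})
    return peers


def unhealthy(peers: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Peers that have not reached UP; the state names the layer that stalled."""
    return [p for p in peers if p["state"] != "UP"]


def hint(state: str) -> str:
    """Troubleshooting pointer for a non-UP state; empty for UP or unknown states."""
    return HINTS.get(state.upper(), "")


if __name__ == "__main__":
    for p in unhealthy(parse_show_dmvpn(SAMPLE_SHOW_DMVPN)):
        print(f"{p['tunnel']} ({p['nbma']}) stuck in {p['state']}: {hint(p['state'])}")
```

The state column is read in the order the tunnel comes up (IKE, then IPsec, then NHRP, then UP), so the first non-UP peer tells you which of the show/debug commands above to run; a peer stuck in NHRP with crypto already up is almost always a network-id, authentication string or NHS address mismatch from Part 1.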

Questions and Answers
Part 3 - Routing
BGP Implementation - Dynamic neighbours

HUB:

Step 1 - Under the router bgp command, add the command below:

 bgp listen range 192.168.1.0/24 peer-group iBGP-ACME

Associates a subnet range with a BGP peer group and activates the BGP dynamic neighbors feature: any spoke whose tunnel address falls in the range can open a session without a per-spoke neighbor statement, so adding a spoke does not touch the hub configuration.

Step 2 - Under the router bgp command, add the command below:

 bgp listen limit 254

Sets a global limit on BGP dynamic subnet-range neighbors. Use the optional limit keyword and max-number argument to define the maximum number of dynamic neighbors that can be created; size it to the number of spokes you expect, so a misconfigured or hostile device inside the overlay cannot exhaust the hub with sessions.

Step 3 - Under address-family ipv4, add the commands below:

 neighbor iBGP-ACME peer-group
 neighbor iBGP-ACME remote-as 65001
 neighbor iBGP-ACME route-reflector-client

SPOKE:

Normal iBGP neighbour configuration, pointing at the hub's tunnel address.
BGP Implementation - iBGP Scenario using dynamic neighbours

(Diagram: HUB Tunnel 0 192.168.1.1 with a Permanent Tunnel to SPOKE-B 192.168.1.11 and SPOKE-C 192.168.1.12 across the Unsecured Cloud.)

SPOKE-B:
router bgp 65001
 bgp router-id 192.168.1.11
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 30.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 remote-as 65001
  neighbor 192.168.1.1 description HUB
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
 exit-address-family

HUB:
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
 bgp listen limit 254
 !
 address-family ipv4
  network 10.0.0.0 mask 255.255.255.0
  network 20.0.0.0 mask 255.255.255.0
  neighbor iBGP-ACME peer-group
  neighbor iBGP-ACME remote-as 65001
  neighbor iBGP-ACME route-reflector-client
 exit-address-family

SPOKE-C:
router bgp 65001
 bgp router-id 192.168.1.12
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 40.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 remote-as 65001
  neighbor 192.168.1.1 description HUB
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
 exit-address-family

* The hub is a route reflector, so spoke prefixes are reflected to the other spokes with the originating spoke's tunnel address as next hop; that preserved next hop is what NHRP resolves when a spoke-to-spoke shortcut is built.
BGP Implementation - eBGP Scenario

Topology: HUB (AS 65001, Tunnel 0, 192.168.1.1) reaches SPOKE-B (AS 65011, Tunnel, 192.168.1.11) and SPOKE-C (AS 65012, Tunnel, 192.168.1.12) across the unsecured cloud; the hub-to-spoke tunnels are permanent. Each spoke is in its own AS, so the hub configures every spoke explicitly instead of using a listen range.

SPOKE-B

router bgp 65011
 bgp router-id 192.168.1.11
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 30.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 remote-as 65001
  neighbor 192.168.1.1 description HUB
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
 exit-address-family

HUB

router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 10.0.0.0 mask 255.255.255.0
  network 20.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.11 remote-as 65011
  neighbor 192.168.1.11 description SPOKE-B
  neighbor 192.168.1.11 activate
  neighbor 192.168.1.11 next-hop-self
  neighbor 192.168.1.12 remote-as 65012
  neighbor 192.168.1.12 description SPOKE-C
  neighbor 192.168.1.12 activate
  neighbor 192.168.1.12 next-hop-self
 exit-address-family

SPOKE-C

router bgp 65012
 bgp router-id 192.168.1.12
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 40.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 remote-as 65001
  neighbor 192.168.1.1 description HUB
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
 exit-address-family

Because the hub applies next-hop-self towards both spokes, SPOKE-B learns 40.0.0.0/24 with next hop 192.168.1.1 and spoke-to-spoke traffic is forwarded through the hub unless NHRP redirect/shortcut builds the direct spoke-to-spoke tunnel. In the iBGP route-reflector scenario above, the reflected route keeps 192.168.1.12 as next hop instead.
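Added example, not configuration from the original deck: the eBGP hub above with the two protections that only make sense on an eBGP session, TTL security (GTSM) and a per-spoke inbound prefix filter. Addresses, AS numbers and the two LAN prefixes are those of the scenario; the prefix-list names are assumptions. GTSM checks the TTL of the inner IP header, which is not decremented while the packet crosses the underlay encapsulated in GRE, so a tunnel neighbour is one hop away.

```ios
! HUB - added example (not the deck's own config): eBGP-specific hardening.
! Each spoke may only inject the prefix it is supposed to originate
! (prefix-list names are assumptions).
ip prefix-list FROM-SPOKE-B seq 10 permit 30.0.0.0/24
ip prefix-list FROM-SPOKE-C seq 10 permit 40.0.0.0/24
!
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 neighbor 192.168.1.11 remote-as 65011
 neighbor 192.168.1.11 description SPOKE-B
 ! GTSM: accept BGP packets only if they arrive with TTL 254 or higher, i.e.
 ! from a directly adjacent tunnel peer; spoofed packets routed in from
 ! further away arrive with a lower TTL and are dropped. eBGP only.
 neighbor 192.168.1.11 ttl-security hops 1
 neighbor 192.168.1.12 remote-as 65012
 neighbor 192.168.1.12 description SPOKE-C
 neighbor 192.168.1.12 ttl-security hops 1
 !
 address-family ipv4
  network 10.0.0.0 mask 255.255.255.0
  network 20.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.11 activate
  neighbor 192.168.1.11 next-hop-self
  neighbor 192.168.1.11 prefix-list FROM-SPOKE-B in
  neighbor 192.168.1.12 activate
  neighbor 192.168.1.12 next-hop-self
  neighbor 192.168.1.12 prefix-list FROM-SPOKE-C in
 exit-address-family
!
! SPOKE-B - ttl-security must be set on both ends: without it the spoke sends
! its eBGP packets with TTL 1 and the hub rejects them.
router bgp 65011
 bgp router-id 192.168.1.11
 neighbor 192.168.1.1 remote-as 65001
 neighbor 192.168.1.1 ttl-security hops 1
!
! SPOKE-C
router bgp 65012
 bgp router-id 192.168.1.12
 neighbor 192.168.1.1 remote-as 65001
 neighbor 192.168.1.1 ttl-security hops 1
```

After the change, show ip bgp neighbors 192.168.1.11 reports the TTL security setting for the session, and show ip bgp neighbors 192.168.1.11 received-routes (with soft-reconfiguration inbound enabled) shows what the spoke sent before the prefix list was applied, so a rejected announcement can be distinguished from one that never arrived.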

BGP Implementation - Dual HUB scenario

Topology: HUB1 (AS 65001, Tunnel 0, 192.168.1.1) and HUB2 (AS 65002, Tunnel 0, 192.168.1.2) both reach SPOKE-B (AS 65001, Tunnel, 192.168.1.11) across the unsecured cloud over permanent tunnels.

HUB1

router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
 bgp listen limit 254
 !
 address-family ipv4 vrf ACME
  network 10.0.0.0 mask 255.255.255.0
  network 20.0.0.0 mask 255.255.255.0
  neighbor iBGP-ACME peer-group
  neighbor iBGP-ACME remote-as 65001
  neighbor iBGP-ACME timers 2 6
  neighbor iBGP-ACME route-reflector-client
 exit-address-family

HUB2

router bgp 65002
 bgp router-id 192.168.1.2
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
 bgp listen limit 254
 !
 address-family ipv4 vrf ACME
  network 10.0.0.0 mask 255.255.255.0
  network 20.0.0.0 mask 255.255.255.0
  neighbor iBGP-ACME peer-group
  neighbor iBGP-ACME remote-as 65001
  neighbor iBGP-ACME local-as 65001
 exit-address-family

HUB2 runs in AS 65002 but presents AS 65001 to the spokes through local-as, which is why the spoke below configures both hubs with remote-as 65001.

SPOKE-B

router bgp 65001
 bgp router-id 192.168.1.11
 bgp log-neighbor-changes
 neighbor 192.168.1.1 remote-as 65001
 neighbor 192.168.1.1 description HUB1
 neighbor 192.168.1.1 timers 2 6
 neighbor 192.168.1.2 remote-as 65001
 neighbor 192.168.1.2 description HUB2
 !
 address-family ipv4
  network 30.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
  neighbor 192.168.1.1 weight 100
  neighbor 192.168.1.2 activate
  neighbor 192.168.1.2 next-hop-self
  neighbor 192.168.1.2 weight 150
 exit-address-family

The timers 2 6 (keepalive 2 s, hold time 6 s) are there to make convergence quick. The values used here are an example; choose what is better for your environment. Note that only the HUB1 session carries them in this configuration, so the HUB2 session falls back to the IOS defaults of 60 s keepalive and 180 s hold time. You can use the BFD feature on the tunnel interface instead of the timers commands, but all routers must be running the Cisco IOS XE 16.3 release.

Weight is local to the router, is not propagated to any peer, and is the first criterion in the Cisco best-path selection. With weight 150 on HUB2 and 100 on HUB1, SPOKE-B prefers the path via HUB2 whenever both hubs advertise the same prefix and falls back to HUB1 when the HUB2 session is lost.
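Added example, not configuration from the original deck: the BFD alternative to the timers 2 6 commands that the note above mentions. Addresses, AS numbers and the peer-group name are those of the dual-hub scenario; the BFD interval values and the spoke tunnel number (Tunnel0) are assumptions, and the deck's own requirement that all routers run Cisco IOS XE 16.3 still applies.

```ios
! HUB1 - added example (not the deck's own config): BFD instead of BGP timers.
interface Tunnel0
 ! Transmit interval, minimum receive interval (ms) and detect multiplier:
 ! 3 x 300 ms = 900 ms to declare a spoke dead (values are assumptions).
 bfd interval 300 min_rx 300 multiplier 3
!
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 neighbor iBGP-ACME peer-group
 neighbor iBGP-ACME remote-as 65001
 ! Tear the BGP session down the moment BFD reports the spoke unreachable,
 ! instead of waiting for the BGP hold timer; inherited by dynamic members.
 neighbor iBGP-ACME fall-over bfd
 bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
 bgp listen limit 254
!
! HUB2 - same BFD settings, presented to the spokes as AS 65001 via local-as.
interface Tunnel0
 bfd interval 300 min_rx 300 multiplier 3
!
router bgp 65002
 bgp router-id 192.168.1.2
 neighbor iBGP-ACME peer-group
 neighbor iBGP-ACME remote-as 65001
 neighbor iBGP-ACME local-as 65001
 neighbor iBGP-ACME fall-over bfd
 bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
 bgp listen limit 254
!
! SPOKE-B - BFD must run on both ends of each session (tunnel number assumed).
interface Tunnel0
 bfd interval 300 min_rx 300 multiplier 3
!
router bgp 65001
 bgp router-id 192.168.1.11
 neighbor 192.168.1.1 remote-as 65001
 neighbor 192.168.1.1 description HUB1
 neighbor 192.168.1.1 fall-over bfd
 neighbor 192.168.1.2 remote-as 65001
 neighbor 192.168.1.2 description HUB2
 neighbor 192.168.1.2 fall-over bfd
 !
 address-family ipv4
  network 30.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
  neighbor 192.168.1.1 weight 100
  neighbor 192.168.1.2 activate
  neighbor 192.168.1.2 next-hop-self
  neighbor 192.168.1.2 weight 150
 exit-address-family
```

Verify with show bfd neighbors on the spoke, which should list a session to each hub in state Up with BGP as the registered client, and then shut the HUB2 tunnel to confirm that show ip bgp summary on the spoke drops the HUB2 session within the BFD detect time rather than after the 180 s default hold timer.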

Questions and Answers