
Cisco DMVPN

Jun 26, 2017


Version 2.0

Created by Andre Barros Longo


Agenda

Part 1 - Tunnel Interface
  What is DMVPN
  Flowchart
  DMVPN Tunnel Implementation Steps
  fVRF Scenario
  Questions and Answers

Part 2 - IPsec
  Security Acronyms
  What is IPsec, ISAKMP and IKE
  IPsec Structure
  DMVPN - IPsec Implementation Steps
  fVRF Scenario
  DMVPN Troubleshooting
  Questions and Answers

Part 3 - Routing
  DMVPN - BGP
  iBGP and eBGP scenarios
  Dual HUB scenario
  DMVPN EIGRP
  DMVPN OSPF
  Questions and Answers

It is a Hands-On Course !!! Connect on EVE and enjoy!!!!
What is DMVPN

DMVPN means Dynamic Multipoint Virtual Private Network


DMVPN is a technical solution that provides connectivity between spoke-to-hub and spoke-to-spoke sites through an underlay network. Because it needs only a few configuration lines, DMVPN permits better management and simplifies the configuration files of the routers.

DMVPN is usually used to protect corporate data that is transmitted through an unsafe network, like the public Internet.

DMVPN protects the corporate data using IPsec technology.


DMVPN Flowchart Steps

Begin
  -> Is the underlay network OK?
       NO  -> Fix it, then check again
       YES -> Create the Tunnel Interface
  -> Create the IPsec Parameters
  -> Apply IPsec on the Tunnel Interfaces
END
DMVPN Implementation Steps (Tunnel)

1st Be sure that your UNDERLAY network has full connectivity;

Underlay topology: every router reaches the ISP or MPLS or 3rd Party Transit Cloud through its underlay interface.
HUB      Underlay Interface 1.1.1.1
SPOKE-A  Underlay Interface 2.2.2.2
SPOKE-B  Underlay Interface 3.3.3.3
SPOKE-C  Underlay Interface 4.4.4.4
SPOKE-D  Underlay Interface 5.5.5.5
DMVPN Implementation Steps

2nd Create the Tunnel Interface on the HUB and SPOKE routers;
3rd Apply IP MTU to avoid fragmentation;
4th Apply the OVERLAY address;
5th Specify the Tunnel Source (Underlay Interface);
6th Specify the tunnel mode as GRE Multipoint;

HUB
HUB(config)#interface tunnel 10
HUB(config-if)#ip mtu 1400
HUB(config-if)#ip tcp adjust-mss 1360
HUB(config-if)#ip address 192.168.1.1 255.255.255.0
HUB(config-if)#tunnel source GigabitEthernet0/0
HUB(config-if)#tunnel mode gre multipoint
HUB(config-if)#

SPOKE
SPOKE(config)#interface tunnel 10
SPOKE(config-if)#ip mtu 1400
SPOKE(config-if)#ip tcp adjust-mss 1360
SPOKE(config-if)#ip address 192.168.1.10 255.255.255.0
SPOKE(config-if)#tunnel source GigabitEthernet0/0
SPOKE(config-if)#tunnel mode gre multipoint
SPOKE(config-if)#

With the IP MTU set to 1400, the packet will not exceed the 1500-byte MTU of the physical interface once the IPsec and GRE overhead is added, which prevents additional fragmentation.

* The TCP Maximum Segment Size (MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. To avoid truncation, it should be 40 bytes less than the ip mtu configured on the interface.
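The 1400/1360 numbers above can be checked rather than taken on faith. The following is an added example (not code from the original slides) that computes the underlay packet size of a GRE-over-IPsec packet for the transform set used later in this deck (esp-aes 256 esp-sha-hmac, mode transport) and derives the MSS clamp. It assumes a plain 4-byte GRE header (no tunnel key or sequence options), AES-CBC with a 16-byte IV and 16-byte block, and a 12-byte SHA-1 HMAC ICV; enabling a GRE key or a different transform changes the constants.

```python
"""Added example: GRE + ESP overhead check for the DMVPN tunnel MTU/MSS values.

Assumptions (not from the slides): plain GRE header without key/sequence,
ESP with AES-CBC (16-byte IV, 16-byte block) and SHA-1 HMAC (12-byte ICV).
"""

IP_HDR = 20        # outer IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # plain GRE header: no key, checksum or sequence (assumption)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


def esp_padded_len(plaintext_len: int, block: int = 16) -> int:
    """Length of the ESP-encrypted region (payload + padding + pad-len +
    next-header) rounded up to the cipher block size; AES-CBC needs 16."""
    return -(-(plaintext_len + ESP_TRAILER) // block) * block


def gre_ipsec_outer_len(inner_len: int, mode: str = "transport",
                        iv_len: int = 16, icv_len: int = 12) -> int:
    """Underlay IPv4 packet length for an inner packet of `inner_len` bytes
    that enters the mGRE tunnel with tunnel protection applied.

    Transport mode protects [GRE header + inner packet] and reuses the GRE
    packet's own IP header; tunnel mode wraps the whole GRE/IP datagram and
    therefore carries a second IP header."""
    protected = GRE_HDR + inner_len
    if mode == "tunnel":
        protected += IP_HDR
    elif mode != "transport":
        raise ValueError("mode must be 'transport' or 'tunnel'")
    return IP_HDR + ESP_HDR + iv_len + esp_padded_len(protected) + icv_len


def fits_interface_mtu(ip_mtu: int, interface_mtu: int = 1500,
                       mode: str = "transport") -> bool:
    """True when a packet that exactly fills the tunnel's `ip mtu` still fits
    the physical interface after GRE + ESP overhead, i.e. no fragmentation."""
    return gre_ipsec_outer_len(ip_mtu, mode) <= interface_mtu


def tcp_mss_for_ip_mtu(ip_mtu: int) -> int:
    """Value for `ip tcp adjust-mss`: the tunnel IP MTU minus the 20-byte IPv4
    header and 20-byte TCP header (the '40 bytes less' rule above)."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mtu in (1500, 1400):
        print(f"ip mtu {mtu}: underlay packet {gre_ipsec_outer_len(mtu)} bytes, "
              f"fits 1500? {fits_interface_mtu(mtu)}, adjust-mss {tcp_mss_for_ip_mtu(mtu)}")
```

Leaving the tunnel at the default 1500 produces 1576-byte underlay packets, which the physical interface must fragment; 1400 yields 1464 bytes in transport mode (1496 in tunnel mode), so both modes stay under 1500 with these transforms.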
DMVPN Implementation Steps

NHRP (Next Hop Resolution Protocol)

NHRP is a resolution protocol that allows one NHC client (spoke) to dynamically discover the logical
VPN IP to physical NBMA IP mapping for another NHC client (spoke) within the same NBMA network.

NHRP is used to facilitate building a VPN. In this context, a VPN consists of a virtual Layer 3 network
that is built on top of an actual Layer 3 network. The topology you use over the VPN is largely
independent of the underlying network, and the protocols you run over it are completely
independent of it. The VPN network (DMVPN) is based on GRE IP logical tunnels that can be
protected by adding in IPsec to encrypt the GRE IP tunnels.
Connected to the NBMA network are one or more stations that implement NHRP, and are known as
NHSs and NHCs.
DMVPN Implementation Steps

7th Configure NHRP (Next Hop Resolution Protocol) on the routers;
8th Specify the HUB as NHS on all spoke routers;

HUB
HUB(config)#interface tunnel 10
HUB(config-if)#ip nhrp network-id 123          [network-id range: 1 to 4294967295]
HUB(config-if)#ip nhrp server-only             [the HUB will not initiate or respond to an attempt to establish NHRP shortcut SVCs]
HUB(config-if)#

SPOKE
SPOKE(config)#interface tunnel 10
SPOKE(config-if)#ip nhrp network-id 123        [network-id range: 1 to 4294967295]
SPOKE(config-if)#ip nhrp nhs 192.168.1.1 nbma 1.1.1.1 multicast    [192.168.1.1 = HUB overlay IP, 1.1.1.1 = HUB underlay (NBMA) IP]
SPOKE(config-if)#

Old IOS versions of the SPOKE commands:
SPOKE(config-if)#ip nhrp nhs 192.168.1.1 1.1.1.1 255.255.255.255
SPOKE(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
or
SPOKE(config-if)#ip nhrp nhs 192.168.1.1 1.1.1.1/32
SPOKE(config-if)#ip nhrp map 192.168.1.1 1.1.1.1

HUB: The HUB routers will dynamically populate the DMVPN map table with the overlay IP and underlay IP addresses of each spoke router. Use the command show dmvpn to see the result.

SPOKE: The SPOKE routers will statically populate the DMVPN map table with the overlay IP and underlay IP addresses of the hub router. With this entry the spoke will use the HUB as a server/database to learn the overlay IP and underlay IP of the other spoke routers. Use the command show dmvpn to see the result.
DMVPN Implementation Steps

9th Configure additional NHRP commands (HUB and SPOKE);

RT(config)#interface tunnel 10
RT(config-if)#ip nhrp holdtime 600
  * How long the Cisco IOS software tells other routers to keep the address mappings it is providing in NHRP responses. This controls how long a spoke-to-spoke shortcut path will stay up after it is no longer used, or how often the spoke-to-spoke shortcut path mapping entry will be refreshed if it is still being used. We recommend that a value from 300 to 600 seconds be used.
RT(config-if)#ip nhrp registration timeout 200
  * If not configured, the default is one-third of the holdtime. It is how frequently a router should refresh its registration with the NHS router via NHRP registration requests.
RT(config-if)#ip nhrp registration no-unique
  * Apply on SPOKE only. It is necessary because the spoke's outside (NBMA) IP address may change at any time; this permits the HUB to overwrite the NHRP map entry with the new spoke address.
RT(config-if)#ip nhrp authentication STRING
  * Only routers configured with the same string can communicate with each other using NHRP.
RT(config-if)#if-state nhrp
  * On SPOKE routers: detects whether the NHS is down and puts the tunnel interface in down state; when the NHS is up, the tunnel interface is put in up state.
DMVPN Implementation Steps

10th Configure NHRP Redirect on HUB routers;
11th Configure NHRP shortcut on SPOKE routers;

HUB
HUB(config)#interface tunnel 10
HUB(config-if)#ip nhrp redirect
HUB(config-if)#
* Tells the spoke routers when there is a better path to use.

SPOKE
SPOKE(config)#interface tunnel 10
SPOKE(config-if)#ip nhrp shortcut
SPOKE(config-if)#
* Makes the spoke router choose the best-path shortcut to a destination, permitting a temporary spoke-to-spoke connection.
DMVPN Implementation Steps

12th Configure Multicast support;

HUB
HUB(config)#interface tunnel 10
HUB(config-if)#ip pim nbma-mode
HUB(config-if)#ip pim sparse-dense-mode
HUB(config-if)#ip nhrp map multicast dynamic

SPOKE
SPOKE(config)#interface tunnel 10
SPOKE(config-if)#ip pim nbma-mode
SPOKE(config-if)#ip pim sparse-dense-mode
SPOKE(config-if)#ip nhrp map multicast dynamic
SPOKE(config-if)#ip nhrp nhs 192.168.1.1 nbma 1.1.1.1 multicast

Old IOS versions of the SPOKE command (static multicast mapping to the HUB underlay address):
SPOKE(config-if)#ip nhrp map multicast 1.1.1.1
DMVPN Implementation Steps

Validate: be sure that your OVERLAY network has full connectivity;

Overlay topology over the ISP or MPLS or 3rd Party Transit Cloud (permanent tunnels from each spoke to the HUB, temporary tunnels spoke-to-spoke):
HUB      Overlay Interface 192.168.1.1
SPOKE-A  Overlay Interface 192.168.1.10
SPOKE-B  Overlay Interface 192.168.1.11
SPOKE-C  Overlay Interface 192.168.1.12
SPOKE-D  Overlay Interface 192.168.1.13
DMVPN Implementation Steps
Dual HUB with Front VRF scenario and example (HUB1 in AS 65001, HUB2 in AS 65002, SPOKE-B in AS 65001; the underlay is the INTERNET front VRF);

HUB1 (AS 65001)
interface Tunnel10
 ip vrf forwarding ACME
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 54321
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 ip nhrp holdtime 600
 ip nhrp redirect
 ip nhrp server-only
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel vrf INTERNET

HUB2 (AS 65002)
interface Tunnel10
 ip vrf forwarding ACME
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 54321
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 ip nhrp holdtime 600
 ip nhrp redirect
 ip nhrp server-only
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel vrf INTERNET

SPOKE-B (AS 65001)
interface Tunnel10
 ip address 192.168.1.11 255.255.255.0
 if-state nhrp
 ip mtu 1400
 ip nhrp authentication 54321
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 ip nhrp holdtime 600
 ip nhrp nhs 192.168.1.1 nbma 1.0.0.1 multicast
 ip nhrp nhs 192.168.1.2 nbma 2.0.0.2 multicast
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
Questions and Answers
Part 2 - IPsec
Security Acronyms

Terms used in this part:
HA (Hash Algorithm): MD5, SHA, HMAC
IPsec: ESP
Key management: ISAKMP, IKEv1, IKEv2, KINK, DH
Cryptography Algorithms: DES, 3DES, AES
What is IPsec, ISAKMP and IKE

IPsec means Internet Protocol SECurity


IPsec is a framework of open and standard technologies used to ensure
private and secure communications over IP networks.

ISAKMP means Internet Security Association and Key Management Protocol


ISAKMP is a framework for authentication and key exchange and is designed
to be key exchange independent.

IKE means Internet Key Exchange


IKE is the protocol used to set up a security association (SA) in the IPsec
protocol framework.
DMVPN IPsec Structure

IPsec
  ISAKMP: IKEv1, IKEv2

  Phase 1 - Secure the Channel / Tunnel (Peer)
    Authentication Method: Pre-Shared Key, Public Key Infrastructure
    HA (Hash Algorithm): SHA, MD5
    Cryptography Algorithm: DES, 3DES, AES
    Diffie-Hellman Group: 1, 2, 5

  Phase 2 - Secure the Data
    Authentication Header (AH), Encapsulating Security Payload (ESP)
    HA (Hash Algorithm): SHA, MD5, HMAC
    Cryptography Algorithm: DES, 3DES, AES
    Diffie-Hellman Group: 1, 2, 5

While AH can be used to provide message authentication, ESP can be used to provide both encryption and message authentication.

Diffie-Hellman is a specific method of securely exchanging cryptographic keys.

Key Points: Reliability, Integrity, Privacy
IPsec Negotiation Steps - Step 1 of 5

"Interesting traffic" initiates the IPsec process. Traffic is deemed interesting when the IPsec security policy configured on the IPsec peers starts the IKE process.
IPsec Negotiation Steps - Step 2 of 5

IKE phase 1 - Negotiation (Main Mode)

Initiator Router                                        Responder Router
  Sends MM1 packet with policy proposals  -->
                                          <--  Reply MM2 packet
  Sends MM3 packet                        -->
                                          <--  Reply MM4 packet
  Sends MM5 packet                        -->
                                          <--  Reply MM6 packet
Phase 1 Finished

Keyrings holding the pre-shared keys used for the authentication (any peer, or one specific peer):
crypto keyring DMVPN-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key STRINGKEYRING
!
crypto keyring DMVPN-KEYRING-2
 pre-shared-key address 192.168.1.2 255.255.255.255 key STRINGKEYRING-2
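The six messages above can be modelled end to end to see what the pre-shared key actually does. The following is an added example, not code from the original slides: a toy of IKEv1 main mode with pre-shared-key authentication that follows the RFC 2409 derivations (SKEYID, SKEYID_d/a/e, HASH_I, HASH_R) with HMAC-SHA1 as the PRF. The Diffie-Hellman group is a constructed 64-bit toy modulus (2**64 - 59), not ISAKMP group 2, so it runs instantly and offers no real security; encryption of MM5/MM6 is elided and only the authentication hashes are modelled. Peer identities and the `SH4R3D_K3Y` string are constructed sample values. It also shows the point behind the `0.0.0.0 0.0.0.0` keyring entry: in main mode the responder must choose the PSK before it can decrypt the initiator's identity in MM5, so the lookup is by peer address, and with a wildcard entry it is the key string alone that authenticates the peer.

```python
"""Added example: toy IKEv1 main mode (MM1..MM6) with PSK authentication.
Constructed DH group and sample keys; follows RFC 2409 key derivations."""
import hashlib
import hmac
import os

TOY_P = 0xFFFFFFFFFFFFFFC5   # constructed toy modulus (prime 2**64 - 59), NOT ISAKMP group 2
TOY_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: keyed HMAC with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One ISAKMP peer: pre-shared key, identity, cookie, DH key pair and nonce."""

    def __init__(self, psk: str, identity: str):
        self.psk = psk.encode()
        self.identity = identity.encode()       # IDii_b / IDir_b (address identity)
        self.cookie = os.urandom(8)             # CKY-I / CKY-R from the ISAKMP header
        self.x = 2 + int.from_bytes(os.urandom(8), "big") % (TOY_P - 3)
        self.pub = pow(TOY_G, self.x, TOY_P)    # g^x, carried in the KE payload
        self.nonce = os.urandom(16)             # Ni_b / Nr_b


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e exactly as in RFC 2409 section 5."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def main_mode(init: Peer, resp: Peer, sa_i: bytes) -> dict:
    """Run MM1..MM6 between two peers and report what each side concluded."""
    # MM1 -> / <- MM2: the SA proposal (crypto isakmp policy) is offered and accepted.
    # MM3 -> / <- MM4: KE payloads (g^xi, g^xr) and nonces (Ni, Nr) cross in the clear.
    gxi, gxr = i2b(init.pub), i2b(resp.pub)
    ni, nr = init.nonce, resp.nonce
    gxy_i = i2b(pow(resp.pub, init.x, TOY_P))   # shared secret as computed by the initiator
    gxy_r = i2b(pow(init.pub, resp.x, TOY_P))   # ... and by the responder
    # PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    # MM5 is encrypted, so the responder picks its PSK before knowing the
    # initiator's ID: a per-address keyring lookup, here address-independent
    # like `pre-shared-key address 0.0.0.0 0.0.0.0`.
    skeyid_i = prf(init.psk, ni + nr)
    skeyid_r = prf(resp.psk, ni + nr)
    keys_i = derive_keys(skeyid_i, gxy_i, init.cookie, resp.cookie)
    keys_r = derive_keys(skeyid_r, gxy_r, init.cookie, resp.cookie)
    # MM5 ->: IDii + HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    hi_body = gxi + gxr + init.cookie + resp.cookie + sa_i + init.identity
    responder_accepts = hmac.compare_digest(prf(skeyid_i, hi_body), prf(skeyid_r, hi_body))
    # <- MM6: IDir + HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    hr_body = gxr + gxi + resp.cookie + init.cookie + sa_i + resp.identity
    initiator_accepts = hmac.compare_digest(prf(skeyid_r, hr_body), prf(skeyid_i, hr_body))
    return {
        "responder_accepts": responder_accepts,
        "initiator_accepts": initiator_accepts,
        # both sides end up with the same phase-1 encryption key only if the PSKs match
        "skeyid_e_matches": keys_i[2] == keys_r[2],
    }


if __name__ == "__main__":
    policy = b"isakmp-policy-10"   # constructed stand-in for the SAi_b payload bytes
    print(main_mode(Peer("SH4R3D_K3Y", "2.2.2.2"), Peer("SH4R3D_K3Y", "1.1.1.1"), policy))
    print(main_mode(Peer("wrong-key", "3.3.3.3"), Peer("SH4R3D_K3Y", "1.1.1.1"), policy))
```

With matching keys both HASH_I and HASH_R verify and both sides derive the same SKEYID_e; with a mismatched key the DH secret still agrees, but SKEYID differs, so both hashes fail and phase 1 never finishes. That is also why a weak or widely shared wildcard key is the single point of failure for every spoke that uses it.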
IPsec Negotiation Steps - Step 2 of 5 (continued)

IKE phase 1. IKE authenticates IPsec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPsec SAs in phase 2.

IKEv1 - Keyring, Policy, Profile
crypto keyring DMVPN-KEYRING vrf <fVRF>
 pre-shared-key address 0.0.0.0 0.0.0.0 key STRINGKEYRING
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp profile DMVPN-Internet-Profile-V1
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 <fVRF>
 isakmp authorization list default
 local-address Ethernet1/0

IKEv2 - Keyring, Policy, Profile
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  identity address 0.0.0.0
  pre-shared-key STRINGKEYRING
!
crypto ikev2 proposal DMVPN-PROPOSAL
 encryption aes-cbc-256
 integrity sha256 sha384 sha512
 group 2
!
crypto ikev2 policy DMVPN-POLICY
 match fvrf <fVRF Name>
 match address local <underlay ip>
 proposal DMVPN-PROPOSAL
!
crypto ikev2 profile IKEv2_Prof_Shared
 match fvrf <fVRF Name>
 match address local interface <Underlay Interface>
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
DMVPN Implementation Steps (Security)

1st Configure the Authentication Credentials - Pre-Shared Key (HUB and SPOKE);

IKEv1:
!
crypto keyring DMVPN-KEYRING vrf DMVPN-Internet-Transport-V1
 pre-shared-key address 0.0.0.0 0.0.0.0 key STRINGKEY
!
  DMVPN-KEYRING: name of the keyring.
  vrf DMVPN-Internet-Transport-V1: for fVRF scenarios; if the fVRF is not specified the keyring will be part of the global VRF.
  address 0.0.0.0 0.0.0.0: the IP address of the peers; in this case it means any IP.
  key STRINGKEY: the string that must be common to all interested peers.

A crypto keyring is a repository of preshared and PKI keys.

IKEv2:
crypto ikev2 keyring DMVPN-KEYRING
 peer <Peer-Name>
  address 0.0.0.0 0.0.0.0
  pre-shared-key STRINGKEY
DMVPN Implementation Steps (Security)

2nd Configure the Authentication Credentials - Policy Proposal (HUB and SPOKE);

IKEv1:
!
crypto isakmp policy 10          <- priority ID
 encryption aes 256              <- cryptography algorithm
 authentication pre-share        <- authentication method
 group 2                         <- Diffie-Hellman group
!

IKEv2:
!
crypto ikev2 proposal DMVPN-PROPOSAL
 encryption aes-cbc-256
 integrity sha256 sha384 sha512
 group 2
!
crypto ikev2 policy DMVPN-POLICY
 proposal DMVPN-PROPOSAL
 match fvrf <fVRF Name>
 match address local <Underlay IP>
DMVPN Implementation Steps (Security)

3rd Configure the Authentication Credentials - ISAKMP Profile (HUB and SPOKE);

IKEv1:
!
crypto isakmp profile DMVPN-Profile        <- profile name
 vrf <iVRF>                                <- inside VRF; * used with crypto maps only
 keyring DMVPN-KEYRING                     <- keyring name
 match identity address 0.0.0.0 <fVRF>     <- permitted peers, where 0.0.0.0 means any IP; <fVRF> is the front VRF, * used when the target underlay addresses are hosted on a front VRF
 isakmp authorization list default         <- AAA authorization list
 local-address Ethernet1/0                 <- local exit interface, usually the ISP interface
!

IKEv2:
crypto ikev2 profile DMVPN-Profile
 match fvrf <fVRF Name>
 match address local interface <Underlay Interface>    <- the same interface used on the tunnel source command; the IP address on this interface will be used as the identity to be matched on the peers
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
IPsec Negotiation Steps - Step 3 of 5

IKE phase 2. IKE negotiates IPsec SA parameters and sets up matching IPsec SAs in the peers.

IKEv1 - Transform-Set, Profile, Apply
crypto ipsec transform-set DMVPN-TRANSFORMSET-V1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-V1
 set transform-set DMVPN-TRANSFORMSET-V1
 set isakmp-profile DMVPN-ISAKMP-PROFILE
!
interface tunnel 10
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-V1 shared

IKEv2 - Transform-Set, Profile, Apply
crypto ipsec transform-set DMVPN-TRANSFORMSET-V2 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-V2
 set transform-set DMVPN-TRANSFORMSET-V2
 set ikev2-profile DMVPN-Internet-Profile-V2     <- without this command, IKEv1 is tried first
!
interface tunnel 10
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-V2 shared

shared: used when many VTIs use the same IPsec profile.
DMVPN Implementation Steps (Security)

4th Configure the Data Protection - IPsec Transform-Set (HUB and SPOKE);

Security association (SA) anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks.

!
crypto ipsec security-association replay window-size 512     <- sets the number of packets accepted in a window; the default is 64
!
crypto ipsec transform-set DMVPN-TRANSFORMSET esp-aes 256 esp-sha-hmac
 mode transport
!
  DMVPN-TRANSFORMSET: transform-set name.
  esp-aes 256 esp-sha-hmac: cryptography and hash algorithms.
  Transport Mode encapsulates the payload only; Tunnel Mode encapsulates the whole IP datagram.
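The window-size command above configures the receiver's anti-replay sliding window. The following is an added example, not code from the original slides, of the check that window performs, written in the style of the bitmap algorithm in RFC 4303 Appendix A: the receiver remembers the highest sequence number accepted plus a bitmap of the last `size` sequence numbers, and a packet is accepted only if its sequence number is new and not older than the window. The sequence numbers fed in are constructed sample input, and the ESP integrity check that must precede this test on a real router is assumed to have already passed.

```python
"""Added example: ESP anti-replay sliding window (RFC 4303 style bitmap).
Sample sequence numbers below are constructed; ICV verification is assumed."""


class ReplayWindow:
    def __init__(self, size: int = 64):
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0                    # highest sequence number accepted so far
        self.bitmap = 0                 # bit i set => sequence number (top - i) was seen
        self.rejected = {"replay": 0, "too_old": 0}

    def check(self, seq: int) -> bool:
        """Return True and update the window if `seq` is acceptable."""
        if seq <= 0:
            return False                # ESP sequence numbers start at 1
        if seq > self.top:
            # New high-water mark: slide the window forward and mark this packet.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1         # everything previously seen falls outside the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            self.rejected["too_old"] += 1
            return False                # behind the left edge of the window: too old
        if self.bitmap & (1 << offset):
            self.rejected["replay"] += 1
            return False                # already accepted once: replay
        self.bitmap |= 1 << offset      # late but new: accept and remember it
        return True


def process(seqs, size: int = 64):
    """Run sequence numbers through a window; return (accepted list, rejection counts)."""
    win = ReplayWindow(size)
    accepted = [s for s in seqs if win.check(s)]
    return accepted, win.rejected


if __name__ == "__main__":
    # Constructed sample: a short burst, one duplicate (3), a jump to 70, then two stragglers.
    sample = [1, 2, 3, 5, 4, 3, 70, 6, 2]
    for size in (64, 512):
        print(f"window {size}: accepted {process(sample, size)[0]}, rejected {process(sample, size)[1]}")
```

With the default window of 64, sequence number 6 arriving after 70 is dropped as too old even though it was never seen, which is exactly the loss a larger window avoids when QoS queuing or parallel paths reorder packets; with a 512 window it is accepted while the genuine duplicates (3 and 2) are still rejected as replays.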
DMVPN Implementation Steps (Security)

5th Configure the Authentication Credentials - IPsec Profile (HUB and SPOKE);

IKEv1:
!
crypto ipsec profile DMVPN-IPSEC-PROFILE       <- IPsec profile name
 set transform-set DMVPN-TRANSFORMSET          <- transform-set name
!

IKEv2:
crypto ipsec profile DMVPN-IPSEC-PROFILE-V2
 set transform-set DMVPN-TRANSFORMSET-V2
 set ikev2-profile DMVPN-Internet-Profile-V2   <- IKEv2 profile name
DMVPN Implementation Steps (Security)

6th Configure the Data Protection - Apply the IPsec profile on the Tunnel Interface (HUB and SPOKE);

!
interface tunnel 10
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE shared     <- IPsec profile name
!

The Sharing IPsec with Tunnel Protection feature allows an IP Security (IPsec) Security Association Database (SADB) to be shared between two or more generic routing encapsulation (GRE) tunnel interfaces when tunnel protection is used. These tunnel interfaces share a single underlying cryptographic SADB, cryptographic map, and IPsec profile in the Dynamic Multipoint Virtual Private Network (DMVPN) configuration.
IPsec Negotiation Steps - Step 4 of 5

Data Transfer. Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the SA database.

IPsec Negotiation Steps - Step 5 of 5

IPsec tunnel termination. IPsec SAs terminate through deletion or by timing out.
IPsec for Front VRF IKEv1
Dual HUB with Front VRF scenario and example (HUB1 in AS 65001, HUB2 in AS 65002, SPOKE-B in AS 65001; INTERNET is the front VRF);

# Same for both HUB devices
!
crypto keyring SHARED_KEY vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key SH4R3D_K3Y
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp keepalive 60 5
!
crypto isakmp profile ISA_Prof_Shared
 keyring SHARED_KEY
 match identity address 0.0.0.0 INTERNET
 local-address Ethernet0/0
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set Transf_Shared esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC_Prof_Shared
 set transform-set Transf_Shared
 set isakmp-profile ISA_Prof_Shared
!

SPOKE-B (AS 65001): for spoke sites with VRFs, follow the same script used on the HUB devices.
IPsec for Front VRF IKEv2
Dual HUB with Front VRF scenario and example (HUB1 in AS 65001, HUB2 in AS 65002, SPOKE-B in AS 65001; INTERNET is the front VRF);

# Same for both HUB devices
!
crypto ikev2 proposal IKEv2_Prop_Shared
 encryption aes-cbc-256
 integrity sha256 sha384 sha512
 group 2
!
crypto ikev2 policy IKEv2_Poli_Shared
 match fvrf <fVRF Name>
 match address local <fVRF Underlay IP>
 proposal IKEv2_Prop_Shared
!
crypto ikev2 keyring IKEv2_SHARED_KEY
 peer ISP2_SPOKES
  address 0.0.0.0 0.0.0.0
  identity address 0.0.0.0
  pre-shared-key IKEv2_SH4R3D_K3Y
!
crypto ikev2 profile IKEv2_Prof_Shared
 match fvrf <fVRF Name>
 match address local interface <fVRF Interface>
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_SHARED_KEY
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set Transf_Shared esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IKEv2_IPsec_Prof_Shared
 set transform-set Transf_Shared
 set ikev2-profile IKEv2_Prof_Shared
!

SPOKE-B (AS 65001): for spoke sites with VRFs, follow the same script used on the HUB devices.
DMVPN Troubleshooting

Command                  Function
show dmvpn               Displays the DMVPN map
show crypto isakmp sa    Displays the current Internet Key Exchange (IKE) security associations (SAs)
show crypto ipsec sa     Displays the settings used by the IPsec security associations (SAs)
show crypto ikev2 sa     Displays the Internet Key Exchange Version 2 (IKEv2) security associations (SAs)
show crypto session      Displays status information for active crypto sessions
debug dmvpn              Displays the DMVPN negotiation
debug crypto             Displays the crypto negotiation
clear ipsec sa           Clears the IPsec SAs so that they are renegotiated

PS: IKEv1 and IKEv2 can not share the same underlay interface.

ROUTING: Do not learn/publish the underlay IP via the DMVPN tunnel interfaces; this will make the DMVPN tunnel flap.
Questions and Answers
Part 3 - Routing
BGP Implementation
Dynamic neighbours

HUB
Step 1 - Under the router bgp command, add the command below:
bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
Associates a subnet range with a BGP peer group and activates the BGP dynamic neighbors feature.

Step 2 - Under the router bgp command, add the command below:
bgp listen limit 254
Sets a global limit of BGP dynamic subnet range neighbors. Use the optional limit keyword and max-number argument to define the maximum number of BGP dynamic subnet range neighbors that can be created.

Step 3 - Under address-family ipv4, add the commands below:
neighbor iBGP-ACME peer-group
neighbor iBGP-ACME remote-as 65001
neighbor iBGP-ACME route-reflector-client

SPOKE
Normal iBGP neighbour configuration.
BGP Implementation
iBGP Scenario using dynamic neighbours

HUB (permanent tunnels to the spokes over the unsecured cloud; overlay address 192.168.1.1)
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
 bgp listen limit 254
 !
 address-family ipv4
  network 10.0.0.0 mask 255.255.255.0
  network 20.0.0.0 mask 255.255.255.0
  neighbor iBGP-ACME peer-group
  neighbor iBGP-ACME remote-as 65001
  neighbor iBGP-ACME route-reflector-client
 exit-address-family

SPOKE-B (overlay address 192.168.1.11)
router bgp 65001
 bgp router-id 192.168.1.11
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 30.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 remote-as 65001
  neighbor 192.168.1.1 description HUB
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
 exit-address-family

SPOKE-C (overlay address 192.168.1.12)
router bgp 65001
 bgp router-id 192.168.1.12
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 40.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 remote-as 65001
  neighbor 192.168.1.1 description HUB
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
 exit-address-family
BGP Implementation
eBGP Scenario

HUB (permanent tunnels to the spokes over the unsecured cloud; overlay address 192.168.1.1)
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 10.0.0.0 mask 255.255.255.0
  network 20.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.11 remote-as 65011
  neighbor 192.168.1.11 description SPOKE-B
  neighbor 192.168.1.11 activate
  neighbor 192.168.1.11 next-hop-self
  neighbor 192.168.1.12 remote-as 65012
  neighbor 192.168.1.12 description SPOKE-C
  neighbor 192.168.1.12 activate
  neighbor 192.168.1.12 next-hop-self
 exit-address-family

SPOKE-B (overlay address 192.168.1.11)
router bgp 65011
 bgp router-id 192.168.1.11
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 30.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 remote-as 65001
  neighbor 192.168.1.1 description HUB
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
 exit-address-family

SPOKE-C (overlay address 192.168.1.12)
router bgp 65012
 bgp router-id 192.168.1.12
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 40.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 remote-as 65001
  neighbor 192.168.1.1 description HUB
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
 exit-address-family
BGP Implementation
Dual HUB scenario

HUB1 (AS 65001, overlay address 192.168.1.1; permanent tunnel to SPOKE-B over the unsecured cloud)
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
 bgp listen limit 254
 !
 address-family ipv4 vrf ACME
  network 10.0.0.0 mask 255.255.255.0
  network 20.0.0.0 mask 255.255.255.0
  neighbor iBGP-ACME peer-group
  neighbor iBGP-ACME remote-as 65001
  neighbor iBGP-ACME timers 2 6
  neighbor iBGP-ACME route-reflector-client
 exit-address-family

HUB2 (AS 65002, overlay address 192.168.1.2)
router bgp 65002
 bgp router-id 192.168.1.2
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
 bgp listen limit 254
 !
 address-family ipv4 vrf ACME
  network 10.0.0.0 mask 255.255.255.0
  network 20.0.0.0 mask 255.255.255.0
  neighbor iBGP-ACME peer-group
  neighbor iBGP-ACME remote-as 65001
  neighbor iBGP-ACME local-as 65001
 exit-address-family

* The timers are there to make convergence quick. The values used here are only an example; choose what is better for your environment. You can use the BFD feature on the tunnel interface instead of the timers commands, but all routers must then be running the Cisco IOS XE 16.3 release.

SPOKE-B (AS 65001, overlay address 192.168.1.11)
router bgp 65001
 bgp router-id 192.168.1.11
 bgp log-neighbor-changes
 neighbor 192.168.1.1 remote-as 65001
 neighbor 192.168.1.1 description HUB1
 neighbor 192.168.1.1 timers 2 6
 neighbor 192.168.1.2 remote-as 65001
 neighbor 192.168.1.2 description HUB2
 !
 address-family ipv4
  network 30.0.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
  neighbor 192.168.1.1 weight 100
  neighbor 192.168.1.2 activate
  neighbor 192.168.1.2 next-hop-self
  neighbor 192.168.1.2 weight 150
 exit-address-family
Questions and Answers
