Describe DMVPN (single hub)

Exam: Cisco 300-101 - CCNP Implementing Cisco IP Routing (ROUTE v2.0)


Overview

Cisco Dynamic Multipoint VPN (DMVPN) is a dynamic tunneling technology for building IPsec virtual private networks. DMVPN provides centralized network management and allows multiple branch offices to communicate over the Internet or a private service provider network.

Major Components of DMVPN are:

  • Next Hop Resolution Protocol (NHRP) - Builds a distributed mapping database of every spoke's tunnel address to its real (public interface, also called NBMA) address
  • Multipoint GRE Tunnel Interface - A single GRE interface that carries multiple GRE and IPsec tunnels, which simplifies configuration

You can build a simple hub-and-spoke DMVPN by statically configuring the hub on each spoke; the network can then build spoke-to-spoke tunnels dynamically. Each spoke's IPsec tunnel is anchored at the hub (central site). DMVPN addresses many network problems by combining IPsec, NHRP, and GRE. A dynamic routing protocol such as EIGRP or OSPF can be used for efficient and dynamic routing in the network, and additional hub routers can be configured to provide high availability and load balancing.

Some of the popular DMVPN models are:

  • Hub-and-spoke—This basic DMVPN model carries spoke-to-spoke traffic through a single hub.
  • Spoke-to-spoke—This model enables dynamic spoke-to-spoke tunnels.

Some of the benefits of DMVPN are:

  • Hubs can be configured with static NAT and spokes with dynamic NAT
  • Supports dynamic addressing of spoke routers
  • Additional, new spoke routers don’t require any configuration
  • Supports IPSec, NHRP, and GRE tunnels
  • Simple hub and spoke deployment can provide full-mesh connectivity
  • Supports Unicast, Multicast, and dynamic routing protocols
  • Deployments can be with or without IPsec encryption
  • Supports partial- or full-mesh VPNs

Configuring DMVPN

Consider this example DMVPN network that connects the company headquarters (HQ) network to its BranchX and BranchY networks. The HQ router is the hub router and the BranchX and BranchY are spoke routers. The network topology details are as given in the table below:

Router             Role    Internal network (Fa0/1)   Tunnel 25 address   Public IP (Fa0/2, tunnel source)
HQ (Headquarters)  Hub     192.168.10.10/24           10.1.2.3            1.2.3.4
BranchX            Spoke   192.168.20.20/24           10.1.2.4            2.3.4.5
BranchY            Spoke   192.168.30.30/24           10.1.2.5            3.4.5.6

To configure multipoint GRE, perform these steps on the HQ, BranchX and BranchY routers:

1. Configure the HQ (Hub) router:

HQ(config)# interface Fa0/1
HQ(config-if)# ip address 192.168.10.10 255.255.255.0
HQ(config-if)# interface Fa0/2
HQ(config-if)# ip address 1.2.3.4 255.255.255.0
HQ(config-if)# interface tunnel 25
HQ(config-if)# ip address 10.1.2.3 255.255.255.0
HQ(config-if)# ip nhrp authentication secure
HQ(config-if)# ip nhrp map multicast dynamic
HQ(config-if)# ip nhrp network-id 5
HQ(config-if)# tunnel mode gre multipoint
HQ(config-if)# tunnel source 1.2.3.4

NHRP lets a router on the tunnel resolve a peer's tunnel address to its real (public, NBMA) address so that traffic can be sent to that peer directly. To enable NHRP authentication, use the ip nhrp authentication command; in the example above the authentication string is “secure”. Note that this string is carried in NHRP packets as plain text and only keeps mismatched NHRP domains apart; real peer authentication comes from IPsec. Use the ip nhrp map multicast dynamic command so that the hub forwards multicast traffic to spokes that registered dynamically, which is needed when a dynamic routing protocol such as OSPF or EIGRP runs over the tunnel. Configure a unique network ID for each DMVPN deployment with the ip nhrp network-id command. To define the tunnel as a multipoint GRE tunnel, use the tunnel mode gre multipoint command. The tunnel source can be the IP address of the exit interface or the exit interface itself.

2. Configure the BranchX (spoke) router:

BranchX(config)# interface Fa0/1
BranchX(config-if)# ip address 192.168.20.20 255.255.255.0
BranchX(config-if)# interface Fa0/2
BranchX(config-if)# ip address 2.3.4.5 255.255.255.0
BranchX(config-if)# interface tunnel 25
BranchX(config-if)# ip address 10.1.2.4 255.255.255.0
BranchX(config-if)# ip nhrp authentication secure
BranchX(config-if)# ip nhrp map multicast dynamic
BranchX(config-if)# ip nhrp map 10.1.2.3 1.2.3.4
BranchX(config-if)# ip nhrp map multicast 1.2.3.4
BranchX(config-if)# ip nhrp network-id 5
BranchX(config-if)# ip nhrp nhs 10.1.2.3
BranchX(config-if)# tunnel mode gre multipoint
BranchX(config-if)# tunnel source Fa0/2

The ip nhrp nhs command points the spoke routers at the next-hop server, which in this example is the tunnel IP address of the HQ (hub) router. The ip nhrp map command statically maps the hub's tunnel address to its public (NBMA) address, and ip nhrp map multicast sends multicast (routing protocol) traffic from the spoke to the hub.

3. Configure the BranchY (spoke) router:

BranchY(config)# interface Fa0/1
BranchY(config-if)# ip address 192.168.30.30 255.255.255.0
BranchY(config-if)# interface Fa0/2
BranchY(config-if)# ip address 3.4.5.6 255.255.255.0
BranchY(config-if)# interface tunnel 25
BranchY(config-if)# ip address 10.1.2.5 255.255.255.0
BranchY(config-if)# ip nhrp authentication secure
BranchY(config-if)# ip nhrp map multicast dynamic
BranchY(config-if)# ip nhrp map 10.1.2.3 1.2.3.4
BranchY(config-if)# ip nhrp map multicast 1.2.3.4
BranchY(config-if)# ip nhrp network-id 5
BranchY(config-if)# ip nhrp nhs 10.1.2.3
BranchY(config-if)# tunnel mode gre multipoint
BranchY(config-if)# tunnel source Fa0/2

4. Verify the DMVPN configuration on the HQ (Hub) router using the show dmvpn command:

HQ# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel25, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent      Peer NBMA Addr         Peer Tunnel Add    State     UpDn Tm   Attrb
 -----     ----------------------  ---------------    -----     --------  -----
   1          2.3.4.5               10.1.2.4            UP      00:03:28     D
   1          3.4.5.6               10.1.2.5            UP      00:03:56     D

5. Verify the DMVPN configuration on the BranchX and BranchY (spokes) routers using the show dmvpn command:

BranchX# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel25, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent      Peer NBMA Addr         Peer Tunnel Add    State     UpDn Tm   Attrb
 -----     ----------------------  ---------------    -----    --------   -----
   1         1.2.3.4                 10.1.2.3          UP       00:03:28     D

BranchY# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel25, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent      Peer NBMA Addr         Peer Tunnel Add    State     UpDn Tm   Attrb
 -----     ----------------------  ---------------    -----    --------   -----
   1         1.2.3.4                 10.1.2.3          UP       00:04:02     D
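As an added example (not part of the original guide), the following Python script parses the show dmvpn peer table and checks the hub's registered spokes against the topology table above, flagging peers that registered from an unexpected public address, peers the table does not list, and tunnels that are not fully up. The sample output is constructed; the 3.3.3.10 and 9.9.9.9 entries are deliberately wrong so the checks fire.

```python
import re
from typing import Dict, List

# Constructed sample of "show dmvpn" on the hub, modelled on the page's HQ
# router. The 10.1.2.5 entry deliberately registers from an NBMA address that
# does not match the topology table, and 10.1.2.9 is not in the table at all.
HUB_SHOW_DMVPN = """\
Interface: Tunnel25, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,
 # Ent      Peer NBMA Addr         Peer Tunnel Add    State     UpDn Tm   Attrb
 -----     ----------------------  ---------------    -----     --------  -----
   1          2.3.4.5               10.1.2.4            UP      00:03:28     D
   1          3.3.3.10              10.1.2.5            UP      00:03:56     D
   1          9.9.9.9               10.1.2.9            UP      00:00:12     D
"""

# Expected spoke tunnel address -> public (NBMA) address, from the topology table.
EXPECTED_SPOKES = {"10.1.2.4": "2.3.4.5", "10.1.2.5": "3.4.5.6"}

# One NHRP peer line: # Ent, NBMA addr, tunnel addr, state, up/down time, attributes.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_dmvpn(output: str) -> List[dict]:
    """Return one dict per NHRP peer line; legend and header lines are skipped."""
    peers = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ent, nbma, tunnel, state, updn, attrb = m.groups()
            peers.append({"ent": int(ent), "nbma": nbma, "tunnel": tunnel,
                          "state": state, "updn": updn, "attrb": attrb})
    return peers

def audit_hub(output: str, expected: Dict[str, str]) -> List[str]:
    """Compare the hub's NHRP peer table with the expected spoke inventory."""
    findings, seen = [], set()
    for p in parse_dmvpn(output):
        seen.add(p["tunnel"])
        want = expected.get(p["tunnel"])
        if want is None:
            findings.append(f"unexpected peer {p['tunnel']} registered from NBMA {p['nbma']}")
        elif want != p["nbma"]:
            findings.append(f"{p['tunnel']} registered from {p['nbma']}, expected {want}")
        if p["state"] != "UP" or "I" in p["attrb"]:  # I = Incomplete in the legend
            findings.append(f"{p['tunnel']} not fully up: state={p['state']} attrb={p['attrb']}")
    for tunnel in expected:
        if tunnel not in seen:
            findings.append(f"expected spoke {tunnel} has not registered with the hub")
    return findings
```

Run the same check on each spoke with the hub as the only expected peer to confirm the spoke is talking to the right next-hop server.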

Perform this configuration on the HQ, BranchX and BranchY routers to encrypt the DMVPN tunnels with IPsec (the ISAKMP policy lifetime accepts 60 to 86400 seconds, and the Diffie-Hellman group must be one that IOS supports, such as group 14):

crypto isakmp policy 30
 encryption aes
 hash md5
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key SECURE address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRANSET esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
 set security-association lifetime seconds 90000
 set transform-set TRANSET
interface Tunnel 25
 tunnel protection ipsec profile DMVPN

Use the show crypto session command to verify IPsec encryption over the DMVPN tunnels. MD5 is a weak hash; where the IOS release supports it, prefer hash sha256 in the ISAKMP policy and esp-sha256-hmac in the transform set.
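As an added example (not from the original guide), this Python check reads the crypto section of a running configuration and flags the settings a reviewer would question: MD5 hashing, Diffie-Hellman groups below 14, the wildcard pre-shared key, and a Tunnel25 interface with no tunnel protection applied. The sample configuration is constructed from the page's commands.

```python
import re
from typing import Dict, List

# Constructed sample of the page's crypto configuration as it would appear in
# "show running-config" on one of the three routers.
SAMPLE_CRYPTO_CONFIG = """\
crypto isakmp policy 30
 encryption aes
 hash md5
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key SECURE address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRANSET esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
 set security-association lifetime seconds 90000
 set transform-set TRANSET
interface Tunnel25
 tunnel protection ipsec profile DMVPN
"""

def parse_sections(config: str) -> Dict[str, List[str]]:
    # Group indented sub-commands under their parent global command.
    sections, current = {}, None
    for line in (l for l in config.splitlines() if l.strip()):
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_crypto(config: str) -> List[str]:
    """Flag IKE/IPsec settings a reviewer would question in this DMVPN profile."""
    sections, findings = parse_sections(config), []
    for name, subs in sections.items():
        if name.startswith("crypto isakmp policy"):
            if "hash md5" in subs:
                findings.append(f"{name}: MD5 hash; prefer hash sha256")
            for sub in subs:
                m = re.match(r"group (\d+)$", sub)
                if m and int(m.group(1)) < 14:
                    findings.append(f"{name}: weak DH {sub}; use group 14 or higher")
        elif name.startswith("crypto isakmp key") and re.search(r"address 0\.0\.0\.0", name):
            findings.append(f"{name}: wildcard pre-shared key, any peer holding it can negotiate")
        elif name.startswith("crypto ipsec transform-set") and "esp-md5-hmac" in name:
            findings.append(f"{name}: MD5 integrity; prefer esp-sha256-hmac")
    tunnel = sections.get("interface Tunnel25", [])  # the profile protects nothing unless applied here
    if not any(s.startswith("tunnel protection ipsec profile") for s in tunnel):
        findings.append("interface Tunnel25: no tunnel protection, traffic is plain GRE")
    return findings
```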

Perform this configuration on the HQ, BranchX and BranchY routers to enable routing between the DMVPN tunnels:

Note: You can use Static routing or Dynamic routing depending on your requirements. This example shows static routing configuration between the tunnels.

HQ(config)# ip route 192.168.20.0 255.255.255.0 10.1.2.4
HQ(config)# ip route 192.168.30.0 255.255.255.0 10.1.2.5

BranchX(config)# ip route 192.168.10.0 255.255.255.0 10.1.2.3
BranchX(config)# ip route 192.168.30.0 255.255.255.0 10.1.2.5

BranchY(config)# ip route 192.168.10.0 255.255.255.0 10.1.2.3
BranchY(config)# ip route 192.168.20.0 255.255.255.0 10.1.2.4

Use the show ip route command on the routers to verify routing configuration. You can also ping the end hosts to verify connectivity.

Exam Question

Which of the following is not a characteristic of DMVPN tunnels?

  1. Supports dynamic addressing of spoke routers
  2. Simple hub and spoke deployment can provide full-mesh connectivity
  3. Additional, new spoke routers don’t require any configuration
  4. IPsec encryption is mandatory for all the DMVPN deployments

Answer: 4

Explanation: Configuration of DMVPN tunnels over IPSec is optional. IPSec encryption provides security to the tunnels, but is not mandatory for all the deployments.
