LAB1: DMVPN Theory. DMVPN Theory. Disclaimer. Pag e

Transcription

1 LAB1: DMVPN Thory Disclaimr This Configuration Guid is dsignd to assist mmbrs to nhanc thir skills in rspctiv tchnology ara. Whil vry ffort has bn mad to nsur that all matrial is as complt and accurat as possibl, th nclosd matrial is prsntd on an as is basis. Nithr th authors nor Forum assum any liability or rsponsibility to any prson or ntity with rspct to loss or damags incurrd from th information containd in this guid. This Lab Guid was dvlopd by RSTForum. Any similaritis btwn matrial prsntd in this configuration guid and any othr matrial is compltly coincidntal. DMVPN Thory

2 INTRODUCTION Dynamic Multipoint VPN 1. Provids dynamic scur ovrlay ntworks. DMVPN is combination of th following tchnologis 1. Multipoint GRE (mgre) 2. Nxt-Hop Rsolution Protocol (NHRP) 3. Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP) 4. Dynamic IPsc ncryption 5. Cisco Exprss Forwarding (CEF) A Dynamic Multipoint VPN is an volvd itration of hub and spok tunnling. DMVPN itslf is not a protocol but mrly a dsign concpt. A gnric hub and spok topology implmnt static tunnls btwn a cntrally locatd hub routr and its spoks, which gnrally attach branch offics. Tunnl can b GRE or IPsc (typically IPsc) Each nw spok rquirs additional configuration on th hub routr and traffic btwn spoks must b dtourd through th hub to xit on tunnl and ntr anothr. Whil this may b an accptabl solution on a small scal, it bcoms a mss as spoks multiply in numbr. DMVPN offrs an lgnt solution to this problm: multipoint GRE tunnling

3 A GRE tunnl ncapsulations IP packts with a GRE hadr and a nw IP hadr. A Point-to-point GRE tunnl has xactly two ndpoints. Convrsly, a multipoint GRE tunnl allows for mor than two ndpoints and is tratd as a non-broadcast multipoint accss (NBMA) ntwork.

4 Lgacy hub and spok stup would rquir thr sparat tunnls spanning from R1 to ach of th spok routrs. Convrsly mgre allows all four routrs to hav a singl tunnl intrfac in th sam IP subnt ( /24). This NBMA configuration is nabld by Nxt Hop Rsolution Protocol, which allows multipoint tunnls to b built dynamically.

5 NEXT HOP RESOLUTION PROTOCOL NHRP facilitats dynamic tunnl stablishmnt providing tunnl-tophysical intrfac addrss rsolution. NHRP clints (spok routrs) issu rqusts to th nxt hop srvr (hub routr) to obtain th physical addrss of anothr spok routr.

6 DMVPN CONFIGURATION R1: intrfac fastthrnt 0/0 ip addrss no shutdown xit intrfac tunnl 0 ip addrss ip nhrp map multicast dynamic!(enabls forwarding of multicast traffic across th tunnl to dynamic spoks rquird by most routing protocol) ip nhrp ntwork-id 1!(Uniquly idntifis th DMVPN ntwork; tunnls will not form btwn routr with diffring ntwork IDs.) tunnl sourc tunnl mod gr multipoint

7 !(Hr tunnl dos not hav an xplicit dstination spcifid bcaus multipoint tunnls ar built dynamically from th spoks to th hub routr; th hub routr dosn t nd to b prconfigurd with spok addrsss.) R2: intrafac fastthrnt0/0 ip addrss no shutdown xit intrfac tunnl 0 ip addrss ip nhrp map ! (Statically maps th NHS addrss to R1 s physically addrss) ip nhrp map multicast ! (Multicast traffic is only allowd from spoks to th hub, not from spok to spok.) ip nhrp ntwork-id 1 ip nhrp nhs ! (ip nhrp nhs dsignats R1 as th Nxt Hop Srvr) tunnl sourc tunnl mod gr multipoint Not: R3 and R4 crat similar configuration on all spok routrs. Vrify DMVPN Sssions R1# show dmvpn Lgnd: Attrb > S Static, D Dynamic, I Incomplt N NATd, L Local, X No Sockt # Ent > Numbr of NHRP ntris with sam NBMA pr Tunnl0, Typ:Hub, NHRP Prs:3, # Ent Pr NBMA Addr Pr Tunnl Add Stat UpDn Tm Attrb UP 00:57:47 D UP 00:45:56 D UP 00:45:46 D Dynamic Tunnling Brillianc of DMVPN lis in its ability to dynamically stablish spok-tospok tunnls. In a lgacy hub and spok dsign a packt dstind from R2 to R4 would nd to b routd through R1 to xit th R2 tunnl and th gt r-ncapsulatd to ntr th R4 tunnl.

8 Clarly a bttr path lis dirctly via R5 and DMVPN allows us to tak advantag of this. Vrify Packt captur of traffic from R2 to R4. Traffic initially follows th path through R1 as dscribd abov whil a dynamic tunnl is built from R2 to R4 using NHRP. Aftr th nw tunnl has bn an stablishd traffic flow across it bypassing R1 compltly. W can s a nw tunnl has bn stablishd aftr traffic dstind for R4 is dtctd: R2# show dmvpn Tunnl0, Typ:Spok, NHRP Prs:1, # Ent Pr NBMA Addr Pr Tunnl Add Stat UpDn Tm Attrb UP 01:08:02 S R2# ping Typ scap squnc to abort. Snding 5, 100-byt ICMP Echos to , timout is 2 sconds:!!!!! Succss rat is 100 prcnt (5/5), round-trip min/avg/max = 28/37/56 ms R2# show dmvpn Tunnl0, Typ:Spok, NHRP Prs:2, # Ent Pr NBMA Addr Pr Tunnl Add Stat UpDn Tm Attrb UP 01:08:27 S UP 00:00:03 D Notic that th tunnl to R4 has bn flaggd as dynamic, in contrast to th static tunnl to th hub/nhs. IPSEC: ADDING CRYPTO IPsc protction policy is applid on th tunnl intrfac of ach routr.

9 A simpl IPsc profil using a pr-shard ISAKMP ky is includd blow for dmonstration. crypto isakmp policy 10 authntication pr-shar crypto isakmp ky P4ssw0rd addrss ! crypto ipsc transform-st My TransformSt sp-as sp-sha-hmac! crypto ipsc profil MyProfil st transform-st My TransformSt! Intrfac tunnl 0 Tunnl protction ipsc profil MyProfil (Aftr bumping th tunnl intrfacs, w can s th DMVPN sssions hav bn rbuilt, this tim sporting som slick military-grad ncryption.) Vrification R1# show dmvpn Tunnl0, Typ:Hub, NHRP Prs:3, # Ent Pr NBMA Addr Pr Tunnl Add Stat UpDn Tm Attrb UP 00:02:28 D UP 00:02:26 D UP 00:02:25 D R1# show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src stat conn-id slot status QM_IDLE ACTIVE QM_IDLE ACTIVE QM_IDLE ACTIVE