DYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING

Similar documents
IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example

Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase

DMVPN for R&S CCIE Candidates

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458

Implementing Dynamic Multipoint VPN for IPv6

ADVANCED IPSEC DEPLOYMENTS AND CONCEPTS OF DMVPN NETWORKS

Sharing IPsec with Tunnel Protection

IPv6 over DMVPN. Finding Feature Information

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

Dynamic Multipoint VPN between CradlePoint and Cisco Router Example

Scalability Considerations

HOME-SYD-RTR02 GETVPN Configuration

DMVPN to Group Encrypted Transport VPN Migration

Shortcut Switching Enhancements for NHRP in DMVPN Networks

Cisco Virtual Office High-Scalability Design

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

A-B I N D E X. backbone networks, fault tolerance, 174

Cisco Group Encrypted Transport VPN

Configuring FlexVPN Spoke to Spoke

Dynamic Multipoint VPN (DMVPN) Deployment Models

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Static VTI R1: (previous tunnel 0 config remains the same)

Virtual Private Networks Advanced Technologies

LARGE SCALE DYNAMIC MULTIPOINT VPN

Dynamic Multipoint VPN APPLICATION NOTE

Advanced Concepts of DMVPN (Dynamic Multipoint VPN)

DMVPN Topology. Page1

Virtual Private Networks Advanced Technologies

IP Addressing: NHRP Configuration Guide

Implementing Cisco Secure Mobility Solutions

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T

LAB 5: DMVPN BGP. LAB 5: Diagram. Note: This Lab was developed on Cisco IOS Version15.2(4) M1 ADVENTERPRISEK9-M.

Cisco Exam Questions & Answers

Dynamic Multipoint VPN Configuration Guide

Operating and Monitoring the Network

Virtual Tunnel Interface

Restrictions for DMVPN Dynamic Tunnels Between Spokes. Behind a NAT Device. Finding Feature Information

Deploying Transit VPC for Amazon Web Services

Index. Numerics 3DES (triple data encryption standard), 21

CONFIGURING DYNAMIC MULTIPOINT VPN SPOKE ROUTER IN FULL MESH IPSEC VPN USING SECURITY DEVICE MANAGER

Pre-Fragmentation for IPSec VPNs

Advanced DMVPN Designs

FlexVPN HA Dual Hub Configuration Example

Cisco Multicloud Portfolio: Cloud Connect

IPsec Virtual Tunnel Interfaces

Managing Site-to-Site VPNs

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

no track object-number {decrement value shutdown} Objects and decrement priority per object are not tracked.

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

ip nat source through iterate-ip-addrs

UDLR Unidirectional Link Routing overview and examples

IPv4 IGP Troubleshooting. IPv4 Routing Workflow. IPv4 routing can be subdivided into three discrete steps

Virtual Tunnel Interface

Managing Site-to-Site VPNs: The Basics

OSPF. OSPF processs can be enabled on 2 levels

Cisco IOS IP Routing: EIGRP Command Reference

Managing Site-to-Site VPNs: The Basics

Dynamic Multipoint VPN (DMVPN) Troubleshooting Scenarios

Firepower Threat Defense Site-to-site VPNs

Securing Networks with Cisco Routers and Switches

Configuring EIGRP. Overview CHAPTER

Sample Business Ready Branch Configuration Listings

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Add Path Support in EIGRP

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

An Overview of Site-to- Site VPN Technologies Nisha Kuruvilla Technical Leader, Services Hector Mendoza Jr. Technical Leader, Services BRKSEC-1050

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

Abstract. Avaya Solution & Interoperability Test Lab

ARCHIVED DOCUMENT. - The topics in the document are now covered by more recent content.

Návrh inteligentní WAN sítě

Configuring LAN-to-LAN IPsec VPNs

MWA Deployment Guide. VPN Termination from Smartphone to Cisco ISR G2 Router

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Cisco CCIE Security Written.

Intelligent WAN Remote Site 4G LTE Deployment Guide

Introduction to Dynamic Routing Protocols

Configuring Remote Access IPSec VPNs

CCIE R&S LAB CFG H2/A5 (Jacob s & Jameson s)

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)

Troubleshooting Dynamic Multipoint VPN (DMVPN)

IPsec Dead Peer Detection Periodic Message Option

Demystifying DMVPN. Ranjana Jwalaniah (CCIE # 10246) BRKSEC-3052

COURSE OUTLINE: Course: CCNP Route Duration: 40 Hours

Chapter 3 Network Foundation Protection (NFP) Overview 39. Configuring and Implementing Switched Data Plane Security Solutions 57

L2TP IPsec Support for NAT and PAT Windows Clients

Cisco Service Advertisement Framework Deployment Guide

EIGRP. About EIGRP. CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.7 1

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Cisco Exam CCNA Version: 4.1 [ Total Questions: 215 ]

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Configure ISDN Connectivity between Remote Sites

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48

H Q&As. HCNA-HNTD (Huawei Network Technology and Device) Pass Huawei H Exam with 100% Guarantee

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Brocade Vyatta Network OS DMVPN Configuration Guide, 5.2R1

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Interconnecting Cisco Networking Devices Part 2 (ICND2 v3.0)

IP Enhanced IGRP Commands

IPv6 over IPv4 GRE Tunnel Protection

Transcription:

DYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING NOVEMBER 2004 1

Direct Spoke To Spoke Tunnels Initially, spoke to spoke traffic can only travel via the hub In DMVPN, spokes can send packets directly to another spoke, if the routing table and NHRP table are available This does not change the principle so far 2

Routes and NHRP Between Two Spokes Tunnel address: 10.0.0.11/24 NBMA address: 172.16.1.2/24 Tunnel address: 10.0.0.1/24 NBMA address: 172.17.0.1/24 192.168.1.0/24 Routing Table 192.168.0.0/24 -> Tunnel 0, via 10.0.0.1 192.168.2.0/24 -> Tunnel 0, via 10.0.0.12 NHRP Table 10.0.0.1 -> 172.17.0.1 10.0.0.12 -> 172.16.2.2 192.168.0.0/24 NBMA address: 172.16.2.2/24 Tunnel address: 10.0.0.12/24 192.168.2.0/24 3

Learning process In order to create a spoke to spoke tunnel, a spoke must Learn a routing entry to the destination network The next hop must be the remote spoke tunnel IP address The spoke must learn the NBMA address of this next hop The IPsec tunnel is only built after that 4

Route Learning The routing protocol is only between the hub and the spokes In order for spoke to spoke to work, the hub must preserve and advertise the private networks next hop as advertised by the spokes themselves 5

Route Learning (cont d.) RIP keeps the next-hop information by default This can not be disabled The next-hop preservation in EIGRP is not a default It is turned on with the interface command no ip next-hop-self eigrp <as> Next hop preservation in BGP is a default It can be disabled with the BGP command neighbor <n> next-hop-self In OSPF, next-hop preservation happens naturally except in point-to-multipoint mode 6

NHRP Learning A spoke will send an NHRP resolution request to its NHS to learn an NBMA address The queried address can be a network address Ideally, the queried address should be a next-hop address The NHS will respond with an NBMA address from its cache The spoke will populate its cache with the answer 7

NHRP Learning (cont.) The resolution reply will have a lifetime set to the remaining lifetime in the hub cache If the NHS does not have the entry in its cache, it returns an error and the spoke will install an incomplete entry and forward packets to the NHS During the learning process, the spoke will forward all the packets to its NHS This occurs in process switching 8

Tunnel Buildup As soon as the NHRP entry is created but NOT inserted in the cache, an IPsec tunnel will be initiated The NHRP entry will be inserted in the cache and used when the IPsec tunnel is actually ready The IPsec tunnel will disappear when the NHRP entry times out 9

NHRP Registration Dynamically Addressed Spokes NHRP mapping Routing Table = Dynamic IPsec tunnels Physical: 172.17.0.1 Tunnel0: 10.0.0.1 192.168.0.1/24 10.0.0.11 172.16.1.1 10.0.0.12 172.16.2.1 192.168.0.0/24 Conn. 192.168.1.0/24 10.0.0.11 192.168.2.0/24 10.0.0.12 Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11 Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12 192.168.1.1/24 10.0.0.1 172.17.0.1 10.0.0.12 172.16.2.1 Spoke A Spoke B 192.168.2.1/24 10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1 192.168.0.0/24 10.0.0.1 192.168.1.0/24 Conn. 192.168.2.0/24 10.0.0.12 192.168.0.0/24 10.0.0.1 192.168.1.0/24 10.0.0.11 192.168.2.0/24 Conn. 10

Building Spoke-Spoke Tunnels Host1 Spoke1 Hubs Spoke2 Host2 NHRP Resol. Req. NHRP Resol. Req. IKE Initialization NHRP Resol. Req. NHRP Resol. Req. IKE Initialization IKE/IPsec Established NHRP Resolution Replies Encrypted 11

IKE Call Access Control IKE Call Access Control (CAC) was introduced in Release 12.3(8)T This feature allows Cisco IOS Software to limit the number of IKE/IPsec connections It prevents small platforms from opening dozens of spoke to spoke tunnels (e.g. worm attack) crypto call admission limit ike sa <number> 12

DMVPN Hub Configuration crypto ca trustpoint CA enrollment terminal crl optional rsakeypair hub1 crypto ca certificate chain CA certificate 2368DB55000000000B4E certificate ca 1244325DE0369880465F977A18F61CA8 crypto isakmp policy 1 encryption 3des crypto ipsec transform-set ts esp-3des esp-sha-hmac crypto ipsec profile prof set transform-set ts interface Ethernet0/0 ip address 192.168.0.1 255.255.255.0 interface Serial1/0 ip address 172.17.0.1 255.255.255.252 13

DMVPN Hub Configuration (Cont d.) interface Tunnel0 bandwidth 1000 ip address 10.0.0.1 255.255.255.0 ip mtu 1416 ip nhrp map multicast dynamic ip nhrp network-id 100000 ip nhrp holdtime 3600 no ip split-horizon eigrp 1 no ip next-hop-self eigrp 1 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile prof router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.0.0 no auto-summary For spoke to spoke configs 14

DMVPN Spoke Configuration crypto ca trustpoint CA enrollment terminal crl optional rsakeypair spoke1 crypto ca certificate chain CA certificate 236FD380000000000B4F certificate ca 1244325DE0369880465F977A18F61CA8 crypto isakmp policy 1 encryption 3des crypto ipsec transform-set ts esp-3des esp-sha-hmac crypto ipsec profile prof set transform-set ts interface Ethernet0/0 ip address 192.168.1.1 255.255.255.0 interface Serial1/0 ip address 172.16.1.1 255.255.255.252 15

DMVPN Spoke Configuration (Cont d.) interface Tunnel0 bandwidth 1000 ip address 10.0.0.11 255.255.255.0 ip mtu 1416 ip nhrp map multicast 172.17.0.1 ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp network-id 100000 ip nhrp holdtime 3600 ip nhrp nhs 10.0.0.1 ip nhrp server-only delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile prof router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.1.0 no auto-summary For pure hub and spoke 16

Recommendation The use of wildcard pre-shared keys is strongly discouraged With such topologies, it is recommended to use a Public Key Infrastructure (PKI) to authenticate nodes 17

18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback