Router

DMVPN (Dynamic Multipoint VPN) Configuration Example

by

DMVPN Configuration Example:

In the DMVPN Overview  article We explained how DMVPN combines a number of technologies that give it its flexibility, low administrative overhead and ease of configuration. This article will cover the DMVPN Configuration including Hub, Spokes, Routing and Protecting the mGRE Tunnel.[boxads]

DMVPN Configuration is simple, if you’ve worked with GRE tunnels before.  If the GRE Tunnel concept is new to you, we would recommend reading through our Point-to-Point GRE IPSec Tunnel Configuration article before proceeding with DMVPN configuration.

DMVPN as a design concept is essentially the configuration combination of protected GRE Tunnel and Next Hop Routing Protocol (NHRP).

This article examines a specific DMVPN deployment architecture. Those seeking additional information on available DMVPN deplyment models can also visit my Dynamic Multipoint VPN DMVPN Architecture article.

DMVPN Operation – How DMVPN Operates:

Before diving into the configuration of our routers, we’ll briefly explain how the DMVPN is expected to work. This will help in understanding how DMVPN operates in a network:

  • Each spoke has a permanent IPSec tunnel to the hub but not to the other spokes within the network.
  • Each spoke registers as a client of the NHRP server. The Hub router undertakes the role of the NHRP server.
  • When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke.
  • After the originating spoke learns the peer address of the target spoke, it can initiate a dynamic IPSec tunnel to the target spoke.
  • The spoke-to-spoke tunnel is built over the multipoint GRE (mGRE) interface.
  • The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. Thereafter, packets are able to bypass the hub and use the spoke-to-spoke tunnel.
  • All data traversing the GRE tunnel is encrypted using IPSecurity (optional)

Our DMVPN Network:

The diagram below depicts our DMVPN example network. Our goal is to connect the two remote networks (Remote 1 & 2) with the company headquarters. The headquarters router R1 is the central Hub router that will hold the NHRP database containing all spoke routers, their public IP addresses and LAN networks.

DMVPN Network Diagram
DMVPN Network Diagram

Read more

DMVPN Overview

by

DMVPN Overview:

Dynamic Multipoint VPN (DMVPN) is the increasing demands of enterprise companies to be able to connect branch offices with head offices and between each other while keeping low costs, minimizing configuration complexity and increasing flexibility.[bodyads]

With DMVPN, one central router, usually placed at the head office, undertakes the role of the Hub while all other branch routers are Spokes that connect to the Hub router so the branch offices can access the company’s resources. DMVPN consists of two mainly deployment designs:

  • DMVPN Hub & Spoke, used to perform headquarters-to-branch interconnections
  • DMVPN Spoke-to-Spoke, used to perform branch-to-branch interconnections

In both cases, the Hub router is assigned a static public IP Address while the branch routers (spokes) can be assigned static or dynamic public IP addresses.

DMVPN Overview
DMVPN Overview

DMVPN combines multiple GRE (mGRE) Tunnels, IPSec encryption and NHRP (Next Hop Resolution Protocol) to perform its job and save the administrator the need to define multiple static crypto maps and dynamic discovery of tunnel endpoints.

NHRP is layer 2 resolution protocol and cache, much like Address Resolution Protocol (ARP) or Reverse ARP (Frame Relay).

The Hub router undertakes the role of the server while the spoke routers act as the clients. The Hub maintains a special NHRP database with the public IP Addresses of all configured spokes.

Read more

Dynamic Multipoint VPN DMVPN Architecture

by

Dynamic Multipoint VPN DMVPN Architecture:

There is a number of different ways an engineer can implement a DMVPN network. The fact that there is a variety of DMVPN Architecture models, each one with its caveats and requirements, means that almost any VPN requirement can be met as long as we have the correct hardware, software license and knowledge to implement it. [boxads]

Speaking of implementation, no matter how complex the DMVPN network might get, it’s pretty straight forward once it’s broken down into sections.

Engineers already working with complex DMVPNs can appreciate this and see the simplicity in configuration they offer.  At the end, it’s all a matter of experience.

Providing configuration for each deployment model is out of this article’s scope, however, we will identify key services used in each deployment model along with their strong and weak points.

Future articles will cover configuration of all DMVPN Architecture deployment models presented here.

Following are the most popular DMVPN deployment models found in over 85% of DMVPN Architecture across the globe:

  • Single DMVPN Network/Cloud  – Single Tier Headend Architecture
  • Single DMVPN Network/Cloud  – Dual Tier Headend Architecture
  • Dual DMVPN Network/Cloud – Single Tier Headend Architecture
  • Dual DMVPN Network/Cloud – Dual Tier Headend Architecture

In every case a complete DMVPN deployment consists of the following services, also known as control planes:

  1. Dynamic Routing (Next Hop Resolution Protocol)
  2. mGRE Tunnels
  3. Tunnel Protection – IPSec Encryption that protects the GRE tunnel and data

It’s time now to take a look at each deployment model.

Read more

DMVPN Configuration With mGRE and NHRP

by

DMVPN Configuration:

DMVPN stands for Dynamic Multipoint VPN and it is an effective solution for dynamic secure overlay networks. In short, DMVPN Configuration is combination of the following technologies: [boxads]

1) Multipoint GRE (mGRE)
2) Next-Hop Resolution Protocol (NHRP)
4) Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
3) Dynamic IPsec encryption
5) Cisco Express Forwarding (CEF)

Assuming that reader has a general understanding of what DMVPN is and a solid understanding of IPsec/CEF, we are going to describe the role and function of each component in details. In this post we are going to illustrate two major phases of DMVPN evolution:

1) Phase 1 – Hub and Spoke (mGRE hub, p2p GRE spokes)
2) Phase 2 – Hub and Spoke with Spoke-to-Spoke tunnels (mGRE everywhere)

As for DMVPN Phase 3 – “Scalable Infrastructure”, a separate post is required to cover the subject. This is due to the significant changes made to NHRP resolution logic (NHRP redirects and shortcuts), which are better being illustrated when a reader has good understanding of first two phases. However, some hints about Phase 3 will be also provided in this post.

You may follow bellow professor jaya chandran DMVPN configuration video tutorial, for learning better.

[bodylink]

Multipoint GRE:

Let us start with the most basic building component of DMVPN Configuration – multipoint GRE tunnel. Classic GRE tunnel is point-to-point, but mGRE generalizes this idea by allowing a tunnel to have “multiple” destinations.

DMVPN point-to-point gre tunnels
DMVPN point-to-point gre tunnels

This may seem natural if the tunnel destination address is multicast (e.g. 239.1.1.1). The tunnel could be used to effectively distribute the same information (e.g. video stream) to multiple destinations on top of a multicast-enabled network. Actually, this is how mGRE is used for Multicast VPN implementation in Cisco IOS. However, if tunnel endpoints need to exchange unicast packets, special “glue” is needed to map tunnel IP addresses to “physical” or “real” IP addresses, used by endpoint routers. As we’ll see later, this glue is called NHRP.

Read more

BGP Attributes Categories

by

BGP Attributes Categories

BGP Attributes Categories are 1) WELL-KNOWN, MANDATORY , 2) WELL-KNOWN, DISCRETIONARY, 3) OPTIONAL, TRANSITIVE, 4) OPTIONAL, NON-TRANSITIVE. details are: [boxads]

BGP Attributes Categories
BGP Attributes Categories

WELL-KNOWN, MANDATORY

AS-path: A list of the Autonomous Systems (AS) numbers that a route passes through to reach the destination. As the update passes through an AS the AS number is inserted at the beginning of the list. The AS-path attribute has a reverse-order list of AS passed through to get to the destination.

Next-hop: The next-hop address that is used to reach the destination.

Origin: Indicates how BGP learned a particular route. There are three possible types — IGP (route is internal to the AS), EGP (learned via EBGP), or Incomplete (origin unknown or learned in a different way).

WELL-KNOWN, DISCRETIONARY

Local Preference: Defines the preferred exit point from the local AS for a specific route.

Atomic Aggregate: Set if a router advertises an aggregate causes path attribute information to be lost.

Read more

BGP Routing Protocol Overview

by

BGP Routing Protocol Overview

Hi ! Today i will discuss about BGP Routing Protocol Overview. BGP is an Border gateway protocol, BGP mainly use for connect between different networks. It is the protocol used between Internet service providers (ISPs) and also can be used between an Enterprise and an ISP. BGP was built for reliability, scalability, and control. [boxads]

  • BGP stands for Border Gateway Protocol. Routers running BGP are termed BGP speakers.
  • BGP uses the concept of autonomous systems (AS). An autonomous system is a group of networks under a common administration. The Internet Assigned Numbers Authority (IANA) assigns AS numbers: 1 to 64511 are public AS numbers and 64512 to 65535 are private AS numbers.
  • Autonomous systems run Interior Gateway Protocols (IGP) within the system. They run an Exterior Gateway Protocol (EGP) between them. BGP version 4 is the only EGP currently in use.
  • Routing between autonomous systems is called interdomain routing.
  • The administrative distance for EBGP routes is 20. The administrative distance for IBGP routes is 200.
  • BGP neighbors are called peers and must be statically configured.
  • BGP uses TCP port 179. BGP peers exchange incremental, triggered route updates and periodic keepalives.
  • Routers can run only one instance of BGP at a time.
  • BGP is a path-vector protocol. Its route to a network consists of a list of autonomous systems on the path to that network.
  • BGP’s loop prevention mechanism is an autonomous system number. When an update about a network leaves an autonomous system, that autonomous system’s number is prepended to the list of autonomous systems that have handled that update. When an autonomous system receives an update, it examines the autonomous system list. If it finds its own autonomous system number in that list, the update is discarded.

BGP Databases

BGP uses three databases. The first two listed are BGP-specific; the third is shared by all routing processes on the router:

  • Neighbor database: A list of all configured BGP neighbors. To view it, use the show ip bgp summary command.
  • BGP database, or RIB (Routing Information Base): A list of networks known by BGP, along with their paths and attributes. To view it, use the show ip bgp command.
  • Routing table: A list of the paths to each network used by the router, and the next hop for each network. To view it, use the show ip route command.

BGP Message Types

BGP has four types of messages:

  • 1) Open: After a neighbor is configured, BGP sends an open message to try to establish peering with that neighbor. Includes information such as autonomous system number, router ID, and hold time.
  • 2) Update: Message used to transfer routing information between peers. Includes new routes, withdrawn routes, and path attributes.
  • 3) Notification: When a problem occurs that causes a router to end the BGP peering session, a notification message is sent to the BGP neighbor and the connection is closed.
  • 4) Keepalive: BGP peers exchange keepalive messages every 60 seconds by default. These keep the peering session active.
  • ROUTE-REFRESH: An optional message (negotiated during capability advertisement) that is sent to request dynamic BGP route updates from the Adj-RIB-Out table of a remote BGP speaker

Read more