In a nutshell: DMVPN

Page 1: In a nutshell: DMVPN

Page 2: In a nutshell: DMVPN

Typical Site-to-Site VPN Model

[Diagram: routers 1 and 2 joined by a single point-to-point tunnel between their Fa0/0 interfaces]

Page 3: In a nutshell: DMVPN

Typical Site-to-Site VPN Model: What are the Limitations?

[Diagram: the same two routers, 1 and 2, tunneled between their Fa0/0 interfaces]

Page 4: In a nutshell: DMVPN

Hub and Spoke Scale: Sucks
Complex Hub Crypto Configuration & Saturation

[Diagram: Typical Site-to-Site VPN Model - Hub & Spoke. Routers 1, 2, 3 and 4, each with an Fa0/0 interface; every spoke's tunnel terminates on the hub]

Page 5: In a nutshell: DMVPN

Federated Full Mesh Topology (Hub-less)
Number of tunnels = n(n-1)/2
With these four routers: 4*3/2 = 6 tunnels

[Diagram: Typical Site-to-Site VPN Model - Full Mesh. Routers 1, 2, 3 and 4, each with an Fa0/0 interface, every router tunneled to every other]

Page 6: In a nutshell: DMVPN

And with six routers: 6*5/2 = 15 tunnels to maintain

[Diagram: Typical Site-to-Site VPN Model - Full Mesh. Routers 1 through 6, each with an Fa0/0 interface, every router tunneled to every other]

Page 7: In a nutshell: DMVPN

Built Ugly, Pain to Maintain

Operationally-heavy, manual crypto configurations (you're all too familiar)
If you need to add a network for a site, all tunnel configs must be updated everywhere
No support for dynamic routing (OSPF, EIGRP, BGP, etc.) for route exchange
Configuration change on one end usually ripples to all routers in the topology
Very rigid form of traffic engineering

Page 8: In a nutshell: DMVPN

“There has to be a better way!”

Page 9: In a nutshell: DMVPN

DMVPN: Dynamic Multipoint VPN

Page 10: In a nutshell: DMVPN

DMVPN Operation

Main benefit of using DMVPN:

Better, scalable Hub-and-Spoke network design
This enhanced ability also means reduced latency and optimized performance for traffic exchange between spoke sites
Peering grows linearly in the IGP versus quadratically (n(n-1)/2) in a full mesh
E.g. 100 spokes = 100 IGP peers in DMVPN, versus n(n-1)/2, or 100*99/2 = 4,950 full-mesh peerings

Page 11: In a nutshell: DMVPN

DMVPN Operation

Translates directly to:

Dynamic tunneling across existing topologies (Internet)
Reduced latency
Reduced router configuration
Allows "zero-touch" spoke router additions
Support for routing protocols

Page 12: In a nutshell: DMVPN

DMVPN Components

DMVPN is broken down into a combination of these technologies:

IPSec
Generic Routing Encapsulation (GRE)
Next-Hop Resolution Protocol (NHRP)
Dynamic Routing Protocol (IGP)

Page 13: In a nutshell: DMVPN

DMVPN Components: IPSec

Same old IPSec Phase 1 and Phase 2 configurations (IOS variant)
What ends up in the crypto domain/proxy-IDs is the public peer addresses as src and dest for IP protocol 47 (GRE)
Usually able to utilize 'Transport' mode for less overhead (20 bytes saved)
Crypto map NOT applied to the physical interface (or anywhere else)
IPSec instead "wraps" the GRE Tunnel interface traffic to protect it

Page 14: In a nutshell: DMVPN

DMVPN Components: IPSec

Example Phase 2 SA:

[Screenshot of the Phase 2 SA, not reproduced; callouts: "GRE" and "crypto map and peers the same"]

Page 15: In a nutshell: DMVPN

DMVPN Components: GRE

Packets that are destined to the Tunnel interface are encapsulated in GRE and sent to the tunnel destination
IP Protocol 47
Transports packets across the Internet, even multicast packets
Enables use of routing protocols (yay!)
DMVPN uses multipoint GRE (mGRE) since no destination is specified in the tunnel interface, only the source

Page 16: In a nutshell: DMVPN

DMVPN Components: NHRP

Next-Hop Resolution Protocol
Used by spokes to look up the outside addresses ("next-hop") of other spokes
The Hub acts as next-hop server (NHS) and stores the table (Routing and NHRP)
Implies that spokes must first query the hub before forming a direct tunnel to each other

Example NHRP table (from hub):

Page 17: In a nutshell: DMVPN

DMVPN Components: IPSec + GRE + NHRP

Example Spoke Tunnel interface configuration with IPSec encryption:

Spoke IPSec configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key OdoylRules! address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 no mode transport
crypto ipsec profile DMVPN
 set transform-set TSET

Spoke GRE configuration:

int Tunnel0
 ip address 10.255.255.4 255.255.255.0
 ip nhrp authentication MyK3y
 ip nhrp map multicast dynamic
 ip nhrp map 10.255.255.1 172.16.0.1
 ip nhrp map multicast 172.16.0.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.255.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile DMVPN

Page 18: In a nutshell: DMVPN

DMVPN Components: IPSec + GRE + NHRP

Again, example Hub Tunnel interface configuration with IPSec encryption:

Hub IPSec configuration (no change from the spoke):

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key OdoylRules! address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 no mode transport
crypto ipsec profile DMVPN
 set transform-set TSET

Hub GRE configuration (slight change from the spoke: no static NHRP map and no NHS, since the hub is the NHS):

int Tunnel0
 ip address 10.255.255.1 255.255.255.0
 ip nhrp authentication MyK3y
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile DMVPN
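The spoke and hub Tunnel0 blocks on the last two slides must agree on the NHRP authentication string, network-id, tunnel key, tunnel mode and IPsec profile, and the spoke's NHS must be the hub's tunnel address with a static NHRP map behind it, or registration silently fails. The following is an added example (not from the slides and not Cisco tooling) that parses those two blocks, constructed here as strings, and reports the mismatches; helper names are hypothetical.

```python
# Constructed input: the spoke and hub Tunnel0 blocks from the slides, as pasted from "show run".
SPOKE = """interface Tunnel0
 ip address 10.255.255.4 255.255.255.0
 ip nhrp authentication MyK3y
 ip nhrp map multicast dynamic
 ip nhrp map 10.255.255.1 172.16.0.1
 ip nhrp map multicast 172.16.0.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.255.1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile DMVPN"""
HUB = """interface Tunnel0
 ip address 10.255.255.1 255.255.255.0
 ip nhrp authentication MyK3y
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile DMVPN"""
# Settings both ends must agree on, or that must point the spoke at the hub (hypothetical helper).
KEYS = {"ip address ": "ip", "ip nhrp authentication ": "auth", "ip nhrp network-id ": "netid",
        "ip nhrp nhs ": "nhs", "tunnel key ": "key", "tunnel mode ": "mode",
        "tunnel protection ipsec profile ": "profile"}
def parse_tunnel(cfg):
    """Pull the DMVPN-relevant lines out of one Tunnel interface block."""
    t = {"maps": {}, "multicast": set()}
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("ip nhrp map multicast "):
            t["multicast"].add(line.split()[-1])       # 'dynamic' or an NBMA address
        elif line.startswith("ip nhrp map "):
            _, _, _, tunnel_ip, nbma = line.split()    # static tunnel-IP -> NBMA mapping
            t["maps"][tunnel_ip] = nbma
        else:
            for prefix, key in KEYS.items():
                if line.startswith(prefix):
                    t[key] = line[len(prefix):]
    return t
def check_pair(spoke, hub):
    """Return the mismatches that would keep this spoke from registering with the hub."""
    findings = []
    for k in ("auth", "netid", "key", "mode", "profile"):
        if spoke.get(k) != hub.get(k):
            findings.append(f"{k} differs: spoke={spoke.get(k)!r} hub={hub.get(k)!r}")
    hub_ip = hub.get("ip", "").split(" ")[0]
    if spoke.get("nhs") != hub_ip:
        findings.append(f"nhs {spoke.get('nhs')} is not the hub tunnel address {hub_ip}")
    elif spoke["nhs"] not in spoke["maps"]:
        findings.append("no static 'ip nhrp map' for the NHS, so the spoke cannot reach it")
    elif spoke["maps"][spoke["nhs"]] not in spoke["multicast"]:
        findings.append("hub NBMA lacks 'ip nhrp map multicast', so IGP hellos never reach the hub")
    return findings
```

Run `check_pair(parse_tunnel(SPOKE), parse_tunnel(HUB))` against a real pair of configs; an empty list means the two sides at least agree on everything NHRP needs.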

Page 19: In a nutshell: DMVPN

DMVPN Components: Dynamic Routing Protocol (IGP)

Routers can simply enable their routing process (OSPF, EIGRP, even BGP) on the tunnel interface for it to participate in routing
Peering is only spoke-to-hub, NOT spoke-to-spoke
This, over static IP routes, is an important piece in the 'zero-touch' provisioning for new spokes

Page 20: In a nutshell: DMVPN

DMVPN (Hub and Spoke)

[Diagram: Hub 1 (192.168.1.0/24), Spoke 2 (192.168.2.0/24), Spoke 3 (192.168.3.0/24) and Spoke 4 (192.168.4.0/24), each attached via Fa0/0, with dynamic, direct GRE over IPsec tunneling between spokes. Each router is drawn with a Routing Table and an NHRP Table (columns: src, dst, int), every entry exiting via Tun0]

Page 21: In a nutshell: DMVPN

Verify and Troubleshoot - The Usual Suspects

show crypto engine connection active — Displays total encrypts and decrypts per SA.
show crypto ipsec sa — Displays the stats on the active tunnels.
show crypto isakmp sa — Displays the state of the ISAKMP SA.
debug crypto ipsec — Displays IPSec events.
debug crypto isakmp — Displays messages about Internet Key Exchange (IKE) events.
debug crypto engine — Displays information from the crypto engine.

Page 22: In a nutshell: DMVPN

Verify and Troubleshoot - Debugging NHRP

DMVPN is a function of NHRP
Therefore DMVPN is NHRP

Router# debug nhrp
Aug 9 13:13:41.486: NHRP: Attempting to send packet via DEST 10.1.1.99
Aug 9 13:13:41.486: NHRP: Encapsulation succeeded. Tunnel IP addr 10.11.11.99
Aug 9 13:13:41.486: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 105
Aug 9 13:13:41.486: src: 10.1.1.11, dst: 10.1.1.99
Aug 9 13:13:41.486: NHRP: 105 bytes out Tunnel0
Aug 9 13:13:41.486: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 125
Aug 9 13:13:41.486: NHRP: netid_in = 0, to_us = 1

http://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html

(Most Common DMVPN Troubleshooting Solutions)
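The debug above shows one healthy exchange: a Registration Request goes out and a Registration Reply comes back. On a longer capture what you want to spot is the request that never gets a reply, a common symptom when the two tunnel configurations disagree. The following is an added example (not from the slides and not Cisco tooling) that pairs each request with its reply in output of this format; the input is the slide's lines followed by two constructed retries that the NHS never answers, and the helper names are hypothetical.

```python
import re

# Constructed sample: the slide's "debug nhrp" lines (one answered registration),
# followed by two retries from the same spoke that the NHS never answers.
DEBUG_NHRP = """\
Aug 9 13:13:41.486: NHRP: Attempting to send packet via DEST 10.1.1.99
Aug 9 13:13:41.486: NHRP: Encapsulation succeeded. Tunnel IP addr 10.11.11.99
Aug 9 13:13:41.486: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 105
Aug 9 13:13:41.486: src: 10.1.1.11, dst: 10.1.1.99
Aug 9 13:13:41.486: NHRP: 105 bytes out Tunnel0
Aug 9 13:13:41.486: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 125
Aug 9 13:13:41.486: NHRP: netid_in = 0, to_us = 1
Aug 9 13:14:12.010: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 105
Aug 9 13:14:12.010: src: 10.1.1.11, dst: 10.1.1.99
Aug 9 13:14:12.010: NHRP: 105 bytes out Tunnel0
Aug 9 13:14:42.011: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 105
Aug 9 13:14:42.011: src: 10.1.1.11, dst: 10.1.1.99
Aug 9 13:14:42.011: NHRP: 105 bytes out Tunnel0
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+):\s+"
REQ = re.compile(TS + r"NHRP: Send Registration Request via (\S+)")
ADDR = re.compile(TS + r"src: (\S+), dst: (\S+)")
REPLY = re.compile(TS + r"NHRP: Receive Registration Reply via (\S+)")

def unanswered_registrations(debug_output):
    """Return each NHRP Registration Request (time, tunnel, src, dst) that got no Reply."""
    pending, unanswered = None, []
    for line in debug_output.splitlines():
        if m := REQ.match(line):
            if pending:                        # previous request still open when a retry went out
                unanswered.append(pending)
            pending = {"time": m[1], "tunnel": m[2], "src": None, "dst": None}
        elif (m := ADDR.match(line)) and pending and pending["src"] is None:
            pending["src"], pending["dst"] = m[2], m[3]   # spoke and NHS tunnel addresses
        elif REPLY.match(line) and pending:
            pending = None                     # the NHS answered: this spoke is registered
    if pending:                                # log ended with a request still waiting
        unanswered.append(pending)
    return unanswered

def nhs_status(debug_output):
    """Count unanswered registration attempts per NHS address (hypothetical helper)."""
    counts = {}
    for r in unanswered_registrations(debug_output):
        counts[r["dst"]] = counts.get(r["dst"], 0) + 1
    return counts
```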

Page 23: In a nutshell: DMVPN

To Conclude

DMVPN isn't that new, and it actually really isn't even complicated
It requires use of IOS-based features (GRE/Tunnel interface, NHRP, and an IGP)
Existing spokes are "zero-touch" once they're deployed
It represents a large step in the evolution of VPN topology
It's awesome!

Page 24: In a nutshell: DMVPN

Questions?

You’d better!