Dynamips DMVPN over NBMA Lab

From Internetworkpro

This page or section provides device configuration instructions
Please note that the information on this page has not been checked for accuracy and is not intended as a replacement to documentation. Please ensure you understand your desired objectives before attempting to apply any examples listed.
See more examples at Category:Configuration
This page contains configuration examples or information on dynamips
The examples on this page are intended for use with dynamips, the Cisco router emulator. This information is not intended for use on hardware routers, and is primarily used for troubleshooting, testing, and certification lab study.
Support for Dynamips is found on Hackis_Forum. For other dynamips pages see Category:Dynamips
This page or section provides VPN Configuration examples
The collection of articles under the VPN Category helps to describe simple and complex VPN setups. These are often confusing and complicated, so the Internetworkpro Wiki is attempting to create examples for many VPN setups: site to site, remote access, automatic, one-way, ipsec, pptp, gre, vpdn, easyvpn, ssl, etc. Please ensure you understand your desired objectives before attempting to apply any examples listed. Guidance can be provided on irc://freenode.net/cisco
See more VPN configuration at Category:VPN

Cisco has added Dynamic Multipoint VPN (DMVPN) to the CCIE Routing & Switching curriculum. While DMVPN is NOT on the CCIE R&S lab blueprint, it IS on the CCIE R&S written blueprint, so it is always fair game to appear on the exam. DMVPN creates a logical full mesh over a hub-and-spoke network by dynamically establishing IPSec VPN sessions between the hub and the spokes. The hub keeps a dynamic mapping of the spokes with the help of the Next Hop Resolution Protocol (NHRP). Once NHRP has the mappings, it offloads traffic from the hub by letting the spokes "think" they are connected to each other directly over their tunnel interface. DMVPN uses multipoint GRE (mGRE) encapsulation and supports multicast traffic, which allows dynamic routing protocols such as EIGRP, OSPF and RIP to run over the tunnel.

Prerequisites

1. You MUST create an ISAKMP policy.
2. You MUST create an IPSEC profile.

Gotchas

1. Don't forget the ISAKMP policy(ies).
2. Don't forget the IPSec profile(s).
3. Don't forget when configuring the tunnel to specify the tunnel source!!! (It may seem obvious, but it's easy to forget)
4. Don't forget about Split-Horizon!!! (Another nuance that can easily catch you off guard)
5. I use loopback interfaces here to simulate real world networks. This is equivalent to using a real network behind the Ethernet/Fast Ethernet port on a router.

Routers

4 x Cisco 3640 w/ IOS 12.4(16), (c3640-jk9s-mz.124-16.bin)

Topology

Image: DMVPN.png (lab topology diagram)

Dynamips Configuration

[localhost:7200]

[[3640]]
image = /home/nick/images/c3640-jk9s-mz.124-16.image
ram = 160
idlepc = 0x604f3e14

[[Router R1]]
model = 3640
s1/0 = FRS 1

[[Router R2]]
model = 3640
s1/0 = FRS 2

[[Router R3]]
model = 3640
s1/0 = FRS 3

[[Router R4]]
model = 3640
s1/0 = FRS 4

[[FRSW FRS]]

# Typical hub and spoke: R1 is the hub and R2, R3 and R4 are spokes.
# For DMVPN the hub is directly connected to each spoke and has frame-relay maps to each spoke, but the spokes
# WILL NOT have frame-relay maps to each other (this is where the dynamic and VPN parts come into play).
# The spokes WILL, however, each have a frame-relay map to the hub.

# PVC R1 to R2
1:102 = 2:201

# PVC R1 to R3
1:103 = 3:301

# PVC R1 to R4
1:104 = 4:401

R1 (HUB)

Configuration Notes:

The following command stops the Hub router from advertising itself as the next hop, so the spokes "think" they have a direct spoke-to-spoke connection. The aim is to prevent the IGP from altering the routes learned by the spokes, which forces an NHRP lookup for spoke-to-spoke traffic.

no ip next-hop-self eigrp 1

Here we tell the Hub (NHRP server) to add the spokes to its NHRP multicast mappings dynamically as they register.

ip nhrp map multicast dynamic

This uniquely identifies the VPN network membership. The concept is similar to route targets used in MPLS.

ip nhrp network-id 99

Because we use a single multipoint interface and NOT sub-interfaces, the same logical interface carries all traffic. Split-horizon tells us "not to advertise routes back in the direction from which they came", so we must disable it for our IGP to allow the Hub router to re-advertise the routes learned from each spoke to the other spokes.

no ip split-horizon eigrp 1


!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key dmvpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpntrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
!
crypto ipsec profile DMVPN-PROF
 set transform-set vpntrans
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.248
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 172.16.1.3 103 broadcast
 frame-relay map ip 172.16.1.4 104 broadcast
 frame-relay map ip 172.16.1.1 102
 frame-relay map ip 172.16.1.2 102 broadcast
 no frame-relay inverse-arp
!
router eigrp 1
 network 1.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

R2 (SPOKE)

Configuration Notes:

This maps the Hub's tunnel IP to the Hub's physical (NBMA) IP (R1 - S1/0).

ip nhrp map 192.168.1.1 172.16.1.1

This maps multicast traffic to the Hub's physical IP address (R1 - S1/0). Its initial purpose is to let us run dynamic routing protocols over the tunnel, but it applies to all multicast traffic.

ip nhrp map multicast 172.16.1.1

Configures the Hub router (R1) as the NHRP next hop server, using the Hub's tunnel IP address (R1 - Tun0).

ip nhrp nhs 192.168.1.1
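The following script is an added example, not part of the original lab: it parses an IOS running-config and checks it against the Gotchas list and the R1/R2 configuration notes above (ISAKMP policy, IPsec profile referenced by tunnel protection, tunnel source, NHRP network-id, and the hub- or spoke-specific NHRP/EIGRP commands). The ROLE table and the two sample configs are constructed for the example; the command strings are the ones used on this page.

```python
import re

def ios_blocks(cfg):
    """Split an IOS config into (top-level command, [indented sub-commands]) pairs."""
    out = []
    for line in cfg.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() not in ("", "!"):
            out.append((line.rstrip(), []))
    return out

# Role-specific Tunnel0 commands taken from the R1 and R2 configuration notes (label, regex).
ROLE = {"hub": [("multicast dynamic", r"ip nhrp map multicast dynamic"),
                ("split-horizon off", r"no ip split-horizon eigrp"),
                ("next-hop-self off", r"no ip next-hop-self eigrp")],
        "spoke": [("NHS", r"ip nhrp nhs \d"), ("multicast map to hub", r"ip nhrp map multicast \d"),
                  ("hub tunnel-to-NBMA map", r"ip nhrp map \d+\.\S+ \d")]}

def check_dmvpn(cfg, role):
    """Return the checklist items a 'hub' or 'spoke' config fails (empty list means clean)."""
    top = ios_blocks(cfg)
    profiles = {h.split()[-1] for h, _ in top if h.startswith("crypto ipsec profile ")}
    probs = [] if any(h.startswith("crypto isakmp policy") for h, _ in top) else ["no ISAKMP policy"]
    for head, body in ((h, b) for h, b in top if h.startswith("interface Tunnel")):
        name, has = head.split()[1], lambda pat: any(re.match(pat, l) for l in body)
        if not has(r"tunnel source "):
            probs.append(f"{name}: tunnel source missing")
        prot = [l.split()[-1] for l in body if l.startswith("tunnel protection ipsec profile ")]
        if not prot or prot[0] not in profiles:
            probs.append(f"{name}: tunnel protection missing or IPsec profile undefined")
        if not has(r"ip nhrp network-id "):
            probs.append(f"{name}: no NHRP network-id")
        for label, pat in ROLE[role]:
            if not has(pat):
                probs.append(f"{name}: {role} lacks {label}")
    return probs

# Constructed sample configs (not the page's): a hub with three gotchas and a clean spoke.
CRYPTO = "crypto isakmp policy 1\n authentication pre-share\ncrypto ipsec profile DMVPN-PROF\n"
HUB_BAD = CRYPTO + """interface Tunnel0
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel protection ipsec profile DMVPN-PROF"""
SPOKE_OK = CRYPTO + """interface Tunnel0
 ip nhrp map 192.168.1.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 ip nhrp network-id 99
 ip nhrp nhs 192.168.1.1
 tunnel source Serial1/0
 tunnel protection ipsec profile DMVPN-PROF"""
```

Feed it the output of `show running-config` from each router with the matching role to catch a forgotten tunnel source or split-horizon before debugging NHRP.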


!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key dmvpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpntrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN-PROF
 set transform-set vpntrans
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map 192.168.1.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 ip nhrp network-id 99
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
interface Serial1/0
 ip address 172.16.1.2 255.255.255.248
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 172.16.1.1 201 broadcast
 frame-relay map ip 172.16.1.2 201
 no frame-relay inverse-arp
!
!
router eigrp 1
 network 2.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end

R3 (SPOKE)

Configuration Notes:

See R2 above

!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key dmvpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpntrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN-PROF
 set transform-set vpntrans
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map 192.168.1.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 ip nhrp network-id 99
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
interface Serial1/0
 ip address 172.16.1.3 255.255.255.248
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 172.16.1.3 301
 frame-relay map ip 172.16.1.1 301 broadcast
 no frame-relay inverse-arp
!
!
router eigrp 1
 network 3.0.0.0
 network 192.168.1.0
 no auto-summary
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

R4 (SPOKE)

Configuration Notes:

See R2 above

!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key dmvpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpntrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN-PROF
 set transform-set vpntrans
!
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface Tunnel0
 ip address 192.168.1.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map 192.168.1.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 ip nhrp network-id 99
 ip nhrp nhs 192.168.1.1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
interface Serial1/0
 ip address 172.16.1.4 255.255.255.248
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 172.16.1.4 401
 frame-relay map ip 172.16.1.1 401 broadcast
 no frame-relay inverse-arp
!
!
router eigrp 1
 network 4.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

--Plazma 10:46, 13 November 2008 (MST)
