Dynamic Multipoint VPN – Dual hub
March 6, 2010
In a previous article, I exposed how to setup a basic DMVPN network with one hub router in a central location and several spoke routers negotiating a dynamically built IPSec protected GRE tunnel. I also explained the central site should be secured by deploying two hub routers… Here is one solution among others using DMVPN and OSPF. (Should you need another solution you can always contact our professional services)
In this scenario, the spoke routers will have two GRE tunnels, one ending on each hub routers.
First we configure the hub routers with mGRE interfaces and OSPF.
The tunnel interfaces use point-to-point OSPF network type by default, we will need to reconfigure them with NBMA OSPF network type as we will have several spoke routers ending their tunnel on them. We will also set the OSPF costs in order to have R0 acting as the preferred hub router and R1 as the backup hub router.
Hub router R0′s config
interface Tunnel0 ip address 10.0.0.1 255.255.255.0 no ip redirects ip nhrp network-id 1 ip ospf network non-broadcast ip ospf cost 10 tunnel source FastEthernet2/1 tunnel mode gre multipoint tunnel key 1 ! interface FastEthernet2/0 ip address 10.10.10.1 255.255.255.0 ! interface FastEthernet2/1 ip address 10.4.0.1 255.255.255.0 ! router ospf 1 log-adjacency-changes network 10.0.0.0 0.0.0.255 area 10 network 10.10.10.0 0.0.0.255 area 10 ! ip route 0.0.0.0 0.0.0.0 10.4.0.2
Hub router R0′s config
interface Tunnel1 ip address 10.1.1.1 255.255.255.0 no ip redirects ip nhrp network-id 1 ip ospf network non-broadcast ip ospf cost 100 tunnel source FastEthernet2/1 tunnel mode gre multipoint tunnel key 1 ! interface FastEthernet2/0 ip address 10.10.10.2 255.255.255.0 ! interface FastEthernet2/1 ip address 10.4.1.1 255.255.255.0 ! router ospf 1 log-adjacency-changes network 10.0.0.0 0.0.0.255 area 10 network 10.10.10.0 0.0.0.255 area 10 ! ip route 0.0.0.0 0.0.0.0 10.4.1.2
Then we can start to add spoke routers. The spoke routers will use point-to-point GRE (as we don’t want spoke-to-spoke direct communication) with NBMA OSPF network type in order to be compatible with the hub routers’ settings. We also need to define the neighbors as we’re on an NBMA network. I’ve chosen to do that on the spoke routers as ì don’t want to have to touch the hub routers config when new spoke routers are added.
Spoke router R2′s config
interface Loopback0 ip address 2.2.2.2 255.255.255.255 ! interface Tunnel0 ip address 10.0.0.2 255.255.255.0 ip nhrp map 10.0.0.1 10.4.0.1 ip nhrp network-id 1 ip nhrp nhs 10.0.0.1 ip ospf network non-broadcast ip ospf cost 10 ip ospf priority 0 tunnel source FastEthernet1/0 tunnel destination 10.4.0.1 tunnel key 1 ! interface Tunnel1 ip address 10.1.1.2 255.255.255.0 ip nhrp map 10.1.1.1 10.4.1.1 ip nhrp network-id 1 ip nhrp nhs 10.1.1.1 ip ospf network non-broadcast ip ospf cost 100 ip ospf priority 0 tunnel source FastEthernet1/0 tunnel destination 10.4.1.1 tunnel key 1 ! interface FastEthernet1/0 ip address 10.4.2.1 255.255.255.0 ! router ospf 1 log-adjacency-changes network 2.2.2.2 0.0.0.0 area 10 network 10.0.0.0 0.0.0.255 area 10 network 10.1.1.0 0.0.0.255 area 10 neighbor 10.0.0.1 neighbor 10.1.1.1 ! ip route 0.0.0.0 0.0.0.0 10.4.2.2
Same config is applied on spoke router R3, only the IP change.
To check the GRE tunnels are operational, we only have to ping the tunnels’ internal IP from one router to the others three.
From spoke router R2 :
R2#ping 10.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms R2#ping 10.1.1.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/24 ms R2#ping 10.0.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/24 ms R2#ping 10.0.0.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/32 ms
If we check the NHRP entries on the hubs R0 or R1, we can see the two entries have been learned dynamically and the public IP used by the remote routers.
R1#sh ip nhrp 10.1.1.2/32 via 10.1.1.2, Tunnel1 created 02:08:37, expire 01:38:57 Type: dynamic, Flags: authoritative unique registered used NBMA address: 10.4.2.1 10.1.1.3/32 via 10.1.1.3, Tunnel1 created 02:08:36, expire 01:38:57 Type: dynamic, Flags: authoritative unique registered used NBMA address: 10.4.3.1
R0#sh ip nhrp 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 02:15:15, expire 01:53:44 Type: dynamic, Flags: authoritative unique registered NBMA address: 10.4.2.1 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 02:11:04, expire 01:53:44 Type: dynamic, Flags: authoritative unique registered NBMA address: 10.4.3.1
Now, check OSPF is doing what we want. First we check the ospf neighbors on spoke router R2
R2#sh ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.10.10.2 1 FULL/DR 00:01:54 10.1.1.1 Tunnel1 10.10.10.1 1 FULL/DR 00:01:55 10.0.0.1 Tunnel0
Then we can check corporate subnet 10.10.10.0/24 and other spokes (here R3′s Loopback 3.3.3.3) are reachable via the primary hub router R0.
R2#sh ip route ospf
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/11] via 10.0.0.3, 00:42:46, Tunnel0
10.0.0.0/24 is subnetted, 4 subnets
O 10.10.10.0 [110/11] via 10.0.0.1, 00:42:46, Tunnel0
On the hub routers we can check the spoke routers are always reached via R0.
R0#sh ip route ospf
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/11] via 10.0.0.2, 00:49:41, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/11] via 10.0.0.3, 00:49:41, Tunnel0
10.0.0.0/24 is subnetted, 4 subnets
O 10.1.1.0 [110/101] via 10.10.10.2, 00:49:41, FastEthernet2/0
R1#sh ip route ospf
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/12] via 10.10.10.1, 00:50:52, FastEthernet2/0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/12] via 10.10.10.1, 00:50:52, FastEthernet2/0
10.0.0.0/24 is subnetted, 4 subnets
O 10.0.0.0 [110/11] via 10.10.10.1, 00:50:52, FastEthernet2/0
Now that we have IP connectivity, we can enable IPSec exactly as we did last time.
crypto isakmp policy 10 authentication pre-share crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set mySet esp-aes esp-sha-hmac ! crypto ipsec profile myDMVPN set security-association lifetime seconds 120 set transform-set mySet set pfs group2 interface Tunnel0 tunnel protection ipsec profile myDMVPN interface Tunnel1 tunnel protection ipsec profile myDMVPN
That’s all folks! Now we have a DMVPN setup with redundant hub routers…
ACE software upgrade
February 10, 2010
Cisco Application Control Engine Module (ACE) loadbalancers are designed to work in standalone mode or in cluster mode. When running in standalone mode, software upgrade has obviously a great impact on the traffic going through the loadbalancer. All the sessions will be dropped and no new session will be accepted until the ACE restarts with the new image (up to 8 minutes).
Now, in cluster mode, you can do the software upgrade with no or very limited impact if you follow the correct sequence of operations. Here are the steps I used last time and it went perfectly and transparent for the users.
Note this procedure has been tested on ACE modules for Catalyst 6500 only but it should remain valid for the ACE 4710 appliances.
Step 1
First you need to ensure all the contexts are properly synchronized and the standby contexts are in STANDBY_HOT state.
ACE_1/Admin# sh ft group brief
FT Group ID: 1 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: Admin Context Id: 0
FT Group ID: 2 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_COLD
Context Name: C1 Context Id: 4
FT Group ID: 3 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: C2 Context Id: 3
Here as you can see context C1 is stuck in STANDBY_COLD state. Usually put that context out of service on the standby ACE and then put it back in service solve the issue. If it is not the case you won’t have a fully transparent software upgrade for that context; current session will be dropped but new session will be accepted after the failover. If it is acceptable for you, go on with the upgrade otherwise try to find out why it is not in STANDBY_HOT state.
Note it might take several minutes to leave the STANDBY_BULK state (it took 2 minutes during my tests).
ACE_2/Admin(config)# ft group 2 ACE_2/Admin(config-ft-group)# no inservice ACE_2/Admin(config-ft-group)# do sh ft group 2 detail FT Group : 2 No. of Contexts : 1 Context Name : C1 Context Id : 4 Configured Status : out-of-service Maintenance mode : MAINT_MODE_OFF My State : FSM_FT_STATE_INIT My Config Priority : 90 My Net Priority : 90 My Preempt : Enabled Peer State : FSM_FT_STATE_UNKNOWN Peer Config Priority : Unknown Peer Net Priority : Unknown Peer Preempt : Unknown Peer Id : 1 Last State Change time : Wed Feb 3 14:35:36 2010 Running cfg sync enabled : Enabled Running cfg sync status : Startup cfg sync enabled : Enabled Startup cfg sync status : Bulk sync done for ARP: 0 Bulk sync done for LB: 0 Bulk sync done for ICM: 0 ACE_2/Admin(config-ft-group)# inservice NOTE: Configuration mode has been disabled on all sessions ACE_2/Admin(config-ft-group)# do sh ft group 2 detail FT Group : 2 No. of Contexts : 1 Context Name : C1 Context Id : 4 Configured Status : in-service Maintenance mode : MAINT_MODE_OFF My State : FSM_FT_STATE_STANDBY_BULK My Config Priority : 90 My Net Priority : 90 My Preempt : Enabled Peer State : FSM_FT_STATE_ACTIVE Peer Config Priority : 120 Peer Net Priority : 120 Peer Preempt : Enabled Peer Id : 1 Last State Change time : Wed Feb 3 14:36:02 2010 Running cfg sync enabled : Enabled Running cfg sync status : Running configuration sync has completed Startup cfg sync enabled : Enabled Startup cfg sync status : Startup configuration sync has completed Bulk sync done for ARP: 1 Bulk sync done for LB: 0 Bulk sync done for ICM: 0 ACE_2/Admin(config-ft-group)# do sh ft group 1 detail FT Group : 2 No. of Contexts : 1 Context Name : C1 Context Id : 4 Configured Status : in-service Maintenance mode : MAINT_MODE_OFF My State : FSM_FT_STATE_STANDBY_HOT My Config Priority : 90 My Net Priority : 90 My Preempt : Enabled Peer State : FSM_FT_STATE_ACTIVE Peer Config Priority : 120 Peer Net Priority : 120 Peer Preempt : Enabled Peer Id : 1 Last State Change time : Wed Feb 3 14:37:51 2010 Running cfg sync enabled : Enabled Running cfg sync status : Running configuration sync has completed Startup cfg sync enabled : Enabled Startup cfg sync status : Startup configuration sync has completed Bulk sync done for ARP: 1 Bulk sync done for LB: 2 Bulk sync done for ICM: 2
Step 2
On the ACE, preemption is enabled by default for all the contexts. It needs to be disabled to perform a manual failover.
ACE_1/Admin(config)# ft group 1 ACE_1/Admin(config-ft-group)# no preempt ACE_1/Admin(config-ft-group)# ft group 2 ACE_1/Admin(config-ft-group)# no preempt ACE_1/Admin(config-ft-group)# ft group 3 ACE_1/Admin(config-ft-group)# no preempt ACE_1/Admin(config-ft-group)# end
Step 3
Download the new software image to the active and standby ACEs. Here I’ve chosen to use tftp because I hadn’t an ftp server configured in the lab… ftp can be used and is definitely faster.
ACE_1/Admin# copy tftp: image:
Enter source filename[]? c6ace-t1k9-mz.A2_2_3.bin
Enter the destination filename[]? [c6ace-t1k9-mz.A2_2_3.bin]
Address of remote host[]? 10.1.1.1
Trying to connect to tftp server......
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(…)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
TFTP get operation was successful
31361516 bytes copied
ACE_1/Admin#
ACE_1/Admin# dir image:
30788103 Apr 15 13:14:48 2009 c6ace-t1k9-mz.A2_1_4a.bin
31361516 Feb 3 14:43:45 2010 c6ace-t1k9-mz.A2_2_3.bin
Usage for image: filesystem
461848576 bytes total used
577126400 bytes free
1038974976 total bytes
Check the file size is correct…
Step 4
Change the boot string on the active ACE, it will be synced to the standby ACE. By the way, configuration mode is disabled on the standby ACE therefore it is the only option…
ACE_1/Admin# sh run | i boot Generating configuration.... boot system image:c6ace-t1k9-mz.A2_1_4a.bin ACE_1/Admin# conf t Enter configuration commands, one per line. End with CNTL/Z. ACE_1/Admin(config)# no boot system image:c6ace-t1k9-mz.A2_1_4a.bin ACE_1/Admin(config)# boot system image:c6ace-t1k9-mz.A2_2_3.bin ACE_1/Admin(config)# exit ACE_1/Admin# wr mem all Generating configuration.... running config of context Admin saved Generating configuration.... running config of context C2 saved Generating configuration.... running config of context C1 saved Please wait ... sync to compact flash in progress. This may take a few minutes to complete Sync Done
Step 5 (optional)
Create checkpoint in all contexts on active and standby devices
ACE_2/Admin# checkpoint create 20100203 Generating configuration.... Created configuration checkpoint '20100203' ACE_2/Admin# changeto C2 NOTE: Configuration mode has been disabled on all sessions ACE_2/C2# checkpoint create 20100203 Generating configuration.... Created configuration checkpoint '20100203' ACE_2/C2# changeto C1 NOTE: Configuration mode has been disabled on all sessions ACE_2/C1# checkpoint create 20100203 Generating configuration.... Created configuration checkpoint '20100203' ACE_2/C1# changeto Admin
Step 6
Reload the standby device
ACE_2/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes] no (already done in step 4)
Perform system reload. [yes/no]: [yes]
NOTE: Configuration mode is enabled on all sessions
Connection to ACE_2 closed by remote host.
Connection to ACE_2 closed.
Step 7
Check the standby device is running the new software version.
ACE_2/Admin# sh ver
Cisco Application Control Software (ACSW)
TAC support: http://C2 .cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://C2 .gnu.org/licenses/gpl.html.
Software
loader: Version 12.2[120]
system: Version A2(2.3) [build 3.0(0)A2(2.3)]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_2_3.bin
installed license: ACE-VIRT-020
Hardware
Cisco ACE (slot: 6)
cpu info:
number of cpu(s): 2
cpu type: SiByte
cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
memory info:
total: 827128 kB, free: 256000 kB
shared: 0 kB, buffers: 1824 kB, cached 0 kB
cf info:
filesystem: /dev/cf
total: 1014624 kB, used: 451040 kB, available: 563584 kB
last boot reason: reload command by Admin
configuration register: 0x1
ACE_2 kernel uptime is 0 days 0 hour 8 minute(s) 45 second(s)
Step 8
Wait until all the contexts on the standby devices stabilize in STANDBY_WARM or STANDBY_HOT state.
ACE_2/Admin# sh ft group brief
FT Group ID: 1 My State:FSM_FT_STATE_STANDBY_WARM Peer State:FSM_FT_STATE_ACTIVE
Context Name: Admin Context Id: 0
FT Group ID: 2 My State:FSM_FT_STATE_STANDBY_WARM Peer State:FSM_FT_STATE_ACTIVE
Context Name: C1 Context Id: 4
FT Group ID: 3 My State:FSM_FT_STATE_STANDBY_WARM Peer State:FSM_FT_STATE_ACTIVE
Context Name: C2 Context Id: 3
For your information, here is what Cisco says about STANDBY_WARM state :
In the STANDBY_WARM state, as with the STANDBY_HOT state, configuration mode is disabled on the standby ACE and configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can still occur while the standby is in the STANDBY_WARM state. However, while stateful failover is possible for a WARM standby, it is not guaranteed. In general, modules should be allowed to remain in this state only for a short period of time.
Step 9
Perform a failover from the active ACE to the standby ACE for all the contexts.
ACE_1/Admin# ft switchover all This command will cause card to switchover (yes/no)? [no] yes NOTE: Configuration mode has been disabled on all sessions
Step 10
Check the newly upgraded ACE is well become active.
ACE_1/Admin# sh ft group brief
FT Group ID: 1 My State:FSM_FT_STATE_STANDBY_BULK Peer State:FSM_FT_STATE_ACTIVE
Context Name: Admin Context Id: 0
FT Group ID: 2 My State:FSM_FT_STATE_STANDBY_BULK Peer State:FSM_FT_STATE_ACTIVE
Context Name: C1 Context Id: 4
FT Group ID: 3 My State:FSM_FT_STATE_STANDBY_BULK Peer State:FSM_FT_STATE_ACTIVE
Context Name: C2 Context Id: 3
Step 11
Reload the 2nd ACE (previously active).
ACE_1/Admin# reload This command will reboot the system Save configurations for all the contexts. Save? [yes/no]: [yes] no Perform system reload. [yes/no]: [yes] NOTE: Configuration mode is enabled on all sessions Connection to ACE_1 closed by remote host. Connection to ACE_1 closed.
Step 12
When the 2nd ACE state stabilize to FSM_FT_STATE_STANDBY_HOT state, perform again a failover for all the contexts.
ACE_2/Admin# sh ft group brief
FT Group ID: 1 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: Admin Context Id: 0
FT Group ID: 2 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: C1 Context Id: 4
FT Group ID: 3 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: C2 Context Id: 3
Step 13 (If you’re not superstitious)
Reconfigure preemption if it is in your standard… (personally I don’t like preemption because if a device has failed I prefer to check exactly why before activating it again)
ACE_1/Admin(config)# ft group 1 ACE_1/Admin(config-ft-group)# preempt ACE_1/Admin(config-ft-group)# ft group 2 ACE_1/Admin(config-ft-group)# preempt ACE_1/Admin(config-ft-group)# ft group 3 ACE_1/Admin(config-ft-group)# preempt ACE_1/Admin(config-ft-group)# end ACE_1/Admin# wr mem
And that’s it, you have upgraded your ACE cluster with no or limited impact. If you find this post helpful you may leave a comment to encourage me to publish more articles…
Dynamic Multipoint VPN
September 22, 2009
Ever wonder how to provision several hundreds of VPNs from remote offices with dynamic IP to a central site with minimal configuration? Cisco offer an elegant solution called Dynamic Multipoint VPN. With DMVPN the central site does not need to know the remote site IP in advance, it will learn it via NHRP protocol when the remote router will come up.
First we will create IP connectivity via GRE tunnels and NHRP then we will secure the GRE tunnels with IPSec.
The hub router will use a multipoint GRE interface for ease of management. That way we do not need to provision a new tunnel interface per remote office. In fact, the central router will not need to be reconfigured at all for any additional remote site.
Hub router R1:
interface Tunnel0
ip address 10.10.10.1 255.255.255.0
ip nhrp network-id 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
interface Fa0/0
ip address 1.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.1.1
Spoke routers (R2 and R3 in this example) will use point-to-point GRE tunnel pointing to central site’s hub router R1. NHRP will be configured to use R1 as next-hop server. With this setup, spoke-to-spoke traffic will flow through the hub making the hub a central point where you can enforce security…
Spoke router R2:
interface Tunnel0
ip address 10.10.10.2 255.255.255.0
ip nhrp map 10.10.10.1 1.1.1.2
ip nhrp network-id 1
ip nhrp nhs 10.10.10.1
tunnel source FastEthernet0/0
tunnel destination 1.1.1.2
tunnel key 1
interface Fa0/0
ip address 2.2.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 2.2.2.1
Spoke router R3
interface Tunnel0
ip address 10.10.10.3 255.255.255.0
ip nhrp map 10.10.10.1 1.1.1.2
ip nhrp network-id 1
ip nhrp nhs 10.10.10.1
tunnel source FastEthernet0/0
tunnel destination 1.1.1.2
tunnel key 1
interface Fa0/0
ip address 3.3.3.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 3.3.3.1
At this stage, if the router can communicate with each others via their Fa0/0 interface then the GRE tunnels are usable. In this example, “Internet” router is directly connected to all the routers and the routers R1, R2 and R3 simply have a default route pointing to the “Internet” router.
To check the GRE tunnels are operational, we only have to ping the tunnels’ internal IP from one router to the others two.
R2#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 272/313/420 ms
R2#ping 10.10.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 312/564/876 ms
If we check the NHRP entries on the hub R1, we can see the two entries have been learned dynamically and the public IP used by the remote routers.
R1#sh ip nhrp
10.10.10.2/32 via 10.10.10.2, Tunnel0 created 00:11:31, expire 01:48:28
Type: dynamic, Flags: authoritative unique registered used
NBMA address: 2.2.2.2
10.10.10.3/32 via 10.10.10.3, Tunnel0 created 00:08:19, expire 01:51:52
Type: dynamic, Flags: authoritative unique registered used
NBMA address: 3.3.3.2
Same info without the timers…
R1#sh ip nhrp brief
Target Via NBMA Mode Intfc Claimed
10.10.10.2/32 10.10.10.2 2.2.2.2 dynamic Tu0 < >
10.10.10.3/32 10.10.10.3 3.3.3.2 dynamic Tu0 < >
Statistics about the NHRP protocol itself
R1#sh ip nhrp traffic
Tunnel0
Sent: Total 3
0 Resolution Request 0 Resolution Reply 0 Registration Request
3 Registration Reply 0 Purge Request 0 Purge Reply
0 Error Indication
Rcvd: Total 3
0 Resolution Request 0 Resolution Reply 3 Registration Request
0 Registration Reply 0 Purge Request 0 Purge Reply
0 Error Indication
R1#sh ip nhrp summary
IP NHRP cache 2 entries, 496 bytes
0 static 2 dynamic 0 incomplete
On the spoke routers we can check the same… Here we can see the NHRP entry is statically defined
R3#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 00:13:31, never expire
Type: static, Flags: authoritative
NBMA address: 1.1.1.2
R3#sh ip nhrp summary
IP NHRP cache 1 entry, 248 bytes
1 static 0 dynamic 0 incomplete
And we can check the NHRP’s next-hop server used.
R3#sh ip nhrp nhs
Legend:
E=Expecting replies
R=Responding
Tunnel0:
10.10.10.1 RE
Should you want to allow spoke-to-spoke tunnels to be built dynamically, you only need to replace the tunnel destination 1.1.1.2 command on the spokes by tunnel mode gre multipoint making the spokes’ tunnel interface an mGRE interface. For the remaining of this article, we won’t use mGRE interfaces on the spokes.
Now that we have IP connectivity, we still have to secure those dynamically created GRE tunnels with IPSec. Here for simplicity we will use pre-shared key as authentication method which is not recommended for production deployment…
On the hub and spoke routers, just configure ISAKMP/IPSec parameters and enable IPSec on the tunnel insterfaces.
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set mySet esp-aes esp-sha-hmac
!
crypto ipsec profile myDMVPN
set security-association lifetime seconds 120
set transform-set mySet
set pfs group2
interface Tunnel0
tunnel protection ipsec profile myDMVPN
Check IPSec SA are well negotiated
R1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
#pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xA2BC2FED(2730242029)
inbound esp sas:
spi: 0x2884EDEA(679800298)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: SW:5, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4463708/83)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA2BC2FED(2730242029)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4463708/82)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
That’s it! The DMVPN setup is ready for wide deployment… Of course central hub router should be duplicated for redundancy, it will exposed in a future post.
Thanks for leaving a comment if you found this useful
J-Partner Consultant
April 24, 2009
exp-NETWORKS is proud to announce it became J-Partner Consultant. This partnership with Juniper is a guarantee you can count on exp-Networks expertise on Juniper products.
Here is what Juniper says about J-Partner Consultant:
Consultants play a critical role understanding, deploying, and provisioning high-performance networks. Juniper Networks recognizes this and is responding to the consultant sector by providing critical information on Juniper’s technology, products, services, and solutions specifically tailored to the independent role that consultants play.
Juniper Networks J-partner program for Consultants enables authorized consultants to gain timely access to key data on Juniper’s enterprise and service provider solutions; some of this information is available exclusively to Juniper Networks Consultant partners. In addition, Juniper may also selectively invite authorized consultants to participate in enhanced activities such as certification training, conferences, or technology and business innovation opportunities.
Consultants are a part of a diverse, global community of individuals or organizations who provide professional advice, services, guidance, or knowledge-based input. Consultants span global and regional enterprise, service provider, and public sector market opportunities. Consultants are Not product resellers, dedicated managed service partners, analysts, or members of the press. as with all J-partner relationships, Juniper reserves the right to deny entry or remove a partner from the program.
Cisco certified
April 24, 2009
All our consultants are Cisco certified.
Here what Cisco says about certifications:
Cisco Certified Network Professional validates knowledge and skills required to install, configure and troubleshoot converged local and wide area networks. With a Cisco certification, a network professional demonstrates the knowledge and skills required to manage the routers and switches that form the network core, as well as edge applications that integrate voice, wireless, and security into the network.
Recent Comments