CiscoDataCenterCertificatione Guide 2017

Cisco DMVPN
Jun 26, 2017

Version 2.0
Created by Andre Barros Longo

Agenda
Part 1 Tunnel Interface

What is DMVPN
Flowchart
DMVPN Tunnel Implementation Steps It is a Hands-On Course !!!
fVRF Scenario

Questions and Answers
Connect on EVE and
enjoy!!!!
Part 2 - IPsec
Security Acronyms
What is IPsec, ISAKMP and IKE
IPsec Structure
DMVPN - IPsec Implementation Steps
fVRF Scenario
DMVPN Troubleshooting
Part 3 - Routing
DMVPN - BGP
iBGP and eBGP scenarios
Dual HUB scenario
DMVPN EIGRP
DMVPN OSPF
What is DMVPN
DMVPN means Dynamic Multipoint Virtual Private Network

DMVPN is a technical solution that provide connectivity
between spoke-to-hub and spoke-to-spoke sites through a
underlay network. Using minimal configuration lines to be
implemented DMVPN permit a better management and
simplification of the configuration file of the routers.
DMVPN is usually used to protect the corporative data that is

transmitted through a unsafe network, like public Internet.
DMVPN protect the corporative data using IPsec technology

DMVPN Flowchart Steps
Begin
Underlay YES Create the

Network Tunnel
is OK ? Interface
NO
Create IPsec
Fix it
Parameters
Apply IPsec on
Tunnel
Interfaces
END
DMVPN Implementation Steps (Tunnel)
1st Be sure that your UNDERLAY network has fully connectivity;

HUB
Underlay
Interface
1.1.1.1
ISP or MPLS or
SPOKE-A
Underlay
3rd Party Transit Underlay
SPOKE-D
Interface Cloud Interface
2.2.2.2 5.5.5.5
Underlay
Underlay
Interface
Interface
4.4.4.4
3.3.3.3
SPOKE-B SPOKE-C
Back to
Flowchart
DMVPN Implementation Steps
2nd Create the Tunnel Interface on the HUB and SPOKE routers;
3rd Apply IP MTU to avoid fragmentation;
4th Apply the OVERLAY address;
5th Specify the Tunnel Source (Underlay Interface);
6th Specify the tunnel mode as GRE Multipoint;
HUB SPOKE
HUB(config)#interface tunnel 10 SPOKE(config)#interface tunnel 10

HUB(config-if)#ip mtu 1400 SPOKE(config-if)#ip mtu 1400
HUB(config-if)#ip tcp adjust-mss 1360 SPOKE(config-if)#ip tcp adjust-mss 1360
HUB(config-if)#ip address 192.168.1.1 255.255.255.0 SPOKE(config-if)#ip address 192.168.1.10 255.255.255.0
HUB(config-if)#tunnel source GigabitEthernet0/0 SPOKE(config-if)#tunnel source GigabitEthernet0/0
HUB(config-if)#tunnel mode gre multipoint SPOKE(config-if)#tunnel mode gre multipoint
HUB(config-if)# SPOKE(config-if)#
With the IP MTU setted to 1400 when adding the IPsec and GRE overhead, it will not exceed the 1500 MTU of
the interface, preventing additional fragmentation.
* The TCP Maximum Segment Size (MSS) defines the maximum amount of data that a host is willing to accept
in a single TCP/IP datagram. To avoid truncation, should be 40 bytes less than IP MTU command on interface.
NHRP (Next Hop Resolution Protocol)
NHRP is a resolution protocol that allows one NHC client (spoke) to dynamically discover the logical
VPN IP to physical NBMA IP mapping for another NHC client (spoke) within the same NBMA network.
NHRP is used to facilitate building a VPN. In this context, a VPN consists of a virtual Layer 3 network
that is built on top of an actual Layer 3 network. The topology you use over the VPN is largely
independent of the underlying network, and the protocols you run over it are completely
independent of it. The VPN network (DMVPN) is based on GRE IP logical tunnels that can be
protected by adding in IPsec to encrypt the GRE IP tunnels.
Connected to the NBMA network are one or more stations that implement NHRP, and are known as
NHSs and NHCs.
7th Configure NHRP (Next Hop Resolution Protocol) on the routers;

8th Specify the HUB as NHS on all spoke routers;
Underlay IP
Overlay IP
HUB SPOKE
HUB(config-if)#ip nhrp network-id 123 [1 to 4294967295] SPOKE(config-if)#ip nhrp network-id 123 [1 to 4294967295]
HUB(config-if)#ip nhrp server-only SPOKE(config-if)#ip nhrp nhs 192.168.1.1 nbma 1.1.1.1 multicast
HUB(config-if)# it will not initiate or respond to SPOKE(config-if)#
an attempt to establish an NHRP
shortcut SVCs.
Old IOS Versions of commands Old IOS Versions of commands

HUB(config-if)#ip nhrp nhs 192.168.1.1 1.1.1.1 255.255.255.255 SPOKE(config-if)#ip nhrp nhs 192.168.1.1 1.1.1.1 255.255.255.255
HUB(config-if)#ip nhrp map 192.168.1.1 1.1.1.1 SPOKE(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
or or
HUB(config-if)#ip nhrp nhs 192.168.1.1 1.1.1.1/32 SPOKE(config-if)#ip nhrp nhs 192.168.1.1 1.1.1.1/32
HUB(config-if)#ip nhrp map 192.168.1.1 1.1.1.1 SPOKE(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
The HUB routers will dynamically populate the dmvpn map The SPOKE routers will statically populate the dmvpn map
table with the IP overlay and IP underlay addresses of each table with the IP overlay and IP underlay addresses of the hub
spoke router. Use the commad show dmvpn to see the router. With this entry the spoke will use the HUB as a
result. server/database to learn the IP overlay and IP underlay of
others spokes routers. Use the commad show dmvpn to see
the result.
9th Configure additional NHRP commands;
* How long the Cisco IOS software tells other routers to keep the
address mappings it is providing in NHRP responses. This controls
how long a spoke-to-spoke shortcut path will stay up after it is
no longer used or how often the spoke-to-spoke short-cut path
mapping entry will be refreshed if it is still being used. We
HUB recommend that a value from 300 to 600 seconds be used.
SPOKE
RT(config)#interface tunnel 10
* If not configured, the default is one-third of the holdtime. It is
RT(config-if)#ip nhrp holdtime 600
the time frequency that a routers should refresh the registration
with the NHS router via NHRP registrations requests.
RT(config-if)#ip nhrp registration timeout 200
RT(config-if)#ip nhrp registration no-unique

* Apply on SPOKE only, it is necessary in case since the spoke's
outside IP (NBMA) address may change at any time. This will
RT(config-if)#ip nhrp authentication STRING
permit the HUB overwrite the NHRP map with the new spoke
address.
RT(config-if)#if-state nhrp
* Only routers configured with the same string can communicate
each other using NHRP
* On Spoke routers - Detect if NHS is down and put the interface

tunnel in down state, if NHS is up the interface tunnel is put in
up state.
10th Configure NHRP Redirect on HUB routers;

11th Configure NHRP shortcut on SPOKE routers;
HUB SPOKE

HUB(config-if)#ip nhrp redirect SPOKE(config-if)#ip nhrp shortcut
* Tell to spoke routers when there is a better path to use. * Make the spoke router choose the best path shortcut to
somewhere.
Permitting a spoke-to-spoke temporary connection.
12nd Configure Multicast support;
HUB SPOKE

HUB(config-if)#ip pim nbma-mode SPOKE(config-if)#ip pim nbma-mode
HUB(config-if)#ip pim sparse-dense-mode SPOKE(config-if)#ip pim sparse-dense-mode
HUB(config-if)#ip nhrp map multicast dynamic SPOKE(config-if)#ip nhrp map multicast dynamic
SPOKE(config-if)#ip nhrp nhs 192.168.1.1 nbma 1.1.1.1 multicast
Old IOS Versions of commands Old IOS Versions of commands

HUB(config-if)#ip nhrp map multicast 1.1.1.1 HUB(config-if)#ip nhrp map multicast 1.1.1.1
Validate Be sure that your OVERLAY network has fully connectivity;
HUB
Temporary Tunnel Overlay Interface

192.168.1.1
Permanent Tunnel
ISP or MPLS or 3rd

SPOKE-A Party Transit SPOKE-D
Overlay Interface Cloud Overlay Interface
192.168.1.10 192.168.1.13
Overlay Interface
Overlay Interface
192.168.1.12
192.168.1.11
SPOKE-B SPOKE-C
Dual HUB with Front VRF scenario and example;
AS 65001 AS 65002
HUB1 HUB2
interface Tunnel10 interface Tunnel10

ip vrf forwarding ACME ip vrf forwarding ACME
ip address 192.168.1.1 255.255.255.0 ip address 192.168.1.2 255.255.255.0
no ip redirects no ip redirects
ip mtu 1400 ip mtu 1400
ip nhrp authentication 54321 ip nhrp authentication 54321
ip nhrp map multicast dynamic ip nhrp map multicast dynamic
ip nhrp network-id 12345 ip nhrp network-id 12345
ip nhrp holdtime 600 ip nhrp holdtime 600
ip nhrp redirect ip nhrp redirect
Ip nhrp server-only Ip nhrp server-only
ip tcp adjust-mss 1360 INTERNET ip tcp adjust-mss 1360
tunnel source Ethernet0/0 tunnel source Ethernet0/0
tunnel mode gre multipoint tunnel mode gre multipoint
tunnel vrf INTERNET tunnel vrf INTERNET
interface Tunnel10
ip address 192.168.1.11 255.255.255.0
if-state nhrp
ip mtu 1400
ip nhrp authentication 54321
ip nhrp map multicast dynamic
ip nhrp network-id 12345
ip nhrp holdtime 600
ip nhrp nhs 192.168.1.1 nbma 1.0.0.1 multicast
SPOKE-B ip nhrp nhs 192.168.1.2 nbma 2.0.0.2 multicast
ip nhrp shortcut
AS 65001 ip tcp adjust-mss 1360
tunnel source Ethernet0/0
tunnel mode gre multipoint
Agenda

What is DMVPN
Flowchart
fVRF Scenario

Connect on EVE and
enjoy!!!!
Part 2 - IPsec
Security Acronyms
IPsec Structure
fVRF Scenario
Part 3 - Routing
DMVPN - BGP
Dual HUB scenario
DMVPN EIGRP
DMVPN OSPF
Security Acronyms
?
MD5
HA HMAC SHA
? ?
ESP IPsec DES
IKEv1 ISAKMP 3DES
IKEv2 KINK AES
DH
?
IPsec means Internet Protocol SECurity

IPsec is a framework of open and standard technologies used to ensure
private and secure communications over IP networks.
ISAKMP means Internet Security Association and Key Management Protocol

ISAKMP is a framework for authentication and key exchange and is designed
to be key exchange independent.
IKE means Internet Key Exchange

IKE is the protocol used to set up a security association (SA) in the IPsec
protocol framework.
DMVPN IPsec Structure
IPsec
While AH can be used to provide message
authentication, ESP can be used to provide both
Authentication Method encryption and message authentication.
PreShared Public Key

Key Infrastructure HA (Hash Algorithm)
HA (Hash Algorithm)
ISAKMP SHA MD5
SHA MD5
Cryptography Algorithm
Authen
IKEv1 Header DES AES
Cryptography Algorithm Phase 1 Phase 2

Secure the Secure the Data
IKEv2 Encap
Channel / Tunnel 3DES HMAC
DES AES (Peer)
Security
Payload
Key Points
3DES HMAC
Diffie-Hellman Group
Reliability
1 2 5
Diffie-Hellman Group Integrity
1 2 5
Privacy
is a specific method of securely
exchanging cryptographic keys
IPsec Negotiation Steps
Step 1 Step 2 Step 3 Step 4 Step 5
"Interesting traffic" initiates the IPSec process. Traffic is deemed interesting when the
IPSec security policy configured in the IPSec peers starts the IKE process.
IKE phase 1 - Negotiation
Initiator Router Responder Router
Sends MM1 packet with policy proposals to Responder routers
crypto keyring DMVPN-KEYRING Reply MM2 packet

pre-shared-key address 0.0.0.0 0.0.0.0 key STRINGKEYRING
!
crypto keyring DMVPN-KEYRING-2
pre-shared-key address 192.168.1.2 255.255.255.255 key STRINGKEYRING-2
Sends MM3 packet
Reply MM4 packet
Sends MM5 packet
Reply MM6 packet
Phase 1 Finished
IKE phase 1. IKE authenticates IPSec peers and negotiates IKE SAs during this phase,
setting up a secure channel for negotiating IPSec SAs in phase 2.
IKEv1 IKEv2
Keyring Policy Profile Keyring Policy Profile
crypto keyring DMVPN-KEYRING <fVRF> crypto ikev2 keyring DMVPN-KEYRING

pre-shared-key address 0.0.0.0 0.0.0.0 key STRINGKEYRING peer ANY
address 0.0.0.0 0.0.0.0
identity address 0.0.0.0
pre-shared-key STRINGKEYRING
crypto isakmp policy 10 crypto ikev2 proposal DMVPN-PROPOSAL

encr aes 256
encryption aes-cbc-256
authentication pre-share
integrity sha256 sha384 sha512
group 2 group 2
crypto ikev2 policy DMVPN-POLICY

match fvrf <fVRF Name>
match address local <underlay ip>
proposal DMVPN-PROPOSAL
crypto isakmp profile DMVPN-Internet-Profile-V1
keyring DMVPN-EUCH1-KEYRING
match identity address 0.0.0.0 <fVRF>
crypto ikev2 profile IKEv2_Prof_Shared
isakmp authorization list default
local-address Ethernet1/0
match address local interface <Underlay Interface>
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local IKEv2_SHARED_KEY
DMVPN Implementation Steps (Security)
1st Configure the Authentication Credentials;

- Pre-Shared Key
HUB
SPOKE
Name of Keyring For fVRF scenarios. If the fVRF is not
specified the keyring will be part of
global vrf.
!
crypto keyring DMVPN-KEYRING vrf DMVPN-Internet-Transport-V1
pre-shared-key address 0.0.0.0 0.0.0.0 key STRINGKEY
!
A crypto keyring is a repository of preshared and PKI.
Specify the IP address String that must be

of the peers, on this common with all
case, means any IP interested peers
crypto ikev2 keyring DMVPN-KEYRING

peer <Peer-Name>
address 0.0.0.0 0.0.0.0
pre-shared-key STRINGKEY
2nd Configure the Authentication Credentials;

- Policy Proposal
HUB
Priority ID
SPOKE
!
crypto isakmp policy 10 Cryptography
encryption aes 256 Algorithm
group 2 Authentication Method
!
Diffie-Hellman Group
!
crypto ikev2 proposal DMVPN-PROPOSAL
group 2
!
crypto ikev2 policy DMVPN-POLICY

proposal DMVPN-PROPOSAL
match address local <Underlay IP>
3rd Configure the Authentication Credentials;

- ISAKMP Profile
HUB
SPOKE
!
crypto isakmp profile DMVPN-Profile Profile Name
inside VRF
vrf <iVRF> * used with crypto maps only
keyring DMVPN-KEYRING Keyring Name
match identity address 0.0.0.0 <fVRF> front VRF
* Used when target underlay addresses
isakmp authorization list default are hosted on a front VRF
local-address Ethernet1/0
! Permitted peers, where 0.0.0.0
means any IP
AAA authorization list
Local Exit Interface, usually the ISP

interface.
crypto ikev2 profile DMVPN-Profile Same interface used on Tunnel Source
match fvrf <fVRF Name> command. The IP address on this
match address local interface <Underlay Interface> interface will be used as identity to
match identity remote address 0.0.0.0 be match on the peers.
keyring local DMVPN-KEYRING
IKE phase 2. IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the
peers.
IKEv1 IKEv2
Transform-Set Profile Apply Transform-Set Profile Apply
crypto ipsec transform-set DMVPN-TRANSFORMSET-V1 esp-aes 256 esp- crypto ipsec transform-set DMVPN-TRANSFORMSET-V2 esp-aes 256 esp-
sha-hmac sha256-hmac
mode transport mode transport
crypto ipsec profile DMVPN-IPSEC-PROFILE-V1 crypto ipsec profile DMVPN-IPSEC-PROFILE-V2

set transform-set DMVPN-TRANSFORMSET-V1 set transform-set DMVPN-TRANSFORMSET-V2
set isakmp-profile DMVPN-ISAKMP-PROFILE set ikev2-profile DMVPN-Internet-Profile-V2
Without this command

* IKEv1 is tried first
Interface tunnel 10 Interface tunnel 10

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-V1 Shared tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-V2 Shared
Used when many VTIs use

the same ipsec profile
4th Configure the Data Protection;

- IPsec Transform-Set
HUB
SPOKE
Security association [SA] anti-replay is a security service in which the

receiver can reject old or duplicate packets to protect itself against replay
attacks.
!
Set the quantity of packets received
crypto ipsec security-association replay window-size 512 in a window. Default is 64.
!
crypto ipsec transform-set DMVPN-TRANSFORMSET esp-aes 256 esp-sha-hmac
mode transport
!
Transformset Name
Transport Mode Encapsulate the Payload Only. Cryptography and Hash Algorithms
Tunnel Mode Encapsulate the Datagram IP
5th Configure the Authentication Credentials;

- IPsec Profile
HUB
SPOKE
SPOKE
! IPsec Profile Name
crypto ipsec profile DMVPN-IPSEC-PROFILE
set transform-set DMVPN-TRANSFORMSET Transform-set Name
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-V2

set transform-set DMVPN-TRANSFORMSET-V2
set ikev2-profile DMVPN-Internet-Profile-V2 IKEv2 Profile Name
6th Configure the Data Protection;

- Apply the IPsec profile on Tunnel Interface
HUB
SPOKE
IPsec profile name
!
Interface tunnel 10
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE shared
!
The Sharing IPsec with Tunnel Protection feature allows an IP Security

(IPsec) Security Association Database (SADB) to be shared between two
or more generic routing encapsulation (GRE) tunnel interfaces when
tunnel protection is used. These tunnel interfaces share a single
underlying cryptographic SADB, cryptographic map, and IPsec profile in
the Dynamic Multipoint Virtual Private Network (DMVPN) configuration.
Data Transfer. Data is transferred between IPSec peers based on the IPSec parameters and
keys stored in the SA database.
Tunnel IPsec
IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.
Tunnel IPsec
Timing Out
IPsec for Front VRF IKEv1
AS 65001 AS 65002
HUB1 HUB2
# Same for both HUBs devices

!
crypto keyring SHARED_KEY vrf INTERNET
pre-shared-key address 0.0.0.0 0.0.0.0 key SH4R3D_K3Y
!
crypto isakmp policy 10
encr aes 256
group 2
!
! crypto keyring SHARED_KEY
crypto isakmp keepalive 60 5
! INTERNET pre-shared-key address 0.0.0.0 0.0.0.0 key SH4R3D_K3Y
!
crypto isakmp profile ISA_Prof_Shared crypto isakmp policy 10
keyring SHARED_KEY encr aes 256
match identity address 0.0.0.0 INTERNET authentication pre-share
local-address Ethernet0/0 group 2
! !
crypto ipsec security-association replay window-size 512 crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set Transf_Shared esp-aes 256
crypto isakmp profile ISA_Prof_Shared
esp-sha-hmac keyring SHARED_KEY
mode transport match identity address 0.0.0.0
! local-address Ethernet0/0
crypto ipsec profile IPSEC_Prof_Shared !
set transform-set Transf_Shared crypto ipsec security-association replay window-size 512
set isakmp-profile ISA_Prof_Shared !
! crypto ipsec transform-set Transf_Shared esp-aes 256 esp-sha-hmac
mode transport
SPOKE-B !
AS 65001 crypto ipsec profile IPSEC_Prof_Shared
set transform-set Transf_Shared
For Spoke sites with VRFs, follow the set isakmp-profile ISA_Prof_Shared
same script used on HUB devices !
IPsec for Front VRF IKEv2
AS 65001 AS 65002
HUB1 HUB2
!
crypto ikev2 proposal IKEv2_Prop_Shared
group 2
!
crypto ikev2 policy IKEv2_Poli_Shared
match address local <fVRF Underlay IP>
proposal IKEv2_Prop_Shared
!
crypto ikev2 keyring IKEv2_SHARED_KEY
peer ISP2_SPOKES
address 0.0.0.0 0.0.0.0
identity address 0.0.0.0
INTERNET pre-shared-key IKEv2_SH4R3D_K3Y
!
crypto ikev2 profile IKEv2_Prof_Shared
match address local interface <fVRF Interface>
match identity remote address 0.0.0.0
keyring local IKEv2_SHARED_KEY
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set Transf_Shared esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IKEv2_IPsec_Prof_Shared
set transform-set Transf_Shared
set ikev2-profile IKEv2_Prof_Shared
SPOKE-B !
AS 65001
For Spoke sites with VRFs, follow the
same script used on HUB devices
Commands Function
show dmvpn Display dmvpn map
show crypto isakmp sa To display current Internet Key Exchange (IKE) security associations (SAs)
show crypto ipsec sa To display the settings used by IPsec security associations (SAs)
show crypto ikev2 sa To display an Internet Key Exchange Version 2 (IKEv2) security associations
(SAs)
show crypto session To display status information for active crypto sessions
debug dmvpn Display dmvpn negotiation
debug crypto Displays crypto negotiation
clear ipsec sa Displays the configured transform sets.
PS: IKEv1 and IKEv2 can not share the same underlay interface.
ROUTING: Do not learn/publish the underlay IP via DMVPN tunnel

interfaces, this will make the DMVPN tunnel flap.
Agenda

What is DMVPN
Flowchart
fVRF Scenario

Connect on EVE and
enjoy!!!!
Part 2 - IPsec
Security Acronyms
IPsec Structure
fVRF Scenario
Part 3 - Routing
DMVPN - BGP
Dual HUB scenario
DMVPN EIGRP
DMVPN OSPF
BGP Implementation
Dynamic neighbours
HUB SPOKE
Step 1
Under router bgp command, add the command bellow Normal ibgp neighbour configuration
bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
Associates a subnet range with a BGP peer group and activates the BGP dynamic
neighbors feature.
Step 2
Under router bgp command, add the command bellow
bgp listen limit 254
Sets a global limit of BGP dynamic subnet range neighbors.
Use the optional limit keyword and max-number argument to define the
maximum number of BGP dynamic subnet range neighbors that can be created.
Step 3
Under address-family ipv4, add the commands bellow
neighbor iBGP-ACME peer-group
neighbor iBGP-ACME remote-as 65001
neighbor iBGP-ACME route-reflector-client
BGP Implementation
iBGP Scenario using dynamic neighbours
HUB
router bgp 65001
Permanent Tunnel bgp router-id 192.168.1.1
bgp log-neighbor-changes
bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
Tunnel 0 bgp listen limit 254
192.168.1.1 !
address-family ipv4
network 10.0.0.0 mask 255.255.255.0
network 20.0.0.0 mask 255.255.255.0
neighbor iBGP-ACME peer-group
neighbor iBGP-ACME remote-as 65001
neighbor iBGP-ACME route-reflector-client
exit-address-family
Unsecured
Cloud
router bgp 65001 router bgp 65001

bgp router-id 192.168.1.11 bgp router-id 192.168.1.12
bgp log-neighbor-changes bgp log-neighbor-changes
! Tunnel Tunnel !
address-family ipv4 address-family ipv4
network 30.0.0.0 mask 255.255.255.0
192.168.1.11 192.168.1.12 network 40.0.0.0 mask 255.255.255.0
neighbor 192.168.1.1 remote-as 65001 neighbor 192.168.1.1 remote-as 65001
neighbor 192.168.1.1 description HUB neighbor 192.168.1.1 description HUB
neighbor 192.168.1.1 activate SPOKE-B SPOKE-C neighbor 192.168.1.1 activate
neighbor 192.168.1.1 next-hop-self neighbor 192.168.1.1 next-hop-self
exit-address-family exit-address-family
BGP Implementation
eBGP Scenario
HUB
router bgp 65001
Permanent Tunnel bgp router-id 192.168.1.1
bgp log-neighbor-changes
!
Tunnel 0 address-family ipv4
192.168.1.1 network 10.0.0.0 mask 255.255.255.0
network 20.0.0.0 mask 255.255.255.0
neighbor 192.168.1.11 remote-as 65011
neighbor 192.168.1.11 description SPOKE-B
neighbor 192.168.1.11 activate
neighbor 192.168.1.11 next-hop-self
neighbor 192.168.1.12 description SPOKE-C
neighbor 192.168.1.12 activate
neighbor 192.168.1.12 next-hop-self
Unsecured exit-address-family
Cloud
router bgp 65011 router bgp 65012

! Tunnel Tunnel !
address-family ipv4 address-family ipv4
network 30.0.0.0 mask 255.255.255.0
192.168.1.11 192.168.1.12 network 40.0.0.0 mask 255.255.255.0
neighbor 192.168.1.1 remote-as 65001 neighbor 192.168.1.1 remote-as 65001
neighbor 192.168.1.1 description HUB neighbor 192.168.1.1 description HUB
neighbor 192.168.1.1 activate SPOKE-B SPOKE-C neighbor 192.168.1.1 activate
neighbor 192.168.1.1 next-hop-self neighbor 192.168.1.1 next-hop-self
exit-address-family exit-address-family
BGP Implementation
Dual HUB scenario
AS 65001 AS 65002
HUB1 Permanent Tunnel HUB2
Tunnel 0 Tunnel 0
router bgp 65001 192.168.1.1 192.168.1.2 router bgp 65002
bgp listen range 192.168.1.0/24 peer-group iBGP-ACME bgp listen range 192.168.1.0/24 peer-group iBGP-ACME
bgp listen limit 254 bgp listen limit 254
! !
address-family ipv4 vrf ACME address-family ipv4 vrf ACME
network 10.0.0.0 mask 255.255.255.0 network 10.0.0.0 mask 255.255.255.0
network 20.0.0.0 mask 255.255.255.0 network 20.0.0.0 mask 255.255.255.0
neighbor iBGP-ACME peer-group neighbor iBGP-ACME peer-group
neighbor iBGP-ACME remote-as 65001 Unsecured neighbor iBGP-ACME remote-as 65001
neighbor iBGP-ACME timers 2 6 neighbor iBGP-ACME local-as 65001
neighbor iBGP-ACME route-reflector-client Cloud exit-address-family
exit-address-family
To make the convergence quick. The values used here are as

example, choose what is better to your environment.
You can use the BFD feature on interface tunnel instead Tunnel
timers commands, but all routers must be using Cisco IOS XE 192.168.1.11
16.3 release
router bgp 65001 address-family ipv4

bgp router-id 192.168.1.11 network 30.0.0.0 mask 255.255.255.0
bgp log-neighbor-changes neighbor 192.168.1.1 activate
neighbor 192.168.1.1 remote-as 65001 neighbor 192.168.1.1 next-hop-self
neighbor 192.168.1.1 description HUB1 neighbor 192.168.1.1 weight 100
SPOKE-B
neighbor 192.168.1.1 timers 2 6 neighbor 192.168.1.2 activate
AS 65001 neighbor 192.168.1.2 next-hop-self
neighbor 192.168.1.2 description HUB2 neighbor 192.168.1.2 weight 150
! exit-address-family

CiscoDataCenterCertificatione Guide 2017

Uploaded by

Copyright:

Available Formats

CiscoDataCenterCertificatione Guide 2017

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CiscoDataCenterCertificatione Guide 2017

Uploaded by

Copyright:

Available Formats

Cisco DMVPN

Jun 26, 2017

Created by Andre Barros Longo

Part 1 Tunnel Interface

DMVPN means Dynamic Multipoint Virtual Private Network

DMVPN is usually used to protect the corporative data that is

DMVPN protect the corporative data using IPsec technology

Underlay YES Create the

1st Be sure that your UNDERLAY network has fully connectivity;

HUB(config)#interface tunnel 10 SPOKE(config)#interface tunnel 10

NHRP (Next Hop Resolution Protocol)

7th Configure NHRP (Next Hop Resolution Protocol) on the routers;

Old IOS Versions of commands Old IOS Versions of commands

9th Configure additional NHRP commands;

RT(config-if)#ip nhrp registration no-unique

* On Spoke routers - Detect if NHS is down and put the interface

10th Configure NHRP Redirect on HUB routers;

HUB(config)#interface tunnel 10 SPOKE(config)#interface tunnel 10

12nd Configure Multicast support;

HUB(config)#interface tunnel 10 SPOKE(config)#interface tunnel 10

Old IOS Versions of commands Old IOS Versions of commands

Temporary Tunnel Overlay Interface

ISP or MPLS or 3rd

interface Tunnel10 interface Tunnel10

Part 1 Tunnel Interface

IKEv1 ISAKMP 3DES

IKEv2 KINK AES

IPsec means Internet Protocol SECurity

ISAKMP means Internet Security Association and Key Management Protocol

IKE means Internet Key Exchange

PreShared Public Key

Cryptography Algorithm Phase 1 Phase 2

IKE phase 1 - Negotiation

Initiator Router Responder Router

Sends MM1 packet with policy proposals to Responder routers

crypto keyring DMVPN-KEYRING Reply MM2 packet

Sends MM3 packet

Reply MM4 packet

Sends MM5 packet

Reply MM6 packet

crypto keyring DMVPN-KEYRING <fVRF> crypto ikev2 keyring DMVPN-KEYRING

crypto isakmp policy 10 crypto ikev2 proposal DMVPN-PROPOSAL

crypto ikev2 policy DMVPN-POLICY

1st Configure the Authentication Credentials;

A crypto keyring is a repository of preshared and PKI.

Specify the IP address String that must be

crypto ikev2 keyring DMVPN-KEYRING

2nd Configure the Authentication Credentials;

crypto ikev2 policy DMVPN-POLICY

3rd Configure the Authentication Credentials;

AAA authorization list

Local Exit Interface, usually the ISP

crypto ipsec profile DMVPN-IPSEC-PROFILE-V1 crypto ipsec profile DMVPN-IPSEC-PROFILE-V2

Without this command

Interface tunnel 10 Interface tunnel 10

Used when many VTIs use

4th Configure the Data Protection;

Security association [SA] anti-replay is a security service in which the

5th Configure the Authentication Credentials;