Thursday, August 30, 2012

Tunnels and DMVPN


  • GRE over IPSec with static crypto
    • Standard point-to-point GRE tunnels with an IPSec overlay. Create an access-list that matches the GRE traffic between the two tunnel endpoints and reference it from a static crypto map on the physical interface. Your ISAKMP keys will be based on the physical address, because that is where the IPSec session is sourced. Seemed pretty straightforward if you have ever created a tunnel and turned up a L2L VPN before.
  • GRE over IPSec with profiles
    • The difference with profiles is that IPSec is initiated from the loopbacks (the tunnel source), hence you need to configure your keys for the loopback address and not the physical address. You create a profile ('crypto ipsec profile VPN'), attach the transform set ('set transform-set 3DES_MD5_TRANS') and then apply the profile to the tunnel ('tunnel protection ipsec profile VPN'). No crypto ACL or crypto map is needed: everything the tunnel interface sends is what gets protected.
  • DMVPN w/ PSK
    • Now on to something new I have not done before. I did take a few classes on DMVPN at Cisco Live this year in preparation for my exam.
    • DMVPN basic -
      • Dynamic next-hop resolution using NHRP
      • Ability to build dynamic site-to-site tunnels instead of the hub and spoke model
      • Utilizes multipoint GRE
    • I need to go back and read some more about DMVPN - mainly the NHRP. Just to get familiar again with what the various commands mean such as 'ip nhrp map'.
    • Wildcard IKE pre-shared keys ('crypto isakmp key ... address 0.0.0.0 0.0.0.0') are necessary for dynamic tunnels, since the hub does not know the spoke addresses in advance and spokes do not know each other. The trade-off is a single shared secret for the whole cloud: anyone who obtains it can bring a tunnel up, which is why certificates are preferred outside the lab.
    • ip nhrp map multicast dynamic - on the hub, allows NHRP to automatically add each spoke to the multicast NHRP mappings as it registers, so the hub does not need a static multicast map per spoke
    • NHRP network IDs are locally significant although it makes sense to use unique IDs
    • ip nhrp map x.x.x.x y.y.y.y maps the tunnel address (x.x.x.x) to the physical address (y.y.y.y) on the spoke
      • Statically configures the IP-to-NBMA address mapping of IP destinations connected to an NBMA network.
        • hub-tunnel-ip-address --Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
        • hub-physical-ip-address --Defines the static public IP address of the hub.
    • ip nhrp map multicast y.y.y.y - on the spoke, sends multicast packets (routing-protocol hellos) to the hub's physical address, which is what enables dynamic routing protocols to run over the mGRE tunnel
    • DMVPN Monitoring commands
      • clear dmvpn session
      • clear dmvpn statistics
      • debug dmvpn
      • debug nhrp condition
      • debug nhrp error
      • logging dmvpn
      • show dmvpn
      • show dmvpn traffic
      • Other standard IPSec/ISAKMP monitoring commands
    • An important note is split-horizon in a DMVPN network. EIGRP will not advertise a route out the interface it was learned on, and on the hub every spoke sits behind the same tunnel interface, so you will need 'no ip split-horizon eigrp <AS>' on the hub tunnel to ensure the spokes receive a full EIGRP routing table. For spoke-to-spoke tunnels you also want 'no ip next-hop-self eigrp <AS>' on the hub so the advertised next hop stays the originating spoke rather than the hub.
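The following hub and spoke configuration pulls the DMVPN notes above together in one place (the IPSec profile and 'tunnel protection' are the same mechanism as in the GRE-over-IPSec-with-profiles item). This is an added example, not the author's lab config: the addresses, EIGRP AS number, key string, interface names and the 3DES/MD5 suite (kept only to match the transform-set name used above; it is weak by today's standards) are all assumptions.

```cisco
! ===== Hub (assumed: public 198.51.100.1, tunnel 10.0.0.1/24, EIGRP AS 100) =====
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
! Wildcard PSK: spoke addresses are unknown in advance. One secret for the whole cloud.
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile VPN
 set transform-set 3DES_MD5_TRANS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! hub must readvertise spoke routes out the same tunnel and keep the spoke as next hop
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile VPN
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 no auto-summary

! ===== Spoke (assumed: tunnel 10.0.0.2/24, LAN 192.168.2.0/24) =====
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
! Wildcard here too, so the spoke can form IPSec with other spokes, not only the hub
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile VPN
 set transform-set 3DES_MD5_TRANS
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ! tunnel address of the hub -> physical address of the hub
 ip nhrp map 10.0.0.1 198.51.100.1
 ! send EIGRP multicast to the hub's physical address
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile VPN
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 no auto-summary

! ===== Verification (either side) =====
! show dmvpn               -> peer NBMA/tunnel addresses and UP/NHRP state
! show ip nhrp             -> static (hub) and dynamic (learned) mappings
! show crypto isakmp sa    -> IKE SA per peer, should be QM_IDLE
! show ip eigrp neighbors  -> hub sees every spoke; spokes see the hub
```

'ip nhrp authentication' and 'tunnel key' must match on every router in the cloud; a mismatch on either is the usual reason a spoke registers with IPSec up but NHRP never completes.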
