SNRS – Dynamic Multipoint VPN (DMVPN)
Solution
- Uses hub-and-spoke design
- Supports redundancy
- Does not use crypto maps
- Multipoint GRE tunnel interfaces
- Spokes initiate the tunnel to the HUB, never the reverse (spoke public addresses may be dynamic, the HUB's must be static)
- Single or multiple topology
  - Single topology: only one mGRE subnet (one tunnel interface) on the HUB side
  - Multiple topology: multiple mGRE subnets on the HUB side (a second HUB with its own mGRE subnet is how redundancy is achieved)
Components
- Multipoint GRE (mGRE) tunnel interface: a single tunnel interface on the HUB terminates every spoke
- Next Hop Resolution Protocol (NHRP)
  - About 20 years old (RFC 2332, 1998), originally designed for NBMA networks such as ATM, Frame Relay and X.25
  - Each spoke registers its tunnel address and its real (public) address with the HUB, which acts as the NHRP server (NHS)
  - Before sending a packet to a network behind another spoke, the spoke sends an NHRP resolution request to the HUB
  - The HUB answers with the real IP address of the spoke that advertised the destination network
  - If the destination is not behind the HUB, the spoke sets up an IPSec tunnel directly to the remote spoke (the spokes must use mGRE for this), bypassing the HUB
  - Spoke-to-spoke tunnels are removed automatically when idle for a certain time (governed by the NHRP holdtime)
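The registration / resolution / shortcut sequence described above, as an added example that is not part of the original notes and not Cisco code: a toy Python model of an NHS and two spokes. Tunnel and public addresses, prefixes, the holdtime and the integer clock are made-up sample values; the hub's route table doubles as the spokes' routing table, which is what you get when next-hop-self is disabled on the hub.

```python
# Added example (not Cisco code): a toy model of the NHRP exchange behind a
# DMVPN spoke-to-spoke shortcut. Tunnel/NBMA addresses, prefixes and the
# holdtime are made-up sample values; time is a simple integer clock.
import ipaddress
from dataclasses import dataclass


@dataclass
class Binding:
    nbma: str      # real (public) address a tunnel address maps to
    expires: int   # clock tick at which the binding is purged (holdtime)


class Hub:
    """Next Hop Server: keeps spoke registrations plus the routes the spokes
    advertised, each with the originating spoke as next hop (no next-hop-self)."""

    def __init__(self, tunnel_ip, nbma, holdtime):
        self.tunnel_ip, self.nbma, self.holdtime = tunnel_ip, nbma, holdtime
        self.cache = {}    # spoke tunnel IP -> Binding (from NHRP registrations)
        self.routes = {}   # ip_network -> next-hop tunnel IP

    def register(self, tunnel_ip, nbma, now):
        """NHRP registration request from a spoke; the spoke must refresh it."""
        self.cache[tunnel_ip] = Binding(nbma, now + self.holdtime)

    def advertise(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match; the spokes learn this same table from the hub."""
        addr = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if addr in n),
                   key=lambda n: n.prefixlen, default=None)
        return None if best is None else self.routes[best]

    def resolve(self, tunnel_ip, now):
        """NHRP resolution request: answer with the spoke's real address."""
        b = self.cache.get(tunnel_ip)
        return None if b is None or b.expires <= now else b.nbma


class Spoke:
    def __init__(self, tunnel_ip, nbma, hub, holdtime):
        self.tunnel_ip, self.nbma, self.hub, self.holdtime = tunnel_ip, nbma, hub, holdtime
        self.shortcuts = {}   # remote spoke tunnel IP -> Binding (direct tunnel)

    def register(self, now):
        self.hub.register(self.tunnel_ip, self.nbma, now)

    def send(self, dst, now):
        """Return (path, nbma): where a packet to dst is encapsulated to."""
        # idle spoke-to-spoke tunnels are torn down when their binding expires
        self.shortcuts = {k: v for k, v in self.shortcuts.items() if v.expires > now}
        next_hop = self.hub.lookup(dst)
        if next_hop is None:
            return ("no route", None)
        if next_hop == self.hub.tunnel_ip:          # network behind the hub
            return ("hub", self.hub.nbma)
        sc = self.shortcuts.get(next_hop)
        if sc is not None:                           # direct tunnel already up
            sc.expires = now + self.holdtime         # traffic keeps it alive
            return ("spoke-to-spoke", sc.nbma)
        # No binding yet: ask the NHS; packets keep flowing through the hub
        # until the resolution reply arrives.
        nbma = self.hub.resolve(next_hop, now)
        if nbma is not None:
            self.shortcuts[next_hop] = Binding(nbma, now + self.holdtime)
        return ("hub", self.hub.nbma)


def demo():
    hub = Hub("10.0.0.1", "198.51.100.1", holdtime=300)
    a = Spoke("10.0.0.2", "203.0.113.2", hub, holdtime=300)
    b = Spoke("10.0.0.3", "203.0.113.3", hub, holdtime=300)
    a.register(now=0)
    b.register(now=0)
    hub.advertise("192.168.0.0/24", hub.tunnel_ip)   # behind the hub
    hub.advertise("192.168.2.0/24", a.tunnel_ip)
    hub.advertise("192.168.3.0/24", b.tunnel_ip)
    out = [
        a.send("192.168.0.10", now=1),    # hub-side network: always via the hub
        a.send("192.168.3.10", now=2),    # first packet: via hub, resolution sent
        a.send("192.168.3.10", now=3),    # shortcut installed: direct to spoke b
        a.send("192.168.3.10", now=400),  # idle > holdtime, and b never re-registered
    ]
    b.register(now=400)                   # spokes re-register before the holdtime runs out
    out.append(a.send("192.168.3.10", now=401))  # resolution succeeds, packet still via hub
    out.append(a.send("192.168.3.10", now=402))  # direct again
    return out
```

The fourth step is the one to notice: once spoke b's registration has lapsed, the HUB can no longer resolve it, so a's traffic silently falls back to hairpinning through the HUB. Real spokes re-register on a timer well inside the holdtime.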
- IPSec profiles
- Replace static crypto maps, still needs a transform set
    rt(config)# crypto isakmp policy priority_#
    rt(config-isakmp)# authentication rsa-sig|rsa-encr|pre-share
    rt(config-isakmp)# encryption des|3des|aes|aes 192|aes 256
    rt(config-isakmp)# group 1|2|5
    rt(config-isakmp)# hash md5|sha
    rt(config-isakmp)# lifetime #_of_seconds
    rt(config-isakmp)# exit
    rt(config)# crypto isakmp key key address 0.0.0.0 0.0.0.0
    rt(config)# crypto ipsec transform-set tsname ts_1 [ts_2 [ts_3]]
    rt(cfg-crypto-trans)# mode tunnel
  - The wildcard address 0.0.0.0 0.0.0.0 means every spoke shares one pre-shared key and any peer that knows it is accepted; it is what makes dynamically addressed spokes possible, so prefer rsa-sig (certificates) where a PKI is available
  - des, md5 and DH group 1 are weak choices; use aes, sha and group 5 (or stronger where the platform offers it)
- Profile instead of map
    rt(config)# crypto ipsec profile profile_name
    rt(ipsec-profile)# set transform-set tsname [tsname2 [tsname3]]
    rt(ipsec-profile)# set pfs group1|group2|group5
    rt(ipsec-profile)# set security-association lifetime …
- HUB configuration
    rt(config)# interface tunnel int_#
    rt(config-if)# ip address ip_addr mask
    rt(config-if)# ip mtu 1416
    rt(config-if)# ip nhrp authentication key
    rt(config-if)# ip nhrp map multicast dynamic     ! needed for routing: protocol hellos are replicated to every registered spoke
    rt(config-if)# ip nhrp network-id id#
    rt(config-if)# ip nhrp holdtime seconds
    rt(config-if)# tunnel source public_int_name
    rt(config-if)# tunnel key key_#
    rt(config-if)# tunnel mode gre multipoint
    rt(config-if)# tunnel protection ipsec profile profile_name
- Spoke configuration
    rt(config)# interface tunnel int_#
    rt(config-if)# ip address ip_addr mask
    rt(config-if)# ip mtu 1416
    rt(config-if)# ip nhrp authentication key
    rt(config-if)# ip nhrp map HUB_tunnel_IP HUB_public_IP     ! static mapping of the HUB's tunnel address to its real address
    rt(config-if)# ip nhrp map multicast HUB_public_IP
    rt(config-if)# ip nhrp nhs HUB_tunnel_IP
    rt(config-if)# ip nhrp network-id id#
    rt(config-if)# ip nhrp holdtime seconds
    rt(config-if)# tunnel source public_int_name
    rt(config-if)# tunnel key key_#
    rt(config-if)# tunnel mode gre multipoint
    rt(config-if)# tunnel protection ipsec profile profile_name
  - The NHRP authentication key and the tunnel key must match on the HUB and every spoke; the network-id is locally significant but is normally kept identical across the cloud
- EIGRP: disable split horizon on the HUB tunnel interface (no ip split-horizon eigrp AS#) so routes learned from one spoke are re-advertised to the others
- EIGRP: no ip next-hop-self eigrp AS# on the HUB, so the advertised next hop stays the originating spoke's tunnel address and spoke-to-spoke traffic can use the direct tunnel
- EIGRP: configure the spokes as stubs (eigrp stub connected) so the HUB never queries them and they only advertise their connected networks
- OSPF: set the bandwidth parameter on the tunnel interface; it does not affect forwarding but feeds the interface cost, so set it to the real uplink speed (fragmentation is governed by ip mtu on the tunnel, not by bandwidth)
- OSPF: the HUB tunnel interface needs ip ospf network broadcast (the spokes too), and the HUB must be the DR, so give the spokes ip ospf priority 0
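The ISAKMP, transform-set and tunnel interface commands above leave room for several weak or inconsistent choices. As an added example that is not part of the original notes and not Cisco code, the Python below audits a spoke config for them: weak ISAKMP settings (including the IOS defaults that apply when a line is omitted), the wildcard pre-shared key, weak ESP transforms, a multipoint tunnel without NHRP authentication, tunnel key or IPsec protection, and an ip nhrp nhs address that has no matching ip nhrp map. Both configs are constructed samples; addresses, keys, interface names and the DMVPN profile name are made up.

```python
# Added example (not Cisco code): audit a DMVPN config for the weak choices the
# command syntax above allows. Both configs are constructed samples with made-up
# addresses, keys and names.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_sections(text):
    """Group IOS config lines into (command, [indented sub-commands]) pairs."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit_isakmp_policy(header, body):
    settings = {"encryption": "des", "hash": "sha", "group": "1"}  # IOS defaults if omitted
    for line in body:
        key, _, value = line.partition(" ")
        settings[key] = value
    name, out = header.split()[-1], []
    if settings["encryption"] in ("des", "3des"):
        out.append(f"isakmp policy {name}: weak encryption {settings['encryption']}")
    if settings["hash"] == "md5":
        out.append(f"isakmp policy {name}: weak hash md5")
    if settings["group"] in ("1", "2"):
        out.append(f"isakmp policy {name}: weak DH group {settings['group']}")
    return out

def audit_tunnel(header, body):
    if "tunnel mode gre multipoint" not in body:
        return []  # not a DMVPN tunnel interface
    out = []
    for required, why in (("ip nhrp authentication", "NHRP packets are unauthenticated"),
                          ("tunnel key", "mGRE interface is not keyed"),
                          ("tunnel protection ipsec profile", "GRE goes out in cleartext")):
        if not any(l.startswith(required) for l in body):
            out.append(f"{header}: missing '{required}' ({why})")
    # every NHS needs a static map of its tunnel address to its real address
    maps = {l.split()[3] for l in body if l.startswith("ip nhrp map ") and l.split()[3] != "multicast"}
    for l in body:
        if l.startswith("ip nhrp nhs ") and l.split()[3] not in maps:
            out.append(f"{header}: '{l}' has no matching 'ip nhrp map {l.split()[3]} <real IP>'")
    return out

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for header, body in parse_sections(text):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            findings += audit_isakmp_policy(header, body)
        elif header.startswith("crypto isakmp key") and header.endswith("0.0.0.0 0.0.0.0"):
            findings.append("wildcard pre-shared key: any peer that knows it is accepted as a spoke")
        elif header.startswith("crypto ipsec transform-set"):
            findings += [f"transform-set {words[3]}: weak transform {t}" for t in words[4:] if t in WEAK_ESP]
        elif header.startswith("interface Tunnel"):
            findings += audit_tunnel(header, body)
    return findings

# Constructed spoke config: DES/MD5/group 1, wildcard PSK, 3DES/MD5 transforms,
# no NHRP authentication, tunnel key or IPsec protection, and an NHS whose
# tunnel address (10.0.0.1) is not the one mapped (10.0.0.254).
WEAK_CONFIG = """
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
interface Tunnel0
 ip nhrp map 10.0.0.254 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
"""

# Same spoke, hardened: AES-256/SHA/group 5, certificate authentication
# (rsa-sig, PKI enrollment not shown), keyed and authenticated mGRE under IPsec.
HARDENED_CONFIG = """
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 5
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
interface Tunnel0
 ip nhrp authentication s3cr3t
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel key 100
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
"""
```

Running audit(WEAK_CONFIG) yields ten findings and audit(HARDENED_CONFIG) none. The nhs/map mismatch is worth keeping in a real check: a spoke with that typo still builds its IPsec tunnel to the HUB's public address but never registers with the NHS, so no routes arrive and no spoke-to-spoke tunnels are ever resolved.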