Dynamic Multipoint VPN (DMVPN)

Dynamic Multipoint VPN (DMVPN) is available for at least 10 years I can say. Also, there are many blog posts including Cisco about this topic, but because I am preparing for an exam, I am doing a lab about it then why not share it here for iNET9s’ readers.

Introduction to DMVPN

DMVPN stands for Dynamic Multipoint Virtual Private Network. It is a great solution to build a scalable VPN topology dynamically between network sites. When we say “dynamic”, it is of course reduce administrative overhead and time. We believe that you do not want your branch offices access each other through the corporate network (Hub and Spoke topology). DMVPN is normally combined with some other technologies such as Multipoint GRE (mGRE), Next-Hop Resolution Protocol (NHRP), Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP), Dynamic IPsec encryption, and Cisco Express Forwarding (CEF).

The Network Topology

Example, you have iNET9-HQ and some branch offices iNET9-West and iNET9-East. If you are operating traditional network connectivity, each branches would have to go through HQ in order to talk to each others (Hub and Spoke). What you have to do is bring tunnel up between branch and HQ, then DMVPN will be a hero to create a secure tunnel between each branches dynamically. Cool, right?

Physical View

Logical View

Next Hop Resolution Protocol (NHRP)

NHRP (RFC 2332) is the main protocol that is designed for dynamic tunnel establishment. Its job is to resolve tunnel-to-physical interface address. Spoke routers (NHRP clients) send requests to the hub (next hop server) to get physical IP address of another spoke router. When each spoke routers have info for other end, dynamic tunnel establishment will happen.

DMVPN Configuration

Based on the network topology above, here is the configuration part to get this working. Let start from iNET9-HQ router.

interface GigabitEthernet0/0
 ip address 121.0.0.1 255.255.255.248
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source 121.0.0.1
 tunnel mode gre multipoint
!

 

Now, let do it on iNET9-West router.

interface GibabitEthernet0/0
 ip address 122.0.0.2 255.255.255.248
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp map 172.16.0.1 121.0.0.1
 ip nhrp map multicast 121.0.0.1
 ip nhrp network-id 10
 ip nhrp nhs 172.16.0.1
 tunnel source 122.0.0.2
 tunnel mode gre multipoint
!

 

iNET9-East router configuration would not different from iNET9-West.

interface GibabitEthernet0/0
 ip address 123.0.0.3 255.255.255.248
!
interface Tunnel0
 ip address 172.16.0.3 255.255.255.0
 ip nhrp map 172.16.0.1 121.0.0.1
 ip nhrp map multicast 121.0.0.1
 ip nhrp network-id 10
 ip nhrp nhs 172.16.0.1
 tunnel source 123.0.0.3
 tunnel mode gre multipoint
!

 

After above configuration is applied on different routers, you would see the tunnel is up like below output.

iNET9-HQ# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer
 NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
 UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Tunnel0, Type:Hub, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- ----- 
 10     122.0.0.2     172.16.0.2    UP 00:15:35 D    
 10     123.0.0.3     172.16.0.3    UP 00:10:12 D

 

Magic Part

As you can see, we did configuration to create tunnel between two spokes to hub router. Here is the magic part happen, tunnel between two spokes would create dynamically by its own.

iNET9-West# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer
 NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
 UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Tunnel0, Type:Spoke, NHRP Peers:1, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- ----- 
 10     122.0.0.1     172.16.0.1    UP 00:20:43 S
.................
iNET9-West# ping 172.16.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 21/30/40 ms
.................
iNET9-West# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer
 NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
 UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Tunnel0, Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- ----- 
 10     122.0.0.1     172.16.0.1    UP 00:21:38 S
 10     123.0.0.3     172.16.0.3    UP 00:00:55 D

 

Add Some Security Features

For simplicity, the above example configuration is for cleartext. We would recommend to include IPSec encryption to secure the tunnels over untrusted network. And below is the sample configuration on iNET9-HQ. The configuration on Spokes would not much different. You have to modify it a little bit then you are good to go.

!
crypto isakmp policy 10
 group 2
 encryption aes 256
 hash sha
 authentication pre-share
!
crypto isakmp key [email protected] address 0.0.0.0 0.0.0.0
! 
crypto ipsec transform-set iNET9SET esp-sha-hmac esp-aes 256
!
crypto ipsec profile iNET9VPN
 set transform-set iNET9SET
!
interface Tunnel0
 tunnel protection ipsec profile iNET9VPN
!

 

After IPSec encryption is added, you would see tunnels are rebuilt.

iNET9-HQ# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer
 NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
 UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Tunnel0, Type:Hub, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
 10     121.0.0.1     172.16.0.2    UP 00:03:36 D    
 10     122.0.0.2     172.16.0.3    UP 00:03:38 D    

iNET9-HQ# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
121.0.0.1     122.0.0.2     QM_IDLE          601    0 ACTIVE
121.0.0.1    123.0.0.3     QM_IDLE           602    0 ACTIVE

 

Cool huh? Let us know in the comment below! 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *