Dynamic Multipoint VPN (DMVPN) Setup

Since DMVPN has been added to the CCIE v5 blueprint, I figured now was as good a time as any to write this post.
 
DMVPN stands for Dynamic Multipoint VPN. It is Cisco's solution for dynamic, secure overlay networks: spokes register with a hub over a multipoint GRE tunnel, and spoke-to-spoke tunnels are resolved on demand instead of being configured point-to-point.
 
DMVPN is a combination of the following technologies:
  • Multipoint GRE (mGRE)
  • Next-Hop Resolution Protocol (NHRP)
  • Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
  • Dynamic IPsec encryption (optional in DMVPN, and not configured in this lab)
  • Cisco Express Forwarding (CEF)
Topology that we will be starting with:
(Figure: Initial DMVPN topology)
First we do the base configuration on R1, R2 and R3: the IP addresses on the interfaces shown above, and the routing protocol that distributes the transport (underlay) routes. In this case we will use EIGRP AS 123.

R1:
Rack1R1(config)#int s0/0/0
Rack1R1(config-if)#no shut
Rack1R1(config-if)#encap ppp
Rack1R1(config-if)#
Aug  1 19:22:33.379: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
Rack1R1(config-if)#ip address 204.186.13.1 255.255.255.0
Rack1R1(config-if)#router eigrp 123
Rack1R1(config-router)# network 204.186.13.1 0.0.0.0

R2:
Rack1R2(config)#interface Serial0/0/0
Rack1R2(config-if)# no shutdown
Rack1R2(config-if)# ip address 204.186.23.2 255.255.255.0
Rack1R2(config-if)# encapsulation ppp
Rack1R2(config-if)#
Aug  1 19:28:56.915: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
Rack1R2(config-if)#router eigrp 123
Rack1R2(config-router)# network 204.186.23.2 0.0.0.0

R3:
Rack1R3(config)#interface Serial0/0/0
Rack1R3(config-if)# no shutdown
Rack1R3(config-if)# ip address 204.186.13.3 255.255.255.0
Rack1R3(config-if)# encapsulation ppp
Rack1R3(config-if)#interface Serial0/1/0
Rack1R3(config-if)# no shutdown
Rack1R3(config-if)# ip address 204.186.23.3 255.255.255.0
Rack1R3(config-if)# encapsulation ppp
Rack1R3(config-if)#router eigrp 123
Rack1R3(config-router)# network 204.186.13.3 0.0.0.0
Rack1R3(config-router)# network 204.186.23.3 0.0.0.0

Once the EIGRP neighbors have come up, verify that the correct routes are showing up:

R1:
Rack1R1(config)#do sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      204.186.23.0/24 is variably subnetted, 2 subnets, 2 masks
D        204.186.23.0/24 [90/2681856] via 204.186.13.3, 00:03:36, Serial0/0/0
D        204.186.23.2/32 [90/2681856] via 204.186.13.3, 00:03:36, Serial0/0/0

R2:
Rack1R2(config-router)#do sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      204.186.13.0/24 is variably subnetted, 2 subnets, 2 masks
D        204.186.13.0/24 [90/2681856] via 204.186.23.3, 00:04:31, Serial0/0/0
D        204.186.13.1/32 [90/2681856] via 204.186.23.3, 00:04:31, Serial0/0/0

The routes are populating correctly. I did not include the output from R3 because it does not need to learn any routes from EIGRP: both the 204.186.13.0/24 and 204.186.23.0/24 networks are directly connected to it. Now that we have full reachability across the transport we can begin the actual DMVPN configuration. Here is what the new topology will look like once complete:
(Figure: DMVPN topology after the tunnel configuration)
Next we create the Tunnel interfaces on each router. R1 is the hub: it accepts NHRP registrations from any spoke (ip nhrp map multicast dynamic) and needs no static mappings. R2 and R3 are spokes: each statically maps the hub's tunnel address to its NBMA (serial) address, sends multicast and broadcast traffic only to the hub, and names the hub as its next-hop server (ip nhrp nhs). The NHRP network-id and the GRE tunnel key are the same on all three routers. Note that nothing in this configuration encrypts or authenticates the overlay: no IPsec profile is attached to the tunnels (no tunnel protection ipsec profile) and no ip nhrp authentication string is set, so GRE and NHRP cross the transport in cleartext, and the tunnel key is only a GRE demultiplexing value carried in the clear, not a secret. That is fine for a lab; a DMVPN over an untrusted transport needs the IPsec profile.

R1:
Rack1R1(config)#interface Tunnel0
Rack1R1(config-if)# ip address 173.1.123.1 255.255.255.0
Rack1R1(config-if)# no ip redirects
Rack1R1(config-if)# ip nhrp map multicast dynamic
Rack1R1(config-if)# ip nhrp network-id 99
Rack1R1(config-if)# ip nhrp holdtime 300
Rack1R1(config-if)# tunnel source Serial0/0/0
Rack1R1(config-if)# tunnel mode gre multipoint
Rack1R1(config-if)# tunnel key 100000

R2:
Rack1R2(config-router)#interface Tunnel0
Rack1R2(config-if)# ip address 173.1.123.2 255.255.255.0
Rack1R2(config-if)# no ip redirects
Rack1R2(config-if)# ip nhrp map 173.1.123.1 204.186.13.1
Rack1R2(config-if)# ip nhrp map multicast 204.186.13.1
Rack1R2(config-if)# ip nhrp network-id 99
Rack1R2(config-if)# ip nhrp nhs 173.1.123.1
Rack1R2(config-if)# tunnel source Serial0/0/0
Rack1R2(config-if)# tunnel mode gre multipoint
Rack1R2(config-if)# tunnel key 100000

R3:
Rack1R3(config-router)#interface Tunnel0
Rack1R3(config-if)# ip address 173.1.123.3 255.255.255.0
Rack1R3(config-if)# no ip redirects
Rack1R3(config-if)# ip nhrp map 173.1.123.1 204.186.13.1
Rack1R3(config-if)# ip nhrp map multicast 204.186.13.1
Rack1R3(config-if)# ip nhrp network-id 99
Rack1R3(config-if)# ip nhrp nhs 173.1.123.1
Rack1R3(config-if)# tunnel source Serial0/0/0
Rack1R3(config-if)# tunnel mode gre multipoint
Rack1R3(config-if)# tunnel key 100000
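To make that last point concrete, here is an added example (not part of the original post, and not Cisco tooling): a small Python audit that walks an IOS running-config, finds every multipoint GRE tunnel, and flags the ones without an IPsec profile or an NHRP authentication string. Both configs embedded in it are constructed for the example. The first is the R1 hub tunnel exactly as configured above; the second is the same tunnel with a transport-mode IPsec profile and NHRP authentication added, using the standard IOS 15.x crypto commands. The policy, transform-set and profile names (DMVPN-TS, DMVPN-PROF), the pre-shared key and the NHRP string are placeholder values chosen for the example, and the wildcard pre-shared key is a lab shortcut, not a recommendation.

```python
"""Audit IOS configs for DMVPN (mGRE) tunnels that lack IPsec or NHRP protection.

Added example: not Cisco tooling and not part of the original post.
Both configs below are constructed for this example; names and keys are placeholders.
"""
import re

# The hub tunnel as built in the post: GRE + NHRP only, nothing encrypted.
UNPROTECTED_HUB = """\
interface Tunnel0
 ip address 173.1.123.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 tunnel source Serial0/0/0
 tunnel mode gre multipoint
 tunnel key 100000
!
interface Serial0/0/0
 ip address 204.186.13.1 255.255.255.0
 encapsulation ppp
!
"""

# Same hub with the hardening applied. The 0.0.0.0 wildcard pre-shared key is a
# lab shortcut (every spoke shares it); use per-peer keys or certificates in
# production. The NHRP authentication string is limited to 8 characters by IOS.
PROTECTED_HUB = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key LAB-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 173.1.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY1
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 tunnel source Serial0/0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN-PROF
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return blocks


def ipsec_profiles(config):
    """Names of the 'crypto ipsec profile' blocks defined in the config."""
    return set(re.findall(r"^crypto ipsec profile (\S+)", config, re.M))


def audit_dmvpn(config):
    """Return {tunnel name: [findings]} for every 'tunnel mode gre multipoint' interface.

    'tunnel key' is deliberately not counted as a protection: it is a GRE
    demultiplexing value sent in the clear, so its presence proves nothing.
    """
    profiles = ipsec_profiles(config)
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "tunnel mode gre multipoint" not in lines:
            continue
        issues = []
        protection = [l for l in lines if l.startswith("tunnel protection ipsec profile ")]
        if not protection:
            issues.append("no IPsec protection: GRE and NHRP cross the transport in cleartext")
        else:
            profile = protection[0].split()[4]  # tunnel protection ipsec profile <name>
            if profile not in profiles:
                issues.append(f"references undefined IPsec profile {profile}")
        if not any(l.startswith("ip nhrp authentication ") for l in lines):
            issues.append("no NHRP authentication string")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, cfg in (("unprotected", UNPROTECTED_HUB), ("protected", PROTECTED_HUB)):
        for tunnel, issues in audit_dmvpn(cfg).items():
            print(f"{label} {tunnel}: {issues or 'OK'}")
```

Run against a saved "show running-config" and it reports, per mGRE tunnel, whether the tunnel is protected and whether the referenced IPsec profile actually exists; a tunnel that references a profile which was never defined stays up as plain GRE, which is why that case is flagged separately. The same profile and authentication lines go on every spoke's Tunnel0, with the profile attached via tunnel protection ipsec profile.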

Now let's verify that the tunnels have come up correctly:

R1:
Rack1R1(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 204.186.23.2        173.1.123.2    UP 00:39:58     D
     1 204.186.13.3        173.1.123.3    UP 00:38:51     D

R2:
Rack1R2(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 204.186.13.1        173.1.123.1    UP 00:41:20     S
     1 204.186.13.3        173.1.123.3    UP 00:08:43     D
 
R3:
Rack1R3(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 204.186.13.1        173.1.123.1    UP 00:40:34     S
     1 204.186.23.2        173.1.123.2    UP 00:09:05     D

Next we need to verify connectivity across the tunnel:

R1:
Rack1R1(config-if)#do ping 173.1.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.2, timeout is 2 seconds:
!!!!!
Rack1R1(config-if)#do ping 173.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/16 ms

R2:
Rack1R2(config-if)#do ping 173.1.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Rack1R2(config-if)#do ping 173.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R3:
Rack1R3(config-if)#do ping 173.1.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Rack1R3(config-if)#do ping 173.1.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Alright, everything looks good. Next let's look at the NHRP cache on each router:

R1:
Rack1R1(config-if)#do sh ip nhrp
173.1.123.2/32 via 173.1.123.2
   Tunnel0 created 00:16:27, expire 01:43:33
   Type: dynamic, Flags: unique registered nhop
   NBMA address: 204.186.23.2
173.1.123.3/32 via 173.1.123.3
   Tunnel0 created 00:15:20, expire 01:44:39
   Type: dynamic, Flags: unique registered nhop
   NBMA address: 204.186.13.3

R2:
Rack1R2(config-if)#do sh ip nhrp
173.1.123.1/32 via 173.1.123.1
   Tunnel0 created 00:17:55, never expire
   Type: static, Flags: used
   NBMA address: 204.186.13.1
 
R3:
Rack1R3(config-if)#do sh ip nhrp
173.1.123.1/32 via 173.1.123.1
   Tunnel0 created 00:17:00, never expire
   Type: static, Flags: used
   NBMA address: 204.186.13.1

Adding another spoke is simple: repeat the R2/R3 tunnel configuration with a unique tunnel address in 173.1.123.0/24 and the new router's own tunnel source, keeping the same network-id and tunnel key. The spoke registers with the hub (R1) over NHRP, and because the hub uses ip nhrp map multicast dynamic nothing on R1 has to change. Note in the output above that each spoke's entry for the hub is static and never expires, while the hub's entries for the spokes are dynamic and are kept alive by the spokes' registrations: on R1 the created time plus the expire time adds up to two hours, the default NHRP registration holdtime the spokes are using (only R1 overrides its own holdtime to 300 seconds).
 
You can follow me on Twitter at @ipv4freely
Posted in CCIE, Networking
