Configuring Dynamic Multipoint VPN (DMVPN) Dual-Internet Deployment

Hi everyone, today I just would like to share a lab configuration for one of the Cisco IWAN DMVPN design models. As you may already know, DMVPN is an overlay technology that runs on any underlay IP transport such as the Internet, MPLS, and 3G/4G. It uses a combination of protocols.

If you are looking for a more detailed explanation of all the protocols involved in DMVPN for certification purposes, you can refer to INE Blog – DMVPN Explained and INE Blog – DMVPN Phase 3.

The Cisco IWAN Deployment Guide contains a lot of advanced configuration, but this lab will focus only on the base configuration. The lab focuses solely on how the configuration fits together when deploying DMVPN with a particular design: dual-router hub, dual Internet (two DMVPN clouds), and single- and dual-router remote sites (see figure below).

[Figure: dmvpn1 (lab topology)]

As usual, we’re going to use GNS3 and Cisco IOU L2 and L3. Please refer to our topology to have a better overview of the configurations.

1 – Configure the DS-SW1-HQ

1.1 – Configure the interface connected to hub1, hub2, and edge-1:

########## ds-sw1-hq ##########
interface Ethernet0/1
 description hub1 e0/1
 no switchport
 ip address 192.168.1.6 255.255.255.252
!
interface Ethernet0/2
 description hub2 e0/1
 no switchport
 ip address 192.168.1.10 255.255.255.252
!
interface Ethernet0/0
 description edge-1 e0/0
 no switchport
 ip address 192.168.1.2 255.255.255.252
! Optionally configure a loopback interface
interface Loopback0
 ip address 10.254.1.240 255.255.255.255

1.2 – Configure routing to form a neighbor relationship with hub1, hub2, and edge-1.

In this lab, EIGRP will be used as the routing protocol. You have the option to use one or two EIGRP processes. If you want scalability and are comfortable using redistribution and route-maps to avoid routing loops, you can use two EIGRP processes, but if you want simpler configuration and management, use one EIGRP process instead.

Note: You could also use named EIGRP.

########## ds-sw1-hq ##########
router eigrp 1
 no auto-summary
 network 10.80.0.0 0.0.255.255
 network 192.168.0.0 0.0.255.255 
 passive-interface default
 no passive-interface Ethernet0/0
 no passive-interface Ethernet0/1
 no passive-interface Ethernet0/2
 no passive-interface Vlan10
 no passive-interface Vlan11
 eigrp router-id 10.254.1.240

1.3 – Configure summary route:

It is also good practice to summarize routes towards neighbors if the routing table gets too big. You can adjust the summary routes based on your requirements.

########## ds-sw1-hq ##########
interface Ethernet0/0 !< summary route toward edge-1
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0
 ip summary-address eigrp 1 192.168.0.0 255.255.252.0
!
interface Ethernet0/1 !< summary route toward hub1
 ip summary-address eigrp 1 10.80.0.0 255.255.0.0
!
interface Ethernet0/2 !< summary route toward hub2
 ip summary-address eigrp 1 10.80.0.0 255.255.0.0

2 – Configure the HUB1

2.1 – Configure the interface connected to dmz-sw1 and ds-sw1-hq:

######### hub1 #########
interface Ethernet0/1
 description ds-sw-hq e0/1
 ip address 192.168.1.5 255.255.255.252
!
interface Ethernet0/0
 description dmz-sw1 e0/0
 ip address 192.168.254.1 255.255.255.0
! Optionally configure a loopback
interface Loopback0
 ip address 10.254.1.241 255.255.255.255

2.2 – Configure VRF:

In this implementation the VRF is what is called a Front-Door VRF (FVRF), because the Internet-facing interface is contained in a VRF. FVRF solves the problem of having multiple default routes on the hub and spoke: one default route used by the hub and spoke to reach each other and establish the tunnel, and another default route used by internal users to access the Internet.

If we refer to our topology, hub1 has a static default route (via the ip route command) to edge-1 that is used to reach the spokes, and another default route learned via EIGRP, advertised by edge-1 via redistribution or the ip summary-address command, for the internal users to access the Internet. If the two default routes coexisted in the same routing table on the hub and spoke, the default route configured via ip route would override the default route learned via EIGRP because the administrative distance of a static route is 1, so the default route learned via EIGRP would not be installed in the routing table.

So the routing between all devices (including the default route learned via EIGRP) remains in the global routing table, and the default route used to build the tunnel is contained in the VRF.

First, we will create a VRF named FVRF. You can optionally assign a description. Then, assign it to the interface connected to dmz-sw1.

Note that the current IP address of the interface will be removed after you assign it to the VRF; this also removes the interface from the global routing table and places it in the VRF's routing table. Just configure the IP address again.

########## hub1 ##########
ip vrf FVRF
!
interface Ethernet0/0
 ip vrf forwarding FVRF
 ip address 192.168.254.1 255.255.255.0

2.3 – Configure a default route to edge-1:

The default route to edge-1 is contained in the VRF named FVRF, which is also used by the GRE tunnel to establish the tunnel to the spokes.

########## hub1 ##########
ip route vrf FVRF 0.0.0.0 0.0.0.0 192.168.254.12

2.4 – Configure the GRE tunnel:

########## hub1 ##########
interface Tunnel0
 ip address 10.1.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 101 
 ip nhrp redirect 
 tunnel source Ethernet0/0 
 tunnel mode gre multipoint 
 tunnel vrf FVRF

In the above configuration, the ip nhrp network-id is required when there are multiple DMVPN clouds. The ip nhrp redirect command was introduced in DMVPN Phase 3. As the name implies, it redirects the traffic to the intended spoke without the traffic going through the hub (except for the initial traffic, as you will see later in the verification section when we look at traceroute and the show ip cef command). The tunnel vrf command tells the router to look up the VRF routing table named FVRF and use it to reach the spokes, i.e. to establish the tunnel. In this case, the tunnel will use the interface Ethernet0/0 connected to dmz-sw1. As you may notice later in the verification section, the tunnel itself remains in the global routing table; this command is different from ip vrf forwarding, which moves the interface into a separate routing table.

As you may notice in various documents, there are optional commands like ip mtu, ip tcp adjust-mss, and bandwidth; these tune performance and are required for production networks.

2.5 – Configure routing between distribution switch (ds-sw1-hq) and spokes:

########## hub1 ##########
router eigrp 1
 no auto-summary
 network 10.1.0.0 0.0.255.255
 network 192.168.1.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Ethernet0/1
 eigrp router-id 10.254.1.241

2.6 – Configure summary route towards spokes:

########## hub1 ##########
interface Tunnel0
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0
 ip summary-address eigrp 1 192.168.0.0 255.255.252.0

Summary routes improve the scalability and routing performance of hubs and spokes. With a summary route advertised from the hubs, the spokes do not need a specific route for every other spoke. Also, disabling split horizon on the hub is not required.

If we refer to our topology, and considering that the spokes have the 10.0.0.0/8 summary route installed, when spoke sp1-a needs to communicate with spoke sp1-b the initial traffic goes to hub1; then, because hub1 has the specific routes of all the spokes, hub1 can redirect the traffic to the intended spoke. The redirect feature is accomplished in DMVPN Phase 3 with the ip nhrp redirect command. So the next time sp1-a sends traffic to sp1-b, sp1-a communicates directly with sp1-b without the traffic going to hub1, and the new next hop and interface are updated in Cisco Express Forwarding.

3 – Configure the HUB2

3.1 – Create a VRF:

########## hub2 ##########
ip vrf FVRF

3.2 – Configure the interface connected to dmz-sw1 and ds-sw1-hq:

########## hub2 ##########
interface Ethernet0/1
 description ds-sw-hq e0/2
 ip address 192.168.1.9 255.255.255.252
!
interface Ethernet0/0
 description dmz-sw1 e0/1
 ip vrf forwarding FVRF
 ip address 192.168.254.2 255.255.255.0
! Optionally configure a loopback
interface Loopback0
 ip address 10.254.1.242 255.255.255.255

3.3 – Configure a default route to edge-1:

########## hub2 ##########
ip route vrf FVRF 0.0.0.0 0.0.0.0 192.168.254.12

3.4 – Configure the GRE tunnel:

########## hub2 ##########
interface Tunnel0
 ip address 10.2.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 102 
 ip nhrp redirect 
 tunnel source Ethernet0/0 
 tunnel mode gre multipoint 
 tunnel vrf FVRF

Assign a different ip nhrp network-id, which creates another DMVPN cloud.

3.5 – Configure routing between distribution switch (ds-sw1-hq) and spokes:

########## hub2 ##########
router eigrp 1
 no auto-summary
 network 10.2.0.0 0.0.255.255
 network 192.168.1.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Ethernet0/1
 eigrp router-id 10.254.1.242

3.6 – Configure summary route towards spokes:

########## hub2 ##########
interface Tunnel0
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0
 ip summary-address eigrp 1 192.168.0.0 255.255.252.0

4 – Configure the EDGE-1

For this lab, we're going to use a router as the edge device, but for a production network it is recommended to use a security device like an ASA.

4.1 – Configure the interface connected to dmz-sw1, ds-sw1-hq and the internet and specify which interface will participate in NAT:

########## edge-1 ##########
interface Ethernet0/0
 description ds-sw-hq e0/0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
!
interface Ethernet0/1
 description internet-1
 ip address 200.1.1.100 255.255.255.0
 ip nat outside
!
interface Ethernet0/2
 description internet-2
 ip address 220.1.1.100 255.255.255.0
 ip nat outside
!
interface Ethernet1/0
 description dmz-sw1 e0/2
 ip address 192.168.254.12 255.255.255.0
 ip nat inside

4.2 – Create an access-list to be used by NAT:

########## edge-1 ##########
ip access-list extended NAT-1
 permit ip 10.80.0.0 0.0.15.255 any
 permit ip 10.81.0.0 0.0.15.255 any
 permit ip 10.82.0.0 0.0.15.255 any
!
ip access-list extended NAT-2
 permit ip 10.80.0.0 0.0.15.255 any
 permit ip 10.81.0.0 0.0.15.255 any
 permit ip 10.82.0.0 0.0.15.255 any

4.3 – Configure dynamic NAT so that internal users can access the Internet:

########## edge-1 ##########
ip nat pool internet-access-1 200.1.1.10 200.1.1.15 netmask 255.255.255.0
ip nat pool internet-access-2 220.1.1.10 220.1.1.15 netmask 255.255.255.0
!
ip nat inside source list NAT-1 pool internet-access-1 overload
ip nat inside source list NAT-2 pool internet-access-2 overload

4.4 – Configure static NAT for the hubs:

The static NAT enables the spokes to reach the hubs even though the hubs sit inside the network behind edge-1. When traffic from the spokes arrives at a hub's public IP address, it is translated to the hub's private IP.

########## edge-1 ##########
ip nat inside source static 192.168.254.1 200.1.1.2
ip nat inside source static 192.168.254.2 220.1.1.2

4.5 – Configure a default route to ISPs:

########## edge-1 ##########
ip route 0.0.0.0 0.0.0.0 200.1.1.1
ip route 0.0.0.0 0.0.0.0 220.1.1.1

4.6 – Configure routing to form neighbor relationship with ds-sw1-hq:

########## edge-1 ##########
router eigrp 1
 no auto-summary
 network 192.168.1.0
 passive-interface default
 no passive-interface Ethernet0/0

4.7 – Configure a summary route of 0.0.0.0 0.0.0.0 (default route) on the interface connected to ds-sw1-hq:

The following command advertises a default route to all of the routers and enables internal users to access the Internet.

########## edge-1 ##########
interface Ethernet0/0
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0

As you may notice, the design has a policy of centralised Internet access for all branches. There are some advantages to a centralised Internet connection, and number one is security, followed by total control of the traffic going to the web, simpler management, etc.

Note: In some cases you may want a local Internet connection at your branches. You can refer to the design guide IWAN Direct Internet Access.


The branch-A has dual routers connected to each ISP. Please refer to the topology.

5 – Configure the DS-SW1-A

5.1 – Configure the interfaces connected to sp1-a and sp2-a:

########## ds-sw1-a ########
interface Ethernet0/0
 no switchport
 description sp1-a e0/1
 ip address 192.168.2.2 255.255.255.252
!
interface Ethernet0/1
 no switchport
 description sp2-a e0/1
 ip address 192.168.2.6 255.255.255.252
! Optionally configure a loopback
interface Loopback0
 ip address 10.254.2.240 255.255.255.255

5.2 – Configure routing to form a neighbor relationship with sp1-a and sp2-a:

########## ds-sw1-a ########
router eigrp 1
 network 10.81.0.0 0.0.255.255
 network 192.168.0.0 0.0.255.255
 passive-interface default
 no passive-interface Ethernet0/0
 no passive-interface Ethernet0/1
 no passive-interface Vlan10
 no passive-interface Vlan11
 eigrp router-id 10.254.2.240

5.3 – Configure a summary route of VLANs toward sp1-a and sp2-a:

########## ds-sw1-a ########
interface Ethernet0/0 !< pointing to sp1-a
 ip summary-address eigrp 1 10.81.0.0 255.255.0.0
!
interface Ethernet0/1 !< pointing to sp2-a
 ip summary-address eigrp 1 10.81.0.0 255.255.0.0

6 – Configure the SP1-A

6.1 – Create a VRF:

########## sp1-a ########
ip vrf FVRF

6.2 – Configure the interfaces connected to ISP and ds-sw1-a:

########## sp1-a ########
interface Ethernet0/0
 description internet-1
 ip vrf forwarding FVRF
 ip address 100.1.1.2 255.255.255.0
!
interface Ethernet0/1
 description ds-sw1-a e0/0
 ip address 192.168.2.1 255.255.255.252
! Optionally configure a loopback
interface Loopback0
 ip address 10.254.2.241 255.255.255.255

6.3 – Configure a default route contained within the VRF:

########## sp1-a ########
ip route vrf FVRF 0.0.0.0 0.0.0.0 100.1.1.1

6.4 – Configure the GRE tunnel:

########## sp1-a ########
interface Tunnel0
 ip address 10.1.0.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast 200.1.1.2
 ip nhrp map 10.1.0.1 200.1.1.2
 ip nhrp network-id 101
 ip nhrp nhs 10.1.0.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel vrf FVRF

The ip nhrp network-id determines which DMVPN cloud the spoke joins. The ip nhrp shortcut feature was introduced in DMVPN Phase 3 together with ip nhrp redirect: after the redirect message from the hub, the spoke knows that there is a shortcut to that network without the traffic having to traverse the hub, and the spoke overrides the next-hop address and interface for that network.

6.5 – Configure routing to form neighbor relationship with ds-sw1-a and hub1:

########## sp1-a ########
router eigrp 1
 network 10.1.0.0 0.0.255.255
 network 192.168.0.0 0.0.255.255
 passive-interface default
 no passive-interface Ethernet0/1
 no passive-interface Tunnel0
 eigrp router-id 10.254.2.241

7 – Configure the SP2-A

7.1 – Create a VRF:

########## sp2-a ########
ip vrf FVRF

7.2 – Configure the interfaces connected to ISP and ds-sw1-a:

########## sp2-a ########
interface Ethernet0/0
 description internet-2
 ip vrf forwarding FVRF
 ip address 50.1.1.2 255.255.255.0
!
interface Ethernet0/1
 description ds-sw1-a e0/1
 ip address 192.168.2.5 255.255.255.252
! Optionally configure a loopback
interface Loopback0
 ip address 10.254.2.242 255.255.255.255

7.3 – Configure a default route contained within the VRF:

########## sp2-a ########
ip route vrf FVRF 0.0.0.0 0.0.0.0 50.1.1.1

7.4 – Configure the GRE tunnel:

########## sp2-a ########
interface Tunnel0
 ip address 10.2.0.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast 220.1.1.2
 ip nhrp map 10.2.0.1 220.1.1.2
 ip nhrp network-id 102
 ip nhrp nhs 10.2.0.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel vrf FVRF

sp2-a connects to a different DMVPN cloud, the one hub2 also connects to. Notice that the values in ip nhrp map 10.2.0.1 (tunnel IP address, or private IP) 220.1.1.2 (NBMA address, or public IP) are hub2's values, and the network-id must match hub2's.

7.5 – Configure routing to form neighbor relationship with ds-sw1-a and hub2:

########## sp2-a ########
router eigrp 1
 network 10.2.0.0 0.0.255.255
 network 192.168.0.0 0.0.255.255
 passive-interface default
 no passive-interface Ethernet0/1
 no passive-interface Tunnel0
 eigrp router-id 10.254.2.242

Branch-B has a single router connected to two DMVPN clouds.

8 – Configure the DS-SW1-B

8.1 – Configure the interface connected to sp1-b:

########## ds-sw1-b ########
interface Ethernet0/0
 description sp1-b e1/0
 no switchport
 ip address 192.168.3.2 255.255.255.252
! Optionally configure a loopback
interface Loopback0
 ip address 10.254.3.240 255.255.255.255

8.2 – Configure routing to form neighbor relationship with sp1-b:

########## ds-sw1-b ########
router eigrp 1
 network 10.82.0.0 0.0.255.255
 network 192.168.0.0 0.0.255.255
 passive-interface default
 no passive-interface Ethernet0/0
 no passive-interface Vlan11
 no passive-interface Vlan10
 eigrp router-id 10.254.3.240

8.3 – Configure a summarized route of VLANs toward sp1-b:

########## ds-sw1-b ########
interface Ethernet0/0
 ip summary-address eigrp 1 10.82.0.0 255.255.0.0

9 – Configure the SP1-B

9.1 – Configure VRF:

########## sp1-b ########
ip vrf FVRF-1
!
ip vrf FVRF-2

9.2 – Configure the interfaces connected to ISP-1, ISP-2, and ds-sw1-b:

########## sp1-b ########
interface Ethernet0/0
 description internet-1
 ip vrf forwarding FVRF-1
 ip address 150.1.1.2 255.255.255.0
!
interface Ethernet0/1
 description internet-2
 ip vrf forwarding FVRF-2
 ip address 180.1.1.2 255.255.255.0
!
interface Ethernet1/0
 description ds-sw1-b e0/0
 ip address 192.168.3.1 255.255.255.252

9.3 – Configure a default route contained within each VRF:

########## sp1-b ########
ip route vrf FVRF-1 0.0.0.0 0.0.0.0 150.1.1.1
ip route vrf FVRF-2 0.0.0.0 0.0.0.0 180.1.1.1

9.4 – Configure the GRE tunnel:

########## sp1-b ########
interface Tunnel0 
 ip address 10.1.0.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 200.1.1.2
 ip nhrp map 10.1.0.1 200.1.1.2
 ip nhrp network-id 101
 ip nhrp nhs 10.1.0.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel vrf FVRF-1
!
interface Tunnel1
 ip address 10.2.0.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 220.1.1.2
 ip nhrp map 10.2.0.1 220.1.1.2
 ip nhrp network-id 102
 ip nhrp nhs 10.2.0.1
 ip nhrp shortcut
 tunnel source Ethernet0/1
 tunnel mode gre multipoint
 tunnel vrf FVRF-2

Notice in the above configuration that Tunnel0 points to hub1, or the DMVPN-1 cloud, and Tunnel1 points to hub2, or the DMVPN-2 cloud. One of the DMVPN design options is to create only one DMVPN cloud while still having dual hubs and dual Internet WAN transports; in that case the network-id will be the same on all hubs and spokes. Which hub your spoke registers with via NHRP is determined by the commands ip nhrp map multicast, ip nhrp map, and ip nhrp nhs. So it is up to you which hub(s) your spoke registers with.
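As an added example (my own Python, not from the post or from Cisco), here is a small config lint that cross-checks the hub and spoke stanzas for the points made in the last two sections: a spoke's network-id must match the hub that its NHS address belongs to, tunnel vrf must name a VRF that actually exists on that router, and EIGRP router-ids must be unique. The parser only understands the stanza layout used in this lab, and the sample configs below are constructed.

```python
from collections import defaultdict

# Constructed sample (not from the post) with two deliberate copy-paste slips: hub2 reuses
# hub1's EIGRP router-id, and sp1-b's Tunnel1 names a VRF ("FVRF") that sp1-b never defines.
CONFIGS = {
    "hub1": """ip vrf FVRF
interface Tunnel0
 ip address 10.1.0.1 255.255.255.0
 ip nhrp network-id 101
 tunnel vrf FVRF
router eigrp 1
 eigrp router-id 10.254.1.241
""",
    "hub2": """interface Tunnel0
 ip address 10.2.0.1 255.255.255.0
 ip nhrp network-id 102
router eigrp 1
 eigrp router-id 10.254.1.241
""",
    "sp1-b": """ip vrf FVRF-1
ip vrf FVRF-2
interface Tunnel0
 ip nhrp network-id 101
 ip nhrp nhs 10.1.0.1
 tunnel vrf FVRF-1
interface Tunnel1
 ip nhrp network-id 102
 ip nhrp nhs 10.2.0.1
 tunnel vrf FVRF
router eigrp 1
 eigrp router-id 10.254.3.241
""",
}

FIELDS = {"ip address": "ip", "ip nhrp network-id": "netid",
          "ip nhrp nhs": "nhs", "tunnel vrf": "tvrf"}

def parse(text):
    """Tiny IOS config parser: (VRF names, {interface: fields}, EIGRP router-id)."""
    vrfs, ifaces, rid, cur = set(), defaultdict(dict), None, None
    for line in text.splitlines():
        w = line.split()
        if not line.startswith(" "):       # a top-level command ends any interface block
            cur = ifaces[w[1]] if w[:1] == ["interface"] else None
            if w[:2] == ["ip", "vrf"]:
                vrfs.add(w[2])
        elif w[:2] == ["eigrp", "router-id"]:
            rid = w[2]
        elif cur is not None:
            for prefix, field in FIELDS.items():   # sub-command -> field, value is next word
                if line.startswith(" " + prefix + " "):
                    cur[field] = w[len(prefix.split())]
    return vrfs, ifaces, rid

def lint(configs):
    """Cross-check hubs and spokes; returns a list of findings (empty list means clean)."""
    parsed = {dev: parse(txt) for dev, txt in configs.items()}
    # tunnel IP -> (device, network-id), so a spoke's NHS address resolves to its hub
    hubs = {i["ip"]: (dev, i.get("netid")) for dev, (_, ifs, _) in parsed.items()
            for i in ifs.values() if "ip" in i}
    findings, rid_owner = [], {}
    for dev, (vrfs, ifs, rid) in parsed.items():
        if rid in rid_owner:
            findings.append(f"{dev}: router-id {rid} duplicates {rid_owner[rid]}")
        rid_owner.setdefault(rid, dev)
        for name, i in ifs.items():
            if "tvrf" in i and i["tvrf"] not in vrfs:
                findings.append(f"{dev} {name}: tunnel vrf {i['tvrf']} is not defined")
            if "nhs" in i and hubs.get(i["nhs"], (None, None))[1] != i.get("netid"):
                findings.append(f"{dev} {name}: no hub at {i['nhs']} with network-id {i.get('netid')}")
    return findings
```

Running lint(CONFIGS) reports the duplicate router-id on hub2 and the undefined VRF on sp1-b Tunnel1; feed it the full running-configs of all hubs and spokes and it stays quiet only when the clouds line up.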

9.5 – Configure routing to form a neighbor relationship with ds-sw1-b, hub1, and hub2:

########## sp1-b ########
router eigrp 1
 network 10.1.0.0 0.0.255.255
 network 10.2.0.0 0.0.255.255
 network 192.168.0.0 0.0.255.255
 passive-interface default
 no passive-interface Ethernet1/0
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 eigrp router-id 10.254.3.241

10 – Verification:

Now we are going to verify that our topology is working. Please refer to our topology; we will focus the verification on sp1-a.

Figure – 10.1 confirms that sp1-a is registered with hub1 by issuing show dmvpn on sp1-a.

[Figure – 10.1: show dmvpn on sp1-a (image shdmvpnsp1-a.PNG)]

Figure – 10.2 is the routing table of sp1-a; notice that the route 10.0.0.0/8 is the summary route advertised by hub1, which you can see from its next hop and interface.

[Figure – 10.2: show ip route on sp1-a (image shiproutesp1-a)]

Refer to the following figure – 10.3, where we issue the show ip cef command for the destination network, which is the branch-B LAN. We confirm that in order to reach the branch-B LAN, sp1-a uses 10.1.0.1 through Tunnel0, which is hub1. Then we issue the traceroute command, where we can see that the traffic goes to hub1 and then to the branch-B router (sp1-b). After that, we issue the traceroute command again and notice that the traffic goes directly to the branch-B router (sp1-b). Then we verify again with CEF that, in order to reach branch-B, the next hop is the branch-B router (sp1-b) through Tunnel0.

[Figure – 10.3: show ip cef and traceroute on sp1-a (image traceroutesp1-a)]

Refer to the following figure 10.4, where we issue the show dmvpn command again; we can confirm that branch-B is registered with the attributes Dynamic (D) and Route Installed (DT1). T1 means that the route is installed in the Routing Information Base (RIB), and if we issue show ip route again (refer to Figure – 10.5), we can verify that the branch-B network is installed and that it is learned via NHRP.

[Figure – 10.4: show dmvpn on sp1-a after the shortcut (image shdmvpnsp1-a-2.PNG)]
[Figure – 10.5: show ip route on sp1-a showing the NHRP route (image shiproutenhrp-sp1-a.PNG)]

We can also verify Internet access from one of our internal users on the branch 1 LAN.

[Figure: traceroute from an internal host to the Internet (image traceinternet.PNG)]

So we test by issuing the traceroute command to google.com (I used the VPCS under GNS3, by the way). Please refer to our topology.

  1. The first hop is the Switched Virtual Interface (SVI) of Vlan10.
  2. Next, it goes to sp2-a. This time ds-sw1-a chose sp2-a to forward the traffic because, based on the routing table of ds-sw1-a, it has two routes with the same metric and administrative distance, so it load-balances between them.
  3. Next, the packet goes to the hub2 tunnel interface.
  4. Next, the packet goes to ds-sw1-hq over the point-to-point link between hub2 and ds-sw1-hq.
  5. Next, the packet hits edge-1, NAT is applied based on the access-list we defined, and it goes out to the Internet.
  6. 200.1.1.1 is the point-to-point link between edge-1 and the ISP. We also have two routes to the Internet: one via 200.1.1.1 and one via 220.1.1.1.

Note: The 192.168.91.2 is just the IP of my VMware Workstation. 

There are features missing from this lab, mainly IPsec, QoS, and PfR. Such topics are very broad and are not covered in this lab.

Hope you will find this post informative, and you can create your DMVPN deployment based on your requirements.

Thanks for stopping by.

Reference:

http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-branch-wan/index.html#~designs

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

 

 

 
