Thursday, 18 June 2015

DMVPN Part 1

So I briefly covered some points about DMVPN here from a night when I did a lab and wanted to remember some of it. I thought for my own sake I'd step back and really examine DMVPN. So back to the textbook.

DMVPN stands for "Dynamic Multipoint VPN". It is a way of creating dynamic VPNs for an organisation. This should remove the overhead of configuring individual VPNs. DMVPNs are ALWAYS setup in a hub & spoke configuration.

I've gone through the steps in the book using my home lab:

1. Basic Configuration of IP Addresses

Pretty easy... my routers are all connected to my switch and have 192.168.123.0/24 range IP addresses on their fast ethernet interfaces.

2. GRE Multipoint Tunnel configuration on all routers (for spoke-to-spoke connectivity).

This can be broken down further into two steps. Setup NHRP and setup mGRE - both of these are done under the tunnel interface.

An example of this is:

This is done on each router, however you don't have to do the nhrp map command to the hub router on the spoke routers. These are the commands underlined in red. They are not required on the hub router.
The authentication command is optional.
This can be verified using the following command:

The coolest thing about this is that we have two tunnels from the hub router to the spoke routers, but if the spoke routers decide to communicate, they will dynamically build a tunnel between them. Imagine in a DMVPN network, this is pretty useful.


Could do this all day!! It's so cool. However, the default operation of DMVPN is to send traffic as clear text. :O

3. Configure IPsec to Encrypt mGRE Tunnels

Apply IPsec to the configuration involves:
  1. Setting up the crypto isakmp policy
  2. Setting a key with the ip address 0.0.0.0 (because of the dynamic IP setting)
  3. Setting up a transform set
  4. Setting up an IPsec profile
  5. Applying the profile to the tunnel interface

No comments:

Post a comment