EIGRP Routing over DMVPN IPSec Tunnels

Introduction

In the last lab I explained how to configure a static IPSec tunnel. I mentioned in the conclusion that a static IPSec tunnel has its limitations: its design and configuration are cumbersome. This lab shows how to overcome that limitation with DMVPN (Dynamic Multipoint VPN). When I started this lab I went down the wrong path; thanks to my mentor, who pointed me in the right direction and explained how to approach the problem, the following are the steps. DO NOT GO TO THE NEXT STEP UNTIL YOU HAVE YOUR CURRENT STEP COMPLETED AND VERIFIED.

The key configuration steps can be summarised as below:

Step 1 – Configure and Test WAN Interfaces Connection
Configure physical interface addresses and loopback interface addresses, and verify basic connectivity between the routers within the VRF. At this step only the routers' WAN interfaces need to reach each other, not the loopback interfaces.

Step 2 – Configure and Test Dynamic Tunnels
Create mGRE DMVPN tunnels between HUB and SPOKE, and between SPOKE and SPOKE.

Step 3 – Configure and Test IPSec Tunnel Protection
Create an IPSec profile and apply it to the tunnel interfaces.

And then you can configure your favorite routing protocol over the tunnel.

Lab Overview

The topology of this lab is as below, with a single hub router in a data centre and two spoke routers at two sites. The router in the middle simulates the carriage/WAN environment. The Data Centre and Site routers connect to the WAN via static routing. Red lines show the tunnels. Site-to-site traffic transits through the tunnels, using the EIGRP dynamic routing protocol.

Configuration Steps

Step 1 – Configure and Test WAN Interfaces Connection

Configure physical interface addresses, loopback interface addresses and basic connectivity between the routers within the VRF.

There are two VRFs, namely FVRF and IVRF. The two VRFs segment the less secure carriage environment from the more secure corporate internal environment. FVRF stands for Front-door VRF, while IVRF stands for Internal VRF.

I will assign the physical WAN interfaces to FVRF, and the Loopback and Tunnel interfaces to IVRF. I will just use static routes to link the physical interfaces together. In a production environment we normally use eBGP, and sometimes static routes, to connect to the WAN.

Step 1 – Carriage
conf t
ip vrf FVRF
exit
ip vrf IVRF
exit
interface e1/0
ip vrf forwarding FVRF
ip add 20.20.20.10 255.255.255.252
no sh
exit
interface e1/1
ip vrf forwarding FVRF
ip add 20.20.20.2 255.255.255.252
no sh
exit
interface e1/2
ip vrf forwarding FVRF
ip add 20.20.20.6 255.255.255.252
no sh
exit

Step 1 – Data Centre (HUB)
conf t
ip vrf FVRF
exit
ip vrf IVRF
exit
interface loopback 0
ip vrf forwarding IVRF
ip add 3.3.3.3 255.255.255.255
exit
interface tunnel 0
ip vrf forwarding IVRF
ip add 192.168.1.1 255.255.255.0
exit
interface e1/0
ip vrf forwarding FVRF
ip add 20.20.20.9 255.255.255.252
no sh
ip route vrf FVRF 20.20.20.0 255.255.255.252 20.20.20.10
ip route vrf FVRF 20.20.20.4 255.255.255.252 20.20.20.10

Step 1 – Site1 (Spoke)
conf t
ip vrf FVRF
exit
ip vrf IVRF
exit
interface loopback 0
ip vrf forwarding IVRF
ip add 1.1.1.1 255.255.255.255
exit
interface tunnel 0
ip vrf forwarding IVRF
ip add 192.168.1.3 255.255.255.0
exit
interface e1/1
ip vrf forwarding FVRF
ip add 20.20.20.1 255.255.255.252
no sh
ip route vrf FVRF 20.20.20.8 255.255.255.252 20.20.20.2
ip route vrf FVRF 20.20.20.4 255.255.255.252 20.20.20.2

Step 1 – Site2 (Spoke)
conf t
ip vrf FVRF
exit
ip vrf IVRF
exit
interface loopback 0
ip vrf forwarding IVRF
ip add 2.2.2.2 255.255.255.255
exit
interface tunnel 0
ip vrf forwarding IVRF
ip add 192.168.1.2 255.255.255.0
exit
interface e1/2
ip vrf forwarding FVRF
ip add 20.20.20.5 255.255.255.252
no sh
ip route vrf FVRF 20.20.20.8 255.255.255.252 20.20.20.6
ip route vrf FVRF 20.20.20.0 255.255.255.252 20.20.20.6

Step 1 – Verification

DataCentre (HUB): Ping the Site1 and Site2 WAN interfaces from the data centre router to verify WAN connectivity. You may also specify a source address to verify bi-directional connectivity from a specific interface: “ping vrf FVRF 20.20.20.1 source 20.20.20.9”.

Site1 and Site2 (Spokes): Ping the Data Centre and Site 2 (or Site 1) WAN interfaces from the Site 1 (or Site 2) router to verify WAN connectivity.

Make sure all the pings (connectivity) work before you go to the next step.

Step 2 – Configure and Test Dynamic Tunnels (DMVPN)

Create the DMVPN mGRE tunnel between HUB and SPOKE. Dynamic tunnels will then establish between SPOKE and SPOKE. Spoke-to-spoke traffic will not detour via the HUB, but transits directly from one site to another.

Step 2 – Data Centre (HUB)
interface tunnel 0
ip vrf forwarding IVRF
ip add 192.168.1.1 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source e1/0
tunnel mode gre multipoint
tunnel vrf FVRF
ip nhrp redirect
no ip split-horizon eigrp 90
no ip next-hop-self eigrp 90
exit
router eigrp 90
address-family ipv4 vrf IVRF
! autonomous-system is required for EIGRP to actually run inside a VRF address-family
autonomous-system 90
network 3.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
 
ip nhrp map multicast dynamic
Allows NHRP to automatically add spoke routers to the multicast NHRP mappings.

ip nhrp network-id 1
Enables NHRP on the interface and sets the network ID; all hub and spoke routers should use the same network ID.

tunnel mode gre multipoint
Sets the encapsulation mode to mGRE for the tunnel interface.

ip nhrp redirect 
should be configured on the hub; it informs a spoke that it can communicate with the other spoke directly.
 
tunnel vrf
tells the tunnel to source and deliver its GRE packets via the NBMA (physical) interface in that VRF, here FVRF.

no ip split-horizon eigrp
no ip next-hop-self eigrp
The first command disables split horizon, the behaviour in which a router does not advertise a subnet out of the same interface on which it was received. In a hub/spoke topology like DMVPN you do not want that on the hub, so it must be disabled. If you do not disable it (split horizon is on by default), a spoke will never learn about the other spokes. The second command keeps the originating spoke's tunnel address as the next hop when the hub re-advertises a spoke's routes, so that spoke-to-spoke traffic can use the direct tunnel instead of the hub.

Next Hop Resolution Protocol (NHRP)
is a protocol used to discover the addresses of clients (spokes) on Non-Broadcast Multiple Access (NBMA) networks. With NHRP, systems attached to an NBMA network dynamically learn the NBMA address of the other systems that are part of that network. Each spoke still uses the hub as a Next Hop Server (NHS), which allows the hub to keep track of each of the spoke sites. This information can then be used by each spoke to dynamically set up mGRE tunnels to the other spokes as required.

Step 2 – Site1 (Spoke)
interface Tunnel0
ip vrf forwarding IVRF
ip address 192.168.1.3 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 20.20.20.9
ip nhrp map multicast 20.20.20.9
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source e1/1
tunnel mode gre multipoint
tunnel vrf FVRF
ip nhrp shortcut
exit
router eigrp 90
address-family ipv4 vrf IVRF
! autonomous-system is required for EIGRP to actually run inside a VRF address-family
autonomous-system 90
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
 
ip nhrp map 192.168.1.1 20.20.20.9
Statically configures the IP-to-NBMA (non-broadcast multiple access network) address mapping of IP destinations connected to an NBMA network.

  • hub-tunnel-ip-address – Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
  • hub-physical-ip-address – Defines the static public IP address of the hub.

 
ip nhrp map multicast 20.20.20.9
Enables the use of a dynamic routing protocol between the spoke and hub, and sends multicast packets to the hub router.

ip nhrp shortcut
should be configured on the spoke; it rewrites the Cisco Express Forwarding (CEF) entry after receiving the redirect message from the hub.

ip nhrp nhs 192.168.1.1
Configures the hub router as the NHRP next-hop server.

Step 2 – Site2 (Spoke)
interface Tunnel0
ip vrf forwarding IVRF
ip address 192.168.1.2 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 20.20.20.9
ip nhrp map multicast 20.20.20.9
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source e1/2
tunnel mode gre multipoint
tunnel vrf FVRF
ip nhrp shortcut
exit
router eigrp 90
address-family ipv4 vrf IVRF
! autonomous-system is required for EIGRP to actually run inside a VRF address-family
autonomous-system 90
network 2.2.2.2 0.0.0.0
network 192.168.1.0 0.0.0.255

Step 2 – Verification

Data Centre (HUB): Traceroute to the Site1 and Site2 loopback interfaces from the Data Centre router, making sure the packets go through the tunnel.

Site1 (Spoke): Trace to the DataCentre and Site2 loopback interfaces, making sure the packets go through the tunnel and that the path to Site2 is the direct tunnel from Site1 to Site2, not Site1 to DataCentre and then to Site2.

If you end up with the result above, ping the other router's physical interface in the VRF, then try again; you should have the following result.

Site2 (Spoke): Trace to the DataCentre and Site1 loopback interfaces, making sure the packets go through the tunnel and that the path to Site1 is the direct tunnel from Site2 to Site1, not Site2 to DataCentre and then to Site1.

Make sure all the traceroutes work before you go to the next step.

Step 3 – Configure and Test IPSec Tunnel Protection

Create an IPSec profile and apply it to the tunnel interfaces. Step 3 is almost the same as in the Static IPSec VPN Tunnel lab; if you are not sure about any of the following commands, please refer to that lab. The difference is that here you need to configure them with the VRF.

Step 3 – Data Centre (HUB)
crypto keyring vpnkey vrf FVRF
pre-shared-key address 20.20.20.0 255.255.255.0 key cisco
exit
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
exit
crypto isakmp profile vpnisaprofile
keyring vpnkey
match identity address 20.20.20.0 255.255.255.0 FVRF
exit
crypto ipsec transform-set vpntrans esp-aes esp-sha-hmac
exit
crypto ipsec profile vpnsecprofile
set transform-set vpntrans
set isakmp-profile vpnisaprofile
exit
interface Tunnel 0
tunnel protection ipsec profile vpnsecprofile
exit

Step 3 – Site1 (Spoke)
crypto keyring vpnkey vrf FVRF
pre-shared-key address 20.20.20.0 255.255.255.0 key cisco
exit
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
exit
crypto isakmp profile vpnisaprofile
keyring vpnkey
match identity address 20.20.20.0 255.255.255.0 FVRF
exit
crypto ipsec transform-set vpntrans esp-aes esp-sha-hmac
exit
crypto ipsec profile vpnsecprofile
set transform-set vpntrans
set isakmp-profile vpnisaprofile
exit
interface Tunnel 0
tunnel protection ipsec profile vpnsecprofile
exit
 
Step 3 – Site2 (Spoke)
crypto keyring vpnkey vrf FVRF
pre-shared-key address 20.20.20.0 255.255.255.0 key cisco
exit
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
exit
crypto isakmp profile vpnisaprofile
keyring vpnkey
match identity address 20.20.20.0 255.255.255.0 FVRF
local-address e1/2
exit
crypto ipsec transform-set vpntrans esp-aes esp-sha-hmac
exit
crypto ipsec profile vpnsecprofile
set transform-set vpntrans
set isakmp-profile vpnisaprofile
exit
interface Tunnel 0
tunnel protection ipsec profile vpnsecprofile
exit

Step 3 – Verification

DataCentre (HUB)

show crypto isakmp sa

show crypto session

 Site1 (Spoke)

show crypto isakmp sa

If you end up with the result above, ping the Site2 loopback interface with the Site1 loopback interface as source, then try again; you should have the following result.

show crypto session

Site2 (Spoke)

show crypto isakmp sa

show crypto session
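The consistency and crypto-setting checks implied by the three steps above, as an added Python example that is not part of the original lab: it audits a spoke's tunnel and crypto lines against the hub's values (network-id, NHS mapping, tunnel VRF, tunnel protection) and flags IKE settings a reviewer would reject, such as the lab's placeholder pre-shared key cisco, the /24 wildcard PSK and DH group 2. The HUB dictionary and the SITE1 sample are constructed from the lab's addresses; WEAK_PSKS is an assumed list of placeholder keys.

```python
import re

# Hub facts from the lab topology (data centre router); constructed from the lab's addresses.
HUB = {"tunnel_ip": "192.168.1.1", "nbma_ip": "20.20.20.9", "network_id": 1}
WEAK_PSKS = {"cisco", "cisco123", "password"}   # assumed placeholder keys that must never reach production

def audit(cfg, hub=HUB):
    """Return a list of findings for a spoke's tunnel + crypto config text."""
    f = []
    g = lambda pat: re.findall(pat, cfg, re.M)
    # Step 2 consistency: same network-id as the hub, NHS statically mapped, correct front-door VRF.
    if any(int(i) != hub["network_id"] for i in g(r"^ip nhrp network-id (\d+)")):
        f.append("nhrp network-id differs from the hub")
    maps = dict(g(r"^ip nhrp map (\d\S*) (\S+)"))       # tunnel-ip -> NBMA ip (skips 'multicast')
    for nhs in g(r"^ip nhrp nhs (\S+)"):
        if nhs != hub["tunnel_ip"] or maps.get(nhs) != hub["nbma_ip"]:
            f.append(f"nhs {nhs} is not statically mapped to the hub NBMA address")
    if not g(r"^tunnel vrf FVRF"):
        f.append("tunnel vrf FVRF missing: GRE would be routed in the global table")
    # Step 3 checks: protection applied, and IKE settings a reviewer would reject.
    if not g(r"^tunnel protection ipsec profile"):
        f.append("tunnel protection missing: mGRE traffic crosses the WAN in clear text")
    for net, mask, key in g(r"^pre-shared-key address (\S+) (\S+) key (\S+)"):
        if key in WEAK_PSKS or len(key) < 16:
            f.append(f"weak pre-shared key for {net}")
        if mask != "255.255.255.255":
            f.append(f"one PSK shared by every peer in {net} {mask}")
    for grp in g(r"^group (\d+)"):
        if int(grp) < 14:
            f.append(f"DH group {grp} is below 2048-bit; use group 14 or higher")
    return f

# Constructed sample: the lab's Site1 spoke (abbreviated), with its Step 3 crypto lines merged in.
SITE1 = """interface Tunnel0
ip address 192.168.1.3 255.255.255.0
ip nhrp map 192.168.1.1 20.20.20.9
ip nhrp map multicast 20.20.20.9
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel mode gre multipoint
tunnel vrf FVRF
tunnel protection ipsec profile vpnsecprofile
crypto keyring vpnkey vrf FVRF
pre-shared-key address 20.20.20.0 255.255.255.0 key cisco
crypto isakmp policy 1
group 2
"""
```

Running audit(SITE1) reports the weak key, the wildcard PSK and DH group 2 while the Step 2 lines pass; dropping the ip nhrp map line for the hub or changing the network-id surfaces the mismatch that would otherwise only show up as a tunnel that never comes up.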

Conclusion 

With a static IPSec VPN tunnel, when a new site wants to join the existing VPN, configuration needs to be done on each of the routers. With DMVPN, configuration is only needed on the new Spoke router: you can copy the configuration from one of the existing Spokes into the new Spoke, just make sure you change the IP addresses and the interfaces.
