Problems caused by traditional VPN
1. Too many VPN tunnels make maintenance difficult and consume more device resources
2. VPN tunnels cannot be switched dynamically
3. Only suitable for small-scale VPN networks
DMVPN (Dynamic Multipoint VPN) is a Cisco proprietary VPN technology.
GRE Generic Routing Encapsulation
GRE (Generic Routing Encapsulation) can carry common routing protocols. In essence it establishes a tunnel through which many kinds of traffic can be transmitted.
Advantages: supports multiple protocols and carries multiple kinds of traffic (IPv4, IPv6)
Disadvantages: it only provides a tunnel and cannot ensure confidentiality.
GRE over IPSec
DMVPN has the advantages and disadvantages of GRE VPN, so it is combined with IPSec: DMVPN + IPSec VPN.
The essence of DMVPN: rely on the routing table to decide who to establish a VPN with
DMVPN: tunnels are set up dynamically. The key parameters for establishing a tunnel are the tunnel source address and the tunnel destination address.
mGRE: multiple VPN tunnels can be established under one interface.
How DMVPN works
1) The VPN between HUB and SPOKE is established manually. The purpose is to make HUB and SPOKE logically directly connected, so that a dynamic routing protocol can run over the tunnel and learn the routes of the private network.
Physical address: public network address
Tunnel address: logical address
2) The VPN between SPOKE and SPOKE is established dynamically.
When a SPOKE has just started, it runs NHRP and sends its own NHRP mapping (tunnel address to physical address) to the HUB.
HUB and SPOKE --- establish VPN --- run the routing protocol and learn routing information
When a SPOKE visits another SPOKE, it looks up the routing table to get the next hop address (tunnel address) --- NHRP mapping table --- physical address --- and uses that physical address as the VPN destination address.
Two tables are involved: the routing table and the NHRP database.
DMVPN is essentially a GRE VPN.
To establish a GRE VPN you need the source and destination addresses of the tunnel:
Get the next hop address (tunnel address) through the routing table
Get the tunnel destination address (physical address) through the NHRP database
Look up the NHRP database using the next hop address from the routing table to get the physical address, then use that physical address as the tunnel destination address.
DMVPN --- GRE --- where do the tunnel source and destination addresses come from?
First check the routing table, then check the NHRP database, and that gives the destination address.
How is the NHRP database generated?
When a SPOKE has just started, it sends registration information (including its tunnel-to-NBMA address mapping) to the HUB, so the HUB holds the complete NHRP database.
This triggers the establishment of the VPN between SPOKE and HUB.
When a SPOKE searches its own NHRP database and finds no corresponding tunnel-to-NBMA mapping, it queries the HUB.
How is the routing table generated?
The VPN between HUB and SPOKE is established manually to ensure the logical connection between them; the routing protocol then runs over it to generate the routing table.
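The two-table lookup described above (routing table for the next-hop tunnel address, then the NHRP database for the physical address), as an added Python example; this is not code from the page or from Cisco. Only the HUB's 172.16.1.1 / 14.1.1.1 address pair is taken from the configuration on this page; the spoke addresses, LAN prefixes and the small route-relay helper are constructed for the example. The `next_hop_self` switch in `build_lab` also shows why the original next hop has to be preserved for spoke-to-spoke tunnels, the point the next-hop optimization notes make further down.

```python
import ipaddress


class NhrpDatabase:
    """NHRP cache: tunnel (logical) address -> NBMA (public/physical) address."""

    def __init__(self, static_maps=None):
        # Static entries are the spoke's 'ip nhrp map <tunnel> <nbma>' lines.
        self.entries = dict(static_maps or {})

    def register(self, tunnel_addr, nbma_addr):
        self.entries[tunnel_addr] = nbma_addr

    def lookup(self, tunnel_addr):
        return self.entries.get(tunnel_addr)


class Router:
    """One DMVPN participant with its own routing table and NHRP database."""

    def __init__(self, name, tunnel_addr, nbma_addr, static_maps=None):
        self.name = name
        self.tunnel_addr = tunnel_addr   # logical address on Tunnel0
        self.nbma_addr = nbma_addr       # physical (public network) address
        self.routes = []                 # (network, next-hop tunnel address)
        self.nhrp = NhrpDatabase(static_maps)
        self.nhs = None                  # next-hop server (the hub); spokes only

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def next_hop(self, dst):
        """Routing table lookup: longest prefix match, returns the next-hop tunnel address."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def register_with_hub(self, hub):
        """NHRP registration at startup: tell the hub our tunnel -> NBMA mapping."""
        self.nhs = hub
        hub.nhrp.register(self.tunnel_addr, self.nbma_addr)

    def resolve_tunnel(self, dst):
        """Return (tunnel source, tunnel destination) for traffic to dst."""
        nh = self.next_hop(dst)
        if nh is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        nbma = self.nhrp.lookup(nh)
        if nbma is None and self.nhs is not None:
            # Cache miss: NHRP resolution request to the hub, then cache the reply
            # so the next packet to this next hop resolves locally.
            nbma = self.nhs.nhrp.lookup(nh)
            if nbma is not None:
                self.nhrp.register(nh, nbma)
        if nbma is None:
            raise LookupError(f"{self.name}: no NHRP mapping for next hop {nh}")
        return (self.nbma_addr, nbma)


def build_lab(next_hop_self=False):
    """Hub plus two spokes. Only the hub's 172.16.1.1 / 14.1.1.1 pair comes from
    the page; every other address and prefix is constructed for this example."""
    hub = Router("HUB", "172.16.1.1", "14.1.1.1")
    hub_map = {"172.16.1.1": "14.1.1.1"}       # ip nhrp map 172.16.1.1 14.1.1.1
    spoke1 = Router("SPOKE1", "172.16.1.2", "24.1.1.2", hub_map)
    spoke2 = Router("SPOKE2", "172.16.1.3", "34.1.1.3", hub_map)
    lans = {hub: "192.168.1.0/24", spoke1: "192.168.2.0/24", spoke2: "192.168.3.0/24"}
    for spoke in (spoke1, spoke2):
        spoke.register_with_hub(hub)
    # Routing protocol over the hub-spoke tunnels: the hub relays each spoke's LAN
    # to the other spokes. With next_hop_self the hub rewrites the next hop to its
    # own tunnel address, so spoke-to-spoke traffic is forced through the hub.
    for rtr in (hub, spoke1, spoke2):
        for origin, lan in lans.items():
            if origin is rtr:
                continue
            via_hub = next_hop_self and rtr is not hub and origin is not hub
            rtr.add_route(lan, hub.tunnel_addr if via_hub else origin.tunnel_addr)
    return {"hub": hub, "spoke1": spoke1, "spoke2": spoke2}


if __name__ == "__main__":
    lab = build_lab()
    print("hub NHRP database:", lab["hub"].nhrp.entries)
    print("SPOKE1 -> 192.168.3.10 tunnel:", lab["spoke1"].resolve_tunnel("192.168.3.10"))
    print("SPOKE1 NHRP cache after resolution:", lab["spoke1"].nhrp.entries)
```

Running it shows the HUB's database filled by the two registrations, SPOKE1 resolving SPOKE2's LAN through a cache miss that is answered by the HUB, and the learned mapping cached on SPOKE1 afterwards. With `build_lab(next_hop_self=True)` the same lookup returns the HUB's public address, which is exactly the spoke-to-hub-to-spoke path that the next-hop optimization avoids.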
DMVPN configuration steps
1. First ensure that the tunnel sources (public network addresses) can communicate
2. Configure MGRE
3. Configure NHRP to ensure the integrity of the NHRP database
SPOKE:
Specify the address of the NHRP server
A VPN must be established with the NHRP server
4. Configure routing protocols to ensure the integrity of the routing information database
5. Configure IPSec VPN (optional)
DMVPN configuration steps
1. First ensure that the tunnel sources (public network addresses) can communicate
2. Configure MGRE
The purpose is to allow one interface to support the establishment of multiple VPN tunnels
interface Tunnel0
 tunnel source Serial1/1
 tunnel mode gre multipoint
3. Configure NHRP to ensure the integrity of the NHRP database
SPOKE:
interface Tunnel0
 ip nhrp authentication 123SPOTO
 ip nhrp map 172.16.1.1 14.1.1.1
 ip nhrp network-id 123
 ip nhrp nhs 172.16.1.1
 ip nhrp map multicast 14.1.1.1
SPOKE2#show ip nhrp
SPOKE2#show dmvpn
Test whether the tunnel addresses can communicate
4. Configure routing protocols to ensure the integrity of the routing information database
Note that the routing protocol establishes neighbors through the Tunnel0 interface and exchanges routing information over it.
When running a distance-vector routing protocol, split horizon needs to be turned off.
Optimize the next hop
1) Using the EIGRP mechanism: no ip next-hop-self eigrp 100
2) Using the NHRP mechanism: HUB: ip nhrp redirect; SPOKE: ip nhrp shortcut
Traffic goes through the HUB the first time and SPOKE-to-SPOKE afterwards.
This is not visible in the routing table.
If OSPF is configured:
1) The interface network type defaults to point-to-point and needs to be changed to broadcast
2) DR/BDR election: control it so that the HUB is the DR
5. Configure IPSec VPN (optional)
A SPOKE needs a VPN to the HUB in order to send its registration message.
Establishing a VPN requires at least the tunnel source address and the tunnel destination address.
The tunnel destination address has to be obtained by searching the NHRP database.
So the mapping between the HUB's tunnel address and physical address is written manually.
DMVPN troubleshooting steps
1. First check whether the tunnel sources can communicate
Cannot communicate?
2. show dmvpn: check whether the VPN is established
Not established?
Check the mGRE and NHRP configuration under the tunnel interface
3. Test the connectivity of the tunnel addresses
4. View the routing protocol neighbors and routing entries
In the routing protocol configuration, the tunnel interface should be advertised
Check the multicast mapping
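A checker for the configuration steps and the troubleshooting checklist above, added here as a Python example; it is not code from the page or from Cisco. It parses an IOS-style running configuration and reports which of the page's requirements are missing on the Tunnel0 interface: mGRE source and multipoint mode, the NHRP network-id, the SPOKE's NHS with its static and multicast maps, the HUB's dynamic multicast map, split horizon and next-hop-self disabled on the HUB for EIGRP, the OSPF network type and DR control, and whether the routing protocol advertises the tunnel network. Both sample configurations are constructed: the HUB reuses the page's 172.16.1.1 / 14.1.1.1 addresses, and the SPOKE deliberately omits the multicast map and the tunnel network statement so the checker has something to find.

```python
import ipaddress

# Constructed sample configs (not from the page): the hub reuses the page's
# 172.16.1.1 (tunnel) and 14.1.1.1 (public) addresses, the rest is made up.
HUB_CONFIG = """\
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 tunnel source Serial1/1
 tunnel mode gre multipoint
!
router eigrp 100
 network 172.16.1.0 0.0.0.255
"""

# This spoke has two classic mistakes: no multicast map to the hub, and EIGRP
# is not told to run over the tunnel network, so no neighbor ever forms.
SPOKE_CONFIG = """\
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip nhrp map 172.16.1.1 14.1.1.1
 ip nhrp network-id 123
 ip nhrp nhs 172.16.1.1
 tunnel source Serial1/0
 tunnel mode gre multipoint
router eigrp 100
 network 192.168.2.0
"""


def parse_blocks(text):
    """Group an IOS-style config into {block header: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def covered_by_network(addr, network_cmd):
    """Does an EIGRP 'network X [wildcard]' statement cover addr?"""
    parts = network_cmd.split()
    if len(parts) == 3:                      # explicit wildcard (host) mask
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    else:                                    # no wildcard: classful network
        first = int(parts[1].split(".")[0])
        bits = 8 if first < 128 else 16 if first < 192 else 24
        net = ipaddress.ip_network(f"{parts[1]}/{bits}", strict=False)
    return ipaddress.ip_address(addr) in net


def check_dmvpn(config, role):
    """Walk the page's configuration and troubleshooting steps; return findings."""
    blocks = parse_blocks(config)
    tunnel = blocks.get("interface Tunnel0")
    if tunnel is None:
        return ["no interface Tunnel0"]
    findings = []
    has = lambda prefix: any(line.startswith(prefix) for line in tunnel)
    if not has("tunnel source "):            # step 2: mGRE source and mode
        findings.append("tunnel source missing")
    if "tunnel mode gre multipoint" not in tunnel:
        findings.append("tunnel mode gre multipoint missing")
    if not has("ip nhrp network-id "):       # step 3: complete NHRP database
        findings.append("ip nhrp network-id missing")
    if role == "spoke":
        servers = [l.split()[3] for l in tunnel if l.startswith("ip nhrp nhs ")]
        if not servers:
            findings.append("spoke has no NHS (ip nhrp nhs)")
        for nhs in servers:
            maps = [l.split() for l in tunnel if l.startswith(f"ip nhrp map {nhs} ")]
            if not maps:
                findings.append(f"no static NHRP map for NHS {nhs}")
            for m in maps:
                if not has(f"ip nhrp map multicast {m[4]}"):
                    findings.append(f"no multicast map to {m[4]}; routing hellos will not reach the hub")
    elif not has("ip nhrp map multicast dynamic"):
        findings.append("hub lacks ip nhrp map multicast dynamic")
    # Step 4: routing protocol over the tunnel; on the hub EIGRP needs split horizon
    # and next-hop-self off, OSPF needs broadcast network type with the hub as DR.
    tunnel_ip = next((l.split()[2] for l in tunnel if l.startswith("ip address ")), None)
    if tunnel_ip is None:
        return findings + ["tunnel has no ip address"]
    for header, lines in blocks.items():
        if header.startswith("router eigrp "):
            asn = header.split()[2]
            if not any(covered_by_network(tunnel_ip, l) for l in lines if l.startswith("network ")):
                findings.append(f"{header} does not advertise tunnel address {tunnel_ip}")
            if role == "hub":
                for cmd in (f"no ip split-horizon eigrp {asn}", f"no ip next-hop-self eigrp {asn}"):
                    if cmd not in tunnel:
                        findings.append(f"hub tunnel lacks '{cmd}'")
        elif header.startswith("router ospf "):
            if "ip ospf network broadcast" not in tunnel:
                findings.append("OSPF network type on the tunnel must be broadcast")
            if role == "spoke" and "ip ospf priority 0" not in tunnel:
                findings.append("spoke should use ip ospf priority 0 so the HUB becomes DR")
    return findings
```

`check_dmvpn(HUB_CONFIG, "hub")` returns an empty list, while `check_dmvpn(SPOKE_CONFIG, "spoke")` reports the missing multicast map and the EIGRP network statement that does not cover 172.16.1.2; those two findings correspond to troubleshooting steps 4 and the multicast-mapping check, which is where a spoke that registers fine but never forms a routing neighbor usually ends up.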
MPLS VPN: relies on the routing table and pushes labels; there is no very explicit tunnel mechanism, it relies more on the LSP, so it has a fixed path.
IPSec VPN: the tunnel destination address is specified manually and the VPN is established manually.
Relies on an ACL to match traffic, so traffic separation is needed.
DMVPN: relies on the routing table and then checks the NHRP database to get the corresponding physical address as the tunnel destination address. The tunnel destination address is obtained dynamically, hence dynamic multipoint VPN.
Copyright © 2024 PASSHOT All rights reserved.