
Note on DMVPN

I still remember that it was back in 2014 when I first heard about DMVPN; I had just started my networking journey then. I had no concept of VPNs whatsoever, let alone of the benefits this technology provides. I even labbed it up in GNS3 while watching a few YouTube videos and performed DMVPN over IPsec, but I was just typing in the configuration commands and, unsurprisingly, bingo, the configuration was complete. Over the years, coming across some genius minds, I came to learn that configuring is not the hard part, since configurations are easy to find on the internet nowadays; grasping the concept was the main part, which I had not done at that moment. I finally got the chance in 2017, when I configured it at the organization I was working for. This time I first got the concept and then configured it in a live scenario, using a 2960 as my HUB router with a few Cisco 881 routers on the branch side.

DMVPN is a Cisco IOS software solution for building an easy, dynamic and scalable VPN with the help of NHRP, multipoint GRE and routing protocols like EIGRP and OSPF. DMVPN provides full-mesh connectivity with a simple HUB and SPOKE configuration. Note that DMVPN itself is not a protocol; it is a design. A static GRE tunnel between HUB and SPOKE is always possible, but then we have to create a separate tunnel for each SPOKE we add. This may be a very useful solution on a small scale, but it easily grows unwieldy as spokes multiply in number. DMVPN avoids this by using the different components that I will be discussing in this blog.

DMVPN FEATURES AND BENEFITS
  • Provides full-mesh connectivity with a simple HUB and SPOKE configuration.
  • Spokes can be dynamically addressed.
  • Reduces the cost of secure communications and connections between branches by integrating VPN.
  • Allows for easier branch-to-branch communications and connections through a centralized HUB.
  • Usable with or without IPsec.
COMPONENTS OF DMVPN

1. NHRP
  • NHRP registration must be done by the Spoke router, which registers its NBMA address as well as its internal private IP with the NHS (HUB) router.
  • Control plane traffic will always go through the HUB router, while the data plane path depends on the DMVPN phase that we use. In DMVPN Phase II and Phase III, data traffic can move directly from one spoke to another, which also reduces resource utilization on the HUB router.

2. mGRE
  • A single tunnel interface, which means we do not need to create a separate P2P tunnel for each individual SPOKE.
  • Tunnel destinations are built dynamically.

3. ROUTING PROTOCOLS
EIGRP is the best-suited protocol for DMVPN, although it does support other protocols like RIPv2 and OSPF.

4. IPSec
IPsec can be used along with DMVPN, but it is optional. DMVPN supports both IKEv1 and IKEv2.

5. UNDERLAY VS OVERLAY INTERFACE
There are basically two kinds of interface when it comes to DMVPN, i.e. the Underlay interface and the Overlay interface. Underlay basically means the public IP addresses, which must be reachable from each other before we even start the DMVPN configuration. The Overlay interface means the tunnel interface (private IP) which we define manually on each router (HUB and SPOKE) and over which our traffic traverses.

DMVPN PHASE I
  • Spokes cannot communicate directly with each other and must transit through the HUB, because the HUB's Overlay IP will always be the next hop for the Spoke.
  • Control plane and data plane traffic will always go through the HUB itself.
  • Split Horizon must be disabled.
  • Load on the HUB router will be high.

DMVPN PHASE II
  • Direct spoke-to-spoke communication can happen, where data plane traffic moves directly, but as said earlier control plane traffic will always go through the HUB.
  • Spoke 1 will learn about Spoke 2 via the HUB. The HUB will forward (NHRP FORWARD) the request (NHRP REQUEST) sent by Spoke 1 to Spoke 2. Spoke 2 will then be able to reply (NHRP REPLY) directly to Spoke 1 as a unicast packet.
  • The next-hop IP will always be the SPOKE Underlay IP.
  • Doesn't support summarization, which means that if the HUB summarizes the routes, spoke-to-spoke communication will never happen directly and it will work like DMVPN PHASE I.
  • Split Horizon must be enabled.


DMVPN PHASE III
  • Supports summarization, which is the main benefit over DMVPN PHASE II.
  • The concept of NHRP Redirect is introduced: when SPOKE-1 wants to communicate with SPOKE-2, the HUB sends a redirect message to SPOKE-1 mentioning that a better path exists. SPOKE-1 will then send an NHRP Request for the destination IP, which the HUB forwards towards SPOKE-2. SPOKE-2 will then be able to communicate directly with SPOKE-1.
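The three phases differ only in a handful of Tunnel0 lines. The following is an added example (not the post's own configuration) showing those per-phase deltas for EIGRP on top of a base mGRE/NHRP setup; it assumes EIGRP AS 100, a HUB underlay address of 203.0.113.1 and branch LANs summarised as 192.168.0.0/16, all of which are constructed values.

```cisco
! ---- Phase I: hub-and-spoke only ----
! HUB Tunnel0: spokes must still learn each other's prefixes through the HUB,
! and the HUB remains the next hop, so all spoke-to-spoke data transits the HUB.
interface Tunnel0
 no ip split-horizon eigrp 100
! SPOKE Tunnel0: a point-to-point GRE tunnel towards the HUB is enough here.
interface Tunnel0
 tunnel mode gre
 tunnel destination 203.0.113.1
!
! ---- Phase II: spoke-to-spoke data plane ----
! HUB Tunnel0: advertise spoke prefixes with the originating spoke as next hop;
! the receiving spoke resolves that next hop to the other spoke's NBMA (underlay)
! address with an NHRP Resolution Request forwarded by the HUB.
interface Tunnel0
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
! Spokes keep "tunnel mode gre multipoint". No summary may be configured on the
! HUB: a summary would make the HUB the next hop again (Phase I behaviour).
!
! ---- Phase III: NHRP redirect / shortcut, summarization allowed ----
! HUB Tunnel0: send an NHRP Redirect whenever a packet enters and leaves the same
! mGRE interface. next-hop-self can stay on, so a summary route is now fine.
interface Tunnel0
 ip nhrp redirect
 no ip split-horizon eigrp 100
 ip summary-address eigrp 100 192.168.0.0 255.255.0.0
! SPOKE Tunnel0: act on the redirect by sending an NHRP Resolution Request and
! install the shortcut once the reply from the other spoke arrives.
interface Tunnel0
 ip nhrp shortcut
```

After a Phase III shortcut is built, `show ip nhrp` on the spoke shows a dynamic entry for the other spoke's overlay address and `show ip route` shows an NHRP-installed route (code `H`) that is more specific than the HUB's summary; if traffic between two spokes keeps flowing through the HUB instead, a missing `ip nhrp redirect` or `ip nhrp shortcut` is the usual cause.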

The blog is getting pretty lengthy, so I will demonstrate a lab configuration later on my blog.
