
Note on DMVPN

I still remember it was back in 2014 that I heard about DMVPN; I had just started my networking journey back then. I had no concept of VPN whatsoever, and obviously no idea of the benefits that this technology would provide. I even labbed it up in GNS3 after watching a few YouTube videos, where I performed DMVPN over IPsec, but I was still just typing up the configuration commands and, unsurprisingly, bingo, the configuration was completed. Over the years, coming across some genius minds, I came to learn that configuring is not a big thing, which you can easily find on the internet nowadays; grasping the concept was the main part, which I had not done at that particular moment. I finally got the chance in 2017, when I configured it in the organization that I was working for, and this time I first got the concept and then configured it in a live scenario using a 2960 as my HUB router with a few Cisco 881 routers on the branch side.

DMVPN is a Cisco IOS software solution for building an easy, dynamic and scalable VPN with the help of NHRP, multipoint GRE (mGRE), a routing protocol such as EIGRP, OSPF or BGP, and optionally IPsec. DMVPN provides full-mesh connectivity with a simple HUB-and-SPOKE configuration. Note that DMVPN itself is not a protocol; it is a design that combines these existing components. Static point-to-point GRE tunnels between HUB and SPOKE are always possible, but the HUB then needs a separate tunnel interface (and, with IPsec, a separate crypto peer) for every SPOKE we add. That is workable for a small number of sites but quickly grows unwieldy as spokes multiply, which is the problem the components discussed in this blog solve.

DMVPN FEATURES AND BENEFITS
  • Provides full-mesh connectivity with a simple HUB-and-SPOKE configuration.
  • Spokes can be dynamically addressed (e.g. DHCP-assigned public IPs), since the HUB learns their addresses through NHRP registration.
  • Reduces the cost of secure communications and connections between branches by integrating VPN over existing internet links.
  • Allows for easier branch-to-branch communications and connections through a centralized HUB.
  • Usable with or without IPsec. Without IPsec the GRE tunnels carry traffic in cleartext across the underlay, so over the internet IPsec should be treated as mandatory.

COMPONENTS OF DMVPN

1. NHRP (Next Hop Resolution Protocol)

  • NHRP registration is performed by each Spoke router, which registers its NBMA (underlay, public) address together with its tunnel (overlay, private) IP with the NHS (Next Hop Server), i.e. the HUB router.
  • NHRP control traffic (registrations and resolution requests) always goes through the HUB, while the data-plane path depends on the DMVPN phase in use. In DMVPN Phase II and Phase III, data traffic can flow directly from one spoke to another, which also reduces resource utilization on the HUB router.

2. mGRE (multipoint GRE)
  • A single tunnel interface, which means we do not need to create a separate point-to-point tunnel for every individual SPOKE.
  • The tunnel destination is built dynamically: the GRE destination for each packet is taken from the NHRP cache rather than being configured statically.
3. ROUTING PROTOCOLS
EIGRP is the protocol most commonly used with DMVPN (and the one these notes assume), although DMVPN also works with RIPv2, OSPF and BGP.

4. IPsec
IPsec can be used along with DMVPN but it is optional from a design point of view; the GRE tunnels themselves provide no confidentiality or authentication. It is applied to the tunnel interface through an IPsec profile (tunnel protection), and DMVPN supports both IKEv1 and IKEv2 for key exchange.

5. UNDERLAY VS OVERLAY INTERFACE
There are basically two things when it comes to a DMVPN interface, i.e. the Underlay Interface and the Overlay Interface. Underlay basically means the public interface and its public IP (what NHRP calls the NBMA address); these addresses must be reachable from each other before we even start the DMVPN configuration. Overlay Interface means the tunnel interface (private IP) which we define manually on each router (HUB & SPOKE) and through which our traffic traverses.

DMVPN PHASE I
  • Spoke to Spoke cannot communicate directly and must transmit through the HUB, because the HUB's Overlay IP will always be the next hop for the Spokes (the spokes typically use a point-to-point GRE tunnel towards the HUB; only the HUB needs mGRE).
  • Control Plane and Data Plane traffic will always traverse the HUB itself.
  • Split Horizon must be disabled on the HUB's tunnel interface (for EIGRP/RIP) so that routes learned from one spoke are re-advertised to the others; alternatively the HUB can advertise just a summary or default route.
  • Load on the HUB router will be high, since all spoke-to-spoke traffic is hairpinned through it.

DMVPN PHASE-II
  • Spoke to Spoke direct communication can happen, where data plane traffic moves directly, but as said earlier control plane traffic will always go through the HUB.
  • Spoke 1 will learn about Spoke 2 using the HUB. Spoke 1 sends an NHRP Resolution Request for Spoke 2's tunnel IP to the HUB, the HUB forwards it to Spoke 2, and Spoke 2 then sends the NHRP Resolution Reply directly to Spoke 1 as a unicast packet. Spoke 1 now knows Spoke 2's NBMA address and builds a direct spoke-to-spoke tunnel.
  • The next hop in the routing table will always be the originating SPOKE's Overlay (tunnel) IP, which NHRP resolves to that spoke's Underlay (NBMA) IP. For this the HUB must not rewrite the next hop to itself (next-hop-self disabled for EIGRP).
  • Doesn't support summarization, which means if the HUB summarizes the spoke prefixes the next hop becomes the HUB, spoke to spoke communication will never happen directly, and it will work like DMVPN PHASE I.
  • Split Horizon must still be disabled on the HUB's tunnel interface, exactly as in Phase I, otherwise the spokes never learn each other's prefixes at all.


DMVPN PHASE III
  • Supports summarization (the HUB may even advertise only a default route), which is the main benefit over DMVPN PHASE II.
  • Concept of NHRP Redirect is introduced. When SPOKE-1 sends traffic for SPOKE-2 through the HUB, the HUB forwards the packet but also sends an NHRP Redirect (Traffic Indication) back to SPOKE-1 mentioning that a better path exists. SPOKE-1 then sends an NHRP Resolution Request for the actual destination IP, which the HUB forwards towards SPOKE-2; SPOKE-2 replies directly to SPOKE-1 with its NBMA address and the destination prefix, SPOKE-1 installs an NHRP shortcut for that prefix, and from then on SPOKE-1 and SPOKE-2 communicate directly. This is enabled with ip nhrp redirect on the HUB and ip nhrp shortcut on the spokes.
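To make the differences between the three phases concrete, the following added example (not the author's lab, and not from a real deployment) shows only the tunnel-interface configuration of the HUB and of one SPOKE for each phase, side by side. It assumes the same illustrative addressing throughout: hub underlay 203.0.113.1 and overlay 10.0.0.1, spoke underlay 203.0.113.2 and overlay 10.0.0.2, LANs in 192.168.0.0/16, EIGRP AS 1, and an IPsec profile named DMVPN-IPSEC that is assumed to be defined already. MTU/MSS tuning and the EIGRP process itself are identical in all three cases and are left out.

```cisco
! ===================== PHASE I: everything via the hub =====================
! HUB: mGRE, split horizon off so spoke routes are re-advertised; next-hop-self
! stays at its default (on), so spokes always see 10.0.0.1 as next hop.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
!
! SPOKE: plain point-to-point GRE to the hub; NHRP is still needed to register.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile DMVPN-IPSEC
!
! ===================== PHASE II: direct spoke-to-spoke data =====================
! HUB: additionally stop rewriting the next hop, and do NOT summarize here,
! otherwise the next hop becomes the hub again and you are back to Phase I.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
!
! SPOKE: multipoint GRE so it can build tunnels to other spokes' NBMA addresses.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
!
! ===================== PHASE III: redirect + shortcut =====================
! HUB: send NHRP redirects; summarization (even a default) is now fine because
! the NHRP shortcut, not the routing next hop, steers spoke-to-spoke traffic.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 192.168.0.0 255.255.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
!
! SPOKE: same as Phase II plus the shortcut knob.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
```

A quick way to see the phases behave differently: ping from one spoke's LAN to another spoke's LAN and then run `traceroute` and `show dmvpn` on the source spoke. In Phase I the hub's 10.0.0.1 appears as a hop and the spoke's DMVPN table only ever contains the hub; in Phase II and III a dynamic entry for the other spoke's NBMA address appears and the hub drops out of the path, and in Phase III `show ip nhrp` additionally lists the remote LAN prefix that the shortcut was installed for. One consequence practitioners sometimes miss is that in Phase II and III every spoke must be able to reach every other spoke's underlay address directly, so a firewall in front of a branch has to permit IKE (UDP/500, UDP/4500) and ESP from all other spokes, not just from the hub.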

The blog is getting pretty lengthy, and I will demonstrate a lab configuration later on my blog.
