Tag Archives: DMVPN

Configuring DMVPN Phase 3 Dual Hub

This post details how to configure a DMVPN Phase 3 VPN in a Dual Hub, Single Cloud topology. I previously wrote a post on configuring DMVPN Phase 2; refer to that post for more detailed information on configuring DMVPN.

As per most previous posts, GNS3 was used to lab the configuration. I had to use the Advanced Security IOS image "c7200-advsecurityk9-mz.152-4.M7" instead of my normal Advanced IP Services IOS image "c7200-advipservicesk9-mz.152-4.S4" because that version does not support the NHRP redirect required for DMVPN Phase 3. The error received when configuring NHRP redirect is: % NHRP-WARNING: 'ip nhrp redirect' failed to initialise.

This post covers the following:

  • Front Door VRF
  • Crypto Keyring
  • Dual DMVPN Hub configuration
  • DMVPN Spoke configuration
  • DMVPN NHS Clustering (dual active Hubs and Active/Standby Hub)
  • DMVPN Phase 3

The router default ISAKMP policy, IPSec transform set and IPSec profile were used and are therefore not covered in this post. This previous post covers ISAKMP and IPSec policy/profile creation.

The lab scenario has 6 x Cisco IOS 15.2(4) routers as represented in the diagram below.



CCNP ROUTE 2.0: VPN Technologies

CCNP ROUTE 2.0 Exam Blueprint: VPN Technologies

  • Configure and verify GRE
  • Describe DMVPN
  • Describe Easy Virtual Networking (EVN)

Configure and Verify GRE

  • Generic Routing Encapsulation (GRE) was designed to carry multiprotocol and IP multicast traffic between sites
  • Encapsulated protocols include IP, AppleTalk, DECnet and IPX
  • GRE encapsulates an inside IP packet within an outside IP header
  • GRE is NOT encrypted by default
  • GRE tunnels can run through IPSec tunnels. When running GRE over IPSec, a packet is first encapsulated in a GRE packet and then the GRE packet is encrypted by IPSec
  • GRE tunnels support transporting IP multicast and broadcast packets to the other end of the tunnel
  • GRE tunnels add an additional 20 byte outer IP header and a 4 byte GRE header, 24 bytes of overhead in total

GRE can be configured as either point-to-point or point-to-multipoint tunnels.

Point-to-Point – simple configuration between 2 peers; does not require NHRP.
Point-to-Multipoint – only one tunnel interface is configured on a router to support multiple GRE peers (great for scalability); requires NHRP to build dynamic tunnels (which allows peers with DHCP-assigned public IP addresses).

Cisco ISR G2 Router bad IPSec performance

I've been testing a new DMVPN with IPSec encryption utilising brand new Cisco 3945 ISR G2 routers. I performed some basic performance tests using "iperf" with just a GRE tunnel (no encryption) between 2 sites and I was consistently getting 91Mbps throughput (not bad). Upon adding the encryption (AES-128) and re-running the tests, the results were erratic, with the throughput ranging from 16Mbps to 52.7Mbps and an average around 30Mbps.


Configuring Dynamic Multipoint VPN (DMVPN)

Dynamic Multipoint VPN (DMVPN) allows for a large-scale IPSec VPN deployment with reduced configuration and complexity. It uses GRE, Next Hop Resolution Protocol (NHRP) and IPSec encryption, and unlike traditional IPSec VPNs, DMVPN does not require crypto ACLs; instead it requires a single mGRE tunnel interface and a single IPSec profile. In a large DMVPN environment this greatly reduces the size of the configuration on the hub router.

DMVPN can be deployed using two models: Hub-and-Spoke and Spoke-to-Spoke.

Hub-and-Spoke (Phase 1) – requires each spoke to have a point-to-point GRE interface to build a tunnel to the hub router; all traffic flows through the hub router.

Spoke-to-Spoke (Phase 2 and Phase 3) – requires each spoke to have an mGRE interface, providing spoke-to-spoke communication in addition to hub-and-spoke communication.
