This post details the configuration on how to configure a DMVPN Phase 3 VPN in a Dual Hub Single Cloud. I previously wrote a post on configuring DMVPN Phase 2, refer to this post for more detailed information on configuring DMVPN.
As per most previous posts GNS3 was used to lab the configuration. I had to use the Advanced Security IOS image “c7200-advsecurityk9-mz.152-4.M7” instead of my normal Advanced IP Services IOS image “c7200-advipservicesk9-mz.152-4.S4” because that version does not support NHRP redirect required for DMVPN Phase 3. The error received when configuring NHRP redirect is: % NHRP-WARNING: ‘ip nhrp redirect’ failed to initialise.
This post covers the following:
Front Door VRF
Dual DMVPN Hub configuration
DMVPN Spoke configuration
DMVPN NHS Clustering (dual active Hubs and Active/Standby Hub)
- DMVPN Phase 3
The router default ISAKMP Policy, IPSec Transform Set and IPSec Profile were used and therefore not covered in this post. This previous post covers ISAKMP and IPSec Policy/Profile creation.
The lab scenario has 6 x Cisco IOS 15.2(4) routers as represented in the diagram below.
Continue reading Configuring DMVPN Phase 3 Dual Hub
CCNP ROUTE 2.0 Exam Blueprint: VPN Technologies
- Configure and verify GRE
- Describe DMVPN
- Describe Easy Virtual Networking (EVN)
Configure and Verify GRE
- Generic Routing Encapsulation (GRE) was designed to carry multiprotocol and IP multicast traffic between sites
- Encapsulated protocols included IP, Appletalk, DECnet or IPX
- GRE encapsulates an inside IP address within an outside IP address
- Is NOT encrypted by default
- GRE tunnels can run through IPSec tunnels. When running GRE tunnel over IPSec, a packet is first encapsulated in a GRE packet and then GRE is encrypted by IPSec
- Multicast traffic GRE tunnels do support transporting IP multicast and broadcast packets to the other end of the GRE tunnel
- GRE tunnels add an additional 20 byte IP header and a 4 byte GRE tunnel header. 24 byte overhead in total
GRE can be configured as either point-to-point or point-to-multipoint tunnels.
Point-to-Point – simple configuration between 2 peers, does not require NHRP
Point-to-Multipoint – only one tunnel configured on a router to support multiple GRE peers (great for scalability), requires NHRP to build dynamic tunnels (allows peers with DHCP assigned public IP addresses).
Continue reading CCNP ROUTE 2.0: VPN Technologies
I’ve been testing a new DMVPN with IPSec encryption utilising brand new Cisco 3945 ISR G2 routers. I performed some basic performance tests using “iperf” with just a GRE tunnel (no encryption) between 2 sites and I was consistently getting 91Mbps throughput (not bad). Upon adding the encryption (AES-128) and re-running the tests the result were erratic with the throughput ranging from 16Mbps – 52.7Mbps with an average around 30Mbps.
Continue reading Cisco ISR G2 Router bad IPSec performance
The Dynamic Multipoint VPN (DMVPN) allows for a large scale IPSec VPN deployment with reduced configuration/complexity. It uses GRE, Next Hop Resolution Protocol (NHRP) and IPSec Encryption and unlike traditional IPSec VPNs DMVPN does not require Crypto ACLs, instead DMVPN requires a single mGRE tunnel interface and a single IPSec profile. In a large DMVPN environment this greatly reduces the size of configuration on the hub router.
DMVPN can be deployed using two models; Hub-and-Spoke and Spoke-to-Spoke:
Hub-and-Spoke (Phase 1) – requires each spoke have a point-to-point to GRE interface to build a tunnel to the hub router, all traffic flows through the hub router.
Spoke-to-Spoke (Phase 2 and Phase 3) – requires each spoke to have an mGRE interface, to provide spoke-to-spoke communication in addition to Hub-and-spoke communication.
Continue reading Configuring Dynamic Multipoint VPN (DMVPN)