{"id":1272,"date":"2018-09-06T12:24:08","date_gmt":"2018-09-06T05:24:08","guid":{"rendered":"https:\/\/lagonet.vn\/?p=1272"},"modified":"2018-09-06T12:24:08","modified_gmt":"2018-09-06T05:24:08","slug":"understanding-cisco-dmvpn","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=1272","title":{"rendered":"Understanding Cisco DMVPN"},"content":{"rendered":"<p>In an\u00a0<a href=\"http:\/\/www.ciscozine.com\/ipsec-vpn-ezvpn-gre-dmvpn-vti-getvpn\/\" target=\"_blank\" rel=\"noopener\">old post<\/a>, dated 2011, I explained various types of VPN technologies. In seven years several things have changed: SHA1 is deprecated, DES and 3DES are no longer used because of their security weaknesses, but some VPN technologies are still in use with more secure protocols (SHA256, AES, \u2026). In this article, I explain\u00a0<strong>how DMVPN works<\/strong>\u00a0and what its\u00a0<strong>key components<\/strong>\u00a0are.<\/p>\n<p>Cisco\u00a0<strong>DMVPN<\/strong>\u00a0uses a\u00a0<strong>centralized<\/strong>\u00a0<strong>architecture<\/strong>\u00a0to provide easier implementation and management for deployments that require granular access controls for diverse user communities, including mobile workers, telecommuters, and extranet users.<span id=\"more-1648\"><\/span>\u00a0<strong>Key components are<\/strong>:<\/p>\n<ul>\n<li>Multipoint GRE (<strong>mGRE<\/strong>) tunnel interface: allows a single GRE interface to support multiple IPsec tunnels, reducing the size and complexity of the configuration.<\/li>\n<li>Dynamic discovery of\u00a0<strong>IPsec tunnel<\/strong>\u00a0endpoints and crypto profiles: eliminates the need to configure static crypto maps defining every pair of IPsec peers, further simplifying the configuration.<\/li>\n<li><strong>Routing Protocol<\/strong>: used to exchange network prefixes between the hub and the spokes.<\/li>\n<li><strong>NHRP<\/strong>: Allows\u00a0<strong>spokes<\/strong>\u00a0to be\u00a0<strong>deployed with 
dynamically<\/strong>\u00a0assigned\u00a0<strong>public<\/strong>\u00a0<strong>IP<\/strong>\u00a0addresses (e.g., behind an ISP\u2019s router). The hub maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its real address when it boots; when it needs to build direct tunnels with other spokes (only in Phase2 and Phase3), it queries the NHRP database for the real addresses of the destination spokes.<\/li>\n<\/ul>\n<p>There are\u00a0<strong>three<\/strong>\u00a0different types of\u00a0<strong>DMVPN design<\/strong>:<\/p>\n<ul>\n<li><strong>Phase1<\/strong>: Provides\u00a0<strong>hub-and-spoke tunnel deployment<\/strong>. This means GRE tunnels are only built between the hub and the spokes. Traffic destined for networks behind spokes is forced to traverse the hub first.<a class=\"fancybox image\" href=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1657\" src=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-1.png\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" srcset=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-1.png 555w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-1-150x150.png 150w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-1-300x300.png 300w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-1-144x144.png 144w\" alt=\"Understanding-DMVPN-Phase-1\" width=\"500\" height=\"499\" \/><\/a><br \/>\nFor instance, to reach the 192.168.3.0\/24 network from the 192.168.2.0\/24 network (ethernet0\/0), the HUB router is always traversed:<\/p>\n<pre>Spoke2#traceroute 192.168.3.5 source ethernet 0\/0\nType escape sequence to abort.\nTracing the route to 192.168.3.5\nVRF info: (vrf in name\/id, vrf out name\/id)\n1 10.0.1.1 5 msec 5 msec 4 msec\n2 10.0.1.3 5 msec 5 msec 5 
msec\nSpoke2#<\/pre>\n<p><strong>Note:\u00a0<\/strong>Because all spoke-to-spoke traffic in DMVPN Phase1 always traverses the hub, it is inefficient even to send the entire routing table from the hub to the spokes.<br \/>\n<\/li>\n<li><strong>Phase2<\/strong>: Allows spokes to build a<strong>\u00a0spoke-to-spoke tunnel<\/strong>\u00a0on demand, with one restriction: the\u00a0<strong>spokes<\/strong>\u00a0<strong>must receive specific routes<\/strong>\u00a0for all remote spoke subnets.<a class=\"fancybox image\" href=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1656\" src=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-2.png\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" srcset=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-2.png 555w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-2-150x150.png 150w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-2-300x300.png 300w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-2-144x144.png 144w\" alt=\"Understanding-DMVPN-Phase-2\" width=\"500\" height=\"499\" \/><\/a><br \/>\nFor instance, to reach the 192.168.3.0\/24 network from the 192.168.2.0\/24 network (ethernet0\/0), the first packet reaches the HUB, then the Spoke3 router:<\/p>\n<pre>Spoke2#traceroute 192.168.3.5 source ethernet 0\/0\nType escape sequence to abort.\nTracing the route to 192.168.3.5\nVRF info: (vrf in name\/id, vrf out name\/id)\n  1 10.0.1.1 5 msec 4 msec 2 msec\n  2 10.0.1.3 2 msec 5 msec 5 msec\nSpoke2#<\/pre>\n<p>This is\u00a0<strong>due to the incomplete next-hop<\/strong>\u00a0(10.0.1.3) adjacency: Spoke2 does not yet have an NHRP mapping for that tunnel address, so the packet is punted instead of being switched directly:<\/p>\n<pre>Spoke2#show adjacency 10.0.1.3\nProtocol Interface                 Address\nIP       Tunnel1                   10.0.1.3(7) (incomplete)\nSpoke2#<\/pre>\n<pre>Spoke2#show 
ip cef  10.0.1.3 internal\n10.0.1.0\/24, epoch 0, flags attached, connected, cover dependents, need deagg, RIB[C], refcount 5, per-destination sharing\n  sources: RIB\n  feature space:\n   IPRM: 0x0003800C\n  subblocks:\n   gsb Connected chain head(1): 0xF4334728\n   Covered dependent prefixes: 3\n     need deagg: 2\n     notify cover updated: 1\n  ifnums:\n   Tunnel1(23)\n  path F34EABE8, path list F297DA14, share 1\/1, type connected prefix, for IPv4\n  connected to Tunnel1, adjacency punt\n  output chain: punt\nSpoke2#<\/pre>\n<p>This causes\u00a0<strong>Spoke2<\/strong>\u00a0to\u00a0<strong>send<\/strong>\u00a0an NHRP resolution request to the HUB for Spoke3\u2019s NBMA address. The request is forwarded from the HUB to Spoke3, and Spoke3 replies directly to Spoke2 with its mapping information.<\/p>\n<p><strong>After<\/strong>\u00a0the\u00a0<strong>NHRP resolution<\/strong>\u00a0is complete,\u00a0<strong>Spoke2<\/strong>\u00a0can build a\u00a0<strong>dynamic tunnel<\/strong>\u00a0to\u00a0<strong>Spoke3<\/strong>, and traffic no longer passes through the HUB:<\/p>\n<pre>Spoke2#show adjacency 10.0.1.3\nProtocol Interface                 Address\nIP       Tunnel1                   10.0.1.3(13)\nSpoke2#\n<\/pre>\n<pre>Spoke2#show ip nhrp dynamic\n10.0.1.3\/32 via 10.0.1.3\n   Tunnel1 created 00:00:16, expire 00:04:43\n   Type: dynamic, Flags: router nhop\n   NBMA address: 57.57.57.5\nSpoke2#\n<\/pre>\n<pre>Spoke2#traceroute 192.168.3.5 source ethernet 0\/0\nType escape sequence to abort.\nTracing the route to 192.168.3.5\nVRF info: (vrf in name\/id, vrf out name\/id)\n  1 10.0.1.3 5 msec 5 msec 8 msec\nSpoke2#\n<\/pre>\n<\/li>\n<li><strong>Phase3<\/strong>: Allows spokes to build a\u00a0<strong>spoke-to-spoke<\/strong>\u00a0tunnel and\u00a0<strong>overcomes the Phase2 restriction<\/strong>\u00a0by using NHRP traffic indication messages from the hub to signal to the spokes that a better path exists to reach the target network. 
This\u00a0<strong>functionality<\/strong>\u00a0is\u00a0<strong>enabled by<\/strong>\u00a0configuring\u00a0<strong>ip nhrp redirect<\/strong>\u00a0on the hub and\u00a0<strong>ip nhrp shortcut<\/strong>\u00a0on the spokes.<a class=\"fancybox image\" href=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1658\" src=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-3.png\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" srcset=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-3.png 555w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-3-297x300.png 297w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/Understanding-DMVPN-Phase-3-144x144.png 144w\" alt=\"Understanding-DMVPN-Phase-3\" width=\"500\" height=\"505\" \/><\/a><br \/>\nFor instance, to reach the 192.168.3.0\/24 network from the 192.168.2.0\/24 network (ethernet0\/0), the first packet reaches the HUB, then the Spoke3 router:<\/p>\n<pre>Spoke2#traceroute 192.168.3.5 source ethernet 0\/0\nType escape sequence to abort.\nTracing the route to 192.168.3.5\nVRF info: (vrf in name\/id, vrf out name\/id)\n  1 10.0.1.1 5 msec 4 msec 2 msec\n  2 10.0.1.3 2 msec 5 msec 5 msec\nSpoke2#<\/pre>\n<p>The HUB then forwards this traffic back out onto the DMVPN network (it arrives and leaves on the same tunnel interface), which triggers the\u00a0<strong>NHRP process on the HUB<\/strong>\u00a0to generate a\u00a0<strong>traffic indication to Spoke2<\/strong>\u00a0so that it resolves a\u00a0<strong>better next hop<\/strong>\u00a0for the remote network 192.168.3.0 (Spoke3).<\/p>\n<p>At this point, the spokes modify their routing table entries to reflect the NHRP shortcut route and use it to reach the remote spoke:<\/p>\n<pre>Spoke2#traceroute 192.168.3.5 source ethernet 0\/0\nType escape sequence to abort.\nTracing the route to 192.168.3.5\nVRF info: (vrf in name\/id, vrf out name\/id)\n  1 10.0.1.3 5 msec 5 msec 8 
msec\nSpoke2#\n<\/pre>\n<pre>Spoke2#show ip route\n!omitted!\nD*    0.0.0.0\/0 [90\/281600] via 10.0.1.1, 00:11:12, Tunnel1\nH     192.168.3.0\/24 [250\/1] via 10.0.1.3, 00:02:01, Tunnel1\nSpoke2#\n<\/pre>\n<p>As you can see, the network\u00a0<strong>192.168.3.0\/24<\/strong>\u00a0is\u00a0<strong>learned by the NHRP<\/strong>\u00a0protocol (route code H) with administrative distance 250.<\/p>\n<pre>Spoke2#show ip route 192.168.3.0\nRouting entry for 192.168.3.0\/24\n  Known via \"nhrp\", distance 250, metric 1\n  Last update from 10.0.1.3 on Tunnel1, 00:00:09 ago\n  Routing Descriptor Blocks:\n  * 10.0.1.3, from 10.0.1.3, 00:00:09 ago, via Tunnel1\n      Route metric is 1, traffic share count is 1\n      MPLS label: none\nSpoke2#\n<\/pre>\n<\/li>\n<\/ul>\n<p><strong>References:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/security\/dynamic-multipoint-vpn-dmvpn\/products-configuration-examples-list.html\" target=\"_blank\" rel=\"noopener\">https:\/\/www.cisco.com\/\u2026\/products-configuration-examples-list.html<\/a><\/li>\n<li><a href=\"https:\/\/learningnetwork.cisco.com\/blogs\/vip-perspectives\/2017\/02\/15\/dmvpn-the-phases-in-depth\" target=\"_blank\" rel=\"noopener\">https:\/\/learningnetwork.cisco.com\/\u2026\/dmvpn-the-phases-in-depth<\/a><\/li>\n<\/ul>\n<p>Details:\u00a0http:\/\/www.ciscozine.com\/understanding-cisco-dmvpn\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In an\u00a0old post, dated 2011, I explained various types of VPN technologies. 
In seven years several things have changed: SHA1 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[29,30,31,32,33,25,16,6],"tags":[],"class_list":["post-1272","post","type-post","status-publish","format-standard","hentry","category-ccie-rs","category-ccna","category-ccnp-route","category-ccnp-switch","category-ccnp-tshoot","category-cisco","category-courses","category-networking"],"_links":{"self":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1272"}],"version-history":[{"count":0,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1272\/revisions"}],"wp:attachment":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}