{"id":1276,"date":"2018-09-06T13:47:20","date_gmt":"2018-09-06T06:47:20","guid":{"rendered":"https:\/\/lagonet.vn\/?p=1276"},"modified":"2018-09-06T13:47:20","modified_gmt":"2018-09-06T06:47:20","slug":"dmvpn-phase-3-a-complete-guide","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=1276","title":{"rendered":"DMVPN Phase 3: a complete guide"},"content":{"rendered":"<p>In a <a href=\"http:\/\/www.ciscozine.com\/understanding-cisco-dmvpn\/\" target=\"_blank\" rel=\"noopener\">previous article<\/a>, I explained what DMVPN technology is and how it works. In this article you will see how to configure <strong>DMVPN phase 3<\/strong>. This phase allows spokes to build a <strong>spoke-to-spoke<\/strong> tunnel and overcomes the phase 2 restriction: the hub uses NHRP traffic indication (redirect) messages to signal to the spokes that a better path exists to reach the target network.<\/p>\n<p>The <strong>phase 3<\/strong> configuration is <strong>based<\/strong> on 4 steps:<\/p>\n<ol>\n<li>Define <strong>Tunnel<\/strong> interface (mandatory)<\/li>\n<li>Define <strong>NHRP<\/strong> (mandatory)<\/li>\n<li>Define <strong>EIGRP<\/strong> process (mandatory)<\/li>\n<li>Define <strong>IPSEC<\/strong> profile (optional)<\/li>\n<\/ol>\n<p>In this example, there are <strong>3 routers<\/strong>: <strong>one hub<\/strong> (Ciscozine) and <strong>two spokes<\/strong>. The IP addresses are:<\/p>\n<p><a class=\"fancybox image\" href=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-Phase3-in-depth.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1665\" src=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-Phase3-in-depth.png\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" srcset=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-Phase3-in-depth.png 543w, 
http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-Phase3-in-depth-300x288.png 300w\" alt=\"DMVPN-Phase3-in-depth\" width=\"500\" height=\"480\" \/><\/a><\/p>\n<p>Ciscozine (HUB)<\/p>\n<ul>\n<li>NBMA IP: 17.17.17.1 (outside IP address) \u2013 Eth1\/0<\/li>\n<li>Tunnel IP: 10.0.1.1\/24 \u2013 Tunnel1<\/li>\n<li>Network: 192.168.1.0\/24 \u2013 Eth0\/0<\/li>\n<\/ul>\n<p>Spoke1:<\/p>\n<ul>\n<li>NBMA IP: 27.27.27.2 (outside IP address) \u2013 Eth1\/0<\/li>\n<li>Tunnel IP: 10.0.1.2\/24 \u2013 Tunnel1<\/li>\n<li>Network: 192.168.2.0\/24 \u2013 Eth0\/0<\/li>\n<\/ul>\n<p>Spoke2:<\/p>\n<ul>\n<li>NBMA IP: 37.37.37.3 (outside IP address) \u2013 Eth1\/0<\/li>\n<li>Tunnel IP: 10.0.1.3\/24 \u2013 Tunnel1<\/li>\n<li>Network: 192.168.3.0\/24 \u2013 Eth0\/0<\/li>\n<\/ul>\n<p>Let\u2019s start with the configuration \ud83d\ude42<\/p>\n<p>1. <strong>Define Tunnel interface<\/strong><\/p>\n<p>A single multipoint GRE interface <strong>supports multiple tunnels<\/strong>, which keeps the configuration small and simple.<\/p>\n<p>HUB<\/p>\n<pre>interface Tunnel1\n description DMVPN-HUB\n ip address 10.0.1.1 255.255.255.0 ! IP address of the tunnel\n ip mtu 1400\n ip tcp adjust-mss 1360\n tunnel source Ethernet1\/0 ! The tunnel source is the \"outside\" interface\n tunnel mode gre multipoint ! The tunnel type: multipoint GRE\n tunnel key 101<\/pre>\n<p>Spoke2<\/p>\n<pre>interface Tunnel1\n description DMVPN-SPOKE2\n ip address 10.0.1.2 255.255.255.0 ! IP address of the tunnel\n ip mtu 1400\n ip tcp adjust-mss 1360\n tunnel source Ethernet1\/0 ! The tunnel source is the \"outside\" interface\n tunnel mode gre multipoint ! The tunnel type: multipoint GRE\n tunnel key 101\n<\/pre>\n<p>Spoke3<\/p>\n<pre>interface Tunnel1\n description DMVPN-SPOKE3\n ip address 10.0.1.3 255.255.255.0 ! IP address of the tunnel\n ip mtu 1400\n ip tcp adjust-mss 1360\n tunnel source Ethernet1\/0 ! 
The tunnel source is the \"outside\" interface\n tunnel mode gre multipoint ! The tunnel type: multipoint GRE\n tunnel key 101\n<\/pre>\n<p><strong>Note:<\/strong> The <strong>MTU<\/strong> is set to <strong>1400 bytes<\/strong> to leave room for the GRE and IPSEC <strong>overhead<\/strong>, while the maximum <strong>TCP MSS is 40 bytes lower<\/strong> than the MTU (20 bytes IP header + 20 bytes TCP header).<\/p>\n<p>Below are the <strong>IPv4<\/strong> packet <strong>details<\/strong>:<\/p>\n<p><a class=\"fancybox image\" href=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-MTU.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1663\" src=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-MTU.png\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" srcset=\"http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-MTU.png 1116w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-MTU-300x78.png 300w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-MTU-768x200.png 768w, http:\/\/www.ciscozine.com\/wp-content\/uploads\/DMVPN-MTU-1024x266.png 1024w\" alt=\"DMVPN-MTU\" width=\"500\" height=\"130\" \/><\/a><\/p>\n<p>New IPv4 Header (Tunnel Mode): 20 bytes<br \/>\nSPI (ESP Header): 4 bytes<br \/>\nSequence (ESP Header): 4 bytes<br \/>\nESP-AES (IV): 16 bytes<br \/>\nNew IPv4 Header (GRE): 20 bytes<br \/>\nGRE Header + Tunnel Key: 8 bytes<br \/>\n<strong>Original Data Packet: 1400 bytes<\/strong><br \/>\nESP Pad (ESP-AES): 10 bytes<br \/>\nPad length (ESP Trailer): 1 byte<br \/>\nNext Header (ESP Trailer): 1 byte<br \/>\nESP-SHA-256-HMAC ICV (ESP Trailer): 16 bytes<\/p>\n<p><strong>Total<\/strong> IPSec <strong>Packet<\/strong> <strong>Size<\/strong>: <strong>1500 bytes<\/strong> (100 bytes of encapsulation overhead)<\/p>\n<p><strong>Remember:<\/strong> The <strong>tunnel key-id<\/strong> is used as a form of <strong>weak security<\/strong> to prevent improper 
configuration or injection of packets from a foreign source. The <strong>key<\/strong> must be the <strong>same<\/strong> in <strong>all<\/strong> <strong>tunnels<\/strong>. It is not an authentication mechanism: the IPSEC profile in step 4 is what actually protects the tunnel.<\/p>\n<p>2. <strong>Define NHRP<\/strong><\/p>\n<p>NHRP allows <strong>spokes<\/strong> to be deployed <strong>with dynamically<\/strong> assigned public <strong>IP addresses<\/strong> (e.g., behind an ISP\u2019s router). The <strong>hub<\/strong> maintains an <strong>NHRP database<\/strong> of the public interface address of each spoke. Each spoke registers its real address when it boots; when it needs to <strong>build direct tunnels with other spokes<\/strong>, it queries the NHRP database for the real addresses of the destination spokes.<\/p>\n<p>HUB<\/p>\n<pre>interface Tunnel1\n ip nhrp authentication CiscoPWD ! NHRP authentication key\n ip nhrp map multicast dynamic\n ip nhrp network-id 101 ! NHRP identifier\n ip nhrp holdtime 300 ! Seconds that NHRP NBMA addresses are advertised as valid in positive NHRP responses\n ip nhrp redirect ! Mandatory to enable DMVPN phase3 on the hub router<\/pre>\n<p><strong>Note:<\/strong> The \u201c<strong>ip nhrp map multicast dynamic<\/strong>\u201d command allows NHRP to <strong>automatically add spoke<\/strong> routers to the multicast NHRP mappings when these spoke routers initiate the mGRE tunnel and register their unicast NHRP mappings. This is <strong>needed to enable dynamic routing protocols<\/strong> to work over the mGRE tunnels between the hub and spokes.<\/p>\n<p>Spoke2 \/ Spoke3<\/p>\n<pre>interface Tunnel1\n ip nhrp authentication CiscoPWD ! NHRP authentication key\n ip nhrp map 10.0.1.1 17.17.17.1 ! Static mapping: hub tunnel IP to hub NBMA IP\n ip nhrp map multicast 17.17.17.1 ! Send multicast\/broadcast packets (e.g. EIGRP hellos) to the hub\n ip nhrp network-id 101 ! NHRP identifier\n ip nhrp holdtime 300 ! 
Seconds that NHRP NBMA addresses are advertised as valid in positive NHRP responses\n ip nhrp nhs 10.0.1.1 ! Next-hop server (the hub)\n ip nhrp shortcut ! Mandatory to enable DMVPN phase3 on the spoke router<\/pre>\n<p>The command \u201c<strong>ip nhrp map 10.0.1.1 17.17.17.1<\/strong>\u201d configures a <strong>static IP-to-NBMA mapping<\/strong> for the HUB router, while the command \u201cip nhrp nhs 10.0.1.1\u201d defines the IP address of the next-hop server (hub). These commands are required on spoke routers.<\/p>\n<p><strong>Remember:<\/strong> The authentication string, the holdtime and the network-id must be the same in all tunnels. The NHRP authentication string travels in cleartext, so it only guards against misconfiguration; confidentiality and peer authentication come from the IPSEC profile in step 4.<\/p>\n<p>3. <strong>Define EIGRP Process<\/strong><\/p>\n<p>EIGRP <strong>exchanges the networks<\/strong> between hub and spokes.<\/p>\n<p>The key chain is used to authenticate the EIGRP process; obviously, it must be the same on all routers.<\/p>\n<p>HUB \/ Spoke2 \/ Spoke3<\/p>\n<pre>key chain DMVPN\n key 1\n  key-string eigrp-Ciscozine\n<\/pre>\n<p>HUB<\/p>\n<pre>router eigrp 100\n network 10.0.1.0 0.0.0.255 ! Used for neighborship\n network 192.168.1.0 ! Announce the 192.168.1.0\/24 network\n passive-interface default\n no passive-interface Tunnel1\n no passive-interface Ethernet0\/0\n\ninterface Tunnel1\n ip authentication mode eigrp 100 md5 ! Enable MD5 authentication process\n ip authentication key-chain eigrp 100 DMVPN ! Enable authentication process using DMVPN key chain\n ip summary-address eigrp 100 192.168.0.0 255.255.0.0 ! Advertise a summary route\n<\/pre>\n<p><strong>Note:<\/strong> The summary route on the hub is what makes phase 3 work: the spokes learn only 192.168.0.0\/16 via the hub, so spoke-to-spoke traffic initially goes through the hub; \u201cip nhrp redirect\u201d on the hub then tells the source spoke that a better path exists, and \u201cip nhrp shortcut\u201d on the spoke resolves the destination through NHRP and installs the direct spoke-to-spoke path.<\/p>\n<p>Spoke2<\/p>\n<pre>router eigrp 100\n network 10.0.1.0 0.0.0.255 ! Used for neighborship\n network 192.168.2.0 ! Announce the 192.168.2.0\/24 network\n passive-interface default\n no passive-interface Tunnel1\n no passive-interface Ethernet0\/0\n\ninterface Tunnel1\n ip authentication mode eigrp 100 md5 ! Enable MD5 authentication process\n ip authentication key-chain eigrp 100 DMVPN ! 
Enable authentication process using DMVPN key chain\n<\/pre>\n<p>Spoke3<\/p>\n<pre>router eigrp 100\n network 10.0.1.0 0.0.0.255 ! Used for neighborship\n network 192.168.3.0 ! Announce the 192.168.3.0\/24 network\n passive-interface default\n no passive-interface Tunnel1\n no passive-interface Ethernet0\/0\n\ninterface Tunnel1\n ip authentication mode eigrp 100 md5 ! Enable MD5 authentication process\n ip authentication key-chain eigrp 100 DMVPN ! Enable authentication process using DMVPN key chain<\/pre>\n<p>At the end of this step the <strong>DMVPN is operational<\/strong> and can be used, but my suggestion is to complete the DMVPN architecture by encrypting and protecting all data with IPSEC.<\/p>\n<p>4. <strong>Define IPSEC Profile<\/strong><\/p>\n<p>The last step (optional) is to <strong>protect<\/strong> the <strong>mGRE<\/strong> tunnel <strong>with IPSEC<\/strong>. To do it, you need to define an isakmp policy\/profile and an ipsec transform-set\/profile.<\/p>\n<p>HUB \/ Spoke2 \/ Spoke3<\/p>\n<pre>crypto keyring VPN-KEYRING-WAN\n  pre-shared-key address 0.0.0.0 0.0.0.0 key Ciscozine ! Define the preshared key (wildcard: accepted from any peer address)\n\ncrypto isakmp policy 10 ! Define the isakmp security settings\n encr aes\n hash sha256\n authentication pre-share\n group 5\n\ncrypto isakmp profile WAN\n   keyring VPN-KEYRING-WAN\n   match identity address 0.0.0.0\n\ncrypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac ! 
Define the ipsec security settings\n mode tunnel\n\ncrypto ipsec profile IPSEC-PROFILE\n set transform-set TSET\n<\/pre>\n<p><strong>Note:<\/strong> With a wildcard pre-shared key (address 0.0.0.0 0.0.0.0) and \u201cmatch identity address 0.0.0.0\u201d, any peer that knows the key can bring up a tunnel, so the key must be strong, kept secret and rotated if a spoke is lost or decommissioned. Diffie-Hellman group 5 (1536-bit MODP) is considered legacy; prefer group 14 or an ECDH group (19\/20) where the platforms support it.<\/p>\n<p>After that, it is possible to apply the IPSEC profile to the tunnel interface:<\/p>\n<pre>interface Tunnel1\n tunnel protection ipsec profile IPSEC-PROFILE\n<\/pre>\n<p>Now the <strong>architecture<\/strong> is <strong>complete<\/strong> and <strong>protected<\/strong> by IPSEC.<\/p>\n<p>And what about troubleshooting commands? Stay tuned, you will learn them in the next article \ud83d\ude42<\/p>\n<p><strong>References:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/cway.cisco.com\/tools\/ipsec-overhead-calc\/\" target=\"_blank\" rel=\"noopener\">https:\/\/cway.cisco.com\/tools\/ipsec-overhead-calc\/<\/a><\/li>\n<li><a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/dynamic-multipoint-vpn-dmvpn\/211292-Configure-Phase-3-Hierarchical-DMVPN-wit.html\" target=\"_blank\" rel=\"noopener\">https:\/\/www.cisco.com\/\u2026\/211292-Configure-Phase-3-Hierarchical-DMVPN-wit.html<\/a><\/li>\n<li><a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/ipaddr_nhrp\/configuration\/xe-3s\/nhrp-xe-3s-book\/nhrp-switch-enhancemts-dmvpn.html\" target=\"_blank\" rel=\"noopener\">https:\/\/www.cisco.com\/\u2026\/nhrp-switch-enhancemts-dmvpn.html<\/a><\/li>\n<\/ul>\n<p>Detail: <a href=\"http:\/\/www.ciscozine.com\/dmvpn-phase-3-guide\/\">http:\/\/www.ciscozine.com\/dmvpn-phase-3-guide\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a previous article, I explained what DMVPN technology is and how it works. 
In this article you see how to configure\u00a0DMVPN [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[29,30,31,25,16,19,6],"tags":[],"class_list":["post-1276","post","type-post","status-publish","format-standard","hentry","category-ccie-rs","category-ccna","category-ccnp-route","category-cisco","category-courses","category-issues","category-networking"],"_links":{"self":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1276"}],"version-history":[{"count":0,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1276\/revisions"}],"wp:attachment":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}