Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of virtual private network (VPN) supported on Cisco IOS-based routers and built on three standard protocols: multipoint GRE, NHRP and IPsec. DMVPN creates a dynamic-mesh VPN without pre-configuring (statically) every possible tunnel end-point peer, including the IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. It is initially configured as a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no change on the hub is required to accept new spokes. Over this hub-and-spoke network, tunnels between spokes are then built on demand (dynamic mesh) without additional configuration on the hubs or spokes, which removes both the need for, and the load on, the hub to route data between spoke networks.
Spokes can still use the central services at the hub site. For example, the hub's firewall policies apply to all spoke-site users when they reach the internet through the hub site.
R1 Config (hub)
!
! IKE phase 1. 3DES and a pre-shared key "cisco" accepted from any address
! (0.0.0.0 0.0.0.0); no hash or group line, so the IOS defaults apply
! (SHA-1, DH group 1). Lab-only values: production should use AES, SHA-2,
! DH group 14 or higher, and per-peer keys or certificates.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
! IPsec phase 2 in transport mode: GRE already supplies the outer header
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile dmvpn
 set transform-set set1
!
! Loopback0 is the tunnel source (the NBMA address the spokes map to)
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! mGRE tunnel. The hub needs no per-spoke configuration: spokes register
! over NHRP, "map multicast dynamic" replicates EIGRP hellos to every
! registered spoke, and disabling split horizon and next-hop-self lets the
! hub re-advertise spoke prefixes with the originating spoke as next hop,
! which is what allows direct spoke-to-spoke tunnels (phase 2).
! network-id, tunnel key and the NHRP authentication string must match on
! all routers; the authentication string travels in cleartext inside NHRP,
! so it is a consistency check, not a security control.
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 10
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip split-horizon eigrp 10
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
 description CONN-TO-ISP
 ip address 192.168.14.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.15.1 255.255.255.0
!
! EIGRP runs over the tunnel and the hub LAN; OSPF is the underlay toward the ISP
router eigrp 10
 network 10.10.0.0 0.0.255.255
 no auto-summary
!
router ospf 1
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0
R2 Config (spoke)
!
! Same IKE/IPsec settings as the hub (lab-only: 3DES and a wildcard pre-shared key)
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile dmvpn
 set transform-set set1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
! Spoke side: statically map the hub's tunnel address to its NBMA address,
! send multicast (EIGRP hellos) to the hub, and register with it as
! next-hop server. network-id, tunnel key and NHRP authentication must
! match the hub; other spokes are learned dynamically through NHRP.
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 10.10.10.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 123
 ip nhrp nhs 10.10.10.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
 description CONN-TO-ISP
 ip address 192.168.24.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.26.2 255.255.255.0
!
router eigrp 10
 network 10.10.0.0 0.0.255.255
 no auto-summary
!
router ospf 1
 router-id 2.2.2.2
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0
R3 Config (spoke)
!
! Second spoke; identical to R2 apart from its own addresses and interface
! roles (here FastEthernet0/0 is the LAN and FastEthernet1/0 faces the ISP)
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile dmvpn
 set transform-set set1
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 10.10.10.3 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 10.10.10.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 123
 ip nhrp nhs 10.10.10.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
 ip address 10.10.37.3 255.255.255.0
!
interface FastEthernet1/0
 description CONN-TO-ISP
 ip address 192.168.34.3 255.255.255.0
!
router eigrp 10
 network 10.10.0.0 0.0.255.255
 no auto-summary
!
router ospf 1
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0
R4 Config (ISP / underlay)
!
! Provides plain IP reachability between the routers' loopback (NBMA)
! addresses. It carries no DMVPN or crypto configuration and sees only
! GRE-in-ESP traffic between the tunnel endpoints.
interface FastEthernet0/0
 ip address 192.168.14.4 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.24.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.34.4 255.255.255.0
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
R5 Config (LAN host behind the hub R1)
!
interface FastEthernet0/0
 ip address 10.10.15.5 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.15.1
R6 Config (LAN host behind spoke R2)
!
interface FastEthernet0/0
 ip address 10.10.26.6 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.26.2
R7 Config (LAN host behind spoke R3)
!
interface FastEthernet0/0
 ip address 10.10.37.7 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.37.3
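Before bringing the tunnels up it is worth checking the three DMVPN configurations against each other: the NHRP network-id, the GRE tunnel key and the NHRP authentication string have to match on every router, the spokes' static maps have to point at the hub's real NBMA address, and the hub needs its multicast mapping and EIGRP options, and a mismatch in any of these fails quietly at the NHRP or routing layer rather than in IPsec. The checker below is an added example and not code from the original post or a Cisco tool. It parses running-config text in the indented form IOS prints, treats the router without an ip nhrp nhs line as the hub, assumes EIGRP in DMVPN phase 2 as on this page, and runs on constructed sample configs reduced from R1, R2 and R3 above (CRYPTO, HUB, SPOKE, router(), sections(), first(), tunnel_facts(), dmvpn_findings(), crypto_findings() and audit() are all names of this example). Its crypto findings list what would have to change before this lab design went to production: 3DES, the missing DH group and the wildcard pre-shared key.

```python
import re
from collections import defaultdict

# Constructed sample, not captured output: the page's crypto block plus each router's
# Loopback0 and mGRE Tunnel0, laid out as "show running-config" prints them.
CRYPTO = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
"""
HUB = " ip nhrp map multicast dynamic\n no ip split-horizon eigrp 10\n no ip next-hop-self eigrp 10\n"
SPOKE = " ip nhrp map 10.10.10.1 1.1.1.1\n ip nhrp map multicast 1.1.1.1\n ip nhrp nhs 10.10.10.1\n"

def router(n, role_lines):
    """Config text for router Rn (R1 is the hub) in the page's addressing scheme."""
    return CRYPTO + f"""\
interface Loopback0
 ip address {n}.{n}.{n}.{n} 255.255.255.255
interface Tunnel0
 ip address 10.10.10.{n} 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp network-id 123
{role_lines} tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
"""

CONFIGS = {"R1": router(1, HUB), "R2": router(2, SPOKE), "R3": router(3, SPOKE)}

def sections(config):
    """Map each column-0 statement to its indented sub-commands (IOS block layout)."""
    out, current = defaultdict(list), None
    for ln in filter(str.strip, config.splitlines()):
        if ln[0] != " ":
            current = ln.strip()
        out[current] += [ln.strip()] if ln[0] == " " else []   # also registers childless blocks
    return out

def first(lines, prefix):
    # arguments of the first sub-command starting with prefix, else None
    return next((ln[len(prefix):].strip() for ln in lines if ln.startswith(prefix)), None)

def tunnel_facts(config):
    """NHRP/GRE settings the DMVPN members must agree on; None if there is no mGRE tunnel."""
    secs = sections(config)
    tun = next((h for h, ls in secs.items() if "tunnel mode gre multipoint" in ls), None)
    if tun is None:
        return None
    ls = secs[tun]
    src = secs.get("interface " + str(first(ls, "tunnel source")), [])
    maps = [ln.split() for ln in ls if ln.startswith("ip nhrp map ")]
    return {"tunnel_ip": (first(ls, "ip address") or "?").split()[0],
            "nbma": (first(src, "ip address") or "?").split()[0],   # tunnel source address
            "network_id": first(ls, "ip nhrp network-id"),
            "tunnel_key": first(ls, "tunnel key"),
            "auth": first(ls, "ip nhrp authentication"),
            "nhs": first(ls, "ip nhrp nhs"),                         # spokes only
            "maps": {m[3]: m[4] for m in maps if m[3] != "multicast"},
            "mcast": [m[4] for m in maps if m[3] == "multicast"],
            "lines": ls}

def dmvpn_findings(configs):
    """Cross-router checks: shared NHRP parameters, hub options, spoke-to-hub mappings."""
    facts = {n: fa for n, c in configs.items() if (fa := tunnel_facts(c))}
    f = []
    for key in ("network_id", "tunnel_key", "auth"):
        if len({fa[key] for fa in facts.values()}) != 1:
            f.append(f"{key} differs across routers")
    hubs = {fa["tunnel_ip"]: n for n, fa in facts.items() if fa["nhs"] is None}
    for n in hubs.values():
        for opt in ("ip nhrp map multicast dynamic", "no ip split-horizon eigrp", "no ip next-hop-self eigrp"):
            if not any(ln.startswith(opt) for ln in facts[n]["lines"]):
                f.append(f"{n}: hub lacks '{opt}'")
    for n, fa in facts.items():
        hub = facts.get(hubs.get(fa["nhs"]))
        if fa["nhs"] and hub is None:
            f.append(f"{n}: NHS {fa['nhs']} is not the tunnel address of any hub")
        elif hub and (fa["maps"].get(fa["nhs"]) != hub["nbma"] or hub["nbma"] not in fa["mcast"]):
            f.append(f"{n}: unicast and multicast NHRP maps for {fa['nhs']} must point at {hub['nbma']}")
    return f

def crypto_findings(name, config):
    """IKE/IPsec choices that pass in a lab but must change before production."""
    f = []
    for hdr, ls in sections(config).items():
        if hdr.startswith("crypto isakmp policy"):
            encr = first(ls, "encr") or "des"      # assumed: classic IOS default when 'encr' is absent
            if "aes" not in encr:
                f.append(f"{name}: {hdr} encryption is {encr}; use aes 256")
            if first(ls, "group") is None:
                f.append(f"{name}: {hdr} sets no DH group, so IOS defaults to group 1 (768-bit)")
        elif re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0(\s+0\.0\.0\.0)?\s*$", hdr):
            f.append(f"{name}: wildcard pre-shared key; any peer that learns it can negotiate")
        elif hdr.startswith("crypto ipsec transform-set") and re.search(r"esp-3?des\b", hdr):
            f.append(f"{name}: transform-set {hdr.split()[3]} uses DES/3DES; use esp-aes")
    return f

def audit(configs):
    # every finding for {router name: running-config text}
    return dmvpn_findings(configs) + [x for n, c in configs.items() for x in crypto_findings(n, c)]
```

audit(CONFIGS) returns no DMVPN consistency findings for the page's design and four crypto findings per router; changing one spoke's network-id or deleting the hub's multicast mapping makes the corresponding check fire. To run it against real devices, put each router's show running-config output into the dict in place of the constructed text.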
Verification

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.1         3.3.3.3         QM_IDLE              4    0 ACTIVE
1.1.1.1         4.4.4.4         QM_IDLE              2    0 ACTIVE
1.1.1.1         2.2.2.2         QM_IDLE              3    0 ACTIVE

Each spoke has an IKE SA with the hub in QM_IDLE/ACTIVE state, i.e. phase 1 has completed and the IPsec SAs protecting the GRE tunnel can be negotiated. (The 4.4.4.4 entry in this capture is not produced by any of the configurations above; R4 carries no crypto configuration.)

R2#show ip route eigrp
D    10.10.15.0 [90/297270016] via 10.10.10.1, 00:22:58, Tunnel0
D    10.10.37.0 [90/310070016] via 10.10.10.3, 00:19:38, Tunnel0

R2 learns the hub-site LAN with the hub (10.10.10.1) as next hop, but R3's LAN with R3's own tunnel address (10.10.10.3) as next hop even though the update came from the hub. That is the effect of no ip next-hop-self eigrp 10 on R1: when R2 forwards traffic toward 10.10.37.0 it sends an NHRP resolution request for 10.10.10.3, learns the NBMA address 3.3.3.3 and brings up a direct spoke-to-spoke IPsec tunnel instead of hairpinning through the hub.

R5#ping 10.10.37.7
!!!!!

The hub-site LAN host (R5) reaches the LAN host behind spoke R3 (R7) through the hub-to-spoke tunnel.