DMVPN – mGRE review of NHRP Server and Client configurations (nothing labbed), and a glimpse at IPSec configuration at the very end!

DMVPN2

This will be so basic that I am not sure exactly why I am posting, except as a refresher on this material. As the name implies, instead of doing a “GRE to GRE” tunnel, we are creating Multipoint GRE (mGRE) tunnels with the help of NHRP (Next Hop Resolution Protocol), which allows spoke sites to register their GRE identities with the server. When the server starts getting traffic between two GRE-enabled sites, it can dynamically build a tunnel between them and leave itself out of processing the traffic.

A look at mGRE from an older blog post from my ROUTE studies

(Pulled from this post if you feel like checking it out)

NHRP Server / DMVPN Headend

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int tu0
*Mar 1 17:39:30.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 1
R1(config-if)#tunnel source 172.12.123.1
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#
*Mar 1 17:41:20.035: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#ip mtu 1416
R1(config-if)#

NHRP Client 1

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int tu0
*Mar 1 18:00:20.802: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#ip add 10.0.0.2 255.255.255.0
R2(config-if)#ip nhrp map 10.0.0.1 172.12.123.1
R2(config-if)#ip nhrp map multicast 172.12.123.1
R2(config-if)#ip nhrp network-id 1
R2(config-if)#ip nhrp nhs 10.0.0.1
R2(config-if)#tunnel source 172.12.123.2
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#
*Mar 1 18:03:10.808: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#ip mtu 1416
R2(config-if)#

That MTU is important for the IPSec configuration that will be added on top of these mGRE tunnels for encryption, once we get into that!

NHRP Client 2

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int tu0
R3(config-if)#
*Mar 2 03:21:45.649: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#ip add 10.0.0.3 255.255.255.0
R3(config-if)#ip nhrp map 10.0.0.1 172.12.123.1
R3(config-if)#ip nhrp map multicast 172.12.123.1
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 10.0.0.1
R3(config-if)#tunnel source 172.12.123.3
R3(config-if)#tunnel mode gre multipoint
*Mar 2 03:23:05.648: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R3(config-if)#ip mtu 1416
R3(config-if)#

And a sneak peek at configuring IPSec on top of all this, which I’ll later review in depth:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform TRANS esp-3des
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile DMVPN
R1(ipsec-profile)#set transform-set TRANS
R1(ipsec-profile)#exit
R1(config)#int tu0
R1(config-if)#tunnel protection ipsec profile DMVPN
R1(config-if)#
*Mar 1 18:07:23.742: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
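
A small audit of the crypto commands in the session above, as an added example that is not part of the original post: it strips the IOS prompts and flags the settings a reviewer would question before this template leaves the lab (MD5, 3DES, no explicit DH group, a wildcard pre-shared key, and an ESP transform with no integrity algorithm). The check names and the lists of weak values are this example's own choices, and the sample text is retyped from the session.

```python
import re

# Constructed sample: the crypto commands typed in the R1 session above.
SESSION = """\
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform TRANS esp-3des
*Mar 1 18:07:23.742: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
"""

PROMPT = re.compile(r"^\S+?(?:\([\w-]+\))?#\s*")  # e.g. "R1(config-isakmp)#"

def commands(session):
    """Yield typed commands: strip IOS prompts, skip syslog lines ('*...')."""
    for line in session.splitlines():
        cmd = PROMPT.sub("", line.strip())
        if cmd and not cmd.startswith("*"):
            yield cmd

def audit_crypto(session):
    """Return (check, detail) findings for IKEv1/IPsec commands in a session."""
    findings, in_policy, has_group = [], False, False
    # The trailing "exit" closes a policy block that runs to the end of input.
    for cmd in list(commands(session)) + ["exit"]:
        tok = cmd.split()
        if tok[0] in ("crypto", "exit"):
            if in_policy and not has_group:
                findings.append(("isakmp-group", "no explicit DH group set"))
            in_policy, has_group = cmd.startswith("crypto isakmp policy"), False
        if in_policy and tok[0] == "hash" and tok[1] == "md5":
            findings.append(("isakmp-hash", "md5"))
        elif in_policy and tok[0] == "encryption" and tok[1] in ("des", "3des"):
            findings.append(("isakmp-encryption", tok[1]))
        elif in_policy and tok[0] == "group":
            has_group = True
            if tok[1] in ("1", "2", "5"):
                findings.append(("isakmp-group", "group " + tok[1]))
        elif re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0\b", cmd):
            findings.append(("psk-wildcard", "key accepted from any peer address"))
        elif re.match(r"crypto ipsec transform(-set)? \S+ ", cmd):
            xf = tok[4:]  # transforms follow the transform-set name
            findings += [("esp-cipher", t) for t in xf if t in ("esp-des", "esp-3des")]
            if not any(t.endswith("-hmac") or "gcm" in t for t in xf):
                findings.append(("esp-integrity", "no authentication transform"))
    return findings
```

Running `audit_crypto(SESSION)` returns six findings for the lab template; a policy with an explicit stronger group, AES, a SHA-2 hash, per-peer keys and an ESP HMAC transform returns none.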

Most engineers will keep some kind of template for doing this lying around. Because I have a website where I keep all my notes to share with the world, this is literally my “Work Wiki” for when I am not quite clear on a configuration and need to double check.

I am sure I will get into the actual configuration and troubleshooting of all this in the coming articles; however, I wanted to put this out there to demonstrate a few things:

  • There is an NHRP map config that consists of two IPs: one is called the “Overlay Address” (which GRE uses) and one is called the “Underlay Address”, which is the IP network the traffic is actually being transmitted over
  • There is no “Destination” set like on regular GRE tunnels, because destinations will be dynamically assigned as needed by the NHRP Server
  • Speaking of the NHRP Server, the config line “ip nhrp nhs 10.0.0.1” gives this mGRE instance its kind-of Destination IP, as the NHS (Next Hop Server) will direct the spoke routers’ traffic where it needs to go and dynamically build a DMVPN tunnel between them (which is the magic of DMVPN)!
  • All routers are set to “tunnel mode gre multipoint” because that is how mGRE rolls
  • The IPSec Crypto mess of a config you see at the bottom is configured on its own entirely, then added with a simple line at the end of the mGRE Tunnel interface to encrypt traffic over the mGRE Tunnels!
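
The NHRP points in the list above, turned into a consistency check for a spoke's tunnel interface (an added example, not part of the original post): the NHS must be an overlay address, it needs a static overlay-to-underlay map, the multicast map should point at a mapped underlay address, and the tunnel must be multipoint with no static destination. It assumes a single overlay subnet and unabbreviated running-config style commands; `check_spoke` and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed spoke config, modelled on the client sessions above, with one
# deliberate mismatch: the NHS is given as the underlay (NBMA) address.
SPOKE = """\
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map 10.0.0.1 172.12.123.1
 ip nhrp map multicast 172.12.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.12.123.1
 tunnel source 172.12.123.2
 tunnel mode gre multipoint
"""

def check_spoke(config):
    """Return a list of problems found in one spoke's tunnel interface config."""
    lines = [l.strip() for l in config.splitlines()]
    maps, mcast, nhs, net, problems = {}, [], [], None, []
    for l in lines:
        t = l.split()
        if l.startswith("ip address "):
            net = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif l.startswith("ip nhrp map multicast "):
            mcast.append(t[4])
        elif l.startswith("ip nhrp map "):
            maps[t[3]] = t[4]              # overlay address -> underlay address
        elif l.startswith("ip nhrp nhs "):
            nhs.append(t[3])
    if "tunnel mode gre multipoint" not in lines:
        problems.append("tunnel mode is not gre multipoint")
    if any(l.startswith("tunnel destination") for l in lines):
        problems.append("static tunnel destination set on an mGRE interface")
    if not nhs:
        problems.append("no NHS configured")
    for a in nhs:
        if net and ipaddress.ip_address(a) not in net:
            problems.append(f"NHS {a} is not in overlay subnet {net}")
        if a not in maps:
            problems.append(f"NHS {a} has no static overlay-to-underlay map")
    for m in mcast:
        if m not in maps.values():
            problems.append(f"multicast map {m} matches no mapped underlay address")
    return problems
```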

I will leave it there for now, it looks like there are some NHRP concepts along with an Intro to DMVPN to review before I get my hands on breaking the lab again 🙂

See you very soon, I am eager to get a good grasp of DMVPN!
