This won't be a real long lab, as its more just removing OSPF as the WAN, configuring the ISP Router with point to point static routes to each site, then adding a single default route out to the Internet like you would any site in the Front Door VRF and associating both the Physical and … Continue reading DMVPN w/ Front Door VRF – Finally got it with static routing instead of trying to use OSPF over the WAN to form Adjacencies!
I have to honestly say, I am so relieved (for now) to have this smaller Topology to demonstrate how and why Front Door VRF's work, why they work and why we care about them at all when no Cisco training material mentions them. Warning - This is another post that doesn't really teach you how … Continue reading DMVPN / Front Door VRF – A long lab of trying to get this to work, but it is fighting me all the way, to be continued…
First things first is getting DMVPN rocking on this Topology, and from in depth reading into different deployments of DMVPN, it seems the preferred method is to actually have two different DMVPNs running on BR1 and BR2, then configure spokes to be able to reach both (and each other). Its been a lot of head … Continue reading Huge DMVPN / PfR / FVRF Lab – Trying to get things working smoothly but failing, will be going back to basics for now!
One thing to note when going through DMVPN / Legacy or VTY Site-to-Site IPSec VPN profiles, is the IPSec configuration is basically always the same, though it has many variables that can be fine tuned whether its building an IPSec Profile to apply to a Tunnel Interface or building a Crypto Map both require basically … Continue reading Site-to-Site VPN – VTI (Virtual Tunnel Int) VPN discussion, configuration, and differences from Legacy Site-to-Site VPN!
This is referred to as "Legacy IPSec Site to Site VPN" which is kind of surprising to me that its already labeled legacy (outdated), however I'll get through a very light weight configuration specifically to encrypt communication between 184.108.40.206/32 and 220.127.116.11/32. All other traffic will be passed normally, those two specific src / dst IP's … Continue reading Site-to-Site VPN – Legacy IPSec Site-to-Site VPN Tunnel configuration demo, some verification, very straight forward!
I have not delved too deeply into QoS in general in my network studies (shame on me), however I will try to make this as intelligible as possible for my first time really looking at the basic concept of getting QoS to work on packets being encapsulated and encrypted! Quick review of IPSec built-in QoS … Continue reading DMVPN – QoS over DMVPN Tunnels using built in ToS Byte Preserve, then a lab on class-map configuration and “QoS Pre-Classify” configuration for DMVPN!
There will actually be no labbing of this one, as the same configurations will still apply to building tunnel interfaces, with just a few tweaks for the Routing Protocols swapped. What type of OSPF Area is used, why it is used, and additional OSPF configs Being that these Branches are going to have a single … Continue reading DMVPN – Quick review (non-labbed) of configs needed for OSPF as the Branches IGP with BGP running over the WAN!
Drawing up IPSec Profiles to secure the DMVPN Network is honestly as easy as pictured above, though in modern networks there would be much stronger passwords, and most likely multiple profiles that would be deployed at different branches in the event one IPSec Profile were to become compromised. While troubleshooting my branch office deployment I … Continue reading DMVPN – Configuring and applying an IPSec Profile to DMVPN Tunnel interfaces, NHRP Auth config, and troubleshooting commands for IPSec!
The above Topology has already been configured with its respective IP Addressing / Routing Protocols, all Adjacencies are Up/Up, and we are ready to jump straight into NHRP (Next Hop Resolution Protocol) configuration on the Hub / NHS (Next Hop Server) which will be PHX1 Router in this Topology and then onto the DMVPN Spokes! … Continue reading DMVPN – Huge DMVPN Lab, multi-branch deployment considerations, Phase 1 to Phase 2 DMVPN clearly demonstrated, lots of configuration and verification!
Above is a Topology that demonstrates a few things right off the bat, A) it wants to establish an mGRE Tunnel to Branch2 from Branch1, b) To do this it needs to send an "NHRP Query" Packet to the NHRP Server HubRouter to get information on HOW to create a tunnel with Branch 2, c) … Continue reading DMVPN – NHRP Client / Server Protocol review, how dynamic tunnels are formed, the different NHRP Phases, and an Intro to DMVPN definitions!
This will be so basic that I am not sure exactly why I am posting, except for the sake of a refresher to this material, as the name implies instead of doing a "GRE to GRE" tunnel, we are creating Multi-GRE Tunnels with the help of NHRP (Name Hop Resolution Protocol), to allow spoke sites … Continue reading DMVPN – mGRE review of NHRP Servers and Client configurations (nothing labbed), and a glimpse out IPSec configuration at the very end!
I initially stuck my TSHOOT GRE Deep Dive into the CCIE DMVPN bucket, but there is no such thing as too much practice or repetition, so get ready for some more here 🙂 Back to the basics of GRE and why this ancient protocol has any relevance It routes almost ANY kind of traffic which … Continue reading DMVPN – Review of GRE Tunnel setup, do’s and dont’s for configuration, case uses for a GRE Tunnel, and more!
The graphic above shows a VPN Tunnels two modes (Transport and Tunnel), along with how their payloads differ when configured with AH (Authentication only) and ESP (Encryption) on the tunnel, and what protocols correlate with all of it. (After watching the content of the CCIE R/S VPN Technology course, this article more than sums up … Continue reading TSHOOT – GRE DEEP DIVE!!! MTU / Fragmentation / TCP-MSS / PMTUD / Recursive Routing / Interface States / must know information for exam day!