
DMVPN for R&S CCIE Candidates
Johnny Bass
CCIE #6458
BRKCCIE-3003
@CCIE6458
BRKCCIE-3003 - DMVPN for Route & Switching CCIE Candidates © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why Are We Here?
• Show of hands, how many of you are currently supporting DMVPN?
• Show of hands, how many of you actually have configured DMVPN on a router?
• Show of hands, how many of you heard of DMVPN before it was on the v5.0 Blueprint?


DMVPN and the CCIE R&S Exam (V5.0)

4.1.4 Implement and Troubleshoot DMVPN (single hub)
  4.1.4 a NHRP
  4.1.4 b DMVPN with IPsec using preshared key
  4.1.4 c QoS Profile
  4.1.4 d Pre-classify


Agenda
• Dynamic Multipoint VPN Review
• How to Configure DMVPN without & with IPSec
• Support for IPv6 with DMVPN
• DMVPN advanced topics (CCIE twists)
• Troubleshooting
• Q&A



DMVPN History
• DMVPN is a Cisco IOS® Software solution for building IPsec + GRE VPNs in an easy, dynamic, and scalable manner.
• DMVPN relies on two proven technologies:
  • Next Hop Resolution Protocol (NHRP): creates a distributed NHRP mapping database of all the spoke tunnel addresses to real (public interface) addresses
  • Multipoint GRE tunnel interface: a single GRE interface supports multiple GRE and IPsec tunnels, which reduces the size and complexity of the configuration


DMVPN: Major Features
• Offers configuration reduction and no-touch deployment
• Supports IPv4/IPv6 Unicast, Multicast, and dynamic routing protocols
• Supports remote peers with dynamically assigned addresses
• Supports spoke routers behind dynamic NAT and hub routers behind static NAT
• Dynamic spoke-to-spoke tunnels for scaling partial- or full-mesh VPNs
• Usable with or without IPsec encryption


Configuration Reduction
• With DMVPN: mGRE + IPsec
  • One mGRE interface supports ALL spokes
  • Multiple mGRE interfaces are allowed; each is a separate DMVPN
• Dynamic tunnel destination simplifies support for dynamically addressed spokes
  • NHRP registration and dynamic routing protocols
• Smaller hub configuration
  • One interface for all spokes, e.g. 250 spokes -> 1 interface
  • Configuration including NHRP, e.g. 250 spokes -> 15 lines
  • All spokes in the same subnet, e.g. 250 spokes -> 250 addresses
• No need to touch the hub for new spokes
• Spoke-to-spoke traffic via the hub or direct


DMVPN Basics – GRE Tunnels
• IPv4 subnet or IPv6 prefix per spoke link
• Tunnel interface per spoke on the hub
[Diagram: hub R1 with three point-to-point tunnel interfaces, Tunnel12, Tunnel13 and Tunnel14, one to each spoke R2, R3 and R4]


DMVPN Basics – mGRE Tunnels
• One IPv4 subnet or IPv6 prefix for all spokes
• One tunnel interface for all spokes on the hub
[Diagram: hub R1 with a single mGRE interface, Tunnel1234, serving spokes R2, R3 and R4]


DMVPN Components
• Multipoint GRE tunnels
  • Single tunnel interface (multipoint)
  • Non-Broadcast Multi-Access (NBMA) network
  • Smaller hub configuration
  • Multicast and broadcast support
  • Dynamic tunnel destination
• Next Hop Resolution Protocol (NHRP)
  • VPN IP-to-NBMA IP address mapping
  • Short-cut forwarding
  • Direct support for dynamic addresses and NAT


Dynamic Addressing
• Spokes have a persistent dynamic GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server.
• When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries the NHRP server for the real (outside) address of the destination spoke.
• Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer address).
• The spoke-to-spoke tunnel is built over the mGRE interface.


DMVPN Components: NHRP
• NHRP is a layer-2 resolution protocol and cache, like ARP or Inverse ARP (Frame Relay)
• It is used in DMVPN to map a tunnel IP address to an NBMA address
• NHRP registration
  • A spoke dynamically registers its mapping with the NHRP Server (NHS)
  • Supports spokes with dynamic NBMA addresses or NAT
• NHRP resolutions and redirects
  • Support building dynamic spoke-to-spoke tunnels
  • Control and IP multicast traffic still go through the hub
  • Unicast data traffic goes direct; reduced load on hub routers


DMVPN Phase 1

• In a DMVPN Phase 1 network, the tunnel interfaces are not symmetrically configured
• All communications go via the hub router
• Spoke routers cannot communicate directly with each other


DMVPN Phase 2

• In a DMVPN Phase 2 network, the tunnel interfaces are symmetrically configured
• mGRE tunnels on the spoke routers open up the capability for direct spoke-to-spoke communication
• The hub cannot summarize spoke routes and cannot send a default route to the spokes


DMVPN Phase 3

• In a DMVPN Phase 3 network, the tunnel interfaces are symmetrically configured
• Hub routers announce their own IP address as the next-hop value when forwarding routing information to spoke routers
• NHRP shortcut switching: this feature allows the spokes to discover shorter paths to a destination network after receiving an NHRP Redirect message from the hub


Benefits of DMVPN Phase 3

• Because DMVPN Phase 3 does not require the hub to preserve next-hop values in routing updates, summarization of routing protocol updates from hub to spokes is allowed.
• You can even configure the hub router to advertise only a default route to its spoke routers.
• The spokes don’t need to have an individual route with an IP next hop of the tunnel IP address of the remote spoke for the networks behind all the other spokes.
• The spokes can use summarized routes with an IP next hop of the tunnel IP address of the hub and still be able to build spoke-to-spoke tunnels.
• This summarization possibility significantly improves network scalability.
• In a DMVPN Phase 3 network, separate regional DMVPN networks can be connected into a single hierarchical DMVPN network.




Basic NHRP Configuration
• In order to configure an mGRE interface to use NHRP, the following command is necessary:
  • ip nhrp network-id <id>
• <id> is a unique number (the same on the hub and all spokes)
• The network ID defines an NHRP domain
• Several domains can co-exist on the same router


Initial NHRP Caches
• Initially, the hub has an empty cache
• The spoke has one static entry mapping the hub’s tunnel address to the hub’s NBMA address:
  • ip nhrp map 172.110.123.1 10.1.1.1
• Multicast traffic must be sent to the hub:
  • ip nhrp map multicast 10.1.1.1
• Tunnel interface IP subnet is 172.110.123.0/24
• Tunnel source (hub NBMA address) is 10.1.1.1


The Spokes Must Register To The Hub
• In order for the spokes to register themselves to the hub, the hub must be declared as a Next Hop Server (NHS):
  • ip nhrp nhs 172.110.123.1
  • ip nhrp holdtime 3600 (optional)
    • NHRP registrations are sent from NHCs to their configured NHSs every one-third of the NHRP holdtime; by default this is every 2400 seconds (40 minutes)
  • ip nhrp registration no-unique (optional)
• Spokes control the cache on the hub
• Tunnel interface IP subnet is 172.110.123.0/24


Registration Process
• The spokes send registration-requests to the hub
• The request contains the spoke’s tunnel and NBMA addresses as well as the hold time and some flags
• The hub creates an entry in its NHRP cache
• The entry will be valid for the duration of the hold time defined in the registration
• The NHS returns a registration reply (acknowledgement)
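The registration, resolution and Phase 3 redirect/shortcut behaviour described on the NHRP, Phase 3 and registration slides, as an added example that is not part of the deck: a small Python model of an NHS cache with hold-time expiry, the one-third re-registration interval, the effect of the unique registration flag (why a spoke behind dynamic NAT needs ip nhrp registration no-unique), and a hub that sends a redirect when spoke-to-spoke traffic hairpins through it. The addresses reuse the deck's examples (172.110.123.0/24 tunnel subnet, 10.1.1.0/24 NBMA); the LAN prefixes 192.168.2.0/24 and 192.168.3.0/24 are constructed, and the class and method names are this example's own, not IOS internals.

```python
"""Added example, not from the deck: a small model of the NHRP behaviour the slides
describe -- spoke registration with the NHS, hold-time expiry, re-registration at
one-third of the hold time, the 'unique' registration flag, and the Phase 3
redirect / resolution / shortcut sequence. Addresses reuse the deck's examples
(172.110.123.0/24 tunnel subnet, 10.1.1.0/24 NBMA); class and method names are
this example's own, not IOS internals."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class CacheEntry:
    nbma_ip: str       # real (outside) address the tunnel address maps to
    expires_at: int    # absolute time; the entry lives for the registered hold time
    unique: bool       # registration carried the unique flag (the IOS default)


class NextHopServer:
    """Hub-side NHRP cache: starts empty, spokes fill it by registering."""

    def __init__(self):
        self.cache = {}

    def register(self, tunnel_ip, nbma_ip, holdtime, now, unique=True):
        """Handle a registration-request; returns (accepted, reply text)."""
        self._expire(now)
        old = self.cache.get(tunnel_ip)
        # A still-valid entry registered with the unique flag must not be rebound to another
        # NBMA address. A spoke whose NBMA address changes (dynamic NAT) therefore registers
        # with 'ip nhrp registration no-unique' so its new address can replace the old one.
        if old and old.unique and old.nbma_ip != nbma_ip:
            return False, "unique address registered already"
        self.cache[tunnel_ip] = CacheEntry(nbma_ip, now + holdtime, unique)
        return True, "registration reply"

    def resolve(self, tunnel_ip, now):
        """Tunnel address -> NBMA address, or None when unregistered or expired."""
        self._expire(now)
        entry = self.cache.get(tunnel_ip)
        return entry.nbma_ip if entry else None

    def _expire(self, now):
        self.cache = {k: v for k, v in self.cache.items() if v.expires_at > now}


def registration_interval(holdtime):
    """NHCs re-register every one-third of the hold time (7200 s -> 2400 s)."""
    return holdtime // 3


class Hub:
    """Phase 3 hub: advertises itself as next hop and runs 'ip nhrp redirect'."""

    def __init__(self, tunnel_ip, nbma_ip):
        self.tunnel_ip, self.nbma_ip, self.nhs = tunnel_ip, nbma_ip, NextHopServer()
        self.rib = {}   # prefix -> tunnel IP of the spoke that advertised it

    def owner_of(self, dst_ip):
        matches = [p for p in self.rib if ip_address(dst_ip) in p]
        return self.rib[max(matches, key=lambda p: p.prefixlen)] if matches else None

    def forward(self, src_tunnel_ip, dst_ip):
        """Forward the packet; if it leaves on the same mGRE interface it arrived on
        (spoke to spoke), also send an NHRP redirect back to the source spoke."""
        next_hop = self.owner_of(dst_ip)
        return next_hop, next_hop is not None and next_hop != src_tunnel_ip


class Spoke:
    """Phase 3 spoke with 'ip nhrp shortcut' and only a summary route via the hub."""

    def __init__(self, tunnel_ip, nbma_ip, hub, lan_prefix, holdtime=7200):
        self.tunnel_ip, self.nbma_ip, self.hub, self.holdtime = tunnel_ip, nbma_ip, hub, holdtime
        self.shortcuts = {}                            # dst prefix -> remote spoke NBMA address
        hub.rib[ip_network(lan_prefix)] = tunnel_ip    # the routing protocol advertises the LAN

    def register(self, now, unique=True):
        return self.hub.nhs.register(self.tunnel_ip, self.nbma_ip, self.holdtime, now, unique)

    def send(self, dst_ip, now):
        """Return the NBMA address the packet is GRE-encapsulated towards."""
        for prefix, nbma in self.shortcuts.items():
            if ip_address(dst_ip) in prefix:
                return nbma                             # direct spoke-to-spoke tunnel
        next_hop, redirected = self.hub.forward(self.tunnel_ip, dst_ip)
        if redirected:
            # Redirect received: resolve the destination; the reply carries the remote
            # spoke's NBMA address, which 'ip nhrp shortcut' installs for its prefix.
            prefix = next(p for p, t in self.hub.rib.items() if t == next_hop)
            remote_nbma = self.hub.nhs.resolve(next_hop, now)
            if remote_nbma:
                self.shortcuts[prefix] = remote_nbma
        return self.hub.nbma_ip                         # this first packet still went via the hub


def demo():
    """First packet R2 -> R3 LAN goes via the hub and triggers a shortcut; the second goes direct."""
    hub = Hub("172.110.123.1", "10.1.1.1")
    r2 = Spoke("172.110.123.2", "10.1.1.2", hub, "192.168.2.0/24")
    r3 = Spoke("172.110.123.3", "10.1.1.3", hub, "192.168.3.0/24")
    r2.register(now=0)
    r3.register(now=0)
    return r2.send("192.168.3.10", now=1), r2.send("192.168.3.10", now=2)
```

Calling demo() returns the hub's NBMA address for the first packet and R3's NBMA address for the second, which is the spoke-to-spoke tunnel the Phase 3 slides describe. Registering the same tunnel address from a different NBMA address while the old entry is valid is refused unless the original registration was made without the unique flag, which is the dynamic-NAT case behind ip nhrp registration no-unique.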


Multicast Packets from the Hub
• The hub must also send multicast traffic to all the spokes that registered to it
• This must be done dynamically (possible since Release 12.2(13)T)
• This is not the default:
  • ip nhrp map multicast dynamic


DMVPN Basics - Configuration
[Diagram: hub R1 with a single mGRE interface, Tunnel1234, to spokes R2, R3 and R4]


Basic DMVPN Configuration Example
hostname R1 ! Hub
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel123
 ip address 172.110.123.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip ospf network non-broadcast
 tunnel source 10.1.1.1
 tunnel mode gre multipoint
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router ospf 2
 network 1.1.1.1 0.0.0.0 area 1
 network 172.110.123.0 0.0.0.255 area 0
 neighbor 172.110.123.2
 neighbor 172.110.123.3

hostname R2 ! Spoke
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel123
 ip address 172.110.123.2 255.255.255.0
 ip nhrp map 172.110.123.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.110.123.1
 ip ospf network non-broadcast
 ip ospf priority 0
 tunnel source 10.1.1.2
 tunnel mode gre multipoint
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router ospf 2
 network 2.2.2.2 0.0.0.0 area 2
 network 172.110.123.0 0.0.0.255 area 0


IPsec Protection
• GRE/NHRP can build a fully functional overlay network
• GRE is insecure; ideally, it must be protected
• The good old crypto map configuration is rather cumbersome; DMVPN introduced tunnel protection (which can also be used with VTI)
• Still need to define an IPsec security level


The IPsec Security Policy
• Phase I has to be defined:
  • crypto isakmp policy 10
  •  authentication pre-share
  • crypto isakmp key CISCO address 0.0.0.0
• A transform set must be defined:
  • crypto ipsec transform-set MyTS esp-sha-hmac esp-3des
  •  mode transport
• An IPsec profile replaces the crypto map:
  • crypto ipsec profile MyProfile
  •  set transform-set MyTS
• The IPsec profile is like a crypto map without “set peer” and “match address”


Protecting the tunnel
• The profile must be applied on the tunnel:
  • tunnel protection ipsec profile MyProfile
• Internally, Cisco IOS® Software treats this as a dynamic crypto map and derives the local-address, set peer and match address parameters from the tunnel parameters and the NHRP cache
• This must be configured on the hub and spoke tunnels, along with a tunnel key


DMVPN with IPSec Configuration Example
hostname R1 ! Hub
!
crypto isakmp policy 10
 encryption aes 256
 hash sha512
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0
crypto isakmp diagnose error
!
crypto ipsec transform-set MyTS esp-sha256-hmac esp-aes
 mode transport
!
crypto ipsec profile MyProfile
 set transform-set MyTS
!
interface Tunnel123
 ip address 172.110.123.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network non-broadcast
 tunnel source 10.1.1.1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile MyProfile

hostname R2 ! Spoke
!
crypto isakmp policy 10
 encryption aes 256
 hash sha512
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0
crypto isakmp diagnose error
!
crypto ipsec transform-set MyTS esp-sha256-hmac esp-aes
 mode transport
!
crypto ipsec profile MyProfile
 set transform-set MyTS
!
interface Tunnel123
 ip address 172.110.123.2 255.255.255.0
 ip nhrp map 172.110.123.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.110.123.1
 ip ospf network non-broadcast
 ip ospf priority 0
 tunnel source 10.1.1.2
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile MyProfile
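The IPsec security policy and tunnel protection slides leave the reader to judge whether a given DMVPN crypto configuration is adequate. The following is an added example, not code from the deck or from Cisco: a small audit that parses IOS-style configuration text and reports weak or missing settings. The weak-set membership and the wildcard pre-shared key warning are this example's own judgement; the ISAKMP policy defaults it assumes for omitted parameters (encryption des, hash sha, group 1) are the classic IOS IKEv1 defaults. Both sample configs are constructed from the deck: the weak one pairs the security-policy slide's policy with the MyTS esp-sha-hmac esp-3des transform set and leaves the tunnel unprotected; the hardened one is the R2 spoke from the configuration example above.

```python
"""Added example, not from the deck: an audit of the IKEv1/IPsec settings used for
DMVPN tunnel protection. It parses IOS-style config text and returns findings.
Weak-set membership is this example's own judgement; ISAKMP_DEFAULTS are the
classic IOS defaults for an 'crypto isakmp policy' parameter that is omitted."""

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "sha", "esp-md5-hmac", "esp-sha-hmac"}   # 'sha' means SHA-1 in IOS
WEAK_DH_GROUPS = {"1", "2"}
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}


def parse_blocks(config):
    """Split an IOS config into (header line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            settings = dict(ISAKMP_DEFAULTS)
            for line in body:                      # e.g. 'encryption aes 256', 'hash sha512'
                key, *rest = line.split()
                if key in settings:
                    settings[key] = rest[0]
            if settings["encryption"] in WEAK_ENCRYPTION:
                findings.append(f"{header}: weak encryption '{settings['encryption']}'")
            if settings["hash"] in WEAK_HASHES:
                findings.append(f"{header}: weak hash '{settings['hash']}'")
            if settings["group"] in WEAK_DH_GROUPS:
                findings.append(f"{header}: weak DH group {settings['group']}")
        elif header.startswith("crypto isakmp key") and "address 0.0.0.0" in header:
            # Needed when spoke NBMA addresses are dynamic, but it means a single key is
            # shared by every peer: any host holding it can complete IKE Phase 1 with the hub.
            findings.append("wildcard pre-shared key (address 0.0.0.0): one key for all peers")
        elif header.startswith("crypto ipsec transform-set"):
            for alg in words[4:]:                  # algorithms follow the transform-set name
                if alg in WEAK_ENCRYPTION or alg in WEAK_HASHES:
                    findings.append(f"transform-set {words[3]}: weak algorithm '{alg}'")
        elif header.startswith("interface Tunnel"):
            def has(prefix):
                return any(line.startswith(prefix) for line in body)
            if has("tunnel mode gre") and not has("tunnel protection"):
                findings.append(f"{header}: GRE without 'tunnel protection', traffic is sent in the clear")
            if has("tunnel protection") and not has("tunnel key"):
                findings.append(f"{header}: 'tunnel protection' without the 'tunnel key' the deck pairs it with")
    return findings


# Constructed from the deck's slides: policy left at IOS defaults, SHA-1/3DES transform,
# mGRE tunnel with no protection applied.
WEAK_SPOKE = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0
!
crypto ipsec transform-set MyTS esp-sha-hmac esp-3des
 mode transport
!
interface Tunnel123
 ip address 172.110.123.2 255.255.255.0
 tunnel source 10.1.1.2
 tunnel mode gre multipoint
"""

# The deck's R2 spoke from the IPsec configuration example.
HARDENED_SPOKE = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha512
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0
!
crypto ipsec transform-set MyTS esp-sha256-hmac esp-aes
 mode transport
!
crypto ipsec profile MyProfile
 set transform-set MyTS
!
interface Tunnel123
 ip address 172.110.123.2 255.255.255.0
 tunnel source 10.1.1.2
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile MyProfile
"""
```

audit(WEAK_SPOKE) returns seven findings (default DES, SHA-1 and group 1 in the policy, the wildcard key, both transform-set algorithms, and the unprotected GRE tunnel). audit(HARDENED_SPOKE) still returns two: the wildcard pre-shared key the deck relies on for dynamically addressed spokes, and the Diffie-Hellman group, which the example never sets and so stays at the IOS default of group 1 even though the encryption and hash were upgraded.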




IPv6 NHRP Configuration
• In order to configure an mGRE interface to use NHRP for IPv6, the following command is necessary:
  • ipv6 nhrp network-id <id>
• <id> is a unique number (the same on the hub and all spokes)
• The network ID defines an NHRP domain
• Several domains can co-exist on the same router


Initial NHRP Caches
• Initially, the hub has an empty cache
• The spoke has one static entry mapping the hub’s tunnel address to the hub’s NBMA address:
  • ipv6 nhrp map 2005:dead:beef:99::1/128 10.1.1.1
• Multicast traffic must be sent to the hub:
  • ipv6 nhrp map multicast 10.1.1.1
• Tunnel interface IPv6 prefix is 2005:DEAD:BEEF:99::/64
• Tunnel source (hub NBMA address) is 10.1.1.1


The Spokes Must Register To The Hub
• In order for the spokes to register themselves to the hub, the hub must be declared as a Next Hop Server (NHS):
  • ipv6 nhrp nhs 2005:dead:beef:99::1
  • ipv6 nhrp holdtime 3600 (optional)
  • ipv6 nhrp registration no-unique (optional)
• Spokes control the cache on the hub


Multicast Packets from the Hub
• The hub must also send multicast traffic to all the spokes that registered to it
• This is not the default:
  • ipv6 nhrp map multicast dynamic


DMVPN IPv6 Configuration Example
hostname R1 ! Hub
!
interface Tunnel123
 no ip address
 no ip redirects
 ipv6 address FE80::1 link-local
 ipv6 address 2005:DEAD:BEEF:99::1/64
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 1
 ipv6 ospf 2 area 0
 ipv6 ospf neighbor FE80::2
 ipv6 ospf network non-broadcast
 tunnel source 10.1.1.1
 tunnel mode gre multipoint
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ipv6 ospf 1 area 0
!

hostname R2 ! Spoke
!
interface Tunnel123
 no ip address
 no ip redirects
 ipv6 address FE80::2 link-local
 ipv6 address 2005:DEAD:BEEF:99::2/64
 ipv6 nhrp map multicast 10.1.1.1
 ipv6 nhrp map FE80::1/128 10.1.1.1
 ipv6 nhrp map 2005:DEAD:BEEF:99::1/128 10.1.1.1
 ipv6 nhrp network-id 1
 ipv6 nhrp nhs 2005:DEAD:BEEF:99::1
 ipv6 ospf 2 area 0
 ipv6 ospf network non-broadcast
 ipv6 ospf priority 0
 tunnel source 10.1.1.2
 tunnel mode gre multipoint
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
!


DMVPN over IPv6
• In Cisco IOS Release 15.2(1)T, IPv6 support on DMVPN was extended to the public network
• The spoke has one static entry mapping the hub’s tunnel address to the hub’s NBMA address:
  • ipv6 nhrp map 2005:dead:beef:99::1/128 2001:1:1::1
• Multicast traffic must be sent to the hub:
  • ipv6 nhrp map multicast 2001:1:1::1
• Tunnel mode has to be set to:
  • tunnel mode gre multipoint ipv6
• Tunnel interface (private) prefix is 2005:DEAD:BEEF:99::/64
• Tunnel source (public) address is 2001:1:1::1


DMVPN IPv6 Configuration over IPv6 Example
hostname R1 ! Hub
!
interface Tunnel123
 no ip address
 no ip redirects
 ipv6 address FE80::1 link-local
 ipv6 address 2005:DEAD:BEEF:99::1/64
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 1
 ipv6 ospf 2 area 0
 ipv6 ospf neighbor FE80::2
 ipv6 ospf network non-broadcast
 tunnel source 2001:1:1::1
 tunnel mode gre multipoint ipv6
!
interface FastEthernet0/0
 ipv6 address 2001:1:1::1/64
 ipv6 ospf 1 area 0
!

hostname R2 ! Spoke
!
interface Tunnel123
 no ip address
 no ip redirects
 ipv6 address FE80::2 link-local
 ipv6 address 2005:DEAD:BEEF:99::2/64
 ipv6 nhrp map multicast 2001:1:1::1
 ipv6 nhrp map FE80::1/128 2001:1:1::1
 ipv6 nhrp map 2005:DEAD:BEEF:99::1/128 2001:1:1::1
 ipv6 nhrp network-id 1
 ipv6 nhrp nhs 2005:DEAD:BEEF:99::1
 ipv6 ospf 2 area 0
 ipv6 ospf network non-broadcast
 ipv6 ospf priority 0
 tunnel source 2001:1:1::2
 tunnel mode gre multipoint ipv6
!
interface FastEthernet0/0
 ipv6 address 2001:1:1::2/64
!




Dynamic versus Static Spokes
• Dynamic
  • Spoke-to-spoke dynamic tunnels
  • Traffic may pass through the hub, but the hub does not decrement the TTL because the traffic is hidden from it inside the dynamic tunnel
  • Spoke tunnel mode: tunnel mode gre multipoint
• Static
  • Spoke-to-hub only
  • Traffic can be routed through the hub, therefore the TTL is decremented
  • Spoke tunnel mode: tunnel mode gre


Routing Issues with DMVPN
• Dynamic spokes:
  • OSPF and EIGRP can neighbor spoke to spoke without issue (no TTL concerns)
  • eBGP can form peering relationships without modifying the TTL
• Static spokes:
  • OSPF can only neighbor with the hub
  • EIGRP can neighbor with static neighbor statements
  • eBGP can form peering relationships by using either ebgp-multihop or TTL security


OSPF over DMVPN
• Default OSPF network type is Point to Point
• Watch out if multicast is to be supported or not on the tunnel interface



QoS with DMVPN
• Pre-classify
  • Copies the payload ToS or Traffic Class field to the tunnel header
    R1(config)# interface tunnel123
    R1(config-if)# qos pre-classify
• QoS per tunnel
  • The spoke has an NHRP group referenced under its tunnel interface
  • The hub has a policy map that is referenced on the tunnel interface together with the NHRP group name from the spoke


Per-Tunnel QoS
Spoke:
interface Tunnel123
 ip nhrp group spoke1

Hub:
class-map Voice
 match access-group 100
!
policy-map VoIP
 class Voice
  priority percent 30
!
interface Tunnel123
 ip nhrp map group spoke1 service-policy output VoIP


CCIE DMVPN Example
[Topology diagram (“MP-BGP MPLS VRFB Topology”): an MPLS core (OSPF area 1, iBGP AS 1 with SW5 as route reflector) with PE routers R1 and R2 holding VRF VRFB; CE sites R5/R6 and R11/R12 with switches SW1-SW4 and SW6 running EIGRP AS 10 and AS 100 (PROD and ENG, Production and Engineering with R7, R8, R13, R14); branch routers R9 (BGP AS 65009) and R10 (BGP AS 65010) reached through SP1 (BGP AS 20001) and SP2 (BGP AS 20002); the hub-and-spoke DMVPN runs over Tunnel91 in 14.1.91.0/24 with R1 .1, R2 .2, R9 .9 and R10 .10]




CCIE DMVPN Example
• 3.5. VRFB DMVPN (4 points)

• Configure the mGRE Tunnel91 interfaces on R1, R2, R9, and R10.

• Use the Loopback0 interfaces for the Tunnel91 interface source.

• Supply IPv4 addresses for all required tunnel interfaces according to the “MP-BGP MPLS VRFB Topology” diagram.

• Configure R9 as the IPv4 NHRP NHS for the DMVPN spokes R1, R2, and R10.

• Supply the NHRP NHS mapping for unicast IPv4 on R1, R2, and R10. Do not configure any NHRP mapping for unicast IPv4 traffic on R9.

• NHRP communications must be authenticated with the string eigrp.

• Provide static mapping for the IPv4 multicast and broadcast traffic on R1, R2, and R10.

• Set the MTU size on the tunnel interfaces to 1400 bytes.

• Place the Tunnel91 interfaces on R1 and R2 in the VRFB.

• Enable direct communications between the DMVPN spoke networks.



3.5. VRFB DMVPN R1 and R2
R1:
interface Tunnel91
 ip vrf forwarding VRFB
 ip address 14.1.91.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication eigrp
 ip nhrp map 14.1.91.9 14.14.1.9
 ip nhrp map multicast 14.14.1.9
 ip nhrp network-id 1
 ip nhrp nhs 14.1.91.9
 ip nhrp shortcut
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 10

R2:
interface Tunnel91
 ip vrf forwarding VRFB
 ip address 14.1.91.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication eigrp
 ip nhrp map 14.1.91.9 14.14.1.9
 ip nhrp map multicast 14.14.1.9
 ip nhrp network-id 1
 ip nhrp nhs 14.1.91.9
 ip nhrp shortcut
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 10


3.5. VRFB DMVPN R9 and R10
R9:
interface Tunnel91
 ip address 14.1.91.9 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication eigrp
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 10

R10:
interface Tunnel91
 ip address 14.1.91.10 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication eigrp
 ip nhrp map 14.1.91.9 14.14.1.9
 ip nhrp map multicast 14.14.1.9
 ip nhrp network-id 1
 ip nhrp nhs 14.1.91.9
 ip nhrp shortcut
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 10
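The four Tunnel91 configurations above only work together if the NHRP network ID, tunnel key, authentication string and MTU agree everywhere and the spokes point at the right hub addresses; in the lab, a single typo on one router is the usual reason a spoke never registers. The following is an added example, not code from the deck: a Python consistency check over the per-router tunnel stanzas of the 3.5 task (R9 as hub, R1, R2 and R10 as spokes), including the Phase 3 requirements of ip nhrp redirect on the hub and ip nhrp shortcut on the spokes. It assumes the hub NBMA address 14.14.1.9 that the deck uses in the spokes' static mappings (R9's Loopback0); the function names and the deliberately broken R10 variant are this example's own.

```python
"""Added example, not from the deck: a consistency check across the Tunnel91
configurations of the VRFB DMVPN task (R1, R2, R9, R10). The hub NBMA address
is passed in because the deck sources the tunnel from Loopback0; 14.14.1.9 is the
address the spokes' 'ip nhrp map' lines use. Function names are this example's own."""

HUB_NBMA = "14.14.1.9"   # R9 Loopback0, as used in the spokes' static NHRP mappings


def parse_tunnel(stanza):
    """Turn the lines of one 'interface TunnelN' stanza into a dict of the settings compared."""
    cfg = {"maps": {}, "multicast": []}
    for line in (l.strip() for l in stanza.splitlines() if l.strip()):
        words = line.split()
        if line.startswith("ip address"):
            cfg["address"] = words[2]
        elif line.startswith("ip mtu"):
            cfg["mtu"] = int(words[2])
        elif line.startswith("ip nhrp authentication"):
            cfg["auth"] = words[3]
        elif line.startswith("ip nhrp map multicast"):
            cfg["multicast"].append(words[4])            # NBMA address or 'dynamic'
        elif line.startswith("ip nhrp map"):
            cfg["maps"][words[3]] = words[4]              # tunnel IP -> NBMA IP
        elif line.startswith("ip nhrp network-id"):
            cfg["network_id"] = words[3]
        elif line.startswith("ip nhrp nhs"):
            cfg["nhs"] = words[3]
        elif line.startswith("tunnel key"):
            cfg["key"] = words[2]
        elif line in ("ip nhrp redirect", "ip nhrp shortcut", "tunnel mode gre multipoint"):
            cfg[line] = True
    return cfg


def check(routers, hub_name, hub_nbma):
    """routers: {name: Tunnel91 stanza text}. Returns a list of problems (empty = consistent)."""
    cfgs = {name: parse_tunnel(text) for name, text in routers.items()}
    hub = cfgs[hub_name]
    problems = []
    # Settings that must be identical on every member of the DMVPN cloud.
    for field in ("network_id", "key", "auth", "mtu"):
        values = {name: c.get(field) for name, c in cfgs.items()}
        if len(set(values.values())) != 1:
            problems.append(f"{field} differs: {values}")
    if not hub.get("ip nhrp redirect"):
        problems.append(f"{hub_name}: Phase 3 hub needs 'ip nhrp redirect'")
    if "dynamic" not in hub["multicast"]:
        problems.append(f"{hub_name}: hub needs 'ip nhrp map multicast dynamic'")
    for name, c in cfgs.items():
        if name == hub_name:
            continue
        if c.get("nhs") != hub.get("address"):
            problems.append(f"{name}: nhs {c.get('nhs')} is not the hub tunnel address {hub.get('address')}")
        if c["maps"].get(hub.get("address")) != hub_nbma:
            problems.append(f"{name}: static NHRP map for the hub does not point at {hub_nbma}")
        if hub_nbma not in c["multicast"]:
            problems.append(f"{name}: multicast/broadcast not mapped to the hub NBMA address")
        if not c.get("ip nhrp shortcut"):
            problems.append(f"{name}: Phase 3 spoke needs 'ip nhrp shortcut'")
        if not c.get("tunnel mode gre multipoint"):
            problems.append(f"{name}: spoke-to-spoke tunnels need 'tunnel mode gre multipoint'")
    return problems


def spoke(address):
    """Spoke Tunnel91 stanza as configured on R1, R2 and R10 in the deck (VRF line omitted)."""
    return f"""
 ip address {address} 255.255.255.0
 ip mtu 1400
 ip nhrp authentication eigrp
 ip nhrp map 14.1.91.9 14.14.1.9
 ip nhrp map multicast 14.14.1.9
 ip nhrp network-id 1
 ip nhrp nhs 14.1.91.9
 ip nhrp shortcut
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 10
"""


R9_HUB = """
 ip address 14.1.91.9 255.255.255.0
 ip mtu 1400
 ip nhrp authentication eigrp
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 10
"""

TASK = {"R1": spoke("14.1.91.1"), "R2": spoke("14.1.91.2"), "R9": R9_HUB, "R10": spoke("14.1.91.10")}
# Constructed faulty variant: R10 has tunnel key 11 and is missing 'ip nhrp shortcut'.
BROKEN = dict(TASK, R10=spoke("14.1.91.10").replace("tunnel key 10", "tunnel key 11")
              .replace(" ip nhrp shortcut\n", ""))
```

check(TASK, "R9", HUB_NBMA) returns an empty list for the deck's configuration; check(BROKEN, "R9", HUB_NBMA) reports the tunnel key mismatch (with the per-router values) and the missing shortcut command on R10, which is the kind of discrepancy show dmvpn alone will not point at.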


CCIE DMVPN Example
• 4.1. DMVPN Security (2 points)

• Configure the IPsec ISAKMP policy on R1, R2, R9, and R10 according to the following specifications:

  Parameter                  Value
  pre-shared key             CCIE
  encryption                 aes 256 bit
  IPsec transform name       TRANSFORM
  IPsec transform algorithm  esp-aes esp-sha256-hmac
  IPsec mode                 transport
  IPsec profile name         PROFILE

• Apply the IPsec profile on the Tunnel91 interfaces on R1, R2, R9, and R10.
• The traffic that is forwarded on the Tunnel91 interfaces must be encrypted.


Configuration examples on R1, R2, R9, and R10
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key CCIE address 0.0.0.0
!
crypto ipsec transform-set TRANSFORM esp-aes esp-sha256-hmac
 mode transport
!
crypto ipsec profile PROFILE
 set transform-set TRANSFORM
!
interface Tunnel91
 tunnel protection ipsec profile PROFILE
!


Troubleshooting – Show Commands
• show dmvpn
  • Displays DMVPN session related information
• show dmvpn detail
  • Displays detailed information about all (IPv4/IPv6) DMVPN networks
• show ip nhrp / show ipv6 nhrp
• debug dmvpn
• debug ip nhrp
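The slide lists the commands but not how to read them. As an added example, not part of the deck, the following Python helper parses the peer table that show dmvpn prints and attaches a first-look checklist to every peer that has not reached the UP state. The sample output is constructed to follow that command's peer-table layout (columns # Ent, Peer NBMA Addr, Peer Tunnel Add, State, UpDn Tm, Attrb, with the states UP, NHRP, IKE and IPSEC as IOS reports them); the hints are this example's own summary of which configuration to compare first at each stage, and the addresses reuse the deck's 172.110.123.0/24 and 10.1.1.0/24 examples.

```python
"""Added example, not from the deck: a triage helper for the peer table printed by
'show dmvpn'. SAMPLE is constructed in that command's peer-table layout; the HINTS
are this example's own first-look checklist per tunnel state."""
import re

# One peer row: entry count, NBMA address, tunnel address, state, up/down time, attribute flags
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(UP|NHRP|IKE|IPSEC)\s+(\S+)\s+(\S+)\s*$")

# Where to look first when a peer is stuck below UP (a defender's checklist, not IOS text).
HINTS = {
    "IKE": "ISAKMP not complete: compare the isakmp policy and the pre-shared key on both ends",
    "IPSEC": "ISAKMP up but no IPsec SA: compare the transform-set and IPsec profile on both ends",
    "NHRP": "crypto up but NHRP not complete: compare network-id, tunnel key, NHRP authentication "
            "and the spoke's 'ip nhrp nhs' / 'ip nhrp map' entries",
}


def parse_show_dmvpn(text):
    """Return one dict per peer row found in the command output."""
    peers = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            _, nbma, tunnel, state, updown, attrb = match.groups()
            peers.append({"nbma": nbma, "tunnel": tunnel, "state": state,
                          "updown": updown, "attrb": attrb})
    return peers


def triage(text):
    """Return (tunnel addresses that are UP, {tunnel address: hint} for the rest)."""
    peers = parse_show_dmvpn(text)
    up = [p["tunnel"] for p in peers if p["state"] == "UP"]
    problems = {p["tunnel"]: HINTS[p["state"]] for p in peers if p["state"] != "UP"}
    return up, problems


# Constructed sample in the layout of 'show dmvpn' on a hub with three registered spokes.
SAMPLE = """\
Interface: Tunnel123, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.1.2        172.110.123.2     UP 00:05:12     D
     1 10.1.1.3        172.110.123.3    IKE 00:00:40     D
     1 10.1.1.4        172.110.123.4   NHRP 00:01:05     D
"""
```

triage(SAMPLE) reports 172.110.123.2 as up and returns hints for the peer stuck in IKE (Phase 1 never completed, so the policy or the key differs) and the one stuck in NHRP (encryption is up but registration is not, so the NHRP parameters differ); the Attrb column value D marks the entries as dynamically learned from registrations rather than static maps.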




Q&A



Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include:
  • Your favorite speaker’s Twitter handle <CCIE6458>
  • Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin


Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online


Thank you

