(Publicly reachable IP addresses in a DMVPN form the NBMA (Non-Broadcast Multi-Access) network)
(mGRE (Multipoint GRE) is used instead of a separate tunnel interface for each router)
(NHRP (Next Hop Resolution Protocol) lets the routers learn each other's next-hop NBMA address. It also builds dynamic spoke-to-spoke tunnels when there is a route to both spokes via the hub)
(with DMVPN we don't specify tunnel destinations; instead we specify the NHS (Next Hop Server))
CONFIGURING THE DMVPN HUB – R1 ROUTER:
interface GigabitEthernet0/0
description LAN-Network
! /16 mask so each site's LAN (10.1.0.0, 10.2.0.0, 10.3.0.0) is a distinct prefix; with 255.0.0.0 all three routers would own 10.0.0.0/8 as a connected route and no LAN traffic would ever be routed across the tunnel
ip address 10.1.0.1 255.255.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-Network
ip address 15.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface Tunnel0
description mGRE – DMVPN Tunnel
ip address 172.16.123.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
! tunnel source is the interface carrying the public (NBMA) address
tunnel source gig 0/1
tunnel mode gre multipoint
tunnel key 6783
ip nhrp authentication Cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 123
! ip nhrp redirect needs a Phase 3 capable IOS; on an older image use 'no ip next-hop-self eigrp 1' here instead, so the hub keeps the originating spoke's tunnel address as next hop when re-advertising spoke routes (Phase 2)
ip nhrp redirect
no ip split-horizon eigrp 1
end
CONFIGURING THE DMVPN SPOKES – R2 & R3 ROUTERS:
R2:
interface GigabitEthernet0/0
description LAN-Network
! /16 mask, see the note on the hub LAN interface
ip address 10.2.0.2 255.255.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-Network
ip address 25.2.2.2 255.255.255.0
duplex auto
speed auto
!
interface Tunnel0
description DMVPN Spoke site R2
ip address 172.16.123.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
! tunnel source must be the WAN interface configured above (Gig0/1), not another interface number
tunnel source gig 0/1
tunnel mode gre multipoint
tunnel key 6783
ip nhrp authentication Cisco123
! static map of the hub's tunnel address to its NBMA (public) address, plus multicast to the hub for EIGRP hellos
ip nhrp map 172.16.123.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.123.1
! ip nhrp shortcut pairs with 'ip nhrp redirect' on the hub (Phase 3)
ip nhrp shortcut
end
R3:
interface GigabitEthernet0/0
description LAN-Network
! /16 mask, see the note on the hub LAN interface
ip address 10.3.0.3 255.255.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-Network
ip address 35.3.3.3 255.255.255.0
duplex auto
speed auto
!
interface Tunnel0
description DMVPN Spoke site R3
ip address 172.16.123.3 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
! tunnel source must be the WAN interface configured above (Gig0/1), not another interface number
tunnel source gig 0/1
tunnel mode gre multipoint
tunnel key 6783
ip nhrp authentication Cisco123
ip nhrp map 172.16.123.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.123.1
ip nhrp shortcut
end
ROUTING BETWEEN DMVPN mGRE TUNNELS:
R1(config)#router eigrp 1
R1(config-router)#network 10.0.0.0
R1(config-router)#network 172.16.123.0 0.0.0.255
R1(config-router)#end
R2(config)#router eigrp 1
R2(config-router)#network 10.0.0.0
R2(config-router)#network 172.16.123.0 0.0.0.255
R2(config-router)#end
R3(config)#router eigrp 1
R3(config-router)#network 10.0.0.0
R3(config-router)#network 172.16.123.0 0.0.0.255
R3(config-router)#end
PROTECTING – ENCRYPTING DMVPN MGRE TUNNELS WITH IPSEC:
R1:
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 16
lifetime 86400
exit
!
! wildcard pre-shared key: any peer that knows this key can complete IKE with the router, so it is shared by every spoke; per-peer keys or certificates are the stronger choice when spoke addresses are known
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
! transport mode: the GRE/IP header already carries the tunnel endpoints, so only the GRE payload is wrapped and no second IP header is added
mode transport
exit
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
exit
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
end
R2 and R3:
! same policy as the hub; IKE phase 1 only succeeds when encryption, hash, authentication and DH group match a policy on the peer
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 16
lifetime 86400
exit
!
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
mode transport
exit
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
exit
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
end
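The values that have to agree between hub and spokes (tunnel source on the public interface, tunnel key, NHRP network-id and authentication string, the spoke's static NHRP map to the hub's NBMA address, matching IKE policies) and the presence of tunnel protection are what gets checked first when a DMVPN does not come up. The script below is an added example, not part of these notes and not a Cisco tool: it parses configs in show running-config style (children indented under their header) and reports the mismatches. The configs embedded in it are constructed from the lab above; the router names, addresses, tunnel key, network-id and profile name mirror the notes, the LAN masks are /16 so the three sites have distinct prefixes, and the BAD_SOURCE and OVERLAP variants reproduce two typical slips (a tunnel source naming an interface the router does not have, and every LAN configured as 10.0.0.0/8).

```python
"""Consistency checks for a DMVPN hub-and-spoke lab (constructed example, not vendor
code). Configs are parsed in show running-config style, children indented one space."""
import re
from collections import Counter
from ipaddress import ip_interface

def norm_ifname(name):                     # 'gig 0/1' -> 'GigabitEthernet0/1', 'Tunnel 0' -> 'Tunnel0'
    kind, num = re.match(r"\s*([A-Za-z]+)\s*(\S+)", name).groups()
    return next((f for f in ("GigabitEthernet", "Tunnel") if f.lower().startswith(kind.lower())), kind) + num

def parse_ios(text):                       # {section header: [child lines]}; '' holds global lines
    sections, current = {"": []}, ""
    for line in (l.rstrip() for l in text.splitlines() if l.strip() not in ("", "!")):
        if line.startswith(" "):
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
    return sections

def first(body, prefix):                   # text after the first line starting with prefix, else None
    return next((l[len(prefix):].strip() for l in body if l.startswith(prefix)), None)

def addr_of(body):                         # 'ip address A MASK' -> IPv4Interface, or None
    a = first(body, "ip address ")
    return ip_interface(a.replace(" ", "/", 1)) if a else None

def tunnel_facts(router, cfg):
    """Everything the checks need from one router, as plain hashable values."""
    ifs = {norm_ifname(h[10:]): b for h, b in cfg.items() if h.startswith("interface ")}
    tun = next(b for n, b in ifs.items() if n.startswith("Tunnel"))
    src = norm_ifname(first(tun, "tunnel source "))
    src_addr = addr_of(ifs[src]) if src in ifs else None
    ike = next((h for h in cfg if h.startswith("crypto isakmp policy")), None)
    return {
        "router": router, "src": src, "nbma": src_addr.ip if src_addr else None,
        "tunnel_ip": addr_of(tun).ip, "nhs": first(tun, "ip nhrp nhs "),
        "key": first(tun, "tunnel key "), "net_id": first(tun, "ip nhrp network-id "),
        "auth": first(tun, "ip nhrp authentication "),
        "maps": {l.split()[3]: l.split()[4] for l in tun
                 if l.startswith("ip nhrp map ") and "multicast" not in l},
        "mcast": [l.split()[-1] for l in tun if l.startswith("ip nhrp map multicast ")],
        "protect": first(tun, "tunnel protection ipsec profile "),
        "ike": tuple(sorted(cfg.get(ike, []))),
        "lans": {str(addr_of(b).network) for n, b in ifs.items()
                 if not n.startswith("Tunnel") and addr_of(b)},
    }

def check(configs):
    """configs: {router name: config text}. Returns findings; [] means consistent."""
    facts = [tunnel_facts(r, parse_ios(t)) for r, t in configs.items()]
    hubs = [f for f in facts if f["nhs"] is None]        # the hub is the router without an NHS
    out = []
    for f in facts:
        if f["nbma"] is None:
            out.append(f"{f['router']}: tunnel source {f['src']} is missing or has no IP address")
        if f["protect"] is None:
            out.append(f"{f['router']}: no 'tunnel protection' on the tunnel, GRE runs in the clear")
    for field in ("key", "net_id", "auth", "ike"):       # must be identical on every peer
        if len({f[field] for f in facts}) > 1:
            out.append(f"{field} differs: " + ", ".join(f"{f['router']}={f[field]}" for f in facts))
    if len(hubs) != 1:
        out.append(f"expected exactly one hub, found {len(hubs)}")
    else:
        hub, nhs, nbma = hubs[0], str(hubs[0]["tunnel_ip"]), str(hubs[0]["nbma"])
        for s in (f for f in facts if f is not hub):
            if s["nhs"] != nhs or s["maps"].get(nhs) != nbma or nbma not in s["mcast"]:
                out.append(f"{s['router']}: NHS / NHRP maps must point at hub {nhs} via NBMA {nbma}")
    lans = Counter(net for f in facts for net in f["lans"])   # tunnel subnet is shared by design
    out += [f"LAN prefix {net} is connected on more than one router; it can never cross the tunnel"
            for net, n in lans.items() if n > 1]
    return out

# Constructed configs mirroring the lab in the notes (LAN masks /16 so the sites differ).
BASE = """\
interface GigabitEthernet0/0
 ip address {lan} 255.255.0.0
interface GigabitEthernet0/1
 ip address {wan} 255.255.255.0
interface Tunnel0
 ip address {tun} 255.255.255.0
 tunnel source {src}
 tunnel key 6783
 ip nhrp authentication Cisco123
 ip nhrp network-id 123
{nhrp}
 tunnel protection ipsec profile protect-gre
crypto isakmp policy 1
 encr aes 256
 hash sha512
 group 16
"""
HUB_NHRP = " ip nhrp map multicast dynamic\n ip nhrp redirect"
SPOKE_NHRP = " ip nhrp map 172.16.123.1 15.1.1.1\n ip nhrp map multicast 15.1.1.1\n ip nhrp nhs 172.16.123.1"
router = lambda lan, wan, tun, nhrp, src="gig 0/1": BASE.format(lan=lan, wan=wan, tun=tun, nhrp=nhrp, src=src)
GOOD = {"R1": router("10.1.0.1", "15.1.1.1", "172.16.123.1", HUB_NHRP),
        "R2": router("10.2.0.2", "25.2.2.2", "172.16.123.2", SPOKE_NHRP),
        "R3": router("10.3.0.3", "35.3.3.3", "172.16.123.3", SPOKE_NHRP)}
# R3 sourcing its tunnel from an interface it does not have
BAD_SOURCE = dict(GOOD, R3=router("10.3.0.3", "35.3.3.3", "172.16.123.3", SPOKE_NHRP, src="gig 0/3"))
# every LAN given a /8 mask: all three routers then own 10.0.0.0/8 as a connected route
OVERLAP = {r: t.replace("255.255.0.0", "255.0.0.0") for r, t in GOOD.items()}
```

Running check(GOOD) returns an empty list, check(BAD_SOURCE) reports R3's tunnel source, and check(OVERLAP) reports the shared 10.0.0.0/8. To use it on real devices, paste each router's show running-config into the dict in place of the constructed text; the parser only looks at interface and crypto sections, so the rest of the config is ignored.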
Verification Commands:
show run int tun 0
show dmvpn
show ip nhrp
traceroute 10.3.0.50 source 10.2.0.2
show crypto session
show ip eigrp interfaces
show ip route eigrp
show ip route
show ip cef 10.3.0.0
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto map
show crypto ipsec profile
debug nhrp