300-420 ENSLD – Cisco CCNP Enterprise – CCNP Enterprise ENSLD (300-420): Designing Enterprise Managed VPNs Part 3

  1. Describe DMVPN

Dynamic Multipoint VPN (DMVPN) is a feature that simplifies the deployment of large hub-and-spoke, partially meshed, and fully meshed VPNs. DMVPN enables scalability for large multipoint VPN solutions. Its major features include configuration reduction and zero-touch deployment, support for dynamic routing protocols, and support for dynamically assigned addresses on remote peers. It supports devices behind Network Address Translation (NAT), supports partial or full mesh VPNs, and can be used with or without IPsec encryption. There are two DMVPN deployment modes: hub and spoke, and spoke to spoke.

The DMVPN feature lets users scale both large and small IPsec VPNs. Cisco DMVPN combines mGRE tunnels, IPsec encryption, and NHRP to provide simple provisioning of many VPN peers. DMVPN also easily supports dynamically addressed spoke routers by design. With DMVPN, you can greatly reduce the configuration of the hub router because you configure only one interface to support all spokes. The DMVPN solution also supports zero-touch deployment of new spokes.

When you add a new spoke, NHRP provides dynamic registration of the spoke and the routing protocol provides IP connectivity. The DMVPN solution supports IP unicast and multicast traffic; therefore, you can use dynamic routing protocols over DMVPN. Dynamic routing protocols provide scalability and automatic spoke route distribution. DMVPN lets spoke routers have dynamic IP addresses and uses NHRP to register the IP addresses of the spoke routers with the hub router. DMVPN supports hub routers behind static NAT and spoke routers behind dynamic NAT.

DMVPN with dynamic spoke-to-spoke tunnels supports a partially or fully meshed topology for your VPN. DMVPN can also be deployed without IPsec encryption. The two DMVPN deployment models have the following characteristics.

Hub and spoke: A strict hub-and-spoke DMVPN deployment model requires each branch to be configured with a point-to-point interface to the hub. All traffic between spoke networks must flow through the hub router. DMVPN provides a scalable configuration for the hub router but does not facilitate direct spoke-to-spoke communication.

Spoke to spoke: A spoke-to-spoke DMVPN deployment model requires each branch to be configured with an mGRE interface, on which dynamic spoke-to-spoke tunnels are used for spoke-to-spoke traffic. In this model, DMVPN provides a scalable configuration model for all involved devices, and it also allows spoke devices to dynamically peer and establish optimal routing paths. Note that DMVPN does not immediately produce a partially meshed or fully meshed topology. DMVPN initially establishes a permanent hub-and-spoke topology from which a partial mesh or full mesh is dynamically generated based on traffic patterns.

Building Blocks of DMVPN

DMVPNs use the following mechanisms to combine the best of hub-and-spoke and fully meshed topologies and to provide some other features.

mGRE: mGRE technology enables a single GRE interface to support multiple GRE tunnels and reduces the complexity of the configuration. GRE tunnels also provide support for IP multicast and non-IP protocols. IP multicast, in turn, enables the designer to use routing protocols to distribute routing information and detect changes in the VPN. All DMVPN members use GRE or mGRE interfaces to build tunnels between devices.

NHRP: NHRP is a client-and-server protocol in which the hub acts as the NHRP server and the spokes act as NHRP clients. The hub maintains an NHRP database of mappings between the outer (public, physical interface) address and the inner tunnel interface address of each spoke. Each spoke registers its public and internal tunnel addresses when it boots, and it queries the NHRP database for the addresses of other spokes when building direct spoke-to-spoke tunnels. NHRP reduces the configuration complexity of fully meshed or partially meshed VPNs to something comparable to the complexity of hub-and-spoke VPNs.

IPsec: IPsec provides transmission protection for the GRE tunnels. DMVPNs form a permanent hub-and-spoke IPsec VPN, which can dynamically reconfigure itself into a partial mesh or full mesh as needed.

DMVPN Benefits and Limitations

DMVPN has the following major benefits. It allows the creation of a scalable, fully meshed VPN topology in which tunnels to many peers are dynamically set up as needed. It requires relatively little configuration effort, and the configuration of the hub routers does not change as new peers are added to the network. It uses GRE tunnel interfaces and can therefore use advanced features such as dynamic routing protocols, QoS methods, security features, and so on. It can run over public networks that do not carry customer routing information, such as the Internet, because GRE over IPsec tunneling hides the internal network addressing.

On the other hand, DMVPN also has some limitations. It requires PKI-based authentication of peers to provide scalable spoke-to-spoke IKE authentication. It can be somewhat more complex to troubleshoot than classic IPsec tunnels because it requires troubleshooting skills for the NHRP and mGRE technologies.

DMVPN Deployment Examples

Typical DMVPN deployments include a large number of low-bandwidth spokes, small office/home office (SOHO) access to the corporate environment, enterprise extranets, enterprise WAN connectivity backup over Internet links, and service provider VPN services. DMVPN is one of the preferred technologies for larger WANs.

Some DMVPN deployment examples follow.

Large number of low-bandwidth spokes: The typical example is a bank ATM network. These networks are usually very large, and there are many low-bandwidth spokes that require connectivity to the headquarters. DMVPN allows these sites to connect over the Internet, providing privacy and data integrity while meeting the performance requirements of business-critical applications.

Small office/home office (SOHO) access to the corporate environment: DMVPN can be used to provide remote access from small or home offices. There can be many spokes that need access to the corporate environment. The solution can also support voice traffic to the head office location, with occasional spoke-to-spoke voice traffic.

Enterprise extranet: Large enterprises frequently require connectivity to many business partners. DMVPN can be used to secure traffic between the enterprise and the various partner sites. The solution can provide network segregation by helping to ensure that no spoke-to-spoke traffic is allowed, even through the hub.

Enterprise WAN connectivity backup: DMVPN can be used as a backup solution for private WANs, allowing remote sites to connect securely to the enterprise head office over Internet links.

Service provider VPN services: DMVPN enables service providers to offer managed VPN services. Traffic from multiple customers can be aggregated on a single provider edge (PE) router and kept separated using features such as VPN routing and forwarding (VRF) instances.

DMVPN Phases

DMVPN Phase 1 is the basic DMVPN deployment model. In Phase 1, the hub router uses an mGRE tunnel interface, and the spoke routers use regular point-to-point GRE tunnels to the hub. No spoke-to-spoke tunnels are created in Phase 1: traffic from a spoke, whether destined to the hub network or to another spoke, always goes through the hub. The main benefit of Phase 1 is the simplified configuration of the hub: spokes register dynamically with the hub through NHRP, so spokes can use dynamically assigned addresses and new spokes do not require configuration changes on the hub. Multicast traffic, and therefore routing protocol traffic, flows only between the hub and the spokes.

Routing in Phase 1 has the following requirements. The hub router must be the next hop for all routes on the spokes. With EIGRP, you must disable split horizon on the hub tunnel interface, because the hub receives all spoke routes on one interface and must send updates out of that same interface to the other spokes. Because spokes register dynamically through NHRP, they can use dynamic IP addresses, and no NHRP resolution of other spokes is needed, because all traffic goes through the hub. The hub can therefore advertise summarized routes to the spokes. With OSPF, configure the network type on the tunnel interface: the point-to-multipoint network type is used, whereas the broadcast network type makes the tunnel behave like a LAN segment with DR election, in which case the hub router must be the DR.
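As an added example (not part of the original course material), the following Cisco IOS configuration shows a Phase 1 hub and one spoke with the three building blocks together: the hub's single mGRE interface, NHRP registration from the spoke, and IPsec tunnel protection using IKEv2 with certificate authentication, which is the PKI-based peer authentication the limitations list calls for. All names, the tunnel subnet 10.0.0.0/24, the public addresses 203.0.113.x, the LANs 192.168.x.0/24, the CA URL, and the EIGRP AS number are assumed values.

```cisco
! ===== HUB (DMVPN Phase 1) =====
! PKI trustpoint: placeholder CA URL and names; each router enrolls for its own certificate
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.net:80
 subject-name CN=hub1.example.net
 revocation-check crl
!
! IKEv2: AES-GCM needs an explicit prf in the proposal; ECDH group 19
crypto ikev2 proposal DMVPN-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
!
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
!
! Peers authenticate with certificates (rsa-sig), matched on the FQDN in the certificate
crypto ikev2 profile DMVPN-IKEV2
 match identity remote fqdn domain example.net
 identity local fqdn hub1.example.net
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CORP-CA
!
crypto ipsec transform-set DMVPN-TS esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
!
! One mGRE interface serves every spoke; spokes register their address mappings via NHRP
interface Tunnel0
 description DMVPN Phase 1 hub
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 ! Phase 1: re-advertise spoke routes out of the same interface (split horizon off);
 ! next-hop-self stays at its default, so the hub remains the next hop for the spokes
 no ip split-horizon eigrp 100
 ip summary-address eigrp 100 192.168.0.0 255.255.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
!
! ===== SPOKE 2 (Phase 1: plain point-to-point GRE to the hub) =====
! Trustpoint, IKEv2 proposal/policy/profile and IPsec profile are configured as on the
! hub, with this router's own identity (spoke2.example.net).
interface Tunnel0
 description DMVPN Phase 1 spoke
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ! Static mapping of the hub's tunnel address to its public address, and the hub as NHS
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
```

On the hub, `show ip nhrp` and `show dmvpn` list each registered spoke's tunnel and public (NBMA) addresses, and `show crypto ikev2 sa` shows the IKEv2 session that the tunnel protection brought up; a spoke whose certificate does not carry an `example.net` FQDN will fail the `match identity` check and will not register.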

DMVPN Phase 2 operation is as follows. When prefixes come to the hub, the hub relays them to the other spokes without changing the next hop, so the spokes learn the originating spoke, not the hub, as the next hop. When a spoke wants to send traffic to a network on another spoke in DMVPN Phase 2, it checks its routing table. The next hop IP address in the routing table points directly to the other spoke router. If the direct tunnel is not already established, the following procedure is used. The spoke sends an NHRP query to the NHRP server (the DMVPN hub) to resolve the next hop IP address to the tunnel endpoint (outer) address. The NHRP server has mappings for all spokes; it stored these mappings during the initial NHRP registration of the spokes with the hub. It sends an NHRP reply to the spoke router with the correct mapping. The spoke router receives the NHRP response from the hub.

The response triggers the IPsec process for direct spoke-to-spoke tunnel establishment. Once the IPsec tunnel is created, all packets bypass the hub. At this point, the spoke-to-spoke tunnel can pass traffic in one direction only. To provide bidirectional connectivity, the other spoke also needs next-hop information. The other spoke sends an NHRP query when the first packet needs to be forwarded.
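As an added example (not from the course material), these are the configuration changes that turn a Phase 1 hub-and-spoke design into the Phase 2 spoke-to-spoke design described in the preceding paragraphs: the spoke tunnel becomes mGRE, the hub passes the originating spoke's tunnel address through as the next hop, and the spoke resolves that next hop through NHRP before building the direct tunnel. Addresses, names, and the AS/process numbers are assumed, and the IPsec profile DMVPN-PROF is assumed to be defined as for any DMVPN tunnel.

```cisco
! ===== HUB (DMVPN Phase 2) =====
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 ! Relay spoke routes out of the same interface, but keep the originating
 ! spoke as next hop so that spokes route directly to each other
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! No summary-address on the hub tunnel in Phase 2: a summary would replace the
! per-spoke next hops with the hub and pull spoke-to-spoke traffic back through it.
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
! ===== SPOKE 2 (DMVPN Phase 2) =====
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ! Only the hub is mapped statically; other spokes are resolved on demand via the NHS.
 ! Routing-protocol multicast is sent to the hub only, so no spoke-to-spoke adjacencies form.
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 ! mGRE on the spoke: one interface carries the hub tunnel and dynamic spoke-to-spoke tunnels
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
!
! Resulting data path for Spoke 2 -> Spoke 3 LAN (first packet):
!  1. Routing table: next hop 10.0.0.3 (Spoke 3 tunnel address), learned via the hub
!  2. No NHRP entry for 10.0.0.3 -> NHRP resolution request to NHS 10.0.0.1
!  3. Hub answers with 10.0.0.3 -> 203.0.113.3 (Spoke 3 public address)
!  4. IKEv2/IPsec comes up directly to 203.0.113.3; traffic bypasses the hub
!  5. Spoke 3 repeats the resolution for 10.0.0.2 before the return traffic flows directly
!
! ----- OSPF instead of EIGRP (Phase 2, assumed conventional arrangement) -----
! The broadcast network type keeps the originating spoke as next hop; the hub must be
! the DR, so spokes get priority 0.
! Hub Tunnel0:    ip ospf network broadcast / ip ospf priority 255
! Spoke Tunnel0:  ip ospf network broadcast / ip ospf priority 0
```

After the first spoke-to-spoke flow, `show dmvpn` on Spoke 2 lists a dynamic ("D") entry for 10.0.0.3 next to the static ("S") hub entry, and `show ip nhrp` shows the resolved mapping with its holdtime; if the entry never appears, the spoke is still forwarding through the hub and the next-hop-self setting on the hub is the first thing to check.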

Once the NHRP mapping is in place, the GRE association is built and the response packet is sent directly to the other spoke.

DMVPN Phase 3

DMVPN Phase 3 is similar to Phase 2: it uses direct spoke-to-spoke tunnels to send data traffic. However, Phase 3 overcomes the scalability issues of Phase 2. Phase 3 operation is as follows. The spoke registers with the hub. A routing adjacency is established between the hub and the spokes.

When spoke-to-spoke communication is needed, the spoke sends the first packet to the hub. The hub responds with an NHRP redirect. The spoke sends an NHRP request for the redirected destination IP address. The request is forwarded to the destination spoke. The destination spoke responds with an NHRP reply directly to the originator. The originator updates its NHRP table with the received entries. The initial step in DMVPN Phase 3 is similar to Phase 2: the spoke router registers its tunnel and outer IP address mapping with the hub router.

This registration allows the hub to dynamically discover all spokes. After the initial connection is established, the hub and spoke establish a routing adjacency to exchange routes. In DMVPN Phase 2, the hub router must preserve the next-hop IP address when sending a route to the other spokes. In DMVPN Phase 3, the hub router does not need to preserve the next hop. It can also send summarized information, or even only a default route. Therefore, you can greatly reduce the size of the routing table on the spoke routers in large DMVPNs. When a spoke router wants to send IP packets to another spoke router, it sends the first packet to the hub router. The hub router forwards the packet to the correct spoke, but it also replies to the originator of the traffic with an NHRP redirect.

The NHRP redirect message tells the originator that the forwarding path is suboptimal and that it should send traffic directly to the other spoke. The NHRP message contains the destination IP address of the original IP packet. Now the spoke sends an NHRP resolution request for the original destination IP address. Following the routing table, the NHRP request traverses the hub router, which forwards the request to the correct spoke. When the other spoke receives the NHRP request, it responds directly to the originator. When this response arrives at the originator, the originator knows the outer IP address of the destination spoke and can update its NHRP table with the correct entry.

An overview of DMVPN Phase 3 follows. The hub does not need to preserve next-hop information, so you can send only a summary route or a default route to the spoke routers. Migration from DMVPN Phase 2 to Phase 3 using EIGRP is as follows: remove the next-hop-self configuration that was used in Phase 2 from the hub, leave split horizon disabled, and use summarization commands. Migration from DMVPN Phase 2 to Phase 3 using OSPF is as follows: change the OSPF network type to point-to-multipoint on all hubs and spokes, and remove the priority configuration, because the hub does not need to preserve next-hop information. You can use route summarization or even send only the default route to the spoke routers. Summarization can greatly improve network scalability in larger networks because the routing tables on the spoke routers are much smaller.

If you want to migrate from DMVPN Phase 2 to Phase 3 and you want to use EIGRP as the routing protocol, some changes must be made in the configuration. You should remove the next-hop-self configuration that was used in Phase 2 from the hub router because it is not needed anymore.

Split horizon must stay disabled for EIGRP. You can use summarization commands to reduce the number of routes on the DMVPN spokes. If you want to migrate from DMVPN Phase 2 to Phase 3 and you want to use OSPF, change the network type to point-to-multipoint on all hubs and spokes. You can also remove the priority configuration, which is not needed with the OSPF point-to-multipoint network type.

DMVPN and Redundancy

To provide high availability in DMVPNs, you can implement multiple hub routers. Usually, there are two routers at the central site.

There are two typical deployments in DMVPNs that can be used to provide high availability: dual hub with a dual DMVPN cloud, and dual hub with a single DMVPN cloud. Although dual hub is the term used here, you can use more than two routers at the site for high availability; dual hub is just the typical deployment. In both topologies, redundant hub routers are deployed. High availability is provided by a second hub router, which may be on the same DMVPN subnet as the primary hub router. This option is commonly referred to as a single DMVPN cloud topology. The second hub router can also serve its own DMVPN subnet, which is known as the dual DMVPN cloud topology.

Dual hub single DMVPN cloud and dual hub dual DMVPN cloud topologies both rely on the routing protocols running inside the tunnels to determine tunnel path selection. The difference between the two topologies is most apparent on the branch router. With a single DMVPN subnet, the branch router has a single mGRE tunnel, and both hub routers are mapped to this tunnel through the one mGRE interface. In a dual DMVPN topology, the branch router has a unique tunnel pointing to each hub, and standard routing protocols such as EIGRP, BGP, or OSPF are used to determine the active hub in either topology.

In the single DMVPN topology, the hubs appear as two different next hops via the one mGRE tunnel interface. In the dual DMVPN topology, the hubs appear as two different next hops via two separate GRE or mGRE interfaces. In general, the single DMVPN cloud topology is best when dynamic spoke-to-spoke tunnels are required, because spoke-to-spoke tunnels can only be built within a DMVPN cloud, not between DMVPN clouds. The dual DMVPN cloud topology is often easier for hub-and-spoke-only networks.

It can be easier to configure the routing protocol to prefer one DMVPN cloud hub over the other, because the branch router receives routing information from the hubs on different tunnel interfaces. However, either DMVPN cloud topology can be configured for either style of network, hub-and-spoke only or spoke to spoke. These DMVPN cloud topologies can also be used in combination to meet the requirements of more complex networks.
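As an added example (not from the course material), the following spoke-side configurations show the two redundancy options just described and where hub preference is expressed in each. In the single-cloud option both hubs are next hops on one mGRE interface, so preference has to be set at the source (here with an EIGRP offset on the second hub); in the dual-cloud option the spoke has one tunnel per hub and can simply prefer one interface. Addresses, the tunnel subnets 10.0.0.0/24 and 10.0.1.0/24, the hub public addresses 203.0.113.1 and 203.0.113.2, and the AS number are assumed; the IPsec profile DMVPN-PROF is assumed to be defined.

```cisco
! ===== Option 1: dual hub, single DMVPN cloud (spoke view) =====
! Both hubs sit in the same tunnel subnet and are reached over one mGRE interface;
! the spoke registers with both NHSs. Spoke-to-spoke tunnels work because every
! spoke is in the same cloud.
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp map 10.0.0.2 203.0.113.2
 ip nhrp map multicast 203.0.113.2
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Hub preference for Option 1 is configured on HUB 2, not on the spoke: every route
! Hub 2 advertises into the cloud carries an extra metric offset, so spokes prefer Hub 1.
! (Hub 2 configuration)
router eigrp 100
 offset-list 0 out 1000 Tunnel0
!
! ===== Option 2: dual hub, dual DMVPN cloud (spoke view) =====
! Each hub serves its own tunnel subnet over its own spoke interface. The spoke
! prefers Tunnel0 because Tunnel1 has a higher delay, which EIGRP folds into its metric.
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF shared
!
interface Tunnel1
 bandwidth 1000
 delay 2000
 ip address 10.0.1.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! A second cloud needs its own NHRP network-id and tunnel key
 ip nhrp network-id 101
 ip nhrp map 10.0.1.1 203.0.113.2
 ip nhrp map multicast 203.0.113.2
 ip nhrp nhs 10.0.1.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101
 ! Two protected tunnels with the same source must share one IPsec SA database
 tunnel protection ipsec profile DMVPN-PROF shared
!
router eigrp 100
 network 10.0.0.0 0.0.1.255
 network 192.168.11.0 0.0.0.255
```

In Option 2, `show ip route eigrp` on the spoke shows hub-side prefixes via Tunnel0 only while Hub 1 is up, with the Tunnel1 path installed as the feasible successor; pulling the Tunnel0 adjacency down (for instance with `shutdown` on Tunnel0 in a lab) makes the Tunnel1 routes take over without any NHRP change, which is the behaviour the text describes as easier to arrange in the dual-cloud topology.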

  2. EIGRP DMVPN and DMVPN Scaling

EIGRP is the routing protocol of choice for DMVPNs. DMVPN has evolved through three major versions that are called phases. DMVPN Phase 1 allows only simple hub-and-spoke topologies. DMVPN Phase 2 and Phase 3 allow complex hub-and-spoke, full mesh, or hybrid topologies. No matter which DMVPN phase is used or how complex the topology is, EIGRP routers always establish adjacencies in a hub-and-spoke manner, reducing the total number of adjacencies to a minimum, allowing for scalability, and reducing the spoke router hardware requirements while still routing over the optimal paths. DMVPN Phase 1 allows only hub-and-spoke topologies, with a central hub and all spokes connected to it via GRE tunnels. DMVPN relays multicast between the hub and the spokes so that EIGRP adjacencies can be formed.

All spoke routers establish adjacencies with the hub router; because there is no path between the spokes, spoke routers do not establish adjacencies with each other. The Spoke 3 router advertises its connected network 192.168.3.0/24. The hub router receives the advertisement and places the route in its routing table. The hub has also established an adjacency with the Spoke 2 router. However, it does not advertise the 192.168.3.0/24 network to Spoke 2. DMVPN terminates all mGRE tunnels on a single interface on the hub router, and EIGRP obeys split horizon by default, so the hub router does not advertise routes out of the same interface on which it received them. When using EIGRP to route through the DMVPN cloud, you always need to disable split horizon on the hub router.

This rule exists for all DMVPN phases. DMVPN Phase 2 allows dynamic establishment of mGRE tunnels between the spoke routers when needed. However, spoke-to-spoke tunnels do not relay multicast, and therefore spoke-to-spoke EIGRP adjacencies are not established. This behaviour tremendously reduces the number of established adjacencies in DMVPN mesh networks with a high number of spokes and allows you to use low-end routers in your branches. Because all spoke networks are advertised through the hub, the hub serves as the next hop for all spoke-to-spoke communication, rendering the established spoke-to-spoke tunnels useless. Is it possible to keep the hub-and-spoke EIGRP topology yet use the full mesh of DMVPN to forward traffic?

The hub router can still relay the advertisements that it receives from the spokes, but it should not state itself as the next hop for those routes. You must configure the hub to advertise the networks that it receives from the spokes with the originating spoke's IP address as the next hop. Look at the Spoke 2 routing table. It received the 192.168.3.0/24 route from the hub router; however, the route states the Spoke 3 router as its next hop.

Spoke-to-spoke traffic is now forwarded directly between the spokes. You must configure the hub router with no next-hop-self when using EIGRP in a DMVPN Phase 2 network. When the number of DMVPN spokes rises, so does the number of advertised routes. You already know that you can counter the rising number of routes by using summarization. Because all routes are advertised through the hub, you can do all summarization on the hub. Try summarizing all spoke LANs on the hub. What happens?

The hub now advertises the summary network to the spokes, with itself as the next hop. Summarization reduces the number of advertised routes, but now all spoke-to-spoke traffic flows through the hub once again. Is it possible to summarize the networks that are advertised by spokes while still routing optimally through the DMVPN cloud? This case is solved by DMVPN Phase 3. Both DMVPN Phase 2 and Phase 3 allow you to build partial mesh networks, but only Phase 3 allows you to perform optimal full mesh routing with simple, summarized EIGRP advertising. DMVPN Phase 3 employs a significantly changed NHRP as an intermediate protocol: NHRP is used to improve the efficiency of the existing routing protocols. The NHRP Phase 3 improvements allow the hub to issue redirects to the spokes. Look at how it works.

The EIGRP configuration remains simple. The hub router peers with the spokes, the split horizon rule is disabled on the hub, and the hub advertises all the networks that it receives from the spokes, stating itself as the next hop. You should do summarization on the hub to reduce the number of advertised networks. A packet is sent from the Spoke 2 LAN to a Spoke 3 LAN address. Spoke 2 looks into its routing table and sees that there is a summary entry with the hub router as its next hop. The packet is forwarded toward the hub router, which then forwards it to Spoke 3. This sounds much like EIGRP in a DMVPN Phase 2 network without no next-hop-self configured, so why is DMVPN Phase 3 better than Phase 2? The hub router knows that Spoke 3 is the optimal next hop for the Spoke 3 LAN address. When the hub router is configured with ip nhrp redirect, it sends an NHRP redirect message to Spoke 2, notifying Spoke 2 that packets for the Spoke 3 LAN are better forwarded directly to the Spoke 3 router.

The Spoke 2 router receives the NHRP redirect from the hub and, when configured with ip nhrp shortcut, creates a new NHRP entry in its routing table. The new NHRP entry states the Spoke 3 router as the next hop for traffic destined to the Spoke 3 LAN subnet, and the traffic is now forwarded directly across the spoke-to-spoke tunnel to the Spoke 3 router.

EIGRP DMVPN Scaling

The scalability of EIGRP over DMVPNs depends on several factors: topology, number of peers, number of advertised prefixes, and DMVPN phase. The EIGRP behaviour varies depending on the DMVPN phase that is used. Newer phases yield lower convergence times when the same EIGRP topology is used. DMVPN Phase 3 not only offers optimal routing but also the fastest EIGRP convergence times. Production deployments show that the practical maximum number of EIGRP peers in a DMVPN Phase 2 network is about 600. This number does not differ between single hub and dual hub deployments. Beyond this number, convergence times start to rise significantly. Scaling the DMVPN beyond this number typically requires multiple hubs, each terminating up to 600 spokes. An increase in the number of advertised prefixes linearly increases convergence times. This effect can easily be mitigated by using summarization, especially in DMVPN Phase 3 networks.
