BRKSEC-3052
Cisco Public
Session Agenda
DMVPN refresher

DMVPN refresher
Terminology (diagram)
Transport Network: the physical (NBMA) addresses. Overlay Network: the tunnel addresses.
Core Network 192.168.128.0/17
Hub 1: LAN 192.168.101.0/24, Tunnel (overlay) address 10.0.0.101, Physical (NBMA) address 172.16.101.1
Hub 2: LAN 192.168.102.0/24, Tunnel 10.0.0.102, Physical 172.16.102.1
Spoke 1: LAN 192.168.1.0/24, Tunnel 10.0.0.1, Physical 172.16.1.1
Spoke 2: LAN 192.168.2.0/24, Tunnel 10.0.0.2, Physical 172.16.2.1
Hubs and spokes are connected by GRE/IPsec tunnels.
Feature History
IOS-XE on ASR1k: Phase 3 support since Release 3S
Base Topology (diagram)
Core Network 192.168.128.0/17; Hub 1 (192.168.101.0/24) and Hub 2 (192.168.102.0/24); Spoke 1 (192.168.1.0/24) and Spoke 2 (192.168.2.0/24); routing neighborship between each spoke and the hubs.
Phase 3 Synopsis (diagram, S1 LAN to S2 LAN)
Spoke 1 holds 192.168.0.0/16 via Hub1, next hop = 10.0.0.101.
1: Initial packet flow from Spoke 1 through Hub 1 to Spoke 2
4: Resolution Request (Dest 192.168.2.2)
6: Tunnel initiation (S2 to S1)
7: Resolution Reply (NBMA 172.16.2.1)
Spoke 2: Tunnel 10.0.0.2, NBMA 172.16.2.1
Spokes receive a summary for the overlay network with the hub(s) as next hop
Hubs send NHRP indirection to source spokes when a more direct path exists
Configuration
(Core 1: 192.168.101.0/24 behind Hub 1, Tunnel 10.0.0.101, NBMA 172.16.101.1. Core 2: 192.168.102.0/24 behind Hub 2, Tunnel 10.0.0.102, NBMA 172.16.102.1. Spoke 1: 192.168.1.0/24, Tunnel 10.0.0.1, NBMA 172.16.1.1. Each router keeps a routing table and an NHRP cache.)

Hub 1:
interface Tunnel0
 description DMVPN Hub 1
 ip address 10.0.0.101 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip nhrp map multicast 172.16.102.1        ! NHRP mcast replication to Hub 2
 ip nhrp map 10.0.0.102 172.16.102.1       ! static mapping for Hub 2 (peer)
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TP

Spoke 1:
interface Tunnel0
 description DMVPN Spoke 1
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast 172.16.101.1        ! NHRP mcast to Hub 1
 ip nhrp map 10.0.0.101 172.16.101.1       ! static mapping for Hub 1 (NHS)
 ip nhrp nhs 10.0.0.101
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TP
1: Spoke Registration (diagram)
Spoke 1 (Tunnel 10.0.0.1, NBMA 172.16.1.1) and Spoke 2 (Tunnel 10.0.0.2, NBMA 172.16.2.1) register with Hub 1 (Tunnel 10.0.0.101, NBMA 172.16.101.1) and Hub 2 (Tunnel 10.0.0.102, NBMA 172.16.102.1) over the tunnel (NHRP mcast). Routing table and NHRP cache shown per router.
Routing exchange (diagram)
iBGP between Hub 1 and Hub 2 (10.0.0.101 and .102); routing adjacency over the tunnel from each spoke to the hubs. Routing table and NHRP cache shown per router.
3: Spoke-Hub Traffic (diagram, S1 LAN to Core, dest: 192.168.200.1)
1: Route Lookup on Spoke 1
3: Forwarding over the tunnel to Hub 1
4: Route Lookup on Hub 1
5: Forwarding into the core
Spoke-to-spoke traffic, first packet (diagram, S1 LAN to S2 LAN, dest: 192.168.2.10)
1: Route Lookup on Spoke 1
2: NHRP Lookup on Spoke 1
5: NHRP Lookup on Hub 1
6: Forwarding from Hub 1 to Spoke 2
8: Cache Update + NHRP Resolution Request
NHRP Resolution Request (diagram)
Spoke 1: 1: Route Lookup, 2: NHRP Lookup, then generate NHRP Resolution Request
Hub 1: 5: NHRP Lookup, 6: Resolution Request (192.168.2.2/32)
Spoke 2: 7: Route Lookup, 8: NHRP Lookup
NHRP Resolution Reply (diagram)
Spoke 2: 1: Cache Update (NHRP cache: S 172.16.102.1 (H2)); 2: Tunnel Initiation (S2 to S1); 3: generate NHRP Resolution Reply (192.168.2.0/24, NH 10.0.0.2, NBMA 172.16.2.1)
Spoke 1: 4: Cache Update. Resulting Spoke 1 routing table:
C 172.16.1.0/30 Gig0/0 (WAN)
C 192.168.1.0/24 Gig0/1 (LAN)
C 10.0.0.0/24 Tun0 (DMVPN)
B 192.168.0.0/16 10.0.0.101
H 192.168.2.0/24 10.0.0.2
NHRP Shortcut Switching (diagram)
Forwarding table next hops: NH 10.0.0.101 (hub summary), NH 10.0.0.2 (shortcut on Spoke 1), NH 10.0.0.1 (shortcut on Spoke 2); adjacencies are built from the NHRP cache on each spoke. Spoke 1 (15.1M), Spoke 2 (15.2T).
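The redirect-and-resolve cycle on the preceding slides, as an added Python model (not code from the deck): Spoke 1 forwards to the hub on the summary route, the hub detects the hairpin and sends a redirect, the resolution yields Spoke 2's NBMA address, and Spoke 1 installs the "H" route plus the NHRP entry, after which the same destination resolves to Spoke 2's NBMA address directly. The addresses are the deck's; the routing-table contents, the hub's core route and the simplification that the hub answers the resolution itself (in reality it forwards the request to Spoke 2, which replies directly) are assumptions of this example.

```python
import ipaddress

# Addresses are the ones used in the deck's diagrams; the tables below are constructed
# to mirror the Spoke 1 routing table on the "Resolution Reply" slide.
HUB1_TUN, HUB1_NBMA = "10.0.0.101", "172.16.101.1"
SPOKE1_TUN, SPOKE1_NBMA = "10.0.0.1", "172.16.1.1"
SPOKE2_TUN, SPOKE2_NBMA = "10.0.0.2", "172.16.2.1"


def longest_match(rib, dst):
    """Longest-prefix match over a RIB stored as {prefix: entry}; None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_entry = None, None
    for prefix, entry in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, entry
    return best_entry


class Spoke:
    def __init__(self, tun, nbma, lan, nhs_tun, nhs_nbma):
        self.tun, self.nbma, self.lan = tun, nbma, lan
        # Routing table: connected LAN and tunnel, BGP summary with the hub as next hop.
        self.rib = {lan: ("C", "Gig0/1"), "10.0.0.0/24": ("C", "Tun0"),
                    "192.168.0.0/16": ("B", nhs_tun)}
        self.nhrp = {nhs_tun: nhs_nbma}         # static mapping for the NHS only

    def egress(self, dst):
        """(route type, next hop, NBMA/GRE destination) chosen for a packet to dst."""
        rtype, nh = longest_match(self.rib, dst)
        if rtype == "C":
            return rtype, nh, None              # delivered on a connected interface
        return rtype, nh, self.nhrp[nh]         # tunnel next hop -> NBMA via the NHRP cache

    def install_shortcut(self, prefix, nh_tun, nh_nbma):
        """Cache update on receipt of a Resolution Reply: NHRP entry plus an 'H' route."""
        self.nhrp[nh_tun] = nh_nbma
        self.rib[prefix] = ("H", nh_tun)


class Hub:
    def __init__(self, tun, nbma):
        self.tun, self.nbma = tun, nbma
        self.spokes = {}                        # spoke tunnel IP -> (NBMA, LAN prefix)
        # Hub LAN and core route are constructed values, not from the deck.
        self.rib = {"10.0.0.0/24": ("C", "Tun0"), "192.168.101.0/24": ("C", "Gig0/1"),
                    "192.168.128.0/17": ("B", "192.168.101.2")}

    def register(self, spoke):
        """Spoke registration: NHRP mapping plus the spoke prefix learned by routing."""
        self.spokes[spoke.tun] = (spoke.nbma, spoke.lan)
        self.rib[spoke.lan] = ("B", spoke.tun)

    def forward(self, ingress_spoke, dst):
        """Next hop for dst and whether the hub must send an NHRP redirect (hairpin on Tunnel0)."""
        route = longest_match(self.rib, dst)
        if route is None:
            return None, False
        nh = route[1]
        redirect = nh in self.spokes and nh != ingress_spoke.tun
        return nh, redirect

    def resolve(self, dst):
        """Resolution Request for dst: (prefix, tunnel NH, NBMA) of the owning spoke.
        Simplification: the real hub forwards the request to that spoke, which replies directly."""
        nh = longest_match(self.rib, dst)[1]
        nbma, lan = self.spokes[nh]
        return lan, nh, nbma


def phase3_walk(dst):
    """Return Spoke 1's egress decision before and after the redirect/resolution cycle."""
    hub = Hub(HUB1_TUN, HUB1_NBMA)
    s1 = Spoke(SPOKE1_TUN, SPOKE1_NBMA, "192.168.1.0/24", HUB1_TUN, HUB1_NBMA)
    s2 = Spoke(SPOKE2_TUN, SPOKE2_NBMA, "192.168.2.0/24", HUB1_TUN, HUB1_NBMA)
    hub.register(s1)
    hub.register(s2)
    first = s1.egress(dst)                      # summary route: packet goes to the hub
    _, redirect = hub.forward(s1, dst)
    if redirect:                                # hub saw a more direct path and redirected
        s1.install_shortcut(*hub.resolve(dst))
    return first, s1.egress(dst)


if __name__ == "__main__":
    print(phase3_walk("192.168.2.10"))   # (('B', '10.0.0.101', '172.16.101.1'), ('H', '10.0.0.2', '172.16.2.1'))
    print(phase3_walk("192.168.200.1"))  # core destination: stays on the summary via the hub
```

A destination in the core never triggers a redirect because the hub's route for it does not point back out Tunnel0, which is exactly why the spoke keeps only the summary plus the handful of "H" routes it actually resolved.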
NHRP groups on the spokes (Spoke 1: gold; Spoke 2 and Spoke 3: silver)
Spoke 1:
interface Tunnel0
 ip nhrp group gold
Spoke 2:
interface Tunnel0
 ip nhrp group silver
Spoke 3:
interface Tunnel0
 ip nhrp group silver
Hierarchical shaper
class-map control
 match ip precedence 6
class-map voice
 match ip precedence 5
!
policy-map sub-policy
 class control
  bandwidth 20
 class voice
  priority percent 60
!
policy-map gold
 class class-default
  shape average 5000000
  service-policy sub-policy
!
policy-map silver
 class class-default
  shape average 1000000
  service-policy sub-policy
Annotations: bandwidth 20 = reserved BW; priority percent 60 = low-latency queuing; remaining traffic gets fair queuing; shape average in gold/silver = aggregate shaper per NHRP group.
Classification happens at the tunnel level (before encaps & crypto engine)
Policing (dropping) & marking also applied at the tunnel level
Queuing & scheduling happen at the physical interface
(diagram: Tunnel 1/2/3 Data and Voice classes go through the per-tunnel policy (Tunnel 1/2/3 Policy), then the Crypto Engine (SA classification), then the derived interface QoS policy on the physical interface with Data and Voice queues)
DMVPN virtualization

ip vrf red
 rd 1:1
!
interface Ethernet0/0
 ip vrf forwarding red
 ip address 10.0.0.1 255.255.255.0
New CLI:
(diagram: each interface routes in the RIB/FIB of its VRF: Global RIB/FIB, Red RIB/FIB, Orange RIB/FIB)
interface Eth0/0
 vrf forwarding blue
!
interface Eth0/1
 vrf forwarding blue
!
interface Eth1/0
 vrf forwarding red
!
interface Eth1/1
 ! no VRF = global
!
interface Tunnel1
 vrf forwarding red         ! iVRF: tunnel payload is routed in the Red RIB/FIB
 tunnel source Eth1/1       ! Front VRF (fVRF): tunnel packets are routed in the Global RIB/FIB
!
interface Eth2/0
 vrf forwarding green
!
interface Eth2/1
 vrf forwarding orange
!
interface Tunnel2
 vrf forwarding green       ! iVRF: green
 tunnel vrf orange          ! fVRF: Orange RIB/FIB (the VRF of Eth2/1)
 tunnel source Eth2/1
2013 Cisco and/or its affiliates. All rights reserved.
Part 1:
MPLS VPN review
MPLS core (diagram)
PE1 (10.0.0.1/32) -- 10.0.1.0/24 (.1 PE1, .2 P1) -- P1 (10.0.0.2/32) -- 10.0.2.0/24 (.1 P1, .2 P2) -- P2 (10.0.0.3/32) -- 10.0.3.0/24 (.1 P2, .2 PE2) -- PE2 (10.0.0.4/32)
OSPF on every link; LDP on every link where mpls ip is configured. P1 prefixes are detailed in the table that follows.
P1 RIB/FIB, LIB and LFIB

Prefix        Via              Interface  Action   Local label  Label on PE1  Label on P2  LFIB entry (label, action, interface, next hop)
10.0.0.1/32   10.0.1.1 (PE1)   Eth0/0     Forward  18           NULL          20           18  POP      Eth0/0  10.0.1.1 (PE1)
10.0.0.2/32   connected        Loop0      Receive  NULL         17            19           -
10.0.0.3/32   10.0.2.2 (P2)    Eth1/0     Forward  20           20            NULL         20  POP      Eth1/0  10.0.2.2 (P2)
10.0.0.4/32   10.0.2.2 (P2)    Eth1/0     PUSH 18  19           19            18           19  SWAP 18  Eth1/0  10.0.2.2 (P2)
10.0.1.0/24   connected        Eth0/0     Glean    NULL         NULL          21           -
10.0.2.0/24   connected        Eth1/0     Glean    NULL         18            NULL         -
10.0.3.0/24   10.0.2.2 (P2)    Eth1/0     Forward  21           21            NULL         21  POP      Eth1/0  10.0.2.2 (P2)
Penultimate hop popping (diagram: packet from 10.0.0.1 to 10.0.0.4)
PE1 -> P1: Ethertype 0x8847, Label 19 (label pushed by PE1)
P1 -> P2: Ethertype 0x8847, Label 18 (label swapped by P1)
P2 -> PE2: Ethertype 0x0800 (label popped by P2, the penultimate hop)

PE1 FIB                        P1 LFIB                    P2 LFIB                    PE2 FIB
Prefix        Adjacency        Label  Action   Ifc. NH    Label  Action   Ifc. NH    Prefix        Adjacency
10.0.0.1/32   Receive          18     POP      E0  PE1    18     POP      E0  PE2    10.0.0.1/32   E0 P2 TAG 20
10.0.0.2/32   E0 P1 IP         19     SWAP 18  E1  P2     19     POP      E1  P1     10.0.0.2/32   E0 P2 TAG 19
10.0.0.3/32   E0 P1 TAG 20     20     POP      E1  P2     20     SWAP 18  E1  P1     10.0.0.3/32   E0 P2 IP
10.0.0.4/32   E0 P1 TAG 19     21     POP      E1  P2     21     POP      E1  P1     10.0.0.4/32   Receive
10.0.1.0/24   Glean                                                                  10.0.1.0/24   E0 P2 TAG 21
10.0.2.0/24   E0 P1 IP                                                               10.0.2.0/24   E0 P2 IP
10.0.3.0/24   E0 P1 TAG 21                                                           10.0.3.0/24   Glean
PE routers exchange VPN prefixes & labels across the core with MBGP
(diagram: site C1 -- IGP/EGP -- CE1 -- VRF red on PE1 -- LDP -- P1 -- LDP -- P2 -- LDP -- PE2 with VRF red -- CE2 -- IGP/EGP -- site C2)
Customer VRFs on the PEs (diagram)
Core as before: PE1 -- 10.0.1.0/24 -- P1 -- 10.0.2.0/24 -- P2 -- 10.0.3.0/24 -- PE2 (loopbacks 10.0.0.2/32, 10.0.0.3/32, 10.0.0.4/32 on P1, P2 and PE2).
Recovered labels: VRF red PE-CE links 10.10.0.0/30 (dot1Q 10, PE1-CE1) and 10.10.0.4/30 (dot1Q 10, PE2-CE2); VRF blue PE-CE links 10.20.0.0/30 (dot1Q 20) and 10.20.0.4/30 (dot1Q 20); site prefixes 10.10.1.0/24 (CE1), 10.20.1.0/24 (CE2), 10.10.2.0/30, 10.20.2.0/30, R1 LAN 10.10.10.0/24, B1 LAN 10.20.10.0/24, R2 LAN 10.20.20.0/24, B2 LAN 10.20.20.0/24; EIGRP between CE and PE and inside the sites.
Core prefixes & labels via LDP (diagram)
PE1 -- 10.0.1.0/24 -- P1 -- LDP -- 10.0.2.0/24 -- P2 -- 10.0.3.0/24 -- PE2 (loopbacks 10.0.0.2/32, 10.0.0.3/32, 10.0.0.4/32); VRF red on the PE towards the CE over 10.10.0.0/30 (dot1Q 10, EIGRP), site 10.10.1.0/24 and R1 LAN 10.10.10.0/24.
VPN packet forwarding (diagram: CE1 10.10.1.2 to CE2 10.10.2.2 in VRF red)
CE1 -> PE1: Ethertype 0x0800, 10.10.1.2 -> 10.10.2.2
PE1 -> P1: Ethertype 0x8847, Label 19 (top, transport label), Label 23 (bottom, VPN label)
P1 -> P2: Ethertype 0x8847, Label 18 (top), Label 23 (bottom)
P2 -> PE2: Ethertype 0x8847, Label 23 (transport label popped at the penultimate hop)
PE2 -> CE2: Ethertype 0x0800, 10.10.1.2 -> 10.10.2.2

PE1 VRF red FIB
Prefix         Adjacency
10.10.0.0/30   Glean
10.10.0.4/30   10.0.0.4 label 22
10.10.1.0/24   E1.10 CE1 IP
10.10.2.0/24   10.0.0.4 label 23
10.10.10.0/24  E1.10 CE1 IP
10.10.20.0/24  10.0.0.4 label 24

PE1 global FIB (excerpt)
Prefix         Adjacency
...
10.0.0.4/32    E0 P1 TAG 19

P1 LFIB                     P2 LFIB
Label  Action   Ifc. NH     Label  Action   Ifc. NH
18     POP      E0  PE1     18     POP      E0  PE2
19     SWAP 18  E1  P2      19     POP      E1  P1
20     POP      E1  P2      20     SWAP 18  E1  P1
21     POP      E1  P2      21     POP      E1  P1

PE2 LFIB (excerpt)
Label  Action    VRF   Ifc. NH
...
22     No Label  red   aggregate
23     No Label  red   E1.10 CE2
24     No Label  red   E1.10 CE2
25     No Label  blue  aggregate
26     No Label  blue  E1.20 CE2
27     No Label  blue  E1.20 CE2
...
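The label operations in the two packet-walk slides above, as an added Python simulation (not the deck's code): the tables are transcribed from the PE1 FIB, P1/P2 LFIB and PE2 LFIB shown on the slides, and the function traces a VRF red packet hop by hop, pushing the transport and VPN labels at PE1, swapping at P1, popping at P2 (penultimate hop) and selecting the VRF at PE2. Router and adjacency names are the slides' own; the aggregate-label handling and the untagged fallback are assumptions of this example.

```python
import ipaddress

MPLS_UNICAST, IPV4 = 0x8847, 0x0800

# Forwarding tables transcribed from the deck's PE1 FIB, P1/P2 LFIB and PE2 LFIB slides.
PE1_VRF_RED = {            # prefix -> (BGP next hop or local adjacency, VPN label)
    "10.10.0.0/30": ("glean", None),
    "10.10.0.4/30": ("10.0.0.4", 22),
    "10.10.1.0/24": ("E1.10 CE1", None),
    "10.10.2.0/24": ("10.0.0.4", 23),
    "10.10.10.0/24": ("E1.10 CE1", None),
    "10.10.20.0/24": ("10.0.0.4", 24),
}
PE1_GLOBAL = {             # prefix -> (adjacency, transport label; None = untagged)
    "10.0.0.1/32": ("receive", None),
    "10.0.0.2/32": ("E0 P1", None),
    "10.0.0.3/32": ("E0 P1", 20),
    "10.0.0.4/32": ("E0 P1", 19),
}
P1_LFIB = {18: ("POP", None, "E0 PE1"), 19: ("SWAP", 18, "E1 P2"),
           20: ("POP", None, "E1 P2"), 21: ("POP", None, "E1 P2")}
P2_LFIB = {18: ("POP", None, "E0 PE2"), 19: ("POP", None, "E1 P1"),
           20: ("SWAP", 18, "E1 P1"), 21: ("POP", None, "E1 P1")}
PE2_LFIB = {22: ("red", "aggregate"), 23: ("red", "E1.10 CE2"), 24: ("red", "E1.10 CE2"),
            25: ("blue", "aggregate"), 26: ("blue", "E1.20 CE2"), 27: ("blue", "E1.20 CE2")}


def lpm(fib, dst):
    """Longest-prefix match; returns the table entry or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), v) for p, v in fib.items() if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def lsr_switch(lfib, stack):
    """One label-switching step on a P router: swap or pop the top label only."""
    action, new_label, out = lfib[stack[0]]
    rest = stack[1:]
    return ([new_label] + rest if action == "SWAP" else rest), out


def trace_vpn_packet(dst):
    """Walk a VRF red packet from CE1 through PE1, P1, P2 and PE2.
    Returns one (router, ethertype, label stack after that router, egress) tuple per hop."""
    entry = lpm(PE1_VRF_RED, dst)
    if entry is None:
        return []                                   # no VRF route: dropped at PE1
    adj, vpn_label = entry
    if vpn_label is None:
        return [("PE1", IPV4, [], adj)]             # local VRF route: forwarded as plain IP
    transport_adj, transport_label = lpm(PE1_GLOBAL, adj)
    # Transport label on top (LDP, towards the BGP next hop), VPN label at the bottom (MBGP).
    # Untagged next hop (assumed case): only the VPN label is pushed.
    stack = [transport_label, vpn_label] if transport_label is not None else [vpn_label]
    hops = [("PE1", MPLS_UNICAST, list(stack), transport_adj)]
    stack, out = lsr_switch(P1_LFIB, stack)        # P1: swap 19 -> 18
    hops.append(("P1", MPLS_UNICAST, list(stack), out))
    stack, out = lsr_switch(P2_LFIB, stack)        # P2, penultimate hop: pop the transport label
    hops.append(("P2", MPLS_UNICAST, list(stack), out))
    vrf, egress = PE2_LFIB[stack[0]]               # PE2: the VPN label selects VRF and adjacency
    if egress == "aggregate":
        egress = f"IP lookup in VRF {vrf}"         # aggregate label: second lookup in the VRF (assumed)
    hops.append(("PE2", IPV4, [], f"{vrf}/{egress}"))
    return hops


if __name__ == "__main__":
    for hop in trace_vpn_packet("10.10.2.2"):
        print(hop)
```

Running the trace for 10.10.2.2 reproduces the stacks drawn on the slide ([19, 23], [18, 23], [23], then plain IP); P1 and P2 never look at the bottom label, which is the property that keeps customer addressing invisible to the core.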
Part 2:
MPLS over DMVPN
Synopsis (diagram)
Spoke1 (PE): Tunnel0 10.0.0.1/24, VRF red, VRF blue, Global VRF. Hub1 (PE): Tunnel0 10.0.0.101/24, VRF red, VRF blue. MBGP between them over the tunnel.
Packet on the wire, spoke to hub: 172.16.1.1 -> 172.16.101.1, IPsec (ESP transport mode), GRE (protocol: 0x8847), Label: 16, inner 192.168.11.11 -> 192.168.12.12
Hub and spokes act as PE routers, exchange VRF prefixes over MBGP
mGRE Tunnel creates a back-to-back connection
Spoke LSR is the penultimate hop, so only the VPN label is pushed
LDP still required for a supported design
VRF-Lite over DMVPN (encapsulation path)
Input interface (VRF red): IP | Data
GRE encapsulation (Global): IP | GRE | IP | Data
Encryption: IP | ESP | GRE | IP | Data | ESP
Output interface (Global)

MPLS over DMVPN (encapsulation path)
Input interface (VRF red): IP | Data
Label imposition: MPLS | IP | Data
GRE encapsulation (Global): IP | GRE | MPLS | IP | Data
Encryption: IP | ESP | GRE | MPLS | IP | Data | ESP
Output interface (Global)
MPLS over DMVPN configuration

Spoke:
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast 172.16.101.1
 ip nhrp map 10.0.0.101 172.16.101.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.101
 mpls bgp forwarding
 mpls ip
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn

Hub:
interface Tunnel0
 ip address 10.0.0.101 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp map multicast 172.16.102.1
 ip nhrp map 10.0.0.102 172.16.102.1
 ip nhrp network-id 1
 mpls bgp forwarding
 mpls ip
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
BGP VRF address families (fragment as captured)
 ...
  redistribute eigrp 1
 exit-address-family
 address-family ipv4 vrf blue
  redistribute connected
  redistribute eigrp 1
 exit-address-family
VRF blue, default route from the Hub to the Spoke
Ensure that:
  spokes will only receive one default per VRF
  hubs will receive spoke prefixes but no defaults

VRF blue, summary routes from the Hub to the Spoke (as received on the spoke):
1:1:192.168.0.0/17 via 10.0.0.101 label 16
  Extended Community: RT:1:1
2:2:192.168.128.0/17 via 10.0.0.101 label 17
  Extended Community: RT:2:2
Ensure that:
  spokes will only receive the summary routes
  hubs will receive spoke prefixes but no summaries
Spoke-to-spoke VPN traffic through the hub (diagram)
Hub1 VRF red; Spoke1 VRF red with 192.168.11.0/24 and 192.168.111.0/24 (host 192.168.111.2); Spoke2 VRF red with 192.168.12.0/24 and 192.168.112.0/24 (host 192.168.112.2).
Spoke1 -> Hub1 on the wire: 172.16.1.1 -> 172.16.101.1, IPsec (ESP transport mode), GRE (protocol: 0x8847), Label: 36, inner 192.168.111.2 -> 192.168.112.2
Packets following the default route will be labeled:

spoke1#show adjacency 10.0.0.101 Tunnel0 detail
Protocol Interface                 Address
IP       Tunnel0                   10.0.0.101(7)
                                   Encap length 24
                                   4500000000000000FF2FFDABAC100101
                                   AC10650100000800
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of Ethernet0/0, addr 172.16.1.2
TAG      Tunnel0                   10.0.0.101(5)
                                   Encap length 24
                                   4500000000000000FF2FFDABAC100101
                                   AC10650100008847
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of Ethernet0/0, addr 172.16.1.2

Reading the encapsulation string: 0x2F = 47 = GRE (IP protocol field); 172.16.1.1 (AC100101) = mGRE tunnel source; 172.16.101.1 (AC106501) = Hub1 NBMA address; 0x8847 = MPLS unicast (GRE protocol type). The TAG entry is the specific adjacency used for labeled packets.
CEF output chain for the labeled route:
 output chain: label 36 TAG midchain out of Tunnel0, addr 10.0.0.101 F33D7CB0
               IP adj out of Ethernet0/0, addr 172.16.1.2 F33D7F10
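The annotated encapsulation strings above decoded programmatically, as an added Python parser (not from the deck): it unpacks the prebuilt IPv4 and GRE headers that CEF stores in the adjacency, verifies the IPv4 header checksum (FDAB) and reports the GRE protocol type that distinguishes the IP adjacency (0x0800) from the TAG adjacency (0x8847). The two hex strings are copied from the show adjacency output; the field names in the result are this example's own.

```python
import struct
import socket

GRE_PROTOCOL_NAMES = {0x0800: "IPv4", 0x8847: "MPLS unicast"}
IP_PROTO_GRE = 47

# Encapsulation strings copied from the show adjacency output (IP adjacency, then TAG adjacency).
IP_ADJ_ENCAP = "4500000000000000FF2FFDABAC100101" "AC10650100000800"
TAG_ADJ_ENCAP = "4500000000000000FF2FFDABAC100101" "AC10650100008847"


def ip_header_checksum_ok(header):
    """Ones-complement sum over the 20-byte header, checksum field included, must fold to 0xFFFF."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_gre_encap(hex_string):
    """Decode the prebuilt IP+GRE encapsulation that CEF prepends to tunnel packets."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 24:
        raise ValueError("encapsulation shorter than an IPv4 header plus a 4-byte GRE header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    gre_flags, gre_proto = struct.unpack("!HH", raw[20:24])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0xF) != 5:
        raise ValueError("expected an IPv4 header without options")
    return {
        "encap_length": len(raw),
        "total_length_prefilled": total_len,    # 0 here: CEF fills it in per packet
        "ttl": ttl,
        "ip_protocol": proto,
        "is_gre": proto == IP_PROTO_GRE,
        "checksum_ok": ip_header_checksum_ok(raw[:20]),
        "src": socket.inet_ntoa(src),           # mGRE tunnel source
        "dst": socket.inet_ntoa(dst),           # tunnel endpoint (hub NBMA address)
        "gre_flags": gre_flags,
        "gre_protocol": gre_proto,
        "gre_payload": GRE_PROTOCOL_NAMES.get(gre_proto, "unknown"),
    }


if __name__ == "__main__":
    for name, encap in (("IP adjacency", IP_ADJ_ENCAP), ("TAG adjacency", TAG_ADJ_ENCAP)):
        print(name, parse_gre_encap(encap))
```

Both strings share the same IPv4 header (and therefore the same checksum FDAB, since the GRE header is not covered by it); only the last two bytes, the GRE protocol type, differ, which is why a single IP adjacency cannot serve labeled packets and a separate TAG adjacency exists.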
Spoke-to-spoke VPN traffic through the hub, second leg (diagram)
Same VRF red topology: Spoke1 with 192.168.11.0/24 and 192.168.111.0/24 (host 192.168.111.2); Spoke2 with 192.168.12.0/24 and 192.168.112.0/24 (host 192.168.112.2).
Spoke1 -> Hub1: 172.16.1.1 -> 172.16.101.1, IPsec (ESP transport mode), GRE (protocol: 0x8847), Label: 36, inner 192.168.111.2 -> 192.168.112.2
Hub1 -> Spoke2: 172.16.101.1 -> 172.16.2.1, IPsec (ESP transport mode), GRE (protocol: 0x8847), Label: 19, inner 192.168.111.2 -> 192.168.112.2
Recovered table fragments on Hub1: local label 36, Bytes Label Switched 0, Outgoing interface aggregate/red; next hop 192.168.12.12 via Et1/1.
Multicast over DMVPN: replication by NHRP (diagram)
Hub 1: Tun0 10.0.0.101/24, (LAN) Gig0/1, (WAN) Gig0/0. Multicast received on the LAN is replicated by NHRP to Spoke 1 (NBMA 172.16.1.1) and to Hub 2 (NBMA 172.16.102.1).

interface Tunnel0
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.102 172.16.102.1

NBMA-mode required: the Group OIL then tracks each tunnel neighbor separately (Spoke 1, Tunnel 10.0.0.1: Receiver; Hub 2, Tunnel 10.0.0.102: No receiver), so traffic is only replicated to the neighbors that joined.
Multicast: shared tree (diagram)
Core 1 192.168.101.0/24 behind Hub 1 (Tunnel 10.0.0.101, NBMA 172.16.101.1); Core 2 192.168.102.0/24 behind Hub 2 (Tunnel 10.0.0.102, NBMA 172.16.102.1); Anycast RP 1.1.1.1 with MSDP between the two cores; Core Network 192.168.128.0/17.
Spoke 1 (Tunnel 10.0.0.1, NBMA 172.16.1.1, LAN 192.168.1.0/24) has joined group 225.0.0.12; Spoke 2 (Tunnel 10.0.0.2, NBMA 172.16.2.1, LAN 192.168.2.0/24) hosts the source (.2) for group 225.0.0.12.

Spoke 1 Multicast RIB:
C 172.16.1.0/30 Gig0/0 (WAN)
C 192.168.1.0/24 Gig0/1 (LAN)
C 10.0.0.0/24 Tun0 (DMVPN)
B + 192.168.0.0/16 10.0.0.101 (summary)
B + 1.1.1.1/32 10.0.0.101 (anycast RP)

Spoke 1 IP mroutes:
(*, 225.0.0.12), , RP 1.1.1.1, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.101
  Outgoing interface list:
    Gig1/0, Forward/Sparse, 05:09:41/00:02:59
Multicast: source tree (diagram, same topology)
Traffic to 225.0.0.12 from the source (.2) on Spoke 2 reaches the receiver (.2) on Spoke 1 over the shared tree through Hub 1; Spoke 1 then joins the source tree.

Spoke 1 Multicast RIB (unchanged):
C 172.16.1.0/30 Gig0/0 (WAN)
C 192.168.1.0/24 Gig0/1 (LAN)
C 10.0.0.0/24 Tun0 (DMVPN)
B + 192.168.0.0/16 10.0.0.101 (summary)
B + 1.1.1.1/32 10.0.0.101 (anycast RP)

Spoke 1 IP mroutes:
(*, 225.0.0.12), , RP 1.1.1.1, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.101
  Outgoing interface list:
    Gig1/0, Forward/Sparse, 05:09:41/00:02:59
(192.168.2.2, 225.0.0.12), , flags: JT
  Incoming interface: Tunnel0, RPF nbr 10.0.0.101
  Outgoing interface list:
    Gig1/0, Forward/Sparse, 00:00:04/00:02:55
Multicast after an NHRP shortcut (diagram, same topology)
Unicast traffic to Spoke 2 triggered a shortcut, so Spoke 1 now holds an H route for 192.168.2.0/24 via 10.0.0.2.

Spoke 1 Multicast RIB:
C 172.16.1.0/30 Gig0/0 (WAN)
C 192.168.1.0/24 Gig0/1 (LAN)
C 10.0.0.0/24 Tun0 (DMVPN)
B + 192.168.0.0/16 10.0.0.101 (summary)
B + 1.1.1.1/32 10.0.0.101 (anycast RP)
H + 192.168.2.0/24 10.0.0.2 (S2)

Spoke 1 IP mroutes:
(*, 225.0.0.12), , RP 1.1.1.1, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.101
  Outgoing interface list:
    Gig1/0, Forward/Sparse, 05:09:41/00:02:59
(192.168.2.2, 225.0.0.12), , flags: JT
  Incoming interface: Tunnel0, RPF nbr 10.0.0.2      (previously 10.0.0.101)
  Outgoing interface list:
    Gig1/0, Forward/Sparse, 00:00:04/00:02:55

No PIM neighborship between Spoke 1 and Spoke 2 (10.0.0.2)! The (S,G) entry now expects traffic from an RPF neighbor that is not a PIM neighbor.
Drawbacks:
  Not applicable for source-specific multicast (no shared tree)
  Must be configured on all multicast-enabled routers on spoke LANs (so that none of the last-hop routers will try to join the SPT)
  Not selective, applies to all multicast traffic within the iVRF
  Prevents creation of (S,G) entries, which reduces granularity in show commands
Best solution: push multicast default route from hubs via MBGP (SAFI 2)
  Overrides replication of BGP routes
(diagram: Hub 1 advertising the multicast default to Spoke 1)
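The RPF failure on the shortcut slide and the MBGP SAFI 2 fix, as an added Python model (not the deck's code): Spoke 1's unicast RIB holds the hub summary and the NHRP "H" route, the multicast RIB is either empty or holds the default pushed by the hub, and the (S,G) RPF check passes only when the chosen RPF neighbour is a PIM neighbour. The IOS administrative distances (200 for iBGP/MBGP, 250 for NHRP routes) and the lowest-distance selection across tables are assumptions of this model; the addresses are the deck's.

```python
import ipaddress

# Administrative distances assumed for the route sources on the spoke (IOS defaults as understood
# by this example): iBGP 200 (unicast summary and the MBGP SAFI 2 default), NHRP "H" routes 250.
AD_IBGP, AD_NHRP = 200, 250

# Spoke 1 tables as on the shortcut slide; the MBGP multicast RIB is the deck's proposed fix,
# constructed here as a single multicast default route from Hub 1.
UNICAST_RIB = {                                  # prefix -> (next hop, administrative distance)
    "192.168.0.0/16": ("10.0.0.101", AD_IBGP),   # B summary via Hub 1
    "192.168.2.0/24": ("10.0.0.2", AD_NHRP),     # H shortcut towards Spoke 2
}
MULTICAST_RIB_EMPTY = {}
MULTICAST_RIB_MBGP = {"0.0.0.0/0": ("10.0.0.101", AD_IBGP)}   # multicast default via MBGP SAFI 2
PIM_NEIGHBOURS = {"10.0.0.101"}                  # only the hub is a PIM neighbour on Tunnel0


def best_route(rib, source):
    """Longest-prefix match within one table; returns (next hop, AD) or None."""
    addr = ipaddress.ip_address(source)
    hits = [(ipaddress.ip_network(p), v) for p, v in rib.items() if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def rpf_neighbour(unicast_rib, multicast_rib, source):
    """RPF next hop: best match from each table, lowest administrative distance wins
    (IOS behaviour without 'ip multicast longest-match', as assumed by this model)."""
    candidates = [r for r in (best_route(multicast_rib, source),
                              best_route(unicast_rib, source)) if r is not None]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r[1])[0]


def sg_rpf_check(source, multicast_rib, pim_neighbours=PIM_NEIGHBOURS):
    """(S,G) RPF check for a source behind Spoke 2: returns (RPF neighbour, passes)."""
    nbr = rpf_neighbour(UNICAST_RIB, multicast_rib, source)
    return nbr, nbr in pim_neighbours


if __name__ == "__main__":
    print(sg_rpf_check("192.168.2.2", MULTICAST_RIB_EMPTY))   # ('10.0.0.2', False): no PIM neighborship
    print(sg_rpf_check("192.168.2.2", MULTICAST_RIB_MBGP))    # ('10.0.0.101', True): back via the hub
```

With the multicast default in place the RPF decision no longer follows the unicast shortcut, so unicast traffic can keep its spoke-to-spoke path while the (S,G) tree stays anchored on the hub, which is the selective behaviour the previous workaround could not provide.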
Hub:
interface Tunnel0
 ipv6 address fe80::2001 link-local
 ipv6 address 2001::1/64
 ipv6 nhrp network-id 1
 ipv6 nhrp map multicast dynamic

Spoke:
interface Tunnel0
 ipv6 address fe80::2002 link-local
 ipv6 address 2001::2/64
 ipv6 nhrp map 2001::1 172.17.0.1
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp nhs 2001::1
 ipv6 nhrp network-id 1
Tunnel Protection (diagram: Tun1 (10.1.0.1) -- GRE tunneling with IPsec protection -- Tun1 (10.1.0.2))

crypto ipsec transform-set tset
 mode transport
!
crypto ipsec profile tp                   ! IPsec profile = crypto map template (no peer, no ACL)
 set transform-set tset
!
interface Tunnel1
 ip address 10.1.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 172.16.100.1
 tunnel protection ipsec profile tp       ! single config statement for every new GRE/IPsec tunnel; makes mGRE possible
Crypto map scope (diagrams)
Crypto map on Gig0/0 only (Gig1/0, Tun1, Gig0/0): the crypto map defines a single SP/SA DB, whose scope is that interface.
Same crypto map on Gig0/0 and Gig0/1 with local-address Loopback0 (Gig1/0, Tun1, Loop0, Gig0/0, Gig0/1): a single SP/SA DB rooted at Loop0, whose scope covers both WAN interfaces.

interface Loopback0
 ip address 172.16.3.1 255.255.255.255
!
crypto map cmap local-address Loopback0
crypto map cmap 10 ipsec-isakmp
 set peer 172.16.100.1
 set transform-set tset
 match address gre-tun0
!
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 crypto map cmap
!
interface GigabitEthernet0/1
 ip address 172.16.2.1 255.255.255.0
 crypto map cmap
Tunnel Protection and Crypto Sockets (diagrams)
IKE endpoints, tunnel protection, crypto sockets: each tunnel interface with tunnel protection opens a crypto socket; entry 65536 is the crypto socket listener (similar to a dynamic-map).
Point-to-point GRE (Gig1/0, Tun1, Gig0/0): single remote endpoint, remote endpoint is known; the derived crypto map is Tunnel1-head-0.
Two tunnels with different sources (Gig1/0, Gig1/1, Tun1, Tun2 (mGRE), Gig0/0, Gig0/1): Tun1 SP/SA DB rooted at Gig0/0 (172.16.1.1), Tun2 SP/SA DB rooted at Gig0/1 (172.16.2.1).
Two tunnels sharing Gig0/0 (172.16.1.1) as source (Gig1/0, Gig1/1, Tun1, Tun2, Gig0/0): with the shared profile tp, a single Profile tp SP/SA DB rooted at Gig0/0 (172.16.1.1) serves Tun1 and Tun2.
When is "tunnel protection ... shared" required?

Tunnel1            Tunnel2            Situation                             TP shared     Differentiator(s)
P-P GRE or mGRE    P-P GRE or mGRE    Different sources                     Not required  Tunnel source (IPsec profiles must be different)
P-P GRE            P-P GRE            Same source, different destinations   Not required  Tunnel destination
P-P GRE            P-P GRE            Same source, same destination         Required      Tunnel key
mGRE               mGRE               Same source                           Required      Tunnel key
P-P GRE            mGRE               Same source, P-P GRE initiator only   Required      Tunnel key
P-P GRE            mGRE               Same source, P-P GRE responder        see (*) (**)

(*) fix available in: IOS 15.1(4)M6, 15.2(4)M3, 15.3(2)T & IOS-XE 3.7.3S/15.2(4)S3, 3.8.2S/15.3(2)S
(**) workaround: use different IPsec profiles with different transforms and no shared keyword; mode & algorithms act as differentiator during QM (two separate identical transform sets will not work)
Summary:
Keyword shared always required if tunnel source is shared
  Exception: all point-point GRE with different destinations (no ambiguity)
  Special case: mGRE & point-point GRE responder (CSCub95247)
Prevents the use of multiple IKE Profiles (due to single IPsec profile)
If TP shared is used for a given tunnel source:
  All tunnels with that tunnel source must use TP shared and the same IPsec profile
  Other tunnels with different sources may not use the same IPsec profile
Always use the interface name as tunnel source, never the IP address

Incorrect!
interface Tunnel0
 tunnel source 172.16.200.201

Correct
interface Tunnel0
 tunnel source GigabitEthernet0/0
Each IPsec profile can have either an IKEv1 or IKEv2 profile, not both
Tunnel interface selection in Phase 2 based on IKE profile
IKE profile on Tunnel must match the one derived by IKE from peer ID

Configuration:
  Allows different IPsec profiles to coexist on the same local address
  Allows IKEv1 & IKEv2 tunnels to coexist with the same source address
  IKEv1 profile remains optional on initiator & responder
  IKEv2 profile becomes mandatory on responder (already mandatory on initiator)
  dVTI responder: profile derived by IKE assigned to Virtual-Access upon creation
Behavior changes:
  Tunnel with IKEv1 profile no longer accepts all IKEv2 connections (& vice-versa)
  Makes Tunnel selection deterministic, removes ambiguities for good
FlexVPN hub (IKEv2 profile with certificate map and AAA authorization):
aaa new-model
aaa authorization network rad group radius
!
crypto pki certificate map cisco-map 10
 subject-name co o = cisco
!
crypto ikev2 name-mangler ou
 dn organization-unit
!
crypto ikev2 profile default
 match address local interface Ethernet0/0
 match certificate cisco-map
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root-ca
 aaa authorization group cert list radius name-mangler ou
 virtual-template 2
!
interface Virtual-Template2 type tunnel
 ip nhrp redirect
 tunnel protection ipsec profile default

FlexVPN spoke (Tunnel2 to the hub, Virtual-Template2 for spoke-to-spoke shortcuts):
aaa new-model
aaa authorization network here local
!
crypto pki certificate map cisco-eng 10
 subject-name co o = cisco
 subject-name co ou = eng
!
crypto ikev2 profile default
 match certificate cisco-eng
 ...
 aaa authorization group cert list here default
 virtual-template 2
!
interface Tunnel2
 ip unnumbered Loopback2
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 2
 tunnel source Ethernet0/0
 tunnel destination 172.16.20.1
 tunnel key 2
 tunnel protection ipsec profile default
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback2
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 2
 tunnel key 2
 tunnel protection ipsec profile default
Migrating from DMVPN to FlexVPN (diagram: FlexVPN Hub and DMVPN hub reached over WAN/MPLS; the Spoke connects to both)
2) Progressive approach:
  Make the FlexVPN routes less preferred (change metrics on the hubs)
Advantages:
  No need for DMVPN and FlexVPN to coexist (no need to share tunnel source)
  Tunnel addressing scheme can be reused
Disadvantages:
  Only practical for small number of spokes
  Potentially long maintenance window required
  Downtime is unavoidable

Progressive approach:
Advantages:
  Spoke sites can be prepared in sequence
  FlexVPN fully brought up (incl. routing) while DMVPN remains in production
  Short maintenance window required for switchover, easy rollback
  Virtually no downtime (just re-routing)
Disadvantage:
  IKEv1 and IKEv2 must coexist on the same device
(diagram: Spoke with Loopback0 172.16.100.1/32 and Ethernet0/0 172.16.1.1/30 towards WAN/MPLS)
(diagram: Spoke with Ethernet0/0 172.16.1.1/30 towards WAN/MPLS, existing DMVPN tunnel)
crypto ipsec profile DMVPN
 set transform-set tset
 set isakmp-profile DMVPN
!
interface Tunnel1
 ...
 tunnel source Ethernet0/0
 tunnel protection ipsec profile DMVPN
Before we part

Call to Action
Attend these recommended sessions:
  Advanced IPSec with FlexVPN and IKEv2 (BRKSEC-3013, Frederic Detienne)