Dynamic Multipoint VPN (DMVPN) combines multipoint GRE (mGRE), the Next Hop Resolution Protocol (NHRP) and IPsec into a hub-and-spoke overlay built on GRE over IPsec. The hub is configured once with a single multipoint tunnel interface; any number of spokes can then be added without changing the hub configuration, the GRE encapsulation carries multicast and non-IP traffic, and dynamic routing protocols run over the overlay.
DMVPN is a Cisco technology and the configuration in this article is for Cisco IOS routers; check that your platform and software version support it before planning a deployment.
The four technical components that implement DMVPN are mGRE (multipoint tunnelling), NHRP (Next Hop Resolution Protocol), IPsec, and a dynamic routing protocol (mainly EIGRP, OSPF or BGP).
mGRE lets the hub terminate tunnels from any number of spokes on one tunnel interface, configured once. It also carries multicast over the tunnel, which the dynamic routing protocols need to discover neighbours and exchange updates.
NHRP maintains the mapping between a tunnel (overlay) address and the public (NBMA) address behind it. Each spoke registers its mapping with the hub, which acts as the next-hop server (NHS); that registration is the precondition for routing between spoke and hub, and the same resolution mechanism lets one spoke look up another spoke's public address, which is the basis for spoke-to-spoke tunnels.
IPsec protects the data in transit: without it the mGRE tunnels are plaintext, and the GRE tunnel key is only an identifier, not a security control.
The dynamic routing protocol exchanges routes across the overlay so that hub and spokes learn each other's prefixes and stay consistent as spokes come and go.
Topology: R1 is the hub, R2 is the ISP, and the remaining routers are spokes.
Hub configuration:
- IPsec VPN part of the configuration
crypto isakmp policy 1
encr 3des //Lab value: 3DES, MD5 and DH group 2 are all deprecated; use AES, SHA-2 and DH group 14 or higher in production
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 //One wildcard pre-shared key accepted from any peer address: anyone who learns it can register as a spoke, so treat it as a secret and rotate it, or use certificate authentication
crypto ipsec transform-set DC esp-3des esp-md5-hmac
mode tunnel //Tunnel mode works, but Cisco's DMVPN guidance uses transport mode: GRE already encapsulates, so transport mode saves 20 bytes per packet and is the mode recommended when spokes sit behind NAT
crypto ipsec profile profile1
set transform-set DC
- Tunnel part of the configuration
interface Tunnel1
bandwidth 1000 //The tunnel interface's default bandwidth is very low (about 9 kbps on older IOS); raising it only affects what the dynamic routing protocol sees, e.g. the EIGRP metric, and hub and spokes should use the same value
ip address 169.254.1.1 255.255.255.0
ip mtu 1400 //Maximum transmission unit of the tunnel, leaving room for the GRE and IPsec overhead
no ip next-hop-self eigrp 20 //For spoke-to-spoke traffic: the hub advertises a route learned from spoke 1 to spoke 2 with spoke 1's tunnel address as next hop, instead of rewriting it to the hub's own tunnel address
no ip split-horizon eigrp 20 //Disable EIGRP split horizon on the tunnel so the hub advertises routes learned from one spoke back out of the same interface to the other spokes
ip nhrp authentication cisco456 //Authentication string spokes must present when registering with the hub; it travels in plaintext inside NHRP (protected only by IPsec) and serves to separate NHRP domains, not as a secret
ip nhrp map multicast dynamic //Automatically add a multicast mapping for each spoke as it registers, so routing-protocol multicast reaches every registered spoke over its tunnel
ip nhrp network-id 1 //NHRP network identifier; it is locally significant on IOS, but the convention is to use the same value on the hub and every spoke
tunnel source Ethernet0/0 //The public-network physical interface the tunnel is sourced from
tunnel mode gre multipoint //Set the tunnel mode to multipoint GRE
tunnel key 1024 //GRE tunnel key; it must match on all routers or packets are dropped, but it is not a security control
tunnel protection ipsec profile profile1 //Encrypt the tunnel with IPsec profile profile1
- Interface configuration
interface Ethernet0/0
ip address 100.0.1.2 255.255.255.252
end
Spoke configuration
- IPsec VPN configuration
crypto isakmp policy 1
encr 3des //Same lab-grade settings as the hub; the ISAKMP policy, pre-shared key, transform set and tunnel key must be compatible on both ends
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 //Wildcard on the spoke too, because spoke-to-spoke tunnels negotiate IPsec directly with other spokes' public addresses
crypto ipsec transform-set B1 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec profile profile1
set transform-set B1
- Tunnel section configuration
interface Tunnel1
bandwidth 1000
ip address 169.254.1.3 255.255.255.0
ip mtu 1400
ip nhrp authentication cisco456
ip nhrp map 169.254.1.1 100.0.1.2 //Static unicast mapping from the hub's tunnel address to its public IP address
ip nhrp map multicast 100.0.1.2 //Static multicast mapping, so routing-protocol multicast from this spoke reaches the hub
ip nhrp network-id 1
ip nhrp nhs 169.254.1.1 //The hub's tunnel address, the next-hop server this spoke registers with
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1024
tunnel protection ipsec profile profile1
- Interface configuration
interface Ethernet0/0
ip address 100.0.3.2 255.255.255.252
end
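The IPsec settings in both configurations above (3DES, MD5, DH group 2, a single wildcard pre-shared key, IPsec tunnel mode) are lab values. Below is an added example, not part of the original article or of Cisco's own documentation, of the same hub and spoke with the IPsec profile hardened (AES-256, SHA-256, DH group 14, dead-peer detection, IPsec transport mode) and with the EIGRP process and TCP MSS clamp that the original omits. The LAN prefixes 10.1.0.0/24 behind the hub and 10.3.0.0/24 behind the spoke, the pre-shared key string, the ISAKMP policy number 10 and the transform-set and profile names are assumptions; the tunnel addresses, public addresses, NHRP strings and tunnel key are the article's.

```cisco
! ================= Hub (R1) =================
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
! Assumed PSK. Still a wildcard: the hub cannot know spoke addresses in advance,
! so every spoke shares this one secret. Rotate it, or replace pre-shared keys
! with IKEv2 certificate authentication so each spoke has its own identity.
crypto isakmp key Xk7v-Qm2p-R9sd-Lt4w-Hb8n-Zc3f address 0.0.0.0 0.0.0.0
! Dead-peer detection: tear down the SAs of spokes that silently disappear
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel1
 bandwidth 1000
 ip address 169.254.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 no ip next-hop-self eigrp 20
 no ip split-horizon eigrp 20
 ip nhrp authentication cisco456
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 1024
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 20
 network 169.254.1.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
!
! ================= Spoke (tunnel address 169.254.1.3) =================
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
! Wildcard on the spoke as well, because spoke-to-spoke tunnels negotiate
! IPsec directly with other spokes' public addresses, not only with the hub
crypto isakmp key Xk7v-Qm2p-R9sd-Lt4w-Hb8n-Zc3f address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel1
 bandwidth 1000
 ip address 169.254.1.3 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco456
 ip nhrp map 169.254.1.1 100.0.1.2
 ip nhrp map multicast 100.0.1.2
 ip nhrp network-id 1
 ip nhrp nhs 169.254.1.1
 ip nhrp holdtime 600
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 1024
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 20
 network 169.254.1.0 0.0.0.255
 network 10.3.0.0 0.0.0.255
```

The MSS clamp of 1360 follows from the 1400-byte tunnel MTU minus 40 bytes of IP and TCP headers, so TCP sessions across the overlay never trigger fragmentation. The pre-shared key remains a single shared secret for the whole DMVPN, which is the structural weakness of this design; IKEv2 with certificate authentication is the usual way to give each spoke an individually revocable identity.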
Some problems with dynamic routing
- EIGRP
As mentioned above, to allow spoke-to-spoke connectivity in DMVPN, EIGRP split horizon must be disabled on the hub's tunnel interface, so that the hub advertises the routes it learns from one spoke to all the other spokes and hub and spokes end up with a consistent EIGRP routing table.
To avoid spoke-to-spoke traffic still being forwarded through the hub, next-hop-self must also be disabled on the hub's tunnel interface (no ip next-hop-self eigrp 20), so that the hub advertises each route with the originating spoke's tunnel address as next hop rather than its own.
PS: EIGRP split horizon means that routing information received on an interface is not advertised back out of that same interface.
- OSPF
OSPF behaves very differently depending on the network type. The default network type of a tunnel interface is point-to-point, but the hub's mGRE interface must form neighbours with several spokes at once, so with the default type the OSPF adjacencies, even if they come up, will flap (down/up). To solve this, change the OSPF network type on the tunnel interfaces to broadcast.
In addition, to solve the problem that the next hop for spoke-to-spoke traffic is the hub by default, raise the OSPF priority of the hub's tunnel interface so that the hub becomes the DR, and set the spokes' priority to 0 so that a spoke can never be elected (a spoke DR would have no adjacency to the other spokes).
The result after applying the above adjustments is shown below.
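An added example (not from the original article) of the broadcast-network-type approach just described, replacing EIGRP with OSPF on the hub and spoke configured above. OSPF process 1, area 0, the router IDs and the LAN prefixes 10.1.0.0/24 (hub) and 10.3.0.0/24 (spoke) are assumptions. Only the OSPF-specific lines are shown; the rest of Tunnel1 is as in the configurations above, minus the two EIGRP commands.

```cisco
! ---- hub (R1) ----
interface Tunnel1
 ip ospf network broadcast
 ip ospf priority 255
 ! highest priority: the hub, the only router with a tunnel to everyone,
 ! must win the DR election
!
router ospf 1
 router-id 169.254.1.1
 network 169.254.1.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.0.255 area 0
!
! ---- every spoke ----
interface Tunnel1
 ip ospf network broadcast
 ip ospf priority 0
 ! priority 0 makes the spoke ineligible for DR/BDR; a spoke elected DR would
 ! have no adjacency to the other spokes and the area would never converge
!
router ospf 1
 router-id 169.254.1.3
 network 169.254.1.0 0.0.0.255 area 0
 network 10.3.0.0 0.0.0.255 area 0
```

With the broadcast network type OSPF keeps the originating spoke's tunnel address as the next hop of its prefixes, so spoke-to-spoke traffic can use a direct mGRE tunnel once NHRP has resolved the other spoke's public address. With a single hub there is no BDR, so the loss of the hub drops every adjacency; dual-hub designs give the second hub the next-highest priority for that reason.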
Another way is to solve it through NHRP:
modify the OSPF network type to point-to-multipoint (no DR/BDR election).
With redirect and NHRP shortcut not enabled, the next hop of the spoke's routes is still the hub.
On the headquarters hub, turn on redirection (ip nhrp redirect).
On each branch spoke, turn on NHRP shortcut (ip nhrp shortcut), which lets the spoke send an NHRP resolution request when the hub redirects it.
After this configuration, trigger traffic between two spokes and you will see in show ip route that the next hop has been rewritten; such entries are marked with "%" (next-hop override).
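An added example (not from the original article) of the NHRP alternative: the hub sends redirects, the spokes install shortcuts, and OSPF runs as point-to-multipoint so no DR is needed. OSPF process 1 and area 0 are assumptions; the tunnel addresses are the article's. Only the lines that differ from the configurations above are shown.

```cisco
! ---- hub (R1), Tunnel1 additions ----
interface Tunnel1
 ip ospf network point-to-multipoint
 ip nhrp redirect
 ! when a packet from spoke A to spoke B enters and leaves Tunnel1, the hub
 ! still forwards it but also sends spoke A an NHRP traffic indication
!
router ospf 1
 network 169.254.1.0 0.0.0.255 area 0
!
! ---- every spoke, Tunnel1 additions ----
interface Tunnel1
 ip ospf network point-to-multipoint
 ip nhrp shortcut
 ! on the traffic indication the spoke sends an NHRP resolution request for
 ! spoke B's tunnel address, learns its public address, builds the direct
 ! IPsec tunnel and overrides the next hop (the "%" entry in show ip route)
!
router ospf 1
 network 169.254.1.0 0.0.0.255 area 0
```

Point-to-multipoint leaves the hub as the OSPF next hop for the other spokes' prefixes, which is exactly why the redirect/shortcut pair is needed: the override happens in the forwarding table, not in OSPF. show ip nhrp and show dmvpn list the dynamically learned spoke-to-spoke entries, and show ip route marks the overridden next hop with "%".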
Protocol flow
Hub-spoke tunnel establishment (permanent):
the spoke first establishes a GRE over IPsec VPN tunnel with the hub, then registers with the hub via NHRP, and finally the dynamic routing protocol forms its adjacency and exchanges routes.
Spoke-spoke tunnel establishment (temporary):
the spoke first resolves the target spoke's public address through the NHRP mapping, then establishes an IPsec tunnel directly to it, and then sends the encrypted data.
Reference links:
https://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/prod_presentation0900aecd80313c9d.pdf
https://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/prod_presentation0900aecd80313ca0.pdf