Dual CCIE friend & DMVPN

I just received a call from a good friend of mine. He told me he had just passed his CCIE Data Centre lab exam, which now makes him a dual CCIE RS/DC. He works for a company based in Queensland that claims to maintain 10000 networks and is considered the 2nd largest network in Australia, even though they are not a service provider. I think it took him 3 attempts before passing this one, pretty much the same number of lab attempts it took him to pass his R&S.

I am aware of the passing rate of CCIE lab exam takers and, to be honest, I don't intend to fail my first attempt. For one, I couldn't afford it, so I am really studying my butt off hoping that won't happen.

Anyway, speaking of labs, this week I have been working on the topic of VPNs. DMVPN is probably my favorite. Dynamic Multipoint VPN has 4 components, namely IPsec, NHRP, GRE and routing. It's your modern replacement for NBMA and frame-relay networks. You can use it as a back-up for your MPLS L3 VPN solution, as long as you know how to traffic-engineer your traffic.

Since this is an overlay on your internet connection, expect additional bytes on every packet; hence you do need to configure ip mtu and ip tcp adjust-mss on the tunnel to control fragmentation. Another cool feature of DMVPN is its ability to do spoke-to-spoke routing with DMVPN Phase 3, with a single command on the hub and spoke.

In my config below, I've written a simple DMVPN Phase 1 solution using RIPv2 as the routing protocol.

Spoke:

!
! IKEv1 (ISAKMP) policy: must match the hub. 3DES, MD5 and DH group 2 are legacy
! settings; on platforms that support it, prefer AES, SHA-2 and a stronger DH group.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
! Pre-shared key for the hub's public (NBMA) address
crypto isakmp key cisco address 169.254.1.5
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-SHA
!
interface Tunnel0
 ip address 155.0.1.1 255.255.255.0
 ! GRE + IPsec overhead: lower the tunnel MTU and clamp TCP MSS to MTU - 40
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPAUTH
 ip nhrp network-id 1
 ! static map of the hub's tunnel address to its NBMA address, plus multicast
 ! (needed for RIP updates) towards the hub; the hub is the next-hop server
 ip nhrp map 155.0.1.5 169.254.1.5
 ip nhrp map multicast 169.254.1.5
 ip nhrp nhs 155.0.1.5
 tunnel mode gre multipoint
 tunnel key 2
 tunnel source FastEthernet0/0.100
 tunnel protection ipsec profile DMVPN_PROFILE
!
router rip
 version 2
 no auto-summary
 network 150.1.0.0
 ! network statements are classful: 155.0.0.0 covers the tunnel address
 ! 155.0.1.1, whereas 155.1.0.0 would not and RIP would never run over Tunnel0
 network 155.0.0.0
 passive-interface default
 no passive-interface Tunnel0
!

Hub:

! IKEv1 (ISAKMP) policy: must match the spokes (same legacy-algorithm caveat as above)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
! Wildcard peer address: any spoke presenting this pre-shared key is accepted.
! Per-spoke keys or certificates give better accountability than one shared key.
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-SHA
!
interface Tunnel0
 ip address 155.0.1.5 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPAUTH
 ip nhrp network-id 1
 ! spokes register dynamically; replicate multicast (RIP updates) to each of them
 ip nhrp map multicast dynamic
 ! with more than one spoke the hub must re-advertise one spoke's routes out of
 ! the same interface to the others, which split horizon would otherwise block
 no ip split-horizon
 tunnel mode gre multipoint
 tunnel key 2
 tunnel source FastEthernet0/0.100
 tunnel protection ipsec profile DMVPN_PROFILE
!
router rip
 version 2
 no auto-summary
 ! classful statement covering the tunnel address 155.0.1.5
 network 155.0.0.0
 network 150.1.0.0
 passive-interface default
 no passive-interface Tunnel0
!
