Cisco IOS DMVPN: February 2008
Overview
February 2008
Cisco.com/go/dmvpn
Feature: Cisco VPN solutions offer rich integration of VPN with several routing protocols such as OSPF, EIGRP, BGP, and RIPv2, enabling scalable services without degrading performance.
Single-layer DMVPN
[Figure: single-layer DMVPN design (mostly). Sites: Corporate Office (Intranet, Frame Relay WAN, PSTN or ISDN), Branch or Remote Office (Internet, Broadband), Extranet Suppliers and Partners. Links: Primary WAN Link, Backup DMVPN Link, terminating on the VPN Hub.]
Hub-and-spoke and spoke-to-spoke networks. Different size networks (number of spokes), but also supporting many DMVPN networks on the same set of hub routers.
* Scaling can be increased by using a BGP Route Reflector model; i.e., terminating the BGP session at the hub location on a number of BGP route reflectors (the hub is a route reflector client).
** Can be used for spoke-to-spoke.
NHRP registration
Spoke dynamically registers its mapping with NHS
Supports spokes with dynamic NBMA addresses or NAT
[Figure: Spoke A (LAN 192.168.1.0/24, router at .1; physical address dynamic; Tunnel0 10.0.0.11) and Spoke B (LAN 192.168.2.0/24, router at .1; physical address dynamic; Tunnel0 10.0.0.12) register with the hub (NHS), which does not know the spokes' physical IP addresses in advance. After registration the hub's NHRP mapping table holds: Tunnel0 10.0.0.11 -> Physical 172.16.1.1 (dynamic); Tunnel0 10.0.0.12 -> Physical 172.16.2.1 (dynamic).]
Hub-and-spoke
Spoke-to-spoke traffic goes through the hub; requires about the same number of tunnels as spokes
– Hub bandwidth and CPU limit the VPN
– Server Load Balancing: many “identical” hubs increase CPU power; spoke-to-spoke design under consideration
Spoke-to-spoke: dynamic spoke-to-spoke tunnels
Control traffic: hub-and-spoke; hub to hub
– Hub-and-spoke single-layer
– Hierarchical hub-and-spoke layers
Unicast data traffic: dynamic mesh
– Spoke routers support spoke-to-hub and spoke-to-spoke tunnels
Number of tunnels falls between n (hub-and-spoke) and n² (full mesh), where n is the number of spokes
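As an added example (not taken from the deck), a minimal IOS configuration for the NHRP registration and dynamic spoke-to-spoke behaviour described above: a hub acting as NHS that accepts registrations from dynamically addressed spokes, and one spoke that registers with it and builds spoke-to-spoke shortcut tunnels on the hub's redirect. Tunnel and NBMA addresses come from the deck's diagrams; the transform-set, profile and key names and the spoke's Dialer0 source interface are assumptions.

```cisco
! Hub (NHS). Tunnel 10.0.255.254/16 and NBMA 172.17.0.1 follow the deck's SLB
! slide; DMVPN-TS, DMVPN-PROF, NHRPKEY and the ISAKMP key are assumed placeholders.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! Wildcard PSK because spoke NBMA addresses are dynamic or NATed. Any peer that
! holds the key can negotiate, so certificates (crypto pki) scale more safely.
crypto isakmp key REPLACE-WITH-STRONG-KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.255.254 255.255.0.0
 ip nhrp authentication NHRPKEY
! "map multicast dynamic": replicate routing-protocol multicast to registered spokes
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
! "redirect": tell spokes to resolve and build spoke-to-spoke tunnels (Phase 3)
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Spoke A: dynamic NBMA address (possibly behind NAT), Tunnel0 10.0.0.11 as in the
! NHRP registration slide. Only the hub mapping is static; spoke-to-spoke mappings
! are learned through NHRP resolution after the hub sends a redirect.
interface Tunnel0
 ip address 10.0.0.11 255.255.0.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.255.254 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 1
! "nhs": register this spoke's tunnel-to-NBMA mapping with the hub
 ip nhrp nhs 10.0.255.254
! "registration no-unique": allow re-registration when the dynamic address changes
 ip nhrp registration no-unique
! "shortcut": act on hub redirects and install the spoke-to-spoke path
 ip nhrp shortcut
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

Spoke B is configured identically with Tunnel0 10.0.0.11 replaced by 10.0.0.12; "show dmvpn" on the hub then lists both registered NBMA addresses.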
© 2007 Cisco Systems, Inc. All rights reserved. 25
Network Designs
[Figure: Hub-and-Spoke design (spoke-to-hub tunnels; hubs behind a load balancer) beside Spoke-to-Spoke design (spoke-to-spoke path; hubs under a super hub). Spoke A: LAN 192.168.1.0/24, router at .1, PC at .25. Spoke B: LAN 192.168.2.0/24, router at .1, web server at .37; physical address dynamic; Tunnel0 10.0.0.11, Tunnel1 10.0.1.11.]
In this way, even low-end routers (e.g. Cisco 1800) can participate in large IPsec VPNs with thousands of nodes, as they do not need to maintain large numbers of simultaneous spoke-to-spoke tunnels.
Distributed Encryption with SLB
[Figure: two hubs (Cisco 7201 or 7301 routers) at .2 and .3 on 10.1.1.0/24 and 10.1.2.0/24, each with Loopback 172.17.0.1 and Tunnel0 10.0.255.254/16, behind a load balancer at .1 (VIP 172.17.0.1, no tunnel) on 10.1.0.0/24, with the physical interface at .2/.3 facing the provider. Spoke A (192.168.1.1/24; physical 172.16.1.1 dynamic; Tunnel0 10.0.0.1) and Spoke B (192.168.2.1/24; physical 172.16.2.1 dynamic; Tunnel0 10.0.0.2) both tunnel to 172.17.0.1.]
Integrated Encryption with SLB
[Figure: Spoke A (192.168.1.0/24, router at .1, PC at .25; physical dynamic; Tunnel0 10.0.0.11), Spoke B (192.168.2.0/24, router at .1, web server at .37; physical dynamic; Tunnel0 10.0.0.12) and Spoke C connected through the load-balanced hubs.]
DMVPN Dual Hub Spoke-to-Spoke
[Figure: two hubs under a super hub, each spoke tunnelling to both hubs.]
Show
  show dmvpn [peer {{{nbma | tunnel} ip_address} | {network ip_address mask} | {interface tunnel#} | {vrf vrf_name}}] [detail] [static]
Debug
  debug dmvpn [{error | event | detail | packet | all} {nhrp | crypto | tunnel | socket | all}]
  debug dmvpn condition [peer {{{nbma | tunnel} ip_address} | {network ip_address mask} | {interface tunnel#} | {vrf vrf_name}}]
Logging
  logging dmvpn {<cr> | rate-limit <0-3600>}