Line 1: |
Line 1: |
| ==Introduction== | | ==Introduction== |
| | | |
− | <b>Dynamic Multipoint VPN</b> (<b>DMVPN</b>) is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco routers. This article contains step=by=step instructions on how to configure DMVPN between a "Hub" and two "Spokes" using RUT9xx routers. | + | <b>Dynamic Multipoint VPN</b> (<b>DMVPN</b>) is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco routers. This article contains step-by-step instructions on how to configure DMVPN between a "Hub" and two "Spokes" using RUT9xx routers. |
| | | |
| ==Prerequisites and overview== | | ==Prerequisites and overview== |
Line 10: |
Line 10: |
| <li>At least two RUT9xx routers</li> | | <li>At least two RUT9xx routers</li> |
| <li>A PC to configure the routers</li> | | <li>A PC to configure the routers</li> |
| + | <li>(optional) A Cisco router</li><li>HUB has to be reachable from spokes (HUB must have Public IP address, or has to be in the same WAN network as Spokes) |
| + | </li> |
| </ul> | | </ul> |
| ---- | | ---- |
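Review bot: the added prerequisite row packs two list items onto one line and closes the second <li> on the following line; put each <li>…</li> on its own line like the existing entries. The same text writes "HUB" and "spokes" where the rest of the article uses "Hub" and "Spokes". The reachability requirement would read more clearly as one condition: the Hub must be reachable from the Spokes, either through a public IP address or by being in the same WAN network.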
Line 18: |
Line 20: |
| ==Spoke configuration== | | ==Spoke configuration== |
| | | |
− | This section contains information on how to configure DMVPN <b>Spokes</b>. Particularly, | + | This section contains information on how to configure DMVPN <b>Spokes</b>. Firstly, we'll configure the DMVPN instance to make to the connection possible. Then we'll set the <b>Border Gateway Protocol</b> (<b>BGP</b>) parameters as our dynamic routing solution. |
| + | |
| + | <b>Note</b>: at the moment, BGP is the only stable dynamic routing solution that can work with DMVPNs. |
| | | |
| ===Spoke configuration: DMVPN=== | | ===Spoke configuration: DMVPN=== |
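Review bot: the new introductory sentence has a stray word in "to make to the connection possible"; it should read "to make the connection possible". The added note says BGP is "at the moment" the only stable dynamic routing option, but gives no firmware version or date, so a reader cannot tell whether it still holds; name the firmware release the statement applies to.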
Line 44: |
Line 48: |
| <b>Step 1</b>: enable BGP:<br>[[File:Dmvpn_5_1_v1.png]] | | <b>Step 1</b>: enable BGP:<br>[[File:Dmvpn_5_1_v1.png]] |
| ---- | | ---- |
− | <b>Step 2</b>: configure BGP instance:<br>[[File:Dmvpn_2_1_v1.png]] | + | <b>Step 2</b>: configure BGP instance:<br>[[File:Dmvpn_5_2_v1.png]] |
| ---- | | ---- |
− | <b>Step 3</b>: configure BGP peer:<br>[[File:Dmvpn_2_2_v1.png]] | + | <b>Step 3</b>: configure BGP peer:<br>[[File:Dmvpn_5_3_v1.png]] |
| ---- | | ---- |
| <b>Step 4</b>: save changes | | <b>Step 4</b>: save changes |
Line 80: |
Line 84: |
| ---- | | ---- |
| <b>Step 4</b>: save changes | | <b>Step 4</b>: save changes |
| + | |
| + | ==Cisco configuration== |
| + | |
| + | If you plan on using a Cisco router with this topology, you can use the configuration provided in this section. The configuration is set in accordance with the configuration scheme in [[DMVPN_configuration#Prerequisites_and_overview|section 2]] of this article. |
| + | |
| + | ===Cisco Spoke configuration: DMVPN=== |
| + | ---- |
| + | |
| + | crypto isakmp policy 1 |
| + | encr aes |
| + | hash md5 |
| + | authenticatio pre-share |
| + | group 5 |
| + | ! |
| + | crypto isakmp key 1234 address 192.168.1.30 |
| + | ! |
| + | ! |
| + | crypto ipsec transform-set DMVPN-TS esp-3des esp-md5-sha256 |
| + | mode transport |
| + | ! |
| + | crypto ipsec profile DMVPN |
| + | set security-association lifetime secnds 86400 |
| + | set transform-set DMVPN-TS |
| + | ! |
| + | interface Tunnel0 |
| + | description mGRE - DMVPN Tunnel |
| + | ip address 10.1.1.1 255.255.255.0 |
| + | ip nhrp network-id 1 |
| + | ip nhrp nhs 10.1.1.3 nbma 192.168.1.30 |
| + | ip nhrp shortcut |
| + | ip nhrp redirect |
| + | tunnel source GigabitEthernet0/0/1 |
| + | tunnel destination 192.168.1.30 |
| + | tunnel key 1234 |
| + | tunnel protectio ipsec profile DMVPN |
| + | ! |
| + | interface GigabitEthernet0/0/1 |
| + | description Wired DMVPN |
| + | ip address 192.168.1.100 255.255.255.0 |
| + | negotiation auto |
| + | |
| + | ===Cisco Spoke configuration: BGP=== |
| + | ---- |
| + | |
| + | router bgp 65002 |
| + | bgp log-neighbor-changes |
| + | network 10.1.1.0 mask 255.255.255.0 |
| + | neighbor spokes-ibgp peer-group |
| + | neighbor spokes-ibgp remote-as 65001 |
| + | neighbor spokes-ibgp route-reflector-client |
| + | neighbor spokes-ibgp soft-reconfiguration inbound |
| + | neighbor 10.1.1.3 peer-group spokes-ibgp |
| + | |
| + | ===Cisco Hub configuration=== |
| + | ---- |
| + | interface Tunnel0 |
| + | description mGRE - DMVPN Tunnel |
| + | ip address 10.1.1.3 255.255.255.0 |
| + | ip nhrp network-id 1 |
| + | ip nhrp nhs dynamic nbma multicast |
| + | ip nhrp shortcut |
| + | ip nhrp redirect |
| + | tunnel source GigabitEthernet0/0/1 |
| + | tunnel key 1234 |
| + | tunnel protection ipsec profile DMVPN |
| + | ! |
| + | router bgp 65001 |
| + | bgp log-neighbor-changes |
| + | network 10.1.1.0 mask 255.255.255.0 |
| + | neighbor spokes-ibgp peer-group |
| + | neighbor spokes-ibgp remote-as 65001 |
| + | neighbor spokes-ibgp route-reflector-client |
| + | neighbor spokes-ibgp soft-reconfiguration inbound |
| + | neighbor 10.1.1.3 peer-group spokes-ibgp |
| + | neighbor 10.1.1.2 peer-group spokes-ibgp |
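Review bot: the crypto parameters in the added Cisco spoke block are weak for a reference configuration, and several lines will not be accepted as written. "hash md5", "group 5", "esp-3des" and the pre-shared key "1234" (the same value is reused as the tunnel key) should be replaced with AES, a SHA-2 hash, a stronger DH group and a clearly marked placeholder for a long random key. In "set security-association lifetime secnds 86400" the keyword "seconds" is misspelled, "esp-md5-sha256" does not look like a valid transform name, and "authenticatio" and "protectio" are truncated keywords that should be spelled out. The spoke's Tunnel0 is described as mGRE but carries "tunnel destination 192.168.1.30", which makes it a point-to-point tunnel; confirm which is intended given that "ip nhrp shortcut" is also set. In the BGP blocks, the spoke runs "router bgp 65002" yet peers through a group named spokes-ibgp with remote-as 65001 and route-reflector-client, which only fits the hub, and the hub lists 10.1.1.3, its own Tunnel0 address, as a neighbor. The hub section also references the IPsec profile DMVPN without defining the ISAKMP policy, transform set or profile, so it is not usable on its own.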