Cisco Systems 3725, 831, 1751, 3745 User Manual


SOLUTION OVERVIEW

CONFIGURING DYNAMIC MULTIPOINT VPN

WITH ON-DEMAND ROUTING

OVERVIEW

This document provides a sample configuration for On-Demand Routing (ODR) with Dynamic Multipoint VPN (DMVPN) in a hub-and-spoke topology. The DMVPN feature simplifies the hub router IPsec configuration and supports dynamic IP addresses at the spoke router. DMVPN combines Generic Routing Encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). It provides IP routing for remote sites while minimizing the overhead on the network devices. This sample configuration also provides load balancing across dual ODR hub routers, failover to a single hub when one hub router fails, and recovery when the failed hub router returns to service.

Figure 1. Network Diagram

PREREQUISITES

The sample configuration is based on the following assumptions:

Public IP addresses for the hub routers (10.0.149.221 and 10.0.149.220)

The DMVPN networks for the tunnel interfaces on the two hubs are 192.168.1.0/24 and 192.168.2.0/24

The spoke router can use a static or a dynamic IP address

The example uses Enhanced Interior Gateway Routing Protocol (EIGRP) as its dynamic routing protocol

The example uses pre-shared keys for authentication

Split tunneling is disabled for the spoke router, so all Internet traffic from the spoke goes through the hub

LIMITATIONS

This guide provides the DMVPN configuration, but does not cover the following:

Full router security audit: run a Security Device Manager (SDM) security audit in the wizard mode to lock down and secure the router.

Initial router configuration steps: the full configuration is shown in the following section.

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 1 of 16

This configuration guide uses private addresses only. When using private addresses and connecting to the Internet, an appropriate Network Address Translation (NAT) or Port Address Translation (PAT) configuration is required to provide connectivity over the Internet.

ODR provides only a default route to the spoke; the configuration supports a hub-and-spoke topology only, with no split tunneling.

PRECAUTIONS

Before configurations are made to any router, confirm the following:

The spoke router can reach the DMVPN hub directly over the Internet.

The DMVPN hub is configured and operational.

COMPONENTS

Cisco IOS Software Release 12.3(11)T3(fc2)

Cisco 831, 1751, 3725 and 3745 Routers

Figure 1 illustrates the network for the sample configuration.

The information presented in this document was created from devices in a specific lab environment. All devices started with a cleared (default) configuration. It is imperative to understand the potential impact of any command before implementing it in a live network.

This configuration uses two DMVPN hub routers. Each hub router is configured with a separate DMVPN tunnel network (192.168.1.0/24 and 192.168.2.0/24). The first tunnel on the spokes is used for direct connectivity through the first DMVPN hub and the second tunnel on the spokes is used for the second DMVPN hub. During normal operations with dual hubs, the spoke router load-balances the traffic between both hubs.

Connectivity between the spoke routers is provided through the hub routers in a hub-and-spoke topology. When a hub fails, ODR times out the routes over the failed path, and the spoke uses the single remaining path to the active hub router.

With ODR, the hub router learns the remote networks through the Cisco Discovery Protocol (CDP). CDP is disabled on tunnel interfaces by default, so it must be enabled on the tunnel interface for the hub and spoke routers to exchange routes. ODR pushes a default route from the hub router to the spoke router. The hub router accepts only the spoke network ranges permitted by “distribute-list 101 in”; this prevents it from learning the spoke router's public DHCP network over the tunnel interface through ODR. All routing protocols must be disabled on the spoke routers for ODR to become active on them.

By default, CDP sends updates every sixty seconds. This update interval may not be frequent enough to provide fast re-convergence of IP routes on the hub router side of the network. A quicker re-convergence rate may be necessary if the spoke connects to one of several hub routers over asynchronous interfaces such as modem lines.

ODR expects to receive periodic CDP updates, which contain IP prefix information. When ODR fails to receive updates for routes that it has installed in the routing table, these ODR routes are first marked invalid and eventually removed from the routing table (by default, ODR routes are marked invalid after 180 seconds and are removed from the routing table after 240 seconds). These defaults are based on the default CDP update interval. Configuration changes made to either the CDP or ODR timers should be reflected through changes made to both.

For additional information about configuring ODR timers, refer to: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75f.html#1000989
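As an added illustration (not part of the Cisco document), the following Python models the two rules described above: the hub's "distribute-list 101 in" decision, using IOS wildcard-mask matching for "access-list 101 permit ip any 192.168.0.0 0.0.255.255", and the requirement that the ODR invalid and flush timers stay at 3x and 4x the CDP update interval. The spoke LAN prefixes come from the hub's routing table in this document; 10.0.150.0/24 as the spoke's public DHCP network is an assumption.

```python
import ipaddress

# access-list 101 permit ip any 192.168.0.0 0.0.255.255 (from the hub config).
# In the document's ACL the prefix is carried in the destination field; the
# "any" source field imposes no constraint, so only the destination is modeled.
ACL_101 = [("permit", "192.168.0.0", "0.0.255.255")]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_permits(prefix: str, acl=ACL_101) -> bool:
    """Evaluate the numbered ACL used as the ODR distribute-list against a
    route prefix; an unmatched prefix hits the implicit deny at the end."""
    network = str(ipaddress.IPv4Network(prefix).network_address)
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False  # implicit deny

def filter_odr_routes(advertised: dict) -> dict:
    """Apply the distribute-list to prefixes a spoke would announce via CDP.
    Returns {prefix: accepted_by_hub}."""
    return {prefix: acl_permits(prefix) for prefix in advertised}

def odr_timers_consistent(cdp_interval: int, invalid: int, flush: int) -> bool:
    """The ODR defaults (180 s invalid, 240 s flush) are 3x and 4x the 60 s
    CDP default; the document says to keep both in step when either is changed."""
    return invalid == 3 * cdp_interval and flush == 4 * cdp_interval

# Constructed sample: the two spoke LANs seen in the hub's routing table plus an
# assumed spoke public DHCP network that must never be learned over the tunnel.
SPOKE_ADVERTISED = {"192.168.27.0/24": "spoke LAN (via 192.168.1.11)",
                    "192.168.16.0/24": "spoke LAN (via 192.168.1.10)",
                    "10.0.150.0/24": "assumed spoke public DHCP network"}

if __name__ == "__main__":
    for prefix, accepted in filter_odr_routes(SPOKE_ADVERTISED).items():
        verdict = "accepted" if accepted else "dropped by distribute-list 101"
        print(f"{prefix:18} {verdict}")
    print("default timers consistent:", odr_timers_consistent(60, 180, 240))
    print("CDP 30 s, ODR defaults:   ", odr_timers_consistent(30, 180, 240))
```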


CONFIGURATION OF THE CISCO 3725 ROUTER

The following is the configuration of the hub router:

Current configuration:
!
version 12.3
!
hostname c3725-21
!
no aaa new-model
!
ip subnet-zero
ip cef
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 delay 1000
 cdp enable
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/0
 ip address 10.0.149.221 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.20.21 255.255.255.0
 duplex auto
 speed 100
!
router odr
 distribute-list 101 in
!
router eigrp 1
 redistribute odr metric 2000 100 255 255 1400
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.20.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.149.207
!
!
access-list 101 permit ip any 192.168.0.0 0.0.255.255
!
end


VERIFYING THE CISCO 3725 ROUTER RESULTS

Normal Operation

This section provides information that can be used to confirm that the configuration is working properly.

c3725-21#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.149.207 to network 0.0.0.0

o    192.168.27.0/24 [160/1] via 192.168.1.11, 00:00:52, Tunnel0
C    192.168.20.0/24 is directly connected, FastEthernet0/1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.149.0 is directly connected, FastEthernet0/0
o    192.168.16.0/24 [160/1] via 192.168.1.10, 00:00:21, Tunnel0
C    192.168.1.0/24 is directly connected, Tunnel0
D    192.168.2.0/24 [90/2818560] via 192.168.20.20, 06:03:24, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 10.0.149.207

c3725-21#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.150.1 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.0.150.1
      Desc: (none)
  IKE SA: local 10.0.149.221/500 remote 10.0.150.1/500 Active
          Capabilities:D connid:10 lifetime:20:55:47
  IPSEC FLOW: permit 47 host 10.0.149.221 host 10.0.150.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 6829 drop 0 life (KB/Sec) 4503324/3143
        Outbound: #pkts enc'ed 65167 drop 1 life (KB/Sec) 4503313/3143

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.150.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.0.150.2
      Desc: (none)
  IKE SA: local 10.0.149.221/500 remote 10.0.150.2/500 Active
          Capabilities:D connid:11 lifetime:20:56:02
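The confirmation this section describes can be automated. The following Python is an added example, not part of the Cisco document: it parses excerpts of the two show commands above (the excerpts are constructed from the output on this page; the second peer's IPsec flow lines are not shown on the page and are omitted) and checks that each expected spoke LAN is an ODR route over Tunnel0 from its spoke tunnel address and that every IPsec peer session is UP-ACTIVE with Dead Peer Detection negotiated. The expected spoke-to-LAN mapping is taken from the routing table above.

```python
import re

# Constructed excerpts of the hub's "show ip route" and "show crypto session
# detail" output as printed in this document.
SHOW_IP_ROUTE = """\
o    192.168.27.0/24 [160/1] via 192.168.1.11, 00:00:52, Tunnel0
C    192.168.20.0/24 is directly connected, FastEthernet0/1
o    192.168.16.0/24 [160/1] via 192.168.1.10, 00:00:21, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.0.149.207
"""
SHOW_CRYPTO_SESSION = """\
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.150.1 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 10.0.149.221/500 remote 10.0.150.1/500 Active
          Capabilities:D connid:10 lifetime:20:55:47
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.150.2 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 10.0.149.221/500 remote 10.0.150.2/500 Active
          Capabilities:D connid:11 lifetime:20:56:02
"""
# Matches an ODR entry: "o  <prefix> [ad/metric] via <next-hop>, <age>, <iface>"
ODR_ROUTE = re.compile(r"^o\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+\S+,\s+(\S+)")

def odr_routes(text):
    """Return {prefix: (next_hop, interface)} for the ODR ('o') entries only."""
    found = (ODR_ROUTE.match(line) for line in text.splitlines())
    return {m.group(1): (m.group(2), m.group(3)) for m in found if m}

def crypto_sessions(text):
    """Per-peer summary {peer: {"status": ..., "dpd": bool}}; the session status
    line precedes the Peer line, so it is remembered and attached to the peer."""
    sessions, cur, status = {}, None, None
    for s in (line.strip() for line in text.splitlines()):
        if s.startswith("Session status:"):
            status = s.split(":", 1)[1].strip()
        elif s.startswith("Peer:"):
            cur = {"status": status, "dpd": False}
            sessions[s.split()[1]] = cur
        elif cur is not None and s.startswith("Capabilities:"):
            cur["dpd"] = "D" in s.split()[0].split(":", 1)[1]  # D = DPD
    return sessions

# Expected spoke LANs and the spoke tunnel address that must be their next hop.
EXPECTED_SPOKES = {"192.168.27.0/24": "192.168.1.11", "192.168.16.0/24": "192.168.1.10"}

def hub_healthy(route_text, session_text, expected=EXPECTED_SPOKES):
    """True when every expected spoke LAN is learned by ODR over Tunnel0 from its
    spoke and every IPsec peer session is UP-ACTIVE with DPD negotiated."""
    routes = odr_routes(route_text)
    if any(routes.get(p) != (nh, "Tunnel0") for p, nh in expected.items()):
        return False
    sessions = crypto_sessions(session_text)
    return bool(sessions) and all(s["status"] == "UP-ACTIVE" and s["dpd"]
                                  for s in sessions.values())
```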
