SOLUTION OVERVIEW
CONFIGURING DYNAMIC MULTIPOINT VPN
WITH ON-DEMAND ROUTING
OVERVIEW
This document provides a sample configuration for configuring On-Demand Routing (ODR) with Dynamic Multipoint VPN (DMVPN) in hub to
spoke configuration. The DMVPN feature simplifies the hub router IPsec configuration and supports dynamic IP addresses at the spoke router.
DMVPN combines Generic Routing Encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). It provides IP
routing for remote sites, while minimizing the overhead on the network devices. This sample configuration also allows load balancing with dual
ODR hub routers, failover to a single hub when a hub router fails, and the recovery from a hub router failure when it is recovered.
Figure 1. Network Diagram
PREREQUISITES
The sample configuration is based on the following assumptions:
• Public IP addresses for the hub routers (10.0.149.221 and 10.0.149.220)
• DMVPN network for tunnel interface on both hubs are 192.168.1.0/24 and 192.168.2.0/24
• Spoke router can use static IP or dynamic IP addresses
• Example uses Enhanced Interior Gateway Routing Protocol (EIGRP) as its dynamic routing protocol
• Example uses pre-shared keys for authentication
• Disabled split tunneling for the spoke router; this allows the Internet traffic to go through the hub only
LIMITATIONS
This guide provides the DMPVN configuration, but does not cover the following configuration:
• Full router security audit: run a Security Device Manager (SDM) security audit in the wizard mode to lock down and secure the router.
• Initial router configuration step: full configuration is shown in the following section.
All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 1 of 16
• This configuration guide uses private addresses only. When using private addresses and connecting to the Internet, an appropriate Network
Address Translation (NAT) or Port Address Translation (PAT) configuration is required to provide connectivity over the Internet.
• The ODR provides a default route only to the spoke, the configuration support hub and spoke topology; no split tunneling
PRECAUTIONS
Before configurations are made to any router, confirm the following:
• The spoke router can reach the DMVPN hub directly over the Internet.
• The DMVPN hub is configured and operational.
COMPONENTS
• Cisco IOS Software Release 12.3(11)T3(fc2)
• Cisco 831, 1751, 3725 and 3745 Routers
Figure 1 illustrates the network for the sample configuration.
The information presented in this document was created from devices in a specific lab environment. All devices started with a cleared (default)
configuration. It is imperative to understand the potential impact of any command before implementing it in a live network.
This configuration uses two DMVPN hub routers. Each hub router is configured with a separate DMVPN tunnel network (192.168.1.0/24 and
192.168.2.0/24). The first tunnel on the spokes is used for direct connectivity through the first DMVPN hub and the second tunnel on the spokes
is used for the second DMVPN hub. During normal operations with dual hubs, the spoke router load-balances the traffic between both hubs.
Connectivity between the spoke routers is provided through the hub routers in hub and spoke topology. During a failure, the ODR protocol will time
out the failed path, and it will use one active path to the active hub router.
Using ODR, the hub router learns about the remote networks using the CDP protocol. By default, CDP is disabled on the tunnel interface. To allow
the hub and spoke routers to exchange routes, CDP must be enabled on the tunnel interface. ODR allows for push of the default route from the hub
router to the spoke router. The hub router configuration only accepts spoke routers network ranges defined with the “distribute-list 101 in” in order
to prevent the risk of learning the DHCP public network of spoke router from the tunnel interface with ODR. All routing protocols should be
disabled on the spoke routers to activate ODR on the spoke routers.
By default, CDP sends updates every sixty seconds. This update interval may not be frequent enough to provide faster re-convergence of IP routes on
the hub router side of the network. A quicker re-convergence rate may be necessary if the spoke connects to one of several hub routers via
asynchronous interfaces such as modem lines.
ODR expects to receive periodic CDP updates, which contain IP prefix information. When ODR fails to receive updates for routes that it has
installed in the routing table, these ODR routes are first marked invalid and eventually removed from the routing table (by default, ODR routes are
marked invalid after 180 seconds and are removed from the routing table after 240 seconds). These defaults are based on the default CDP update
interval. Configuration changes made to either the CDP or ODR timers should be reflected through changes made to both.
For additional information about configuring ODR timers, refer to:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75f.html#1000989
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
© 2005 Cisco Systems, Inc. All rights reserved.
Page 2 of 16
CONFIGURATION OF THE CISCO 3725 ROUTER
Following are the configurations on the Hub router:
Current configuration:
!
version 12.3
!
hostname c3725-21
!
no aaa new-model
!
ip subnet-zero
ip cef
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
cdp enable
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
© 2005 Cisco Systems, Inc. All rights reserved.
Page 3 of 16
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/0
ip address 10.0.149.221 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.20.21 255.255.255.0
duplex auto
speed 100
!
router odr
distribute-list 101 in
!
router eigrp 1
redistribute odr metric 2000 100 255 255 1400
network 192.168.1.0
network 192.168.2.0
network 192.168.20.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.149.207
!
!
access-list 101 permit ip any 192.168.0.0 0.0.255.255
!
end
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
© 2005 Cisco Systems, Inc. All rights reserved.
Page 4 of 16
VERIFYING THE CISCO 3725 ROUTER RESULTS
Normal Operation
This section provides information that can be used to confirm that the configuration is working properly.
c3725-21#show ip route
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
E1-OSPF external type 1, E2-OSPF external type 2
i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
ia-IS-IS inter area, *-candidate default, U-per-user static route
o-ODR, P-periodic downloaded static route
Gateway of last resort is 10.0.149.207 to network 0.0.0.0
o 192.168.27.0/24 [160/1] via 192.168.1.11, 00:00:52, Tunnel0
C 192.168.20.0/24 is directly connected, FastEthernet0/1
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.149.0 is directly connected, FastEthernet0/0
o 192.168.16.0/24 [160/1] via 192.168.1.10, 00:00:21, Tunnel0
C 192.168.1.0/24 is directly connected, Tunnel0
D 192.168.2.0/24 [90/2818560] via 192.168.20.20, 06:03:24, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.0.149.207
c3725-21#show crypto session detail
Crypto session current status
Code: C-IKE Configuration mode, D-Dead Peer Detection
K-Keepalives, N-NAT-traversal, X-IKE Extended Authentication
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.150.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.150.1
Desc: (none)
IKE SA: local 10.0.149.221/500 remote 10.0.150.1/500 Active
Capabilities:D connid:10 lifetime:20:55:47
IPSEC FLOW: permit 47 host 10.0.149.221 host 10.0.150.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec’ed 6829 drop 0 life (KB/Sec) 4503324/3143
Outbound: #pkts enc’ed 65167 drop 1 life (KB/Sec) 4503313/3143
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.150.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.150.2
Desc: (none)
IKE SA: local 10.0.149.221/500 remote 10.0.150.2/500 Active
Capabilities:D connid:11 lifetime:20:56:02
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
© 2005 Cisco Systems, Inc. All rights reserved.
Page 5 of 16