In this post I will be focusing on configuring and verifying DMVPN, NHRP and GRE tunnels while peeking at the raw packets.
Topology
This topology consists of one Internet router, an HQ and two branches.
Internet Router:
- Interface fa0/0 - connected to HQ - IP 3.0.0.1/24
- Interface fa1/0 - connected to Branch-1 - IP 5.0.0.1/24
- Interface fa2/0 - connected to Branch-2 - IP 4.0.0.1/24
- Interface lo7 - Loopback for testing - IP 7.0.0.1/32
- Interface lo8 - Loopback for testing - IP 8.0.0.1/32
HQ
- Interface fa0/0 - connected to Internet - IP 3.0.0.2/24
- Interface lo1 - Loopback for testing - IP 1.0.0.1/32
- Interface lo2 - Loopback for testing - IP 2.0.0.1/32
- Default Gateway - 3.0.0.1
DMVPN IP
- 192.168.0.1/24
Branch-1
- Interface fa0/0 - connected to Internet - IP 5.0.0.2/24
- Interface fa1/0 - connected to LAN - IP 10.0.0.1/24
- Default Gateway - 5.0.0.1
203 Server on Branch-1 LAN
eth0 - 10.0.0.2/24
Default Gateway - 10.0.0.1
DMVPN IP
- 192.168.0.2/24
Branch-2
- Interface fa0/0 - connected to Internet - IP 4.0.0.2/24
- Interface fa1/0 - connected to LAN - IP 172.16.0.1/24
- Default Gateway - 4.0.0.1
Kali Host on Branch-2
eth0 - 172.16.0.2/24
Default Gateway - 172.16.0.1
DMVPN IP
- 192.168.0.3/24
Configuration before DMVPN
Internet
HQ
Branch-1
Branch-2
Configuration after DMVPN
HQ DMVPN Tunnel
Branch-1 DMVPN Tunnel
Branch-2 DMVPN Tunnel
Verification
Now that the systems have been configured, it is time to verify that the configuration is working.
HQ
Looks good!
Still looking good!!
Branch-1
Looks good!
Still looking good!!
Branch-2
Looks good!
Still looking good!!
The final verification is to ensure the hosts in the two remote branches can ping (and traceroute) each other. To make the hosts reachable I've enabled EIGRP on the tunnel. In a future post I will go through the EIGRP configuration.
Ping looks good!
Traceroute looks better!! I say it looks better because this validates the path taken to get from Branch-2 to Branch-1.
Peeking into the NHRP Packets
Looks like the process of establishing communication between a Next Hop Server (NHS) and a Next Hop Client (NHC) takes two packets.
From the looks of it, in the first packet I see a registration request with ID "65542".
Next I see a registration reply with ID "65542" and "Code=Success".
NHRP Registration Request
By capturing the registration packet I've managed to determine what the password is: the NHRP authentication key is carried in cleartext in the packet's Authentication Extension, so anyone who can see the GRE traffic can read it unless the tunnel is protected with IPsec. Obviously there is a lot more to be gained from this packet capture.
NHRP Registration Reply
Similarly the reply code shows us all the information needed to understand the NHRP Registration/Reply process.
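To make the registration request/reply exchange above concrete, here is an added decoder (not part of the original post or of any Cisco tooling) that walks the NHRP fixed header and extension TLVs using the RFC 2332 layout, verifies the header checksum, and reports whether an Authentication Extension is present. The sample packet is constructed inline from the lab's spoke (5.0.0.2 / 192.168.0.2) and hub (192.168.0.1) addresses with the page's request ID 65542; the key "labkey12" is a constructed placeholder, and the assumption that the configured key sits in the Authentication Data field after the Src Addr follows observed Cisco captures.

```python
"""Decode the NHRP fixed header and extension TLVs (RFC 2332 layout) of one GRE payload."""
import struct

OP_TYPES = {1: "Resolution Request", 2: "Resolution Reply", 3: "Registration Request",
            4: "Registration Reply", 5: "Purge Request", 6: "Purge Reply", 7: "Error Indication"}
EXT_END, EXT_AUTHENTICATION = 0, 7
FIXED_HDR = "!HH5xBHHHBBBB"  # afn, pro.type, pro.snap(5), hopcnt, pktsz, chksum, extoff, version, op.type, shtl, sstl

def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over the whole packet, as NHRP uses for ar$chksum; 0 means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_nhrp(pkt: bytes) -> dict:
    """Return op type, request ID, extension types present and any cleartext authentication key."""
    _afn, _pro, _hop, pktsz, _ck, extoff, version, op_type, _shtl, _sstl = struct.unpack(FIXED_HDR, pkt[:20])
    if version != 1 or pktsz != len(pkt) or ip_checksum(pkt) != 0:
        raise ValueError("not a well-formed NHRP packet")
    request_id = struct.unpack("!I", pkt[24:28])[0]        # follows Src/Dst Proto Len and Flags
    result = {"op": OP_TYPES.get(op_type, f"unknown({op_type})"), "request_id": request_id,
              "extensions": [], "auth_key": None}
    off = extoff
    while off and off + 4 <= len(pkt):
        type_field, length = struct.unpack("!HH", pkt[off:off + 4])
        ext_type = type_field & 0x3FFF                    # top bits: Compulsory flag and unused
        value = pkt[off + 4:off + 4 + length]
        result["extensions"].append(ext_type)
        if ext_type == EXT_AUTHENTICATION:
            # Reserved(2) SPI(2) Src Addr(4 for IPv4), then Authentication Data: the configured key (assumed layout)
            result["auth_key"] = value[8:].decode("ascii", "replace")
        if ext_type == EXT_END:
            break
        off += 4 + length
    return result

def build_registration_request(req_id: int, key: str) -> bytes:
    """Constructed sample: IPv4 Registration Request from spoke 5.0.0.2/192.168.0.2 to hub 192.168.0.1."""
    src_nbma, src_proto, dst_proto = bytes([5, 0, 0, 2]), bytes([192, 168, 0, 2]), bytes([192, 168, 0, 1])
    mandatory = struct.pack("!BBHI", 4, 4, 0, req_id) + src_nbma + src_proto + dst_proto
    mandatory += struct.pack("!BBHHHBBBB", 0, 32, 0, 1514, 7200, 0, 0, 0, 0)  # one minimal CIE
    auth = struct.pack("!HH", 0, 1) + src_nbma + key.encode("ascii")
    exts = struct.pack("!HH", 0x8000 | EXT_AUTHENTICATION, len(auth)) + auth + struct.pack("!HH", 0x8000 | EXT_END, 0)
    total, extoff = 20 + len(mandatory) + len(exts), 20 + len(mandatory)
    pkt = struct.pack(FIXED_HDR, 1, 0x0800, 255, total, 0, extoff, 1, 3, 4, 0) + mandatory + exts
    return pkt[:12] + struct.pack("!H", ip_checksum(pkt)) + pkt[14:]
```

Running `parse_nhrp(build_registration_request(65542, "labkey12"))` reports the Registration Request with its ID and the key read straight out of the extension; pointing `parse_nhrp` at the GRE payload of your own capture shows whether your tunnel exposes the key the same way.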
All is well. This lab is completed.
Hey Nik, why are you using "ip nhrp map multicast dynamic" on the spokes? I believe this command is intended to be used on the hub only.
Nuno,
I think I will have to build a lab to verify this. I've seen documentation which states this should only be on the hub, while at the same time there are some Cisco configurations which have this on the spoke. How about you build a lab to test and report your findings back. :-)
Look at these links:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-dmvpn.html