Configure DMVPN for SD-Routing Devices
What is Cisco DMVPN
Cisco DMVPN (Dynamic Multipoint VPN) is a routing technique for building a VPN network across multiple sites without statically configuring every device. It uses tunneling protocols and IPsec encryption to create virtual connections, or tunnels, between sites. These tunnels are created dynamically as needed, which makes them both efficient and cost-effective.
Components of Cisco DMVPN
Cisco DMVPN consists of four main components:
Component | Purpose
---|---
Multipoint GRE (mGRE) | mGRE is a tunneling mechanism used to create multipoint Virtual Private Networks (VPNs) using GRE encapsulation. Encapsulating data packets from different sources into a single tunnel improves scalability and simplifies VPN management.
Next Hop Resolution Protocol (NHRP) | NHRP is a resolution protocol that allows a Next Hop Client (NHC) to dynamically register with Next Hop Servers (NHSs). In the Dynamic Multipoint Virtual Private Network (DMVPN) design, the NHC is the spoke router and the NHS is the hub router. Once all clients are registered, spoke routers can discover other spoke routers within the same non-broadcast multiple access (NBMA) network. NHRP gives next-hop clients a way to resolve each other's addresses and communicate directly, bypassing the central hub and avoiding a potential bottleneck.
IPsec encryption | IPsec is a group of protocols for securing connections between devices. IPsec helps keep data sent over public networks secure. It is often used to set up VPNs, and it works by encrypting IP packets and authenticating the source of those packets.
Routing protocols such as BGP, EIGRP and OSPF | 
Deployment Scenarios
Cisco DMVPN can be deployed in two ways:
Hub and Spoke Deployment Model
In this traditional topology, a central device (Hub) is connected to multiple other devices (Spokes). The primary enterprise resources are located in a large central site, with several smaller sites or branch offices connected directly to the central site over a VPN. Traffic from any remote site to other remote sites passes through the Hub.
This model is best suited for sites with lower bandwidth needs.
Spoke-to-Spoke Deployment Model
Cisco DMVPN allows the creation of a full-mesh VPN, in which traditional hub-and-spoke connectivity is supplemented by IPsec tunnels created dynamically between the spokes. With direct spoke-to-spoke tunnels, traffic between remote sites does not need to pass through the Hub.
This eliminates additional delay and conserves WAN bandwidth. This deployment model is best suited for sites with higher bandwidth needs.
Configure Cisco DMVPN Using Feature Parcel
This section covers how to configure Cisco DMVPN using Feature Parcels for SD-Routing devices.
The following table outlines the steps involved in creating a DMVPN tunnel using Feature Parcels in Catalyst SD-WAN Manager.
Steps to Configure a DMVPN Tunnel | To Know More
---|---
Configure a VRF in the Service Profile | 
Configure a DMVPN Tunnel | Configure Basic Attributes of the Tunnel
Configure a DMVPN Tunnel
This task covers how to configure a DMVPN tunnel in Catalyst SD-WAN Manager using a Service Profile.
Before you begin
Step | Action
---|---
Step 1 | Go to Cisco Catalyst SD-WAN Manager. Select SD Routing. Select Solution as
Step 2 | Select the Service Profile created as part of the Configure a VRF task. Select the VRF, click + and select DMVPN Tunnel. You can choose an existing DMVPN tunnel from the list or create a new DMVPN tunnel.
Step 3 | Specify a name and description for the DMVPN tunnel. Under the Basic Configuration tab, specify the following:
Step 4 | Specify overlay and underlay details. DMVPN supports IPv4 and IPv6 unicast and multicast transport through the overlay and underlay tunnels.<br>Overlay:<br>Underlay: Select either an IPv4 or IPv6 address for underlay transport.
Step 5 | Configure NHRP.<br>DMVPN Role: Select the role of the device in the DMVPN network.<br>NHRP Summary Map (IPv4 NHRP Summary Map and IPv6 NHRP Summary Map): The spoke-to-spoke NHRP summary map uses the configured IP network address and subnet mask in the NHRP resolution response instead of the network address and subnet mask taken from the RIB. This reduces NHRP resolution traffic on the network.<br>NBMA Summary Map (IPv4 NHS NBMA Summary Map and IPv6 NHS NBMA Summary Map): You can configure a fully qualified domain name (FQDN) for the non-broadcast multiple access (NBMA) address of the hub (NHS) on the spokes (NHCs). This lets spokes dynamically locate the IP address of the hub by FQDN.<br>Note: NBMA Summary Map details are required only if you select the DMVPN Role as Spoke or Both.
Step 6 | Configure BFD. Select the toggle button to enable BFD. BFD provides fast peer failure detection by sending rapid failure detection notices to the control protocols, which reduces overall network convergence time.
Step 7 | Configure Advanced Parameters. For more information on each of the parameters used in the Feature Profile, see the Security and VPN Configuration Guide.
What's next
Encrypt Data in a DMVPN Tunnel
Adding IPsec encryption helps secure the data in the tunnel while it travels through the network. The IPsec encryption used in Cisco DMVPN is based on IKEv2; configuring IPsec with IKEv1 is not supported.
This configuration is optional.
Before you begin
Step | Action
---|---
Step 1 | Go to Cisco Catalyst SD-WAN Manager. Select SD Routing. Select Solution as
Step 2 | Select an existing Service Profile or create a new one.
Step 3 | Select an existing DMVPN tunnel. Click + to create an IPsec profile.
Step 4 | Specify a name and description to identify the IPsec profile. Enter the details to configure the profile.<br>Authentication:
Step 5 | Click Save.
Configure Cisco DMVPN Using Commands
In addition to the features configured using a Feature Profile, you can use IOS XE commands in Cisco SD-WAN Manager to configure additional features.
Use IOS XE CLI commands to add configuration to your device that is not available through Feature Parcels.
The IOS XE commands operate together with the configuration provided through Feature Parcels. However, commands configured using either a CLI Add-on Profile or a CLI Config Group override the configuration specified by the corresponding Feature Parcel.
Configuring Cisco DMVPN Using CLI Add-on Profile
Before you begin
- You should have an understanding of the features you want to provision in your setup. Guidance for the different features and their configuration commands is available in the Security and VPN Configuration Guide.
- You must onboard the autonomous routing device to Cisco Catalyst SD-WAN Manager, and the status of the device should be In Sync. Check the status of the device using .
Step | Action
---|---
Step 1 | Go to Cisco Catalyst SD-WAN Manager. Select SD Routing. Select Solution as
Step 2 | Select an existing Configuration Group or create a new one. Select the configuration group, then click + Add Profile to add a CLI Add-on Profile.
Step 3 | To create a new profile, select + Create New and specify a name and description. If you have an existing CLI Add-on Profile, select the profile and click Edit.
Step 4 | In the Config Preview pane, enter the commands required to configure the features. Click Save and then Done.
Step 5 | Associate and Deploy the Configuration Group to an SD-Routing Device. Click Next.
Step 6 | In the Summary window, select Preview CLI. The old and new configuration is displayed. Review the changes. Click Cancel to go back to Configuration Groups.
Configuring Cisco DMVPN Using CLI Config Group
Before you begin
- You should have an understanding of the features you want to have in your setup. Guidance for the features and their configuration commands is available at https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-conn-dmvpn-dmvpn-0.html
- You must onboard the autonomous routing device to Cisco SD-WAN Manager, and the status of the device should be In Sync. Check the status of the device using .
Step | Action
---|---
Step 1 | Go to Cisco Catalyst SD-WAN Manager. Select SD Routing. Select Solution as
Step 2 | Select an existing CLI Config Group from the list, or select Create Configuration Group to create a new configuration group.
Step 3 | Specify a name and description. Select the CLI Configuration Group checkbox.
Step 4 | Select a device to load the configuration from. In the Config Preview pane, review the configuration and enter the commands required to configure additional features. Click Save and then Done.
Step 5 | Associate and Deploy the Configuration Group to an SD-Routing Device. Click Next.
Step 6 | In the Summary window, select Preview CLI. The old and new configuration is displayed. Click Cancel to go back to Configuration Groups.
Associate and Deploy the Configuration Group to an SD-Routing Device
Before you begin
Step | Action
---|---
Step 1 | On Cisco SD-WAN Manager, select the Configuration Group created earlier.
Step 2 | Click + Add and select the devices from the list. Click Save to attach the configuration group to the selected devices.
Step 3 | To provision the configuration changes, click Deploy.
Monitor Cisco DMVPN
This section provides details on how to monitor Cisco DMVPN using commands.
Monitor Cisco DMVPN Sessions Using Commands
Use these commands to monitor the DMVPN tunnels and view session information. These commands can be executed using
in Cisco Catalyst SD-WAN Manager.
Use command | To
---|---
show dmvpn | display DMVPN session information.
show dmvpn detail | display detailed DMVPN information for each session, including the Next Hop Server (NHS) and NHS status, crypto session information, and socket details.
show crypto session | display status information for active crypto sessions.
show ip nhrp traffic | display NHRP traffic statistics.
show ip nhrp summary | display the mapping of all the overlay entries.