DMVPN with L2 primary link and L3 secondary link

Network Scenario Explanation!
Suppose this is the network of ABC Bank Ltd. ABC Bank has a head office and two branch offices, located to the east and west of it. The bank has purchased two links from its Internet Service Provider: an L2 link (a private intranet circuit) and an L3 link (the public Internet). Our goal is to configure the network so that the L2 link is the primary path between the offices and the L3 link is the secondary path. If the L2 link fails, traffic should fail over to the L3 link automatically, so that the bank never loses connectivity between its offices.

There are many technologies that can achieve this goal. Here I am going to use DMVPN.
DMVPN stands for Dynamic Multipoint Virtual Private Network. I would describe DMVPN as a design rather than a protocol: it is not a protocol in itself but a combination of protocols. To configure DMVPN you need a solid understanding of GRE tunnels, NHRP, IPsec and a routing protocol (RIP, EIGRP, OSPF or BGP).
In this lab I am going to configure DMVPN step by step.
Step 1.
First of all we configure each router's hostname and the IP addresses of the links as shown in the topology.
Step 2.
In step two we create the tunnel interfaces on each router: Tunnel 2 for the L2 network and Tunnel 3 for the L3 network. The Tunnel 2 subnet will be 192.168.2.0/29 and the Tunnel 3 subnet will be 192.168.3.0/29.
Configuration Example (Tunnel 2 on all three routers)
               HQ_Kathmandu
               HQ_Kathmandu(config)#interface tunnel 2 (Creates the Tunnel 2 interface on HQ_Kathmandu)
               HQ_Kathmandu(config-if)#ip address 192.168.2.1 255.255.255.248
               HQ_Kathmandu(config-if)#no shutdown
               HQ_Kathmandu(config-if)#tunnel source fa0/0 (GRE packets are sourced from the hub's L2-facing interface, 172.16.15.1)
               HQ_Kathmandu(config-if)#tunnel mode gre multipoint (Makes the hub tunnel multipoint GRE, so one interface serves every spoke and no tunnel destination is configured)
Branch_East
               Branch_East(config)#interface tunnel 2
               Branch_East(config-if)#ip address 192.168.2.2 255.255.255.248
               Branch_East(config-if)#no shutdown
               Branch_East(config-if)#tunnel source fa0/0
               Branch_East(config-if)#tunnel destination 172.16.15.1 (Creates a point-to-point GRE tunnel to 172.16.15.1, which is fa0/0 of HQ_Kathmandu. Spokes with a fixed destination make this a DMVPN Phase 1 design: all spoke-to-spoke traffic passes through the hub)
Branch_West
               Branch_West(config)#interface tunnel 2
               Branch_West(config-if)#ip address 192.168.2.3 255.255.255.248
               Branch_West(config-if)#no shutdown
               Branch_West(config-if)#tunnel source fa0/0
               Branch_West(config-if)#tunnel destination 172.16.15.1

We have now created the GRE tunnels on each router. If you are not familiar with GRE tunnels and their features, I suggest reading the Cisco documentation.

Now we have to configure NHRP on the tunnel interfaces. NHRP (Next Hop Resolution Protocol) works much like ARP: it maps a tunnel IP address to the real physical (NBMA) IP address that the GRE packets are sent to. Spokes register their mapping with the hub, which acts as the Next Hop Server (NHS). To learn more about NHRP, see the Cisco documentation.

Now we are going to configure NHRP on each router.

NHRP on HQ_Kathmandu
            HQ_Kathmandu(config)#interface tunnel 2
            HQ_Kathmandu(config-if)#ip nhrp network-id 2 (The network ID must be the same on all routers that share this DMVPN cloud)
            HQ_Kathmandu(config-if)#ip nhrp holdtime 600 (How long, in seconds, the hub keeps a spoke's registration before the spoke must refresh it)
            HQ_Kathmandu(config-if)#ip nhrp map multicast dynamic (Replicates multicast, for example EIGRP hellos, to every spoke that registers dynamically. The hub learns the spokes' NBMA addresses from their registrations, so no static map is needed here)
NHRP on Branch_East
            Branch_East(config)#interface tunnel 2
            Branch_East(config-if)#ip nhrp network-id 2 (Must match the hub)
            Branch_East(config-if)#ip nhrp holdtime 600
            Branch_East(config-if)#ip nhrp registration timeout 30 (The spoke re-registers with the NHS every 30 seconds, so a hub that has lost its NHRP state relearns the spoke quickly)
            Branch_East(config-if)#ip nhrp map 192.168.2.1 172.16.15.1 (Static map of the hub's tunnel IP to its NBMA IP)
            Branch_East(config-if)#ip nhrp map multicast 172.16.15.1 (Send multicast, i.e. routing protocol packets, to the NBMA address of HQ_Kathmandu)
            Branch_East(config-if)#ip nhrp nhs 192.168.2.1 (The Next Hop Server is the tunnel IP address of HQ_Kathmandu)
NHRP on Branch_West
            Branch_West(config)#interface tunnel 2
            Branch_West(config-if)#ip nhrp network-id 2 (Must match the hub)
            Branch_West(config-if)#ip nhrp holdtime 600
            Branch_West(config-if)#ip nhrp registration timeout 30
            Branch_West(config-if)#ip nhrp map 192.168.2.1 172.16.15.1 (Static map of the hub's tunnel IP to its NBMA IP)
            Branch_West(config-if)#ip nhrp map multicast 172.16.15.1 (Send multicast, i.e. routing protocol packets, to the NBMA address of HQ_Kathmandu)
            Branch_West(config-if)#ip nhrp nhs 192.168.2.1 (The Next Hop Server is the tunnel IP address of HQ_Kathmandu)

So far we have configured the GRE tunnels and NHRP on each router. Now it is time to configure a routing protocol so that the routers advertise their networks to each other.

Routing Protocol on HQ_Kathmandu
               HQ_Kathmandu(config)#router eigrp 10
               HQ_Kathmandu(config-router)#no auto-summary
               HQ_Kathmandu(config-router)#network 192.168.10.0 (LAN network of HQ)
               HQ_Kathmandu(config-router)#network 192.168.2.0 (Tunnel subnet)
               HQ_Kathmandu(config-router)#exit
               HQ_Kathmandu(config)#interface tunnel 2
               HQ_Kathmandu(config-if)#no ip split-horizon eigrp 10 (Required on the hub: both spokes are reached through this one tunnel interface, and with split horizon on EIGRP would not re-advertise the Branch_East LAN to Branch_West, or vice versa)
Routing Protocol on Branch_East
               Branch_East(config)#router eigrp 10
               Branch_East(config-router)#no auto-summary
               Branch_East(config-router)#network 192.168.20.0 (LAN network of Branch_East)
               Branch_East(config-router)#network 192.168.2.0 (Tunnel subnet)
Routing Protocol on Branch_West
               Branch_West(config)#router eigrp 10
               Branch_West(config-router)#no auto-summary
               Branch_West(config-router)#network 192.168.30.0 (LAN network of Branch_West)
               Branch_West(config-router)#network 192.168.2.0 (Tunnel subnet)

Now the computers in the different offices can reach each other over the L2 link (intranet). But this traffic crosses the ISP's network, which we do not control, and so far we have configured nothing to protect it: GRE adds no encryption, so anyone with access on the ISP side could read the contents of the packets. We are going to implement IPsec to protect the data.
IPsec provides confidentiality through encryption (ESP), integrity through a keyed hash (HMAC) and peer authentication through IKE, in this lab with pre-shared keys. To learn more about IPsec, see the Cisco documentation.

IPsec on HQ_Kathmandu
            HQ_Kathmandu(config)#crypto isakmp enable (ISAKMP is enabled by default; this command is only needed if it has been disabled)
            HQ_Kathmandu(config)#crypto isakmp policy 100
            HQ_Kathmandu(config-isakmp)#encryption aes 256 (Encryption algorithm for the IKE phase 1 SA. This must be a cipher such as AES; MD5 is a hash and cannot be used here)
            HQ_Kathmandu(config-isakmp)#hash sha (Integrity algorithm for phase 1. Prefer sha256 if your IOS supports it; avoid md5)
            HQ_Kathmandu(config-isakmp)#authentication pre-share
            HQ_Kathmandu(config-isakmp)#group 14 (2048-bit Diffie-Hellman. Group 2 is 1024-bit and is no longer considered strong)
            HQ_Kathmandu(config-isakmp)#lifetime 28800
            HQ_Kathmandu(config-isakmp)#exit
HQ_Kathmandu(config)#crypto isakmp key 0 PASSWORD address 172.16.15.2 (Pre-shared key for Branch_East. Replace PASSWORD with a long random secret and use a different key for each spoke, so that one compromised branch router cannot impersonate another)
HQ_Kathmandu(config)#crypto isakmp key 0 PASSWORD address 172.16.15.3 (Pre-shared key for Branch_West)
HQ_Kathmandu(config)#crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac (ESP with AES encryption and SHA-1 HMAC; use esp-sha256-hmac where supported)
HQ_Kathmandu(cfg-crypto-trans)#mode transport (Transport mode is sufficient because GRE already encapsulates the original packet, and it saves 20 bytes of overhead per packet compared with tunnel mode)
HQ_Kathmandu(cfg-crypto-trans)#exit
HQ_Kathmandu(config)#crypto ipsec profile PROFILENAME
HQ_Kathmandu(ipsec-profile)#set transform-set TSET
HQ_Kathmandu(ipsec-profile)#exit
Now apply this profile on the tunnel interface
HQ_Kathmandu(config)#interface tunnel 2
HQ_Kathmandu(config-if)#tunnel protection ipsec profile PROFILENAME

IPsec on Branch_East
               Branch_East(config)#crypto isakmp enable (ISAKMP is enabled by default; this command is only needed if it has been disabled)
               Branch_East(config)#crypto isakmp policy 100
               Branch_East(config-isakmp)#encryption aes 256
               Branch_East(config-isakmp)#hash sha
               Branch_East(config-isakmp)#authentication pre-share
               Branch_East(config-isakmp)#group 14
               Branch_East(config-isakmp)#lifetime 28800
               Branch_East(config-isakmp)#exit
Branch_East(config)#crypto isakmp key 0 PASSWORD address 172.16.15.1 (Must be the same secret the hub configured for 172.16.15.2)
Branch_East(config)#crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
Branch_East(cfg-crypto-trans)#mode transport
Branch_East(cfg-crypto-trans)#exit
Branch_East(config)#crypto ipsec profile PROFILENAME
Branch_East(ipsec-profile)#set transform-set TSET
Branch_East(ipsec-profile)#exit
Now apply this profile on the tunnel interface
Branch_East(config)#interface tunnel 2
Branch_East(config-if)#tunnel protection ipsec profile PROFILENAME
IPsec on Branch_West
               Branch_West(config)#crypto isakmp enable (ISAKMP is enabled by default; this command is only needed if it has been disabled)
               Branch_West(config)#crypto isakmp policy 100
               Branch_West(config-isakmp)#encryption aes 256
               Branch_West(config-isakmp)#hash sha
               Branch_West(config-isakmp)#authentication pre-share
               Branch_West(config-isakmp)#group 14
               Branch_West(config-isakmp)#lifetime 28800
               Branch_West(config-isakmp)#exit
Branch_West(config)#crypto isakmp key 0 PASSWORD address 172.16.15.1 (Must be the same secret the hub configured for 172.16.15.3)
Branch_West(config)#crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
Branch_West(cfg-crypto-trans)#mode transport
Branch_West(cfg-crypto-trans)#exit
Branch_West(config)#crypto ipsec profile PROFILENAME
Branch_West(ipsec-profile)#set transform-set TSET
Branch_West(ipsec-profile)#exit
Now apply this profile on the tunnel interface
Branch_West(config)#interface tunnel 2
Branch_West(config-if)#tunnel protection ipsec profile PROFILENAME

We have configured DMVPN on the L2 link (intranet). Now configure DMVPN in the same way on the L3 link: Tunnel 3 with the subnet 192.168.3.0/29, sourced from each router's Internet-facing interface, with its own NHRP network-id (3), its own IPsec profile and pre-shared keys for the Internet-side peer addresses, and the 192.168.3.0 network added to EIGRP. Then raise the EIGRP metric of Tunnel 3, for example by configuring a higher delay on the Tunnel 3 interface of every router, so that the network prefers the L2 link and only uses the L3 link when the EIGRP neighbour over Tunnel 2 is lost.
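Here is the L3 side carried through for the hub and one spoke, as an added example that is not part of the original post. It assumes that the Internet (L3) link terminates on FastEthernet0/1 of each router, with hub address 203.0.113.1, Branch_East 203.0.113.2 and Branch_West 203.0.113.3 (documentation-range addresses chosen for this example; the page does not give the L3 addressing), that the Tunnel 2, transform-set TSET and EIGRP configuration above is already in place, and it uses a delay of 100000 on Tunnel 3 as one way of making EIGRP prefer Tunnel 2. The pre-shared key names, the profile name PROFILE_L3 and the MTU/MSS values are example choices. Branch_West is configured like Branch_East with 192.168.3.3 and 203.0.113.3.

```cisco
! ===== HQ_Kathmandu: Tunnel 3 over the L3 (Internet) link =====
! Assumed: FastEthernet0/1 is the Internet-facing interface, 203.0.113.1
crypto isakmp key 0 EAST_L3_SECRET address 203.0.113.2   ! example PSK; one secret per spoke
crypto isakmp key 0 WEST_L3_SECRET address 203.0.113.3
!
crypto ipsec profile PROFILE_L3                          ! separate profile for the Internet tunnel
 set transform-set TSET                                  ! TSET is the transform-set defined above
!
interface Tunnel3
 ip address 192.168.3.1 255.255.255.248
 ip mtu 1400                                             ! leave room for GRE + ESP overhead
 ip tcp adjust-mss 1360                                  ! keep TCP segments from being fragmented
 no ip split-horizon eigrp 10                            ! hub must re-advertise one spoke's LAN to the other
 ip nhrp network-id 3                                    ! a different NHRP cloud from Tunnel 2
 ip nhrp holdtime 600
 ip nhrp map multicast dynamic
 delay 100000                                            ! tens of usec: 1,000,000 usec vs the 50,000 usec
                                                         ! tunnel default, so EIGRP prefers Tunnel 2
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_L3
!
router eigrp 10
 network 192.168.3.0 0.0.0.7                             ! advertise the Tunnel 3 subnet
!
! ===== Branch_East: Tunnel 3 =====
! Assumed: FastEthernet0/1 is the Internet-facing interface, 203.0.113.2
crypto isakmp key 0 EAST_L3_SECRET address 203.0.113.1   ! must match the hub's key for this spoke
!
crypto ipsec profile PROFILE_L3
 set transform-set TSET
!
interface Tunnel3
 ip address 192.168.3.2 255.255.255.248
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 3
 ip nhrp holdtime 600
 ip nhrp registration timeout 30
 ip nhrp map 192.168.3.1 203.0.113.1                     ! hub tunnel IP -> hub NBMA IP on the Internet
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 192.168.3.1
 delay 100000                                            ! same delay on every router so both directions prefer Tunnel 2
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.1                          ! point-to-point GRE to the hub, as on Tunnel 2
 tunnel protection ipsec profile PROFILE_L3
!
router eigrp 10
 network 192.168.3.0 0.0.0.7
!
! ===== Verification, run on Branch_East =====
! show dmvpn                    -> the hub peer should be UP on both Tunnel2 and Tunnel3
! show crypto isakmp sa         -> one QM_IDLE entry per hub address (172.16.15.1 and 203.0.113.1)
! show ip eigrp neighbors       -> the hub appears twice, once on Tu2 and once on Tu3
! show ip route 192.168.30.0    -> next hop 192.168.2.1 via Tunnel2 while the L2 link is healthy
!
! Failover test: "shutdown" FastEthernet0/0 on Branch_East, wait for the EIGRP hold time on Tunnel2
! to expire (see "show ip eigrp interfaces detail"), then repeat the last command: the route should
! now point to 192.168.3.1 via Tunnel3. "no shutdown" restores the L2 link and the primary path.
```

Two points worth checking in the design choice. First, the failover here is driven by the routing protocol, not by the tunnel interface: a GRE tunnel stays up/up even when the underlying path is dead, so recovery time is the EIGRP hold time on Tunnel 2, and shortening the hello and hold timers on the tunnel interfaces is the way to speed it up. Second, the L3 tunnel terminates on a public address, so make sure the Internet-facing interface accepts only UDP 500 (and UDP 4500 if NAT is involved) plus ESP from the expected peers, and nothing else.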
