Tag Archives: 4.1d

4.1.d Implement and troubleshoot DMVPN [single hub]

4.1.d [i] NHRP

NHRP is an ARP-like protocol that alleviates these NBMA network problems. With NHRP, systems attached to an NBMA network dynamically learn the NBMA address of the other systems that are part of that network, allowing these systems to directly communicate without requiring traffic to use an intermediate hop.

NHRP allows Next Hop Clients (NHCs) to dynamically register with Next Hop Servers (NHSs). This allows the NHCs to join the NBMA network without configuration changes on the NHSs, especially in cases where the NHC has a dynamic physical IP address or is behind a Network Address Translation (NAT) router that dynamically changes the physical IP address. In these cases it would be impossible to preconfigure the logical virtual private network (VPN IP) to physical (NBMA IP) mapping for the NHC on the NHS. This function is called NHRP registration. NHRP also allows one NHC client (spoke) to dynamically discover the logical VPN IP to physical NBMA IP mapping for another NHC client (spoke) within the same NBMA network. Without this discovery, IP packets traversing from hosts behind one spoke to hosts behind another spoke would have to traverse by way of the NHS (hub) router. This would increase the utilization of the hub’s physical bandwidth and CPU to process these packets that come into the hub on the multipoint interface and go right back out the multipoint interface. This is often called hair-pinning. With NHRP, systems attached to an NBMA network dynamically learn the NBMA address of the other systems that are part of that network, allowing these systems to directly communicate without requiring traffic to use an intermediate hop. This alleviates the load on the intermediate hop (NHS) and can increase the overall bandwidth of the NBMA network to be greater than the bandwidth of the hub router.

NHRP is used to facilitate building a VPN. In this context, a VPN consists of a virtual Layer 3 network that is built on top of an actual Layer 3 network. The topology you use over the VPN is largely independent of the underlying network, and the protocols you run over it are completely independent of it. The Dynamic Multipoint VPN network (DMVPN) is based on GRE IP logical tunnels that can be protected by adding in IPsec to encrypt the GRE IP tunnels.

You can use debug nhrp to troubleshoot NHRP-related problems (e.g. authentication errors).

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4508-4513). Kindle Edition.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nhrp/configuration/xe-3s/asr1000/config-nhrp.html
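The registration and resolution behaviour described above, as an added single-hub configuration example; this is not configuration from the book or from the Cisco notes cited here. The interface names, the tunnel subnet 10.0.0.0/24, the hub NBMA address 198.51.100.1, network-id 100 and the NHRP authentication string are constructed placeholders. The `ip nhrp redirect` / `ip nhrp shortcut` pair is the phase 3 form of spoke-to-spoke resolution, in which the hub tells a spoke to resolve the far spoke instead of hair-pinning its traffic.

```cisco
! Added example: not from the book or the Cisco notes cited above.
! Constructed placeholders: hub NBMA 198.51.100.1, tunnel net 10.0.0.0/24,
! network-id 100, NHRP key NHRP-KEY-EXAMPLE, interface names.
!
! ===== Hub (NHS) =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
! same string on every member of the NBMA network; a mismatch shows up
! as an authentication failure in "debug nhrp"
 ip nhrp authentication NHRP-KEY-EXAMPLE
! replicate multicast (routing-protocol hellos) to every spoke that has
! registered; no per-spoke entry is ever configured on the hub
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
! phase 3: when a packet from one spoke would be hair-pinned back out
! the same mGRE interface, tell the source spoke to resolve the far spoke
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
! ===== Spoke (NHC) =====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRP-KEY-EXAMPLE
! the only static VPN-IP -> NBMA-IP mapping a spoke needs is the hub's
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 100
! NHRP registration: the spoke reports its current NBMA address to the
! hub, so a DHCP- or NAT-assigned outside address needs no hub-side config
 ip nhrp nhs 10.0.0.1
! phase 3: act on the hub's redirect and resolve the far spoke directly
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
! ===== Verification =====
! show ip nhrp              registrations (hub) / resolved spoke mappings (spoke)
! show ip nhrp nhs detail   registration state toward each NHS (spoke)
! show dmvpn                per-peer tunnel state; a peer stuck in state
!                           "NHRP" has not completed registration
! debug nhrp                registration and resolution messages
```

A spoke that stays in the NHRP state in `show dmvpn` while its crypto is up usually has a mismatched authentication string or network-id; `debug nhrp` on the hub shows the rejected registration.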

4.1.d Implement and troubleshoot DMVPN [single hub]

4.1.d [ii] DMVPN with IPsec using preshared key

The feature works according to the following rules.

● Each spoke has a permanent IPSec tunnel to the hub, not to the other spokes within the network. Each spoke registers as a client of the NHRP server.

● When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke.

● After the originating spoke learns the peer address of the target spoke, it can initiate a dynamic IPSec tunnel to the target spoke.

● The spoke-to-spoke tunnel is built over the multipoint GRE (mGRE) interface.

● The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. Thereafter, packets are able to bypass the hub and use the spoke-to-spoke tunnel.

● If an IP multicast stream originates from a spoke location, a rendezvous point (RP) must be deployed at the hub site in order for other spoke site clients to receive the stream.

● mGRE Tunnel Interface allows a single GRE interface to support multiple IPSec tunnels and simplifies the size and complexity of the configuration.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4531-4534). Kindle Edition.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpn-configuration.html
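The permanent spoke-to-hub tunnels and the on-demand spoke-to-spoke tunnels in the rules above share one crypto configuration on the hub and on every spoke. The following is an added example (not the book's configuration and not the one on the firewall.cx page cited above) using IKEv1 with a pre-shared key. The policy number, the transform-set and profile names and the key string are constructed; the `tunnel protection` line goes on the mGRE interface of the hub and of every spoke.

```cisco
! Added example: not from the book or the cited firewall.cx article.
! Constructed: policy number, names, and the key string (replace it).
!
! ---- identical on the hub and on every spoke ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Dead-peer detection: a spoke whose NBMA address changed is torn down
! and re-registers instead of lingering as a stale SA
crypto isakmp keepalive 30 5
! Wildcard peer address: spoke NBMA addresses are dynamic or NATed, so
! the hub cannot list them, and spokes build spoke-to-spoke tunnels to
! addresses learned via NHRP, so they cannot list peers either.
! Consequence: one secret is shared by the whole DMVPN, and a spoke that
! is compromised can authenticate as any peer until the key is rotated.
crypto isakmp key PSK-EXAMPLE-REPLACE-ME address 0.0.0.0 0.0.0.0
!
! Transport mode: the GRE header already carries the tunnel endpoints,
! and transport mode is required when spokes sit behind NAT
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- mGRE interface on hub and spokes (NHRP lines omitted here) ----
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Verification ----
! show crypto isakmp sa   one IKE SA per peer: the hub on every spoke,
!                         plus a far spoke while a spoke-to-spoke tunnel is up
! show crypto ipsec sa    encaps/decaps counters per peer
! show dmvpn              state IKE or IPSEC = crypto not yet up; UP = usable
```

A spoke-to-spoke tunnel appears as a second IKE SA on each of the two spokes and disappears again when the NHRP mapping expires, which is the on-demand behaviour the rules describe.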

4.1.d Implement and troubleshoot DMVPN [single hub]

4.1.d [iii] QoS profile

The Per-Tunnel QoS for DMVPN feature introduces per-tunnel quality of service (QoS) support for Dynamic Multipoint VPN (DMVPN) and increases per-tunnel QoS performance for Internet Protocol Security (IPsec) tunnel interfaces. This feature allows you to apply a QoS policy on a DMVPN hub on a tunnel instance (per-endpoint or per-spoke basis) in the egress direction for DMVPN hub-to-spoke tunnels.

The QoS policy on a DMVPN hub on a tunnel instance allows you to shape the tunnel traffic to individual spokes (parent policy) and to differentiate individual data flows going through the tunnel for policing (child policy). The QoS policy that is used by the hub for a particular endpoint or spoke is selected by the Next Hop Resolution Protocol (NHRP) group in which the spoke is configured. Even though many spokes may be configured in the same NHRP group, the tunnel traffic of each spoke is measured individually for shaping and policing.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4612-4617). Kindle Edition.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-per-tunnel-qos.pdf
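The parent/child policy selection by NHRP group described above, as an added hub-side configuration example; it is not from the book or from the Cisco guide cited here. The class maps, shaper rates, group and policy names are constructed. The spoke, not the hub, names its group, and the hub maps each group name to a policy on the tunnel interface, so adding a spoke needs no hub change.

```cisco
! Added example: not from the book or the cited Cisco guide.
! Constructed: class definitions, shaper rates, group and policy names.
!
! ===== Hub =====
class-map match-any VOICE
 match dscp ef
class-map match-any CONTROL
 match dscp cs6
 match dscp cs3
!
! Child policy: differentiates flows inside one spoke's shaped tunnel
policy-map SPOKE-CHILD
 class VOICE
  priority percent 20
 class CONTROL
  bandwidth percent 5
 class class-default
  fair-queue
!
! Parent policies: one per spoke access rate. The shaper is instantiated
! separately for every spoke even though many spokes share one group.
policy-map SPOKE-2M
 class class-default
  shape average 2000000
  service-policy SPOKE-CHILD
policy-map SPOKE-10M
 class class-default
  shape average 10000000
  service-policy SPOKE-CHILD
!
! Bind NHRP group name -> policy. The group name arrives in each spoke's
! NHRP registration, so the hub carries no per-spoke configuration.
interface Tunnel0
 ip nhrp map group SPOKES-2M service-policy output SPOKE-2M
 ip nhrp map group SPOKES-10M service-policy output SPOKE-10M
!
! ===== Spoke (a 2 Mbit/s site) =====
interface Tunnel0
 ip nhrp group SPOKES-2M
!
! ===== Verification (hub) =====
! show dmvpn detail                    NHRP group and policy applied per spoke
! show policy-map multipoint tunnel 0  per-spoke shaper and child-class counters
! show ip nhrp group-map               group-to-policy bindings and member spokes
```

If `show dmvpn detail` lists a spoke's group but no policy, the group name in the spoke's `ip nhrp group` line does not match any `ip nhrp map group` entry on the hub; the spoke then falls back to whatever policy, if any, is on the hub's physical interface.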

4.1.d Implement and troubleshoot DMVPN [single hub]

4.1.d [iv] Pre-classify

Configure qos pre-classify in VPN designs where both QoS and IPsec occur on the same system and QoS needs to match on parameters in the cleartext packet other than the DSCP/ToS byte.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4647-4648). Kindle Edition.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html
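A spoke-side illustration of the rule above, added here and not taken from the book or from the cited design guide: the QoS policy sits on the physical WAN interface, where it sees only the outer GRE/ESP packet. A DSCP match still works there because IOS copies the ToS byte to the outer header, but the port-based class below would stay empty without `qos pre-classify` on the tunnel. Interface names, the ACL, class and policy names and the IPsec profile name DMVPN-PROF are constructed.

```cisco
! Added example: not from the book or the cited design guide.
! Constructed: interface names, ACL/class/policy names, rates, the
! IPsec profile name DMVPN-PROF.
!
! Port-based classification: after encryption the physical interface
! sees only an ESP packet, so this ACL cannot match the outer header
ip access-list extended SIP-SIGNALLING
 permit udp any any eq 5060
 permit tcp any any eq 5060
!
class-map match-all SIGNALLING
 match access-group name SIP-SIGNALLING
class-map match-all VOICE
! DSCP is copied to the outer IP header, so this class matches with or
! without pre-classification
 match dscp ef
!
policy-map WAN-OUT
 class VOICE
  priority percent 20
 class SIGNALLING
  bandwidth percent 5
 class class-default
  fair-queue
!
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
! keep a copy of the cleartext header with the packet through GRE and
! IPsec so that WAN-OUT can still classify on the inner L4 ports
 qos pre-classify
!
! QoS and encryption on the same box: the policy is on the outer
! interface, downstream of the crypto engine
interface GigabitEthernet0/0
 service-policy output WAN-OUT
!
! Verification: with "qos pre-classify" removed, "show policy-map
! interface GigabitEthernet0/0" shows SIGNALLING with zero matched
! packets while VOICE keeps incrementing; restoring it makes both count.
```

Pre-classification covers classification only; queuing and shaping in WAN-OUT still act on the encrypted packet sizes, which is why per-tunnel shaping of the inner traffic belongs on the tunnel interface rather than here.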