DMVPN Lab

NetSwag Labs - DMVPN LAB

What is VPN?

  • VPN stands for Virtual Private Network. A VPN provides a secure method for transporting data across public networks. Data in transit is encrypted to protect it from man-in-the-middle attacks, snooping, and eavesdropping.

What is DMVPN?

  • DMVPN stands for Dynamic Multipoint Virtual Private Network. It uses legacy VPN technologies to implement dynamically established, multipoint VPN tunnels. This allows a full-mesh VPN topology in which sites communicate directly (Spoke-to-Spoke) or via the hubs (Hub-to-Spoke).


Basic Configurations

Switch_A Basic Configurations

hostname Switch-A
interface e1
    description To Switch-B E1
    no switchport
    ip address 10.10.10.1/30
interface e2
    description To Switch-C E1
    no switchport
    ip address 10.10.10.5/30
interface e3
    description To Router-A E0/0
    no switchport
    ip address 10.10.10.17/30
interface loopback0
    ip address 192.168.99.1 255.255.255.255

Switch_B Basic Configurations

hostname Switch-B
interface e1
    description To Switch-A E1
    no switchport
    ip address 10.10.10.2/30
interface e2
    description To Switch-D E1
    no switchport
    ip address 10.10.10.9/30
interface e3
    description To Router-B E0/0
    no switchport
    ip address 10.10.10.21/30
interface loopback0
    ip address 192.168.99.2 255.255.255.255

Switch_C Basic Configurations

hostname Switch-C
interface e1
    description To Switch-A E2
    no switchport
    ip address 10.10.10.6/30
interface e2
    description To Switch-D E2
    no switchport
    ip address 10.10.10.13/30
interface e3
    description To Router-C E0/0
    no switchport
    ip address 10.10.10.25/30
interface loopback0
    ip address 192.168.99.3 255.255.255.255

Switch_D Basic Configurations

hostname Switch-D
interface e1
    no switchport
    ip address 10.10.10.10/30
interface e2
    no switchport
    ip address 10.10.10.14/30
interface e3
    no switchport
    ip address 10.10.10.29/30
interface loopback0
    ip address 192.168.99.4 255.255.255.255

Router_A Basic Configurations

hostname Router-A
interface e0/0
    ip address 10.10.10.18 255.255.255.252
interface loopback0
    ip address 192.168.99.11 255.255.255.255

Router_B Basic Configurations

hostname Router-B
interface e0/0
    ip address 10.10.10.22 255.255.255.252
interface loopback0
    ip address 192.168.99.12 255.255.255.255

Router_C Basic Configurations

hostname Router-C
interface e0/0
    ip address 10.10.10.26 255.255.255.252
interface loopback0
    ip address 192.168.99.13 255.255.255.255

Router_D Basic Configurations

hostname Router-D
interface e0/0
    ip address 10.10.10.30 255.255.255.252
interface loopback0
    ip address 192.168.99.14 255.255.255.255

Underlay Routing Configurations

Switch_A Static Routing

ip routing
ip route 10.10.10.20/30 10.10.10.2
ip route 10.10.10.20/30 10.10.10.6 255
ip route 10.10.10.24/30 10.10.10.6
ip route 10.10.10.24/30 10.10.10.2 255
ip route 10.10.10.28/30 10.10.10.2
ip route 10.10.10.28/30 10.10.10.6 255

Switch_B Static Routing

ip routing
ip route 10.10.10.16/30 10.10.10.1
ip route 10.10.10.16/30 10.10.10.10 255
ip route 10.10.10.24/30 10.10.10.10
ip route 10.10.10.24/30 10.10.10.1 255
ip route 10.10.10.28/30 10.10.10.10
ip route 10.10.10.28/30 10.10.10.1 255

Switch_C Static Routing

ip routing
ip route 10.10.10.16/30 10.10.10.5
ip route 10.10.10.16/30 10.10.10.14 255
ip route 10.10.10.20/30 10.10.10.14
ip route 10.10.10.20/30 10.10.10.5 255
ip route 10.10.10.28/30 10.10.10.14
ip route 10.10.10.28/30 10.10.10.5 255

Switch_D Static Routing

ip routing
ip route 10.10.10.16/30 10.10.10.9
ip route 10.10.10.16/30 10.10.10.13 255
ip route 10.10.10.24/30 10.10.10.13
ip route 10.10.10.24/30 10.10.10.9 255
ip route 10.10.10.20/30 10.10.10.9
ip route 10.10.10.20/30 10.10.10.13 255

Router_A Static Routing

ip routing
ip route 0.0.0.0 0.0.0.0 10.10.10.17

Router_B Static Routing

ip routing
ip route 0.0.0.0 0.0.0.0 10.10.10.21

Router_C Static Routing

ip routing
ip route 0.0.0.0 0.0.0.0 10.10.10.25

Router_D Static Routing

ip routing
ip route 0.0.0.0 0.0.0.0 10.10.10.29

DMVPN (Overlay) Configurations

ISAKMP Policy and IPSec Profile Configuration (All Routers)

crypto keyring DMVPN-100
    pre-shared-key address 0.0.0.0 0.0.0.0 key test
crypto isakmp policy 1
    encr aes 256
    authentication pre-share
crypto isakmp profile DMVPN
    keyring DMVPN-100
    match identity address 0.0.0.0 0.0.0.0
    exit
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
    mode transport
!
crypto ipsec profile DMVPN
    set transform-set DMVPN
    set isakmp-profile DMVPN
    set pfs group14
!
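The crypto block above accepts the pre-shared key `test` from any peer address, leaves the ISAKMP hash and DH group unset so platform defaults apply, and protects tunnel traffic with 3DES. A tightened version as it could look on Router-B follows; it is an added example, not part of the original lab. It assumes an IOS release that supports SHA-256 for IKE and ESP, and the `<PSK_...>` values are placeholders.

```cisco
! Added example (not from the original lab): hardened IKE/IPsec settings for Router-B.
! <PSK_...> values are placeholders. Each one must match the entry that the
! named peer holds for 10.10.10.22 (Router-B).
!
! One keyring entry per known peer instead of "address 0.0.0.0 0.0.0.0".
crypto keyring DMVPN-100
 pre-shared-key address 10.10.10.18 key <PSK_ROUTER_A_B>
 pre-shared-key address 10.10.10.26 key <PSK_ROUTER_B_C>
 pre-shared-key address 10.10.10.30 key <PSK_ROUTER_B_D>
!
! Hash and DH group are set explicitly rather than inherited from defaults.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! IKE identities are accepted only from the three lab peers.
crypto isakmp profile DMVPN
 keyring DMVPN-100
 match identity address 10.10.10.18 255.255.255.255
 match identity address 10.10.10.26 255.255.255.255
 match identity address 10.10.10.30 255.255.255.255
!
crypto isakmp keepalive 30 5
!
! AES-256 with SHA-256 replaces esp-3des esp-sha-hmac.
crypto ipsec transform-set DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set isakmp-profile DMVPN
 set pfs group14
!
```

The other routers need the mirror-image keyring and identity entries, and the ISAKMP policy and transform set must match on every router or the tunnels will not negotiate.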

Router_A Hub Configuration for DMVPN

interface tunnel 100
    ip address 192.168.100.1 255.255.255.0
    ip mtu 1400
    ip nhrp authentication netswag
    ip nhrp network-id 100
    no ip redirects
    tunnel source e0/0
    tunnel key 100
    tunnel mode gre multipoint
    tunnel protection ipsec profile DMVPN
    bandwidth 1000000
    ip tcp adjust-mss 1360
    ip nhrp holdtime 300

Router_B Spoke Configuration for DMVPN

interface tunnel 100
    ip address 192.168.100.2 255.255.255.0
    ip mtu 1400
    ip nhrp authentication netswag
    ip nhrp network-id 100
    ip nhrp map 192.168.100.1 10.10.10.18
    ip nhrp map multicast 10.10.10.18
    ip nhrp nhs 192.168.100.1
    tunnel source e0/0
    tunnel key 100
    tunnel mode gre multipoint
    tunnel protection ipsec profile DMVPN
    bandwidth 1000000
    ip tcp adjust-mss 1360
    ip nhrp holdtime 300

Router_C Spoke Configuration for DMVPN

interface tunnel 100
    ip address 192.168.100.3 255.255.255.0
    ip mtu 1400
    ip nhrp authentication netswag
    ip nhrp network-id 100
    ip nhrp map 192.168.100.1 10.10.10.18
    ip nhrp map multicast 10.10.10.18
    ip nhrp nhs 192.168.100.1
    tunnel source e0/0
    tunnel key 100
    tunnel mode gre multipoint
    tunnel protection ipsec profile DMVPN
    bandwidth 1000000
    ip tcp adjust-mss 1360
    ip nhrp holdtime 300

Router_D Spoke Configuration for DMVPN

interface tunnel 100
    ip address 192.168.100.4 255.255.255.0
    ip mtu 1400
    ip nhrp authentication netswag
    ip nhrp network-id 100
    ip nhrp map 192.168.100.1 10.10.10.18
    ip nhrp map multicast 10.10.10.18
    ip nhrp nhs 192.168.100.1
    tunnel source e0/0
    tunnel key 100
    tunnel mode gre multipoint
    tunnel protection ipsec profile DMVPN
    bandwidth 1000000
    ip tcp adjust-mss 1360
    ip nhrp holdtime 300

DMVPN (Overlay Routing) Configuration

EIGRP Configuration Across All Tunnels

Router_A EIGRP Configuration for DMVPN VRF

router eigrp 1
 !
 address-family ipv4 vrf DMVPN autonomous-system 1
  network 192.168.98.0
  network 192.168.100.0
  passive-interface default
  no passive-interface Tunnel100
  eigrp router-id 192.168.99.1
 exit-address-family

Router_B EIGRP Configuration for DMVPN VRF

router eigrp 1
 !
 address-family ipv4 vrf DMVPN autonomous-system 1
  network 192.168.97.0
  network 192.168.100.0
  passive-interface default
  no passive-interface Tunnel100
  eigrp router-id 192.168.99.2
 exit-address-family

Router_C EIGRP Configuration for DMVPN VRF

router eigrp 1
 !
 address-family ipv4 vrf DMVPN autonomous-system 1
  network 192.168.96.0
  network 192.168.100.0
  passive-interface default
  no passive-interface Tunnel100
  eigrp router-id 192.168.99.3
 exit-address-family

Router_D EIGRP Configuration for DMVPN VRF

router eigrp 1
 !
 address-family ipv4 vrf DMVPN autonomous-system 1
  network 192.168.95.0
  network 192.168.100.0
  passive-interface default
  no passive-interface Tunnel100
  eigrp router-id 192.168.99.4
 exit-address-family

1 thought on “DMVPN Lab”

  1. takeoff2infinity - December 18, 2018

    That’s dope🔥🔥🔥
