DMVPN: From Basics to Scalable Networks
DMVPN is a fantastic technology when you’re trying to roll out a large-scale site-to-site Internet-based VPN or improve the convergence of your MPLS/VPN-based network. It seems exceedingly simple, but it can quickly lead to interesting challenges, especially if you’re trying to build networks where a large number of remote sites connect to a few hub routers.
As soon as you start deploying any-to-any VPN (Phase 2 DMVPN), you’ll stumble across the dual default routing problem, and the quest for scalable solutions will lead you from OSPF/EIGRP-based networks to either BGP or unidirectional RIP. With the help of this webinar your journey will be faster and more comfortable.
Designed for demanding networking engineers, this three hour advanced technical webinar is full of design and configuration guidelines and tips that will help you build and deploy scalable DMVPN networks.
- Buy all three DMVPN webinars in the DMVPN trilogy
If you’re considering DMVPN deployment beyond a few sites, you simply must attend this advanced webinar. Regardless of whether you’re a high-end consultant, a network designer working on a complex DMVPN-based design or a deployment engineer – you’ll appreciate the high-level overviews, configuration tips and the intricate technical details of all the scenarios covered during the webinar.
To attend this webinar, you should be very familiar with IP routing and IP routing protocols (CCNP-level knowledge is highly recommended) and have rudimentary knowledge of GRE and IPSec.
DMVPN Phase 1
Hub-and-spoke Phase 1 DMVPN is the easiest DMVPN topology. This section describes DMVPN design and configuration principles including:
- Routing protocol design guidelines for OSPF, EIGRP and BGP.
- GRE design and configuration, with special focus on GRE tunnel key requirements and caveats (the tunnel key separates mGRE tunnels sharing a source address; it is not an authentication mechanism).
- NHRP configuration, including NHRP multicast maps and NHRP operation in dial-up networks with dynamic transport IP addresses.
- Basic IPSec configuration with pre-shared keys and certificates.
- Redundant network design with each spoke router connected to two hub routers.
DMVPN Phase 2
After describing the changes introduced by Phase 2 DMVPN (dynamic spoke-to-spoke tunnels) and their impact on routing protocol design (OSPF, EIGRP and BGP), this section details the default routing issues caused by spoke-to-spoke IPSec tunnels: the transport addresses of other spokes are not known in advance and have to be reached through the Internet default route, which competes with the default route pointing into the DMVPN tunnel. It also covers the caveats of sharing one IPSec protection profile across tunnels.
Split Default Routing
This section presents several solutions to the default routing issues introduced with direct spoke-to-spoke tunnels, from policy routing to split default routing, where the transport interfaces are placed in a separate Virtual Routing and Forwarding (VRF) table with its own Internet default route while the global routing table keeps the default route pointing into the tunnel.
Multihomed Spoke Site
Connections to two Internet Service Providers are usually used to increase the availability of DMVPN spoke sites. Simplistic implementations of dual uplinks can easily fail if the ISPs perform strict source IP address checking (usually with Reverse Path Forwarding – RPF – mechanisms) and drop packets whose source address belongs to the other ISP. This section describes the tunnel route-via feature introduced in IOS release 12.4(11)T and an alternate design that works well with encrypted traffic.
Scaling DMVPN with Distance Vector Routing Protocols
OSPF can become a bottleneck in DMVPN designs with a high spokes-per-hub ratio. A simple distance vector routing protocol (RIP or ODR) scales much better than OSPF (with obvious convergence drawbacks). This section describes a network design where spoke sites with multiple routers use OSPF while sites with a single router (still connected to two uplinks) use ODR, which is then redistributed into OSPF.
Spoke sites running OSPF receive the full complement of routes, while spoke sites running ODR receive just the default route from the hub routers.
DMVPN Phase 3
Simplified scalable routing comes with a price: spoke routers receive just the default route from the hub routers, not the detailed routing information needed to establish spoke-to-spoke tunnels. DMVPN Phase 3 solves this problem with NHRP redirect messages sent by the hub and the resulting spoke-to-spoke shortcut routes installed on the spokes. This section describes Phase 3 configuration and design caveats caused by DMVPN-specific limitations of NHRP.
Scaling DMVPN with Unidirectional Routing
As the number of spokes per hub grows, the multicast replication of routing protocol updates on the hub router becomes a bottleneck. To scale a DMVPN network beyond this bottleneck, you have to deploy a combination of a distance vector routing protocol (spokes advertise their prefixes to the hub) and reliable static routing (spokes use default routes toward the hub whose reachability is tracked with IP SLA), making the hub router totally passive from the routing perspective.
Unidirectional routing (or BGP) allows you to grow the DMVPN cloud to the point where you hit the architectural and IPSec limits of the hub routers. At that point, you have to introduce a hierarchy of hub routers and carefully design the routing protocols and NHRP if you want to retain any-to-any connectivity with hub hierarchy.
The webinar does not address platform-specific issues or performance guidelines. These topics are covered in Cisco’s design guides.
IPSec configuration is largely ignored, as it’s an independent part of the DMVPN design.
Twenty sets of complete router configurations covering every single design scenario described in the webinar are included in the webinar materials.
The seven-router lab topology emulates an enterprise DMVPN deployment with a redundant central site (with two hubs), a redundant remote site (with two routers) and two non-redundant remote sites (using two uplinks in a few scenarios). The seventh router emulates the Internet.
The configurations can be used on any hardware (real or otherwise) supporting recent Cisco IOS software, allowing you to test and modify the design scenarios discussed in the webinar.
The router configurations cover the following scenarios:
DMVPN Phase 1
- GRE+NHRP configuration without IPSec, using OSPF as the routing protocol
- dual-hub OSPF design
- dual-hub EIGRP design
- dual-hub BGP design
- spokes with dynamic (DHCP-based) transport addresses
- MPLS/VPN over DMVPN
DMVPN Phase 2
- Simple Phase 2 DMVPN with OSPF
- DMVPN in OSPF stub area with default routing and transport interfaces in Internet VRF
- EIGRP with default routes and route filters
- BGP using default-information originate
- Spoke sites with uplinks to two ISPs, no IPSec and tunnel route selection
- Spoke sites with uplinks to two ISPs using two Internet VRFs
- ODR-based routing
- One-way RIP routing (hub site is passive, spokes use IP SLA-based default routing)
- Two-tier central site with IPSec offload
- MPLS/VPN over DMVPN using EBGP between hub and spokes
- MPLS/VPN over DMVPN using directly-connected IBGP sessions
- Inter-AS MPLS/VPN over DMVPN
DMVPN Phase 3
- Dual-star design with ODR routing
- Multiple hubs in the same DMVPN cloud and mixed RIP+OSPF routing over DMVPN
Ivan Pepelnjak (CCIE#1354 Emeritus) has been designing, deploying, operating and troubleshooting IP-based Enterprise and Service Provider networks since 1990. He’s the author of highly successful EIGRP and MPLS books published by Cisco Press and of Service Provider courses now offered by Cisco Systems, and the technical reviewer of several other VPN-related books. Recently he wrote articles describing next-generation Service Provider networks and blogged about various internetworking issues.
- Complete sets of sample router configurations
- Recording of WebEx session in downloadable .ARF format
- Frequently-Asked Questions document