Sunday, October 31, 2021

DMVPN Configuration || BGP || EIGRP || Step by step DMVPN Configuration on cisco IOS Routers

 



DMVPN

======


DMVPN (Dynamic Multipoint VPN) is a routing technique we can use to build a VPN network with multiple sites without having to statically configure all devices.


It's a “hub and spoke” network where the spokes will be able to communicate with each other directly without having to go through the hub.


DMVPN is a combination of 4 technologies:

========================================


mGRE (multipoint GRE)

Dynamic Next Hop Resolution Protocol (NHRP) with a Next Hop Server (NHS)

IPsec tunnel protection

Routing


NHRP Messages

=============

NHRP Registration Request

NHRP Resolution Request

NHRP Redirect
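What those three messages do is easiest to see in a small model. The following is an example added to this page, not IOS code and not the author's: a hub object acting as Next Hop Server keeps the registration cache, spokes register with it, and a spoke that has no mapping for a peer sends its first packet via the hub, receives a Redirect, resolves the peer's transport (NBMA) address and then sends directly. The addresses are the page's own (88.88.88.0/24 tunnel, 45.10.10.1 and 150.1.1.2/150.2.2.2 transport); the "wrong" authentication string and the 198.51.100.9 address in the failure case are constructed. The model simplifies real NHRP in two places, both marked in the code: the NHS answers resolution requests from its own cache, and it refuses to relay for a spoke it has not registered.

```python
"""Toy model of the NHRP Registration Request, Resolution Request and
Redirect messages between a hub (NHS) and two spokes. Added example for
this page, not IOS code; see the lead-in for the simplifications."""
from dataclasses import dataclass


@dataclass
class Mapping:
    tunnel_ip: str   # overlay address, e.g. 88.88.88.2
    nbma_ip: str     # transport address the GRE/IPsec packet is really sent to


class Hub:
    """Next Hop Server: answers NHRP requests from its registration cache."""

    def __init__(self, tunnel_ip, nbma_ip, auth):
        self.me = Mapping(tunnel_ip, nbma_ip)
        self.auth = auth            # 'ip nhrp authentication' string (cleartext on the wire)
        self.cache = {}             # tunnel_ip -> Mapping, filled by registrations
        self.redirects_sent = []    # (source tunnel IP, destination tunnel IP)

    def registration_request(self, auth, mapping):
        """NHRP Registration Request: a spoke announces tunnel IP -> NBMA IP."""
        if auth != self.auth:       # mismatched auth string: the packet is dropped
            return False
        self.cache[mapping.tunnel_ip] = mapping
        return True

    def resolution_request(self, auth, tunnel_ip):
        """NHRP Resolution Request: which NBMA address sits behind tunnel_ip?
        Simplification: answered from the hub's own cache."""
        if auth != self.auth:
            return None
        return self.cache.get(tunnel_ip)

    def relay(self, src_tunnel_ip, dst_tunnel_ip):
        """A data packet from one spoke to another arrives on the mGRE interface.
        The hub relays it and, because it leaves on the interface it came in on,
        sends an NHRP Redirect back to the source spoke.
        Simplification (assumption): unregistered sources are dropped."""
        if src_tunnel_ip not in self.cache or dst_tunnel_ip not in self.cache:
            return False
        self.redirects_sent.append((src_tunnel_ip, dst_tunnel_ip))
        return True


class Spoke:
    def __init__(self, tunnel_ip, nbma_ip, auth, hub):
        self.me = Mapping(tunnel_ip, nbma_ip)
        self.auth = auth
        self.hub = hub
        # the static 'ip nhrp map <hub tunnel IP> <hub NBMA IP>' entry from the config
        self.cache = {hub.me.tunnel_ip: hub.me}

    def register(self):
        """Sent to the server named by 'ip nhrp nhs' at boot and every holdtime."""
        return self.hub.registration_request(self.auth, self.me)

    def send(self, dst_tunnel_ip):
        """Return (path, nbma_ip): where this packet was actually encapsulated to."""
        if dst_tunnel_ip in self.cache:
            return ("direct", self.cache[dst_tunnel_ip].nbma_ip)
        if not self.hub.relay(self.me.tunnel_ip, dst_tunnel_ip):
            return ("dropped", None)
        # The Redirect triggers a Resolution Request; the answer is cached so
        # the next packet to this peer goes spoke-to-spoke.
        m = self.hub.resolution_request(self.auth, dst_tunnel_ip)
        if m is not None:
            self.cache[dst_tunnel_ip] = m
        return ("via-hub", self.hub.me.nbma_ip)


def demo():
    """Walk the exchange with the page's addresses; returns the observed paths."""
    hub = Hub("88.88.88.1", "45.10.10.1", "cisco")
    usa = Spoke("88.88.88.2", "150.1.1.2", "cisco", hub)
    canada = Spoke("88.88.88.3", "150.2.2.2", "cisco", hub)
    usa.register()
    canada.register()
    first = usa.send("88.88.88.3")    # ("via-hub", "45.10.10.1")
    second = usa.send("88.88.88.3")   # ("direct", "150.2.2.2")
    return first, second, list(hub.redirects_sent)


if __name__ == "__main__":
    print(demo())
```

The authentication string travels in cleartext inside the NHRP packet, so in the model (as on a router) it only filters misconfigured peers; it is the IPsec profile applied with tunnel protection that actually protects the exchange.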


Steps to configure.

==================

step:1

=======

Configure BGP and advertise all WAN interfaces.


router bgp 5678

 no synchronization

 bgp log-neighbor-changes

 network 45.10.10.0 mask 255.255.255.252

 neighbor 45.10.10.2 remote-as 65001

 no auto-summary



Step:2

======

Configure IKE phase 1: the ISAKMP policy and the pre-shared key. The key is a global command, not part of the policy. The 0.0.0.0 address accepts any peer that presents the key, which is what lets new spokes come up without touching the hub; it also means the key alone gates IKE with the hub, so treat it as a secret and, for production, prefer a DH group stronger than 5.


crypto isakmp policy 1

  encryption aes

  authentication pre-share

  group 5

crypto isakmp key 0 cisco address 0.0.0.0



step:3

=========

Configure IPsec phase 2: the transform set.


crypto ipsec transform-set t-set esp-aes esp-sha-hmac

 mode transport


step:4

==========

Create the IPsec profile that ties the transform set to the tunnel.


crypto ipsec profile DMVPN-PROF

  set transform-set t-set


step:5

======


Configure the DMVPN tunnel interface on the hub and on each spoke router.


Hub

====

int tunnel 0

  bandwidth 1000

  ip address 88.88.88.1 255.255.255.0

  ip mtu 1400

  ip nhrp authentication cisco

  ip nhrp map multicast dynamic

  ip nhrp holdtime 300

  ip nhrp network-id 99

  tunnel source g0/0

  tunnel mode gre multipoint

  tunnel key 100

  tunnel protection ipsec profile DMVPN-PROF

  exit


Spoke1

====

int tunnel 0

  bandwidth 1000

  ip address 88.88.88.2 255.255.255.0

  ip mtu 1400

  ip nhrp authentication cisco

  ip nhrp map 88.88.88.1 45.10.10.1

  ip nhrp map multicast 45.10.10.1

  ip nhrp holdtime 300

  ip nhrp network-id 99

  ip nhrp nhs 88.88.88.1

  tunnel source g0/0

  tunnel mode gre multipoint

  tunnel key 100

  tunnel protection ipsec profile DMVPN-PROF

  exit



Check the tunnel status on each router (for example with show dmvpn and show crypto isakmp sa) before moving on.


step:6

=======

Configure EIGRP on the hub and spoke routers to advertise the LAN and tunnel networks.


router eigrp 100

network 88.0.0.0

network 192.168.2.0

no auto-summary

exit


step:7

========

Disable EIGRP split horizon and next-hop-self on the hub's tunnel interface, so routes learned from one spoke are advertised back out to the other spokes with the originating spoke as next hop.


int tunnel 0

no ip split-horizon eigrp 100

no ip next-hop-self eigrp 100
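The seven steps above, and the full HUB_INDIA and SPOKE_USA_BRANCH1 configurations later in the post, come down to a handful of settings that must agree between hub and spoke. The script below is an example added to this page, not Cisco tooling and not the author's code: a small parser for the IOS stanzas that matter here, followed by checks for the tunnel-breaking mismatches (NHRP authentication string, GRE tunnel key, the spoke's NHS and map entries pointing at the hub) and two hygiene warnings (the wildcard pre-shared key and the DH group). The two embedded configs are constructed from the page's HUB_INDIA and SPOKE_USA_BRANCH1 values, trimmed to the relevant stanzas; the hub's Tunnel0 mirrors the full HUB_INDIA config, which carries "no ip split-horizon eigrp 100" but not the "no ip next-hop-self eigrp 100" line step 7 asks for, and the audit flags that.

```python
"""Hub/spoke DMVPN consistency and hygiene audit. Added example for this page,
not Cisco tooling; configs are constructed from the page's HUB_INDIA and SPOKE_USA_BRANCH1."""

CRYPTO_COMMON = """\
crypto isakmp policy 1
 group 5
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
"""

HUB_CONFIG = CRYPTO_COMMON + """\
interface Tunnel0
 ip address 88.88.88.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp network-id 99
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
interface GigabitEthernet0/0
 ip address 45.10.10.1 255.255.255.252
router eigrp 100
 network 88.0.0.0
"""

SPOKE_CONFIG = CRYPTO_COMMON + """\
interface Tunnel0
 ip address 88.88.88.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 88.88.88.1 45.10.10.1
 ip nhrp network-id 99
 ip nhrp nhs 88.88.88.1
 tunnel source GigabitEthernet0/0
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
interface GigabitEthernet0/0
 ip address 150.1.1.2 255.255.255.252
router eigrp 100
 network 88.0.0.0
"""


def parse_stanzas(config):
    """Map each top-level IOS line to its indented child lines (stripped)."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        elif line.strip() and line != "!":
            current = line
            stanzas.setdefault(current, [])
    return stanzas


def value(lines, prefix):
    """Text after the first line beginning with prefix, or None."""
    return next((ln[len(prefix):].strip() for ln in lines if ln.startswith(prefix)), None)


def tunnel_facts(stanzas):
    """Tunnel0 settings that must agree between hub and spoke, plus the NBMA address."""
    t = stanzas.get("interface Tunnel0", [])
    src = stanzas.get("interface " + (value(t, "tunnel source") or ""), [])
    return {
        "ip": (value(t, "ip address") or "").split(" ")[0],
        "nbma": (value(src, "ip address") or "").split(" ")[0],   # tunnel source address
        "auth": value(t, "ip nhrp authentication"),
        "network_id": value(t, "ip nhrp network-id"),
        "key": value(t, "tunnel key"),
        "nhs": value(t, "ip nhrp nhs"),
        "maps": [ln.split()[3:5] for ln in t if ln.startswith("ip nhrp map ") and "multicast" not in ln],
        "lines": t,
    }


def audit(hub_cfg, spoke_cfg):
    """Return findings for one hub/spoke pair: MISMATCH/ERROR break the tunnel, WARN is hygiene."""
    findings = []
    hs, ss = parse_stanzas(hub_cfg), parse_stanzas(spoke_cfg)
    hub, spoke = tunnel_facts(hs), tunnel_facts(ss)
    for f in ("auth", "key"):   # NHRP auth string and GRE tunnel key must match or packets are dropped
        if hub[f] != spoke[f]:
            findings.append(f"MISMATCH {f}: hub={hub[f]} spoke={spoke[f]}")
    if hub["network_id"] != spoke["network_id"]:   # locally significant, but kept equal by convention
        findings.append(f"WARN network-id differs: hub={hub['network_id']} spoke={spoke['network_id']}")
    if spoke["nhs"] != hub["ip"]:
        findings.append(f"ERROR spoke nhs {spoke['nhs']} is not the hub tunnel IP {hub['ip']}")
    if [hub["ip"], hub["nbma"]] not in spoke["maps"]:
        findings.append(f"ERROR spoke lacks 'ip nhrp map {hub['ip']} {hub['nbma']}'")
    for name, st in (("hub", hs), ("spoke", ss)):
        for header, children in st.items():
            if header.startswith("crypto isakmp key ") and header.endswith("address 0.0.0.0 0.0.0.0"):
                findings.append(f"WARN {name}: wildcard pre-shared key, any peer holding the key can negotiate IKE")
            if header.startswith("crypto isakmp policy") and value(children, "group") in ("1", "2", "5"):
                findings.append(f"WARN {name}: IKE DH group {value(children, 'group')} is weak, use 14 or higher")
    asn = next((h.split()[-1] for h in hs if h.startswith("router eigrp ")), None)
    for cmd in (f"no ip split-horizon eigrp {asn}", f"no ip next-hop-self eigrp {asn}"):
        if asn and cmd not in hub["lines"]:   # the two step-7 commands the hub tunnel needs
            findings.append(f"ERROR hub Tunnel0 is missing '{cmd}'")
    return findings
```

Run audit(HUB_CONFIG, SPOKE_CONFIG) to get the findings for the page's pair; feed it show running-config output from a hub and each spoke in turn to check a real deployment, since every spoke is audited against the same hub facts.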

=======================================================================

HUB_INDIA


hostname HUB_INDIA

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

no ip icmp rate-limit unreachable

ip cef

!

!

!

!

no ip domain lookup

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

archive

 log config

  hidekeys

!

!

crypto isakmp policy 1

 encr aes

 authentication pre-share

 group 5

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set t-set esp-aes esp-sha-hmac

 mode transport

!

crypto ipsec profile DMVPN-PROF

 set transform-set t-set

!

!

!

!

ip tcp synwait-time 5

!

!

!

!

interface Loopback0

 ip address 192.168.0.1 255.255.255.255

!

interface Tunnel0

 bandwidth 1000

 ip address 88.88.88.1 255.255.255.0

 no ip redirects

 ip mtu 1400

 ip nhrp authentication cisco

 ip nhrp map multicast dynamic

 ip nhrp network-id 99

 ip nhrp holdtime 300

 no ip split-horizon eigrp 100

 tunnel source GigabitEthernet0/0

 tunnel mode gre multipoint

 tunnel key 100

 tunnel protection ipsec profile DMVPN-PROF

!

interface Ethernet0/0

 no ip address

 shutdown

 duplex auto

!

interface GigabitEthernet0/0

 ip address 45.10.10.1 255.255.255.252

 duplex full

 speed 1000

 media-type gbic

 negotiation auto

!

interface Ethernet1/0

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/1

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/2

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/3

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/4

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/5

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/6

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/7

 no ip address

 shutdown

 duplex half

!

interface GigabitEthernet2/0

 no ip address

 shutdown

 negotiation auto

!

interface GigabitEthernet3/0

 no ip address

 shutdown

 negotiation auto

!

router eigrp 100

 network 88.0.0.0

 network 192.168.0.0

 no auto-summary

!

router bgp 5678

 no synchronization

 bgp log-neighbor-changes

 network 45.10.10.0 mask 255.255.255.252

 neighbor 45.10.10.2 remote-as 65001

 no auto-summary

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

!

logging alarm informational

no cdp log mismatch duplex

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

gatekeeper

 shutdown

!

!

line con 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

 stopbits 1

line aux 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

 stopbits 1

line vty 0 4

 login

!

!

end

==============================

SPOKE_USA_BRANCH1


service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SPOKE_USA_BRANCH1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

no ip icmp rate-limit unreachable

ip cef

!

!

!

!

no ip domain lookup

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

archive

 log config

  hidekeys

!

!

crypto isakmp policy 1

 encr aes

 authentication pre-share

 group 5

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set t-set esp-aes esp-sha-hmac

 mode transport

!

crypto ipsec profile DMVPN-PROF

 set transform-set t-set

!

!

!

!

ip tcp synwait-time 5

!

!

!

!

interface Loopback0

 ip address 192.168.1.1 255.255.255.255

!

interface Tunnel0

 bandwidth 1000

 ip address 88.88.88.2 255.255.255.0

 no ip redirects

 ip mtu 1400

 ip nhrp authentication cisco

 ip nhrp map 88.88.88.1 45.10.10.1

 ip nhrp map multicast 45.10.10.1

 ip nhrp network-id 99

 ip nhrp holdtime 300

 ip nhrp nhs 88.88.88.1

 tunnel source GigabitEthernet0/0

 tunnel mode gre multipoint

 tunnel key 100

 tunnel protection ipsec profile DMVPN-PROF

!

interface Ethernet0/0

 no ip address

 shutdown

 duplex auto

!

interface GigabitEthernet0/0

 ip address 150.1.1.2 255.255.255.252

 duplex full

 speed 1000

 media-type gbic

 negotiation auto

!

interface Ethernet1/0

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/1

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/2

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/3

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/4

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/5

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/6

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/7

 no ip address

 shutdown

 duplex half

!

interface GigabitEthernet2/0

 no ip address

 negotiation auto

!

interface GigabitEthernet3/0

 no ip address

 shutdown

 negotiation auto

!

router eigrp 100

 network 88.0.0.0

 network 192.168.1.0

 no auto-summary

!

router bgp 5678

 no synchronization

 bgp log-neighbor-changes

 network 150.1.1.0 mask 255.255.255.252

 neighbor 150.1.1.1 remote-as 65535

 no auto-summary

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

!

logging alarm informational

no cdp log mismatch duplex

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

gatekeeper

 shutdown

!

!

line con 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

 stopbits 1

line aux 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

 stopbits 1

line vty 0 4

 login

!

!

end


============================================


SPOKE_CANADA_BRANCH

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SPOKE_CANADA_BRANCH

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

no ip icmp rate-limit unreachable

ip cef

!

!

!

!

no ip domain lookup

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

archive

 log config

  hidekeys

!

!

crypto isakmp policy 1

 encr aes

 authentication pre-share

 group 5

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set t-set esp-aes esp-sha-hmac

 mode transport

!

crypto ipsec profile DMVPN-PROF

 set transform-set t-set

!

!

!

!

ip tcp synwait-time 5

!

!

!

!

interface Loopback0

 ip address 192.168.2.1 255.255.255.255

!

interface Tunnel0

 bandwidth 1000

 ip address 88.88.88.3 255.255.255.0

 no ip redirects

 ip mtu 1400

 ip nhrp authentication cisco

 ip nhrp map 88.88.88.1 45.10.10.1

 ip nhrp map multicast 45.10.10.1

 ip nhrp network-id 99

 ip nhrp holdtime 300

 ip nhrp nhs 88.88.88.1

 tunnel source GigabitEthernet0/0

 tunnel mode gre multipoint

 tunnel key 100

 tunnel protection ipsec profile DMVPN-PROF

!

interface Ethernet0/0

 no ip address

 shutdown

 duplex auto

!

interface GigabitEthernet0/0

 ip address 150.2.2.2 255.255.255.252

 duplex full

 speed 1000

 media-type gbic

 negotiation auto

!

interface Ethernet1/0

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/1

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/2

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/3

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/4

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/5

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/6

 no ip address

 shutdown

 duplex half

!

interface Ethernet1/7

 no ip address

 shutdown

 duplex half

!

interface GigabitEthernet2/0

 no ip address

 shutdown

 negotiation auto

!

interface GigabitEthernet3/0

 no ip address

 shutdown

 negotiation auto

!

router eigrp 100

 network 88.0.0.0

 network 192.168.2.0

 no auto-summary

!

router bgp 5678

 no synchronization

 bgp log-neighbor-changes

 network 150.2.2.0 mask 255.255.255.252

 neighbor 150.2.2.1 remote-as 65535

 no auto-summary

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

!

logging alarm informational

no cdp log mismatch duplex

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

gatekeeper

 shutdown

!

!

line con 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

 stopbits 1

line aux 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

 stopbits 1

line vty 0 4

 login

!

!

end

=====================================

AIRTEL_ISP_INDIA



interface GigabitEthernet0/0

 ip address 45.10.10.2 255.255.255.252

 duplex full

 speed 1000

 media-type gbic

 negotiation auto

!

interface GigabitEthernet2/0

 ip address 83.10.10.1 255.255.255.252

 negotiation auto

!

router bgp 65001

 no synchronization

 bgp log-neighbor-changes

 network 45.10.10.0 mask 255.255.255.252

 network 83.10.10.0 mask 255.255.255.252

 neighbor 45.10.10.1 remote-as 5678

 neighbor 83.10.10.2 remote-as 65535

 no auto-summary


===================================================

AT&T_ISP


!

interface GigabitEthernet0/0

 ip address 83.10.10.2 255.255.255.252

 duplex full

 speed 1000

 media-type gbic

 negotiation auto

!


!

interface GigabitEthernet2/0

 ip address 150.1.1.1 255.255.255.252

 negotiation auto

!

interface GigabitEthernet3/0

 ip address 150.2.2.1 255.255.255.252

 negotiation auto

!


!

router bgp 65535

 no synchronization

 bgp log-neighbor-changes

 network 83.10.10.0 mask 255.255.255.252

 network 150.1.1.0 mask 255.255.255.252

 network 150.2.2.0 mask 255.255.255.252

 neighbor 83.10.10.1 remote-as 65001

 neighbor 150.1.1.2 remote-as 5678

 neighbor 150.2.2.2 remote-as 5678

 no auto-summary

!




