Beruflich Dokumente
Kultur Dokumente
Introduction to DMVPN
What is DMVPN?
DMVPN provides an easy and scalable way to create large and small IPsec VPNs by combining GRE tunnels, IPsec encryption, and Next Hop
Resolution Protocol (NHRP).
NHRP
In NHRP, the hub maintains a database of all spokes’ real (publicly reachable) Internet addresses. Spokes in a DMVPN network register their real IP
address with the hub during boot session. Spokes query the NHRP database on the hub for the real address of destination spokes when building
direct tunnels to them.
All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 1 of 30
When would a DMVPN hub-to-spoke or spoke-to-spoke topology be deployed?
DMVPN was designed to follow the 80:20 rule, where eighty percent of the traffic would go through the hub, and twenty percent of the traffic
would go through the spokes.
DMVPN hub-to-spoke network topology is usually preferred to DMVPN spoke-to-spoke topology for networks with a high volume of voice and
multicast traffic.
If a customer wants to deploy DMVPN architectures where 100 percent of the traffic will be spoke-to-spoke with voice and multicast requirements,
please contact the DMVPN core (dmvpn-core@cisco.com) for more detailed network design information and guidance.
• DMVPN avoids the need for crypto maps on the physical interface.
• Adding new spokes in a DMVPN network does not require any extra configuration on the hub side, making the maintenance much easier.
• DMVPN provides routing-based failover. This makes configuration of redundant hubs easier.
• DMVPN makes it easier to configure split tunneling or nonsplit tunneling. A configuration change on the hub can change the split-tunneling
behavior. In IPsec, all the spokes will have to be modified.
• DMVPN has dynamic spoke-to-spoke connectivity support. Plain IPsec needs additional configuration in the spoke to support spoke-to-spoke
connectivity and also needs static IP addresses.
• Native IPsec supports only IP Unicast traffic. Use a GRE tunnel architecture to support multicast and dynamic routing.
What are the differences between DMVPN and IPsec plus GRE?
IPsec and GRE have the following limitations with respect to DMVPN:
• IPsec uses an Access Control List (ACL) to define what data is to be encrypted. Each time a new subnetwork is added behind a spoke or the hub,
the customer must change the ACL on both the hub and spoke routers. If the service provider manages the router, the customer must notify the
service provider in order to get the IPsec ACL changed and the new traffic will be encrypted.
• With large hub-and-spoke networks, the size of the configuration on the hub router can become very large, to the extent that it is unusable. For
example, a hub router would need up to 3900 lines of configuration to support 300 spoke routers. This is large enough that it would be difficult to
show the configuration and to find the section of the configuration that is relevant to a current problem that is being debugged. Also, this size
configuration may be too large to fit in NVRAM and would need to be stored on Flash memory.
• GRE plus IPsec must know the endpoint peer address. The spokes’ IP addresses are connected directly to the Internet using their own ISP, and
they are often set up so that their external interface addresses are not fixed. The IP addresses can change each time the site comes online (using
Dynamic Host Configuration Protocol [DHCP]).
• If the spokes need to communicate with each other directly over the IPsec VPN, the hub-and-spoke network must become a full mesh. Since it is
not already known which spokes will need to talk directly with each other, a full mesh is required, even though each spoke may not need to talk
directly with every other spoke. Also, it is not feasible to configure IPsec on a small spoke router so that it has direct connectivity with all other
spoke routers in the network; spoke routers may need to be more powerful routers.
DMVPN uses mGRE on the hub router, because mGRE does not require a tunnel destination to be configured, but mGRE cannot work alone. NHRP
is used to find the mapping between the IP next hop out the tunnel interface and the tunnel destination to get to that IP next hop (spoke). In order to
start this system, the spoke routers are configured with the NHRP mapping for one or more hub routers. When the spoke routers boot, they build the
GRE plus IPsec tunnel to the hub routers. At this point the spoke router will send an NHRP registration packet (for example, a Frame Relay inverse
Address Resolution Protocol [ARP]) with its own mapping to the hub routers. After the hub receives NHRP registrations from the spokes, it can send
packets back to the spoke router. At this point the hub and spoke become routing neighbors and pass routing information to each other. Since GRE is
now clear, IPsec is used to protect the content of GRE. Tunnel protection has been introduced as part of DMVPN, and the tunnel profile serves the
same functionality as a crypto map. IPsec applies the tunnel profile on the tunnel interface, and Cisco IOS® Software treats this internally as a
crypto map.
• Multicast
• GRE
• Routing protocols
• Simplified configurations
If a physical interface needs to be kept free for other applications (for example, router management), a hub-to-spoke DMVPN deployment is
recommended.
If the customer is interested in all items in the preceding list, as well as direct (not through hub) spoke-to-spoke communication, then a spoke-to-
spoke DMVPN deployment is recommended.
Between the two, it is recommended that DMVPN networks be deployed with hub-to-spoke topologies first and then follow a migration path to a
DMVPN spoke-to-spoke topology, if spoke-to-spoke voice and multicast requirements exist.
• Easy VPN
• Plain IPsec
If a customer is interested in multicast and routing protocols, recommended deployments are:
• DMVPN
• IPsec with GRE (differences between DMVPN and IPsec with GRE have been outlined in the previous section)
What are the options for deploying DMVPN hubs and the typical size of installations they support?
The largest currently deployed customer base for DMVPN is 3000 spokes as of June 21, 2005. Cisco is working on customer deployments for
networks with more than 10,000 spokes.
The following devices are recommended for DMVPN headend devices. Details are included in the following sections.
• Cisco 7200 VXR router with VPN Acceleration Module (VAM) and VAM2 cards or Cisco 3700 Series multiservice access routers with Advanced
Integration Module (AIM) and AIM HP II cards
• Cisco Catalyst® 6500 Series Switches and Cisco 7600 Series Routers with Cisco Multiprocessor WAN Application Module (MWAM) card and
VPN Services Module (VPNSM) installed for aggregating large number of spokes to a single hub
• Cisco Catalyst 6500 Series and Cisco 7600 Series with Cisco Catalyst 6500 Series Supervisor Engine 720 and the VPNSM for high throughput
Cisco 7200 VXR Router with VAM2 Cards and Cisco 3700 Series with AIM and AIM HP II Cards
Cisco 7200 Series Routers will scale up to 700 spokes, with 350 spokes per mGRE interface using Extended Interior Gateway Routing Protocol
(EIGRP). The size of installations can be increased by having multiple hubs. Cisco 7206VXR Routers are very stable, with 700 spokes with two
mGRE interfaces being used by Cisco IT for the internal Enterprise-Class Teleworker deployment (see section 3 for additional details). The
performance of these routers with DMVPN has been demonstrated to be better than IPsec point-to-point GRE in hub-and-spoke mode.
Table 2, taken from the DMVPN design guide (link included below), shows the comparison chart for DMVPN and IPsec with point-to-point GRE
with voice calls.
Bi-directional Bi-directional
Spokes # of Voice Calls Traffic (Mbps) Traffic (kPPS) CPU Utilization %
Cisco 3745 Multiservice Access 60 60 17.6 8.4 72
Additional information:
• Detailed scalability numbers for all Cisco 7200 Series and Cisco Access Routers:
http://www.cisco.com/warp/public/779/largeent/it/ese/DMVPN_bk.pdf
Cisco Catalyst 6500 Series Switch with MWAM and VPNSM Card
The Cisco Catalyst 6500 Series with the Cisco MWAM Card and VPNSM installed are recommended for aggregating large numbers of spokes to
a single hub.
The MWAM card runs multiple installations of Cisco IOS Software. The MWAM essentially acts as six independent NPE-G1 Cisco IOS Software
Routers, all located on one card, which can be used in the Cisco Catalyst 6500 Series or the Cisco 7600 Series. When the mGRE tunnels are
terminated on the MWAM processors, it is easy to create a very scalable DMVPN design. The MWAM performs the NHRP resolution and the
GRE functionality, leaving most of the encryption to the VPNSM.
The VPNSM is a Gigabit Ethernet IPsec cryptographic module that is installed in the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series
Router. Configuring VPNs using the VPNSM is similar to configuring VPNs on routers running Cisco IOS Software. When configuring VPNs with
the VPNSM, crypto maps are attached to VLANs (using interface VLANs); when VPNs are configured on routers running Cisco IOS Software,
crypto maps are attached to individual interfaces.
Unlike modules for existing router platforms, the VPNSM performs the crypto ACL lookup processing and all crypto key swapping (moving the
relevant key material for a given packet into use for encrypting or decrypting that packet) in Ternary Content Addressable Memory (TCAM)
hardware. The router platforms perform these functions in their main CPUs, giving a design using the VPNSM, a definitive advantage in
performance.
The detailed packet flow is further explained in “DMVPN Support, Scalability and Management.” Detailed design information concerning DMVPN
designs with the MWAM access module can be accessed at DMVPN on CAT6K-MWAM and Native Modes white paper in the technical documents
section at http://www.cisco.com/go/dmvpn.
Cisco Catalyst 6500 Series and Cisco 7600 Series Router with Cisco Catalyst 6500 Series Supervisor Engine 720
and VPNSM
The MWAM is typically used for aggregating a high volume of spokes into a headend device. The Cisco Catalyst 6500 Series Switch with native
Cisco Catalyst 6500 Series Switch Supervisor Engine 720 or the Cisco Catalyst 6500 Series Supervisor Engine 2 and VPNSM can be used for a
high-bandwidth spoke or a hub device. The number of spokes supported by the Cisco Catalyst 6500 Series and Cisco 7600 Series Router running in
native supervisor mode is limited by the routing protocol, and the number of spokes is approximately 350 spokes per mGRE interface with a total of
700 spokes. Figure 2 is a high-level deployment diagram for this option.
These features can take DMVPN to the next level. A detailed description of the projects have been given in subsequent sections.
DMVPN Phase 3 is not currently available. For exact availability dates for these features, please contact dmvpn-core@cisco.com.
• The routing protocol must be configured; it will advertise all individual specific routes for networks behind the spoke routers. The route
summarization cannot be done on the hub for routes advertised to the spokes.
• When using Open Shortest Path First (OSPF) as the routing protocol, only two hub routers can be supported, and all spokes must be dual
connected to both hub routers. This reduces the scalability of DMVPN spoke-to-spoke when using OSPF.
• The hub routers must be connected to each other (over DMVPN) in a loop or “daisy chain,” and NHRP mapping resolutions will traverse the
whole chain. This tends to limit the number of hub routers.
In DMVPN Phase 3, all of the preceding limitations will be removed. It will rewrite the interaction of NHRP, Cisco Express Forwarding switching,
and the routing table to allow:
• Route summarization for reduced routing load and routing table size on spoke routers.
• Allowing for more than two hub routers for DMVPN spoke-to-spoke communication when using the OSPF routing protocol. (Limitations exist
only for current DMVPN spoke-to-spoke networks.)
The following diagrams help illustrate what the DMVPN Phase 3 enhancements will be.
Route Summarization for Reduced Routing Load and Routing Table Sizes on Spoke Routers
In a DMVPN network, the hub maintains an NHRP mapping database of all the spoke’s tunnel to real (public interface) addresses. Each spoke
registers its real address when it boots. Spokes query the NHRP database for real addresses of destination spokes to build direct tunnels.
The current model for NHRP to interact with Cisco Express Forwarding is for NHRP to have ARP-like functionality only. This requires the routing
table to contain unique specific subnetwork entries with an IP next hop for each tunnel IP address of the remote spoke routers on the DMVPN. This
means every spoke router in the DMVPN will need to have a subnetwork route for every subnetwork behind every other DMVPN spoke router. As
the size of a DMVPN network grows, the number of routes grows, this may lead to a large number of routes and scalability problems from small
spoke routers.
In Figure 3, the current model of operation requires all spokes to maintain the subnetwork information of all the other spokes. As the size of DMVPN
networks increases, the routing tables in the spokes continue to increase in size. Also, the hub would need to propagate all the network and tunnel
address pairs for all the spokes without summarization. Currently routes cannot be summarized, because the unique IP next hop on the routes on the
spoke router is the trigger information for building the dynamic spoke-to-spoke tunnels.
A small spoke, for example a Cisco 831 Ethernet Broadband Router in a 300-node DMVPN network, would have routing information for all the
subnetworks behind all 300 spokes even if it would not have use for all of them. It is prefered to summarize routes and follow the query model of
NHRP to request routes for other spokes as needed, prior to building the tunnel and populate the subnet/tunnel mappings on demand.
In Figure 3, the spokes have subnetwork entries to every spoke. This is the behavior of DMVPN networks today. After DMVPN Phase 3, the routing
updates at the spokes will be summarized as shown in Figure 4. In this case the subnetwork routing entries will have an IP next hop of the NHRP
hub router(s), and NHRP will be triggered by “snooping” on the destination IP address of packets that Cisco Express Forwarding is switching to
search for a shorter route. Also, in this case, we can use summary routes instead of needing explicit subnetwork routes. If/when NHRP finds a shorter
route, NHRP will install a specific subnetwork route in the routing table with an IP next hop of the remote spoke router behind where that
subnetwork resides. Cisco Express Forwarding will then automatically pick up that route and install a corresponding Forwarding Information Base
Figure 4. DMVPN Route Summarization After Proposed NHRP Cisco Express Forwarding Rewrite
The routing entries for the spoke tunnel from N1 to N2 (that is, [N1-TS2] to [N1-TS1] are created on demand when the spoke-to-spoke
tunnel is created.
Allow More than Two Hub Routers for DMVPN Spoke-to-spoke When Using OSPF
For complete spoke-to-spoke communication with OSPF, the network cannot grow beyond the maximum number of nodes supported by one hub.
In order to help ensure that the spokes carry subnetwork information for all other spokes with OSPF as the routing protocol, configure OSPF in
broadcast mode. This means the designated router and the backup designated router (the two hubs) need to be connected to every spoke (see Figure
5) and spoke-to-spoke networks cannot grow beyond these two hubs. This limitation will be removed after delivery of DMVPN Phase 3.
Remove Requirement that Hub Routers be Connected in a Loop for Large Spoke-to-Spoke Networks
To enable any-to-any spoke connection, the NHRP resolution packets must be able to be propagated among the hubs to find the NHRP database
information that is needed to answer the query. In Figure 6, to achieve any-to-any spoke communication between a spoke in cluster (1–300) to a
spoke in cluster (1501–1800), NHRP requests would travel across from hub 1 to hub 6, which are linked together in a daisy chain. The simplest form
of a daisy chain would be 1 –> 2 –> 3 –> 4 –> 5 –> 6 –> 1. The NHRP requests traverse the daisy chain, and the NHRP responses also traverse the
rest of the daisy chain. If a spoke in hub 1 wants to contact a spoke in hub 3, the request would be:
We have mechanisms that have a primary daisy chain going across all the hubs and a secondary daisy chain going across alternate hubs. The primary
daisy chain goes across all the routers, and the secondary daisy chain goes across every other router. This is illustrated in Figure 7 and shows that the
hubs are still connected in the event of failure of hub 3.
DMVPN Phase 3 would remove the requirement for daisy chains by:
• Dynamic discovery of the shortest path between hubs so NHRP requests and responses do not go along a single statically defined path.
• Resiliency against single and multiple hub failures. Failure of a hub should only isolate the part of the DMVPN cloud under that hub without
negatively affecting the rest of the DMVPN network.
Currently the order of packet processing results in encryption occuring prior to QoS at the outbound interface. DMVPN Phase 3 QoS enhancements
allow for complete QoS classification, scheduling, queuing, and traffic shaping support per security association prior to encryption of the packet.
There will be a separate queue per spoke for routing updates and a priority queue for voice and application traffic per spoke.
Figure 10 shows inbound and outbound traffic (ie: traffic that has to be encrypted and decrypted). Based on traffic selectors, the right security
association is chosen to encapsulate or decapsulate the packet. The associated QoS policy is then applied on the packet before it enters the crypto
engine for encryption.
In Figure 11, if spokes A, B, and C want to participate in a multicast stream from a multicast source M behind the hub, the hub will need to make
three copies of the multicast packet and encrypt each with the security associations for spoke A, B, or C. Extending the case to a 5-Mbps multicast
stream that needs to be sent to 200 spokes. It is very easy to note that this would result in the hub processing 5Mbps X 200 spokes, or 1 Gbps of
encrypted traffic.
In DMVPN Phase 3, using a common group key under the Group Domain of Interpretation (GDOI) protocol (RFC-3547), albeit is possible to
encrypt the IP Multicast packet first, then duplicate it to send to each individual spoke router that wants it. This will reduce the encryption bandwidth
utilization (back to 1 Mbps for the example).
With GDOI, it is possible to have a common group key to encrypt multicast flows where there would be a requirement for a single encrypt and
multiple copies. This mode scales better because the copying operation is far less computationally intensive than uniquely encrypting the multicast
flows for each spoke with its security association. This can be achieved by running a GDOI server on the DMVPN hub, where the hub uses a group
key to send routing updates/multicast traffic to the set of spokes that want/need it.
Figure 11 shows the protocol flows necessary for group members to participate in a group:
1. Customer-edge (CE) devices register with the key server. The key server authenticates and authorizes each CE and provides the IPsec policy and
keys necessary for the group member to encrypt and decrypt data packets for the group.
3. As needed, the key server pushes a “rekey” key management message to the group members. The rekey message contains new IPsec policy and
keys to use when old IPsec security associations expire. Rekey messages are sent in advance of security association expiration time to help
ensure that valid group keys are always available.
What is the scope of the Better Management Support for DMVPN Project?
To analyze, manage, or troubleshoot the DMVPN network, four different relevant internal tables need to be correlated and examined:
NHRP mapping table, crypto socket table, crypto map table, and IPsec security association table.
The state of a DMVPN tunnel requires the examination of four different data structures.
1. NHRP mapping table, which maps the end destination IP host or network to the remote spoke tunnel IP address and the remote spoke physical
IP (NBMA) address. The NBMA address is then used to create/map to an entry in the crypto socket table. The end destination IP address to
tunnel IP address/NBMA address mapping could be many to one. The NBMA address to crypto socket table entry is one to one.
2. Crypto socket table, which is used by NHRP to create dynamic crypto map entries. It has the same basic information that is provided by a static
crypto map configuration (IPsec local and remote peer addresses, and IPsec proxies for the traffic that is to be encrypted/decrypted). This
information along with the IPsec profile information (transform set) is used to create a dynamic crypto map entry.
3. Crypto map table, which contains the IPsec peer addresses, IPsec proxies, and transform mode from the crypto socket and is used by IPsec to
trigger/control ISAKMP security associations and IPsec security associations.
In order for a DMVPN tunnel to work, an NHRP mapping must point to a crypto socket entry pointing to a crypto map pointing to an IPsec security
association. Currently, four or five different commands need to be entered to show the state of a DMVPN tunnel, which also involves manually
matching entries from one table to entries in the next table. If the tunnel is not working, it is not clear which piece is not working. The following
linkage must be in place:
NHRP mapping –> crypto socket –> crypto map –> IPsec security association
For simplification, show and debug commands that will deal with a DMVPN tunnel as a single entity and look up and correlate the information in
these tables automatically for display will be provided. Also, MIBs for NHRP and mGRE tunnel interfaces as well as expanding the IPsec MIB to
• Show commands
• Syslogs
• Traps/informs
• Debugs
• MIBs
• DMVPN support questions (multicast, VoIP, Multiprotocol Label Switching [MPLS], routing protocols supported, QoS, Network Address
Translation [NAT])
• DMVPN configuration questions
• DMVPN scalability questions (how many tunnels per mGRE, tunnels per router type)
• DMVPN management (MIBs, monitoring individual connections, enhanced command-line interface [CLI])
• DMVPN availability and resiliency questions (failover mechanisms, resiliency, dual hubs)
• Cisco IOS Software Major Releases 12.3([9b, 9c, 9d]), 12.3([12a, 12b]), and 12.3(13a)
• Cisco IOS Software Releases 12.3(8)T6, 12.3(8)T7, 12.3(8)T8, and 12.3(11)T2
• DMVPN hub only (mGRE, NHRP, RP on MWAM or back-end Cisco 7200 Series processor)
• Cisco IOS Software Release 12.2(18)SXD1
• DMVPN hub or spoke (mGRE, NHRP, RP on MSFC and Cisco Catalyst 6500 Series Supervisor Engine 720)
• Cisco IOS Software Release 12.2(18)SXE (Rockies 2)
DMVPN was released in phases; the following outlines the first release and major enhancements added to DMVPN:
Running the latest Cisco IOS Software Release 12.3 or 12.3T, except for Cisco IOS Software releases 12.3(10) and 12.3(11)T, is recommended for
best functionality.
Do not run any code release between the above-listed versions; there is a severe bug, CSCef77648, that will break DMVPN networks.
Hub Platforms
Cisco 1700 Series modular access routers; Cisco 1800, 2800, and 3800 series integrated services routers; Cisco 2600 Series multiservice platforms;
Cisco 3700 Series; Cisco 7206VXR Router; Cisco Catalyst 6500 Series Switches; Cisco 76000 Series Routers.
Spoke Platforms
Cisco 1700 Series; Cisco 3700 Series; Cisco 2600 Series; Cisco 800, 1800, 2800, and 3800 series integrated services routers; and Cisco 7206VXR
Router.
Intermediate System-to-Intermediate System (IS-IS) is not supported because it does not use IP as its network/transport protocol.
Border Gateway Protocol (BGP) is supported, but requires specification of all the neighbors individually in the configuration.
1. Only Cisco Catalyst 6500 Series Supervisor Engine 720 (not Cisco Catalyst 6500 Series Supervisor Engine 2) can be used as a DMVPN hub
or spoke.
2. Tunnel key should not be configured. If configured, neither EARL7 nor VPNSM will take over the tunnel, and the tunnel will be process-
switched.
3. Platforms other than the Cisco Catalyst 6500 Series must upgrade to Cisco IOS Software releases (12.3T or later) that relax tunnel key
requirements, if interacting with Cisco Catalyst 6500 Series using mGRE.
4. mGRE tunnels in non-VRF mode should not share the same tunnel source.
5. GRE tunnels in different VRFs cannot share the same tunnel source.
7. Because of CSCed21558:
8. Because of CSCef95695:
a. If the Cisco Catalyst 6500 Series is a hub, then the spoke behind NAT must be a Cisco Catalyst 6500 Series, or the box must run an image
with the fix.
b. If the Cisco Catalyst 6500 Series is a spoke behind NAT, the hub must be a Cisco Catalyst 6500 Series, or the box must run an image with
the fix.
9. Officially multicast streaming is not supported across DMVPN on Cisco Catalyst 6500 Series and Cisco 7600 Series. Only multicast packets
from the control plane such as routing protocols are supported.
10. In a VRF-aware DMVPN scenario, mls mpls tunnel-recir must be configured in global on the PE/DMVPN hub if CE/DMVPN spokes need to
talk to other CEs across the MPLS cloud.
11. In a VRF-aware DMVPN scenario, the mGRE interface should be configured with a large enough IP Maximum Transmission Unit (MTU)
value to avoid RP doing fragmentation. See bug CSCeh37078.
12. In a VRF-aware DMVPN scenario, EIGRP should be avoided because of bug CSCsa62127 (this bug may be fixed before official release).
13. Officially DMVPN does not support blade-to-blade switchover on the Cisco Catalyst 6500 Series and Cisco 7600 Series.
How is DMVPN deployed on Cisco Catalyst 6500 Series switches with MWAM?
DMVPN as a hub on a Cisco Catalyst Switch has a slightly different implementation than configuring DMVPN on a Cisco 7200 Series. A brief
summary is outlined below.
2. The MSFC creates the security associations on the VPNSM blade. An encrypted packet from the spoke is first decrypted by the VPNSM
module on the Cisco Catalyst 6500 Series.
3. The decrypted packet is the GRE packet. The Server Load Balancer (SLB) on SUP then load balances the GRE packet on the less loaded
MWAM processor. SLB contains the five processors of the MWAM module in its server farm.
4. MWAM processor is like the headend of the DMVPN setup except that it doesn’t have to decrypt anything. MWAM processor accepts the GRE
packets and accepts the NHRP registrations in its database.
5. The mGRE tunnel source interface on MWAM processor is the loopback address.
6. After the NHRP adjacency is established on a MWAM processor, the MWAM processor sends the EIGRP hellos down the new tunnel.
7. MWAM processor just encapsulates the packet toward the spoke from the hub, and VPNSM module encrypts the packet. The SUP then sends
the encrypted packet using an appropriate route to the spoke.
Detailed design information on DMVPN designs with the MWAM Access Module can be accessed at DMVPN Deployment on Cisco Catalyst 6500
Switches-MWAM and Native Modes white paper in the Technical Documents section at http://www.cisco.com/go/dmvpn.
What equipment is needed to deploy a DMVPN solution on Cisco Catalyst 6500 Series Switch with the MWAM Access Module?
The following equipment will be needed:
• Cisco Catalyst 6500 Series chassis with Cisco Catalyst 6500 Series Supervisor Engine 720
• VPNSM module for encryption/decryption
• MWAM module for the headend (terminating GRE tunnels and maintaining NHRP database)
Detailed design information on DMVPN designs with the MWAM Access Module can be accessed at “DMVPN Deployment on Cisco Catalyst 6500
Switches-MWAM and Native Modes” white paper in the Technical Documents section at http://www.cisco.com/go/dmvpn.
Currently, during spoke-to-spoke tunnel setup, the voice packets are directed by the hub. These packets are process switched. This may lead to some
latency of voice traffic during initial call setup. This will be removed with the Routing Scalability Project in DMVPN Phase 3. Details are outlined in
section 1.3.2.
1. If the GRE tunnel addresses for the spokes are static and known, they can be used to classify traffic per spoke for traffic shaping, and then the IP
TOS field can be used to classify traffic within this shaping for policing. The QoS classification is statically defined and applied on the physical
interface.
2. If the data networks behind the spoke are known, then that can be used to classify unicast traffic that is destined for that spoke. This
classification can be used in shaping on the outbound physical interface, and a “child” policy can be used to police traffic within this shaping.
The policy will not be able to classify any multicast traffic per spoke because all multicast traffic would have the same source and destination
IP address no matter which spoke it was destined for.
When configuring QoS with IPsec and with DMVPN, it is important to use the QoS preclassify command on the tunnel interface to enable
QoS to apply the appropriate QoS service before the data is encrypted.
Another QoS mechanism with IPsec is LLQ-before-crypto. This feature aids only when and if the crypto engine on the router is congested.
Check the following link for an example on QoS with DMVPN:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801e6206.shtml.
Also, using the call admission control for IKE feature is important to limit the number of simultaneous IKE security associations that a router can
establish. This is especially important on the spoke router and to prevent overloading the DMVPN connection. See
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a0080229125.html.
For details on configuring Cisco QoS, check the Cisco IOS Software Quality of Service Solutions Configuration Guide:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_vcg.htm#wp998201.
Please contact dmvpn-core@cisco.com for exact delivery dates of DMVPN QoS Phase 0 and DMVPN QoS Phase 1.
DMVPN spokes may be behind dynamic NAT, and/or the DMVPN hub may be behind static-NAT. For DMVPN spokes behind dynamic NAT,
Cisco IOS Software Release 12.3(6) or 12.3(7)T is needed. If the DMVPN hub is behind NAT, then all DMVPN routers must run at least Cisco IOS
Software Release 12.3(9a) or 12.3(11)T.
DMVPN spoke routers behind the same NAT box must use NAT to communicate with unique outside (post-NAT) IP addresses. Two spokes with the
same IP address that they present to the DMVPN hub cannot be supported. NAT-T can handle this scenario (PAT), NHRP cannot.
With DMVPN spoke or hub routers behind NAT, IPsec transport mode must be used. IPsec transport mode is the recommended mode for all
DMVPN networks.
Dynamic direct spoke-to-spoke tunnels to/from DMVPN spokes that are behind NAT are not supported. Spoke-to-spoke tunnel may not come up in
all of the NAT-T scenarios:
• The spoke must do Cisco Express Forwarding switching; it will send an NHRP resolution request for the remote spoke tunnel IP address, not for
the network behind the remote spoke.
• IPsec transport mode must be used; otherwise, the hub cannot detect spokes that are behind NAT.
For Cisco IOS Software Release 12.3(13), 12.3(14)T, or 12.3(11)T3 , if the hub is behind NAT, dynamic direct spoke-to-spoke tunnels between
spokes that are not behind NAT are supported.
IPsec tunnels generated using DMVPN between hub and spoke are not supported with the hub behind NAT/PAT when using the Cisco
Catalyst 6500 Series or Cisco 7600 Series with VPNSM. If this is a design requirement, using the Cisco 7200 Series Router or other Cisco IOS
Software Router at the hub is recommended.
• NHRP Holdtime—The hub and spoke must agree on an NHRP holdtime (the recommendation is 10 minutes, or roughly three times the NHRP
registration request interval).
• A single DMVPN network with each spoke using a single multipoint GRE tunnel interface and pointing to two different hubs as its Next Hop
Server (NHS). The hub routers will only have a single multipoint GRE tunnel interface.
• Dual DMVPN networks with each spoke having two GRE tunnel interfaces (either point to point or multipoint) and each GRE tunnel connected
to a different hub router. Again, the hub routers will only have a single multipoint GRE tunnel interface.
Details of DMVPN topologies and configurations can be accessed in the DMVPN white paper in the Technical Documents section at
http://www.cisco.com/go/dmvpn and the DMVPN design guide (SRND) at http://www.cisco.com/warp/public/779/largeent/it/ese/DMVPN_bk.pdf.
First Approach
This approach uses the following Cisco IOS Software features:
With the Reliable Static Routing Backup Using Object Tracking feature, the spoke router uses Internet Control Message Protocol (ICMP) pings to
identify when the hub has become unavailable. A floating static route allows the initiation of the backup connection using the alternative path.
Policy-based routing is employed to direct the ICMP messages from the spoke router to the hub router using the primary interface. Check the
following document for a sample configuration:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper0900aecd801d5004.shtml
Second Approach
This approach uses the dialer watch feature. With the dialer watch feature, the router keeps track of a specific route learned from the primary hubs.
When this route disappears, because of a failure of the primary path, dialer watch initializes the dial link and brings up a second GRE tunnel. The
second GRE tunnel, when it is established, enables learning of all the routes, except the specific route, indicating that the backup path is active.
When the primary path is recovered from failure, the specific path is learned again, causing the dial backup to tear down.
The second approach support is for dynamic IP addresses at the spoke and for spoke-to-spoke functionality, for tunnel protection configuration
and may be used in many configuration scenarios. Details can be accessed at:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns142/networking_solutions_white_paper0900aecd8024e9cc.shtml
The IPsec profile is associated with a tunnel interface with the tunnel protection IPsec-profile command, also first introduced in
Cisco IOS Software Release 12.2(13)T. The tunnel protection command specifies that IPsec encryption will be performed after the GRE
encapsulation has been added to the tunnel packet. The tunnel protection command can be used with mGRE and point-to-point GRE (p-
pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPsec peer address. With mGRE tunnels, multiple IPsec
peers are possible; the corresponding NHRP mapping NBMA destination addresses will be used as the IPsec peer addresses.
If more than one mGRE tunnel is configured on a router (for instance, on a hub router), it is possible to reference the same tunnel source address on
each tunnel interface. In this case, the keyword shared is used in the tunnel protection command on both interfaces. This does not mean
that the two mGRE tunnels are hosting the same DMVPN “cloud”—each tunnel interface requires a unique tunnel key, NHRP network ID, and IP
subnet.
The tunnel protection command must be configured on both the hub and spoke tunnel interfaces.
(The IPsec profile is like a crypto map without set peer and match address. Internally Cisco IOS Software will treat this as a crypto map and
“guess” the set peer and match address parameters from the tunnel parameters and the NHRP cache.)
Tunnel protection uses crypto sockets on Cisco IOS Software to dynamically create crypto maps internally as and when the need arises.
To build spoke-to-spoke tunnels between spokes located on different hubs, the hubs must have NHRP maps to each other, just as the spokes have
NHRP maps to the hubs.
Groups of spokes are mapped to different hubs as primary and secondary. Because each hub has only one mGRE interface to aggregate the primary
and secondary tunnels from the spokes, the spoke fanout is limited to 175 routers per group (totaling 350 spokes per hub).
Or to guarantee no spoke-to-spoke tunnels, configure the spokes to use p-pGRE tunnels with the tunnel destination pointing at the hub. If
two hubs are used, then there will be two p-pGRE tunnels on the spoke.
• Cisco IP Solution Center Version 3.1—Cisco IP Solution Center (ISC) Security Management enables customers to manage their network
security from a single or multiservice application. The following is a sample for configuring DMVPN using Cisco IP Solution Center:
http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a00801e1990.html#1138244
• Cisco Router and Security Device Manager (SDM)—Cisco SDM provides two modes for configuring DMVPN: wizard mode and configuration
mode. SDM 1.2 and earlier provided support for hub and spoke configuration with SDM. Starting with SDM Version 2.0, the spoke-to-spoke
configuration was added to SDM. For configuring DMVPN using SDM, please refer to Configuring DMVPN Spoke Router in Full Mesh IPSEC
VPN using SDM in the Technical Documents section at http://www.cisco.com/go/dmvpn. The complete SDM Configuration guide can be accessed
at http://www.cisco.com/en/US/products/sw/secursw/ps5318/tsd_products_support_series_home.html.
• CiscoWorks Router Management Center (Router MC) starting with Version 1—Router MC is a Web-based application designed for large-
scale management of VPN and firewall configurations on Cisco routers. Router MC enables the setup and maintenance of VPN connections
between multiple Cisco VPN router devices:
http://www.cisco.com/en/US/products/sw/cscowork/ps3994/products_user_guide_chapter09186a00801f5966.html
Also using SDM, monitor DMVPN tunnels in the monitor mode–> VPN Status –> DMVPN tunnels.
Details of DMVPN topologies and configurations can be accessed in the DMVPN white paper in the Technical Documents section at
http://www.cisco.com/go/dmvpn and the DMVPN design guide (SRND) at http://www.cisco.com/warp/public/779/largeent/it/ese/DMVPN_bk.pdf.
Details of DMVPN topologies and configurations can be accessed in the DMVPN white paper in the Technical Documents section at
http://www.cisco.com/go/dmvpn and the DMVPN design guide (SRND) at http://www.cisco.com/warp/public/779/largeent/it/ese/DMVPN_bk.pdf.
For complete details on ECT, please visit the ECT Website at http://www.cisco.com/go/ect. The following white papers outline the solution and can
be accessed from http://www.cisco.com/go/ect.
• DMVPN Enterprise Class Teleworker Guide—This document describes the deployment of DMVPN and various aspects of the ECT solution in a
consolidated way.
• Layered Security in a VPN Deployment—This document describes the deployment of different aspects of layers of security in the ECT network.
• Deployment of Secure Sockets Layer VPNs—Gives topology/configuration guidance and tried and tested scenarios of DMVPNs with Secure
Sockets Layer (SSL) VPNs.
• Cisco IOS Software IPsec High Availability (HA)—Gives topology/configuration guidance and tried and tested scenarios of IPsec HA. IPsec HA
has been used in management gateways to provide transparent connectivity to management networks.
• Secure Voice and Wireless in a VPN Deployment—This document describes the deployment of voice and wireless applications in an ECT
network.
• Integrated Easy VPN and Dynamic Multipoint VPN—This document describes the deployment of an Easy VPN client on the same hub as
DMVPN hubs used in an ECT solution.
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on
the Cisco Website at www.cisco.com/go/offices.
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Cyprus
Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel
Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal
Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan
Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright 2005 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.;
Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP,
CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ
Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-
Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are
registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
© the
All other trademarks mentioned in this document or Website are 2005 Cisco
property of Systems, Inc.owners.
their respective All rights reserved.
The use of the word partner does not imply a partnership relationship between
Cisco and any other company. (0502R) notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Important 205297.G_ETMG_SH_6.05
Page 30 of 31
Printed in the USA
© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 31 of 31