I’ve already written a post that lets you calculate a route summarisation. So now you have a method of advertising your routes more efficiently, what do you do with it? Well I’m at the EIGRP point in my studies so here’s how to implement it with EIGRP.
To demonstrate I’ve built the above network on GNS3, there is a loopback interface on the routers for each of those networks.
Solution
I’ve already setup EIGRP, and importantly disabled auto-summarisation* If we take a look at the routing table on the North router we can see the routes being learned from the South router;
*Note: If this exercise is about summarisation, why have I disable auto-summarisation? Well if I didn’t the routers would see all the remote subnets as 10.0.0.0/8 and nothing would work!
And you will see the ‘opposite’ in the routing table on the South router;
And just to prove it’s not all smoke and mirrors, here’s the current EIGRP config on both routers;
Now you actually apply the route summarisation on the network interface that the routes are getting advertised through (even through the IP of that network may not be in the networks you are summarising). This may seem a little odd that it’s not done in the ‘router eigrp {system number}’ part of the config. My routers both connect to each other with their GigiabitEthernet1/0 interface.
Firstly, perform your route summarisation, and you should come up with 10.0.0.0/14 for the North router and 10.4.0.0/14 on th South router.
Apply the route summarisation on the GE1/0 interface;
[box]
interface GigabitEthernet1/0
ip summary-address eigrp 90 10.0.0.0 255.252.0.0
[/box]
If you are wondering /14 is 255.252.0.0, I struggle to remember converting short and long notation subnets, that’s why I’ve got an IP subnet aide memoir.
Now configure the South router;
[box]
interface GigabitEthernet1/0
ip summary-address eigrp 90 10.4.0.0 255.252.0.0
[/box]
Now if you look on the routing tables of both routers, you will see the routes have been summarised.
Why is the summarised route listed twice? And why does one route point to Null0?
Well to get your head round this, you need to understand that ‘a more specific route always wins‘, e.g. traffic coming from the 10.1.0.0 subnet behind router North that is arriving at router South will have a subnet of /16 (or /32), which is more specific than the /14 summarised route. OK, but Null0 drops the traffic? So lets say all the remote networks in the North Site ‘Go Down’. The South, route now only has the 10.0.0.0/14 route left, so it would drop the traffic, which is good as those subnets are all down.
Related Articles, References, Credits, or External Links
I’ve followed your Reverse Route Injection article and its not working? This email dropped in my mailbox a while back As it turns out the article I had written was for OSPF, and this chap was using EIGRP. So I ran it up with EIGRP as well to test.
Heres my topology, I want to inject the route for the remote site, into my internal EIGRP routing table.
Solution
Assuming EIGRP is already setup between the ASA and the LAN (i.e. Core Switch).
[box]
ASA
Petes-ASA# show run router
!
router eigrp 20
no auto-summary
network 10.1.0.0 255.255.0.0
passive-interface default
no passive-interface inside
redistribute static
!
Switch
Core-SW#show run | sec router
router eigrp 20
network 10.1.0.0 0.0.255.255
network 10.2.0.0 0.0.255.255
network 10.3.0.0 0.0.255.255
no auto-summary
[/box]
Also assuming you already have a site to site VPN established and working.
[box]
Petes-ASA# show cry isakmp
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.249.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Petes-ASA# show cry ipsec sa
interface: outside
Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 192.168.253.254
access-list VPN-INTERESTING-TRAFIC extended permit ip 10.1.0.0 255.255.0.0 10.250.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
current_peer: 192.168.249.254
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
[/box]
Show the Cryptomap, then add the RRI.
[box]
Petes-ASA# show run crypto
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 192.168.249.254
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
Petes-ASA# configure terminal
Petes-ASA(config)# crypto map CRYPTO-MAP 1 set reverse-route
Petes-ASA(config)#
[/box]
Create a ‘Prefix-List’ for the routes to inject (i.e the remote LAN at the other end of the VPN tunnel).
Core-SW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.1.1.1 to network 0.0.0.0
10.0.0.0/16 is subnetted, 4 subnets
C 10.2.0.0 is directly connected, GigabitEthernet2/0
C 10.3.0.0 is directly connected, GigabitEthernet3/0
C 10.1.0.0 is directly connected, GigabitEthernet1/0
D EX 10.250.0.0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0
D*EX 0.0.0.0/0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0
[/box]
Related Articles, References, Credits, or External Links
For the first time in about ten years I had to deal with EIGRP last week, so I thought I would run it up in a lab. Normally I would use GNS3 but for this procedure I’ll use Cisco Packet Tracer.</p<
In fact I’ll include the files so you can download and use the lab yourself, (if you have a copy of Packet Tracer). And I’ll also include the configs for all the routers.
In the lab I’ve got three sites connected via serial connections, and one of those sites has the Internet connection.
As you can see I’ve used VLSM to split up the 192.168.0.0/24 subnet to create the six networks I need, (three on the sites, and three for the links).
Solution
1. I will start at the beginning with Router R1 in site 1. As you can see I’m going to give the FastEthernet 0/0 interface to the inside network (192.168.0.1/28). I will use Serial 3/0 to connect to Site 2 (192.168.64.2/30), and Serial 2/0 to connect to Site 1 (192.168.68.1/30). I will mirror these three settings around the network (going clockwise) and I will configure all the Serial 2/0 interfaces to set the clock speed for the serial links.
number of 1, then I am adding all the networks that I want this router to advertise (don’t forget to add the subnet that connects each router to its neighbour). When enabled EIGRP will send routing updates onto each of these networks. As you can see from the diagram, this would mean that the router would send routing information onto the LAN. While this wont cause any problems, it does generate traffic that does not need to be on the LAN, so I’ve disabled that by using a passive-interface* command.
*Note: If you have a lot of interfaces you want to be passive, you can ‘swap the logic’ by using passive-interface default and then setting all the interfaces you want to advertise networks out of, as no passive-interface.
I’ve also disabled auto-summary of networks, I’ve seen other pages and blogs that incorrectly say this makes the EIGRP routing protocol classless. EIGRP is classless out of the box! At a basic level network-summary is the process of advertising one route for many networks. This works best for contiguous networks (i.e. 192.168.1.x, 192.168.2.x, etc). But if you let EIGRP auto-summarise for you, then this happens,
Above you can see it has added three more routes to networks that (at the moment) don’t exist, which is fine, but then you can NOT use those subnets in the future. If you did and this router saw that traffic it would send it to Null0 (i.e. drop the traffic). With auto-summary disabled, the routers routing table is a lot cleaner (see below).
The last thing you will notice is that the subnet masks are a little strange, you need to use wildcard masks, these are easy to work out, just subtract each octet of the subnet mask from 255 like so;
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router eigrp 1
R1(config-router)#passive-interface FastEthernet0/0
R1(config-router)#network 192.168.0.0 0.0.0.15
R1(config-router)#network 192.168.64.0 0.0.0.3
R1(config-router)#network 192.168.68.0 0.0.0.3
R1(config-router)#no auto-summary
R1(config-router)#end
R1#
[/box]
5. Repeat the process for routers R2 an R3.
[box]
Router 2
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 1
R2(config-router)#passive-interface FastEthernet0/0
R2(config-router)#network 192.168.16.0 0.0.0.15
R2(config-router)#network 192.168.64.0 0.0.0.3
R2(config-router)#network 192.168.72.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#end
R2#
Router 3
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router eigrp 1
R3(config-router)#passive-interface FastEthernet0/0
R3(config-router)#network 192.168.32.0 0.0.0.15
R3(config-router)#network 192.168.72.0 0.0.0.3
R3(config-router)#network 192.168.68.0 0.0.0.3
R3(config-router)#no auto-summary
R3(config-router)#end
R3#
[/box]
6. EIGRP Adding a Route to the Internet
To add in the networks ‘route out’, I need to bring up and configure another interface on router R3 (FastEthernet4/0). Then I will configure that as the default route (GOLR) for that router, and add that new network into the advertised routes.
To get all the other routers to use the static route I’ve just configured on this router, I use the redistribute static command (while in config-router mode).
[box]
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface FastEthernet4/0
R3(config-if)#ip address 123.123.123.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#ip route 0.0.0.0 0.0.0.0 123.123.123.2
R3(config)#router eigrp 1
R3(config-router)#network 123.123.123.120 0.0.0.3
R3(config-router)#redistribute static
R3(config-router)#end
R3#
[/box]
7. Then I will add the ISP (Internet Router). I will also add this to the EIGRPAS group (though I could just use static routing.)
Note: In the lab I don’t have a link to the Internet so I’ll simply use the Loopback interface on the Internet router and give that the 4.2.2.2 IP address.
As a final ‘belt and braces’ approach, I will add a summary route back to the LAN. If you are unsure how to calculate a summary route, simply write your subnets out in binary, and the mask will be the the length from the first to the last bit, that all the subnets have in common, like so;
Summarisation for these networks will be 192.168.0.0/17 (255.255.128.0)
A while back I uploaded a run through on how to deploy GRE tunnels and protect those tunnels with IPsec. That point-to-point GRE tunnel is a good solution, but if you have a lot of sites it’s not a solution that scales very well. Yes you can have 2147483647 tunnel interfaces, but good luck manually configuring all those tunnels and even if you did, if you want each of your remote sites to talk to each other you have all those tunnels to configure as well.
To address that we have DMVPN, rather than a point-to-point GRE tunnel it uses multipoint GRE that can have more than two endpoints. In fact it acts like a ‘network overlay’ that joins all the sites together. It is typically deployed in a hub-and-spoke configuration where one router (the hub) sits at the center and each remote site (spoke) joins the multipoint GRE, tunnels back to the hub. The magic part is, if one spoke needs to speak to another spoke, this is done by building a dynamic tunnel between them ‘on the fly’.
Below is the the network topology I’m going to use;
I have a main site that will be the ‘Hub Site’ and at that site MainSiteRTR will be the NHS router. The remaining three hub sites will act as ‘spokes’, so my ‘network overlay’ will be 192.168.1.0/24.
Solution
Configure DMVPN Hub (NHS) Router
Before I start, all the sites are pre-configured as per figure1 above, all the routers can see each other via EIGRP.
1. To begin the setup looks very much like a standard GRE tunnel, but we define a source but no destination (we don’t need to, because we specify tunnel mode gre multipoint). There are two commands for the NHRP setup, ‘ip nhrp map multicast dynamic‘ lets EIGRP information propagate to the ‘spokes’. And ‘ip nhrp network-id 1’ creates a group ID for the DMVPN group. All the spokes will need to share this ID to form tunnels with this NHS Router.<.p>
[box]
MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#interface Tunnel0
MainSiteRTR(config-if)# ip address 192.168.0.1 255.255.255.0
MainSiteRTR(config-if)# ip nhrp map multicast dynamic
MainSiteRTR(config-if)# ip nhrp network-id 1
MainSiteRTR(config-if)# tunnel source 1.1.1.1
MainSiteRTR(config-if)# tunnel mode gre multipoint
*Mar 1 00:02:31.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
MainSiteRTR(config-if)#exit
*Mar 1 00:02:41.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
MainSiteRTR(config)#
[/box]
Configure the Branch ‘Spoke’ Routers
2. There are a few differences here, first ‘ip nhrp map 192.168.0.1 1.1.1.1’ tells the branch router to map the 192.168.0.2 private IPpermanently to the 1.1.1.1 public address. ‘ip nhrp map multicast 1.1.1.1’ tells the router to relay ALL its multicast traffic back to the hub router. ‘ip nhrp nhs 192.168.0.1’ tells the spoke router where the hub router is.
[box]
Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#interface Tunnel0
Branch1(config-if)# ip address 192.168.0.2 255.255.255.0
Branch1(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch1(config-if)# ip nhrp map multicast 1.1.1.1
Branch1(config-if)# ip nhrp network-id 1
Branch1(config-if)# ip nhrp nhs 192.168.0.1
Branch1(config-if)# tunnel source 2.2.2.1
Branch1(config-if)# tunnel mode gre multipoint
*Mar 1 00:07:28.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch1(config-if)#exit
*Mar 1 00:07:38.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch1(config)#
[/box]
3. Then configure each branch router the same, (apart from the tunnel source and the endpoint IP).
[box]
Branch 2 Router Config
Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#interface Tunnel0
Branch2(config-if)# ip address 192.168.0.3 255.255.255.0
Branch2(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch2(config-if)# ip nhrp map multicast 1.1.1.1
Branch2(config-if)# ip nhrp network-id 1
Branch2(config-if)# ip nhrp nhs 192.168.0.1
Branch2(config-if)# tunnel source 3.3.3.1
Branch2(config-if)# tunnel mode gre multipoint
Branch2(config-if)# exit
*Mar 1 00:09:32.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch2(config)#
Branch 3 Router Config
Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#interface Tunnel0
Branch3(config-if)# ip address 192.168.0.4 255.255.255.0
Branch3(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch3(config-if)# ip nhrp map multicast 1.1.1.1
Branch3(config-if)# ip nhrp network-id 1
Branch3(config-if)# ip nhrp nhs 192.168.0.1
Branch3(config-if)# tunnel source 4.4.4.1
Branch3(config-if)# tunnel mode gre multipoint
Branch3(config-if)# exit
*Mar 1 00:11:05.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch3(config)#
*Mar 1 00:11:15.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch3(config)#
[/box]
Verifying and Testing the DMVPN Setup
4. On the main site;
[box]
MainSiteRTR#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Hub, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 2.2.2.1 192.168.0.2 UP never D
1 3.3.3.1 192.168.0.3 UP never D
1 4.4.4.1 192.168.0.4 UP never D
[/box]
5. On a branch site (Note: There is only one tunnel to the Main Site);
[box]
Branch1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 1.1.1.1 192.168.0.1 UP 00:08:24 S
[/box]
6. But if from the same branch site you ping another branch site, it will dynamically build a tunnel to that site also. (Note: The S denotes static, and the D denotes dynamic).
[box]
Branch1#ping 192.168.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/60/108 ms
Branch1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 1.1.1.1 192.168.0.1 UP 00:08:52 S
1 4.4.4.1 192.168.0.4 UP never D
[/box]
Protect and Encrypt the Tunnel(s) with IPSEC
7. BE AWARE the traffic traveling over these tunnels is still being sent in cleartext, it’s simply been ‘encapsulated’ with GRE. To rectify that we can protect the tunnels with IPSEC.
[box]
MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#crypto isakmp policy 10
MainSiteRTR(config-isakmp)# authentication pre-share
MainSiteRTR(config-isakmp)# encryption aes
MainSiteRTR(config-isakmp)# group 2
MainSiteRTR(config-isakmp)# hash sha
MainSiteRTR(config-isakmp)# crypto isakmp key Sh@reds3cret address 2.2.2.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 3.3.3.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 4.4.4.1
MainSiteRTR(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
MainSiteRTR(cfg-crypto-trans)# crypto ipsec profile PF-PNL
MainSiteRTR(ipsec-profile)# set transform-set TFS-PNL
MainSiteRTR(ipsec-profile)# interface Tunnel0
MainSiteRTR(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:25:34.055: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
MainSiteRTR(config-if)# exit
MainSiteRTR(config)#
[/box]
8. Then simply repeat on the branch routers, the only difference is the peer addresses.
[box]
Branch 1 Router Config
Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)# authentication pre-share
Branch1(config-isakmp)# encryption aes
Branch1(config-isakmp)# group 2
Branch1(config-isakmp)# hash sha
Branch1(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch1(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch1(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch1(ipsec-profile)# set transform-set TFS-PNL
Branch1(ipsec-profile)#interface Tunnel0
Branch1(config-if)# tunnel protection ipsec profile PF-PNL
Branch1(config-if)#exit
Branch1(config)#
*Mar 1 00:36:47.179: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch1(config)#
Branch 2 Router Config
Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#crypto isakmp policy 10
Branch2(config-isakmp)# authentication pre-share
Branch2(config-isakmp)# encryption aes
Branch2(config-isakmp)# group 2
Branch2(config-isakmp)# hash sha
Branch2(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch2(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch2(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch2(ipsec-profile)# set transform-set TFS-PNL
Branch2(ipsec-profile)#interface Tunnel0
Branch2(config-if)# tunnel protection ipsec profile PF-PNL
Branch2(config-if)#exit
Branch2(config)#
*Mar 1 00:37:57.239: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch2(config)#
Branch 3 Router Config
Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#crypto isakmp policy 10
Branch3(config-isakmp)# authentication pre-share
Branch3(config-isakmp)# encryption aes
Branch3(config-isakmp)# group 2
Branch3(config-isakmp)# hash sha
Branch3(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch3(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch3(ipsec-profile)# set transform-set TFS-PNL
Branch3(ipsec-profile)#interface Tunnel0
Branch3(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:39:10.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch3(config-if)#exit
[/box]
9. To test re-establish the tunnels, and this time you can see they are protected;
[box]
MainSiteRTR#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 3.3.3.1 QM_IDLE 1002 0 ACTIVE
1.1.1.1 4.4.4.1 QM_IDLE 1003 0 ACTIVE
1.1.1.1 2.2.2.1 QM_IDLE 1001 0 ACTIVE
Just recently I covered DMVPN, which is a great scalable system for adding new sites to your network infrastructure and have them join an existing VPN solution without the need to add extra config at the ‘hub’ site.
One of the advantages of DMVPN is it maintains VPN connections from your ‘Spoke’ sites back to the ‘Hub’ site, but if a spoke site needs to speak to another spoke site, it will dynamically build a VPN tunnel to that spoke site.
That’s great right? Well it’s pretty cool, but there is a downside. There is a slight ‘lag’ while that dynamic VPN is established, for normal network traffic you probably wont even notice, but if you are sending streaming media, or voice traffic then it becomes more of a problem.
So if we had a system where all the routers have all the same settings, the hub router wouldn’t need to ‘broker’ the initial connection and the routers get all their VPN settings from a central ‘Server’. Well that’s what GDOI gives us, we set up a router as a central ‘Key Server’ and all the other GDOI ‘Group Members’ register with the key server, and get all their settings.
So I’ll use the same network that I built the DMVPN on, I’ve added another router that will be the ‘Key Server’, other than that the topology is the same.
Note: The GDOI Key Server, cannot run on the DMVPN hub router.
Solution
GDOI Key Server Setup
1. Firstly setup the requirements for ISAKMP phase 1. Note: here I’m using pre-shared keys, this does not scale well if you have a lot of sites, you might want to look at a PKI solution and use certificates instead.
[box]
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
EXAMPLE
KS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
KS(config)#crypto isakmp policy 10
KS(config-isakmp)#encr aes
KS(config-isakmp)#authentication pre-share
KS(config-isakmp)#group 2
KS(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
KS(config)#
[/box]
2. Then setup IPSEC phase 2 requirements. With a transform-set and a profile.
3. The Key server will use its certificate for authentication, if you DO have a PKI solution and this router has already enrolled to it then you can skip this step. If not you need to generate a LOCAL certificate on the key server. (Note: This requires the device to have a hostname and domain name set).
[box]
ip domain-name testbench.local
crypto key generate rsa modulus 2048
EXAMPLE
KS(config)#ip domain-name testbench.local
KS(config)#crypto key generate rsa modulus 2048
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
*Mar 1 00:17:13.591: %SSH-5-ENABLED: SSH 1.99 has been enabled
KS(config)#
[/box]
4. To setup the key server, create a group (GDOI-VPN) and give it an identity number,all members of the group will share this number. It used the profile we created above, and will apply encryption based on ACL 123 (we will create in a minute). Finally it sets the IP that it will be used as the key servers (this is the IP in use on FastEthernet 0/0).
[box]
crypto gdoi group GDOI-DMVPN
identity number 999
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa rsa
rekey transport unicast
sa ipsec 10
profile PF-GDOI
match address ipv4 123
replay counter window-size 64
address ipv4 5.5.5.2
EXAMPLE
KS(config)#crypto gdoi group GDOI-DMVPN
KS(config-gdoi-group)#identity number 999
KS(config-gdoi-group)#server local
KS(gdoi-local-server)# rekey retransmit 10 number 2
KS(gdoi-local-server)# rekey authentication mypubkey rsa rsa
KS(gdoi-local-server)# rekey transport unicast
KS(gdoi-local-server)# sa ipsec 10
KS(gdoi-sa-ipsec)# profile PF-GDOI
KS(gdoi-sa-ipsec)# match address ipv4 123
KS(gdoi-sa-ipsec)# replay counter window-size 64
KS(gdoi-sa-ipsec)# address ipv4 5.5.5.2
KS(gdoi-local-server)#
[/box]
5. Create the ACL we specified above, this ACL will get downloaded to all the group members. As will the VPN profile, they will then apply that profile to traffic defined in the ACL. It’s an ‘interesting traffic ACL, (if you are used to working with VPN’s).
[box]
access-list 123 permit gre any any
EXAMPLE
KS(config)#access-list 123 permit gre any any
KS(config)#
[/box]
Setup GDOI Group Members
Note: These settings are the same for the DMVPN hub router and all the spoke routers.
6. As above we specify a matching phase 1 policy.
[box]
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
EXAMPLE
Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)#encr aes
Branch1(config-isakmp)#authentication pre-share
Branch1(config-isakmp)#group 2
Branch1(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
Branch1(config)#
crypto gdoi group GDOI-DMVPN
identity number 999
server address ipv4 5.5.5.2
EXAMPLE
Branch1(config)#crypto gdoi group GDOI-DMVPN
Branch1(config-gdoi-group)#identity number 999
Branch1(config-gdoi-group)#server address ipv4 5.5.5.2
Branch1(config-gdoi-group)#exit
[/box]
8. Then use that group to create a ‘crypto map’, and apply that map to the public interface that ‘faces outwards’. Note: Normally when applying encryption to DMVPN you would apply your crypto to the tunnel interface, with GDOI you do NOT.
[box]
crypto map CM-GDOI 10 gdoi
set group GDOI-DMVPN
interface FastEthernet0/0
crypto map CM-GDOI
EXAMPLE
Branch1(config)#crypto map CM-GDOI 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
Branch1(config-crypto-map)#set group GDOI-DMVPN
Branch1(config-crypto-map)#interface FastEthernet0/0
Branch1(config-if)#crypto map CM-GDOI
*Mar 1 05:11:31.546: %CRYPTO-5-GM_REGSTER: Start registration to KS 5.5.5.2 for group GDOI-DMVPN using address 2.2.2.1
*Mar 1 05:11:31.582: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
[/box]
9. Now I could add a route to my DMVPN network, with a static statement (i.e. ip route 192.168.0.0 0.0.255.255 Tunnel0), but I’m using EIGRP anyway, so I can just advertise the DMVPN network into my EIGRP group.
Branch1#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: port 848
IKE SA: local 2.2.2.1/848 remote 5.5.5.2/848 Active
IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Branch1#
Branch1#show crypto gdoi
GROUP INFORMATION
Group Name : GDOI-DMVPN
Group Identity : 999
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 5.5.5.2
Group Server list : 5.5.5.2
GM Reregisters in : 2042 secs
Rekey Received : never
Rekeys received
Cumulative : 0
After registration : 0
ACL Downloaded From KS 5.5.5.2:
access-list permit gre any any
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0:
IPsec SA:
spi: 0x93842CD3(2474912979)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (2197)
Anti-Replay : Disabled
[/box]
Complete GDOI with DMVPN Configs
Below I’ll show the configs, with the GDOI config highlighted in Red and the DMVPN config highlighted in blue.
[box]
GDOI Key Server Config
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac
!
crypto ipsec profile PF-GDOI
set transform-set TS-GDOI
!
crypto gdoi group GDOI-DMVPN
identity number 999
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa rsa
rekey transport unicast
sa ipsec 10
profile PF-GDOI
match address ipv4 123
replay counter window-size 64
address ipv4 5.5.5.2
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
ip address 5.5.5.2 255.255.255.252
speed auto
half-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 20
network 5.5.5.0 0.0.0.3
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 123 permit gre any any
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end
[/box]
DMVPN Hub Server Config
[box]
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MainSiteRTR
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef ! no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
!
crypto gdoi group GDOI-DMVPN
identity number 999
server address ipv4 5.5.5.2
!
crypto map CM-GDOI 10 gdoi
set group GDOI-DMVPN
!
ip tcp synwait-time 5
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1 tunnel source 1.1.1.1
tunnel mode gre multipoint
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
crypto map CM-GDOI
!
interface FastEthernet1/0
ip address 5.5.5.1 255.255.255.252
duplex auto
speed auto
!
router eigrp 20
network 1.1.1.0 0.0.0.3
network 5.5.5.0 0.0.0.3
network 172.16.1.0 0.0.0.255
network 192.168.0.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end
Branch (Spoke) Routers
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive log
config hidekeys
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
!
crypto gdoi group GDOI-DMVPN
identity number 999
server address ipv4 5.5.5.2
!
crypto map CM-GDOI 10 gdoi
set group GDOI-DMVPN
!
ip tcp synwait-time 5
!
interface Tunnel0 ip address 192.168.0.2 255.255.255.0
no ip redirects
ip nhrp map 192.168.0.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1 tunnel source 2.2.2.1
tunnel mode gre multipoint
!
interface FastEthernet0/0
ip address 2.2.2.1 255.255.255.252
duplex auto
speed auto
crypto map CM-GDOI
!
interface FastEthernet0/1
ip address 172.17.1.1 255.255.0.0
duplex auto
speed auto
!
router eigrp 20
network 2.2.2.0 0.0.0.3
network 172.17.0.0
network 192.168.0.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end
[/box]
Related Articles, References, Credits, or External Links
I had to set this up for a client this week, I’ve setup a DMZ on a 5505 before and I’ve setup other VLANs to do other jobs, e.g. visitor Internet access. But this client needed a secondary VLAN setting up for IP Phones. In addition I needed to route traffic between both the internal VLANs.
I did an internet search and tried to find some configs I could reverse engineer, the few I found were old (Pre version 8.3) ones and the little info I got were more people in forums asking why theirs did not work. So I built a firewall with 8.2 code, then worked out how to do it, then upgraded the firewall to version 9.1. Finally I picked out the relevant parts of the upgraded config.
Here’s the scenario I’m going to use for this example.
Solution
Before we start, yes I know the ASA is a firewall not a router! A better solution would be to have either a router behind the firewall or, (as is more common) a switch that is layer 3 capable, i.e it can route.
The commands you use will be different if your firewall is running an operating system earlier than 8.3, check your ASA version and proceed to the correct set of commands.
For Firewalls running an Operating System OLDER than 8.3 go here
How to Setup VLAN Routing on an ASA 5505 (Version 8.3 and Newer)
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
2. As in the diagram (above) I have three VLANs, VLAN 0 is outside and will be connected to Ethernet 0/0. VLAN 1 is inside and will be connected to Ethernet 0/1. VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I setup the IP addresses, and add the VLANs to the physical interfaces.
Note: I don’t need to Add VLAN 1 to Ethernet 0/1, because all ports are in VLAN 1 by default.
4. Turn on ‘Hair Pinning’ (the ability to route traffic back out of the same interface it came in through) and allow traffic to pass between interfaces.
5. Out of the box, if you have not configured any access-lists then you can skip this step, as traffic will flow from a more secure interface (the inside and the phone one) to a less secure interface (the outside one). Here I’m going to use an ACL and allow all traffic anyway.
[box]
Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112
[/box]
6. Now setup ‘dynamic’ NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network get NATTED to the public IP address.
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
2. 2. As in the diagram (above) I have three VLANs, VLAN 0 is outside and will be connected to Ethernet 0/0. VLAN 1 is inside and will be connected to Ethernet 0/1. VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I setup the IP addresses, and add the VLANs to the physical interfaces.
Note: I don’t need to Add VLAN 1 to Ethernet 0/1 because all ports are in VLAN 1 by default.
4. Turn on ‘Hair Pinning’ (the ability to route traffic back out of the same interface it came in through). and allow traffic to pass between interfaces.
5. Out of the box, if you have not configured any access-lists then you can skip this step, as traffic will flow from a more secure interface (the inside and the phone one) to a less secure interface (the outside one). Here I’m going to use an ACL and allow all traffic anyway.
[box]
Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112
[/box]
6. Enable NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network get NATTED to the public IP address.
Reverse Route injection is the process that can be used on a Cisco ASA to take a route for an established VPN, and populate/inject that route into the routing table of other devices in it’s routing group.
In the example below, on the main site, we have a Layer 3 switch that’s routing all the 192.168.x.x networks, and we have an established site to site VPN to a remote site. To access the web server at 172.16.1.10 the 192.168.x.x networks need a route to it.
I’m going to use OSPF, (the ASA also supports EIGRP and RIP.)
Solution
1. We already have a site to site VPN, let’s find out what cryptomap it is using.
[box]
Main-GW# show run crypto map
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 123.123.123.60
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
Main-GW#
[/box]
2. So in this example it’s called CRYPTO-MAP 1, let’s enable reverse route injection for that crypto map.
[box]
Main-GW# configure terminal
Main-GW(config)# crypto map CRYPTO-MAP 1 set reverse-route
[/box]
3. Now create a ‘prefix-list‘ that contains our remote VPN subnet. (Note: if you had a lot of remote subnets you could add them separately or simply summarise them if they were contiguous networks).
6. And while still in config-router mode, set it to redistribute our VPN network(s). And finally remember the ASA wont send out any networks, without a default-information originate command.
Main-GW# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Main-GW#
[/box]
8. To make sure it has worked, on the core switch CORE-SW-01, look at the routing table.
[box]
Core-SW-01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 123.123.123.123 to network 0.0.0.0
O E1 172.16.0.0/16 [110/12011] via 192.168.1.1, 00:00:04, GigabitEthernet0/0
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
C 192.168.50.0/24 is directly connected, GigabitEthernet0/2
C 192.168.100.0/24 is directly connected, GigabitEthernet0/3
O*E2 0.0.0.0/0 [110/1] via 192.168.1.1, 00:00:03, GigabitEthernet0/0
[/box]
Related Articles, References, Credits, or External Links