WAN Design Requirements

DMVPN

DMVPN

Cisco DMVPN is based on a virtual private network (VPN), which provides private connectivity over a public network like the Internet. Furthermore, the DMVPN network takes this VPN concept further by allowing multiple VPNs to be deployed over a shared infrastructure in a manageable and scalable way.

This shared infrastructure, or “DMVPN network,” enables each VPN to connect to the other VPNs without needing expensive dedicated connections or complex configurations.

DMVPN Explained: DMVPN creates a virtual network built on the existing infrastructure. This virtual network consists of “tunnels” between various endpoints, such as corporate networks, branch offices, or remote users. This virtual network allows for secure communication between these endpoints, regardless of their geographic location. As we are operating under an underlay, DMVPN is an overlay solution.

Hub Router:The hub router serves as the central point of connectivity in a DMVPN deployment. It acts as a central hub for all the spoke routers, enabling secure communication between them. The hub router is responsible for managing the dynamic IPsec tunnels and facilitating efficient routing.

Spoke Routers: Spoke routers are the remote endpoints in a DMVPN network. They establish IPsec tunnels with the hub router to securely transmit data. Spoke routers are typically located in branch offices or connected to remote workers' devices. They dynamically establish tunnels based on network requirements, ensuring optimal routing.

Next-Hop Resolution Protocol (NHRP):NHRP is a critical component of DMVPN that aids in dynamic IPsec tunnel establishment. It assists spoke routers in resolving the next-hop addresses for establishing tunnels with other spoke routers or the hub router. NHRP maintains a mapping database that allows efficient routing and simplifies network configuration.

Scalability:DMVPN offers excellent scalability, making it suitable for organizations with expanding networks. As new branch offices or remote workers join the network, DMVPN dynamically establishes tunnels without the need for manual configuration. This scalability eliminates the complexities associated with traditional point-to-point VPN solutions.

Cost Efficiency:By utilizing DMVPN, organizations can leverage affordable public network infrastructures instead of costly dedicated connections. DMVPN makes efficient use of bandwidth, reducing operational costs while providing secure and reliable connectivity.

Flexibility:DMVPN provides flexibility in terms of network design and management. It supports different routing protocols, allowing seamless integration with existing network infrastructure. Additionally, DMVPN supports various transport technologies, including MPLS, broadband, and cellular, enabling organizations to choose the most suitable option for their needs.

Highlights: DMVPM

VPN-based security solutions

VPN-based security solutions are increasingly popular and have proven effective and secure technology for protecting sensitive data traversing insecure channel mediums, such as the Internet.

Traditional IPsec-based site-to-site, hub-to-spoke VPN deployment models must scale better and be adequate only for small- and medium-sized networks. However, as demand for IPsec-based VPN implementation grows, organizations with large-scale enterprise networks require scalable and dynamic IPsec solutions that interconnect sites across the Internet with reduced latency while optimizing network performance and bandwidth utilization.

Scaling traditional IPsec VPN

Dynamic Multipoint VPN (DMVPN) technology scales IPsec VPN networks by offering a large-scale deployment model that allows the network to expand and realize its full potential. In addition, DMVPN offers scalability that enables zero-touch deployment models.

ipsec tunnel
Diagram: IPsec Tunnel

Encryption is supported through IPsec, making DMVPN a popular choice for connecting different sites using regular Internet connections. It’s a great backup or alternative to private networks like MPLS VPN. A popular option for DMVPN is FlexVPN.

Routing Technique

DMVPN (Dynamic Multipoint VPN) is a routing technique for building a VPN network with multiple sites without configuring all devices statically. It’s a “hub and spoke” network in which the spokes can communicate directly without going through the hub.

Advanced:

DMVPN Phase 2

DMVPN Phase 2 is an enhanced version of the initial DMVPN implementation. It introduces the concept of Next Hop Resolution Protocol (NHRP), which provides dynamic mapping between the participating devices’ physical and virtual IP addresses. This dynamic mapping allows for efficient and scalable communication within the DMVPN network.

Resolutions triggered by the NHRP

Learning the mapping information required through NHRP resolution creates a dynamic spoke-to-spoke tunnel. How does a spoke know how to perform such a task? As an enhancement to DMVPN Phase 1, spoke-to-spoke tunnels were first introduced in Phase 2 of the network. Phase 2 handed responsibility for NHRP resolution requests to each spoke individually, which means that spokes initiated NHRP resolution requests when they determined a packet needed a spoke-to-spoke tunnel.

Cisco Express Forwarding (CEF) would assist the spoke in making this decision based on information contained in its routing table.

Related: For pre-information, you may find the following posts helpful.

  1. VPNOverview
  2. Dynamic Workload Scaling
  3. DMVPN Phases
  4. IPSec Fault Tolerance
  5. Dead Peer Detection
  6. Network Overlays
  7. IDS IPS Azure
  8. SD WAN SASE
  9. Network Traffic Engineering

DMVPM

Cisco DMVPN

♦DMVPN Components Involved

The DMVPN solution consists of a combination of existing technologies so that sites can learn about each other and create dynamic VPNs. Therefore, efficiently designing and implementing a Cisco DMVPN network requires thoroughly understanding these components, their interactions, and how they all come together to create a DMVPN network.

These technologies may seem complex, and this post aims to simplify them. First, we mentioned that DMVPN has different components, which are the building blocks of a DMVPN network. These include Generic Routing Encapsulation (GRE), Next Hop Redundancy Protocol (NHRP), and IPsec.

The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).

Each of these components needs a base configuration for DMVPN to work. Once the base configuration is in place, we have a variety of show and debug commands to troubleshoot a DMVPN network to ensure smooth operations.

There are four pieces to DMVPN:

  • Multipoint GRE (mGRE)
  • NHRP (Next Hop Resolution Protocol)
  • Routing (RIP, EIGRP, OSPF, BGP, etc.)
  • IPsec (not required but recommended)

Cisco DMVPN Components

Main DMVPN Components

Dynamic VPN

  • Multipoint GRE and Point to Point GRE

  • NHRP (Next Hop Resolution Protocol)

  • Routing (RIP, EIGRP, OSPF, BGP, etc.)

  • IPsec (not required but recommended)

1st Lab Guide: Displaying the DMVPN configuration

DMVPN Network

The following screenshot is from a DMVPN network using Cisco modeling labs. We have R1 as the hub, R2 and R3 as the spokes. The command: show DMVPN displays that we have two spokes routers. Notice the “D” attribute. This means the spokes have been learned dynamically, which is the essence of DMVPN.

The spokes are learned with a process called the Next Hop Resolution Protocol. As this is a nonbroadcast multiaccess network, we must use a protocol other than the Address Resolution Protocol (ARP).

Note:

  1. As you can see, with tunnel configuration for one of the spokes, we have a static mapping for the hub with the command IP nhrp NHS 192.168.100.1.  We also have point-to-point GRE tunnels in the spokes with the command: tunnel destination 172.17.11.2.
  2. Therefore, we are running DMVPN Phase 1. DMVPN phase 3 will have mGRE. More on this later.
DMVPN configuration
Diagram: DMVPN Configuration.

Key DMVPN components include:

●   Multipoint GRE (mGRE) tunnel interface: Allows a single GRE interface to support multiple IPsec tunnels, simplifying the size and complexity of the configuration. Standard point-to-point GRE tunnels are used in the earlier versions or phases of DMVPN.

●   Dynamic discovery of IPsec tunnel endpoints and crypto profiles: Eliminates the need to configure static crypto maps defining every pair of IPsec peers, further simplifying the configuration.

●   NHRP: Allows spokes to be deployed with dynamically assigned public IP addresses (i.e., behind an ISP’s router). The hub maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its actual address when it boots; when it needs to build direct tunnels with other spokes, it queries the NHRP database for real addresses of the destination spokes

DMVPN Explained
Diagram: DMVPN explained. Source is TechTarget

DMVPN Explained

Overlay Networking

A Cisco DMVPN network consists of many overlay virtual networks. Such a virtual network is called an overlay network because it depends on an underlying transport called the underlay network. The underlay network forwards traffic flowing through the overlay network. With the use of protocol analyzers, the underlay network is aware of the existence of the overlay. However, left to its defaults, the underlay network does not fully see the overlay network.

We will have routers at the company’s sites that are considered the endpoints of the tunnel that forms the overlay network. So, we could have a WAN edge router or Cisco ASA configured for DMVPN.  Then, for the underlay that is likely out of your control, have an array of service provider equipment such as routers, switches, firewalls, and load balancers that make up the underlay.

The following diagram displays the different overlay solutions. VXLAN is expected in the data center, while GRE is used across the WAN. DMVPN uses GRE.

What is VXLAN
Diagram: Virtual overlay solutions.

2nd Lab Guide: VXLAN overlay

Overlay Networking

While DMVPN does not run VXLAN as the overlay protocol, viewing for background information and reference is helpful. VXLAN is a network overlay technology that provides a scalable and flexible solution for creating virtualized networks.

It enables the creation of logical Layer 2 networks over an existing Layer 3 infrastructure, allowing organizations to extend their networks across data centers and virtualized environments. In the following example, we create a Layer 2 overlay over a Layer 3 core. A significant difference between DMVPN’s use of GRE as the overlay and the use of VXLAN is the VNI.

Note:

  1. One critical component of VXLAN is the Virtual Network Identifier (VNI). In this blog post, we will explore the details of VXLAN VNI and its significance in modern network architectures.
  2. VNI is a 24-bit identifier that uniquely identifies a VXLAN network. It allows multiple VXLAN networks to coexist over the same physical network infrastructure. Each VNI represents a separate Layer 2 network, enabling the isolation and segmentation of traffic between different virtual networks.

Below, you can see the VNI used and the peers that have been created. VXLAN also works in multicast mode.

Overlay networking
Diagram: Overlay Networking with VXLAN

DMVPN Overlay Networking

Creating an overlay network


  • To create an overlay network, one needs a tunneling technique.Multipoint GRE and Point to Point GRE

  • GRE tunnel is the most widely used for external connectivity

  • VXLAN is for internal to the data center.

  • GRE tunnel support IP-based network, works by inserting IP and GRE header on top of the original protocol packet.

DMVPN: Creating an overlay network

The overlay network does not magically appear. To create one, we need a tunneling technique. Many tunneling technologies can be used to form the overlay network. The Generic Routing Encapsulation (GRE) tunnel is the most widely used external connectivity, while VXLAN is used for internal connectivity to the data center.

And the one that DMVPN adopts. A GRE tunnel can support tunneling for various protocols over an IP-based network. It works by inserting an IP and GRE header on top of the original protocol packet, creating a new GRE/IP packet. 

GRE over IPsec

The resulting GRE/IP packet uses a source/destination pair routable over the underlying infrastructure. The GRE/IP header is the outer header, and the original protocol header is the inner header.

♦ Is GRE over IPsec a tunneling protocol? 

GRE is a tunneling protocol that transports multicast, broadcast, and non-IP packets like IPX. IPSec is an encryption protocol. IPSec can only transport unicast packets, not multicast & broadcast. Hence, we wrap it GRE first and then into IPSec, which is called GRE over IPSec.

3rd Lab Guide: Displaying the DMVPN configuration

DMVPN Configuration

We are using a different DMVPN lab setup than before. R11 is the hub of the DMVPN network, and we only have one spoke of R12. In the DMVPN configuration, the tunnel interface has an “encapsulation tunnel.” This is the overlay network, and we are using GRE.

We are currently using the standard point-to-point GRE and not multipoint GRE. We know this as we have explicitly set the tunnel destination with the command tunnel destination 172.16.31.2.  This is fine for a small network of a few spokes. However, for the more extensive network, we need to use mGRE. And take full advantage of the dynamic nature of DMVPN.

Note:

  1. As for the routing protocols, we run EIGRP over the tunnel ( GRE ) interface. So, we only have one EIGRP neighbor, so we don’t need to worry about the split horizon. Before we move on, one key point is that running a traceroute from R11 to R12 only shows one hop.
  2. This is because the TTL is also carried in the GRE. So, no matter how many devices are in the path ( underlay network ) between R11 and R12, either physical or virtual, it will always show as one hop due to the overlay network, i.e., GRE.
DMVPN configuration
Diagram: DMVPN Configuration

Multipoint GRE. What is mGRE? 

An alternative to configuring multiple point-to-point GRE tunnels is to use multipoint GRE tunnels to provide the connectivity desired. Multipoint GRE (mGRE) tunnels are similar in construction to point-to-point GRE tunnels except for the tunnel destination command. However, instead of declaring a static destination, no destination is declared, and instead, the tunnel mode gre multipoint command is issued.

How does one remote site know what destination to set for the GRE/IP packet created by the tunnel interface? The easy answer is that it can’t on its own. The site can only glean the destination address with the help of an additional protocol. The next component used to create a DMVPN network is the Next Hop Resolution Protocol (NHRP). 

Essentially, mGRE features a single GRE interface on each router, allowing multiple destinations. This interface secures multiple IPsec tunnels and reduces the overall scope of the DMVPN configuration. However, if two branch routers need to tunnel traffic, mGRE and point-to-point GRE may not know which IP addresses to use.

The Next Hop Resolution Protocol (NHRP) is used to solve this issue. The following diagram depicts the functionality of mGRE in DMVPN technology.

what is mgre
Diagram: What is mGRE? Source is Stucknactive

Next Hop Resolution Protocol (NHRP)

The Next Hop Resolution Protocol (NHRP) is a networking protocol designed to facilitate efficient and reliable communication between two nodes on a network. It does this by providing a way for one node to discover the IP address of another node on the same network.

The primary role of NHRP is to allow a node to resolve the IP address of another node that is not directly connected to the same network. This is done by querying an NHRP server, which contains a mapping of all the nodes on the network. When a node requests the NHRP server, it will return the IP address of the destination node.

NHRP was initially designed to allow routers connected to non-broadcast multiple-access (NBMA) networks to discover the proper next-hop mappings to communicate. It is specified in RFC 2332. NBMA networks faced a similar issue as mGRE tunnels. 

Cisco DMVPN
Diagram: Cisco DMVPN and NHRP. The source is network direction.

The NHRP can deploy spokes with assigned IP addresses, which can be connected from the central DMVPN hub. One branch router requires this protocol to find the public IP address of the second branch router. NHRP uses a “server-client” model, where one router functions as the NHRP server while the other routers are the NHRP clients. In the multipoint GRE/DMVPN topology, the hub router is the NHRP server, and all other routers are the spokes. 

Each client registers with the server and reports its public IP address, which the server tracks in its cache. Then, through a process that involves registration and resolution requests from the client routers and resolution replies from the server router, traffic is enabled between various routers in the DMVPN.

4th Lab Guide: Displaying the DMVPN configuration

NHC and NHS Design

The following DMVPN configuration shows a couple of new topics. DMVPN works with an NHS and NHC design; the hub is the HHS. You can see this explicitly configured on the spokes, and this configuration needs to be on the spokes rather than the hubs.

The hub configuration is meant to be more dynamic. Also, if you recall, we are running EIGRP over the GRE tunnel. Two important points here. Firstly, we must consider a split-horizon as we have two spokes. Secondly, we need to use the “multicast” command.

Note:

  1. This is because EIGRP uses multicast HELLO messages to form neighbor relationships. If we had BGP running over the tunnel interface and not EIGRP, we would not need the multicast keywords. As BGP does not use multicast. The full command: IP nhrp nhs 192.168.100.11 nmba 172.16.11.1 multicast.
  2. On the spoke, we are telling the router that R11 is the NHS and to map its tunnel interface of 192.168.100.11 to the address 172.16.11.1 and to allow multicast traffic, or better explained, we are creating a new multicast mapping table.

DMVPN configuration

5th Lab Guide: DMVPN over IPsec

Securing DMVPN

In the following screenshot, we have DMVPN operating over IPsec. So, I have connected the hub and two spokes into an unmanaged switch to simulate the WAN environment. A WAN and DMVPN do not have encryption by default. However, since you probably use DMVPN with the Internet as the underlying network, it might be wise to encrypt your tunnels.

In this network, we are running RIP v2 as the routing protocol. Remember that you must turn off the split horizon at the hub site. IPsec has phases 1 and 2 (don’t confuse them with the DMVPN phases). Firstly, we need an ISAKMP policy that matches all our routers. Then, for Phase 2, we require a transform set on each router that tells the router what encryption/hashing to use and if we want tunnel or transport mode.

Note:

  1. I used ESP with AES as the encryption algorithm for this configuration and SHA for hashing. The mode is essential; since we are using GRE, we have already used tunnels as a transport mode. If you use tunnel mode, we will have even more overhead, which is unnecessary.
  2. The primary test here was to run a ping between the spokes. Since the ping works behind the scenes, our two spoke routers will establish an IPsec tunnel. You can see the security association below:
DMVPN over IPsec
Diagram: DMVPN over IPsec

IPsec Tunnels

An IPsec tunnel is a secure connection between two or more devices over an untrusted network using a set of cryptographic security protocols. The most common type of IPsec tunnel is the site-to-site tunnel, which connects two sites or networks. It allows two remote sites to communicate securely and exchange traffic between them. Another type of IPsec tunnel is the remote-access tunnel, which allows a remote user to connect to the corporate network securely.

When setting up an IPsec tunnel, several parameters, such as authentication method, encryption algorithm, and tunnel mode, must be configured. Depending on the organization’s needs, additional security protocols, such as Internet Key Exchange (IKE), can also be used for further authentication and encryption.

IPsec VPN
Diagram: IPsec VPN. Source Wikimedia.

IPsec Tunnel Endpoint Discovery 

Tunnel Endpoint Discovery (TED) allows routers to discover IPsec endpoints automatically so that static crypto maps must not be configured between individual IPsec tunnel endpoints. In addition, TED allows endpoints or peers to dynamically and proactively initiate the negotiation of IPsec tunnels to discover unknown peers.

These remote peers do not need to have TED configured to be discovered by inbound TED probes. So, while configuring TED, VPN devices that receive TED probes on interfaces — that are not configured for TED — can negotiate a dynamically initiated tunnel using TED.

DMVPN Checkpoint 

Main DMVPN Points To Consisder

  • Dynamic Multipoint VPN (DMVPN) technology is used for scaling IPsec VPN networks.

  • The DMVPN solution consists of a combination of existing technologies.

  • The overlay network does not magically appear. To create an overlay network, we need a tunneling technique. 

  • Once the virtual tunnel is fully functional, the routers need a way to direct traffic through their tunnels. Dynamic routing protocols are excellent choices for this.

  • mGRE features a single GRE interface on each router with the possibility of multiple destinations.

  • The Next Hop Resolution Protocol (NHRP) is a networking protocol designed to facilitate efficient and reliable communication between two nodes on a network.

  • An IPsec tunnel is a secure connection between two or more devices over an untrusted network using a set of cryptographic security protocols. DMVPN is not secure by default.

Continue Reading


DMVPN and Routing protocols 

Routing protocols enable the DMVPN to find routes between different endpoints efficiently and effectively. Therefore, choosing the right routing protocol is essential to building a scalable and stable DMVPN. One option is to use Open Shortest Path First (OSPF) as the interior routing protocol. However, OSPF is best suited for small-scale DMVPN deployments. 

The Enhanced Interior Gateway Routing Protocol (EIGRP) or Border Gateway Protocol (BGP) is more suitable for large-scale implementations. EIGRP is not restricted by the topology limitations of a link-state protocol and is easier to deploy and scale in a DMVPN topology. BGP can scale to many peers and routes, and it puts less strain on the routers compared to other routing protocols

DMVPN supports various routing protocols that enable efficient communication between network devices. In this section, we will explore three popular DMVPN routing protocols: Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP). We will examine their characteristics, advantages, and use cases, allowing network administrators to make informed decisions when implementing DMVPN.

EIGRP: The Dynamic Routing Powerhouse

EIGRP is a distance vector routing protocol widely used in DMVPN deployments. This section will provide an in-depth look at EIGRP, discussing its features such as fast convergence, load balancing, and scalability. Furthermore, we will highlight best practices for configuring EIGRP in a DMVPN environment, optimizing network performance and reliability.

OSPF: Scalable and Flexible Routing

OSPF is a link-state routing protocol that offers excellent scalability and flexibility in DMVPN networks. This section will explore OSPF’s key attributes, including its hierarchical design, area types, and route summarization capabilities. We will also discuss considerations for deploying OSPF in a DMVPN environment, ensuring seamless connectivity and effective network management.

BGP: Extending DMVPN to the Internet

BGP, a path vector routing protocol, connects DMVPN networks to the global Internet. This section will focus on BGP’s unique characteristics, such as its autonomous system (AS) concept, policy-based routing, and route reflectors. We will also address the challenges and best practices of integrating BGP into DMVPN architectures.

6th Lab Guide: DMVPN Phase 1 and OSPF

DMVPN Routing

OSPF is not the best solution for DMVPN. Because it’s a link-state protocol, each spoke router must have the complete LSDB for the DMVPN area. Since we use a single subnet on the multipoint GRE interfaces, all spoke routers must be in the same area.

This is no problem with a few routers, but it doesn’t scale well when you have dozens or hundreds. Most spoke routers are probably low-end devices at branch offices that don’t like all the LSA flooding that OSPF might do within the area. One way to reduce the number of prefixes in the DMVPN network is to use a stub or total stub area.

Note:

  1. The example below shows we are running OSPF between the Hub and the two spokes. OSPF network type can be viewed on the hub along with the status of DMVPN. Please take note of the next hop on the Spoke router when I do a show IP route OSPF.
  2. Each router has learned the networks on the different loopback interfaces. The next hop value is preserved when we use the broadcast network type.

You have seen all the different OSPF Broadcast network types on DMVPN phase 1. As you can see, some stuff is in the routing tables. All traffic goes through the hub, so our spoke routers don’t need to know everything. Unfortunately, it’s impossible to summarize within the area. However, we can reduce the number of routes by changing the DMVPN area into a stub or total stub area.

Unlike the broadcast network type, point-to-point and point-to-multipoint network types do not preserve the spokes’ next-hop IP addresses.

7th Lab Guide: DMVPN Phase 2 with OSPF

DMVPN Routing

In the following example, we have DMVPN Phase 2 running with OSPF. We are using the Broadcast network type. However, the following OSPF network types are potentials for DMVPN phase 2.

  • point-to-point
  • broadcast
  • non-broadcast
  • point-to-multipoint
  • point-to-multipoint non-broadcast

Below, all routers have learned the networks on each other’s loopback interfaces. Look closely at the next hop IP addresses for the 2.2.2.2/32 and 3.3.3.3/32 entries. This looks good; these are the IP addresses of the spoke routers. You can also see that 1.1.1.1/32 is an inter-area route. This is good; we can summarize networks “behind” the hub towards the spoke routers if we want to.

When running OSPF for DMVPN phase 2, you only have two choices if you want direct spoke-to-spoke communication: broadcast and non-broadcast. Let me give you an overview:

  • Point-to-point: This will not work since we use multipoint GRE interfaces.
  • Broadcast: This network type is your best choice. We are using it in the example above. The automatic neighbor discovery and correct next-hop addresses. Make sure that the spoke router can’t become DR or BDR. Here, we can use the priority commands and set them to 0 on the spokes.
  • Non-broadcast: similar to broadcast, but you have to configure static neighbors.
  • Point-to-multipoint: Don’t use this for DMVPN phase 2 since the hub changes the next hop address; you won’t have direct spoke-to-spoke communication.
  • Point-to-multipoint non-broadcast: same story as point-to-multipoint, but you must also configure static neighbors.

DMVPN Deployment Scenarios: 

Cisco DMVPN can be deployed in two ways:

  1. Hub-and-spoke deployment model
  2. Spoke-to-spoke deployment model

Hub-and-spoke deployment model: In this traditional topology, remote sites, which are the spokes, are aggregated into a headend VPN device. The headend VPN location would be at the corporate headquarters, known as the hub. 

Traffic from any remote site to other remote sites would need to pass through the headend device. Cisco DMVPN supports dynamic routing, QoS, and IP Multicast while significantly reducing the configuration effort. 

Spoke-to-spoke deployment model: Cisco DMVPN allows the creation of a full-mesh VPN, in which traditional hub-and-spoke connectivity is supplemented by dynamically created IPsec tunnels directly between the spokes. 

With direct spoke-to-spoke tunnels, traffic between remote sites does not need to traverse the hub; this eliminates additional delays and conserves WAN bandwidth while improving performance. 

Spoke-to-spoke capability is supported in a single-hub or multi-hub environment. Multihub deployments provide increased spoke-to-spoke resiliency and redundancy.  

DMVPN Designs

The word phase is almost always connected to discussions on DMVPN design. DMVPN phase refers to the version of DMVPN implemented in a DMVPN design. As mentioned above, we can have two deployment models, each of which can be mapped to a DMVPN Phase.

Cisco DMVPN as a solution was rolled out in different stages as the explanation became more widely adopted to address performance issues and additional improvised features. There are three main phases for DMVPN:

  • Phase 1 – Hub-and-spoke
  • Phase 2 – Spoke-initiated spoke-to-spoke tunnels
  • Phase 3 – Hub-initiated spoke-to-spoke tunnels
What is DMVPN
Diagram: What is DMVPN? Source is Lira

The differences between the DMVPN phases are related to routing efficiency and the ability to create spoke-to-spoke tunnels. We started with DMVPN Phase 1, which only had a hub to spoke. This needed more scalability as we could not have direct spoke-to-spoke communication. Instead, the spokes could communicate with one another but were required to traverse the hub.

Then, we went to DMVPN Phase 2 to support spoke-to-spoke with dynamic tunnels. These tunnels were initially brought up by passing traffic via the hub. Later, Cisco developed DMVPN Phase 3, which optimized how spoke-to-spoke commutation happens and the tunnel build-up.

Dynamic multipoint virtual private networks began simply as what is best described as hub-and-spoke topologies. The primary tool for creating these VPNs combines Multipoint Generic Routing Encapsulation (mGRE) connections employed on the hub with traditional Point-to-Point (P2P) GRE tunnels on the spoke devices.

In this initial deployment methodology, known as a Phase 1 DMVPN, the spokes can only join the hub and communicate with one another through the hub. This phase does not use spoke-to-spoke tunnels. Instead, the spokes are configured for point-to-point GRE to the hub and register their logical IP with the non-broadcast multi-access (NBMA) address on the next hop server (NHS) hub.

It is essential to keep in mind that there is a total of three phases, and each one can influence the following:

  1. Spoke-to-spoke traffic patterns
  2. Routing protocol design
  3. Scalability

DMVPN Design Options

The disadvantage of a single hub router is that it’s a single point of failure. Once your hub router fails, the entire DMVPN network is gone.

We need another hub router to add redundancy to our DMVPN network. There are two options for this:

  1. Dual hub – Single Cloud
  2. Dual hub – Dual Cloud

With the single cloud option, we use a single DMVPN network but add a second hub. The spoke routers will use only one multipoint GRE interface, and we configure the second hub as a next-hop server. The dual cloud option also has two hubs, but we will use two DMVPN networks, meaning all spoke routers will get a second multipoint GRE interface.

Understanding DMVPN Dual Hub Single Cloud:

DMVPN dual hub single cloud is a network architecture that provides redundancy and high availability by utilizing two hub devices connected to a single cloud. The cloud can be an internet-based infrastructure or a private WAN. This configuration ensures the network remains operational even if one hub fails, as the other hub takes over the traffic routing responsibilities.

Benefits of DMVPN Dual Hub Single Cloud:

1. Redundancy: With dual hubs, organizations can ensure network availability even during hub device failures. This redundancy minimizes downtime and maximizes productivity.

2. Load Balancing: DMVPN dual hub single cloud allows for efficient load balancing between the two hubs. Traffic can be distributed evenly, optimizing bandwidth utilization and enhancing network performance.

3. Scalability: The architecture is highly scalable, allowing organizations to easily add new sites without reconfiguring the entire network. New sites can be connected to either hub, providing flexibility and ease of expansion.

4. Simplified Management: DMVPN dual hub single cloud simplifies network management by centralizing control and reducing the complexity of VPN configurations. Changes and updates can be made at the hub level, ensuring consistent policies across all connected sites.

The disadvantage is that we have limited control over routing. Since we use a single multipoint GRE interface, making the spoke routers prefer one hub over another is challenging.

8th Lab Guide: DMVPN Dual Hub Single Cloud

DMVPN Advanced Configuration

Below is a DMVPN network with two hubs and two spoke routers. Hub1 will be the primary hub, and hub2 will be the secondary hub. We use a single DMVPN network; each router only has one multipoint GRE interface. On top of that, we have R1 on the leading site where we use the 10.10.10.0/24 subnet. Behind R1, we have a loopback interface with IP address 1.1.1.1/32.

Note:

  1. The two hub routers and spoke routers are connected to the Internet. Usually, you would connect the two hub routers to different ISPs. To keep it simple, I combined all routers into the 192.168.1.0/24 subnet, represented as an unmanaged switch in the lab below.
  2. Each spoke router has a loopback interface with an IP address. The DMVPN network will use subnet 172.16.1.0/24, where hub1 will be the primary hub. Spoke routers will register themselves with both hub routers.
Dual Hub Single Cloud
Diagram: Dual Hub Single Cloud

Summary of DMVPN Phases

Phase 1—Hub-to-Spoke Designs: Phase 1 was the first design introduced for hub-to-spoke implementation, where spoke-to-spoke traffic would traverse via the hub. Phase 1 also introduced daisy chaining of identical hubs for scaling the network, thereby providing Server Load Balancing (SLB) capability to increase the CPU power.

Phase 2—Spoke-to-Spoke Designs: Phase 2 design introduced the ability for dynamic spoke-to-spoke tunnels without traffic going through the hub, intersite communication bypassing the hub, thereby providing greater scalability and better traffic control.

In Phase 2 network design, each DMVPN network is independent of other DMVPN networks, causing spoke-to-spoke traffic from different regions to traverse the regional hubs without going through the central hub.

Phase 3—Hierarchical (Tree-Based) Designs: Phase 3 extended Phase 2 design with the capability to establish dynamic and direct spoke-to-spoke tunnels from different DMVPN networks across multiple regions. In Phase 3, all regional DMVPN networks are bound to form a single hierarchical (tree-based) DMVPN network, including the central hubs.

As a result, spoke-to-spoke traffic from different regions can establish direct tunnels with each other, thereby bypassing both the regional and main hubs.

DMVPN network
Diagram: DMVPN network and phases explained. Source is blog

DMVPN Architecture

Design recommendation


  • To create an overlay network, one needs a tunneling technique.Multipoint GRE and Point to Point GRE

  • Dynamic routing protocols are typically required in all but the smallest deployments or wherever static routing is not manageable or optimal.

  • QoS: Mandatory to ensure performance and quality of voice, video, and real-time data applications.

DMVPN Design recommendation

Which deployment model can you use? The 80:20 traffic rule can be used to determine which model to use:

  1. If 80 percent or more of the traffic from the spokes is directed into the hub network itself, deploy the hub-and-spoke model.
  2. Consider the spoke-to-spoke model if more than 20 percent of the traffic is meant for other spokes.

The hub-and-spoke model is usually preferred for networks with a high volume of IP Multicast traffic.

Architecture

Medium-sized and large-scale site-to-site VPN deployments require support for advanced IP network services such as:

● IP Multicast: Required for efficient and scalable one-to-many (i.e., Internet broadcast) and many-to-many (i.e., conferencing) communications and commonly needed by voice, video, and specific data applications

● Dynamic routing protocols: Typically required in all but the smallest deployments or wherever static routing is not manageable or optimal

● QoS: Mandatory to ensure performance and quality of voice, video, and real-time data applications

Traditionally, supporting these services required tunneling IPsec inside protocols such as Generic Route Encapsulation (GRE), which introduced an overlay network, making it complex to set up and manage and limiting the solution’s scalability.

Indeed, traditional IPsec only supports IP Unicast, making deploying applications that involve one-to-many and many-to-many communications inefficient. Cisco DMVPN combines GRE tunneling and IPsec encryption with Next-Hop Resolution Protocol (NHRP) routing to meet these requirements while reducing the administrative burden. 

How DMVPN Works

How DMVPN Works


  •  Each spoke establishes a permanent tunnel to the hub. IPsec is optional.

  • Each spoke registers its actual address as a client to the NHRP server on the hub

  • When a spoke requires that packets be sent to a destination subnet on another spoke, it queries the NHRP server for the real (outside) addresses of other spoke.

  • After the originating spoke learns the peer address of the target spoke, it initiates a dynamic IPsec tunnel to the target spoke.

  • The spoke-to-spoke tunnels are established on demand whenever traffic is sent between the spokes.

  • DMVPN Operations.

How DMVPN Works

DMVPN builds a dynamic tunnel overlay network.

• Initially, each spoke establishes a permanent IPsec tunnel to the hub. (At this stage, spokes do not establish tunnels with other spokes within the network.) The hub address should be static and known by all of the spokes.

• Each spoke registers its actual address as a client to the NHRP server on the hub. The NHRP server maintains an NHRP database of the public interface addresses for each spoke.

• When a spoke requires that packets be sent to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) addresses of the other spoke’s destination to build direct tunnels.

• The NHRP server looks up the NHRP database for the corresponding destination spoke and replies with the real address for the target router. NHRP prevents dynamic routing protocols from discovering the route to the correct spoke. (Dynamic routing adjacencies are established only from spoke to the hub.)

• After the originating spoke learns the peer address of the target spoke, it initiates a dynamic IPsec tunnel to the target spoke.

• Integrating the multipoint GRE (mGRE) interface, NHRP, and IPsec establishes a direct dynamic spoke-to-spoke tunnel over the DMVPN network.

The spoke-to-spoke tunnels are established on demand whenever traffic is sent between the spokes. After that, packets can bypass the hub and use the spoke-to-spoke tunnel directly. 

Feature Design of Dynamic Multipoint VPN 

The Dynamic Multipoint VPN (DMVPN) feature combines GRE tunnels, IPsec encryption, and NHRP routing to provide users with ease of configuration via crypto profiles—which override the requirement for defining static crypto maps—and dynamic discovery of tunnel endpoints. 

This feature relies on the following two Cisco-enhanced standard technologies: 

  • NHRP is a client-server protocol where the hub is the server and the spokes are the clients. The hub maintains an NHRP database of each spoke’s public interface addresses. Each spoke registers its real address when it boots and queries the NHRP database for the real addresses of the destination spokes to build direct tunnels. 
  • mGRE Tunnel Interface –Allows a single GRE interface to support multiple IPsec tunnels and simplifies the size and complexity of the configuration.
  • Each spoke has a permanent IPsec tunnel to the hub, not to the other spokes within the network. Each spoke registers as a client of the NHRP server. 
  • When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke. 
  • After the originating spoke “learns” the peer address of the target spoke, a dynamic IPsec tunnel can be initiated into the target spoke. 
  • The spoke-to-spoke tunnel is built over the multipoint GRE interface. 
  • The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. After that, packets can bypass the hub and use the spoke-to-spoke tunnel.
Cisco DMVPN
Diagram: Cisco DMVPN features. The source is Cisco.

Cisco DMVPN Solution Architecture

DMVPN allows IPsec VPN networks to scale hub-to-spoke and spoke-to-spoke designs better, optimizing performance and reducing communication latency between sites.

DMVPN offers a wide range of benefits, including the following:

• The capability to build dynamic hub-to-spoke and spoke-to-spoke IPsec tunnels

• Optimized network performance

• Reduced latency for real-time applications

• Reduced router configuration on the hub that provides the capability to dynamically add multiple spoke tunnels without touching the hub configuration

• Automatic triggering of IPsec encryption by GRE tunnel source and destination, assuring zero packet loss

• Support for spoke routers with dynamic physical interface IP addresses (for example, DSL and cable connections)

• The capability to establish dynamic and direct spoke-to-spoke IPsec tunnels for communication between sites without having the traffic go through the hub; that is, intersite communication bypassing the hub

• Support for dynamic routing protocols running over the DMVPN tunnels

• Support for multicast traffic from hub to spokes

• Support for VPN Routing and Forwarding (VRF) integration extended in multiprotocol label switching (MPLS) networks

• Self-healing capability maximizing VPN tunnel uptime by rerouting around network link failures

• Load-balancing capability offering increased performance by transparently terminating VPN connections to multiple headend VPN devices

Network availability over a secure channel is critical in designing scalable IPsec VPN solutions prepared with networks becoming geographically distributed. DMVPN solution architecture is by far the most effective and scalable solution available.

Summary: DMVPM

One technology that has gained significant attention and revolutionized the way networks are connected is DMVPN (Dynamic Multipoint Virtual Private Network). In this blog post, we delved into the depths of DMVPN, exploring its architecture, benefits, and use cases.

Section 1: Understanding DMVPN

DMVPN, at its core, is a scalable and efficient solution for providing secure and dynamic connectivity between multiple sites over a public network infrastructure. It combines the best features of traditional VPNs and multipoint GRE tunnels, resulting in a flexible and cost-effective network solution.

Section 2: The Architecture of DMVPN

The architecture of DMVPN involves three main components: the hub router, the spoke routers, and the underlying routing protocol. The hub router acts as a central point for the network, while the spoke routers establish secure tunnels with the hub. These tunnels are dynamically built using multipoint GRE, allowing efficient data transmission.

Section 3: Benefits of DMVPN

3.1 Enhanced Scalability: DMVPN provides a scalable solution, allowing for easy addition or removal of spokes without complex configurations. This flexibility is particularly useful in dynamic network environments.

3.2 Cost Efficiency: Using existing public network infrastructure, DMVPN eliminates the need for costly dedicated lines or leased circuits. This significantly reduces operational expenses and makes it an attractive option for organizations of all sizes.

3.3 Simplified Management: With DMVPN, network administrators can centrally manage the network infrastructure through the hub router. This centralized control simplifies configuration, monitoring, and troubleshooting tasks.

Section 4: Use Cases of DMVPN

4.1 Branch Office Connectivity: DMVPN is ideal for connecting branch offices to a central headquarters. It provides secure and reliable communication while minimizing the complexity and cost associated with traditional WAN solutions.

4.2 Mobile or Remote Workforce: DMVPN offers a secure and efficient solution for connecting remote employees to the corporate network in today’s mobile-centric work environment. Whether it’s sales representatives or telecommuters, DMVPN ensures seamless connectivity regardless of the location.

Conclusion:

DMVPN has emerged as a game-changer in the world of network connectivity. Its scalable architecture, cost efficiency, and simplified management make it an attractive option for organizations seeking to enhance their network infrastructure. Whether connecting branch offices or enabling a mobile workforce, DMVPN provides a robust and secure solution. Embracing the power of DMVPN can revolutionize network connectivity, opening doors to a more connected and efficient future.

GRE over IPsec

Point-to-Point Generic Routing Encapsulation over IP Security

Point-to-Point Generic Routing Encapsulation over IP Security

Generic Routing Encapsulation (GRE) is a widely used encapsulation protocol in computer networking. It allows the transmission of diverse network protocols over an IP network infrastructure. In this blog post, we'll delve into the details of the GRE and its significance in modern networking.

GRE acts as a tunneling protocol, encapsulating packets from one network protocol within another. By creating a virtual point-to-point link, it facilitates the transmission of data across different network domains. This enables the interconnection of disparate networks, making GRE a crucial tool for securely building virtual private networks (VPNs) and connecting remote sites.

P2P GRE is a tunneling protocol that allows the encapsulation of various network layer protocols within IP packets. It provides a secure and reliable method of transmitting data between two points in a network. By encapsulating packets in IP headers, P2P GRE ensures data integrity and confidentiality.

IP Security (IPsec) plays a crucial role in enhancing the security of P2P GRE tunnels. By leveraging cryptographic algorithms, IPsec provides authentication, integrity, and confidentiality of data transmitted over the network. It establishes a secure channel between two endpoints, ensuring that data remains protected from unauthorized access and tampering.

Enhanced Network Security: P2P GRE over IP Security offers a robust security solution for organizations by providing secure communication channels across public and private networks. It allows for the establishment of secure connections between geographically dispersed locations, ensuring the confidentiality of sensitive data.

Improved Network Performance: P2P GRE over IP Security optimizes network performance by encapsulating and routing packets efficiently. It enables the transmission of data across different network topologies, reducing network congestion and enhancing overall network efficiency.

Seamless Integration with Existing Infrastructures: One of the key advantages of P2P GRE over IP Security is its compatibility with existing network infrastructures. It can be seamlessly integrated into existing networks without the need for significant architectural changes, making it a cost-effective solution for organizations.

Security Measures: Implementing P2P GRE over IP Security requires careful consideration of security measures. Organizations should ensure that strong encryption algorithms are utilized, proper key management practices are in place, and regular security audits are conducted to maintain the integrity of the network.

Scalability and Performance Optimization: To ensure optimal performance, network administrators should carefully plan and configure the P2P GRE tunnels. Factors such as bandwidth allocation, traffic prioritization, and Quality of Service (QoS) settings should be taken into account to guarantee the efficient operation of the network.

Highlights: Point-to-Point Generic Routing Encapsulation over IP Security

Generic Tunnelling – P2P GRE & IPSec

– P2P GRE is a tunneling protocol that allows the encapsulation of different network protocols within an IP network. It provides a secure and efficient mechanism for transmitting data between two network endpoints. By encapsulating packets, P2P GRE ensures that information is protected from external threats and remains intact during transmission.

– IPsec, on the other hand, is a suite of protocols that provides security services at the IP layer. It offers authentication, confidentiality, and integrity to IP packets, ensuring that data remains secure even when traversing untrusted networks. IPsec can be combined with P2P GRE to create a robust and secure communication channel.

– The combination of P2P GRE and IPsec brings several benefits to network administrators and organizations. Firstly, it enables secure communication between geographically dispersed networks, allowing for seamless connectivity. Additionally, P2P GRE over IPsec provides strong encryption, ensuring the confidentiality of sensitive data. It also allows for the creation of virtual private networks (VPNs), offering a secure and private network environment.

– P2P GRE over IPsec finds applications in various scenarios. One common use case is connecting branch offices of an organization securely. By establishing a P2P GRE over IPsec tunnel between different locations, organizations can create a secure network environment for their remote sites. Another use case is securely connecting cloud resources to on-premises infrastructure, enabling secure and seamless integration.

**The Role of GRE**

A: In GRE, packets are wrapped within other packets that use supported protocols, allowing the use of protocols not generally supported by a network. To understand this, consider the difference between a car and a ferry. On land, cars travel on roads, while ferries travel on water.

B: Usually, cars cannot travel on water but can be loaded onto ferries. In this analogy, terrain could be compared to a network that supports specific routing protocols and vehicles to data packets. Similarly, one type of vehicle (the car) is loaded onto a different kind of vehicle (the ferry) to cross terrain it could not otherwise.

GRE tunneling: how does it work?

GRE tunnels encapsulate packets within other packets. Each router represents the end of the tunnel. GRE packets are exchanged directly between routers. When routers are between forwarding packets, they use headers surrounding them rather than opening the encapsulated packets. Every packet of data sent over a network has the payload and the header. The payload contains the data being sent, while the headers contain information about the source and group of the packet. Each network protocol attaches a header to each packet.

Unlike load limits on automobile bridges, data packet sizes are limited by MTU and MSS. An MSS measurement only measures a packet’s payload, not its headers. Including the headers, the MTU measures the total size of a packet. Packets that exceed MTU are fragmented to fit through the network.

GRE configuration

GRE Operation

GRE is a layer three protocol, meaning it works at the IP level of the network. It enables a router to encapsulate packets of a particular protocol and send them to another router, where they are decapsulated and forwarded to their destination. This is useful for tunneling, where data must traverse multiple networks and different types of hardware.

GRE encapsulates data in a header containing information about the source, destination, and other routing information. The GRE header is then encapsulated in an IP header containing the source and destination IP addresses. When the packet reaches the destination router, the GRE header is stripped off, and the data is sent to its destination.

GRE over IPsec

**Understanding Multipoint GRE**

Multipoint GRE, or mGRE, is a tunneling protocol for encapsulating packets and transmitting them over an IP network. It enables virtual point-to-multipoint connections, allowing multiple endpoints to communicate simultaneously. By utilizing a single tunnel interface, mGRE simplifies network configurations and optimizes resource utilization.

One of Multipoint GRE’s standout features is its ability to transport multicast and broadcast traffic across multiple sites efficiently. It achieves this through a single tunnel interface, eliminating the need for dedicated point-to-point connections. This scalability and flexibility make mGRE an excellent choice for large-scale deployments and multicast applications.

Multipoint GRE & DMVPN:

DMVPN, as the name suggests, is a virtual private network technology that dynamically creates VPN connections between multiple sites without needing dedicated point-to-point links. It utilizes a hub-and-spoke architecture, with the hub as the central point for all communication. Using the Next Hop Resolution Protocol (NHRP), DMVPN provides a highly scalable and flexible solution for securely interconnecting sites.

Multipoint GRE, or mGRE, is a tunneling protocol my DMVPN uses to create point-to-multipoint connections. It allows multiple spokes to communicate directly with each other, bypassing the hub. By encapsulating packets within GRE headers, mGRE establishes virtual links between spokes, providing a flexible and efficient method of data transmission.

Google HA VPN

Understanding HA VPN

HA VPN is a highly scalable and redundant VPN solution provided by Google Cloud. It allows you to establish secure connections over the public internet while ensuring high availability and reliability. With HA VPN, you can connect your on-premises networks to Google Cloud, enabling secure data transfer and communication.

To begin configuring HA VPN, you must first set up a virtual private cloud (VPC) network in Google Cloud. This VPC network will serve as the backbone for your VPN connection. Next, you must create a VPN gateway and configure the necessary parameters, such as IP addresses, routing, and encryption settings. Google Cloud provides a user-friendly interface and comprehensive documentation to guide you through this process.

Once the HA VPN configuration is set up in Google Cloud, it’s time to establish connectivity with your on-premises networks. This involves configuring your on-premises VPN gateway or router to connect to the HA VPN gateway in Google Cloud. You must ensure that the IPsec VPN parameters, such as pre-shared keys and encryption algorithms, are correctly configured on both ends for a secure and reliable connection.

IPSec Security

Securing GRE:

IPsec, short for Internet Protocol Security, is a protocol suite that provides secure communication over IP networks. It operates at the network layer of the OSI model, offering confidentiality, integrity, and authentication services. By encrypting and authenticating IP packets, IPsec effectively protects sensitive data from unauthorized access and tampering.

Components of IPsec:

To fully comprehend IPsec, we must familiarize ourselves with its core components. These include the Authentication Header (AH), the Encapsulating Security Payload (ESP), Security Associations (SAs), and Key Management protocols. AH provides authentication and integrity, while ESP offers confidentiality and encryption. SAs establish the security parameters for secure communication, and Key Management protocols handle the exchange and management of cryptographic keys.

The adoption of IPsec brings forth a multitude of advantages for network security. First, it ensures data confidentiality by encrypting sensitive information, making it indecipherable to unauthorized individuals. Second, IPsec guarantees data integrity, as any modifications or tampering attempts would be detected. Additionally, IPsec provides authentication, verifying the identities of communicating parties, thus preventing impersonation or unauthorized access.

When IPsec and GRE are combined, they create a robust network security solution. IPsec ensures the confidentiality and integrity of data, while GRE enables the secure transmission of encapsulated non-IP traffic. This integration allows organizations to establish secure tunnels for transmitting sensitive information while extending their private networks securely.

Benefits of GRE over IPSEC:

Secure Data Transmission: By leveraging IPSEC’s encryption and authentication capabilities, GRE over IPSEC ensures the confidentiality and integrity of data transmitted over the network. This is particularly crucial when transmitting sensitive information, such as financial data or personal records.

Network Scalability: GRE over IPSEC allows organizations to create virtual private networks (VPNs) by establishing secure tunnels between remote sites. This enables seamless communication between geographically dispersed networks, enhancing collaboration and productivity.

Protocol Flexibility: GRE over IPSEC supports encapsulating various network protocols, including IPv4, IPv6, and multicast traffic. This flexibility enables the transmission of diverse data types, ensuring compatibility across different network environments.

The Role of VPNs

VPNs are deployed on an unprotected network or over the Internet to ensure data integrity, authentication, and encryption. Initially, VPNs were designed to reduce the cost of unnecessary leased lines. As a result, they now play a critical role in securing the internet and, in some cases, protecting personal information.

In addition to connecting to their corporate networks, individuals use VPNs to protect their privacy. Data integrity, authentication, and encryption through L2F, L2TP, GRE, or MPLS VPNs are impossible. However, IPsec can also benefit these protocols when combined with L2TP, GRE, and MPLS. These features make IPsec the preferred protocol for many organizations.

DMVPN over IPsec
Diagram: DMVPN over IPsec

GRE over IPsec

A GRE tunnel allows unicast, multicast, and broadcast traffic to be tunneled between routers and is often used to route traffic between different sites. A disadvantage of GRE tunneling is that it is clear text and offers no protection. Cisco IOS routers, however, allow us to encrypt the entire GRE tunnel, providing a safe and secure site-to-site tunnel.

RFC 2784 defines GRE (protocol 47), and RFC 2890 extends it. Using GRE, packets of any protocol (the payload packets) can be encapsulated over any other protocol (the delivery protocol) between two endpoints. Between the payload (data) and the delivery header, the GRE protocol adds its header (4 bytes plus options).

Tip:

GRE supports IPv4 and IPv6. If IPv4 or IPv6 endpoint addresses are defined, the outer IP header will be IPv4 or IPv6, respectively. In comparison to the original packet, GRE packets have the following overhead:

  • 4 bytes (+ GRE options) for the GRE header.
  • 20 bytes (+ IP options) for the outer IPv4 header (GRE over IPv4), or
  • 40 bytes (+ extension headers) for the outer IPv6 header (GRE over IPv6).

GRE over IPsec creates a new IP packet inside the network infrastructure device by encapsulating the original packets within GRE.

When GRE over IPsec is deployed in tunnel mode, the plaintext IPv4 or IPv6 packet is encapsulated into GRE. The tunnel source and destination IP addresses are then encapsulated in another IPv4 or IPv6 packet. An IPsec tunnel source and tunnel destination route the traffic to the destination with an additional outer IP header acting as a tunnel source and tunnel destination.

On the other hand, GRE over IPsec encapsulates plaintext IPv4 or IPv6 packets in GRE and then protects them with IPsec for confidentiality and integrity; the outer IP header with the source and destination addresses of the GRE tunnel enables packet routing.

IPsec site-to-site

An IPsec site-to-site VPN, also known as a gateway-to-gateway VPN, is a secure tunnel established between two or more remote networks over the internet. It enables organizations to connect geographically dispersed offices, data centers, or even cloud networks, creating a unified and secure network infrastructure. By leveraging IPsec, organizations can establish secure communication channels, ensuring confidentiality, integrity, and authentication of transmitted data.

GRE with IPsec

Advanced Topics

GETVPN:

– GetVPN, short for Group Encrypted Transport VPN, is a Cisco proprietary technology that provides secure site communication. It operates in the network layer and employs a key server to establish and distribute encryption keys to participating devices.

– This approach enables efficient and scalable deployment of secure VPNs across large networks. GetVPN offers robust security measures, including data confidentiality, integrity, and authentication, making it an excellent choice for organizations requiring high levels of security.

– When you run IPSec over a hub-and-spoke topology like DMVPN, the hub router has an IPSec SA with every spoke router. As a result, you are limited in the number of spoke routers you can use. Direct spoke-to-spoke traffic is supported in DMVPN, but when a spoke wants to send traffic to another spoke, it must first create an IPSec SA, which takes time.

Multicast traffic cannot be encapsulated with traditional IPSec unless first encapsulated with GRE.

GETVPN solves the scalability issue by using a single IPSec SA for all routers in a group. Multicast traffic is also supported without GRE.

Understanding IPv6 Tunneling

IPv6 tunneling is a mechanism that enables the encapsulation of IPv6 packets within IPv4 packets, allowing them to traverse an IPv4 network infrastructure. This allows for the coexistence and communication between IPv6-enabled devices over an IPv4 network. The encapsulated IPv6 packets are then decapsulated at the receiving end of the tunnel, restoring the original IPv6 packets.

Types of IPv6 Tunneling Techniques

There are several tunneling techniques used for IPv6 over IPv4 connectivity. Let’s explore a few prominent ones:

Manual IPv6 Tunneling: Manual IPv6 tunneling involves manually configuring tunnels on both ends. This method requires the knowledge of the source and destination IPv4 addresses and the tunneling protocol to be used. While it offers flexibility and control, manual configuration can be time-consuming and error-prone.

Automatic 6to4 Tunneling: Automatic 6to4 tunneling utilizes the 6to4 addressing scheme to assign IPv6 addresses to devices automatically. It allows IPv6 packets to be encapsulated within IPv4 packets, making them routable over an IPv4 network. This method simplifies the configuration process, but it relies on the availability of public IPv4 addresses.

Teredo Tunneling: Teredo tunneling is designed for IPv6 connectivity over IPv4 networks when the devices are located behind a NAT (Network Address Translation) device. It employs UDP encapsulation to transmit IPv6 packets over IPv4. Teredo tunneling can be helpful in scenarios where native IPv6 connectivity is unavailable.

Before you proceed, you may find the following posts helpful for pre-information:

  1. Dead Peer Detection
  2. IPsec Fault Tolerance
  3. Dynamic Workload Scaling 
  4. Cisco Switch Virtualization
  5. WAN Virtualization
  6. VPNOverview

Point-to-Point Generic Routing Encapsulation over IP Security

Guide on IPsec site to site

In this lesson, two Cisco IOS routers use IPSec in tunnel mode. This means the original IP packet will be encapsulated in a new IP packet and encrypted before sending it out of the network. For this demonstration, I will be using the following three routers.

R1 and R3 each have a loopback interface behind them with a subnet. We’ll configure the IPsec tunnel between these routers to encrypt traffic from 1.1.1.1/32 to 3.3.3.3/32. R2 is just a router in the middle, so R1 and R3 are not directly connected.

Notice with information 1 that we can’t ping the remote LAN. However, once the IPsec tunnel is up, we have reachability. Under the security associations, we have 4 packets encapsulated and encapsulated. However, I sent 5 pings. The first packet is lost to ARP.

ipsec tunnel
Diagram: IPsec Tunnel

IPsec relies on encryption and tunneling protocols to establish a secure connection between networks. The two primary components of IPsec are the IPsec tunnel mode and the IPsec transport mode. In tunnel mode, the entire IP packet is encapsulated within another IP packet, adding an extra layer of security. In contrast, the transport mode only encrypts the payload of the IP packet, leaving the original IP header intact.

To initiate a site-to-site VPN connection, the IPsec VPN gateway at each site performs a series of steps. These include negotiating the security parameters, authenticating the participating devices, and establishing a secure tunnel using encryption algorithms such as AES (Advanced Encryption Standard) or 3DES (Triple Data Encryption Standard). Once the tunnel is established, all data transmitted between the sites is encrypted, safeguarding it from unauthorized.

Back to basic with GRE tunnels

What is a GRE tunnel?

A GRE tunnel supplies connectivity to a wide variety of network layer protocols. GRE works by encapsulating and forwarding packets over an IP-based network. The authentic use of GRE tunnels provided a transport mechanism for non-routable legacy protocols such as DECnet and IPX. With GRE, we add header information to a packet when the router encapsulates it for transit on the GRE tunnel.

The new header information contains the remote endpoint IP address as the destination. The latest IP headers permit the packet to be routed between the two tunnel endpoints, and this is done without inspection of the packet’s payload.

After the packet reaches the remote endpoint, the GRE termination point, the GRE headers are removed, and the original packet is forwarded from the remote router. Both GRE and IPsec tunnels are used in solutions for SD WAN SASE and SD WAN Security. Both solutions abstract the complexity of configuring these technologies.

GRE Operation

GRE operates by encapsulating the original packet with a GRE header. This header contains information such as the source and destination IP addresses and additional fields for protocol identification and fragmentation support. Once the packet is encapsulated, it can be transmitted over an IP network, effectively hiding the underlying network details.

When a GRE packet reaches its destination, the receiving end decapsulates it, extracting the original payload. This process allows the recipient to receive the data as if it were sent directly over the underlying network protocol. GRE is a transparent transport mechanism, enabling seamless communication between disparate networks.

GRE Tunnel
Diagram: GRE tunnel example. Source is heficed

Guide on Point-to-Point GRE

Tunneling is putting packets into packets to transport them over a particular network. This is also known as encapsulation.

You might have two sites with IPv6 addresses on their LANs, but they only have IPv4 addresses when connected to the Internet. In normal circumstances, IPv6 packets would not be able to reach each other, but tunneling allows IPv6 packets to be routed on the Internet by converting IPv6 packets into IPv4 packets.

You might also want to run a routing protocol between your HQ and a branch site, such as RIP, OSPF, or EIGRP. By tunneling these protocols, we can exchange routing information between the HQ and branch routers.

When you configure a tunnel, you’re creating a point-to-point connection between two devices. We can accomplish this with GRE (Generic Routing Encapsulation). Let me show you a topology to demonstrate the GRE.

GRE configuration

In the image above, we have three routers connected. We have our headquarters router on the left side. On the right side, there is a “Branch” router. There is an Internet connection on both routers. An ISP router is located in the middle, on top. This topology can be used to simulate two routers connected to the Internet. A loopback interface represents the LAN on both the HQ and Branch routers.

EIGRP will be enabled on the loopback and tunnel interfaces. Through the tunnel interface, both routers establish an EIGRP neighbor adjacency. The next hop is listed as the tunnel interface in the routing table. We use GRE to tunnel our traffic, but it does not encrypt it like a VPN does. Our tunnel can be encrypted using IPSEC, one of the protocols.GRE without IPsec

Guide on Point-to-Point GRE with IPsec

A GRE tunnel allows unicast, multicast, and broadcast traffic to be tunneled between routers and is often used to send routing protocols between sites. GRE tunneling has the disadvantage of being clear text and unprotected. Cisco IOS routers, however, support IPsec encryption of the entire GRE tunnel, allowing a secure site-to-site tunnel. The following shows an encrypted GRE tunnel with IPsec.

We have three routers above. Each HQ and Branch router has a loopback interface representing its LAN connection. The ISP router connects both routers to “the Internet.” I have created a GRE tunnel between the HQ and Branch routers; all traffic between 172.16.1.0 /24 and 172.16.3.0 /24 will be encrypted with IPsec.

GRE with IPsec

For the IPsec side of things, I have configured an ISAKMP policy. In the example, I specify that I want 256-bit AES encryption and that we want a pre-shared key. We rely on Diffie-Hellman Group 5 for key exchange. The ISAKMP security association’s lifetime is 3600 seconds. The pre-shared key needs to be on both routers highlighted with a circle. Also, I created a transform-set called ‘TRANS’ that specifies we want ESP AES 256-bit and HMAC-SHA authentication.

Then, we create a crypto map that tells the router what traffic to encrypt and what transform set to use.

ipsec plus GRE

**How GRE and IPSec Work Together**

GRE and IPSec often work together to enhance network security. GRE provides the encapsulation mechanism, allowing the creation of secure tunnels between networks. IPSec, on the other hand, provides the necessary security measures, such as encrypting and authenticating the encapsulated packets. By combining both technologies’ strengths, organizations can establish secure and private connections between networks, ensuring data confidentiality and integrity.

**Benefits of GRE and IPSec**

The utilization of GRE and IPSec offers several benefits for network security. Firstly, GRE enables the transport of multiple protocols over IP networks, allowing organizations to leverage different network layer protocols without compatibility issues. Secondly, IPSec provides a robust security framework, protecting sensitive data from unauthorized access and tampering. GRE and IPSec enhance network security, enabling organizations to establish secure connections between geographically dispersed networks.

Topologies and routing protocol support

– Numerous technologies connect remote branch sites to HQ or central hub. P2P Generic Routing Encapsulation ( GRE network ) over IPsec is an alternative design to classic WAN technologies like ATM, Frame Relay, and Leased lines. GRE over IPsec is a standard deployment model that connects several remote branch sites to one or more central sites. Design topologies include the hub-and-spoke, partial mesh, and full mesh.

– Both partial and full-mesh topologies experience limitations in routing protocol support. A full mesh design is limited by the overhead required to support a design with a full mesh of tunnels. Following a complete mesh requirement, a popular design option would be to deploy DMVPN. Regarding the context of direct connectivity from branch to hub only, hub-and-spoke is by far the most common design.

Guide with DMVPN and GRE

The lab guide below shows a DMVPN network based on Generic Routing Encapsulation (GRE), which is the overlay. Specifically, we use GRE in point-to-point mode, which means deploying DMVPN Phase 1, a true VPN hub-and-spoke design, where all traffic from the spokes must go via the hub. With the command show dmvpn, we can see that two spokes are dynamically registered over the GRE tunnel; notice the “D” attribute.

The beauty of using DMPVN as a VPN technology is that the hub site does not need a specific spoke configuration as it uses GRE in multi-point mode. On the other hand, the spokes need to have a hub configuration with the command: IP nhrp nhs 192.168.100.11. IPsec encryption is optional with DMVPN. In the other command snippet, we are running IPsec encryption with the command: tunnel protection ipsec profile DMVPN_IPSEC_PROFILE.

DMVPN configuration
Diagram: DMVPN Configuration.

One of GRE’s primary use cases is creating VPNs. By encapsulating traffic within GRE packets, organizations can securely transmit data across public networks such as the Internet. This provides a cost-effective solution for connecting geographically dispersed sites without requiring dedicated leased lines.

Another use of the GRE is network virtualization. By leveraging GRE tunnels, virtual networks can be created isolated from the underlying physical infrastructure. This allows for more efficient resource utilization and improved network scalability.

**DMVPN (Dynamic Multipoint VPN)**

DMVPN is based on the principle of dynamic spoke-to-spoke tunneling, which allows for dynamic routing and scalability. It also allows for the creation of a dynamic mesh topology, allowing multiple paths between remote sites. This allows for increased redundancy and improved performance.

DMVPN also offers the ability to establish a secure tunnel over an untrusted network, such as the Internet. This is achieved with a series of DMVPN phases. DMVPN phase 3 offers better flexibility by using IPSec encryption and authentication, ensuring that all traffic sent over the tunnel is secure. This makes DMVPN an excellent choice for businesses connecting multiple sites over an unsecured network.

Dynamic Multipoint VPN
Diagram: Example with DMVPN. Source is Cisco

GRE Network: Head-end Architecture 

Single-tier and dual-tier

Head-end architectures include a single-tier head-end where the point-to-point GRE network and crypto functionality co-exist on the same device. Dual-tier designs are where the point-to-point GRE network and crypto functionality are not implemented on the same device. In dual-tier designs, the routing and GRE control planes are located on one device, while the IPsec control plane is housed on another.

what is generic routing encapsulation
Diagram: What is generic routing encapsulation?

Headend

Router

Crypto

Crypto IP

GRE  

GRE IP

Tunnel Protection

Single Tier

Headend

Static or Dynamic

Static

p2p GRE static

Static

Optional 


Branch

Static

Static or Dynamic

p2p GRE static

Static

Optional 

Dual Tier

Headend

Static or Dynamic

Static

p2p GRE static

Static

Not Valid


Branch

Static

Static or Dynamic

p2p GRE static

Static

Not Valid

“Tunnel protection” requires the same source and destination IP address for the GRE and crypto tunnels. Implementations of dual-tier separate these functions, resulting in the different IP addresses for the GRE and crypto tunnels. Tunnel protection is invalid with dual-tier mode.

GRE over IPsec

GRE (Generic Routing Encapsulation) is a tunneling protocol that encapsulates multiple protocols within IP packets, allowing the transmission of diverse network protocols over an IP network. On the other hand, IPSEC (IP Security) is a suite of protocols that provides secure communication over IP networks by encrypting and authenticating IP packets. Combining these two protocols, GRE over IPSEC offers a secure and flexible solution for transmitting network traffic over public networks.

Preliminary design considerations

Diverse multi-protocol traffic requirements force the use of a Generic Routing Encapsulation ( GRE ) envelope within the IPsec tunnel. The p2p GRE tunnel is encrypted inside the IPsec crypto tunnel. Native IPsec is not multi-protocol and lacks IP multicast or broadcast traffic support. As a result, proper propagation of routing protocol control packets cannot occur in a native IPsec tunnel.

However, OSPF design cases allow you to run OSPF network type non-broadcast and explicitly configure the remote OSPF neighbors, resulting in OSPF over the IPsec tunnel without GRE. With a GRE over IPsec design, all traffic between hub and branch sites is first encapsulated in the p2p GRE packet before encryption.

GRE over IPsec
Diagram: GRE over IPSec.

**GRE over IPSec Key Points**

Redundancy:

Redundant designs are implemented with the branch having two or more tunnels to the campus head. The head-end routers can be geographically separated or co-located. Routing protocols are used with redundant tunnels, providing high availability with dynamic path selection.

The head-end router can propagate a summary route ( 10.0.0.0/8 ) or a default route ( 0.0.0.0/0 ) to the branch sites, and a preferred routing metric will be used for the primary path. If OSPF is RP, the head-end selection is based on OSPF costs.

Recursive Routing:

Each branch must add a static route to their respective ISP IP addresses for each head-end. The static avoids recursive routing through the p2p GRE tunnel. Recursive routing occurs when the route to the GRE tunnel source outside the IP address of the opposing router is learned via a route with a next-hop of the inside IP address of the opposing p2p GRE tunnel.

Recursive routing causes the tunnel to flap and the p2p GRE packets to route into their p2p GRE tunnel. To overcome recursive routing, my best practice is to ensure that the outside tunnel is routed directly to ISP instead of inside the p2p GRE tunnel.

%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

Recursive routing and outbound interface selection pose significant challenges in tunnel or overlay networks. Therefore, routing protocols should be used with utmost caution over network tunnels. A router can encounter problems if it attempts to reach the remote router’s encapsulating interface (transport IP address) via the tunnel. Typically, this issue occurs when the transport network is advertised using the same routing protocol as the overlay network.

Routers learn the destination IP address for tunnel interfaces through recursive routing. First, the IP address of the tunnel’s destination is removed from the routing table, making it unreachable.

Split tunneling

If the head-end advertises a summary route to the branch, split tunneling is enabled on all packets not destined for the summary. Any packets not destined for the summary are split-tunneled to the Internet. For example, split tunneling is not used for the branch sites in a design where the head-end router advertises a default route ( 0.0.0.0/0 ) through the p2p GRE tunnel.

A key point: Additional information on Split tunneling.

Split tunneling is a networking concept that allows users to selectively route traffic from their local device to a local or remote network. It gives users secure access to corporate networks and other resources from public or untrusted networks. Split tunneling can also be used to reduce network congestion. For example, if a user is on a public network and needs to access a resource on a remote network, the user can set up a split tunnel to send only the traffic that needs to go over the remote network. This reduces the traffic on the public network, allowing it to perform more efficiently.

Control plane

Routing protocol HELLO packets initiated from the branch office force the tunnel to establish—routing protocol control plane packets to maintain and keep the tunnel up. HELLO packets provide a function similar to GRE keepaways. The HELLO routing protocol operates in layer 3, and GRE is maintained in layer 2.

 Branch router considerations

The branch router can have p2p GRE over IPSEC with a static or dynamic public address. The GRE and crypto tunnels are sourced from a static address with a static public IP address. With dynamic address allocation, the GRE is sourced from a loopback address privately assigned (non-routable), and the crypto tunnel is sourced from a dynamically assigned public IP address.

Closing Points on GRE with IPsec

GRE allows for the encapsulation of packets from various network protocols, providing a versatile solution for creating point-to-point links. Meanwhile, IPsec ensures these connections are secure, encrypting the data to protect it from interception and tampering. In this blog post, we’ll explore how to implement a point-to-point GRE tunnel secured by IPsec on Google Cloud, helping you create a robust and secure network architecture.

The first step in establishing a secure point-to-point link is setting up GRE tunnels. GRE is a tunneling protocol that encapsulates a wide variety of network layer protocols inside virtual point-to-point links. When configuring GRE on Google Cloud, you’ll need to create a Virtual Private Cloud (VPC) network, assign static IP addresses to your virtual machines, and configure the GRE tunnels on both ends. This setup allows for seamless data transfer across your network, regardless of underlying network infrastructure.

Once the GRE tunnel is established, the next step is to secure it using IPsec. IPsec provides encryption and authentication services for your data, ensuring that only authorized users can access it and that the data remains unaltered during transmission. On Google Cloud, you can configure IPsec by setting up Cloud VPN or using third-party tools to establish a secure IPsec tunnel. This involves generating and exchanging security keys, configuring security policies, and ensuring that your firewall rules allow IPsec traffic. With IPsec, your GRE tunnel becomes a secure conduit for your data, protected from potential threats.

One of the key advantages of using Google Cloud for your GRE and IPsec setup is the seamless integration with other Google Cloud services. Whether you’re connecting different regions, linking on-premises networks with cloud resources, or setting up a hybrid cloud environment, Google Cloud’s suite of services can enhance your network’s functionality and performance. Services like Google Cloud Interconnect, Cloud DNS, and Cloud Load Balancing can be incorporated into your architecture to optimize data flow, manage traffic, and ensure high availability.

Summary: Point-to-Point Generic Routing Encapsulation over IP Security

Point-to-Point Generic Routing Encapsulation (P2P GRE) over IP Security (IPsec) stands out as a robust and versatile solution in the vast realm of networking protocols and security measures. This blog post will delve into the intricacies of P2P GRE over IPsec, exploring its features, benefits, and real-world applications.

Understanding P2P GRE

P2P GRE is a tunneling protocol that encapsulates various network layer protocols over IP networks. It establishes direct communication paths between multiple endpoints, creating virtual point-to-point connections. By encapsulating data packets within IP packets, P2P GRE enables secure transmission across public or untrusted networks.

Exploring IPsec

IPsec serves as the foundation for securing network communications. It provides authentication, confidentiality, and integrity to protect data transmitted over IP networks. By combining IPsec with P2P GRE, organizations can achieve enhanced security and privacy for their data transmissions.

Benefits of P2P GRE over IPsec

– Scalability: P2P GRE supports the creation of multiple tunnels, enabling flexible and scalable network architectures.

– Versatility: The protocol is platform-independent and compatible with various operating systems and network devices.

– Efficiency: P2P GRE efficiently handles encapsulation and decapsulation processes, minimizing overhead and ensuring optimal performance.

– Security: Integrating IPsec with P2P GRE ensures end-to-end encryption, authentication, and data integrity, safeguarding sensitive information.

Real-World Applications

P2P GRE over IPsec finds extensive use in several scenarios:

– Secure Site-to-Site Connectivity: Organizations can establish secure connections between geographically dispersed sites, ensuring private and encrypted communication channels.

– Virtual Private Networks (VPNs): P2P GRE over IPsec forms the backbone of secure VPNs, enabling remote workers to access corporate resources securely.

– Cloud Connectivity: P2P GRE over IPsec facilitates secure connections between on-premises networks and cloud environments, ensuring data confidentiality and integrity.

Conclusion:

P2P GRE over IPsec is a powerful combination that offers secure and efficient communication across networks. Its versatility, scalability, and robust security features make it an ideal choice for organizations seeking to protect their data and establish reliable connections. By harnessing the power of P2P GRE over IPsec, businesses can enhance their network infrastructure and achieve higher data security.