Saturday, January 10, 2015

Cisco CCNP - 300-101 - Configuring and Verifying DMVPN, NHRP, GRE Tunnel while Peeking at the raw packet

So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).

In this post I will focus on configuring and verifying DMVPN, NHRP and a GRE tunnel, while peeking at the raw packets.

Topology

This topology consists of one internet router, an HQ and 2 Branches.

Internet Router:
    - Interface fa0/0 - connected to HQ - IP 3.0.0.1/24
    - Interface fa1/0 - connected to Branch-1 - IP 5.0.0.1/24
    - Interface fa2/0 - connected to Branch-2 - IP 4.0.0.1/24
    - Interface lo7 - Loopback for testing - IP 7.0.0.1/32
    - Interface lo8 - Loopback for testing - IP 8.0.0.1/32
       

HQ
    - Interface fa0/0 - connected to Internet - IP 3.0.0.2/24
    - Interface lo1 - Loopback for testing - IP 1.0.0.1/32
    - Interface lo2 - Loopback for testing - IP 2.0.0.1/32
    - Default Gateway - 3.0.0.1

    DMVPN IP
        - 192.168.0.1/24
       
       
Branch-1
    - Interface fa0/0 - connected to Internet - IP 5.0.0.2/24
    - Interface fa1/0 - connected to LAN - IP 10.0.0.1/24
    - Default Gateway - 5.0.0.1
   
    203 Server on Branch 1 - LAN
        eth0 - 10.0.0.2/24
        Default Gateway - 10.0.0.1

    DMVPN IP
        - 192.168.0.2/24

       
Branch-2
    - Interface fa0/0 - connected to Internet - IP 4.0.0.2/24
    - Interface fa1/0 - connected to LAN - IP 172.16.0.1/24
    - Default Gateway - 4.0.0.1

    Kali Host on Branch-2
        eth0 - 172.16.0.2/24
        Default Gateway - 172.16.0.1
       
    DMVPN IP
        - 192.168.0.3/24


Configuration before DMVPN

Internet

HQ

Branch-1

Branch-2
Configuration after DMVPN

HQ DMVPN Tunnel

Branch-1 DMVPN Tunnel

Branch-2 DMVPN Tunnel

Verification

Now that the systems have been configured, it's time to verify the configuration is working.

HQ

Looks good!

Still looking good!!

Branch-1

Looks good!

Still looking good!!

Branch-2

Looks good!

Still looking good!!

The final verification is to ensure the hosts in the 2 remote branches can ping (and traceroute) each other. To ensure the hosts are reachable I've enabled EIGRP on the tunnel. In a future post I will go through EIGRP.

Ping looks good!

Traceroute looks better!! I say it looks better because this validates the path taken to get from Branch-2 to Branch-1.


Peeking into the NHRP Packets

Looks like the process of establishing communication between a Next Hop Server (NHS) and a Next Hop Resolution Client (NHC) takes 2 packets.
From the looks of it, in the first packet I see a registration request with ID "65542".
Next I see a registration reply with ID "65542" and "Code=Success".

NHRP Registration Request

By capturing the registration packet I've managed to determine what the password is. Obviously there is a lot more to be learned from this packet capture.

NHRP Registration Reply

Similarly, the reply packet shows us all the information needed to understand the NHRP registration request/reply process.
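To show what those two packets carry, and why the registration capture gives away the password, here is an added example that is not code from the original post. It builds a constructed NHRP Registration Request and Reply following the RFC 2332 layout (fixed header, mandatory part with the request ID, one Client Information Entry whose code 0 is the "Success" seen in the reply, and the extension list) and parses them back. The NBMA and tunnel addresses and the request ID 65542 are taken from the lab above; the key string, MTU, holding time and SPI are constructed values. The authentication extension is decoded as the plain string it is on the wire: the NHRP authentication key only tags packets, it does not encrypt anything, so a GRE-only DMVPN leaks the key and the routing updates to anyone who can capture the transport path, and the tunnel needs IPsec protection if those must stay private.

```python
"""Minimal RFC 2332 NHRP builder/parser (added example, not from the original post).

Builds a constructed Registration Request / Reply pair for the lab addresses
above and parses the fixed header, mandatory part, first CIE and extensions.
The authentication extension is decoded as the plain string it is on the wire.
"""
import struct

# ar$op.type values, RFC 2332 section 5.2
OP_TYPES = {1: "Resolution Request", 2: "Resolution Reply",
            3: "Registration Request", 4: "Registration Reply",
            5: "Purge Request", 6: "Purge Reply", 7: "Error Indication"}
EXT_END, EXT_AUTH = 0, 7            # extension types, RFC 2332 section 5.3
AFN_IPV4, PRO_IPV4 = 1, 0x0800      # ar$afn / ar$pro.type for IPv4
FIXED_HDR = "!HH5sBHHHBBBB"         # afn, pro, snap, hopcnt, pktsz, chksum, extoff, ver, op, shtl, sstl


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def checksum(data):
    """16-bit one's complement sum over the packet (returns 0 when the stored checksum is valid)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_nhrp(op_type, req_id, src_nbma, src_proto, dst_proto, cie_code, auth_key):
    """Construct an IPv4 NHRP packet with one CIE and a (cleartext) authentication extension."""
    # mandatory part: src proto len, dst proto len, flags, request ID, then the three addresses
    mand = struct.pack("!BBHI", 4, 4, 0, req_id) + _ip(src_nbma) + _ip(src_proto) + _ip(dst_proto)
    # one Client Information Entry: code, prefix len, unused, MTU, holding time,
    # cli NBMA addr T/L, cli NBMA subaddr T/L, cli proto len, preference, addresses (constructed values)
    cie = (struct.pack("!BBHHHBBBB", cie_code, 32, 0, 1400, 7200, 4, 0, 4, 0)
           + _ip(src_nbma) + _ip(src_proto))
    # authentication extension (C bit set): reserved, SPI, source address, authentication data
    auth = struct.pack("!HH", 0, 1) + _ip(src_nbma) + auth_key.encode("ascii")
    exts = (struct.pack("!HH", 0x8000 | EXT_AUTH, len(auth)) + auth
            + struct.pack("!HH", EXT_END, 0))                 # end-of-extensions marker
    body = mand + cie + exts
    extoff = 20 + len(mand) + len(cie)                         # offset of the extension list
    hdr = struct.pack(FIXED_HDR, AFN_IPV4, PRO_IPV4, b"\0" * 5, 255, 20 + len(body),
                      0, extoff, 1, op_type, 4, 0)
    ck = checksum(hdr + body)                                  # checksum covers the whole packet
    return hdr[:12] + struct.pack("!H", ck) + hdr[14:] + body


def parse_nhrp(pkt):
    """Decode the fields a capture review cares about; raises ValueError on a malformed packet."""
    (afn, _pro, _snap, _hop, pktsz, _ck, extoff,
     ver, op_type, shtl, sstl) = struct.unpack(FIXED_HDR, pkt[:20])
    if afn != AFN_IPV4 or ver != 1 or pktsz != len(pkt):
        raise ValueError("not an IPv4 NHRP v1 packet")
    if checksum(pkt) != 0:
        raise ValueError("bad NHRP checksum")
    spl, dpl, _flags, req_id = struct.unpack("!BBHI", pkt[20:28])
    pos = 28
    src_nbma, pos = pkt[pos:pos + shtl], pos + shtl + sstl     # NBMA subaddress skipped
    src_proto, pos = pkt[pos:pos + spl], pos + spl
    dst_proto, pos = pkt[pos:pos + dpl], pos + dpl
    code, _pfx, _u, _mtu, hold = struct.unpack("!BBHHH", pkt[pos:pos + 8])   # first CIE
    info = {"op": OP_TYPES.get(op_type, op_type), "request_id": req_id,
            "src_nbma": ".".join(map(str, src_nbma)),
            "src_proto": ".".join(map(str, src_proto)),
            "dst_proto": ".".join(map(str, dst_proto)),
            "cie_code": "Success" if code == 0 else code,
            "holding_time": hold, "auth_key": None}
    pos = extoff                                               # walk the extension list
    while pos + 4 <= len(pkt):
        ctype, elen = struct.unpack("!HH", pkt[pos:pos + 4])
        etype, val = ctype & 0x3FFF, pkt[pos + 4:pos + 4 + elen]
        if etype == EXT_END:
            break
        if etype == EXT_AUTH:                                  # after reserved+SPI+addr the key is just text
            info["auth_key"] = val[4 + shtl:].decode("ascii", "replace")
        pos += 4 + elen
    return info


if __name__ == "__main__":
    # Branch-1 registering with the HQ hub: addresses and request ID 65542 come from the lab above,
    # the key string is constructed for this example
    req = build_nhrp(3, 65542, "5.0.0.2", "192.168.0.2", "192.168.0.1", 0, "constructed-key")
    rep = build_nhrp(4, 65542, "3.0.0.2", "192.168.0.1", "192.168.0.2", 0, "constructed-key")
    for p in (req, rep):
        print(parse_nhrp(p))
```

Running the script prints the request and the reply decoded to the same fields the capture screenshots show, with the key string readable in the request. The checksum check is there so a truncated or altered packet is rejected rather than half-decoded, which is the behaviour you want from anything that inspects NHRP on a monitoring tap.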

All is well. This lab is completed.


References:
https://tools.ietf.org/html/rfc2332
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG/DMVPN_1.html
http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/DMVPN_Overview.pdf
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html

2 comments:

  1. Hey Nik, why are you using " ip nhrp map multicast dynamic" on the spokes? I believe this command is intended to be used on the hub only.

    Replies
    1. Nuno,
      I think I will have to build a lab to verify this. I've seen documentation which states this should only be on the hub, while at the same time there are some Cisco configurations which have this on the spoke. How about you build a lab to test and report your findings back. :-)

      Look at these links:
      http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html
      http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-dmvpn.html
