Dual Stack - Multi Hub - DMVPN
tl;dr - After failure, success tastes so much sweeter. Today was all over the map. This morning I came into the labs charging like a bull. I wanted to do IPv6 DMVPN, and I did! I was successful. That carried me on a little engineering high, knowing I had done something I had never tried before, something that seemed so foreign, and had come out of the battle victorious.
But I'm wise enough to know that anyone can get lucky once, while very few get lucky twice.
So I wiped the routers and did it again, with minimal errors and mostly from memory... success.
While I was completing my second run through the configs and topology, I got an idea for a topology and a challenge: Dual Stack - Multi Hub - DMVPN.
I felt comfortable enough with my understanding of the component technologies that I thought I could pull it off, so I shrugged, "what the hell... we'll do it live". (https://www.youtube.com/watch?v=eUFY8Zw0Bag)
As I began the recording I can be quoted as saying something to the effect of "this might take about 30 minutes"... 65 minutes later I hit a dead end and failed.
I got burned by a couple of items:
- I had to remove the tunnel protection from the IPv4 DMVPN tunnel and put it back on for it to work. I'm not sure whether this is a bug or whether I unknowingly fell victim to an order-of-operations problem.
- Others were oversights and misconfigurations.
Have a Process:
Whenever I'm writing configs, they rarely look like the running-config output from a router or come in the same order; instead I build them in layers, like a cake.
- Think ahead about all the elements that you'll need to complete a task.
- Which configurable elements can be grouped and entered at the same time?
- In-between layers, what can you verify?
Following the process above, I would order the tasks as follows:
- Underlay (NBMA) addresses, connectivity
- Loopbacks
- Crypto
- Tunnel Interface for IPv4 topology
- Routing protocol for IPv4 topology
- Verify
- Tunnel interface for IPv6 topology
- Routing Protocol for IPv6 topology
- Verify
The Resources:
I found this group of documents extremely helpful for all aspects of this configuration. It includes specifics on IPv6 addressing, which I still wasn't too keen on, but now I'm much more comfortable. It also breaks down the elements we need for the IPv6 DMVPN.
The Videos:
Day 3 - Part 1 (more than 1 hour)
Day 3 - Part 2
The Configs:
R1: (IPv4 Hub, IPv6 Spoke)
hostname R1
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
crypto isakmp policy 1
authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile DMVPN
set transform-set MYTRANS
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Loopback6
no ip address
ipv6 address FC01::1/128
ipv6 eigrp 6
!
interface Tunnel0
ip address 10.123.234.1 255.255.255.0
no ip redirects
no ip split-horizon eigrp 90
ip nhrp map multicast dynamic
ip nhrp network-id 1234
tunnel source 172.17.100.1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface Tunnel1
no ip address
ipv6 address FE80::1 link-local
ipv6 address FC00:1234::1/64
ipv6 eigrp 6
ipv6 nhrp map FC00:1234::4/64 2001::4
ipv6 nhrp map multicast 2001::4
ipv6 nhrp network-id 10123
ipv6 nhrp nhs FC00:1234::4
ipv6 nhrp shortcut
tunnel source 2001::1
tunnel mode gre multipoint ipv6
tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
ip address 172.17.100.1 255.255.255.0
duplex auto
speed auto
media-type rj45
ipv6 address 2001::1/48
router eigrp 90
network 0.0.0.0
passive-interface default
no passive-interface Tunnel0
no passive-interface Loopback0
router eigrp ipv6
!
address-family ipv6 unicast autonomous-system 6
!
af-interface GigabitEthernet0/0
shutdown
exit-af-interface
!
topology base
exit-af-topology
exit-address-family
line con 0
logging synchronous
R2: (IPv4 Spoke, IPv6 Spoke)
hostname R2
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
crypto isakmp policy 1
authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile DMVPN
set transform-set MYTRANS
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Loopback6
no ip address
ipv6 address FC02::2/128
ipv6 eigrp 6
!
interface Tunnel0
ip address 10.123.234.2 255.255.255.0
no ip redirects
ip nhrp map multicast 172.17.100.1
ip nhrp map 10.123.234.1 172.17.100.1
ip nhrp network-id 1234
ip nhrp nhs 10.123.234.1
tunnel source 172.17.100.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface Tunnel1
no ip address
ipv6 address FE80::2 link-local
ipv6 address FC00:1234::2/64
ipv6 eigrp 6
ipv6 nhrp map FC00:1234::4/64 2001::4
ipv6 nhrp map multicast 2001::4
ipv6 nhrp network-id 10123
ipv6 nhrp nhs FC00:1234::4
ipv6 nhrp shortcut
tunnel source 2001::2
tunnel mode gre multipoint ipv6
tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
ip address 172.17.100.2 255.255.255.0
duplex auto
speed auto
media-type rj45
ipv6 address 2001::2/48
router eigrp 90
network 0.0.0.0
passive-interface default
no passive-interface Tunnel0
no passive-interface Loopback0
router eigrp ipv6
!
address-family ipv6 unicast autonomous-system 6
!
af-interface GigabitEthernet0/0
shutdown
exit-af-interface
!
topology base
exit-af-topology
exit-address-family
line con 0
logging synchronous
R3: (IPv4 Spoke, IPv6 Spoke)
hostname R3
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
crypto isakmp policy 1
authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile DMVPN
set transform-set MYTRANS
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface Loopback6
no ip address
ipv6 address FC03::3/128
ipv6 eigrp 6
interface Tunnel0
ip address 10.123.234.3 255.255.255.0
no ip redirects
ip nhrp map multicast 172.17.100.1
ip nhrp map 10.123.234.1 172.17.100.1
ip nhrp network-id 1234
ip nhrp nhs 10.123.234.1
tunnel source 172.17.100.3
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
interface Tunnel1
no ip address
ipv6 address FE80::3 link-local
ipv6 address FC00:1234::3/64
ipv6 eigrp 6
ipv6 nhrp map FC00:1234::4/64 2001::4
ipv6 nhrp map multicast 2001::4
ipv6 nhrp network-id 10123
ipv6 nhrp nhs FC00:1234::4
ipv6 nhrp shortcut
tunnel source 2001::3
tunnel mode gre multipoint ipv6
tunnel protection ipsec profile DMVPN
interface GigabitEthernet0/0
ip address 172.17.100.3 255.255.255.0
duplex auto
speed auto
media-type rj45
ipv6 address 2001::3/48
router eigrp 90
network 0.0.0.0
passive-interface default
no passive-interface Tunnel0
no passive-interface Loopback0
router eigrp ipv6
!
address-family ipv6 unicast autonomous-system 6
!
af-interface GigabitEthernet0/0
shutdown
exit-af-interface
!
topology base
exit-af-topology
exit-address-family
line con 0
logging synchronous
R4: (IPv4 Spoke, IPv6 Hub)
hostname R4
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
crypto isakmp policy 1
authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile DMVPN
set transform-set MYTRANS
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface Loopback6
no ip address
ipv6 address FC04::4/128
ipv6 eigrp 6
!
interface Tunnel0
ip address 10.123.234.4 255.255.255.0
no ip redirects
ip nhrp map multicast 172.17.100.1
ip nhrp map 10.123.234.1 172.17.100.1
ip nhrp network-id 1234
ip nhrp nhs 10.123.234.1
tunnel source 172.17.100.4
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface Tunnel1
no ip address
ipv6 address FE80::4 link-local
ipv6 address FC00:1234::4/64
ipv6 eigrp 6
no ipv6 split-horizon eigrp 6
ipv6 nhrp map multicast dynamic
ipv6 nhrp network-id 10123
ipv6 nhrp redirect
tunnel source 2001::4
tunnel mode gre multipoint ipv6
tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
ip address 172.17.100.4 255.255.255.0
duplex auto
speed auto
media-type rj45
ipv6 address 2001::4/48
router eigrp 90
network 0.0.0.0
passive-interface default
no passive-interface Tunnel0
no passive-interface Loopback0
!
!
router eigrp ipv6
!
address-family ipv6 unicast autonomous-system 6
!
af-interface GigabitEthernet0/0
shutdown
exit-af-interface
!
af-interface Tunnel1
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
exit-address-family
line con 0
logging synchronous
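The "Verify" steps in the layered process above, and the four configs just listed, lend themselves to a quick automated check between layers. What follows is an added example, not part of the original post and not Cisco tooling: a small Python script that parses IOS-style running-configs and reports the things worth confirming before moving to the next layer (every mGRE tunnel carries tunnel protection, the profile it names actually exists in the crypto layer, a spoke has a static NHRP map for its NHS, and the NHRP network-id agrees across routers). The embedded sample configs are constructed and trimmed to the shape of R1 and R2 above; R2_BROKEN is intentionally wrong. The rule that the same tunnel number means the same DMVPN cloud on every router is an assumption taken from this post's numbering (Tunnel0 = IPv4 cloud, Tunnel1 = IPv6 cloud). The wildcard pre-shared key used in the lab (address 0.0.0.0 and ipv6 ::/0) is reported as a warning rather than a failure, since it is common in labs; outside a lab it lets any peer that knows the key attempt to join the cloud.

```python
"""Added example (not from the post): per-layer verification of dual-stack DMVPN
configs, parsing IOS-style running-configs and reporting what to check."""
import re
from collections import defaultdict

# Constructed samples shaped like the R1/R2 configs in the post.  R2_BROKEN is
# deliberately wrong: no tunnel protection and a mismatched NHRP network-id.
R1_HUB = """\
hostname R1
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto ipsec profile DMVPN
 set transform-set MYTRANS
interface Tunnel0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1234
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
"""
R2_BROKEN = """\
hostname R2
crypto isakmp key SHOWIPINTBRI address 172.17.100.1
crypto ipsec profile DMVPN
interface Tunnel0
 ip nhrp map multicast 172.17.100.1
 ip nhrp map 10.123.234.1 172.17.100.1
 ip nhrp network-id 4321
 ip nhrp nhs 10.123.234.1
 tunnel mode gre multipoint
"""

def parse_config(text):
    """Split an IOS config into global lines, interface stanzas and IPsec profiles."""
    cfg = {"hostname": None, "global": [], "interfaces": {}, "ipsec_profiles": {}}
    current = cfg["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" "):  # indented: continuation of the open stanza
            current.append(line)
        elif m := re.match(r"interface (\S+)", line):
            current = cfg["interfaces"].setdefault(m.group(1), [])
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            current = cfg["ipsec_profiles"].setdefault(m.group(1), [])
        else:
            if m := re.match(r"hostname (\S+)", line):
                cfg["hostname"] = m.group(1)
            current = cfg["global"]
            current.append(line)
    return cfg

def tunnel_info(lines):
    """Pull the DMVPN-relevant settings out of one tunnel interface stanza."""
    t = {"mgre": False, "protection": None, "network_id": None, "nhs": [], "maps": {}}
    for l in lines:
        if l.startswith("tunnel mode gre multipoint"):
            t["mgre"] = True
        elif m := re.match(r"tunnel protection ipsec profile (\S+)", l):
            t["protection"] = m.group(1)
        elif m := re.match(r"(?:ip|ipv6) nhrp network-id (\d+)", l):
            t["network_id"] = m.group(1)
        elif m := re.match(r"(?:ip|ipv6) nhrp nhs (\S+)", l):
            t["nhs"].append(m.group(1).lower())
        elif m := re.match(r"(?:ip|ipv6) nhrp map (?!multicast)(\S+) (\S+)", l):
            t["maps"][m.group(1).split("/")[0].lower()] = m.group(2)  # drop /len
    return t

def lint(configs):
    """Return (hostname, severity, message) findings for a set of device configs."""
    findings, clouds = [], defaultdict(dict)  # clouds: tunnel name -> {host: network-id}
    for text in configs:
        cfg = parse_config(text)
        host = cfg["hostname"] or "?"
        for g in cfg["global"]:
            # A wildcard PSK admits any peer that knows the key: worth flagging.
            if re.match(r"crypto isakmp key \S+ address (0\.0\.0\.0|ipv6 ::/0)", g):
                findings.append((host, "WARN", f"wildcard pre-shared key: {g}"))
        for name, lines in cfg["interfaces"].items():
            t = tunnel_info(lines)
            if not t["mgre"]:
                continue
            if t["protection"] is None:
                findings.append((host, "FAIL", f"{name}: mGRE tunnel without tunnel protection"))
            elif t["protection"] not in cfg["ipsec_profiles"]:
                findings.append((host, "FAIL", f"{name}: ipsec profile {t['protection']} not defined"))
            for nhs in t["nhs"]:  # a spoke needs a static NBMA mapping for its NHS
                if nhs not in t["maps"]:
                    findings.append((host, "FAIL", f"{name}: nhs {nhs} has no static nhrp map"))
            clouds[name][host] = t["network_id"]
    # Assumption from the post's numbering: one tunnel number per cloud on every
    # router, so the network-id must agree per tunnel name.
    for name, ids in clouds.items():
        if len(set(ids.values())) > 1:
            findings.append(("*", "FAIL", f"{name}: nhrp network-id differs: {ids}"))
    return findings

if __name__ == "__main__":
    for host, sev, msg in lint([R1_HUB, R2_BROKEN]):
        print(f"{sev:4} {host:3} {msg}")
```

Run it against the real running-configs by reading each router's `show running-config` output into a string and passing the list to lint(); the parser keys on IOS's one-space indentation, so paste the output as-is rather than the flattened form shown on this page. On the sample inputs it reports the wildcard key on R1 as a warning, the missing tunnel protection on R2 as a failure (the same symptom the live run stumbled over), and the network-id mismatch between the two routers.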