
Wednesday, July 4, 2018

#100DaysOfLabbing - Day 3

Dual Stack - Multi Hub - DMVPN

tl;dr - After failure, success tastes so much sweeter.

Today was all over the map. This morning I came into the labs charging like a bull. I wanted to do IPv6 DMVPN and I did! I was successful. That carried me on a little engineering high knowing I had done something I have never tried before that seemed so foreign and came out of the battle victorious.

But, I'm wise enough to know anyone can get lucky once, but very few get lucky twice.

So I wiped the routers and did it again, minimal errors and mostly from memory... success.

While I was completing my second run through the configs and topology I got an idea for a topology and a challenge: Dual Stack - Multi Hub - DMVPN

I felt comfortable enough with my understanding of the component technologies that I felt I could pull it off, and I shrugged "what the hell... we'll do it live". (https://www.youtube.com/watch?v=eUFY8Zw0Bag)

As I began the recording I can be quoted as saying something to the effect of "this might take about 30 minutes"... 65 minutes later I ended up at a dead end and I failed.

I got burned by a couple of items:

  • I had to pull the tunnel protection off the IPv4 DMVPN and put it back on for it to work. I'm not sure if this is a bug or if I unknowingly fell victim to an order-of-operations issue without realizing it.
  • Others were oversights and mis-configurations.

Have a Process:

Whenever I'm writing configs they rarely look like the running-config from a router's output or come in the same order; instead I build them in layers, like a cake.
  1. Think ahead about all the elements that you'll need to complete a task.
  2. Which configurable elements can be grouped and entered at the same time?
  3. In-between layers, what can you verify?
Following the process from above I would order the tasks as follows:

    1. Underlay (NBMA) addresses, connectivity
    2. Loopbacks
    3. Crypto
    4. Tunnel Interface for IPv4 topology
    5. Routing protocol for IPv4 topology
    6. Verify
    7. Tunnel interface for IPv6 topology
    8. Routing Protocol for IPv6 topology
    9. Verify

The Resources:

I found this group of documents extremely helpful for all aspects of this configuration. It includes specifics on IPv6 addressing, which I still wasn't too keen on, but now I'm much more comfortable. It also broke down the elements we need for the IPv6 DMVPN.


The Videos:

Day 3 - Part 1 (more than 1 hour)

Day 3 - Part 2

The Configs:

R1: (IPv4 Hub, IPv6 Spoke)

hostname R1

no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set MYTRANS

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback6
 no ip address
 ipv6 address FC01::1/128
 ipv6 eigrp 6
!
interface Tunnel0
 ip address 10.123.234.1 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 90
 ip nhrp map multicast dynamic
 ip nhrp network-id 1234
 tunnel source 172.17.100.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 no ip address
 ipv6 address FE80::1 link-local
 ipv6 address FC00:1234::1/64
 ipv6 eigrp 6
 ipv6 nhrp map FC00:1234::4/64 2001::4
 ipv6 nhrp map multicast 2001::4
 ipv6 nhrp network-id 10123
 ipv6 nhrp nhs FC00:1234::4
 ipv6 nhrp shortcut
 tunnel source 2001::1
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 172.17.100.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001::1/48

router eigrp 90
 network 0.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Loopback0

router eigrp ipv6
 !
 address-family ipv6 unicast autonomous-system 6
  !
  af-interface GigabitEthernet0/0
   shutdown
  exit-af-interface
  !
  topology base
  exit-af-topology
 exit-address-family

line con 0
 logging synchronous


R2: (IPv4 Spoke, IPv6 Spoke)

hostname R2

no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set MYTRANS

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback6
 no ip address
 ipv6 address FC02::2/128
 ipv6 eigrp 6
!
interface Tunnel0
 ip address 10.123.234.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast 172.17.100.1
 ip nhrp map 10.123.234.1 172.17.100.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.123.234.1
 tunnel source 172.17.100.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 no ip address
 ipv6 address FE80::2 link-local
 ipv6 address FC00:1234::2/64
 ipv6 eigrp 6
 ipv6 nhrp map FC00:1234::4/64 2001::4
 ipv6 nhrp map multicast 2001::4
 ipv6 nhrp network-id 10123
 ipv6 nhrp nhs FC00:1234::4
 ipv6 nhrp shortcut
 tunnel source 2001::2
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 172.17.100.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001::2/48

router eigrp 90
 network 0.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Loopback0

router eigrp ipv6
 !
 address-family ipv6 unicast autonomous-system 6
  !
  af-interface GigabitEthernet0/0
   shutdown
  exit-af-interface
  !
  topology base
  exit-af-topology
 exit-address-family

line con 0
 logging synchronous


R3: (IPv4 Spoke, IPv6 Spoke)


hostname R3

no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set MYTRANS

interface Loopback0
 ip address 3.3.3.3 255.255.255.255

interface Loopback6
 no ip address
 ipv6 address FC03::3/128
 ipv6 eigrp 6

interface Tunnel0
 ip address 10.123.234.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 172.17.100.1
 ip nhrp map 10.123.234.1 172.17.100.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.123.234.1
 tunnel source 172.17.100.3
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN

interface Tunnel1
 no ip address
 ipv6 address FE80::3 link-local
 ipv6 address FC00:1234::3/64
 ipv6 eigrp 6
 ipv6 nhrp map FC00:1234::4/64 2001::4
 ipv6 nhrp map multicast 2001::4
 ipv6 nhrp network-id 10123
 ipv6 nhrp nhs FC00:1234::4
 ipv6 nhrp shortcut
 tunnel source 2001::3
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN

interface GigabitEthernet0/0
 ip address 172.17.100.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001::3/48

router eigrp 90
 network 0.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Loopback0

router eigrp ipv6
 !
 address-family ipv6 unicast autonomous-system 6
  !
  af-interface GigabitEthernet0/0
   shutdown
  exit-af-interface
  !
  topology base
  exit-af-topology
 exit-address-family

line con 0
 logging synchronous


R4: (IPv4 Spoke, IPv6 Hub)

hostname R4

no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set MYTRANS

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback6
 no ip address
 ipv6 address FC04::4/128
 ipv6 eigrp 6
!
interface Tunnel0
 ip address 10.123.234.4 255.255.255.0
 no ip redirects
 ip nhrp map multicast 172.17.100.1
 ip nhrp map 10.123.234.1 172.17.100.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.123.234.1
 tunnel source 172.17.100.4
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 no ip address
 ipv6 address FE80::4 link-local
 ipv6 address FC00:1234::4/64
 ipv6 eigrp 6
 no ipv6 split-horizon eigrp 6
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 10123
 ipv6 nhrp redirect
 tunnel source 2001::4
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 172.17.100.4 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001::4/48

router eigrp 90
 network 0.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Loopback0
!
!
router eigrp ipv6
 !
 address-family ipv6 unicast autonomous-system 6
  !
  af-interface GigabitEthernet0/0
   shutdown
  exit-af-interface
  !
  af-interface Tunnel1
   no split-horizon
  exit-af-interface
  !
  topology base
  exit-af-topology
 exit-address-family

line con 0
 logging synchronous
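The "Verify" steps in the process above ask what can be checked between layers. As an added example (not from the post, and not a Cisco tool), here is a small Python script that statically cross-checks the NHRP layer of the tunnel stanzas before anything is brought up: every router on the same NHRP network-id must point its NHS at the hub's tunnel address, map that address to the hub's real tunnel source (NBMA address), carry a multicast map to the same NBMA address so the routing protocol's hellos reach the hub, and have tunnel protection applied. The embedded CONFIGS are constructed from the R1 and R4 Tunnel0/Tunnel1 stanzas above, trimmed to the lines the checks read; the script assumes tunnel sources are written as addresses (interface names are passed through unparsed and would simply fail the comparison).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: Tunnel0/Tunnel1 stanzas of R1 (IPv4 hub, IPv6 spoke) and R4 (IPv4 spoke, IPv6 hub).
CONFIGS = {
    "R1": """interface Tunnel0
 ip address 10.123.234.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1234
 tunnel source 172.17.100.1
 tunnel protection ipsec profile DMVPN
interface Tunnel1
 ipv6 address FC00:1234::1/64
 ipv6 nhrp map FC00:1234::4/64 2001::4
 ipv6 nhrp map multicast 2001::4
 ipv6 nhrp network-id 10123
 ipv6 nhrp nhs FC00:1234::4
 tunnel source 2001::1
 tunnel protection ipsec profile DMVPN
""",
    "R4": """interface Tunnel0
 ip address 10.123.234.4 255.255.255.0
 ip nhrp map multicast 172.17.100.1
 ip nhrp map 10.123.234.1 172.17.100.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.123.234.1
 tunnel source 172.17.100.4
 tunnel protection ipsec profile DMVPN
interface Tunnel1
 ipv6 address FC00:1234::4/64
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 10123
 tunnel source 2001::4
 tunnel protection ipsec profile DMVPN
""",
}

def _ip(tok):  # address token with any prefix length dropped; non-addresses (interface names) pass through
    try:
        return ipaddress.ip_address(tok.split("/")[0])
    except ValueError:
        return tok

def parse_tunnels(text):
    """Return {ifname: facts} for every Tunnel interface in one running-config."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):                      # a top-level line ends the current stanza
            m = re.match(r"interface (Tunnel\d+)$", line)
            cur = tunnels.setdefault(m.group(1), dict(addr=None, netid=None, source=None, nhs=[],
                                                      maps={}, mcast=[], protected=False)) if m else None
            continue
        if cur is None:
            continue
        t = line.split()
        if t[:2] == ["ip", "address"] or (t[:2] == ["ipv6", "address"] and "link-local" not in t):
            cur["addr"] = _ip(t[2])
        elif t[1:3] == ["nhrp", "network-id"]:
            cur["netid"] = t[3]
        elif t[1:3] == ["nhrp", "nhs"]:
            cur["nhs"].append(_ip(t[3]))
        elif t[1:4] == ["nhrp", "map", "multicast"]:      # must precede the generic map test
            cur["mcast"].append(_ip(t[4]))                # a hub's "dynamic" is kept as a plain token
        elif t[1:3] == ["nhrp", "map"]:
            cur["maps"][_ip(t[3])] = _ip(t[4])
        elif t[:2] == ["tunnel", "source"]:
            cur["source"] = _ip(t[2])
        elif t[:2] == ["tunnel", "protection"]:
            cur["protected"] = True
    return tunnels

def check_dmvpn(configs):
    """Cross-check each cloud (one per NHRP network-id) across routers; [] means consistent."""
    clouds, findings = defaultdict(list), []
    for router, text in configs.items():
        for ifname, f in parse_tunnels(text).items():
            where = f"{router} {ifname}"
            if not f["protected"]:
                findings.append(f"{where}: no tunnel protection, GRE would run in the clear")
            if f["netid"] is None:
                findings.append(f"{where}: no NHRP network-id")
            else:
                clouds[f["netid"]].append((where, f))
    for netid, members in clouds.items():
        hubs = [m for m in members if not m[1]["nhs"]]    # the hub is the member with no NHS
        if len(hubs) != 1:
            findings.append(f"network-id {netid}: expected one hub, found {len(hubs)}")
            continue
        hub = hubs[0][1]
        for where, f in [m for m in members if m[1] is not hub]:
            for nhs in f["nhs"]:
                if nhs != hub["addr"]:
                    findings.append(f"{where}: NHS {nhs} is not the hub tunnel address {hub['addr']}")
                elif f["maps"].get(nhs) != hub["source"]:
                    findings.append(f"{where}: NHS {nhs} mapped to {f['maps'].get(nhs)}, hub NBMA is {hub['source']}")
            if hub["source"] not in f["mcast"]:
                findings.append(f"{where}: no multicast map to hub NBMA {hub['source']}")
    return findings
```

`check_dmvpn(CONFIGS)` returns an empty list for the stanzas as written; feed it a copy in which a spoke's static NHRP map points at the wrong NBMA address, or one where a tunnel interface is missing its `tunnel protection`, and the corresponding finding comes back naming the router and interface. Addresses are compared through the `ipaddress` module so that `FC00:1234::4` and `fc00:1234::4` are the same host, which matters once IPv6 is in the mix.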

Sunday, November 19, 2017

Future = Application Layer Networking

I was having a conversation with a peer about the future of networking. The foundation of the conversation revolved around SDN and the changes that SDN brings to network operators and engineers. The point was raised to me that 'engineers and operators of future networks won't need to have the granular low level understanding of bits, bytes and protocols.' As control of the network becomes more and more software driven the engineer/operator needs only high level understanding. My response to that is: Nothing could be further from the truth! My prediction for the future is: true application layer networking. Have a predictable and deterministic path through the network based on application only.

I think that in the future of application layer routing we will need to incorporate some level of routing intelligence on each host/end device. I'm not sure exactly what that will look like yet, but I know it is not along the lines of OSPF or EIGRP.

In our current model, for most networks (home networks and small business networks) there is a single egress point where all traffic leaves your LAN to destinations on the internet.

In mid-sized business/enterprise networks you'll have redundant links and backups. You may have site-to-site IPSEC tunnels connecting remote sites, but anything not on your LAN or part of your remote sites still egresses at a single point to destinations on the internet.

Large businesses/Enterprises may have multiple egress points to the internet, all managed by lead engineers and operators with oversight from the senior engineers, involving multiple AS's and public IPv4 subnets that span the globe. This is expensive and the bottom line is, even with all the sophistication, the workstations and end devices are still taking the shortest path out of the network based on destination IP address and not on application specific characteristics.

Routers are doing destination-based forwarding all over the globe. They are not making routing decisions based on the type of traffic in the payload of the packet.

One thing I foresee SDN doing for us is bringing dynamic intelligence into routing. Having your controller understand the link requirements of protocols and identify those protocols as they are passing through the routers and forward them based on the application traffic they are carrying not just their destination IP address.

Another thing I believe the future holds for us is true multi-path routing, where end devices, even a common smart phone, can have multiple gateways and not just redundant default gateways, instead they would be application specific gateways. For example I could be connected to my cellular network, wifi and maybe a bunch of ad-hoc networks all at the same time. Perhaps those ad-hoc networks have gateways of their own and we can use them to egress to the internet essentially giving a device like our phone, multiple egress points. Letting our devices participate in the decision making process for routing and forwarding and how to best utilize the links available to it on a per-application basis.

Sorry I went off on a minor futuristic sci-fi routing tangent for a moment.

To bring this full circle, I feel like the engineers and operators of the future will actually need to know more about the inner workings of each protocol, beyond just Layer 4. If the future is anything close to application layer networking, we will actually need to be closer to the bits and bytes to understand the protocols of the applications themselves in order to programmatically and deterministically route them to their destinations.

P.S. - I'm not talking about getting rid of IP addresses, but instead about introducing more to forwarding than just the destination. I'm sure all the "every packet should be treated equal" people out there are going to have a fit with this.

Comments are welcomed.