Configuring DMVPN (Dynamic Multipoint Virtual Private Network) with BGP (Border Gateway Protocol) involves setting up a scalable and secure VPN solution for connecting multiple sites. Here’s a basic guide on how to configure DMVPN with BGP:
Assumptions:
- Topology:
  - Multiple branch offices connected to a central hub.
  - The central hub is the DMVPN hub.
- DMVPN Overview:
  - DMVPN Phase 3 is used, allowing spoke-to-spoke communication without traffic passing through the hub.
  - Multipoint GRE (Generic Routing Encapsulation) tunnels are used for building the overlay network.
  - NHRP (Next Hop Resolution Protocol) is used for dynamic spoke-to-spoke communication.
Central Hub Configuration:
- Enable DMVPN and Define Hub:
```
Hub(config)# interface tunnel0
Hub(config-if)# ip address 192.168.1.1 255.255.255.0
Hub(config-if)# tunnel source <hub-public-interface>
Hub(config-if)# tunnel mode gre multipoint
Hub(config-if)# tunnel key 100
Hub(config-if)# tunnel protection ipsec profile DMVPN
```
The hub has no `tunnel destination`: a multipoint GRE tunnel learns the spokes' public (NBMA) addresses through NHRP registration. The IPsec profile DMVPN referenced here is defined in the IPsec section below.
- Configure NHRP:
```
Hub(config)# interface tunnel0
Hub(config-if)# ip nhrp authentication <shared-secret>
Hub(config-if)# ip nhrp map multicast dynamic
Hub(config-if)# ip nhrp network-id 100
Hub(config-if)# ip nhrp holdtime 300
Hub(config-if)# ip nhrp redirect
```
`ip nhrp redirect` is what makes this a Phase 3 hub: when the hub forwards traffic between two spokes, it tells the source spoke that a direct spoke-to-spoke path is available. The NHRP authentication string is carried in clear text, so it only keeps misconfigured peers apart; the IPsec profile is what actually authenticates tunnel peers.
- Enable BGP:
```
Hub(config)# router bgp <AS-number>
Hub(config-router)# bgp log-neighbor-changes
Hub(config-router)# network 192.168.1.0 mask 255.255.255.0
Hub(config-router)# neighbor 192.168.1.2 remote-as <AS-number>
Hub(config-router)# neighbor 192.168.1.2 update-source Tunnel0
Hub(config-router)# neighbor 192.168.1.2 route-reflector-client
```
Peer with each spoke's tunnel address (192.168.1.2 for the first spoke) and source the session from Tunnel0, not from the public interface, so that the BGP session runs inside the encrypted overlay; repeat the three neighbor lines for every spoke. Because hub and spokes share one AS number this is iBGP, and the hub must act as route reflector or the spokes will never learn each other's prefixes. Add further `network` statements for the LAN prefixes the hub should advertise, and ensure every neighbor is configured with the correct remote AS number and update-source.
- DMVPN IPsec Configuration:
```
Hub(config)# crypto isakmp key <shared-secret> address 0.0.0.0 0.0.0.0
Hub(config)# crypto isakmp policy 10
Hub(config-isakmp)# encryption aes
Hub(config-isakmp)# hash sha
Hub(config-isakmp)# group 5
Hub(config-isakmp)# authentication pre-share
Hub(config-isakmp)# exit
Hub(config)# crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
Hub(cfg-crypto-trans)# mode transport
Hub(cfg-crypto-trans)# exit
Hub(config)# crypto ipsec profile DMVPN
Hub(ipsec-profile)# set transform-set DMVPN
```
Transport mode is the usual choice for DMVPN because the GRE header already carries the tunnel endpoints. Note that `hash sha` is SHA-1 and `group 5` is 1536-bit Diffie-Hellman, both considered legacy; where the platform supports it, prefer `hash sha256` and `group 14` or stronger. The wildcard `address 0.0.0.0 0.0.0.0` means any peer that knows the pre-shared key can bring up IKE with the hub, so the key must be long, random and rotated, and spoke tunnel interfaces should be the only thing that accepts it.
Spoke Configuration:
- Enable DMVPN and Define Spoke:
```
Spoke(config)# interface tunnel0
Spoke(config-if)# ip address 192.168.1.2 255.255.255.0
Spoke(config-if)# tunnel source <spoke-public-interface>
Spoke(config-if)# tunnel mode gre multipoint
Spoke(config-if)# tunnel key 100
Spoke(config-if)# tunnel protection ipsec profile DMVPN
```
There is no `tunnel destination`: IOS does not accept one on a multipoint GRE tunnel, and a Phase 3 spoke needs mGRE so it can build direct tunnels to other spokes. The hub is reached through the NHRP mapping below. Give each spoke a unique tunnel address in 192.168.1.0/24.
- Configure NHRP:
```
Spoke(config)# interface tunnel0
Spoke(config-if)# ip nhrp authentication <shared-secret>
Spoke(config-if)# ip nhrp map 192.168.1.1 <hub-public-IP>
Spoke(config-if)# ip nhrp map multicast <hub-public-IP>
Spoke(config-if)# ip nhrp nhs 192.168.1.1
Spoke(config-if)# ip nhrp network-id 100
Spoke(config-if)# ip nhrp shortcut
```
`ip nhrp map` takes the tunnel address first and the NBMA (public) address second, so the hub's tunnel address 192.168.1.1 is mapped to <hub-public-IP>. `ip nhrp nhs` registers the spoke with the hub as its next-hop server; without it the spoke never appears in the hub's NHRP table. `ip nhrp shortcut` is the spoke side of Phase 3: after a redirect from the hub, the spoke resolves the other spoke's public address and installs a direct path.
- Enable BGP:
```
Spoke(config)# router bgp <AS-number>
Spoke(config-router)# bgp log-neighbor-changes
Spoke(config-router)# network 192.168.1.0 mask 255.255.255.0
Spoke(config-router)# neighbor 192.168.1.1 remote-as <AS-number>
Spoke(config-router)# neighbor 192.168.1.1 update-source Tunnel0
```
The spoke peers only with the hub's tunnel address (192.168.1.1) over Tunnel0; spoke-to-spoke forwarding comes from NHRP shortcuts, not from additional BGP sessions. Add a `network` statement for the branch LAN prefix, and ensure the remote AS number and update-source are correct.
- DMVPN IPsec Configuration: Use the same IPsec configuration as on the hub (ISAKMP key and policy, transform-set and IPsec profile DMVPN), replacing the `Hub` prompt with `Spoke`.
Verification:
- Verify DMVPN Status:
```
Hub# show dmvpn
```
Each peer should be listed in state UP; a peer stuck in NHRP, IKE or IPSEC shows the stage at which tunnel setup is failing.
- Verify BGP Neighbors:
```
Hub# show ip bgp summary
Spoke# show ip bgp summary
```
An established session shows a prefix count in the State/PfxRcd column; any other value there (Idle, Active, Connect) means the neighbor is not up.
- Verify IPsec Status:
```
Hub# show crypto isakmp sa
Hub# show crypto ipsec sa
Spoke# show crypto isakmp sa
Spoke# show crypto ipsec sa
```
Verify that the IKE Security Association is in state QM_IDLE and that the IPsec Security Associations show packets being encrypted and decrypted in both directions.
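As an added example that is not part of the original guide: a small Python checker that parses `show dmvpn` and `show ip bgp summary` output (the samples below are constructed in the shape of IOS output, not real captures) and flags tunnel peers that are not UP, BGP sessions that are not Established, and spokes that registered with NHRP but have no BGP session at all, which is the failure that leaves a branch with a tunnel and no routes.

```python
import re

# Constructed sample in the shape of IOS "show dmvpn" on the hub (not a real capture).
SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 203.0.113.2      192.168.1.2    UP 00:12:34     D
     1 203.0.113.3      192.168.1.3  IPSEC 00:00:07     D
     1 203.0.113.4      192.168.1.4    UP 01:02:03     D
"""

# Constructed sample in the shape of IOS "show ip bgp summary" on the same hub.
SHOW_BGP_SUMMARY = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4        65000      45      47        5    0    0 00:12:01        3
192.168.1.3     4        65000       0       0        1    0    0 never    Active
"""

# One peer row: entry count, NBMA address, tunnel address, NHRP state, up/down time.
DMVPN_ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(UP|NHRP|IKE|IPSEC)\s+\S+")

def parse_show_dmvpn(text: str) -> dict:
    """Map each peer's tunnel (overlay) address to (NBMA address, NHRP state)."""
    rows = (DMVPN_ROW.match(line) for line in text.splitlines())
    return {m.group(2): (m.group(1), m.group(3)) for m in rows if m}

def parse_bgp_summary(text: str) -> dict:
    """Map neighbor -> 'Established' (last column is a prefix count) or the FSM state shown."""
    sessions = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 10 and f[1] == "4" and f[2].isdigit():  # skip header/banner lines
            sessions[f[0]] = "Established" if f[-1].isdigit() else " ".join(f[9:])
    return sessions

def audit(dmvpn_text: str, bgp_text: str) -> list:
    """Cross-check NHRP peers against BGP sessions; an empty list means all is healthy."""
    peers, sessions, findings = parse_show_dmvpn(dmvpn_text), parse_bgp_summary(bgp_text), []
    for tunnel, (nbma, state) in peers.items():
        if state != "UP":  # NHRP/IKE/IPSEC show where tunnel bring-up stalled
            findings.append(f"tunnel peer {tunnel} ({nbma}) stuck in state {state}")
        if tunnel not in sessions:  # registered spoke that will never learn routes
            findings.append(f"no BGP neighbor configured for tunnel peer {tunnel}")
        elif sessions[tunnel] != "Established":
            findings.append(f"BGP to {tunnel} is {sessions[tunnel]}, not Established")
    findings += [f"BGP neighbor {n} has no DMVPN tunnel entry" for n in sessions if n not in peers]
    return findings
```

Run it against real output by pasting the two command outputs into the constants; on the samples it reports the stalled IPsec peer, its Active BGP session, and the third spoke that has no BGP neighbor.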
This is a basic example, and configurations may vary based on your specific requirements and network setup. Ensure that all IP addresses, AS numbers, and shared secrets are correctly configured. Always refer to the documentation for your specific router model and software version for accurate and detailed information.