3. Configure dynamic routing protocols on the hub and spoke routers to enable dynamic routing over the DMVPN network.
4. Verify the NHRP configuration and connectivity by checking the NHRP cache and the routing table.
NHRP is a critical component of DMVPN, as it provides the dynamic mapping between VPN addresses and the public IP addresses of spoke routers, allowing for efficient and secure communication between spokes in a DMVPN network.
2.3.c IPsec
IPsec (Internet Protocol Security) is a suite of protocols used to secure IP communications by encrypting and authenticating IP packets. In DMVPN, IPsec is used to provide confidentiality, integrity, and authentication for the data transmitted between the spoke routers over the public internet.
IPsec can operate in two modes: transport mode and tunnel mode. In DMVPN, tunnel mode is used to create an encrypted and authenticated tunnel between the spoke routers. Each spoke router encrypts the data packets destined for other spokes with IPsec, and the hub router decrypts the packets and forwards them to the appropriate spoke.
To configure IPsec on a DMVPN network, the following steps are typically required:
1. Enable IPsec on the hub router and configure the IPsec policy, such as the encryption and authentication algorithms and the key exchange method.
2. Enable IPsec on the spoke routers and configure the IPsec policy to match the hub router's policy.
3. Configure the IPsec profile on the hub and spoke routers to define the transform sets and the pre-shared key.
4. Configure the DMVPN on the hub and spoke routers to define the tunnel interface, the IP address, and the IPsec profile.
5. Verify the IPsec configuration and connectivity by checking the IPsec SA (Security Association) and the routing table.
IPsec provides a secure and efficient mechanism for transmitting data over the public internet in a DMVPN network. By encrypting and authenticating the data packets, IPsec ensures that the communication between the spoke routers cannot be read or tampered with by unauthorized parties, even if it is intercepted in transit.
2.3.d Dynamic neighbor
In DMVPN, dynamic neighbors are the spoke routers that register with the hub router to establish a secure and dynamic VPN network. The hub router acts as the NHRP (Next Hop Resolution Protocol) server and maintains a mapping between the spoke routers' public IP addresses and their private IP addresses. The spoke routers register with the hub router by sending an NHRP registration message, which includes their public IP address, their private IP address, and their registered tunnel interface.
Once the hub router receives the NHRP registration message, it updates its NHRP mapping database with the spoke router's information. The hub router can then send NHRP resolution messages to the spoke router to resolve the private IP address of a spoke router that needs to communicate with another spoke router. The NHRP resolution message contains the spoke router's public IP address, and the hub router uses this information to look up the spoke router's private IP address in its NHRP mapping database. The hub router then returns the private IP address to the spoke router, which can use it to establish a direct tunnel with the destination spoke router.
Dynamic neighbors simplify the configuration and management of DMVPN by allowing the spoke routers to register with the hub router automatically, without requiring manual configuration of the hub router's NHRP mapping database. This enables the DMVPN to scale to a large number of spoke routers, and it also provides dynamic failover capabilities in case of spoke router failures or network changes.
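The five IPsec steps listed under 2.3.c and the spoke registration with the hub described above, as one added Cisco IOS configuration that is not part of the page: PSK_PLACEHOLDER, NHRP_KEY_PLACEHOLDER and HUB_PUBLIC_IP are placeholders, the 10.0.0.0/24 tunnel addressing is constructed, and the interface and policy names are assumptions.

```cisco
! Added example, not from the page. Placeholders: PSK_PLACEHOLDER,
! NHRP_KEY_PLACEHOLDER, HUB_PUBLIC_IP. Addresses 10.0.0.0/24 are constructed.
!
! --- Steps 1-2: IKE policy, identical on the hub and on every spoke ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer address: every spoke shares one PSK, so any holder of the key
! can register; per-peer keys or certificates give tighter control.
crypto isakmp key PSK_PLACEHOLDER address 0.0.0.0 0.0.0.0
!
! --- Step 3: transform set (mode left at the IOS default, tunnel) + profile ---
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- Step 4, hub: mGRE tunnel, profile bound with tunnel protection ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ! nhrp authentication is a cleartext tag, not a secret: it keeps NHRP
 ! domains apart; peer authentication comes from IKE, not from this line.
 ip nhrp authentication NHRP_KEY_PLACEHOLDER
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Step 4, spoke: same crypto; static map to the hub and NHS registration ---
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication NHRP_KEY_PLACEHOLDER
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 HUB_PUBLIC_IP
 ip nhrp map multicast HUB_PUBLIC_IP
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Step 5: verify (run on the hub) ---
! show crypto isakmp sa   -> one QM_IDLE entry per spoke public IP
! show crypto ipsec sa    -> #pkts encaps/decaps counters rising per peer
! show ip nhrp            -> one "Type: dynamic" entry per registered spoke
```

If a spoke never appears in `show ip nhrp` but does appear in `show crypto isakmp sa`, the IKE phase succeeded and the problem is in the NHRP lines (network-id, authentication tag, or the nhs/map addresses), not in the IPsec policy.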
2.3.e Spoke-to-spoke
Spoke-to-spoke communication in DMVPN allows the spoke routers to communicate with each other directly, without the need for traffic to pass through the hub router. This can improve network performance and reduce the load on the hub router.
To enable spoke-to-spoke communication, the spoke routers need to be configured to support it. This can be done by configuring the spoke routers to dynamically register their private IP addresses with the hub router using NHRP, as well as configuring them to advertise their own private IP addresses to each other using a routing protocol such as EIGRP or OSPF. The hub router also needs to be configured to allow spoke-to-spoke communication by forwarding NHRP resolution requests between spokes, instead of just forwarding them to the hub.
Once the spoke routers are configured for spoke-to-spoke communication, they can establish direct IPsec tunnels between each other, using the NHRP resolution messages to learn each other's public IP addresses. This creates a meshed network topology that enables traffic to flow directly between spokes, without the need to traverse the hub router. The spoke routers can also use the routing protocol to exchange routing information and determine the best path for traffic to take between them.
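The configuration that turns the hub-and-spoke setup into the spoke-to-spoke behaviour described above, as an added IOS example that is not part of the page: it uses the DMVPN phase 3 redirect/shortcut mechanism (`ip nhrp redirect` on the hub, `ip nhrp shortcut` on the spokes), which the text does not name, and assumes the tunnel, crypto profile and NHS registration from the earlier sections, an EIGRP process number of 1 and constructed LAN prefixes under 192.168.0.0/16.

```cisco
! Added example, not from the page: the lines that enable spoke-to-spoke
! (DMVPN phase 3). Tunnel0, the IPsec profile and the NHS registration are
! assumed to be configured already; EIGRP AS 1 and 192.168.0.0/16 are constructed.
!
! Hub: keep forwarding the first packets, but tell the sending spoke that a
! shorter path exists so it resolves the other spoke's public address itself.
interface Tunnel0
 ip nhrp redirect
!
! Every spoke: act on the redirect, resolve the peer and install a shortcut
! route; the direct IPsec tunnel is negotiated with that peer's public IP.
interface Tunnel0
 ip nhrp shortcut
!
! Routing protocol: the hub must readvertise spoke prefixes back out Tunnel0,
! which EIGRP split horizon would otherwise block (OSPF would instead need a
! point-to-multipoint or broadcast network type on the tunnel).
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.255.255
interface Tunnel0
 no ip split-horizon eigrp 1
!
! Verify from a spoke after sending traffic to another spoke's LAN:
! show dmvpn             -> extra peer line for the remote spoke, Attrb D, State UP
! show ip nhrp           -> remote spoke entry, Type: dynamic
! show crypto isakmp sa  -> an SA directly with the remote spoke's public IP
```

An entry that appears in `show dmvpn` but whose IKE SA never leaves MM_NO_STATE usually means the spokes can reach the hub but not each other directly (NAT or a firewall between them), so traffic silently keeps flowing via the hub.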
Spoke-to-spoke communication in DMVPN provides a more flexible and scalable VPN solution, and it can also improve the resilience of the network by allowing traffic to take multiple paths between spokes.