Thanks for the explanation. I just want to clear something up.
The multicast traffic only flows directly to a spoke once a unicast packet sent to that spoke has caused a tunnel to be built. i.e. the multicast traffic itself cannot cause the tunnel to be built. Is that correct?
Yes, you are correct. Multicast traffic will not be able to initiate the creation of a point-to-point GRE tunnel between spokes. If this tunnel does not exist, multicast traffic will be routed via the hub. Only unicast traffic will trigger the creation of a spoke-to-spoke tunnel. This is simply due to the design and behavior of the NHRP protocol.
Specifically, the NHRP resolution process is triggered only by unicast traffic and not multicast traffic.
When multicast traffic is sent to the hub, it is forwarded to all registered spokes. Since the multicast traffic is not specifically addressed to a single spoke, it does not provide an opportunity for NHRP to learn about the other spokes' public IP addresses or establish direct GRE tunnels.
This is a design choice for NHRP, which helps to optimize network traffic flow and reduce unnecessary overhead. If multicast traffic were used to establish spoke-to-spoke tunnels, it could result in numerous unnecessary tunnels being built, which could consume additional resources and complicate the network. Thus it is more efficient to rely only on unicast to trigger the NHRP resolution process.
If you have suggestions for specific lessons and lesson topics, feel free to use the Member Ideas page below. There you can make your suggestions for additional lessons that Rene can add in the future. You may find that others have suggested something similar, so you can add your voice to theirs.
In the meantime, take a look at the following Cisco documentation which describes a scenario where DMVPN with IPSec and OSPF are being used, along with a few more features.
Doing a search online, I was able to find some additional resources that describe such a setup.
Hello!
Can you provide any resources I can use to better understand the IKEv2 configuration on an IOS router using DMVPN and a Cisco router for a PKI server?
The following lesson shows how to set up DMVPN with IPsec:
This doesn't include the use of a PKI server; however, you can find further information about that for a DMVPN environment at the following Cisco documentation:
This documentation describes a DMVPN network using IPSec along with a CA server, a role which is played by the hub of the DMVPN topology.
If you would like Rene to create a new lesson with your particular setup in mind, feel free to make your suggestion at the following member ideas page:
There, you may find that others have made similar suggestions, and you can add your voice to theirs.
This may be simple, and I might be overthinking it, but this part right here:
Keep in mind that encryption occurs before multipoint GRE / NHRP.
Would it be possible to elaborate further? I always run into issues at work when troubleshooting DMVPN/IPsec, and when I am told encryption happens before multipoint GRE/NHRP, how is that exactly?
The statement that "encryption occurs before multipoint GRE/NHRP" is simply highlighting the sequence of operations in the DMVPN/IPSec setup. Encryption, provided by IPSec, happens before the encapsulation of data into multipoint GRE and the NHRP protocol. In other words, data is encrypted first by IPSec to ensure confidentiality, then encapsulated in multipoint GRE for routing, and finally, NHRP is used for address resolution.
This means that the GRE headers and the NHRP additional information remain unencrypted. Does that make sense?
I was a bit curious about the crypto map command. When I was doing a practice quiz on Boson with IPSec, I got it incorrect because I set it up as seen here, using a transform-set instead of a crypto-map. How can I tell when I am supposed to use the crypto-map command instead?
The crypto-map command is used to bind or tie together all the various IPSec configuration elements. This includes the transform-set, the ACL that identifies the traffic, and the peer at the other end of the IPSec tunnel.
On the other hand, a transform-set is a combination of security protocols and algorithms. When you define a transform-set, you are essentially defining the methods and protocols that IPSec should use to secure your data.
So, you can't really replace one with the other. They both serve different purposes in the IPSec configuration process.
In general, you should use the crypto-map command when you are ready to tie together your IPSec configuration and apply it to an interface.
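To make the relationship concrete, here is an added IOS configuration example (not from the lesson or the thread above) that shows a transform-set being referenced by a crypto map on a physical interface, and, for contrast, the same transform-set referenced by an IPsec profile on a DMVPN mGRE tunnel; all addresses, names and the pre-shared key are constructed placeholders.

```cisco
! --- Shared pieces: policy, key and the transform-set (the "how") ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard key (constructed): DMVPN spokes are not known in advance
crypto isakmp key EXAMPLE_PSK address 0.0.0.0
!
! The transform-set only names protocols and algorithms; it protects
! nothing until something binds it to traffic and a peer.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
! --- Option A: classic site-to-site, bound with a crypto map ---
! The ACL is the "what": traffic that must be encrypted.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! The crypto map is the "glue": peer + transform-set + ACL.
crypto map CM-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
! Applying the map to the WAN interface is what activates it.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-SITE
!
! --- Option B: DMVPN, bound with an IPsec profile instead ---
! No ACL or static peer: everything sent through the tunnel is
! protected, and peers are learned dynamically via NHRP.
crypto ipsec profile IPSEC-DMVPN
 set transform-set TS-AES
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-DMVPN
```

In both options the transform-set itself never changes; what the quiz was testing is the binding step (crypto map or IPsec profile) that actually applies it to traffic.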