1821 Views, 0 Helpful, 10 Replies

Unable to get EIGRP OTP Route Reflector (E-RR) working

fabio rocha, Level 1

Hi,

I am trying to set up an EIGRP OTP connection between two neighbors. Although the routing adjacency goes UP when I declare neighbors manually on both sides, I cannot get it to work when one of the routers is configured as a route reflector.


Here is my config:

 

R1#
router eigrp otp
!
address-family ipv4 unicast autonomous-system 101
!
topology base
exit-af-topology
neighbor 10.88.251.2 Tunnel201 remote 100 lisp-encap
network 10.88.251.0 0.0.0.255
network 10.90.1.0 0.0.0.255
exit-address-family

 

R1#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 192.168.0.101 YES NVRAM up up
GigabitEthernet2 10.222.11.1 YES NVRAM up up
GigabitEthernet3 10.100.11.1 YES NVRAM up up
GigabitEthernet4 unassigned YES NVRAM administratively down down
LISP0 10.90.1.1 YES unset up up
Loopback0 10.90.1.1 YES NVRAM up up
Tunnel201 10.88.251.1 YES NVRAM up up
R1#

 

R1#ping 10.88.251.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.88.251.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
R1#show ip eigrp 101 topology
EIGRP-IPv4 VR(otp) Topology Table for AS(101)/ID(10.90.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 10.88.251.0/24, 1 successors, FD is 131727360
via Connected, Tunnel201
P 10.90.1.1/32, 1 successors, FD is 163840
via Connected, Loopback0

 

R1#show run int tun201
Building configuration...

Current configuration : 404 bytes
!
interface Tunnel201
description MPLS Overlay
bandwidth 1000000
ip address 10.88.251.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip nhrp authentication lab
ip nhrp network-id 201
ip nhrp nhs 10.88.251.2 nbma 10.222.22.1 multicast
ip tcp adjust-mss 1360
delay 200
if-state nhrp
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 201
tunnel vrf MPLS
end

 

# R2

router eigrp otp
!
address-family ipv4 unicast autonomous-system 101
!
af-interface Tunnel201
no next-hop-self
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
remote-neighbors source Tunnel201 unicast-listen lisp-encap
network 10.88.251.0 0.0.0.255
network 10.90.1.0 0.0.0.255
exit-address-family

 

R2#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 192.168.0.102 YES NVRAM up up
GigabitEthernet2 10.222.22.1 YES NVRAM up up
GigabitEthernet3 10.88.255.245 YES NVRAM up up
GigabitEthernet4 unassigned YES NVRAM administratively down down
LISP0 10.90.1.2 YES unset up up
Loopback0 10.90.1.2 YES NVRAM up up
Tunnel201 10.88.251.2 YES NVRAM up up
R2#

 

R2#show run int tun201
Building configuration...

Current configuration : 407 bytes
!
interface Tunnel201
description MPLS Overlay
bandwidth 1000000
ip address 10.88.251.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
no ip split-horizon eigrp 200
ip nhrp authentication lab
ip nhrp network-id 201
ip nhrp server-only
ip nhrp redirect
ip tcp adjust-mss 1360
delay 200
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 201
tunnel vrf MPLS
end

 

R2#ping 10.88.2
*Aug 17 14:28:54.141: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#ping 10.88.251.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.88.251.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms
R2#

 

R2#show ip eigrp 101 topology
EIGRP-IPv4 VR(otp) Topology Table for AS(101)/ID(10.90.1.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 10.88.251.0/24, 1 successors, FD is 131727360
via Connected, Tunnel201
P 10.90.1.2/32, 1 successors, FD is 163840
via Connected, Loopback0
P 10.88.251.4/32, 1 successors, FD is 131072
via Rstatic (131072/0)

 

On R2 with "debug eigrp packet terse", I can see the messages below:

 

R2#
*Aug 17 14:29:26.845: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#
*Aug 17 14:29:31.119: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#
*Aug 17 14:29:35.941: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#
*Aug 17 14:29:40.712: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#
*Aug 17 14:29:44.973: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#
*Aug 17 14:29:49.684: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#
*Aug 17 14:29:54.418: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#
*Aug 17 14:29:59.287: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#
*Aug 17 14:30:04.074: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1
R2#
*Aug 17 14:30:08.640: EIGRP: Ignore unicast Hello from Tunnel201 10.88.251.1

 

 

Questions:

- What am I doing wrong?

- Why the debug message at all? From the documentation I've read, the E-RR doesn't need to have remote neighbors declared.

 

I'd very much appreciate any comment or insight into the problem.

 

Thanks in advance,

Fábio Rocha

 

 


10 Replies

Hello,

 

What does the rest of your topology look like? Post the full running configs of all routers involved...

 

It looks like you are doing this over an existing DMVPN?

R1#show run
Building configuration...

Current configuration : 3059 bytes
!
! Last configuration change at 12:40:02 BRT Mon Aug 17 2020
!
version 16.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ugMA$aw400jooFRV./5mV0Tppl.
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone BRT -3 0
!
ip vrf INET
rd 1:3
!
ip vrf MPLS
rd 1:2
!
!
!
!
!
!
!
!
!

 

no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!


!
!
!
!
!
!
!
license udi pid CSR1000V sn 97RRJJB51UZ
diagnostic bootup level minimal
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
path flash:config
maximum 14
write-memory
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 5 $1$VJ6d$RXfjxF0k.zspp1/94Khzw.
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.90.1.1 255.255.255.255
!
interface Tunnel201
description MPLS Overlay
bandwidth 1000000
ip address 10.88.251.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip nhrp authentication lab
ip nhrp network-id 201
ip nhrp nhs 10.88.251.2 nbma 10.222.22.1 multicast
ip tcp adjust-mss 1360
delay 200
if-state nhrp
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 201
tunnel vrf MPLS
!
interface LISP1
!
interface GigabitEthernet1
ip vrf forwarding INET
ip address 192.168.0.101 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
description MPLS Underlay
ip vrf forwarding MPLS
ip address 10.222.11.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
description LAN
ip address 10.100.11.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
!
router eigrp 200
network 10.88.251.0 0.0.0.255
redistribute connected
passive-interface default
no passive-interface Tunnel201
eigrp router-id 10.90.1.1
eigrp stub connected static
shutdown
!
!
router eigrp otp
!
address-family ipv4 unicast autonomous-system 101
!
topology base
exit-af-topology
neighbor 10.88.251.2 Tunnel201 remote 5 lisp-encap 1
network 10.88.251.0 0.0.0.255
network 10.90.1.0 0.0.0.255
exit-address-family
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route vrf INET 0.0.0.0 0.0.0.0 192.168.0.1
ip route vrf INET 8.8.4.4 255.255.255.255 192.168.0.1
ip route vrf MPLS 0.0.0.0 0.0.0.0 10.222.11.4
ip route vrf MPLS 10.222.22.1 255.255.255.255 10.222.11.4 name FIX
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line vty 0 4
logging synchronous
transport input ssh
line vty 5 15
logging synchronous
transport input ssh
!
ntp server time-pnp.cisco.com
!
!
!
!
!
end

R1#

 

R2#show run
Building configuration...

Current configuration : 4257 bytes
!
! Last configuration change at 13:17:14 BRT Mon Aug 17 2020
!
version 16.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$mO8/$clc6CdPX5cvj7Z/4t/RWi/
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone BRT -3 0
!
ip vrf INET
rd 1:3
!
ip vrf MPLS
rd 1:2
!
!
!
!
!
!
!
!
!

 

no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!


!
!
!
!
!
!
!
license udi pid CSR1000V sn 97IK3Z1RFOJ
diagnostic bootup level minimal
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
path flash:config
maximum 14
write-memory
!
!
!
!
!
object-group network MPLS-INT
host 10.222.22.1
!
object-group network R1
host 10.222.11.1
!
object-group network R3
host 10.222.33.1
!
object-group network USINAS-MPLS
group-object R1
group-object R3
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 5 $1$kYT3$YO1S0Ke/qcEKlLyHnq6CL1
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.90.1.2 255.255.255.255
!
interface Tunnel201
description MPLS Overlay
bandwidth 1000000
ip address 10.88.251.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
no ip split-horizon eigrp 200
ip nhrp authentication lab
ip nhrp network-id 201
ip nhrp server-only
ip nhrp redirect
ip tcp adjust-mss 1360
delay 200
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 201
tunnel vrf MPLS
!
interface LISP1
!
interface GigabitEthernet1
description Internet Underlay
ip vrf forwarding INET
ip address 192.168.0.102 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
description MPLS Underlay
ip vrf forwarding MPLS
ip address 10.222.22.1 255.255.255.0
ip access-group FILTRA-MPLS-IN in
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
description Transito Firewall
ip address 10.88.255.245 255.255.255.240
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
!
router eigrp 200
network 10.88.251.0 0.0.0.255
redistribute connected
redistribute static
passive-interface default
no passive-interface Tunnel201
eigrp router-id 10.90.1.2
shutdown
!
!
router eigrp otp
!
address-family ipv4 unicast autonomous-system 101
!
af-interface Tunnel201
no next-hop-self
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
remote-neighbors source Tunnel201 unicast-listen lisp-encap 1
network 10.88.251.0 0.0.0.255
exit-address-family
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 10.88.0.0 255.255.0.0 10.88.255.241 name Firewall
ip route 10.88.251.4 255.255.255.255 Null0 tag 777
ip route vrf INET 0.0.0.0 0.0.0.0 192.168.0.1
ip route vrf INET 8.8.8.8 255.255.255.255 192.168.0.1
ip route vrf MPLS 0.0.0.0 0.0.0.0 10.222.22.4
ip route vrf MPLS 10.222.11.1 255.255.255.255 10.222.22.4 name FIX
ip route vrf MPLS 10.222.33.1 255.255.255.255 10.222.22.4 name FIX
!
ip access-list extended FILTRA-MPLS-IN
permit udp object-group USINAS-MPLS object-group MPLS-INT eq isakmp
permit esp object-group USINAS-MPLS object-group MPLS-INT
permit gre object-group USINAS-MPLS object-group MPLS-INT
remark //
remark // Bloqueia IKE e IPSec de qualquer outro lugar
deny udp any object-group MPLS-INT eq isakmp log
deny esp any object-group MPLS-INT log
deny gre any object-group MPLS-INT log
remark // Permite todo o resto
permit ip any any
!
!
!
route-map STATIC-TO-EIGRP permit 10
match tag 777
set ip next-hop unchanged
set metric 4294967295
set tag 777
!
route-map STATIC-TO-EIGRP deny 20
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line vty 0 4
logging synchronous
transport input ssh
line vty 5 15
logging synchronous
transport input ssh
!
ntp server time-pnp.cisco.com
ntp server pool.ntp.org
!
!
!
!
!
end

R2#

 

MPLS#show run
Building configuration...

Current configuration : 981 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname MPLS
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone EET 2 0
!
ip cef
!
!
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
description Rogue
no switchport
ip address 10.222.44.4 255.255.255.0
duplex auto
!
interface Ethernet0/1
description R1
no switchport
ip address 10.222.11.4 255.255.255.0
duplex auto
!
interface Ethernet0/2
description R2
no switchport
ip address 10.222.22.4 255.255.255.0
duplex auto
!
interface Ethernet0/3
description R3
no switchport
ip address 10.222.33.4 255.255.255.0
duplex auto
!
!
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
end

 

 

R3#show run
Building configuration...

Current configuration : 3336 bytes
!
! Last configuration change at 13:23:02 BRT Mon Aug 17 2020
!
version 16.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$bfCh$Amp/eM612yv7ojh8doL5E0
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone BRT -3 0
!
ip vrf INET
rd 1:3
!
ip vrf MPLS
rd 1:2
!
!
!
!
!
!
!
!
!

 

no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!


!
!
!
!
!
!
!
license udi pid CSR1000V sn 9BJGQ6ZBHW9
diagnostic bootup level minimal
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
path flash:config
maximum 14
write-memory
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 5 $1$dZLF$BlZjm7JVplFh/WVuy6UqF0
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.90.1.3 255.255.255.255
!
interface Tunnel201
description MPLS Overlay
bandwidth 1000000
ip address 10.88.251.3 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip nhrp authentication lab
ip nhrp network-id 201
ip nhrp nhs 10.88.251.2 nbma 10.222.22.1 multicast
ip tcp adjust-mss 1360
delay 200
if-state nhrp
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 201
tunnel vrf MPLS
!
interface LISP1
!
interface LISP1.2
!
interface GigabitEthernet1
description Internet Underlay
ip vrf forwarding INET
ip address 192.168.0.103 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
description MPLS Underlay
ip vrf forwarding MPLS
ip address 10.222.33.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
description LAN
ip address 10.100.33.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
!
router eigrp 200
network 10.88.251.0 0.0.0.255
redistribute connected
passive-interface default
no passive-interface Tunnel201
eigrp router-id 10.90.1.3
eigrp stub connected static
shutdown
!
!
router eigrp otp
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel201
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
!
topology vrf MPLS tid 2 lisp-instance-id 2
exit-af-topology
neighbor 10.88.251.2 Tunnel201 remote 2 lisp-encap 1
network 10.88.251.0 0.0.0.255
eigrp router-id 10.90.1.3
exit-address-family
!
!
router eigrp top
shutdown
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip tftp source-interface GigabitEthernet1
ip route vrf INET 0.0.0.0 0.0.0.0 192.168.0.1
ip route vrf MPLS 0.0.0.0 0.0.0.0 10.222.33.4
ip route vrf MPLS 10.222.22.1 255.255.255.255 10.222.33.4 name FIX
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line vty 0 4
logging synchronous
transport input ssh
line vty 5 15
logging synchronous
transport input ssh
!
ntp server time-pnp.cisco.com
!
!
!
!
!
end

R3#

Hello,

 

thanks for the configs and the topology. I need to lab this up, will get back with you...

Thank you so much. I really don't know what's wrong; from what I've learned so far, this should be working.

Hello,

 

I think the problem is that you use the tunnel interface for the peering. Try to use a loopback instead, the configs would look like this.

 

R2 (RR)

 

interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
router eigrp otp
!
address-family ipv4 unicast autonomous-system 101
!
af-interface Loopback1
no next-hop-self
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
remote-neighbors source Loopback1 unicast-listen lisp-encap 1
network 1.1.1.1 0.0.0.0

exit-address-family

 

R1

 

interface Loopback2
ip address 2.2.2.2 255.255.255.255
!
router eigrp otp
!
address-family ipv4 unicast autonomous-system 101
!
topology base
exit-af-topology
neighbor 1.1.1.1 Loopback2 remote 5 lisp-encap 1
network 10.88.251.0 0.0.0.255
network 10.90.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
exit-address-family

Hi,

I am going to give it a try and will get back to you soon. Thanks a lot!

On a side note, I think OTP is supposed to work as an alternative to DMVPN; I don't know if they were actually designed to work together...

Hmmm... OTP might be an alternative to DMVPN but somehow you would have to deal with the encryption, automatic registration of clients and tunnel formation, because you certainly would not want to create a full-mesh of IPsec tunnels by yourself.

 

Also I've read somewhere in the documentation that for OTP it doesn't matter what the WAN technology is, it can be *anything* you want, including DMVPN.

 

Sir, I am really grateful for your help. Thank you so much... really!

 

Maybe you would be willing to give me your opinion on my real problem (the question I am hoping to solve using OTP)...

 

I have a large DMVPN deployment (think 300+ routers) using both the internet and a MPLS cloud as transports. There are no firewalls in front of those routers so there is no sort of filtering happening.

 

The routers have IPv4 public addresses on their interfaces facing the internet. Those interfaces are isolated on a transit VRF and on the transit VRF I have a default route pointing to the exit gateway of the local ISP.

 

Problem is: there is no kind of filtering happening. So, how can I ensure that my DMVPN routers are only able to negotiate (IPsec) tunnels with their own peers (my company's routers) and not with an unknown "bad actor" (a router not under my control) somewhere in the world?

 

A firewall on each location would be the perfect answer, I know. But there are 300+ locations and the firewalls would have to be redundant, so we're talking about 600+ firewall boxes (not cheap at all!).

 

Applying access-lists on the external VRF would be another perfect solution, and doing it once is no big deal.

 

However, this client usually changes ISPs, installs new locations or decommissions old ones.

 

Realize that in any of those cases, I would have to adjust the access-lists on 300+ routers, and these changes happen more often than I would wish.

 

An automation tool, bought or developed, could handle the access-list propagation on all devices in order to maintain them in sync. But I have no such tools now.

 

What would you suggest to solve the problem?

 

Thanks in advance,

Fábio Rocha.
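One way to take the access-list approach and keep it maintainable across 300+ routers, as an added example that is not part of this thread and not Cisco's code: a small Python generator that renders the same object-group/ACL pattern R2 already carries (FILTRA-MPLS-IN) from a central peer inventory, so each router's ACL is derived from one source of truth instead of hand-edited when an ISP, site or address changes. The `Router` class, the inventory addresses, the `DMVPN-PEERS` group name and the R4 entry are constructed for the example; the `non500-isakmp` lines (IKE over NAT-T, UDP/4500) go beyond the ACL shown in the thread.

```python
"""Render a per-router DMVPN peer filter from a central inventory (added example).

Pattern follows the FILTRA-MPLS-IN ACL in the thread: IKE, ESP and GRE towards the
tunnel source are accepted only from known peer NBMA addresses, anything else is
denied and logged, and the rest of the traffic is left untouched.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str         # hostname, also used as the object-group name
    nbma: str         # underlay (tunnel source) address
    underlay_if: str  # interface that carries the underlay address


# Constructed inventory; in a real deployment this comes from IPAM/CMDB.
INVENTORY = [
    Router("R1", "10.222.11.1", "GigabitEthernet2"),
    Router("R2", "10.222.22.1", "GigabitEthernet2"),
    Router("R3", "10.222.33.1", "GigabitEthernet2"),
]


def build_peer_filter(local, inventory, acl_name="FILTRA-MPLS-IN"):
    """Return the IOS CLI lines for `local`, allowing tunnel traffic only from the other routers."""
    peers = sorted((r for r in inventory if r.name != local.name), key=lambda r: r.name)
    local_grp = f"{local.name}-INT"
    lines = [f"object-group network {local_grp}", f" host {local.nbma}"]
    for p in peers:
        lines += [f"object-group network {p.name}", f" host {p.nbma}"]
    lines.append("object-group network DMVPN-PEERS")
    lines += [f" group-object {p.name}" for p in peers]
    src, dst = "object-group DMVPN-PEERS", f"object-group {local_grp}"
    lines += [
        f"ip access-list extended {acl_name}",
        f" permit udp {src} {dst} eq isakmp",
        f" permit udp {src} {dst} eq non500-isakmp",  # IKE over NAT-T (UDP/4500); not in the thread's ACL
        f" permit esp {src} {dst}",
        f" permit gre {src} {dst}",
        " remark // Block IKE, IPsec and GRE from anywhere else",
        f" deny udp any {dst} eq isakmp log",
        f" deny udp any {dst} eq non500-isakmp log",
        f" deny esp any {dst} log",
        f" deny gre any {dst} log",
        " remark // Allow everything else",
        " permit ip any any",
        f"interface {local.underlay_if}",
        f" ip access-group {acl_name} in",
    ]
    return lines


def config_delta(old_lines, new_lines):
    """Lines to add and lines to remove when the inventory changes (for review before pushing)."""
    added = [l for l in new_lines if l not in old_lines]
    removed = [f"no {l.strip()}" for l in old_lines if l not in new_lines]
    return added, removed


if __name__ == "__main__":
    r2 = INVENTORY[1]
    before = build_peer_filter(r2, INVENTORY)
    print("\n".join(before))
    # A new site comes up: regenerate and show only what changes on R2.
    after = build_peer_filter(r2, INVENTORY + [Router("R4", "10.222.44.1", "GigabitEthernet2")])
    added, removed = config_delta(before, after)
    print("\n# to add:", *added, sep="\n")
    print("\n# to remove:", *removed, sep="\n")
```

The delta is only a review aid: a removed `host` entry has to be issued inside its object-group, and the "deny ... log" hits are what tell you an unknown address tried IKE, ESP or GRE against a router, which is the detection side of the same control.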

Hello,

 

Sorry for my late reply. Typically, DMVPN peer authentication and tunnel keys should be sufficient to secure the tunnels and prevent 'rogue' routers from connecting to your network.

 

interface Tunnel1
ip nhrp authentication cisco123 ==> NHRP authentication key
ip nhrp map multicast dynamic
ip nhrp network-id 101 ! NHRP identifier
tunnel key 101 --> must be the same on all tunnels

 

If you add IPsec to your DMVPN (and possibly next-generation DH groups, > 21), that should be more than enough to secure your network.
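A way to check the settings named above across a whole fleet rather than by eye, as an added example that is not from this thread or from Cisco: a small Python audit that parses the tunnel stanzas out of `show run` text and reports, per router, which of `ip nhrp authentication`, `ip nhrp network-id`, `tunnel key` and `tunnel protection ipsec profile` are missing, and which of the first three disagree between routers that share the same tunnel interface. The three sample configs are constructed from the Tunnel201 stanzas in the thread, with R3's tunnel key deliberately changed to 202 to show a mismatch; `tunnel protection ipsec profile` is the IOS command that attaches IPsec to a tunnel and is absent from all three, which the audit flags.

```python
"""Audit DMVPN tunnel protection settings across several IOS running-configs (added example)."""
import re

# Constructed sample configs modelled on the Tunnel201 stanzas in the thread.
# R3's tunnel key is changed to 202 on purpose; none of them has IPsec protection.
SAMPLE_CONFIGS = {
    "R1": """\
interface Tunnel201
 ip address 10.88.251.1 255.255.255.0
 ip nhrp authentication lab
 ip nhrp network-id 201
 tunnel mode gre multipoint
 tunnel key 201
!
interface GigabitEthernet2
 ip address 10.222.11.1 255.255.255.0
!
""",
    "R2": """\
interface Tunnel201
 ip address 10.88.251.2 255.255.255.0
 ip nhrp authentication lab
 ip nhrp network-id 201
 tunnel mode gre multipoint
 tunnel key 201
!
""",
    "R3": """\
interface Tunnel201
 ip address 10.88.251.3 255.255.255.0
 ip nhrp authentication lab
 ip nhrp network-id 201
 tunnel mode gre multipoint
 tunnel key 202
!
""",
}

# Settings every DMVPN tunnel should carry; the first three must match fleet-wide.
CHECKS = {
    "nhrp_auth": re.compile(r"^\s*ip nhrp authentication (\S+)$"),
    "network_id": re.compile(r"^\s*ip nhrp network-id (\d+)$"),
    "tunnel_key": re.compile(r"^\s*tunnel key (\d+)$"),
    "ipsec_profile": re.compile(r"^\s*tunnel protection ipsec profile (\S+)"),
}
SHARED = ("nhrp_auth", "network_id", "tunnel_key")


def parse_interfaces(config_text):
    """Map interface name -> its sub-command lines; a stanza ends at '!' or 'end'."""
    stanzas, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.strip() in ("!", "end"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_tunnel(lines):
    """Return (values found, names of missing settings) for one tunnel stanza."""
    found = {}
    for name, rx in CHECKS.items():
        for line in lines:
            m = rx.match(line)
            if m:
                found[name] = m.group(1)
                break
    return found, [n for n in CHECKS if n not in found]


def audit_fleet(configs):
    """Per-(router, tunnel) findings plus shared settings whose values differ across routers."""
    findings = {}
    for router, text in configs.items():
        for ifname, lines in parse_interfaces(text).items():
            if ifname.startswith("Tunnel"):
                found, missing = audit_tunnel(lines)
                findings[(router, ifname)] = {"values": found, "missing": missing}
    mismatches = []
    for ifname in sorted({i for _, i in findings}):
        for name in SHARED:
            vals = {f["values"].get(name) for (_, i), f in findings.items() if i == ifname}
            vals.discard(None)
            if len(vals) > 1:
                mismatches.append((ifname, name, sorted(vals)))
    return findings, mismatches


if __name__ == "__main__":
    findings, mismatches = audit_fleet(SAMPLE_CONFIGS)
    for (router, ifname), f in sorted(findings.items()):
        print(f"{router} {ifname}: missing={f['missing']} values={f['values']}")
    for ifname, name, vals in mismatches:
        print(f"MISMATCH on {ifname}: {name} differs across routers: {vals}")
```

Feed it the real `show run` outputs (one string per router) and the same two questions come back: which tunnels lack a setting, and which routers drifted from the rest of the cloud.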

Hey Georg,

 

You're technically correct, but you're not considering all possible cases. Let's consider, for example, that one of your routers got stolen. Now the robber has all the information he or she needs to connect to your network, right?

 

If you notice the theft you can change all the keys (tunnel key, NHRP auth, IPsec keys, etc.). However, what happens if your DMVPN has 300+ routers? That's simply not an easy or fast change to make. Do you see the point?

 

There are also other examples. Let's say you have a remote router somewhere and someone with physical access to it performs the password recovery procedure and steals your config. In this case you might see that the router has been rebooted, but you might not realize that someone silently stole your config. (I know there are means to prevent that, like disabling password recovery entirely.)

 

But there is yet another example: what about an insider attack? Someone got fired and is angry for whatever reason; that guy had access to the router configs and took a backup with him. What now?

 

Are you going to change the credentials every time someone leaves the company? How can we know whether someone who just left didn't take your config away?

 

Another innocent case: someone who works in the company just makes a copy of the config in order to study it at home. Let's say this guy doesn't really understand DMVPN, finds its configuration complex and has a very good reason to make copies and set up an emulator to study the config. That guy might have friends also interested in learning the same subject, and then he shares the config with his pals. Or even worse, he shares the full config on a forum like this one (without removing the keys?).

 

Another possible case: you contract a vendor to physically go to a remote location to set up a new DMVPN site. That vendor (which may subcontract yet another company to do the job) makes a backup of the full config at the end of their work (to present as proof of work done, or simply to add it to some project documentation).

 

That contractor or subcontractor now has your full config and keys.

 

So, I hope you can see the point now. Believing you're secure simply because of NHRP authentication or IPsec keys or even certificates IS NOT ENOUGH. This is simply security through obscurity, meaning that if someone ever gets a copy of your config somehow, all the "security" is gone.

 

That's why I firmly believe that it is important to identify your DMVPN peers by IP address, for example. That would put another barrier in front of an adversary trying to connect to your network, so if the secrecy of the config is lost, there would be a second layer of security to protect you (the concept of defense in depth).

 

There is YET ANOTHER big issue with DMVPN security that most people seem to ignore; I discovered it myself after 4 years working with the technology... it might be a big hole if not understood properly. The documentation doesn't make this point clear, so it's something very easy to overlook.

 

Of course, I won't discuss it in a public forum, but you can send me a PM if you have any interest in seeing my point of view.

 

Thanks for your help.

Sincerely,

Fábio Rocha.