IOS 15.0 Security Enhancements and Improvements, Part 2

This post is the second in a series of articles on the new security features in IOS 15.0. The topic here is Dynamic Multipoint Virtual Private Networks (DMVPNs), and the new feature under discussion is Tunnel Health Monitoring and Recovery.

Before the specifics of monitoring and recovery can be delineated, a quick review of some key DMVPN concepts is in order. These VPNs are the exclusive domain of the Cisco IOS router and are typically built in a hub-and-spoke topology. A primary objective in most deployments of this technology is resiliency in addition to flexibility: running a routing protocol over the Generic Routing Encapsulation (GRE) tunnels provides the resiliency, while allowing the remote routers (spokes) to have dynamic public IP addresses provides the flexibility. A protocol critical to the success of any DMVPN is NHRP (Next Hop Resolution Protocol), described in RFC 2332. It provides a query-response system in which each spoke registers with the hub (the next-hop server), mapping its private GRE tunnel interface address to its current public (NBMA) address, so that spokes can later resolve one another's tunnel addresses to public addresses and build direct spoke-to-spoke tunnels.

The DMVPN enhancements in IOS 15.0 for monitoring and recovery are centered around two key areas:

  1. Notification via SNMP and syslog for NHRP and DMVPN events, and
  2. Tunnel interface state control, which dynamically brings the tunnel interface down when NHRP registration with the hub fails.

For the first of these, the document referenced below mentions that SNMP must be enabled for the health monitoring/recovery feature to be usable. An added benefit of the syslog notifications is that they provide valuable troubleshooting information for DMVPN functional problems such as cryptographic errors, NHRP client-server (spoke-to-hub) reachability and configuration errors, as well as reporting on excessive amounts of NHRP traffic.
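The following spoke configuration is an added example, not taken from the original post or from Cisco's documentation, showing how the two pieces above fit together on an IOS 15.0 tunnel interface: `logging dmvpn` turns on the rate-limited NHRP/DMVPN syslog messages, the `snmp-server` lines make the router reachable by an NMS, and `if-state nhrp` ties the tunnel's line protocol to NHRP registration with the hub. All addresses (10.0.0.0/24 tunnel network, hub NBMA address 203.0.113.1, NMS at 192.0.2.50), names (`DMVPN-PROF`, `DMVPN-TS`, community string `dmvpnmon`), keys and the rate-limit value are assumptions chosen for illustration. The exact `snmp-server enable traps` keyword for DMVPN/NHRP traps is not shown because it varies by release; check it with `snmp-server enable traps ?` on the target image.

```cisco
! --- Global: syslog and SNMP for DMVPN health monitoring (assumed values) ---
! Enable NHRP/DMVPN syslog messages, capped at 60 per minute so a flapping
! spoke or an NHRP flood cannot drown the log.
logging dmvpn rate-limit 60
! SNMP must be enabled for the monitoring feature; use a read-only community
! and an explicit trap receiver (both values are assumptions).
snmp-server community dmvpnmon RO
snmp-server host 192.0.2.50 version 2c dmvpnmon
!
! --- IPsec protection for the GRE tunnels (assumed names) ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! PSK bound to the hub's public address; a 0.0.0.0 wildcard key is weaker.
crypto isakmp key ExampleSharedSecret address 203.0.113.1
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- Spoke mGRE tunnel (assumed addressing) ---
interface Tunnel0
 description DMVPN spoke to hub
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ! NHRP authentication string is sent in the clear; it is a sanity check,
 ! not a secret, so the real protection is the IPsec profile below.
 ip nhrp authentication dmvpnauth
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ! Tunnel Health Monitoring and Recovery: if registration with the NHS
 ! fails, the tunnel line protocol goes down, the routing protocol withdraws
 ! the routes learned over it, and traffic can fail over to a backup path.
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```

To verify, `show ip nhrp nhs detail` reports whether the spoke is registered with the hub and `show dmvpn` shows the tunnel state; with `if-state nhrp` applied, the `show interfaces Tunnel0` line protocol should go down shortly after the hub becomes unreachable. One caveat: the interface only helps recovery if there is somewhere to recover to. A spoke with a single hub and no backup hub or backup WAN path will simply blackhole its VPN traffic during a transient NHRP outage, so pair `if-state nhrp` with a second NHS or a floating static route.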

By including robust notification mechanisms for the DMVPN tunnels, and by having the router bring the tunnel interface down when it detects poor "health" (a failed NHRP registration), overall VPN availability should improve, and those responsible for network monitoring and support gain valuable diagnostic and troubleshooting tools.

Author: Doug McKillip


