Monthly Archives: February 2017

DMVPN Phase 1

Cisco, DMVPN, VPN, , , , , , , , , ,
DMVPN Phase 1 – Hub to Spoke Design

DMVPN Phase 1 provides Hub and Spoke tunnel deployment. It means GRE tunnels are only built between Hub and Spokes. There is no spoke-to-spoke tunnel. Traffic from one spoke site to another spoke site always traverse via hub.

Check this link for DMVPN basics – http://www.amolak.net/dmvpn-basics/

We will discuss DMVPN Phase 1 configuration with:

  • EIGRP
  • OSPF
  • BGP

Here is the network topology for our discussion and configuration.

Initial configuration on devices
Site-1 Router R1:

hostname R1
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface FastEthernet0/0
 ip address 1.1.14.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4
!

Site-2 Router R2:

hostname R2
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface FastEthernet0/0
 ip address 1.1.24.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.1.24.4
!

Site-3 Router R3: 

hostname R3
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface FastEthernet0/0
 ip address 1.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.3.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.1.34.4
!

Internet Router R4:

hostname R4
!
interface FastEthernet0/0
 ip address 1.1.14.4 255.255.255.0
!
interface FastEthernet0/1
 ip address 1.1.24.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 1.1.34.4 255.255.255.0
!
DMVPN NBMA Network Behavior

DMVPN creates Non Broadcast Multi Access (NBMA) networks. By default, NBMA network do not support multicast traffic and multicast traffic is required to enable dynamic routing protocols.

ip nhrp map multicast dynamic command is used under hub router tunnel interface to enable support of multicast traffic. This allows each spoke to register as a receiver of multicast traffic, causing the hub to replicate and forward multicast traffic to the spoke routers.

“ip nhrp map multicast <hub nbma ip>” command is used under spoke routers tunnel interface. It ensures multicast traffic is sent only from spokes to the hub and not from spoke to spoke.

With this set up, routing adjacencies are only formed between hub and spokes. Spokes do not form routing adjacencies with each other.

ip nhrp network-id

The NHRP network ID is used to define the NHRP domain for an NHRP interface and differentiate between multiple NHRP domains or networks, when two or more NHRP domains (GRE tunnel interfaces) are available on the same NHRP router. The NHRP network ID is used to help keep two NHRP networks (clouds) separate from each other when both are configured on the same router. NHRP network IDs are locally significant and can be different.

DMVPN Phase 1 configuration with EIGRP
----------
R1 - Hub:
----------

Since all spoke routers are configured with tunnel mode GRE (p2p GRE), they can send traffic via Hub only. So spoke routers do not require specific routes of each other. Hub router would advertise a single EIGRP summary route to all spoke routers. Basically Hub router is telling spokes if you want to reach any specific subnet from this summary route, send that traffic to me, I will forward it to actual destination spoke site.

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROTECT-GRE
!
router eigrp 100
 network 10.10.1.1 0.0.0.0
 network 192.168.1.1 0.0.0.0

------------
R2 - Spoke: 
------------

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router eigrp 100
 network 10.10.2.2 0.0.0.0
 network 192.168.1.2 0.0.0.0

-----------
R3 - Spoke:
-----------

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router eigrp 100
 network 10.10.3.3 0.0.0.0
 network 192.168.1.3 0.0.0.0

Verification:

- Tunnel mode is mGRE on Hub Router.
- Tunnel mode is GRE (Point-to-Point GRE) on Spoke Routers.
 
 R1:
 
 R1#sh int t0
 Tunnel0 is up, line protocol is up 
   Hardware is Tunnel
   Internet address is 192.168.1.1/24
   MTU 17874 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
      reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation TUNNEL, loopback not set
   Keepalive not set
   Tunnel source 1.1.14.1 (FastEthernet0/0)
    Tunnel Subblocks:
       src-track:
          Tunnel0 source tracking subblock associated with FastEthernet0/0
           Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
   Tunnel protocol/transport multi-GRE/IP
     Key disabled, sequencing disabled
     Checksumming of packets disabled
   Tunnel TTL 255, Fast tunneling enabled
   Tunnel transport MTU 1434 bytes
   Tunnel transmit bandwidth 8000 (kbps)
   Tunnel receive bandwidth 8000 (kbps)
   Tunnel protection via IPSec (profile "PROTECT-GRE")
  <snip>
 
 R2:
 
 R2#sh int t0
 Tunnel0 is up, line protocol is up 
   Hardware is Tunnel
   Internet address is 192.168.1.2/24
   MTU 17874 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
      reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation TUNNEL, loopback not set
   Keepalive not set
   Tunnel source 1.1.24.2 (FastEthernet0/0), destination 1.1.14.1
    Tunnel Subblocks:
       src-track:
          Tunnel0 source tracking subblock associated with FastEthernet0/0
           Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
   Tunnel protocol/transport GRE/IP
     Key disabled, sequencing disabled
     Checksumming of packets disabled
   Tunnel TTL 255, Fast tunneling enabled
   Tunnel transport MTU 1434 bytes
   Tunnel transmit bandwidth 8000 (kbps)
   Tunnel receive bandwidth 8000 (kbps)
   Tunnel protection via IPSec (profile "PROTECT-GRE")
  <snip>
 
 R3:
 
 R3#sh int t0
 Tunnel0 is up, line protocol is up 
   Hardware is Tunnel
   Internet address is 192.168.1.3/24
   MTU 17874 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
      reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation TUNNEL, loopback not set
   Keepalive not set
   Tunnel source 1.1.34.3 (FastEthernet0/0), destination 1.1.14.1
    Tunnel Subblocks:
       src-track:
          Tunnel0 source tracking subblock associated with FastEthernet0/0
           Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
   Tunnel protocol/transport GRE/IP
     Key disabled, sequencing disabled
     Checksumming of packets disabled
   Tunnel TTL 255, Fast tunneling enabled
   Tunnel transport MTU 1434 bytes
   Tunnel transmit bandwidth 8000 (kbps)
   Tunnel receive bandwidth 8000 (kbps)
   Tunnel protection via IPSec (profile "PROTECT-GRE")
  <snip>
 
 
 - Routing adjacencies are Hub to Spokes only
 
 R1#show ip eigrp neighbors 
 EIGRP-IPv4 Neighbors for AS(100)
 H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                    (sec)         (ms)       Cnt Num
 1   192.168.1.3             Tu0                      11 00:19:56  191  1146  0  16
 0   192.168.1.2             Tu0                      14 00:19:56  178  1068  0  16
 
 R2#show ip eigrp neighbors
 EIGRP-IPv4 Neighbors for AS(100)
 H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                    (sec)         (ms)       Cnt Num
 0   192.168.1.1             Tu0                      11 00:20:37  779  4674  0  10
 
 R3#show ip eigrp neighbors
 EIGRP-IPv4 Neighbors for AS(100)
 H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                    (sec)         (ms)       Cnt Num
 0   192.168.1.1             Tu0                      14 00:20:39  183  1098  0  11 
 
 - Routing Table
 
 R1#show ip route eigrp | beg Gate
 Gateway of last resort is 1.1.14.4 to network 0.0.0.0
 
       10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
 D        10.10.0.0/16 is a summary, 00:14:48, Null0
 D        10.10.2.0/24 [90/1907456] via 192.168.1.2, 00:22:02, Tunnel0
 D        10.10.3.0/24 [90/1907456] via 192.168.1.3, 00:22:04, Tunnel0
 
 R2#show ip route eigrp | beg Gate
 Gateway of last resort is 1.1.24.4 to network 0.0.0.0
 
       10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
 D        10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:15:06, Tunnel0
 
 R3#show ip route eigrp | beg Gate
 Gateway of last resort is 1.1.34.4 to network 0.0.0.0
 
       10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
 D        10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:15:17, Tunnel0
 
 
 - Spoke (R2) to Spoke (R3) traffic traverse via Hub
 
 R2#ping 10.10.3.3 so 10.10.2.2
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
 Packet sent with a source address of 10.10.2.2 
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 192/199/212 ms
 
 R2#trace 10.10.3.3 so 10.10.2.2
 Type escape sequence to abort.
 Tracing the route to 10.10.3.3
 VRF info: (vrf in name/id, vrf out name/id)
   1 192.168.1.1 144 msec 140 msec 136 msec   << Hub R1 Tunnel IP    
   2 192.168.1.3 204 msec *  196 msec         << Spoke R3 Tunnel IP


- DMVPN status on Hub
 
 R1#sh dmvpn
 Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
         N - NATed, L - Local, X - No Socket
         # Ent --> Number of NHRP entries with same NBMA peer
         NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
         UpDn Time --> Up or Down Time for a Tunnel
 ======================================================================
 Interface: Tunnel0, IPv4 NHRP Details 
 Type:Hub, NHRP Peers:2, 
 
  # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
  ----- --------------- --------------- ----- -------- -----
      1 1.1.24.2            192.168.1.2    UP 01:21:07     D
      1 1.1.34.3            192.168.1.3    UP 01:21:11     D
 
R1#sh ip nhrp 
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 01:50:50, expire 01:29:09
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.24.2 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 01:50:54, expire 01:29:05
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.34.3 

 - DMVPN status on Spoke Routers
 
 R2#sh dmvpn
 Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
         N - NATed, L - Local, X - No Socket
         # Ent --> Number of NHRP entries with same NBMA peer
         NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
         UpDn Time --> Up or Down Time for a Tunnel
 =====================================================================
 Interface: Tunnel0, IPv4 NHRP Details 
 Type:Spoke, NHRP Peers:1, 
 
  # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
  ----- --------------- --------------- ----- -------- -----
      1 1.1.14.1            192.168.1.1    UP 01:22:47     S
 
R2#sh ip nhrp
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:53:57, never expire 
   Type: static, Flags: 
   NBMA address: 1.1.14.1 
 R3#sh dmvpn
 Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
         N - NATed, L - Local, X - No Socket
         # Ent --> Number of NHRP entries with same NBMA peer
         NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
         UpDn Time --> Up or Down Time for a Tunnel
 ====================================================================
 Interface: Tunnel0, IPv4 NHRP Details 
 Type:Spoke, NHRP Peers:1, 
 
  # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
  ----- --------------- --------------- ----- -------- -----
      1 1.1.14.1            192.168.1.1    UP 01:23:09     S


R3#sh ip nhrp
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:54:39, never expire 
   Type: static, Flags: 
   NBMA address: 1.1.14.1 
 DMVPN Phase 1 configuration with OSPF
- Hub router tunnel would be OSPF network type point-to-multipoint
- Spoke routers tunnel would be OSPF network type point-to-point
- OSPF hello timers must match on tunnel interface on Hub and Spokes
- Route summarization is not feasible in single OSPF area

R1:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROTECT-GRE
!
router ospf 1
 network 10.10.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0

R2:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router ospf 1
 network 10.10.2.2 0.0.0.0 area 0
 network 192.168.1.2 0.0.0.0 area 0

R3:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router ospf 1
 network 10.10.3.3 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0
 Verification
R1:

R1#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 2, Adjacent neighbor count is 2 
    Adjacent with neighbor 192.168.1.3
    Adjacent with neighbor 192.168.1.2
  Suppress hello for 0 neighbor(s)

R1#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.3       0   FULL/  -        00:00:33    192.168.1.3     Tunnel0
192.168.1.2       0   FULL/  -        00:00:34    192.168.1.2     Tunnel0

R1#show ip route ospf | beg Gate
Gateway of last resort is 1.1.14.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.2.0/24 [110/25] via 192.168.1.2, 00:04:05, Tunnel0
O        10.10.3.0/24 [110/25] via 192.168.1.3, 00:03:45, Tunnel0

R2:

R2#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.2/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.2, Network Type POINT_TO_POINT, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:08
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.1.1
  Suppress hello for 0 neighbor(s)

R2#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       0   FULL/  -        00:00:31    192.168.1.1     Tunnel0

R2#show ip route ospf | beg Gate
Gateway of last resort is 1.1.24.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.1.0/24 [110/25] via 192.168.1.1, 00:05:12, Tunnel0
O        10.10.3.0/24 [110/49] via 192.168.1.1, 00:04:35, Tunnel0
      192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
O        192.168.1.1/32 [110/24] via 192.168.1.1, 00:05:12, Tunnel0


R3:

R3#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.3/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.3, Network Type POINT_TO_POINT, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:02
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.1.1
  Suppress hello for 0 neighbor(s)

R3#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       0   FULL/  -        00:00:31    192.168.1.1     Tunnel0

R3#show ip route ospf | beg Gate
Gateway of last resort is 1.1.34.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.1.0/24 [110/25] via 192.168.1.1, 00:05:40, Tunnel0
O        10.10.2.0/24 [110/49] via 192.168.1.1, 00:05:40, Tunnel0
      192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
O        192.168.1.1/32 [110/24] via 192.168.1.1, 00:05:40, Tunnel0


Spoke to Spoke traffic:

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/201/208 ms

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 152 msec 120 msec 164 msec   << Hub Tunnel IP
  2 192.168.1.3 236 msec *  220 msec         << Spoke-3 Tunnel IP
DMVPN Phase 1 configuration with BGP
- "bgp listen range ....." command can be used to define a range of IP address of BGP neighbors on hub router
- "bgp listen limit xx" command can be used to set the limit of dynamic BGP neighbors
- Hub router would act as BGP Route-reflector server
- Spoke routers would be BGP route-reflector clients
- As spokes would communicate via hub only, it is inefficient to advertise all specific prefixes to spoke BGP peers
- Hub Router would advertise summary route to spokes

R1:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp network-id 100
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROTECT-GRE
!
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group DMVPN-SPOKES
 bgp listen limit 50
 network 10.10.1.0 mask 255.255.255.0
 aggregate-address 10.10.0.0 255.255.0.0 summary-only
 neighbor DMVPN-SPOKES peer-group
 neighbor DMVPN-SPOKES remote-as 65001
 neighbor DMVPN-SPOKES route-reflector-client

R2: 

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router bgp 65001
 bgp router-id 192.168.1.2
 bgp log-neighbor-changes
 network 10.10.2.0 mask 255.255.255.0
 neighbor 192.168.1.1 remote-as 65001

R3:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router bgp 65001
 bgp router-id 192.168.1.3
 bgp log-neighbor-changes
 network 10.10.3.0 mask 255.255.255.0
 neighbor 192.168.1.1 remote-as 65001
Verification
R1:

R1#show ip bgp summary 
BGP router identifier 192.168.1.1, local AS number 65001
BGP table version is 8, main routing table version 8
4 network entries using 592 bytes of memory
4 path entries using 256 bytes of memory
3/3 BGP path/bestpath attribute entries using 408 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1256 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*192.168.1.2    4        65001      38      40        8    0    0 00:30:25        1
*192.168.1.3    4        65001      37      39        8    0    0 00:30:09        1
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1

BGP peergroup DMVPN-SPOKES listen range group members: 
  192.168.1.0/24 

Total dynamically created neighbors: 2/(50 max), Subnet ranges: 1

R1#show ip bgp
BGP table version is 8, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.0.0/16     0.0.0.0                            32768 i
 s>  10.10.1.0/24     0.0.0.0                  0         32768 i
 s>i 10.10.2.0/24     192.168.1.2              0    100      0 i
 s>i 10.10.3.0/24     192.168.1.3              0    100      0 i

R1#show ip route bgp | beg Gate
Gateway of last resort is 1.1.14.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
B        10.10.0.0/16 [200/0] via 0.0.0.0, 00:30:49, Null0
B        10.10.2.0/24 [200/0] via 192.168.1.2, 00:30:49
B        10.10.3.0/24 [200/0] via 192.168.1.3, 00:29:46

R2:

R2#show ip bgp sum
BGP router identifier 192.168.1.2, local AS number 65001
BGP table version is 5, main routing table version 5
2 network entries using 296 bytes of memory
2 path entries using 128 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 696 total bytes of memory
BGP activity 3/1 prefixes, 3/1 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4        65001      41      40        5    0    0 00:31:43        1

R2#show ip bgp
BGP table version is 5, local router ID is 192.168.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.10.0.0/16     192.168.1.1              0    100      0 i
 *>  10.10.2.0/24     0.0.0.0                  0         32768 i

R2#show ip route bgp | beg Gate 
Gateway of last resort is 1.1.24.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        10.10.0.0/16 [200/0] via 192.168.1.1, 00:31:53

R3:

R3#show ip bgp sum
BGP router identifier 192.168.1.3, local AS number 65001
BGP table version is 3, main routing table version 3
2 network entries using 296 bytes of memory
2 path entries using 128 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 696 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4        65001      41      39        3    0    0 00:32:08        1

R3#show ip bgp
BGP table version is 3, local router ID is 192.168.1.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.10.0.0/16     192.168.1.1              0    100      0 i
 *>  10.10.3.0/24     0.0.0.0                  0         32768 i

R3#show ip route bgp | beg Gate
Gateway of last resort is 1.1.34.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        10.10.0.0/16 [200/0] via 192.168.1.1, 00:31:29

Spoke-to-Spoke traffic:

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 180/192/204 ms

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 140 msec 176 msec 140 msec   << Hub Tunnel IP
  2 192.168.1.3 224 msec *  220 msec         << Spoke-3 Tunnel IP

As we have seen that spoke-to-spoke traffic always traverse via hub in phase 1 design. In a large network, It increases overhead on hub router. Also spokes has to use sub-optimal routing path for traffic between spoke sites. The shortcomings of DMVPN phase 1 are addressed in Phase 2 design, which we will discuss in next blog.

DMVPN Basics

Cisco, DMVPN, VPN,
What is DMVPN?

DMVPN is a Cisco solution to build easy,dynamic and scalable IPsec+GRE VPNs to connect multiple sites in partial or full mesh network topology.

DMVPN components
  • CEF (Cisco Express Forwarding)
  • GRE (Generic Routing Encapsulation Protocol) – GRE, mGRE (Multipoint GRE)
  • NHRP (Next Hop Resolution Protocol)
  • Dynamic Routing protocol
  • IPsec Encryption Protocols
DMVPN Terminology
  • NBMA IP Address – Typically a public IP address on internet facing interface
  • Tunnel IP Address – GRE Tunnel interface IP address
  • NHS (Next Hop Server) – DMVPN Hub Router(s)
  • NHC (Next Hop Client) – DMVPN Spoke Router(s)
Type of IP Addresses in GRE or mGRE with DMVPN
  • Hub & Spokes Public IP address are called Infrastructure IP Address, Outside IP Address, Service Provider Address or NBMA IP Address, all names has same meaning.
  • Hub & Spokes Private IP Addresses (Tunnel IP Address ) are also called Enterprise Addressing space, Inside address.
NHRP – Next Hop Resolution Protocol
  • Next Hop Resolution Protocol (NHRP) is a client and server protocol where the hub acts as the NHRP server (NHS), and the spokes are the NHRP clients (NHC).
  • NHRP can have static or dynamic mappings of Tunnel IP Address to NBMA IP Address.
  • The Hub router maintains NHRP database.
How DMVPN Works?
  • Initially each spoke establish a permanent GRE+IPsec tunnel to the hub. The hub address should be static and known by all the spokes.
  • Each spoke registers its NBMA IP Address as a client to the NHRP server on the hub. The NHRP server maintains an NHRP database of public interface IP address for each spoke.
  • When a spoke requires that packets be sent to a destination subnet on another spoke, it sends a query to NHRP server to get information of NBMA address of the other spoke so that it can build direct tunnel.
  • The NHRP server looks up the NHRP database for the corresponding destination spoke and replies with the NBMA address for the target router.
  • After the originating spoke learns the NBMA IP Address of the target spoke, it initiates a dynamic IPsec tunnel to the target spoke.
  • With the integration of the multipoint GRE (mGRE) interface, NHRP and IPsec, a direct dynamic spoke-to-spoke tunnel is established over the DMVPN network.
  • Adding a new spoke router to the DMVPN requires no configuration on the hub. The spoke is configured with the hub information and dynamically registers with the hub router.
DMVPN Network Designs
Phase 1 – Hub to Spoke Design
  • mGRE tunnel is configured at Hub and GRE tunnel is configured on the spokes
  • Multicast or Unicast traffic flow between Hub & Spokes only
  • No Spoke-to-Spoke traffic flow
  • Spoke-to-Spoke traffic traverse via the Hub
  • Route Summarization at Hub
Phase 2 – Spoke to Spoke Design
  • Hub & all Spokes will be configured with mGRE tunnel
  • Spoke-to-Spoke traffic traverse via direct dynamic VPN tunnel
  • Route Summarization not feasible
Phase 3 – Hierarchical (Tree-Based) Design
  • Phase 3 extends Phase 2 design with the capability to establish dynamic and direct spoke-to-spoke tunnels from different DMVPN networks across multiple regions.
  • All regional DMVPN networks are bound together to form a single hierarchical (tree-based) DMVPN network, including the central Hubs.
  • Hub & all Spokes will be configured with mGRE tunnel
  • Spoke-to-Spoke traffic from different regions can establish direct tunnel with each other, thereby bypassing both the regional and central hubs.
Stay tuned for different DMVPN configurations in next blogs!