Daily Archives: March 16, 2017

2547oDMVPN – MPLS over DMVPN

BGP/MPLS VPN was initially defined in RFC2547, which was later obsoleted by RFC4367 and updated by some other RFCs.

2547oDMVPN is also known as MPLS VPN over DMVPN. This solution extends MPLS VPN to the branches. Because the branches in this deployment are connected to the hub through a Layer 3 SP service, a tunneled model using GRE is needed to extend MPLS to them. DMVPN provides two key advantages for extending MPLS VPNs to the branches: bulk encryption and a scalable overlay model. DMVPN allows the hub to support large numbers of spokes with a single multipoint GRE tunnel interface. To seamlessly extend the enterprise MPLS Layer 3 VPN network to the remote branches (spokes), Cisco recommends that the DMVPN hub be a P device that label switches packets between the hub and the branches.

The MPLS network requires packets to be label switched all the way between source PEs and destination PEs. Running MPLS over DMVPN tunnels makes the remote branch router a full-function PE router, which means label imposition is done in the branch router and label switching must be performed all the way between spokes. This requirement makes direct spoke-to-spoke communication impossible, because there is no label allocation mechanism on the dynamically created spoke-to-spoke tunnels. However, label switching between spoke PE routers is easily done if a spoke-hub-spoke switching path is implemented. With this approach, the hub router acts as an MPLS P router, maintains the LDP neighbor relationship, and exchanges label allocation information with all spoke routers. The hub router label switches the packets in and out of the mGRE interface between the spokes. So we have to use a DMVPN Phase 1 design for this deployment, where spoke-to-spoke traffic traverses the hub.

While this solution gives up the benefit of dynamically built spoke-to-spoke tunnels, it provides an acceptable and often more deterministic path for spoke-to-spoke communication and meets the segmentation requirement. It is a very attractive solution when a large enterprise needs to extend its MPLS-segmented data center or large campus to remote branches.

We will use the following network topology for this discussion.

Configuration
R1 - PE1 Router

hostname R1
!
vrf definition CUST-ABC
 rd 100:65001
 !
 address-family ipv4
  route-target export 100:65001
  route-target import 100:65001
 exit-address-family
!
vrf definition CUST-XYZ
 rd 100:65002
 !
 address-family ipv4
  route-target export 100:65002
  route-target import 100:65002
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.10.15.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.10.14.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding CUST-ABC
 ip address 172.16.18.1 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding CUST-XYZ
 ip address 172.16.19.1 255.255.255.0
!
router ospf 1
 router-id 10.0.0.1
!
router bgp 100
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.0.0.4 remote-as 100
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-ABC
  redistribute connected
  neighbor 172.16.18.8 remote-as 65001
  neighbor 172.16.18.8 activate
  neighbor 172.16.18.8 as-override
 exit-address-family
 !
 address-family ipv4 vrf CUST-XYZ
  redistribute connected
  neighbor 172.16.19.9 remote-as 65002
  neighbor 172.16.19.9 activate
  neighbor 172.16.19.9 as-override
 exit-address-family
!

R2 - PE2 Router (DMVPN Spoke)

hostname R2
!
vrf definition CUST-ABC
 rd 100:65001
 !
 address-family ipv4
  route-target export 100:65001
  route-target import 100:65001
 exit-address-family
!
vrf definition CUST-XYZ
 rd 100:65002
 !
 address-family ipv4
  route-target export 100:65002
  route-target import 100:65002
 exit-address-family
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 bandwidth 4096
 ip address 10.10.236.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.67.6
 ip nhrp map 10.10.236.6 1.1.67.6
 ip nhrp network-id 100
 ip nhrp nhs 10.10.236.6
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 mpls ip
 tunnel source FastEthernet0/0
 tunnel destination 1.1.67.6
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.27.2 255.255.255.0
!
interface FastEthernet1/0
 vrf forwarding CUST-ABC
 ip address 172.16.210.2 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding CUST-XYZ
 ip address 172.16.211.2 255.255.255.0
!
router ospf 1
 router-id 10.0.0.2
!
router bgp 100
 bgp router-id 10.0.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.0.0.4 remote-as 100
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-ABC
  redistribute connected
  neighbor 172.16.210.10 remote-as 65001
  neighbor 172.16.210.10 activate
  neighbor 172.16.210.10 as-override
 exit-address-family
 !
 address-family ipv4 vrf CUST-XYZ
  redistribute connected
  neighbor 172.16.211.11 remote-as 65002
  neighbor 172.16.211.11 activate
  neighbor 172.16.211.11 as-override
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 1.1.27.7


R3 - PE3 Router (DMVPN Spoke)

hostname R3
!
vrf definition CUST-ABC
 rd 100:65001
 !
 address-family ipv4
  route-target export 100:65001
  route-target import 100:65001
 exit-address-family
!
vrf definition CUST-XYZ
 rd 100:65002
 !
 address-family ipv4
  route-target export 100:65002
  route-target import 100:65002
 exit-address-family
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Loopback0
 ip address 10.0.0.3 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 bandwidth 4096
 ip address 10.10.236.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.67.6
 ip nhrp map 10.10.236.6 1.1.67.6
 ip nhrp network-id 100
 ip nhrp nhs 10.10.236.6
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 mpls ip
 tunnel source FastEthernet0/0
 tunnel destination 1.1.67.6
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.37.3 255.255.255.0
!
interface FastEthernet1/0
 vrf forwarding CUST-ABC
 ip address 172.16.123.3 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding CUST-XYZ
 ip address 172.16.133.3 255.255.255.0
!
router ospf 1
 router-id 10.0.0.3
!
router bgp 100
 bgp router-id 10.0.0.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.0.0.4 remote-as 100
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-ABC
  redistribute connected
  neighbor 172.16.123.12 remote-as 65001
  neighbor 172.16.123.12 activate
  neighbor 172.16.123.12 as-override
 exit-address-family
 !
 address-family ipv4 vrf CUST-XYZ
  redistribute connected
  neighbor 172.16.133.13 remote-as 65002
  neighbor 172.16.133.13 activate
  neighbor 172.16.133.13 as-override
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 1.1.37.7

R4 - P Router / BGP VPNv4 Route Reflector

hostname R4
!
ip cef
!
interface Loopback0
 ip address 10.0.0.4 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.10.14.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.10.45.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 10.0.0.4
!
router bgp 100
 bgp router-id 10.0.0.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor RR-CLIENTS peer-group
 neighbor RR-CLIENTS remote-as 100
 neighbor RR-CLIENTS update-source Loopback0
 neighbor 10.0.0.1 peer-group RR-CLIENTS
 neighbor 10.0.0.2 peer-group RR-CLIENTS
 neighbor 10.0.0.3 peer-group RR-CLIENTS
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor RR-CLIENTS send-community extended
  neighbor RR-CLIENTS route-reflector-client
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.3 activate
 exit-address-family
!

R5 - P Router

hostname R5
!
ip cef
!
interface Loopback0
 ip address 10.0.0.5 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.10.15.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.10.45.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 ip address 10.10.56.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 10.0.0.5
!

R6 - P Router / DMVPN HUB

hostname R6
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Loopback0
 ip address 10.0.0.6 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 bandwidth 4096
 ip address 10.10.236.6 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 ip ospf 1 area 0
 mpls ip
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 10.10.56.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 description To INTERNET
 ip address 1.1.67.6 255.255.255.0
!
router ospf 1
 router-id 10.0.0.6
!
ip route 0.0.0.0 0.0.0.0 1.1.67.7
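
An added example, not part of the original post: a small Python audit of the IKE/IPsec stanzas that R2, R3 and R6 share. It flags DH group 2 (1024-bit MODP), the wildcard pre-shared key, HMAC-SHA-1 integrity, and any MPLS-enabled tunnel that lacks `tunnel protection`. The function names, finding identifiers and placeholder key are this example's own; the sample is an excerpt of the R2 configuration above.

```python
import re

# Excerpt of the R2 spoke configuration shown above. The pre-shared key is
# replaced with a placeholder; R3 and R6 carry the same crypto stanzas.
R2_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-KEY address 0.0.0.0
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET
!
interface Tunnel0
 ip address 10.10.236.2 255.255.255.0
 mpls ip
 tunnel source FastEthernet0/0
 tunnel destination 1.1.67.6
 tunnel protection ipsec profile PROTECT-GRE
!
"""

WEAK_DH_BITS = {"1": 768, "2": 1024, "5": 1536}  # MODP group -> modulus size
WILDCARD_PSK = re.compile(r"crypto isakmp key .+ address 0\.0\.0\.0( 0\.0\.0\.0)?$")


def stanzas(config):
    """Yield (header, sub-commands) for each top-level IOS stanza."""
    header, body = None, []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body


def audit(config):
    """Return (finding_id, detail) tuples in configuration order."""
    out = []
    for header, body in stanzas(config):
        if header.startswith("crypto isakmp policy"):
            for cmd in body:
                m = re.fullmatch(r"group (\d+)", cmd)
                if m and m.group(1) in WEAK_DH_BITS:
                    bits = WEAK_DH_BITS[m.group(1)]
                    out.append(("weak-dh-group", f"{header}: {cmd} is {bits}-bit MODP"))
        elif WILDCARD_PSK.match(header):
            out.append(("wildcard-psk", "one pre-shared key is accepted from any peer address"))
        elif header.startswith("crypto ipsec transform-set"):
            if "esp-sha-hmac" in header.split()[4:]:
                out.append(("sha1-integrity", f"{header.split()[3]}: esp-sha-hmac is HMAC-SHA-1"))
        elif header.startswith("interface Tunnel"):
            protected = any(c.startswith("tunnel protection ipsec") for c in body)
            if "mpls ip" in body and not protected:
                out.append(("unprotected-mpls-tunnel", f"{header}: labeled traffic leaves unencrypted"))
    return out


if __name__ == "__main__":
    for finding_id, detail in audit(R2_CONFIG):
        print(f"{finding_id:24} {detail}")
```

On the excerpt it reports the DH group, wildcard key and SHA-1 findings; a variant using `group 14`, `esp-sha256-hmac` and a per-peer key address comes back clean.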


R7 - Internet Router

hostname R7
!
interface FastEthernet0/0
 ip address 1.1.27.7 255.255.255.0
!
interface FastEthernet0/1
 ip address 1.1.37.7 255.255.255.0
!
interface FastEthernet1/0
 ip address 1.1.67.7 255.255.255.0
!

R8 - Customer ABC Site-1

hostname R8
!
interface FastEthernet0/0
 ip address 172.16.18.8 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
!
router bgp 65001
 no synchronization
 bgp router-id 172.16.18.8
 bgp log-neighbor-changes
 network 192.168.10.0
 neighbor 172.16.18.1 remote-as 100
 no auto-summary
!

R9 - Customer XYZ Site-1

hostname R9
!
interface FastEthernet0/0
 ip address 172.16.19.9 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
!
router bgp 65002
 no synchronization
 bgp router-id 172.16.19.9
 bgp log-neighbor-changes
 network 192.168.10.0
 neighbor 172.16.19.1 remote-as 100
 no auto-summary
!

R10 - Customer ABC Site-2

hostname R10
!
interface FastEthernet0/0
 ip address 172.16.210.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
!
router bgp 65001
 no synchronization
 bgp router-id 172.16.210.10
 bgp log-neighbor-changes
 network 192.168.20.0
 neighbor 172.16.210.2 remote-as 100
 no auto-summary
!

R11 - Customer XYZ Site-2

hostname R11
!
interface FastEthernet0/0
 ip address 172.16.211.11 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
!
router bgp 65002
 no synchronization
 bgp router-id 172.16.211.11
 bgp log-neighbor-changes
 network 192.168.20.0
 neighbor 172.16.211.2 remote-as 100
 no auto-summary
!

R12 - Customer ABC Site-3

hostname R12
!
interface FastEthernet0/0
 ip address 172.16.123.12 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.30.1 255.255.255.0
!
router bgp 65001
 no synchronization
 bgp router-id 172.16.123.12
 bgp log-neighbor-changes
 network 192.168.30.0
 neighbor 172.16.123.3 remote-as 100
 no auto-summary
!

R13 - Customer XYZ Site-3

hostname R13
!
interface FastEthernet0/0
 ip address 172.16.133.13 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.30.1 255.255.255.0
!
router bgp 65002
 no synchronization
 bgp router-id 172.16.133.13
 bgp log-neighbor-changes
 network 192.168.30.0
 neighbor 172.16.133.3 remote-as 100
 no auto-summary
!

Verification
# Verify DMVPN

!! -- DMVPN HUB - P Router -- !!
R6#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.27.2            10.10.236.2    UP 00:05:14     D
     1 1.1.37.3            10.10.236.3    UP 00:05:10     D

!! -- DMVPN Spoke - PE2 Router -- !!
R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.67.6            10.10.236.6    UP 00:09:22     S

!! -- DMVPN Spoke - R3 PE3 Router -- !!
R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.67.6            10.10.236.6    UP 00:10:28     S

# Verify BGP VPNv4 Peering 

!! -- BGP VPNv4 Route Reflector -- !!
R4#show bgp vpnv4 unicast all summary 
BGP router identifier 10.0.0.4, local AS number 100
BGP table version is 13, main routing table version 13
12 network entries using 2016 bytes of memory
12 path entries using 768 bytes of memory
4/4 BGP path/bestpath attribute entries using 576 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3456 total bytes of memory
BGP activity 12/0 prefixes, 12/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4          100      19      27       13    0    0 00:11:49        4
10.0.0.2        4          100      19      27       13    0    0 00:11:36        4
10.0.0.3        4          100      19      27       13    0    0 00:11:33        4

# Verify network reachability b/w Customer ABC Sites

!! -- Customer ABC Site-1 -- !!
R8#show ip route | beg Gate
Gateway of last resort is not set

B    192.168.30.0/24 [20/0] via 172.16.18.1, 00:13:03
C    192.168.10.0/24 is directly connected, FastEthernet0/1
     172.16.0.0/24 is subnetted, 3 subnets
B       172.16.210.0 [20/0] via 172.16.18.1, 00:13:03
C       172.16.18.0 is directly connected, FastEthernet0/0
B       172.16.123.0 [20/0] via 172.16.18.1, 00:13:03
B    192.168.20.0/24 [20/0] via 172.16.18.1, 00:13:03

!! -- Customer ABC Site-2 -- !!
R10#show ip route | beg Gate
Gateway of last resort is not set

B    192.168.30.0/24 [20/0] via 172.16.210.2, 00:13:37
B    192.168.10.0/24 [20/0] via 172.16.210.2, 00:13:37
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.210.0 is directly connected, FastEthernet0/0
B       172.16.18.0 [20/0] via 172.16.210.2, 00:13:37
B       172.16.123.0 [20/0] via 172.16.210.2, 00:13:37
C    192.168.20.0/24 is directly connected, FastEthernet0/1

!! -- Customer ABC Site-3 -- !!
R12#show ip route | beg Gate
Gateway of last resort is not set

C    192.168.30.0/24 is directly connected, FastEthernet0/1
B    192.168.10.0/24 [20/0] via 172.16.123.3, 00:14:05
     172.16.0.0/24 is subnetted, 3 subnets
B       172.16.210.0 [20/0] via 172.16.123.3, 00:14:05
B       172.16.18.0 [20/0] via 172.16.123.3, 00:14:05
C       172.16.123.0 is directly connected, FastEthernet0/0
B    192.168.20.0/24 [20/0] via 172.16.123.3, 00:14:05

!! -- Traffic b/w Customer ABC Site 1 & Site 2 -- !!

R8#ping 192.168.20.1 source 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/264/296 ms

R8#traceroute 192.168.20.1 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.20.1

  1 172.16.18.1 64 msec 96 msec 64 msec
  2 10.10.15.5 [MPLS: Labels 22/27 Exp 0] 260 msec 292 msec 256 msec
  3 10.10.56.6 [MPLS: Labels 22/27 Exp 0] 248 msec 284 msec 276 msec
  4 172.16.210.2 [AS 100] [MPLS: Label 27 Exp 0] 300 msec 292 msec 260 msec
  5 172.16.210.10 [AS 100] 292 msec *  236 msec


!! -- Traffic b/w Customer ABC Site 1 & Site 3 -- !!

R8#ping 192.168.30.1 source 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 224/257/288 ms

R8#traceroute 192.168.30.1 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.30.1

  1 172.16.18.1 76 msec 80 msec 80 msec
  2 10.10.15.5 [MPLS: Labels 21/27 Exp 0] 256 msec 292 msec 328 msec
  3 10.10.56.6 [MPLS: Labels 23/27 Exp 0] 320 msec 316 msec 308 msec
  4 172.16.123.3 [AS 100] [MPLS: Label 27 Exp 0] 264 msec 380 msec 320 msec
  5 172.16.123.12 [AS 100] 244 msec *  260 msec


!! -- Traffic b/w Customer ABC Site 2 & Site 3 -- !!
!! -- This traffic is routed via MPLS over DMVPN --!!

R10#ping 192.168.30.1 source 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 268/320/356 ms

R10#traceroute 192.168.30.1 source 192.168.20.1
Type escape sequence to abort.
Tracing the route to 192.168.30.1

  1 172.16.210.2 72 msec 84 msec 40 msec
  2 10.10.236.6 [MPLS: Labels 23/27 Exp 0] 404 msec 372 msec 428 msec
  3 172.16.123.3 [AS 100] [MPLS: Label 27 Exp 0] 352 msec 340 msec 428 msec
  4 172.16.123.12 [AS 100] 396 msec *  412 msec

## How is it routed inside the MPLS network?

- R2/PE router shows it is reachable via next-hop 10.0.0.3
- R2/PE router has received this update from Route Reflector 10.0.0.4
- MPLS VPN label is 27

R2#show ip route vrf CUST-ABC 192.168.30.0

Routing Table: CUST-ABC
Routing entry for 192.168.30.0/24
  Known via "bgp 100", distance 200, metric 0
  Tag 65001, type internal
  Last update from 10.0.0.3 00:22:01 ago
  Routing Descriptor Blocks:
  * 10.0.0.3 (default), from 10.0.0.4, 00:22:01 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65001
      MPLS label: 27
      MPLS Flags: MPLS Required

- The next-hop IP 10.0.0.3 is reachable via Tunnel0 with MPLS label 23.
- You can also see this label in the traceroute output from R10 above.
- This traffic will go over the DMVPN tunnel to next-hop IP 10.10.236.6, which is the DMVPN hub tunnel IP.

R2#show ip route 10.0.0.3
Routing entry for 10.0.0.3/32
  Known via "ospf 1", distance 110, metric 49, type intra area
  Last update from 10.10.236.6 on Tunnel0, 00:33:19 ago
  Routing Descriptor Blocks:
  * 10.10.236.6, from 10.0.0.3, 00:33:19 ago, via Tunnel0
      Route metric is 49, traffic share count is 1

R2#show mpls forwarding-table 10.0.0.3        
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
17         23         10.0.0.3/32      0             Tu0        point2point 

R2#show ip cef 10.0.0.3 detail 
10.0.0.3/32, epoch 0
  local label info: global/17
  1 RR source [no flags]
  nexthop 10.10.236.6 Tunnel0 label 23

- The R6/P router doesn't have visibility into the customer network.
- It just forwards packets based on the MPLS labels assigned to the BGP source IPs of the PE routers.
- R6 will "pop" (remove) the MPLS label and forward this packet to next-hop IP 10.10.236.3 (DMVPN Spoke R3 Tunnel IP).

R6#show ip route 192.168.30.0
% Network not in table

R6#show ip route 10.0.0.3
Routing entry for 10.0.0.3/32
  Known via "ospf 1", distance 110, metric 25, type intra area
  Last update from 10.10.236.3 on Tunnel0, 00:37:24 ago
  Routing Descriptor Blocks:
  * 10.10.236.3, from 10.0.0.3, 00:37:24 ago, via Tunnel0
      Route metric is 25, traffic share count is 1

R6#show mpls forwarding-table 10.0.0.3
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
23         Pop Label  10.0.0.3/32      13312         Tu0        10.10.236.3 

R6#show ip cef 10.0.0.3 detail 
10.0.0.3/32, epoch 0
  local label info: global/23
  nexthop 10.10.236.3 Tunnel0

- R3/PE router shows this remote site network is reachable via BGP from 172.16.123.12 (Cust-ABC Site-3 R12 Router)

R3#show ip route vrf CUST-ABC 192.168.30.0

Routing Table: CUST-ABC
Routing entry for 192.168.30.0/24
  Known via "bgp 100", distance 20, metric 0
  Tag 65001, type external
  Last update from 172.16.123.12 00:42:02 ago
  Routing Descriptor Blocks:
  * 172.16.123.12, from 172.16.123.12, 00:42:02 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65001
      MPLS label: none