DMVPN Phase 3

The Shortcut Switching Enhancements for NHRP in DMVPN Phase 3 provide a more scalable alternative to the previous NHRP model. Routers in a Dynamic Multipoint VPN (DMVPN) Phase 3 network use Next Hop Resolution Protocol (NHRP) Shortcut Switching to discover shorter paths to a destination network after receiving an NHRP redirect message from the hub. This allows the routers to communicate directly with each other without the need for an intermediate hop.

Benefits of DMVPN Phase 3 Design:

  • Allows summarization of routing protocol updates from hub to spokes. The spokes no longer need to have an individual route with an IP next-hop of the tunnel IP address of the remote spoke for the networks behind all the other spokes. The spokes can use summarized routes or specific routes with an IP next-hop of the tunnel IP address of the hub and still be able to build spoke-to-spoke tunnels.
  • Allows for hierarchical (greater than one level) and more complex tree-based DMVPN network topologies. Tree-based topologies allow the capability to build DMVPN networks with regional hubs that are spokes of central hubs. This architecture allows the regional hub to handle the data and NHRP control traffic for its regional spokes, but still allows spoke-to-spoke tunnels to be built between any spokes within the DMVPN network, whether they are in the same region or not. This architecture also allows the DMVPN network layout to more closely match regional or hierarchical data flow patterns.

Check these links for

Here is the network topology for DMVPN phase 3 discussion and configuration.

The DMVPN Phase 2 design requires a full routing table to be maintained on all spoke routers. Each route for remote spoke networks needs to be a specific route with the next hop pointing to the remote spoke’s tunnel address. This prevents the hub from being able to send down a summarized route to the spokes for a more concise routing table.

Phase 3 overcomes this restriction using NHRP traffic indication messages from the hub to signal to the spokes that a better path exists to reach the target network. This functionality is enabled by configuring "ip nhrp redirect" on the hub and "ip nhrp shortcut" on the spokes. The redirect command tells the hub to send the NHRP traffic indication message, while the shortcut command tells the spokes to accept the redirect and install the shortcut route.

DMVPN Phase 3 configuration with EIGRP
Configuration:
----------
R1 - Hub:
----------

hostname R1
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.14.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
!
router eigrp 100
 network 10.10.1.1 0.0.0.0
 network 192.168.1.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4

------------
R2 - Spoke:
------------

hostname R2
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.24.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.2.2 255.255.255.0
!
router eigrp 100
 network 10.10.2.2 0.0.0.0
 network 192.168.1.2 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 1.1.24.4

------------
R3 - Spoke:
------------

hostname R3
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.3.3 255.255.255.0
!
router eigrp 100
 network 10.10.3.3 0.0.0.0
 network 192.168.1.3 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 1.1.34.4

---------------
R4 - Internet:
---------------

hostname R4
!
interface FastEthernet0/0
 ip address 1.1.14.4 255.255.255.0
!
interface FastEthernet0/1
 ip address 1.1.24.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 1.1.34.4 255.255.255.0
!
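
A static check for the hub and spoke configurations above, as an added example that is not part of the original post: it verifies the Phase 3 role command ("ip nhrp redirect" on the hub, "ip nhrp shortcut" on spokes) and flags the crypto settings a reviewer would question in this lab, namely Diffie-Hellman group 2, the wildcard pre-shared key and the absence of PFS. The finding names and the trimmed sample config with placeholder secrets are constructed for illustration.

```python
import re

WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups

# Constructed sample: crypto and Tunnel0 lines modelled on the R2 spoke
# config above, with placeholder secrets instead of the lab values.
SPOKE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 0.0.0.0
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication EXAMPLE
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
"""


def parse_sections(config):
    """Group an IOS config into {top-level line: [indented sub-commands]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue
        if line[0] != " ":
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def audit(config, role):
    """Return sorted finding codes for a 'hub' or 'spoke' configuration."""
    findings = set()
    for header, body in parse_sections(config).items():
        if header.startswith("crypto isakmp policy "):
            for cmd in body:
                m = re.fullmatch(r"group (\d+)", cmd)
                if m and m.group(1) in WEAK_DH_GROUPS:
                    findings.add("weak-dh-group-" + m.group(1))
        elif re.match(r"crypto isakmp key .+ address 0\.0\.0\.0(\s|$)", header):
            # One shared key accepted from any peer address.
            findings.add("wildcard-psk")
        elif header.startswith("crypto ipsec profile "):
            if not any(cmd.startswith("set pfs") for cmd in body):
                findings.add("ipsec-profile-no-pfs")
        elif header.startswith("interface Tunnel"):
            if "tunnel mode gre multipoint" not in body:
                continue  # only mGRE (DMVPN) tunnels are checked
            if not any(c.startswith("tunnel protection ipsec profile ") for c in body):
                findings.add("mgre-without-ipsec")
            if not any(c.startswith("ip nhrp authentication ") for c in body):
                findings.add("nhrp-no-authentication")
            # Phase 3 needs redirect on the hub and shortcut on the spokes.
            needed = "ip nhrp redirect" if role == "hub" else "ip nhrp shortcut"
            if needed not in body:
                findings.add("missing-" + needed.replace(" ", "-"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SPOKE_CONFIG, "spoke"):
        print(finding)
```
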
Verification:
- Hub and spoke routers use mGRE tunnels

R1#show int t0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 192.168.1.1/24
  MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.14.1 (FastEthernet0/0)
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with FastEthernet0/0
          Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport multi-GRE/IP

R2#show int t0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 192.168.1.2/24
  MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.24.2 (FastEthernet0/0)
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with FastEthernet0/0
          Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport multi-GRE/IP

R3#show int t0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 192.168.1.3/24
  MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.34.3 (FastEthernet0/0)
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with FastEthernet0/0
          Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport multi-GRE/IP

- Routing adjacencies (EIGRP neighborship) are between Hub and Spokes only 

R1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   192.168.1.2             Tu0                      10 00:28:43  188  1128  0  3
0   192.168.1.3             Tu0                      14 00:29:10  174  1044  0  3

R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.1.1             Tu0                      14 00:28:45 1282  5000  0  5

R3#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.1.1             Tu0                      11 00:29:16  200  1200  0  2

- Routing Table
- Hub router advertised a summary route (10.10.0.0/16) to spoke EIGRP routers


R1#show ip route eigrp | beg Gate
Gateway of last resort is 1.1.14.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
D        10.10.0.0/16 is a summary, 00:30:13, Null0
D        10.10.2.0/24 [90/1907456] via 192.168.1.2, 00:29:34, Tunnel0
D        10.10.3.0/24 [90/1907456] via 192.168.1.3, 00:30:04, Tunnel0

R2#show ip route eigrp | beg Gate
Gateway of last resort is 1.1.24.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
D        10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:29:38, Tunnel0

R3#show ip route eigrp | beg Gate
Gateway of last resort is 1.1.34.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
D        10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:30:10, Tunnel0

- DMVPN Status
- Initially there is no spoke-to-spoke communication

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
====================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.24.2            192.168.1.2    UP 00:30:53     D
     1 1.1.34.3            192.168.1.3    UP 00:31:22     D

R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.14.1            192.168.1.1    UP 00:30:55     S

R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.14.1            192.168.1.1    UP 00:31:26     S

- Traffic between Spoke R2 and Spoke R3
- The first packet traverses the hub and triggers the NHRP shortcut switching process; subsequent traffic then uses the direct spoke-to-spoke tunnel

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 132 msec 136 msec 160 msec    << Hub R1 Tunnel IP  
  2 192.168.1.3 236 msec                      << Spoke R3 Tunnel IP

Following events occur for NHRP shortcut switching:

When traffic between spokes R2 and R3 arrives at the Hub-R1 router, the hub sends a redirect message (because of "ip nhrp redirect") to the spokes, telling them that both are DMVPN spokes and that a better path exists if they build a direct spoke-to-spoke tunnel.

=> Hub-R1 sends NHRP redirect to Spoke-R2
R1#
*Mar  1 23:24:47.063: NHRP: Send Traffic Indication via Tunnel0 vrf 0, packet size: 100
*Mar  1 23:24:47.071:  src: 192.168.1.1, dst: 10.10.2.2
*Mar  1 23:24:47.079:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:47.079:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.083:      pktsz: 100 extoff: 68
*Mar  1 23:24:47.087:  (M) traffic code: redirect(0)
*Mar  1 23:24:47.087:      src NBMA: 1.1.14.1
*Mar  1 23:24:47.087:      src protocol: 192.168.1.1, dst protocol: 10.10.2.2
*Mar  1 23:24:47.087:      Contents of nhrp traffic indication packet:
*Mar  1 23:24:47.087:         45 00 00 64 00 00 00 00 FE 01 A3 80 0A 0A 02 02 
*Mar  1 23:24:47.087:         0A 0A 03 03 08 00 A8 A1 00 00 00 

=> Hub-R1 sends NHRP redirect to Spoke-R3
R1#
*Mar  1 23:24:47.139: NHRP: Send Traffic Indication via Tunnel0 vrf 0, packet size: 100
*Mar  1 23:24:47.143:  src: 192.168.1.1, dst: 10.10.3.3
*Mar  1 23:24:47.151:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:47.155:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.155:      pktsz: 100 extoff: 68
*Mar  1 23:24:47.159:  (M) traffic code: redirect(0)
*Mar  1 23:24:47.163:      src NBMA: 1.1.14.1
*Mar  1 23:24:47.163:      src protocol: 192.168.1.1, dst protocol: 10.10.3.3
*Mar  1 23:24:47.171:      Contents of nhrp traffic indication packet:
*Mar  1 23:24:47.175:         45 00 00 64 00 00 00 00 FE 01 A3 80 0A 0A 03 03 
*Mar  1 23:24:47.179:         0A 0A 02 02 00 00 B0 A1 00 00 00 

=> Spoke-R2 receives NHRP redirect from Hub-R1
R2#
*Mar  1 23:24:47.135: NHRP: Receive Traffic Indication via Tunnel0 vrf 0, packet size: 100
*Mar  1 23:24:47.139:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:47.139:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.139:      pktsz: 100 extoff: 68
*Mar  1 23:24:47.139:  (M) traffic code: redirect(0)
*Mar  1 23:24:47.139:      src NBMA: 1.1.14.1
*Mar  1 23:24:47.143:      src protocol: 192.168.1.1, dst protocol: 10.10.2.2
*Mar  1 23:24:47.143:      Contents of nhrp traffic indication packet:
*Mar  1 23:24:47.143:         45 00 00 64 00 00 00 00 FE 01 A3 80 0A 0A 02 02 
*Mar  1 23:24:47.143:         0A 0A 03 03 08 00 A8 A1 00 00 00 

=> Spoke-R2 accepts this message and wants to build a shortcut path (direct spoke-to-spoke tunnel) because of the "ip nhrp shortcut" command.
=> Spoke-R2 sends an NHRP resolution request to Spoke-R3 via Hub-R1 to find the NBMA IP of Spoke-R3 and build a direct spoke-to-spoke tunnel
 
R2#
*Mar  1 23:24:47.163: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Mar  1 23:24:47.167:  src: 192.168.1.2, dst: 10.10.3.3
*Mar  1 23:24:47.167:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:47.167:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.167:      pktsz: 88 extoff: 52
*Mar  1 23:24:47.167:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 23:24:47.167:      src NBMA: 1.1.24.2
*Mar  1 23:24:47.167:      src protocol: 192.168.1.2, dst protocol: 10.10.3.3
*Mar  1 23:24:47.167:  (C-1) code: no error(0)
*Mar  1 23:24:47.167:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 23:24:47.167:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

=> Similar events happen on Spoke-R3.
=> Spoke-R3 receives the NHRP redirect from Hub-R1
=> Spoke-R3 also sends an NHRP resolution request to Spoke-R2 via Hub-R1 to find the NBMA IP of Spoke-R2 and build a direct spoke-to-spoke tunnel

R3#
*Mar  1 23:24:47.263: NHRP: Receive Traffic Indication via Tunnel0 vrf 0, packet size: 100
*Mar  1 23:24:47.267:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:47.271:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.275:      pktsz: 100 extoff: 68
*Mar  1 23:24:47.275:  (M) traffic code: redirect(0)
*Mar  1 23:24:47.275:      src NBMA: 1.1.14.1
*Mar  1 23:24:47.275:      src protocol: 192.168.1.1, dst protocol: 10.10.3.3
*Mar  1 23:24:47.275:      Contents of nhrp traffic indication packet:
*Mar  1 23:24:47.275:         45 00 00 64 00 00 00 00 FE 01 A3 80 0A 0A 03 03 
*Mar  1 23:24:47.275:         0A 0A 02 02 00 00 B0 A1 00 00 00 

R3#
*Mar  1 23:24:47.307: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Mar  1 23:24:47.311:  src: 192.168.1.3, dst: 10.10.2.2
*Mar  1 23:24:47.319:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:47.323:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.323:      pktsz: 88 extoff: 52

R3#*Mar  1 23:24:47.327:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 23:24:47.331:      src NBMA: 1.1.34.3
*Mar  1 23:24:47.335:      src protocol: 192.168.1.3, dst protocol: 10.10.2.2
*Mar  1 23:24:47.335:  (C-1) code: no error(0)
*Mar  1 23:24:47.335:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 23:24:47.335:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

=> Hub-R1 receives the NHRP resolution requests and forwards them to both spokes (R2 & R3)

R1#
*Mar  1 23:24:47.211: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 88
*Mar  1 23:24:47.219:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:47.219:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.219:      pktsz: 88 extoff: 52
*Mar  1 23:24:47.219:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 23:24:47.219:      src NBMA: 1.1.24.2
*Mar  1 23:24:47.219:      src protocol: 192.168.1.2, dst protocol: 10.10.3.3
*Mar  1 23:24:47.219:  (C-1) code: no error(0)
*Mar  1 23:24:47.219:   
R1#     prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 23:24:47.219:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Mar  1 23:24:47.223: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 108
*Mar  1 23:24:47.223:  src: 192.168.1.1, dst: 10.10.3.3
*Mar  1 23:24:47.223:  (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Mar  1 23:24:47.223:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.223:      pktsz: 108 extoff: 52
*Mar  1 23:24:47.223:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 23:24:47.223:      src NBMA: 1.1.24.2
*Mar  1 23:24:47.223:      src protocol: 192.168.1.2, dst protocol: 10.10.3.3
*Mar  1 23:24:47.223:  (C-1) code: no error(0)
*Mar  1 23:24:47.223:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 23:24:47.223:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

R1#
*Mar  1 23:24:47.387: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 88
*Mar  1 23:24:47.395:  (F)
R1# afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:47.399:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.399:      pktsz: 88 extoff: 52
*Mar  1 23:24:47.403:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 23:24:47.403:      src NBMA: 1.1.34.3
*Mar  1 23:24:47.403:      src protocol: 192.168.1.3, dst protocol: 10.10.2.2
*Mar  1 23:24:47.403:  (C-1) code: no error(0)
*Mar  1 23:24:47.403:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 23:24:47.403:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Mar  1 23:24:47.407: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 108
*Mar  1 23:24:47.407:  src: 192.168.1.1, dst: 10.10.2.2
*Mar  1 23:24:47.407:  (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Mar  1 23:24:47.407:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:47.407:      pktsz: 108 extoff: 52
*Mar  1 23:24:47.407:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 23:24:47.407:      src NBMA: 1.1.34.3
*Mar  1 23:24:47.407:      src protocol: 192.168.1.3, dst protocol: 10.10.2.2
*Mar  1 23:24:47.407:  (C-1) code: no error(0)
*Mar  1 23:24:47.407:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 23:24:47.407:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

=> Both Spoke-R2 & Spoke-R3 send an NHRP resolution reply via Hub-R1

R2#
*Mar  1 23:24:48.431: NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 136
*Mar  1 23:24:48.435:  src: 192.168.1.2, dst: 192.168.1.3

R3#
*Mar  1 23:24:48.267: NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 136
*Mar  1 23:24:48.271:  src: 192.168.1.3, dst: 192.168.1.2

=> Finally, both spokes receive each other's NHRP resolution reply

R2#
*Mar  1 23:24:48.311: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 136
*Mar  1 23:24:48.319:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:48.323:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:48.323:      pktsz: 136 extoff: 60
*Mar  1 23:24:48.327:  (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2 
*Mar  1 23:24:48.331:      src NBMA: 1.1.24.2
*Mar  1 23:24:48.335:      src protocol: 192.168.1.2, dst protocol: 10.10.3.3
*Mar  1 23:24:48.335:  (C-1) code: no error(0)
*Mar  1 23:24:48.335:        prefix: 24, mtu: 17870, hd_time: 7199
*Mar  1 23:24:48.335:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Mar  1 23:24:48.335:        client NBMA: 1.1.34.3
*Mar  1 23:24:48.335:        client protocol: 192.168.1.3

R3#
*Mar  1 23:24:48.551: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 136
*Mar  1 23:24:48.559:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:48.563:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:48.563:      pktsz: 136 extoff: 60
*Mar  1 23:24:48.567:  (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2 
*Mar  1 23:24:48.571:      src NBMA: 1.1.34.3
*Mar  1 23:24:48.575:      src protocol: 192.168.1.3, dst protocol: 10.10.2.2
*Mar  1 23:24:48.579:  (C-1) code: no error(0)
*Mar  1 23:24:48.579:        prefix: 24, mtu: 17870, hd_time: 7200
*Mar  1 23:24:48.579:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Mar  1 23:24:48.579:        client NBMA: 1.1.24.2
*Mar  1 23:24:48.579:        client protocol: 192.168.1.2

=> Now both spokes know each other's NBMA & Tunnel IP address, and can build a direct spoke-to-spoke tunnel
=> Both spokes also add an NHRP shortcut route entry to reach each other's LAN subnet

R2#
*Mar  1 23:24:48.455: NHRP: Adding route entry for 10.10.3.0/24 to RIB
*Mar  1 23:24:48.455: NHRP: Route addition to RIB Successful 

R3#
*Mar  1 23:24:48.587: NHRP: Adding route entry for 10.10.2.0/24 to RIB
*Mar  1 23:24:48.595: NHRP: Route addition to RIB Successful 
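
The resolution replies above carry everything a spoke installs as a shortcut: the prefix, the remote tunnel IP and the remote NBMA address. The following added example (not part of the original post) parses that debug output and cross-checks each learned shortcut against the hub's registrations from "show dmvpn"; the function names and the rule that shortcut prefixes must fall inside the hub's 10.10.0.0/16 summary are assumptions made for this lab's addressing.

```python
import ipaddress
import re

# Debug lines copied from the R2 "Receive Resolution Reply" output above.
R2_DEBUG = """\
R2#
*Mar  1 23:24:48.311: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 136
*Mar  1 23:24:48.319:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 23:24:48.323:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 23:24:48.323:      pktsz: 136 extoff: 60
*Mar  1 23:24:48.327:  (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2
*Mar  1 23:24:48.331:      src NBMA: 1.1.24.2
*Mar  1 23:24:48.335:      src protocol: 192.168.1.2, dst protocol: 10.10.3.3
*Mar  1 23:24:48.335:  (C-1) code: no error(0)
*Mar  1 23:24:48.335:        prefix: 24, mtu: 17870, hd_time: 7199
*Mar  1 23:24:48.335:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Mar  1 23:24:48.335:        client NBMA: 1.1.34.3
*Mar  1 23:24:48.335:        client protocol: 192.168.1.3
"""

# Hub registrations taken from R1's "show dmvpn": tunnel IP -> NBMA address.
HUB_REGISTRATIONS = {"192.168.1.2": "1.1.24.2", "192.168.1.3": "1.1.34.3"}

HEADER = re.compile(r"NHRP: (Send|Receive|Forwarding) ([A-Za-z ]+?) via (\S+)")
FIELD = re.compile(
    r"(src NBMA|src protocol|dst protocol|client NBMA|client protocol|prefix): ([\d.]+)"
)
REQUIRED = ("dst protocol", "prefix", "client protocol", "client NBMA")


def parse_nhrp_debug(text):
    """Split 'debug nhrp packet' style output into one dict per NHRP message.

    Fields are found with search(), so lines broken up by a console prompt
    (as in some of the R1 and R3 captures above) are still parsed.
    """
    messages, current = [], None
    for line in text.splitlines():
        head = HEADER.search(line)
        if head:
            current = {"direction": head.group(1), "type": head.group(2),
                       "interface": head.group(3)}
            messages.append(current)
        elif current is not None:
            for key, value in FIELD.findall(line):
                current[key] = value
    return messages


def shortcuts_from_replies(messages):
    """Turn received Resolution Replies into (network, next hop, NBMA) tuples."""
    entries = []
    for msg in messages:
        if msg["direction"] != "Receive" or msg["type"] != "Resolution Reply":
            continue
        if any(key not in msg for key in REQUIRED):
            continue  # truncated capture, nothing to install
        network = ipaddress.ip_network(
            f'{msg["dst protocol"]}/{msg["prefix"]}', strict=False)
        entries.append((str(network), msg["client protocol"], msg["client NBMA"]))
    return entries


def check_shortcuts(entries, registrations, summary):
    """Flag shortcuts that disagree with the hub's view of the overlay."""
    summary_net = ipaddress.ip_network(summary)
    findings = []
    for network, next_hop, nbma in entries:
        if registrations.get(next_hop) != nbma:
            findings.append((network, "next hop/NBMA pair not registered at hub"))
        if not ipaddress.ip_network(network).subnet_of(summary_net):
            findings.append((network, "prefix outside the hub summary"))
    return findings


if __name__ == "__main__":
    learned = shortcuts_from_replies(parse_nhrp_debug(R2_DEBUG))
    print(learned)
    print(check_shortcuts(learned, HUB_REGISTRATIONS, "10.10.0.0/16"))
```
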

- Let's test communication between Spoke-R2 and Spoke-R3 now

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/136/152 ms

- Now traffic between Spoke-R2 and Spoke-R3 is using direct DMVPN tunnel

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.3 148 msec *  116 msec        << Spoke-R3 Tunnel IP

- Each spoke's routing table now shows a new NHRP route (code H) to reach the subnet behind the other spoke router

R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.24.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.24.4
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.24.0/24 is directly connected, FastEthernet0/0
L        1.1.24.2/32 is directly connected, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D        10.10.0.0/16 [90/1907456] via 192.168.1.1, 01:31:44, Tunnel0
C        10.10.2.0/24 is directly connected, FastEthernet0/1
L        10.10.2.2/32 is directly connected, FastEthernet0/1
H        10.10.3.0/24 [250/1] via 192.168.1.3, 00:05:13, Tunnel0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel0
L        192.168.1.2/32 is directly connected, Tunnel0

R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.34.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.34.4
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.34.0/24 is directly connected, FastEthernet0/0
L        1.1.34.3/32 is directly connected, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D        10.10.0.0/16 [90/1907456] via 192.168.1.1, 01:32:12, Tunnel0
H        10.10.2.0/24 [250/1] via 192.168.1.2, 00:06:01, Tunnel0
C        10.10.3.0/24 is directly connected, FastEthernet0/1
L        10.10.3.3/32 is directly connected, FastEthernet0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel0
L        192.168.1.3/32 is directly connected, Tunnel0

- DMVPN Status

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.24.2            192.168.1.2    UP 01:37:55     D
     1 1.1.34.3            192.168.1.3    UP 01:37:36     D


R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 1.1.34.3            192.168.1.3    UP 00:11:26   DT1
                           192.168.1.3    UP 00:11:26     D
     1 1.1.14.1            192.168.1.1    UP 01:37:59     S
*T1 - Route Installed

R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 1.1.24.2            192.168.1.2    UP 00:11:29   DT1
                           192.168.1.2    UP 00:11:29     D
     1 1.1.14.1            192.168.1.1    UP 01:37:43     S
*T1 - Route Installed

- NHRP Table

R1#show ip nhrp
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 01:38:52, expire 01:41:01
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.24.2 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 01:38:33, expire 01:41:00
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.34.3

R2#show ip nhrp
10.10.2.0/24 via 192.168.1.2
   Tunnel0 created 00:12:24, expire 01:47:35
   Type: dynamic, Flags: router unique local 
   NBMA address: 1.1.24.2 
    (no-socket) 
10.10.3.0/24 via 192.168.1.3
   Tunnel0 created 00:12:24, expire 01:47:35
   Type: dynamic, Flags: router used rib 
   NBMA address: 1.1.34.3 
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:39:13, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.14.1 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 00:12:25, expire 01:47:35
   Type: dynamic, Flags: router implicit used 
   NBMA address: 1.1.34.3 

R3#show ip nhrp
10.10.2.0/24 via 192.168.1.2
   Tunnel0 created 00:12:26, expire 01:47:33
   Type: dynamic, Flags: router used rib 
   NBMA address: 1.1.24.2 
10.10.3.0/24 via 192.168.1.3
   Tunnel0 created 00:12:26, expire 01:47:33
   Type: dynamic, Flags: router unique local 
   NBMA address: 1.1.34.3 
    (no-socket) 
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:39:16, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.14.1 
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 00:12:27, expire 01:47:33
   Type: dynamic, Flags: router implicit used 
   NBMA address: 1.1.24.2 


DMVPN Phase 3 configuration with OSPF
  • Tunnel mode is mGRE on the hub and spoke routers
  • OSPF network type is point-to-multipoint on the hub and spoke routers
  • Route summarization is not feasible within a single OSPF area; this is one of the main reasons that OSPF is not an ideal routing protocol for DMVPN Phase 3 designs
  • The shortcut route is marked with the “%” symbol, which indicates the next-hop override feature. It means the router is not using the next-hop IP from the OSPF RIB entry; instead it uses the DMVPN tunnel IP of the remote spoke to route traffic over the direct DMVPN tunnel.
Configuration:
----------
R1 - Hub:
----------

hostname R1
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.14.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
!
router ospf 1
 network 10.10.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4


------------
R2 - Spoke:
------------

hostname R2
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.24.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.2.2 255.255.255.0
!
router ospf 1
 network 10.10.2.2 0.0.0.0 area 0
 network 192.168.1.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 1.1.24.4

------------
R3 - Spoke:
------------

hostname R3
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.3.3 255.255.255.0
!
router ospf 1
 network 10.10.3.3 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 1.1.34.4

Verification:
- Tunnel OSPF Network Type 

R1#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:19
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 2, Adjacent neighbor count is 2 
    Adjacent with neighbor 192.168.1.3
    Adjacent with neighbor 192.168.1.2
  Suppress hello for 0 neighbor(s)

R2#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.2/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.2, Network Type POINT_TO_MULTIPOINT, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:15
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.1.1
  Suppress hello for 0 neighbor(s)

R3#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.3/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.3, Network Type POINT_TO_MULTIPOINT, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:09
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.1.1
  Suppress hello for 0 neighbor(s)

- OSPF Adjacencies

R1#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.3       0   FULL/  -        00:01:37    192.168.1.3     Tunnel0
192.168.1.2       0   FULL/  -        00:01:55    192.168.1.2     Tunnel0

R2#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       0   FULL/  -        00:01:50    192.168.1.1     Tunnel0

R3#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       0   FULL/  -        00:01:48    192.168.1.1     Tunnel0

- Traffic between Spoke-R2 and Spoke-R3 is via direct spoke-to-spoke DMVPN tunnel

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/134/148 ms

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.3 128 msec *  152 msec          << Spoke-R3 Tunnel IP

- DMVPN Status

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.24.2            192.168.1.2    UP 01:33:58     D
     1 1.1.34.3            192.168.1.3    UP 01:33:48     D

R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 1.1.34.3            192.168.1.3    UP 00:01:42   DT2
                           192.168.1.3    UP 00:01:42     D
     1 1.1.14.1            192.168.1.1    UP 01:34:01     S
*T2 - Nexthop-override

R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 1.1.24.2            192.168.1.2    UP 00:01:44   DT2
                           192.168.1.2    UP 00:01:44     D
     1 1.1.14.1            192.168.1.1    UP 01:33:54     S
*T2 - Nexthop-override

- Routing Table

R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.14.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.14.4
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.14.0/24 is directly connected, FastEthernet0/0
L        1.1.14.1/32 is directly connected, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.10.1.0/24 is directly connected, FastEthernet0/1
L        10.10.1.1/32 is directly connected, FastEthernet0/1
O        10.10.2.0/24 [110/25] via 192.168.1.2, 01:36:33, Tunnel0
O        10.10.3.0/24 [110/25] via 192.168.1.3, 01:36:03, Tunnel0
      192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel0
L        192.168.1.1/32 is directly connected, Tunnel0
O        192.168.1.2/32 [110/24] via 192.168.1.2, 01:36:33, Tunnel0
O        192.168.1.3/32 [110/24] via 192.168.1.3, 01:36:03, Tunnel0

R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.24.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.24.4
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.24.0/24 is directly connected, FastEthernet0/0
L        1.1.24.2/32 is directly connected, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.1.0/24 [110/25] via 192.168.1.1, 01:36:38, Tunnel0
C        10.10.2.0/24 is directly connected, FastEthernet0/1
L        10.10.2.2/32 is directly connected, FastEthernet0/1
O   %    10.10.3.0/24 [110/49] via 192.168.1.1, 01:35:58, Tunnel0
      192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel0
O        192.168.1.1/32 [110/24] via 192.168.1.1, 01:36:38, Tunnel0
L        192.168.1.2/32 is directly connected, Tunnel0
O        192.168.1.3/32 [110/48] via 192.168.1.1, 01:35:58, Tunnel0

R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.34.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.34.4
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.34.0/24 is directly connected, FastEthernet0/0
L        1.1.34.3/32 is directly connected, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.1.0/24 [110/25] via 192.168.1.1, 01:36:10, Tunnel0
O   %    10.10.2.0/24 [110/49] via 192.168.1.1, 01:36:10, Tunnel0
C        10.10.3.0/24 is directly connected, FastEthernet0/1
L        10.10.3.3/32 is directly connected, FastEthernet0/1
      192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel0
O        192.168.1.1/32 [110/24] via 192.168.1.1, 01:36:10, Tunnel0
O        192.168.1.2/32 [110/48] via 192.168.1.1, 01:36:10, Tunnel0
L        192.168.1.3/32 is directly connected, Tunnel0

- NHRP Table

R1#show ip nhrp
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 01:45:40, expire 01:33:54
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.24.2 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 01:45:30, expire 01:33:54
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.34.3 

R2#show ip nhrp
10.10.2.0/24 via 192.168.1.2
   Tunnel0 created 00:13:24, expire 01:46:35
   Type: dynamic, Flags: router unique local 
   NBMA address: 1.1.24.2 
    (no-socket) 
10.10.3.0/24 via 192.168.1.3
   Tunnel0 created 00:13:23, expire 01:46:36
   Type: dynamic, Flags: router used rib nho << next-hop override
   NBMA address: 1.1.34.3 
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:46:18, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.14.1 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 00:13:24, expire 01:46:35
   Type: dynamic, Flags: router implicit 
   NBMA address: 1.1.34.3 

R3#show ip nhrp
10.10.2.0/24 via 192.168.1.2
   Tunnel0 created 00:13:30, expire 01:46:28
   Type: dynamic, Flags: router used rib nho << next-hop override
   NBMA address: 1.1.24.2 
10.10.3.0/24 via 192.168.1.3
   Tunnel0 created 00:13:30, expire 01:46:29
   Type: dynamic, Flags: router unique local 
   NBMA address: 1.1.34.3 
    (no-socket) 
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:46:24, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.14.1 
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 00:13:31, expire 01:46:29
   Type: dynamic, Flags: router implicit 
   NBMA address: 1.1.24.2 

DMVPN Phase 3 configuration with BGP

  • Hub and spoke routers use mGRE tunnels
  • Hub router(s) act as route-reflector server(s)
  • Spoke routers are route-reflector clients
  • The hub router can send a summary route to the spoke routers
  • eBGP can also be used by configuring the hub and spokes in different ASNs. Here we are using iBGP with a route reflector.

Configuration:
----------
R1 - Hub:
----------

hostname R1
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.14.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group DMVPN-SPOKES
 bgp listen limit 50
 network 10.10.1.0 mask 255.255.255.0
 aggregate-address 10.10.0.0 255.255.0.0 summary-only
 neighbor DMVPN-SPOKES peer-group
 neighbor DMVPN-SPOKES remote-as 65001
 neighbor DMVPN-SPOKES route-reflector-client
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4

------------
R2 - Spoke:
------------

hostname R2
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.24.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.2.2 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.1.2
 bgp log-neighbor-changes
 network 10.10.2.0 mask 255.255.255.0
 neighbor 192.168.1.1 remote-as 65001
!
ip route 0.0.0.0 0.0.0.0 1.1.24.4

------------
R3 - Spoke:
------------

hostname R3
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.3.3 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.1.3
 bgp log-neighbor-changes
 network 10.10.3.0 mask 255.255.255.0
 neighbor 192.168.1.1 remote-as 65001
!
ip route 0.0.0.0 0.0.0.0 1.1.34.4

Verification:
- BGP peering is between the hub and spokes only; there is no spoke-to-spoke peering

R1#show ip bgp summary 
BGP router identifier 192.168.1.1, local AS number 65001
BGP table version is 8, main routing table version 8
4 network entries using 592 bytes of memory
4 path entries using 256 bytes of memory
3/3 BGP path/bestpath attribute entries using 408 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1256 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*192.168.1.2    4        65001      18      20        8    0    0 00:12:43        1
*192.168.1.3    4        65001      19      18        8    0    0 00:12:45        1
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1

BGP peergroup DMVPN-SPOKES listen range group members: 
  192.168.1.0/24 

Total dynamically created neighbors: 2/(50 max), Subnet ranges: 1

R2#show ip bgp summary 
BGP router identifier 192.168.1.2, local AS number 65001
BGP table version is 3, main routing table version 3
2 network entries using 296 bytes of memory
2 path entries using 128 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 696 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4        65001      20      18        3    0    0 00:12:50        1

R3#show ip bgp summary 
BGP router identifier 192.168.1.3, local AS number 65001
BGP table version is 3, main routing table version 3
2 network entries using 296 bytes of memory
2 path entries using 128 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 696 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4        65001      19      19        3    0    0 00:12:54        1

- Traffic between Spoke-R2 and Spoke-R3

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/132/140 ms

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.3 144 msec *  124 msec         << Spoke R3 Tunnel IP

- DMVPN Status

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.24.2            192.168.1.2    UP 00:15:42     D
     1 1.1.34.3            192.168.1.3    UP 00:15:42     D

R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 1.1.34.3            192.168.1.3    UP 00:01:20   DT1
                           192.168.1.3    UP 00:01:20     D
     1 1.1.14.1            192.168.1.1    UP 00:15:47     S
*T1 - Route Installed

R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 1.1.24.2            192.168.1.2    UP 00:01:23   DT1
                           192.168.1.2    UP 00:01:23     D
     1 1.1.14.1            192.168.1.1    UP 00:15:49     S
*T1 - Route Installed

- BGP Table

R1#show ip bgp
BGP table version is 8, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.0.0/16     0.0.0.0                            32768 i
 s>  10.10.1.0/24     0.0.0.0                  0         32768 i
 s>i 10.10.2.0/24     192.168.1.2              0    100      0 i
 s>i 10.10.3.0/24     192.168.1.3              0    100      0 i

R2#show ip bgp
BGP table version is 3, local router ID is 192.168.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.10.0.0/16     192.168.1.1              0    100      0 i
 *>  10.10.2.0/24     0.0.0.0                  0         32768 i

R3#show ip bgp
BGP table version is 3, local router ID is 192.168.1.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.10.0.0/16     192.168.1.1              0    100      0 i
 *>  10.10.3.0/24     0.0.0.0                  0         32768 i

- Routing Table

R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.14.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.14.4
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.14.0/24 is directly connected, FastEthernet0/0
L        1.1.14.1/32 is directly connected, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
B        10.10.0.0/16 [200/0] via 0.0.0.0, 00:17:13, Null0
C        10.10.1.0/24 is directly connected, FastEthernet0/1
L        10.10.1.1/32 is directly connected, FastEthernet0/1
B        10.10.2.0/24 [200/0] via 192.168.1.2, 00:16:05
B        10.10.3.0/24 [200/0] via 192.168.1.3, 00:16:57
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel0
L        192.168.1.1/32 is directly connected, Tunnel0

R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.24.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.24.4
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.24.0/24 is directly connected, FastEthernet0/0
L        1.1.24.2/32 is directly connected, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
B        10.10.0.0/16 [200/0] via 192.168.1.1, 00:16:11
C        10.10.2.0/24 is directly connected, FastEthernet0/1
L        10.10.2.2/32 is directly connected, FastEthernet0/1
H        10.10.3.0/24 [250/1] via 192.168.1.3, 00:02:52, Tunnel0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel0
L        192.168.1.2/32 is directly connected, Tunnel0

R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.34.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.34.4
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.34.0/24 is directly connected, FastEthernet0/0
L        1.1.34.3/32 is directly connected, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
B        10.10.0.0/16 [200/0] via 192.168.1.1, 00:17:06
H        10.10.2.0/24 [250/1] via 192.168.1.2, 00:02:55, Tunnel0
C        10.10.3.0/24 is directly connected, FastEthernet0/1
L        10.10.3.3/32 is directly connected, FastEthernet0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel0
L        192.168.1.3/32 is directly connected, Tunnel0

- NHRP Table

R1#show ip nhrp
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 00:17:49, expire 01:42:10
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.24.2 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 00:17:49, expire 01:42:11
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.34.3 

R2#show ip nhrp
10.10.2.0/24 via 192.168.1.2
   Tunnel0 created 00:03:27, expire 01:56:32
   Type: dynamic, Flags: router unique local 
   NBMA address: 1.1.24.2 
    (no-socket) 
10.10.3.0/24 via 192.168.1.3
   Tunnel0 created 00:03:27, expire 01:56:31
   Type: dynamic, Flags: router used rib 
   NBMA address: 1.1.34.3 
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 00:18:28, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.14.1 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 00:03:28, expire 01:56:32
   Type: dynamic, Flags: router implicit used 
   NBMA address: 1.1.34.3 

R3#show ip nhrp
10.10.2.0/24 via 192.168.1.2
   Tunnel0 created 00:03:29, expire 01:56:30
   Type: dynamic, Flags: router used rib 
   NBMA address: 1.1.24.2 
10.10.3.0/24 via 192.168.1.3
   Tunnel0 created 00:03:30, expire 01:56:29
   Type: dynamic, Flags: router unique local 
   NBMA address: 1.1.34.3 
    (no-socket) 
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 00:18:31, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.14.1 
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 00:03:31, expire 01:56:29
   Type: dynamic, Flags: router implicit used 
   NBMA address: 1.1.24.2 
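
As an added example (not part of the original post), the Python below parses `show ip nhrp` output and separates the two shortcut styles seen in the OSPF and BGP verification sections above: `rib nho` entries, which the OSPF output pairs with the `%` next-hop override, and plain `rib` entries, which the BGP output pairs with an installed `H` route. The function names and category labels are illustrative; the sample input is R2's output from the two sections above.

```python
import re

# R2's "show ip nhrp" output from the OSPF and BGP verification sections above
# (prompt line and trailing spaces removed).
R2_OSPF = """\
10.10.2.0/24 via 192.168.1.2
   Tunnel0 created 00:13:24, expire 01:46:35
   Type: dynamic, Flags: router unique local
   NBMA address: 1.1.24.2
    (no-socket)
10.10.3.0/24 via 192.168.1.3
   Tunnel0 created 00:13:23, expire 01:46:36
   Type: dynamic, Flags: router used rib nho << next-hop override
   NBMA address: 1.1.34.3
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:46:18, never expire
   Type: static, Flags: used
   NBMA address: 1.1.14.1
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 00:13:24, expire 01:46:35
   Type: dynamic, Flags: router implicit
   NBMA address: 1.1.34.3
"""

R2_BGP = """\
10.10.2.0/24 via 192.168.1.2
   Tunnel0 created 00:03:27, expire 01:56:32
   Type: dynamic, Flags: router unique local
   NBMA address: 1.1.24.2
    (no-socket)
10.10.3.0/24 via 192.168.1.3
   Tunnel0 created 00:03:27, expire 01:56:31
   Type: dynamic, Flags: router used rib
   NBMA address: 1.1.34.3
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 00:18:28, never expire
   Type: static, Flags: used
   NBMA address: 1.1.14.1
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 00:03:28, expire 01:56:32
   Type: dynamic, Flags: router implicit used
   NBMA address: 1.1.34.3
"""

ENTRY = re.compile(r"^(\d+(?:\.\d+){3}/\d+) via (\d+(?:\.\d+){3})\s*$")
TYPE_FLAGS = re.compile(r"^\s+Type: (\w+), Flags:(.*)$")
NBMA = re.compile(r"^\s+NBMA address: (\S+)")


def parse_show_ip_nhrp(text):
    """Return one dict per NHRP cache entry in the CLI output."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            cur = {"prefix": m.group(1), "via": m.group(2), "type": None,
                   "flags": [], "nbma": None, "no_socket": False}
            entries.append(cur)
            continue
        if cur is None:
            continue  # prompt or banner lines before the first entry
        m = TYPE_FLAGS.match(line)
        if m:
            cur["type"] = m.group(1)
            # Drop hand-written annotations such as "<< next-hop override".
            cur["flags"] = m.group(2).split("<<")[0].split()
            continue
        m = NBMA.match(line)
        if m:
            cur["nbma"] = m.group(1)
        elif "(no-socket)" in line:
            cur["no_socket"] = True
    return entries


def classify(entry):
    """Map an entry to an illustrative category label (labels are not IOS terms)."""
    flags = set(entry["flags"])
    if entry["type"] == "static":
        return "static-nhs-mapping"         # spoke's configured hub mapping
    if "local" in flags:
        return "local-network"              # this router's own LAN prefix
    if "registered" in flags:
        return "registered-spoke"           # hub's view of a registered spoke
    if "rib" in flags and "nho" in flags:
        return "shortcut-nexthop-override"  # "%" route in the OSPF section
    if "rib" in flags:
        return "shortcut-route-installed"   # "H" route in the BGP section
    return "peer-mapping"                   # tunnel IP to NBMA of a remote spoke


def shortcuts(text):
    """List (prefix, tunnel next hop, NBMA address, kind) for shortcut entries."""
    return [(e["prefix"], e["via"], e["nbma"], classify(e))
            for e in parse_show_ip_nhrp(text)
            if classify(e).startswith("shortcut")]


if __name__ == "__main__":
    for name, text in (("OSPF", R2_OSPF), ("BGP", R2_BGP)):
        for row in shortcuts(text):
            print(name, *row)
```

Comparing the NBMA addresses returned by `shortcuts()` against the list of known spoke addresses gives a quick check that each spoke-to-spoke tunnel terminates where it is expected to.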

 

DMVPN Phase 2

Phase 2 – Spoke to Spoke Design

The DMVPN Phase 2 design introduced the ability to build dynamic spoke-to-spoke tunnels without having the traffic go through the hub. Phase 2 improved on Phase 1 by allowing spokes to build a spoke-to-spoke tunnel on demand, with these restrictions:

  • Spokes must use mGRE (Multipoint GRE) tunnels
  • Spokes must receive specific routes for all remote spoke subnets
  • The next hop of the entry in the routing table must list the remote spoke as the next hop

Check these links for

Here is the network topology for DMVPN phase 2 discussion and configuration.

DMVPN Phase 2 configuration with EIGRP

EIGRP Split Horizon Rule – The split horizon rule prohibits a router from advertising a route through an interface that the router itself uses to reach the destination. In DMVPN, the hub router learns route(s) from one spoke via the Tunnel0 interface and has to advertise them to the other spokes via the same Tunnel0 interface. Thus, for DMVPN Phase 2 to work with EIGRP, split horizon must be disabled on the tunnel interface using the “no ip split-horizon eigrp <asn>” command.

Next-hop self in EIGRP – The next hop for all of the routes must point to the remote spoke. This is the key to triggering the generation of a spoke-to-spoke tunnel. To instruct EIGRP to use the received next hop rather than itself, use the “no ip next-hop-self eigrp <asn>” command.

Configuration:
----------
R1 - Hub:
----------

hostname R1
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.14.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
!
router eigrp 100
 network 10.10.1.1 0.0.0.0
 network 192.168.1.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4

------------
R2 - Spoke:
------------

hostname R2
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.24.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.2.2 255.255.255.0
!
router eigrp 100
 network 10.10.2.2 0.0.0.0
 network 192.168.1.2 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 1.1.24.4

------------
R3 - Spoke:
------------

hostname R3
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.3.3 255.255.255.0
!
router eigrp 100
 network 10.10.3.3 0.0.0.0
 network 192.168.1.3 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 1.1.34.4

---------------
R4 - Internet:
---------------

hostname R4
!
interface FastEthernet0/0
 ip address 1.1.14.4 255.255.255.0
!
interface FastEthernet0/1
 ip address 1.1.24.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 1.1.34.4 255.255.255.0
!
Verification:
- Hub and spoke routers are using mGRE tunnels

R1#show int t0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 192.168.1.1/24
  MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.14.1 (FastEthernet0/0)
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with FastEthernet0/0
          Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport multi-GRE/IP

R2#show int t0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 192.168.1.2/24
  MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.24.2 (FastEthernet0/0)
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with FastEthernet0/0
          Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport multi-GRE/IP

R3#show int t0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 192.168.1.3/24
  MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.34.3 (FastEthernet0/0)
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with FastEthernet0/0
          Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport multi-GRE/IP

- Routing adjacency (EIGRP neighborship) is between Hub and Spokes only 

R1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   192.168.1.2             Tu0                      13 05:09:22  201  1206  0  3
0   192.168.1.3             Tu0                      13 05:09:32  167  1002  0  4

R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.1.1             Tu0                      13 05:09:37  140   840  0  6

R3#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.1.1             Tu0                      11 05:09:49  156   936  0  6

- Routing Table (see next-hop IP on spoke routers to reach other spoke subnets) 

R1#show ip route eigrp | beg Gate
Gateway of last resort is 1.1.14.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.10.2.0/24 [90/1907456] via 192.168.1.2, 05:11:20, Tunnel0
D        10.10.3.0/24 [90/1907456] via 192.168.1.3, 05:11:30, Tunnel0

R2#show ip route eigrp | beg Gate
Gateway of last resort is 1.1.24.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.10.1.0/24 [90/1907456] via 192.168.1.1, 05:11:31, Tunnel0
D        10.10.3.0/24 [90/3187456] via 192.168.1.3, 05:11:31, Tunnel0

R3#show ip route eigrp | beg Gate
Gateway of last resort is 1.1.34.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.10.1.0/24 [90/1907456] via 192.168.1.1, 05:11:42, Tunnel0
D        10.10.2.0/24 [90/3187456] via 192.168.1.2, 05:11:32, Tunnel0
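
The Phase 2 routing restrictions can be checked mechanically from this output. The following Python sketch is an added example, not part of the original post: it reads a spoke's route lines and reports a remote spoke subnet that is missing (split horizon still on), covered only by a summary, or pointing at the hub (next-hop-self still on). The SITES table and the function names are assumptions built from the configuration above; it accepts any route code, so OSPF "O" lines work as well as EIGRP "D" lines.

```python
import ipaddress
import re

# Assumed inventory, taken from the configurations above.
SITES = {
    "R1": {"role": "hub", "tunnel": "192.168.1.1", "lan": "10.10.1.0/24"},
    "R2": {"role": "spoke", "tunnel": "192.168.1.2", "lan": "10.10.2.0/24"},
    "R3": {"role": "spoke", "tunnel": "192.168.1.3", "lan": "10.10.3.0/24"},
}

# Route lines copied from the spoke outputs above.
ROUTES = {
    "R2": """\
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.10.1.0/24 [90/1907456] via 192.168.1.1, 05:11:31, Tunnel0
D        10.10.3.0/24 [90/3187456] via 192.168.1.3, 05:11:31, Tunnel0
""",
    "R3": """\
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.10.1.0/24 [90/1907456] via 192.168.1.1, 05:11:42, Tunnel0
D        10.10.2.0/24 [90/3187456] via 192.168.1.2, 05:11:32, Tunnel0
""",
}

# "<code>  <prefix> [AD/metric] via <next hop>, ..."
ROUTE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+\[\d+/\d+\]\s+via\s+([\d.]+)")


def parse_routes(text):
    """Return [(network, next_hop)] for every routed line in the output."""
    table = []
    for line in text.splitlines():
        match = ROUTE.match(line)
        if match:
            table.append((ipaddress.ip_network(match.group(2)), match.group(3)))
    return table


def audit_spoke(name, route_text, sites):
    """Check one spoke's table against the Phase 2 rules; return findings."""
    table = parse_routes(route_text)
    hub_tunnels = {s["tunnel"] for s in sites.values() if s["role"] == "hub"}
    findings = []
    for other, site in sites.items():
        if other == name or site["role"] != "spoke":
            continue
        lan = ipaddress.ip_network(site["lan"])
        covering = [(net, nh) for net, nh in table if lan.subnet_of(net)]
        if not covering:
            findings.append((site["lan"], "missing: check split horizon on the hub tunnel"))
            continue
        best, next_hop = max(covering, key=lambda route: route[0].prefixlen)
        if best != lan:
            findings.append((site["lan"], f"only a summary {best}: Phase 2 needs the specific route"))
        elif next_hop in hub_tunnels:
            findings.append((site["lan"], "next hop is the hub: check next-hop-self on the hub tunnel"))
        elif next_hop != site["tunnel"]:
            findings.append((site["lan"], f"unexpected next hop {next_hop}"))
    return findings


if __name__ == "__main__":
    for spoke, text in ROUTES.items():
        print(spoke, audit_spoke(spoke, text, SITES) or "OK")
```

An empty list means every remote spoke subnet is present as a specific route whose next hop is that spoke's own tunnel address.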

- DMVPN Table
- Hub shows dynamic entries, spokes registered themselves with hub
- Spokes show static entries, static entry defined for hub

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.24.2            192.168.1.2    UP 00:51:08     D
     1 1.1.34.3            192.168.1.3    UP 00:51:08     D

R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.14.1            192.168.1.1    UP 00:51:28     S

R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.14.1            192.168.1.1    UP 00:51:30     S

- Traffic between Spoke R2 and Spoke R3

Routing entry on R2 shows R3 subnet (10.10.3.0/24) is reachable via next-hop IP 192.168.1.3 (R3 Tunnel IP)

D        10.10.3.0/24 [90/3187456] via 192.168.1.3, 00:05:12, Tunnel0

Let's check the CEF adjacency for next-hop IP 192.168.1.3

R2#show adjacency 192.168.1.3
Protocol Interface                 Address
IP       Tunnel0                   192.168.1.3(5) (incomplete)

The adjacency shows as incomplete. An incomplete adjacency triggers a CEF punt to the CPU for further processing (to resolve the address).

R2#show ip cef 192.168.1.3 internal 
192.168.1.0/24, epoch 0, flags attached, connected, cover dependents, need deagg, RIB[C], refcount 5, per-destination sharing
  sources: RIB 
  feature space:
   IPRM: 0x0003800C
  subblocks:
   gsb Connected chain head(1): 0x6A36ADFC
   Covered dependent prefixes: 3
     need deagg: 2
     notify cover updated: 1
  ifnums:
   Tunnel0(6)
  path 695C0994, path list 6A90BBB8, share 1/1, type connected prefix, for IPv4
  connected to Tunnel0, adjacency punt
  output chain: punt

This causes R2 (Spoke) to send a resolution request to R1 (Hub) for Spoke-R3’s NBMA address. The request gets forwarded from R1 (Hub) to Spoke-R3. Spoke-R3 replies directly to Spoke-R2 with its mapping information. During this process, R2 (Spoke) will send the actual data packet to R1 (Hub) to be delivered to R3 (Spoke) as a last-ditch effort to not drop the traffic. The first traceroute will look like the one below, with the traffic traversing the hub.

R2#traceroute 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 180 msec 128 msec 152 msec    << Hub R1 Tunnel IP
  2 192.168.1.3 252 msec

- Debug nhrp packet shows the following events:

Spoke-R2 sends a resolution request via Tunnel0. It reaches Hub-R1 because this is the only active tunnel on R2 at this moment.
R2#
*Mar  1 00:29:49.567: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Mar  1 00:29:49.575:  src: 192.168.1.2, dst: 192.168.1.3
*Mar  1 00:29:49.583:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 00:29:49.583:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 00:29:49.587:      pktsz: 88 extoff: 52
*Mar  1 00:29:49.591:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 00:29:49.595:      src NBMA: 1.1.24.2
*Mar  1 00:29:49.595:      src protocol: 192.168.1.2, dst protocol: 192.168.1.3
*Mar  1 00:29:49.603:  (C-1) code: no error(0)
*Mar  1 00:29:49.603:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 00:29:49.603:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

This request arrives at Hub-R1. Hub-R1 finds that it is destined for IP 192.168.1.3 and forwards it to Spoke-R3.
R1#
*Mar  1 00:29:49.683: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 88
*Mar  1 00:29:49.687:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 00:29:49.691:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 00:29:49.695:      pktsz: 88 extoff: 52
*Mar  1 00:29:49.695:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 00:29:49.699:      src NBMA: 1.1.24.2
*Mar  1 00:29:49.703:      src protocol: 192.168.1.2, dst protocol: 192.168.1.3
*Mar  1 00:29:49.707:  (C-1) code: no error(0)
*Mar  1 00:29:49.707:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 00:29:49.707:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Mar  1 00:29:49.715: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 108
*Mar  1 00:29:49.719:  src: 192.168.1.1, dst: 192.168.1.3
*Mar  1 00:29:49.723:  (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Mar  1 00:29:49.723:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 00:29:49.723:     
R1# pktsz: 108 extoff: 52
*Mar  1 00:29:49.723:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 00:29:49.723:      src NBMA: 1.1.24.2
*Mar  1 00:29:49.723:      src protocol: 192.168.1.2, dst protocol: 192.168.1.3
*Mar  1 00:29:49.723:  (C-1) code: no error(0)
*Mar  1 00:29:49.723:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 00:29:49.723:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

Then Spoke-R3 receives the NHRP resolution request. This request contains Spoke-R2's details, including the NBMA and tunnel IP addresses of Spoke-R2. Spoke-R3 initiates a direct DMVPN tunnel to R2 and sends the reply to R2.

R3#
*Mar  1 00:29:49.671: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 108
*Mar  1 00:29:49.675:  (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Mar  1 00:29:49.675:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 00:29:49.675:      pktsz: 108 extoff: 52
*Mar  1 00:29:49.675:  (M) flags: "router auth src-stable nat ", reqid: 2 
*Mar  1 00:29:49.675:      src NBMA: 1.1.24.2
*Mar  1 00:29:49.675:      src protocol: 192.168.1.2, dst protocol: 192.168.1.3
*Mar  1 00:29:49.675:  (C-1) code: no error(0)
*Mar  1 00:29:49.675:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 00:29:49.675:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Mar  1 00:29:50.487: NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 136
*Mar  1 00:29:50.487:  src: 192.168.1.3, dst: 192.168.1.2
*Mar  1 00:29:50.487:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 00:29:50.487:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 00:29:50.487:      pktsz
R3#: 136 extoff: 60
*Mar  1 00:29:50.487:  (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2 
*Mar  1 00:29:50.487:      src NBMA: 1.1.24.2
*Mar  1 00:29:50.487:      src protocol: 192.168.1.2, dst protocol: 192.168.1.3
*Mar  1 00:29:50.487:  (C-1) code: no error(0)
*Mar  1 00:29:50.487:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 00:29:50.487:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Mar  1 00:29:50.487:        client NBMA: 1.1.34.3
*Mar  1 00:29:50.487:        client protocol: 192.168.1.3

R2 receives the reply, and at this moment both R2 and R3 know each other's NBMA IP and have a direct DMVPN tunnel.

R2#
*Mar  1 00:29:50.635: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 136
*Mar  1 00:29:50.643:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 00:29:50.647:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 00:29:50.647:      pktsz: 136 extoff: 60
*Mar  1 00:29:50.651:  (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2 
*Mar  1 00:29:50.655:      src NBMA: 1.1.24.2
*Mar  1 00:29:50.655:      src protocol: 192.168.1.2, dst protocol: 192.168.1.3
*Mar  1 00:29:50.663:  (C-1) code: no error(0)
*Mar  1 00:29:50.663:        prefix: 32, mtu: 17870, hd_time: 7200
*Mar  1 00:29:50.663:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Mar  1 00:29:50.663:        client NBMA: 1.1.34.3
*Mar  1 00:29:50.663:        client protocol: 192.168.1.3 *  140 msec
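
The exchange traced above can be reconstructed from the debug text itself. This Python sketch is an added example, not part of the original post: it parses "debug nhrp packet" output, follows one request id from requester to responder, and compares the tunnel-to-NBMA mappings the spokes learn with the hub's registrations from "show dmvpn". The log is trimmed from the output above; the function names and the HUB_REGISTRATIONS table are assumptions.

```python
import re

# Trimmed from the debug output above (pktsz, prefix and addr_len lines omitted).
DEBUG_LOG = """\
R2#
*Mar  1 00:29:49.567: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Mar  1 00:29:49.583:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 00:29:49.591:  (M) flags: "router auth src-stable nat ", reqid: 2
*Mar  1 00:29:49.595:      src NBMA: 1.1.24.2
*Mar  1 00:29:49.595:      src protocol: 192.168.1.2, dst protocol: 192.168.1.3
R1#
*Mar  1 00:29:49.715: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 108
*Mar  1 00:29:49.723:  (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Mar  1 00:29:49.723:  (M) flags: "router auth src-stable nat ", reqid: 2
*Mar  1 00:29:49.723:      src NBMA: 1.1.24.2
*Mar  1 00:29:49.723:      src protocol: 192.168.1.2, dst protocol: 192.168.1.3
R3#
*Mar  1 00:29:50.487: NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 136
*Mar  1 00:29:50.487:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar  1 00:29:50.487:  (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2
*Mar  1 00:29:50.487:      src NBMA: 1.1.24.2
*Mar  1 00:29:50.487:      src protocol: 192.168.1.2, dst protocol: 192.168.1.3
*Mar  1 00:29:50.487:        client NBMA: 1.1.34.3
*Mar  1 00:29:50.487:        client protocol: 192.168.1.3
"""

# Hub R1's registrations, from its "show dmvpn" output above.
HUB_REGISTRATIONS = {"192.168.1.2": "1.1.24.2", "192.168.1.3": "1.1.34.3"}

PROMPT = re.compile(r"^(\S+)#")
HEADER = re.compile(r"NHRP: (Send|Receive|Forwarding) (Resolution (?:Request|Reply))")
FIELD = re.compile(
    r"(hop|reqid|src NBMA|src protocol|dst protocol|client NBMA|client protocol): ([\d.]+)"
)


def parse_events(text):
    """Turn debug text into one dict per NHRP packet event."""
    events, router, current = [], None, None
    for line in text.splitlines():
        prompt = PROMPT.match(line)
        if prompt:
            # A prompt for a different router ends the packet being collected;
            # the same prompt printed mid-packet (as in the output above) does not.
            if prompt.group(1) != router:
                current = None
            router = prompt.group(1)
        header = HEADER.search(line)
        if header:
            current = {"router": router, "action": header.group(1), "kind": header.group(2)}
            events.append(current)
        elif current is not None:
            for key, value in FIELD.findall(line):
                current[key] = int(value) if key in ("hop", "reqid") else value
    return events


def trace_resolution(events, reqid):
    """Follow one request id and return who asked, who relayed, and what was learned."""
    flow = [e for e in events if e.get("reqid") == reqid]
    sent = [e for e in flow if e["action"] == "Send"]
    request = next((e for e in sent if e["kind"] == "Resolution Request"), None)
    reply = next((e for e in sent if e["kind"] == "Resolution Reply"), None)
    if request is None or reply is None:
        raise ValueError(f"incomplete exchange for reqid {reqid}")
    request_hops = [e["hop"] for e in flow if e["kind"] == "Resolution Request"]
    return {
        "requester": request["router"],
        "responder": reply["router"],
        "relayed_by": [e["router"] for e in flow if e["action"] == "Forwarding"],
        # the hop count drops by one at each NHS that forwards the request
        "hops_used": request["hop"] - min(request_hops),
        "learned": {
            reply["client protocol"]: reply["client NBMA"],  # cached by the requester
            request["src protocol"]: request["src NBMA"],    # cached by the responder
        },
    }


def unexpected_mappings(learned, registered):
    """Learned tunnel-to-NBMA mappings that disagree with the hub's registrations."""
    return {ip: nbma for ip, nbma in learned.items() if registered.get(ip) != nbma}


if __name__ == "__main__":
    trace = trace_resolution(parse_events(DEBUG_LOG), reqid=2)
    print(trace)
    print("unexpected:", unexpected_mappings(trace["learned"], HUB_REGISTRATIONS))
```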

- Check DMVPN status now

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
=====================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.24.2            192.168.1.2    UP 05:15:09     D
     1 1.1.34.3            192.168.1.3    UP 05:15:19     D

R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.14.1            192.168.1.1    UP 05:15:26     S
     1 1.1.34.3            192.168.1.3    UP 00:34:02     D

R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.14.1            192.168.1.1    UP 05:15:51     S
     1 1.1.24.2            192.168.1.2    UP 00:34:17     D

- NHRP State

R1#show ip nhrp
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 05:16:06, expire 01:23:19
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.24.2 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 05:16:16, expire 01:23:19
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.34.3 

R2#show ip nhrp               
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 05:17:28, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.14.1 
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 00:35:19, expire 01:24:40
   Type: dynamic, Flags: router unique local 
   NBMA address: 1.1.24.2 
    (no-socket) 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 00:35:20, expire 01:24:40
   Type: dynamic, Flags: router used 
   NBMA address: 1.1.34.3 

R3#show ip nhrp
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 05:17:14, never expire 
   Type: static, Flags: used 
   NBMA address: 1.1.14.1 
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 00:35:06, expire 01:24:34
   Type: dynamic, Flags: router used 
   NBMA address: 1.1.24.2 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 00:35:05, expire 01:24:34
   Type: dynamic, Flags: router unique local 
   NBMA address: 1.1.34.3 
    (no-socket)

- Ping and traceroute between Spoke-R2 and Spoke-R3
- Now traffic is going through direct spoke-to-spoke tunnel

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/128/136 ms

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.3 156 msec *  144 msec         << R3 Tunnel0 IP

- CEF looks as below after the direct spoke-to-spoke DMVPN tunnel is created

R2#show adjacency 192.168.1.3
Protocol Interface                 Address
IP       Tunnel0                   192.168.1.3(11)

R2#show ip cef 192.168.1.3 internal
192.168.1.3/32, epoch 0, flags attached, refcount 5, per-destination sharing
  sources: Adj 
  subblocks:
   Adj source: IP midchain out of Tunnel0, addr 192.168.1.3 6AFD37A0
    Dependent covered prefix type adjfib, cover 192.168.1.0/24
  ifnums:
   Tunnel0(6): 192.168.1.3
  path 6AFD6068, path list 6AFD78A0, share 1/1, type adjacency prefix, for IPv4
  attached to Tunnel0, adjacency IP midchain out of Tunnel0, addr 192.168.1.3 6AFD37A0
  output chain: IP midchain out of Tunnel0, addr 192.168.1.3 6AFD37A0 IP adj out of FastEthernet0/0, addr 1.1.24.4 69237240
R2#

DMVPN Phase 2 configuration with OSPF

  • Configure the hub router as DR. If there is a second hub for redundancy, the second hub will be BDR.
  • Configure the spoke routers with an OSPF priority of zero so that they do not participate in the DR election and always act as DROTHER.
  • All spoke routers will have OSPF adjacencies with the DR and BDR only.

Configuration:
---------
R1 - Hub:
---------

hostname R1
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 255
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.14.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
!
router ospf 1
 network 10.10.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4

------------
R2 - Spoke:
------------

hostname R2
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.24.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.2.2 255.255.255.0
!
router ospf 1
 network 10.10.2.2 0.0.0.0 area 0
 network 192.168.1.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 1.1.24.4

------------
R3 - Spoke:
------------

hostname R3
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.3.3 255.255.255.0
!
router ospf 1
 network 10.10.3.3 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 1.1.34.4
!
Verification:
- OSPF Tunnel Network Type

R1#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State DR, Priority 255
  Designated Router (ID) 192.168.1.1, Interface address 192.168.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 2, Adjacent neighbor count is 2 
    Adjacent with neighbor 192.168.1.2
    Adjacent with neighbor 192.168.1.3
  Suppress hello for 0 neighbor(s)

R2#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.2/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.2, Network Type BROADCAST, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State DROTHER, Priority 0
  Designated Router (ID) 192.168.1.1, Interface address 192.168.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.1.1  (Designated Router)
  Suppress hello for 0 neighbor(s)

R3#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.3/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.3, Network Type BROADCAST, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State DROTHER, Priority 0
  Designated Router (ID) 192.168.1.1, Interface address 192.168.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.1.1  (Designated Router)
  Suppress hello for 0 neighbor(s)

- OSPF Adjacencies

R1#show ip ospf neighbor 
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.2       0   FULL/DROTHER    00:00:32    192.168.1.2     Tunnel0
192.168.1.3       0   FULL/DROTHER    00:00:32    192.168.1.3     Tunnel0

R2#show ip ospf neighbor 
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1     255   FULL/DR         00:00:31    192.168.1.1     Tunnel0

R3#show ip ospf neighbor 
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1     255   FULL/DR         00:00:39    192.168.1.1     Tunnel0

- Routing Table

R1#show ip route ospf | beg Gate
Gateway of last resort is 1.1.14.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.2.0/24 [110/25] via 192.168.1.2, 00:25:23, Tunnel0
O        10.10.3.0/24 [110/25] via 192.168.1.3, 00:25:23, Tunnel0

R2#show ip route ospf | beg Gate
Gateway of last resort is 1.1.24.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.1.0/24 [110/25] via 192.168.1.1, 00:25:28, Tunnel0
O        10.10.3.0/24 [110/25] via 192.168.1.3, 00:25:18, Tunnel0

R3#show ip route ospf | beg Gate
Gateway of last resort is 1.1.34.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.1.0/24 [110/25] via 192.168.1.1, 00:25:30, Tunnel0
O        10.10.2.0/24 [110/25] via 192.168.1.2, 00:25:30, Tunnel0

- Traffic between Spoke R2 and Spoke R3

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/123/128 ms

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.3 144 msec *  128 msec         << R3 Tunnel IP

DMVPN Phase 2 configuration with BGP

  • The hub router is the BGP route-reflector server
  • The spoke routers are BGP route-reflector clients
  • All tunnels are mGRE
  • eBGP can also be used, with the hub and spoke routers configured in different autonomous system numbers (ASNs). Here we will use iBGP only.

-----------
R1 - Hub:
-----------

hostname R1
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.14.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group DMVPN-SPOKES
 bgp listen limit 50
 network 10.10.1.0 mask 255.255.255.0
 neighbor DMVPN-SPOKES peer-group
 neighbor DMVPN-SPOKES remote-as 65001
 neighbor DMVPN-SPOKES route-reflector-client
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4

------------
R2 - Spoke:
------------

hostname R2
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.24.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.2.2 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.1.2
 bgp log-neighbor-changes
 network 10.10.2.0 mask 255.255.255.0
 neighbor 192.168.1.1 remote-as 65001
!
ip route 0.0.0.0 0.0.0.0 1.1.24.4

------------
R3 - Spoke:
------------

hostname R3
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.3.3 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.1.3
 bgp log-neighbor-changes
 network 10.10.3.0 mask 255.255.255.0
 neighbor 192.168.1.1 remote-as 65001
!
ip route 0.0.0.0 0.0.0.0 1.1.34.4

Verification:

- BGP Neighborship between Hub and Spokes only

R1#show ip bgp sum
BGP router identifier 192.168.1.1, local AS number 65001
BGP table version is 4, main routing table version 4
3 network entries using 444 bytes of memory
3 path entries using 192 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 908 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*192.168.1.2    4        65001      11      15        4    0    0 00:06:11        1
*192.168.1.3    4        65001      12      13        4    0    0 00:06:21        1
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1

BGP peergroup DMVPN-SPOKES listen range group members: 
  192.168.1.0/24 

Total dynamically created neighbors: 2/(50 max), Subnet ranges: 1

R2#show ip bgp sum
BGP router identifier 192.168.1.2, local AS number 65001
BGP table version is 4, main routing table version 4
3 network entries using 444 bytes of memory
3 path entries using 192 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
1 BGP rrinfo entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 932 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4        65001      15      11        4    0    0 00:06:17        2

R3#show ip bgp sum
BGP router identifier 192.168.1.3, local AS number 65001
BGP table version is 4, main routing table version 4
3 network entries using 444 bytes of memory
3 path entries using 192 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
1 BGP rrinfo entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 932 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4        65001      13      12        4    0    0 00:06:29        2

- BGP Table

R1#show ip bgp
BGP table version is 4, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.1.0/24     0.0.0.0                  0         32768 i
 *>i 10.10.2.0/24     192.168.1.2              0    100      0 i
 *>i 10.10.3.0/24     192.168.1.3              0    100      0 i

R2#show ip bgp
BGP table version is 4, local router ID is 192.168.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.10.1.0/24     192.168.1.1              0    100      0 i
 *>  10.10.2.0/24     0.0.0.0                  0         32768 i
 *>i 10.10.3.0/24     192.168.1.3              0    100      0 i

R3#show ip bgp
BGP table version is 4, local router ID is 192.168.1.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.10.1.0/24     192.168.1.1              0    100      0 i
 *>i 10.10.2.0/24     192.168.1.2              0    100      0 i
 *>  10.10.3.0/24     0.0.0.0                  0         32768 i

- Routing Table

R1#show ip route bgp | beg Gate
Gateway of last resort is 1.1.14.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B        10.10.2.0/24 [200/0] via 192.168.1.2, 00:07:09
B        10.10.3.0/24 [200/0] via 192.168.1.3, 00:08:11

R2#show ip route bgp | beg Gate
Gateway of last resort is 1.1.24.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B        10.10.1.0/24 [200/0] via 192.168.1.1, 00:07:16
B        10.10.3.0/24 [200/0] via 192.168.1.3, 00:07:16

R3#show ip route bgp | beg Gate
Gateway of last resort is 1.1.34.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B        10.10.1.0/24 [200/0] via 192.168.1.1, 00:08:20
B        10.10.2.0/24 [200/0] via 192.168.1.2, 00:07:18

- Traffic between Spoke R2 and Spoke R3

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/120/128 ms

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.3 132 msec *  120 msec        << R3 Tunnel IP

A DMVPN Phase 2 deployment provides direct spoke-to-spoke tunnels, but one of its limitations is that the spokes must maintain full routing tables. Each route for a remote spoke network needs to be a specific route with the next hop pointing to the remote spoke’s tunnel address. This prevents the hub from sending a summarized route down to the spokes for a more concise routing table. This limitation is addressed in the DMVPN Phase 3 design, which we will discuss later.

DMVPN Phase 1

DMVPN Phase 1 – Hub to Spoke Design

DMVPN Phase 1 provides a hub-and-spoke tunnel deployment: GRE tunnels are built only between the hub and the spokes. There are no spoke-to-spoke tunnels, so traffic from one spoke site to another spoke site always traverses the hub.

Check this link for DMVPN basics – http://www.amolak.net/dmvpn-basics/

We will discuss DMVPN Phase 1 configuration with:

  • EIGRP
  • OSPF
  • BGP

Here is the network topology for our discussion and configuration.

Initial configuration on devices
Site-1 Router R1:

hostname R1
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface FastEthernet0/0
 ip address 1.1.14.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4
!

Site-2 Router R2:

hostname R2
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface FastEthernet0/0
 ip address 1.1.24.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.1.24.4
!

Site-3 Router R3: 

hostname R3
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface FastEthernet0/0
 ip address 1.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.3.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.1.34.4
!

Internet Router R4:

hostname R4
!
interface FastEthernet0/0
 ip address 1.1.14.4 255.255.255.0
!
interface FastEthernet0/1
 ip address 1.1.24.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 1.1.34.4 255.255.255.0
!
DMVPN NBMA Network Behavior

DMVPN creates Non Broadcast Multi Access (NBMA) networks. By default, an NBMA network does not support multicast traffic, and multicast traffic is required to enable dynamic routing protocols.

The "ip nhrp map multicast dynamic" command is used under the hub router's tunnel interface to enable support for multicast traffic. It allows each spoke to register as a receiver of multicast traffic, causing the hub to replicate and forward multicast traffic to the spoke routers.

The "ip nhrp map multicast <hub nbma ip>" command is used under the spoke routers' tunnel interfaces. It ensures that multicast traffic is sent only from the spokes to the hub and not from spoke to spoke.

With this setup, routing adjacencies are formed only between the hub and the spokes. Spokes do not form routing adjacencies with each other.

ip nhrp network-id

The NHRP network ID defines the NHRP domain for an NHRP interface. When two or more NHRP domains (GRE tunnel interfaces) are configured on the same router, it differentiates between them and keeps the NHRP networks (clouds) separate from each other. NHRP network IDs are locally significant and can be different.

DMVPN Phase 1 configuration with EIGRP

Since all spoke routers are configured with tunnel mode GRE (p2p GRE), they can send traffic only via the hub, so the spoke routers do not need specific routes to each other. The hub router advertises a single EIGRP summary route to all spoke routers. In effect, the hub tells the spokes: to reach any specific subnet covered by this summary route, send the traffic to me and I will forward it to the actual destination spoke site.

----------
R1 - Hub:
----------

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROTECT-GRE
!
router eigrp 100
 network 10.10.1.1 0.0.0.0
 network 192.168.1.1 0.0.0.0

------------
R2 - Spoke: 
------------

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router eigrp 100
 network 10.10.2.2 0.0.0.0
 network 192.168.1.2 0.0.0.0

-----------
R3 - Spoke:
-----------

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router eigrp 100
 network 10.10.3.3 0.0.0.0
 network 192.168.1.3 0.0.0.0
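
The hub/spoke relationships described in the NBMA section and used in the three Tunnel0 stanzas above can be checked mechanically before a change is pushed. The following Python lint is an added example, not part of the original post: `stanza`, `arg`, `ip_of` and `lint_phase1` are hypothetical helper names, the input is a trimmed copy of the stanzas above, and R3's two mistakes are constructed.

```python
# Constructed sample input: trimmed copies of the Tunnel0 stanzas above.
# R3 is derived from R2 with two deliberate mistakes: a different NHRP
# authentication string and no "ip nhrp map multicast" line.
HUB_CFG = """\
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.14.1 255.255.255.0
"""
SPOKE_R2 = """\
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
"""
SPOKE_R3 = (SPOKE_R2.replace("192.168.1.2", "192.168.1.3")
            .replace("NhRp@UtH", "WrongKey")
            .replace(" ip nhrp map multicast 1.1.14.1\n", ""))
SPOKE_CFGS = {"R2": SPOKE_R2, "R3": SPOKE_R3}


def stanza(config, ifname):
    """Return the sub-commands configured under one interface."""
    cmds, inside = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            inside = line.split(None, 1)[1].strip() == ifname
        elif inside and line.startswith(" "):
            cmds.append(line.strip())
        else:
            inside = False  # "!" or a top-level command closes the stanza
    return cmds


def arg(cmds, prefix):
    """Argument of the first command that starts with prefix, or None."""
    for cmd in cmds:
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix) + 1:].strip()
    return None


def ip_of(cmds):
    """First word of the stanza's "ip address" command, or None."""
    addr = arg(cmds, "ip address")
    return addr.split()[0] if addr else None


def lint_phase1(hub_cfg, spoke_cfgs, tunnel="Tunnel0", needs_multicast=True):
    """Return findings for settings that break the Phase 1 hub/spoke design.

    Pass needs_multicast=False for the BGP variant on this page, whose
    tunnel stanzas carry no multicast maps.
    """
    findings = []

    def check(name, ok, message):
        if not ok:
            findings.append(f"{name}: {message}")

    hub = stanza(hub_cfg, tunnel)
    hub_ip = ip_of(hub)
    # The hub's NBMA address is the address of its tunnel source interface.
    hub_nbma = ip_of(stanza(hub_cfg, arg(hub, "tunnel source") or ""))
    hub_auth = arg(hub, "ip nhrp authentication")
    check("hub", arg(hub, "tunnel mode") == "gre multipoint",
          "tunnel mode is not gre multipoint")
    check("hub", not needs_multicast or "ip nhrp map multicast dynamic" in hub,
          "ip nhrp map multicast dynamic is missing")
    for name, cfg in sorted(spoke_cfgs.items()):
        spoke = stanza(cfg, tunnel)
        check(name, arg(spoke, "tunnel destination") == hub_nbma,
              f"tunnel destination is not the hub NBMA address {hub_nbma}")
        check(name, arg(spoke, "tunnel mode") is None,
              "Phase 1 spokes use the default p2p GRE mode")
        check(name, arg(spoke, "ip nhrp nhs") == hub_ip, f"ip nhrp nhs is not {hub_ip}")
        # The authentication string is compared but never echoed into the report.
        check(name, arg(spoke, "ip nhrp authentication") == hub_auth,
              "ip nhrp authentication does not match the hub")
        check(name, f"ip nhrp map {hub_ip} {hub_nbma}" in spoke,
              "static NHRP map for the hub is missing")
        check(name, not needs_multicast or f"ip nhrp map multicast {hub_nbma}" in spoke,
              f"ip nhrp map multicast does not point at the hub NBMA address {hub_nbma}")
        check(name, arg(spoke, "ip nhrp network-id") is not None,
              "ip nhrp network-id is missing")
        check(name, arg(spoke, "tunnel protection ipsec profile") is not None,
              "tunnel protection is missing")
    return findings


if __name__ == "__main__":
    for finding in lint_phase1(HUB_CFG, SPOKE_CFGS):
        print(finding)
```

The network ID is only checked for presence because, as noted above, it is locally significant.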

Verification:

- Tunnel mode is mGRE on Hub Router.
- Tunnel mode is GRE (Point-to-Point GRE) on Spoke Routers.
 
 R1:
 
 R1#sh int t0
 Tunnel0 is up, line protocol is up 
   Hardware is Tunnel
   Internet address is 192.168.1.1/24
   MTU 17874 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
      reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation TUNNEL, loopback not set
   Keepalive not set
   Tunnel source 1.1.14.1 (FastEthernet0/0)
    Tunnel Subblocks:
       src-track:
          Tunnel0 source tracking subblock associated with FastEthernet0/0
           Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
   Tunnel protocol/transport multi-GRE/IP
     Key disabled, sequencing disabled
     Checksumming of packets disabled
   Tunnel TTL 255, Fast tunneling enabled
   Tunnel transport MTU 1434 bytes
   Tunnel transmit bandwidth 8000 (kbps)
   Tunnel receive bandwidth 8000 (kbps)
   Tunnel protection via IPSec (profile "PROTECT-GRE")
  <snip>
 
 R2:
 
 R2#sh int t0
 Tunnel0 is up, line protocol is up 
   Hardware is Tunnel
   Internet address is 192.168.1.2/24
   MTU 17874 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
      reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation TUNNEL, loopback not set
   Keepalive not set
   Tunnel source 1.1.24.2 (FastEthernet0/0), destination 1.1.14.1
    Tunnel Subblocks:
       src-track:
          Tunnel0 source tracking subblock associated with FastEthernet0/0
           Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
   Tunnel protocol/transport GRE/IP
     Key disabled, sequencing disabled
     Checksumming of packets disabled
   Tunnel TTL 255, Fast tunneling enabled
   Tunnel transport MTU 1434 bytes
   Tunnel transmit bandwidth 8000 (kbps)
   Tunnel receive bandwidth 8000 (kbps)
   Tunnel protection via IPSec (profile "PROTECT-GRE")
  <snip>
 
 R3:
 
 R3#sh int t0
 Tunnel0 is up, line protocol is up 
   Hardware is Tunnel
   Internet address is 192.168.1.3/24
   MTU 17874 bytes, BW 4096 Kbit/sec, DLY 50000 usec, 
      reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation TUNNEL, loopback not set
   Keepalive not set
   Tunnel source 1.1.34.3 (FastEthernet0/0), destination 1.1.14.1
    Tunnel Subblocks:
       src-track:
          Tunnel0 source tracking subblock associated with FastEthernet0/0
           Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
   Tunnel protocol/transport GRE/IP
     Key disabled, sequencing disabled
     Checksumming of packets disabled
   Tunnel TTL 255, Fast tunneling enabled
   Tunnel transport MTU 1434 bytes
   Tunnel transmit bandwidth 8000 (kbps)
   Tunnel receive bandwidth 8000 (kbps)
   Tunnel protection via IPSec (profile "PROTECT-GRE")
  <snip>
 
 
 - Routing adjacencies are Hub to Spokes only
 
 R1#show ip eigrp neighbors 
 EIGRP-IPv4 Neighbors for AS(100)
 H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                    (sec)         (ms)       Cnt Num
 1   192.168.1.3             Tu0                      11 00:19:56  191  1146  0  16
 0   192.168.1.2             Tu0                      14 00:19:56  178  1068  0  16
 
 R2#show ip eigrp neighbors
 EIGRP-IPv4 Neighbors for AS(100)
 H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                    (sec)         (ms)       Cnt Num
 0   192.168.1.1             Tu0                      11 00:20:37  779  4674  0  10
 
 R3#show ip eigrp neighbors
 EIGRP-IPv4 Neighbors for AS(100)
 H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                    (sec)         (ms)       Cnt Num
 0   192.168.1.1             Tu0                      14 00:20:39  183  1098  0  11 
 
 - Routing Table
 
 R1#show ip route eigrp | beg Gate
 Gateway of last resort is 1.1.14.4 to network 0.0.0.0
 
       10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
 D        10.10.0.0/16 is a summary, 00:14:48, Null0
 D        10.10.2.0/24 [90/1907456] via 192.168.1.2, 00:22:02, Tunnel0
 D        10.10.3.0/24 [90/1907456] via 192.168.1.3, 00:22:04, Tunnel0
 
 R2#show ip route eigrp | beg Gate
 Gateway of last resort is 1.1.24.4 to network 0.0.0.0
 
       10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
 D        10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:15:06, Tunnel0
 
 R3#show ip route eigrp | beg Gate
 Gateway of last resort is 1.1.34.4 to network 0.0.0.0
 
       10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
 D        10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:15:17, Tunnel0
 
 
 - Spoke (R2) to Spoke (R3) traffic traverses the Hub
 
 R2#ping 10.10.3.3 so 10.10.2.2
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
 Packet sent with a source address of 10.10.2.2 
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 192/199/212 ms
 
 R2#trace 10.10.3.3 so 10.10.2.2
 Type escape sequence to abort.
 Tracing the route to 10.10.3.3
 VRF info: (vrf in name/id, vrf out name/id)
   1 192.168.1.1 144 msec 140 msec 136 msec   << Hub R1 Tunnel IP    
   2 192.168.1.3 204 msec *  196 msec         << Spoke R3 Tunnel IP

- DMVPN status on Hub
 
 R1#sh dmvpn
 Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
         N - NATed, L - Local, X - No Socket
         # Ent --> Number of NHRP entries with same NBMA peer
         NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
         UpDn Time --> Up or Down Time for a Tunnel
 ======================================================================
 Interface: Tunnel0, IPv4 NHRP Details 
 Type:Hub, NHRP Peers:2, 
 
  # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
  ----- --------------- --------------- ----- -------- -----
      1 1.1.24.2            192.168.1.2    UP 01:21:07     D
      1 1.1.34.3            192.168.1.3    UP 01:21:11     D
 
R1#sh ip nhrp 
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 01:50:50, expire 01:29:09
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.24.2 
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 01:50:54, expire 01:29:05
   Type: dynamic, Flags: unique registered used 
   NBMA address: 1.1.34.3 

 - DMVPN status on Spoke Routers
 
 R2#sh dmvpn
 Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
         N - NATed, L - Local, X - No Socket
         # Ent --> Number of NHRP entries with same NBMA peer
         NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
         UpDn Time --> Up or Down Time for a Tunnel
 =====================================================================
 Interface: Tunnel0, IPv4 NHRP Details 
 Type:Spoke, NHRP Peers:1, 
 
  # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
  ----- --------------- --------------- ----- -------- -----
      1 1.1.14.1            192.168.1.1    UP 01:22:47     S
 
R2#sh ip nhrp
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:53:57, never expire 
   Type: static, Flags: 
   NBMA address: 1.1.14.1 

 R3#sh dmvpn
 Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
         N - NATed, L - Local, X - No Socket
         # Ent --> Number of NHRP entries with same NBMA peer
         NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
         UpDn Time --> Up or Down Time for a Tunnel
 ====================================================================
 Interface: Tunnel0, IPv4 NHRP Details 
 Type:Spoke, NHRP Peers:1, 
 
  # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
  ----- --------------- --------------- ----- -------- -----
      1 1.1.14.1            192.168.1.1    UP 01:23:09     S


R3#sh ip nhrp
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 01:54:39, never expire 
   Type: static, Flags: 
   NBMA address: 1.1.14.1 
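
The hub learns its spokes dynamically (attribute D in the sh dmvpn output above), so its NHRP cache is worth comparing against the list of spokes that are supposed to register. This Python check is an added example, not part of the original post: it parses "show ip nhrp" output in the format shown above, and `EXPECTED_SPOKES`, the function names and the third cache entry (192.168.1.9 behind 203.0.113.50) are constructed for illustration.

```python
import re

# R1's "show ip nhrp" output from above, followed by one constructed entry
# (192.168.1.9 behind 203.0.113.50) that is not part of the lab.
SHOW_IP_NHRP = """\
R1#sh ip nhrp
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 01:50:50, expire 01:29:09
   Type: dynamic, Flags: unique registered used
   NBMA address: 1.1.24.2
192.168.1.3/32 via 192.168.1.3
   Tunnel0 created 01:50:54, expire 01:29:05
   Type: dynamic, Flags: unique registered used
   NBMA address: 1.1.34.3
192.168.1.9/32 via 192.168.1.9
   Tunnel0 created 00:02:11, expire 01:57:48
   Type: dynamic, Flags: unique registered
   NBMA address: 203.0.113.50
"""

# Assumed inventory (tunnel address -> NBMA address), taken from the spoke
# configs. Fixed NBMA addresses are an assumption that holds for this lab.
EXPECTED_SPOKES = {"192.168.1.2": "1.1.24.2", "192.168.1.3": "1.1.34.3"}

ENTRY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2}) via (\S+)")
TYPE = re.compile(r"^Type:\s*(\w+),\s*Flags:\s*(.*)$")


def parse_show_ip_nhrp(text):
    """Turn "show ip nhrp" output into a list of cache-entry dicts."""
    entries, cur = [], None
    for line in text.splitlines():
        head = ENTRY.match(line)
        if head:
            cur = {"prefix": f"{head.group(1)}/{head.group(2)}", "via": head.group(3),
                   "interface": None, "type": None, "flags": [], "nbma": None}
            entries.append(cur)
            continue
        body = line.strip()
        if cur is None or not body:
            continue  # prompt line or blank line before the first entry
        kind = TYPE.match(body)
        if kind:
            cur["type"], cur["flags"] = kind.group(1), kind.group(2).split()
        elif body.startswith("NBMA address:"):
            cur["nbma"] = body.split(":", 1)[1].strip()
        elif " created " in body:
            cur["interface"] = body.split()[0]
    return entries


def audit_hub_cache(entries, expected):
    """Compare the hub's NHRP cache with the expected spokes; return findings."""
    findings, seen = [], set()
    for entry in entries:
        ip, nbma = entry["via"], entry["nbma"]
        seen.add(ip)
        if ip not in expected:
            findings.append(f"{ip} registered from NBMA {nbma} but is not in the inventory")
        elif expected[ip] != nbma:
            findings.append(f"{ip} registered from NBMA {nbma}, inventory says {expected[ip]}")
    for ip in sorted(set(expected) - seen):
        findings.append(f"{ip} is in the inventory but not registered")
    return findings


if __name__ == "__main__":
    for finding in audit_hub_cache(parse_show_ip_nhrp(SHOW_IP_NHRP), EXPECTED_SPOKES):
        print(finding)
```
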

DMVPN Phase 1 configuration with OSPF

- The hub router's tunnel uses OSPF network type point-to-multipoint
- The spoke routers' tunnels use OSPF network type point-to-point
- OSPF hello timers must match on the tunnel interfaces of the hub and the spokes (the hub configuration below sets ip ospf hello-interval 10 for this)
- Route summarization is not feasible within a single OSPF area

R1:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROTECT-GRE
!
router ospf 1
 network 10.10.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0

R2:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router ospf 1
 network 10.10.2.2 0.0.0.0 area 0
 network 192.168.1.2 0.0.0.0 area 0

R3:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.14.1
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router ospf 1
 network 10.10.3.3 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0

Verification

R1:

R1#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 2, Adjacent neighbor count is 2 
    Adjacent with neighbor 192.168.1.3
    Adjacent with neighbor 192.168.1.2
  Suppress hello for 0 neighbor(s)

R1#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.3       0   FULL/  -        00:00:33    192.168.1.3     Tunnel0
192.168.1.2       0   FULL/  -        00:00:34    192.168.1.2     Tunnel0

R1#show ip route ospf | beg Gate
Gateway of last resort is 1.1.14.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.2.0/24 [110/25] via 192.168.1.2, 00:04:05, Tunnel0
O        10.10.3.0/24 [110/25] via 192.168.1.3, 00:03:45, Tunnel0

R2:

R2#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.2/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.2, Network Type POINT_TO_POINT, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:08
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.1.1
  Suppress hello for 0 neighbor(s)

R2#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       0   FULL/  -        00:00:31    192.168.1.1     Tunnel0

R2#show ip route ospf | beg Gate
Gateway of last resort is 1.1.24.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.1.0/24 [110/25] via 192.168.1.1, 00:05:12, Tunnel0
O        10.10.3.0/24 [110/49] via 192.168.1.1, 00:04:35, Tunnel0
      192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
O        192.168.1.1/32 [110/24] via 192.168.1.1, 00:05:12, Tunnel0


R3:

R3#show ip ospf int t0
Tunnel0 is up, line protocol is up 
  Internet Address 192.168.1.3/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 192.168.1.3, Network Type POINT_TO_POINT, Cost: 24
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           24        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:02
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.1.1
  Suppress hello for 0 neighbor(s)

R3#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       0   FULL/  -        00:00:31    192.168.1.1     Tunnel0

R3#show ip route ospf | beg Gate
Gateway of last resort is 1.1.34.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.1.0/24 [110/25] via 192.168.1.1, 00:05:40, Tunnel0
O        10.10.2.0/24 [110/49] via 192.168.1.1, 00:05:40, Tunnel0
      192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
O        192.168.1.1/32 [110/24] via 192.168.1.1, 00:05:40, Tunnel0


Spoke to Spoke traffic:

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/201/208 ms

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 152 msec 120 msec 164 msec   << Hub Tunnel IP
  2 192.168.1.3 236 msec *  220 msec         << Spoke-3 Tunnel IP 

DMVPN Phase 1 configuration with BGP

- The "bgp listen range ....." command can be used on the hub router to define the IP address range of its BGP neighbors
- The "bgp listen limit xx" command can be used to set the limit of dynamic BGP neighbors
- The hub router acts as the BGP route reflector
- The spoke routers are BGP route-reflector clients
- As the spokes communicate via the hub only, it is inefficient to advertise all specific prefixes to the spoke BGP peers
- The hub router advertises a summary route to the spokes

R1:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp network-id 100
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROTECT-GRE
!
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group DMVPN-SPOKES
 bgp listen limit 50
 network 10.10.1.0 mask 255.255.255.0
 aggregate-address 10.10.0.0 255.255.0.0 summary-only
 neighbor DMVPN-SPOKES peer-group
 neighbor DMVPN-SPOKES remote-as 65001
 neighbor DMVPN-SPOKES route-reflector-client

R2: 

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router bgp 65001
 bgp router-id 192.168.1.2
 bgp log-neighbor-changes
 network 10.10.2.0 mask 255.255.255.0
 neighbor 192.168.1.1 remote-as 65001

R3:

interface Tunnel0
 bandwidth 4096
 ip address 192.168.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map 192.168.1.1 1.1.14.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 1.1.14.1
 tunnel protection ipsec profile PROTECT-GRE
!
router bgp 65001
 bgp router-id 192.168.1.3
 bgp log-neighbor-changes
 network 10.10.3.0 mask 255.255.255.0
 neighbor 192.168.1.1 remote-as 65001

Verification

R1:

R1#show ip bgp summary 
BGP router identifier 192.168.1.1, local AS number 65001
BGP table version is 8, main routing table version 8
4 network entries using 592 bytes of memory
4 path entries using 256 bytes of memory
3/3 BGP path/bestpath attribute entries using 408 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1256 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*192.168.1.2    4        65001      38      40        8    0    0 00:30:25        1
*192.168.1.3    4        65001      37      39        8    0    0 00:30:09        1
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1

BGP peergroup DMVPN-SPOKES listen range group members: 
  192.168.1.0/24 

Total dynamically created neighbors: 2/(50 max), Subnet ranges: 1

R1#show ip bgp
BGP table version is 8, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.0.0/16     0.0.0.0                            32768 i
 s>  10.10.1.0/24     0.0.0.0                  0         32768 i
 s>i 10.10.2.0/24     192.168.1.2              0    100      0 i
 s>i 10.10.3.0/24     192.168.1.3              0    100      0 i

R1#show ip route bgp | beg Gate
Gateway of last resort is 1.1.14.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
B        10.10.0.0/16 [200/0] via 0.0.0.0, 00:30:49, Null0
B        10.10.2.0/24 [200/0] via 192.168.1.2, 00:30:49
B        10.10.3.0/24 [200/0] via 192.168.1.3, 00:29:46

R2:

R2#show ip bgp sum
BGP router identifier 192.168.1.2, local AS number 65001
BGP table version is 5, main routing table version 5
2 network entries using 296 bytes of memory
2 path entries using 128 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 696 total bytes of memory
BGP activity 3/1 prefixes, 3/1 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4        65001      41      40        5    0    0 00:31:43        1

R2#show ip bgp
BGP table version is 5, local router ID is 192.168.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.10.0.0/16     192.168.1.1              0    100      0 i
 *>  10.10.2.0/24     0.0.0.0                  0         32768 i

R2#show ip route bgp | beg Gate 
Gateway of last resort is 1.1.24.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        10.10.0.0/16 [200/0] via 192.168.1.1, 00:31:53

R3:

R3#show ip bgp sum
BGP router identifier 192.168.1.3, local AS number 65001
BGP table version is 3, main routing table version 3
2 network entries using 296 bytes of memory
2 path entries using 128 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 696 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4        65001      41      39        3    0    0 00:32:08        1

R3#show ip bgp
BGP table version is 3, local router ID is 192.168.1.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.10.0.0/16     192.168.1.1              0    100      0 i
 *>  10.10.3.0/24     0.0.0.0                  0         32768 i

R3#show ip route bgp | beg Gate
Gateway of last resort is 1.1.34.4 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        10.10.0.0/16 [200/0] via 192.168.1.1, 00:31:29

Spoke-to-Spoke traffic:

R2#ping 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 180/192/204 ms

R2#trace 10.10.3.3 so 10.10.2.2
Type escape sequence to abort.
Tracing the route to 10.10.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 140 msec 176 msec 140 msec   << Hub Tunnel IP
  2 192.168.1.3 224 msec *  220 msec         << Spoke-3 Tunnel IP

As we have seen, spoke-to-spoke traffic always traverses the hub in the Phase 1 design. In a large network, this increases the overhead on the hub router, and spokes have to use a sub-optimal routing path for traffic between spoke sites. The shortcomings of DMVPN Phase 1 are addressed in the Phase 2 design, which we will discuss in the next blog.

OSPF Route Summarization

Consolidation of multiple routes into one single advertisement is called route summarization. In a nutshell, route summarization is the process of summarizing subnets into a larger subnet to be advertised to upstream routers for ease of management/troubleshooting and resource conservation.

There are two types of route summarization in OSPF.

1. Inter-Area Route Summarization

Although summarization could be configured between any two areas, it is better to summarize in the direction of the backbone. This way the backbone receives all the aggregate addresses and in turn injects them, already summarized, into other areas.

Inter-area route summarization can only be done on the Area Border Router (ABR), which summarizes routes from one particular area into another area.

To specify an address range, perform the following task in router configuration mode:

area area-id range address mask

Here “area-id” is the area containing the networks to be summarized. The “address” and “mask” specify the range of addresses to be summarized in one range.

2. External Route Summarization

External route summarization is specific to external routes that are injected into OSPF via redistribution.
Summarization is done via the following router ospf subcommand:

summary-address ip-address mask

This command is effective only on ASBRs doing redistribution into OSPF.

We will use the following network topology for our discussion.

OSPF Route Summarization

Pre-Configuration

R1:

interface FastEthernet0/0
 ip address 10.10.123.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.16.1 255.255.255.0
!
router eigrp 100
 redistribute ospf 1
 network 192.168.16.1 0.0.0.0
 default-metric 10000 100 255 1 1500
 no auto-summary
!
router ospf 1
 router-id 1.1.1.1
 summary-address 192.168.0.0 255.255.0.0
 redistribute eigrp 100 subnets
 network 10.0.0.0 0.255.255.255 area 0


R2:

interface FastEthernet0/0
 ip address 10.10.123.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.24.2 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 router-id 2.2.2.2
 network 10.10.24.2 0.0.0.0 area 1
 network 10.10.123.2 0.0.0.0 area 0


R3:

interface FastEthernet0/0
 ip address 10.10.123.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.35.3 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 router-id 3.3.3.3
 network 10.10.35.3 0.0.0.0 area 2
 network 10.10.123.3 0.0.0.0 area 0


R4:

interface Loopback4
 ip address 10.4.4.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback5
 ip address 10.4.5.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback6
 ip address 10.4.6.1 255.255.255.0
 ip ospf network point-to-point
!         
interface Loopback7
 ip address 10.4.7.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 10.10.24.4 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 router-id 4.4.4.4
 network 10.0.0.0 0.255.255.255 area 1

R5:

interface Loopback0
 ip address 10.5.0.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback1
 ip address 10.5.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback2
 ip address 10.5.2.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback3
 ip address 10.5.3.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 10.10.35.5 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 router-id 5.5.5.5
 network 10.0.0.0 0.255.255.255 area 2

R6:

interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!         
interface FastEthernet0/0
 ip address 192.168.16.6 255.255.255.0
!
router eigrp 100
 network 192.168.0.0 0.0.255.255
 no auto-summary

Note: Loopback Interfaces are used to simulate different networks connected to routers.

OSPF neighborships are UP and all routers have end-to-end network reachability.

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:34    10.10.123.2     FastEthernet0/0
3.3.3.3           1   FULL/DR         00:00:31    10.10.123.3     FastEthernet0/0

R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:31    10.10.123.1     FastEthernet0/0
3.3.3.3           1   FULL/DR         00:00:31    10.10.123.3     FastEthernet0/0
4.4.4.4           0   FULL/  -        00:00:34    10.10.24.4      FastEthernet0/1

R3#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:31    10.10.123.1     FastEthernet0/0
2.2.2.2           1   FULL/BDR        00:00:34    10.10.123.2     FastEthernet0/0
5.5.5.5           0   FULL/  -        00:00:33    10.10.35.5      FastEthernet0/1

R4#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:32    10.10.24.2      FastEthernet0/0

R5#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:38    10.10.35.3      FastEthernet0/0

R6#sh ip eigrp neighbors 
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.16.1            Fa0/0             13 02:30:57   28   675  0  50

Routing Tables:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.4.7.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.4.4.0 [110/3] via 10.10.123.2, 00:29:08, FastEthernet0/0
O IA    10.4.5.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.5.3.0 [110/3] via 10.10.123.3, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/3] via 10.10.123.3, 00:27:56, FastEthernet0/0
O IA    10.10.24.0 [110/2] via 10.10.123.2, 00:30:27, FastEthernet0/0
O IA    10.10.35.0 [110/2] via 10.10.123.3, 00:30:27, FastEthernet0/0
C       10.10.123.0 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 02:30:25, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 02:30:26, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 02:30:26, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 01:06:06, FastEthernet0/1

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O       10.4.6.0 [110/2] via 10.10.24.4, 00:29:13, FastEthernet0/1
O       10.4.7.0 [110/2] via 10.10.24.4, 00:29:13, FastEthernet0/1
O       10.4.4.0 [110/2] via 10.10.24.4, 00:29:13, FastEthernet0/1
O       10.4.5.0 [110/2] via 10.10.24.4, 00:29:13, FastEthernet0/1
O IA    10.5.3.0 [110/3] via 10.10.123.3, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/3] via 10.10.123.3, 00:27:56, FastEthernet0/0
C       10.10.24.0 is directly connected, FastEthernet0/1
O IA    10.10.35.0 [110/2] via 10.10.123.3, 00:29:13, FastEthernet0/0
C       10.10.123.0 is directly connected, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.123.1, 00:29:13, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 00:29:13, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.123.1, 00:29:13, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.123.1, 00:29:14, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.123.1, 00:29:14, FastEthernet0/0


R3#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/3] via 10.10.123.2, 00:28:53, FastEthernet0/0
O IA    10.4.7.0 [110/3] via 10.10.123.2, 00:28:53, FastEthernet0/0
O IA    10.4.4.0 [110/3] via 10.10.123.2, 00:28:53, FastEthernet0/0
O IA    10.4.5.0 [110/3] via 10.10.123.2, 00:28:53, FastEthernet0/0
O       10.5.3.0 [110/2] via 10.10.35.5, 00:28:53, FastEthernet0/1
O       10.5.2.0 [110/2] via 10.10.35.5, 00:27:46, FastEthernet0/1
O       10.5.1.0 [110/2] via 10.10.35.5, 00:27:46, FastEthernet0/1
O       10.5.0.0 [110/2] via 10.10.35.5, 00:27:56, FastEthernet0/1
O IA    10.10.24.0 [110/2] via 10.10.123.2, 00:28:53, FastEthernet0/0
C       10.10.35.0 is directly connected, FastEthernet0/1
C       10.10.123.0 is directly connected, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.123.1, 00:28:53, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 00:28:53, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.123.1, 00:28:53, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.123.1, 00:28:54, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.123.1, 00:28:54, FastEthernet0/0

R4#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
C       10.4.6.0 is directly connected, Loopback6
C       10.4.7.0 is directly connected, Loopback7
C       10.4.4.0 is directly connected, Loopback4
C       10.4.5.0 is directly connected, Loopback5
O IA    10.5.3.0 [110/4] via 10.10.24.2, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/4] via 10.10.24.2, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/4] via 10.10.24.2, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/4] via 10.10.24.2, 00:27:56, FastEthernet0/0
C       10.10.24.0 is directly connected, FastEthernet0/0
O IA    10.10.35.0 [110/3] via 10.10.24.2, 00:30:27, FastEthernet0/0
O IA    10.10.123.0 [110/2] via 10.10.24.2, 00:30:57, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.24.2, 00:29:24, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.24.2, 00:29:31, FastEthernet0/0

R5#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
O IA    10.4.7.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
O IA    10.4.4.0 [110/4] via 10.10.35.3, 00:29:03, FastEthernet0/0
O IA    10.4.5.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
C       10.5.3.0 is directly connected, Loopback3
C       10.5.2.0 is directly connected, Loopback2
C       10.5.1.0 is directly connected, Loopback1
C       10.5.0.0 is directly connected, Loopback0
O IA    10.10.24.0 [110/3] via 10.10.35.3, 00:30:27, FastEthernet0/0
C       10.10.35.0 is directly connected, FastEthernet0/0
O IA    10.10.123.0 [110/2] via 10.10.35.3, 00:30:57, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.35.3, 00:29:24, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.35.3, 00:29:31, FastEthernet0/0

R6#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
D EX    10.4.6.0 [170/284160] via 192.168.16.1, 00:29:12, FastEthernet0/0
D EX    10.4.7.0 [170/284160] via 192.168.16.1, 00:29:12, FastEthernet0/0
D EX    10.4.4.0 [170/284160] via 192.168.16.1, 00:29:08, FastEthernet0/0
D EX    10.4.5.0 [170/284160] via 192.168.16.1, 00:29:12, FastEthernet0/0
D EX    10.5.3.0 [170/284160] via 192.168.16.1, 00:28:53, FastEthernet0/0
D EX    10.5.2.0 [170/284160] via 192.168.16.1, 00:27:46, FastEthernet0/0
D EX    10.5.1.0 [170/284160] via 192.168.16.1, 00:27:46, FastEthernet0/0
D EX    10.5.0.0 [170/284160] via 192.168.16.1, 00:27:56, FastEthernet0/0
D EX    10.10.24.0 [170/284160] via 192.168.16.1, 00:30:27, FastEthernet0/0
D EX    10.10.35.0 [170/284160] via 192.168.16.1, 00:30:27, FastEthernet0/0
D EX    10.10.123.0 [170/284160] via 192.168.16.1, 02:12:11, FastEthernet0/0
C    192.168.0.0/24 is directly connected, Loopback0
C    192.168.16.0/24 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback1
C    192.168.2.0/24 is directly connected, Loopback2
C    192.168.3.0/24 is directly connected, Loopback3

First we want to summarize the Area 1 routes. R2 is the ABR (Area Border Router), connecting Area 1 to the Backbone Area (Area 0). Here, R2 will do the inter-area route summarization and send the summary advertisement into Area 0.

These four IP subnets can be summarized as follows:

10.4.4.0/24
10.4.5.0/24
10.4.6.0/24
10.4.7.0/24

Summary Network: 10.4.4.0
Mask: 255.255.252.0

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#area 1 range 10.4.4.0 255.255.252.0
R2(config-router)#end
R2#

Let’s see the changes in the routing tables on the other routers.

R1 Before Route Summarization:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.4.7.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.4.4.0 [110/3] via 10.10.123.2, 00:29:08, FastEthernet0/0
O IA    10.4.5.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.5.3.0 [110/3] via 10.10.123.3, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/3] via 10.10.123.3, 00:27:56, FastEthernet0/0
O IA    10.10.24.0 [110/2] via 10.10.123.2, 00:30:27, FastEthernet0/0
O IA    10.10.35.0 [110/2] via 10.10.123.3, 00:30:27, FastEthernet0/0
C       10.10.123.0 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 02:30:25, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 02:30:26, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 02:30:26, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 01:06:06, FastEthernet0/1

R1 After Route Summarization:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 00:01:47, FastEthernet0/0
O IA    10.5.3.0/24 [110/3] via 10.10.123.3, 00:56:18, FastEthernet0/0
O IA    10.5.2.0/24 [110/3] via 10.10.123.3, 00:55:11, FastEthernet0/0
O IA    10.5.1.0/24 [110/3] via 10.10.123.3, 00:55:11, FastEthernet0/0
O IA    10.5.0.0/24 [110/3] via 10.10.123.3, 00:55:21, FastEthernet0/0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 00:57:52, FastEthernet0/0
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 00:57:52, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 02:57:50, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 02:57:49, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 02:57:49, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 01:33:29, FastEthernet0/1

R5 Before Route Summarization:

R5#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
O IA    10.4.7.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
O IA    10.4.4.0 [110/4] via 10.10.35.3, 00:29:03, FastEthernet0/0
O IA    10.4.5.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
C       10.5.3.0 is directly connected, Loopback3
C       10.5.2.0 is directly connected, Loopback2
C       10.5.1.0 is directly connected, Loopback1
C       10.5.0.0 is directly connected, Loopback0
O IA    10.10.24.0 [110/3] via 10.10.35.3, 00:30:27, FastEthernet0/0
C       10.10.35.0 is directly connected, FastEthernet0/0
O IA    10.10.123.0 [110/2] via 10.10.35.3, 00:30:57, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.35.3, 00:29:24, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.35.3, 00:29:31, FastEthernet0/0

R5 After Route Summarization:

R5#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O IA    10.4.4.0/22 [110/4] via 10.10.35.3, 00:06:30, FastEthernet0/0
C       10.5.3.0/24 is directly connected, Loopback3
C       10.5.2.0/24 is directly connected, Loopback2
C       10.5.1.0/24 is directly connected, Loopback1
C       10.5.0.0/24 is directly connected, Loopback0
O IA    10.10.24.0/24 [110/3] via 10.10.35.3, 01:02:34, FastEthernet0/0
C       10.10.35.0/24 is directly connected, FastEthernet0/0
O IA    10.10.123.0/24 [110/2] via 10.10.35.3, 01:03:04, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.35.3, 01:01:32, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.35.3, 01:01:36, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.35.3, 01:01:36, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.35.3, 01:01:36, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.35.3, 01:01:36, FastEthernet0/0

 

Let’s do the same for Area 2. R3 is the ABR here and does the route summarization for the following networks.

10.5.0.0/24
10.5.1.0/24
10.5.2.0/24
10.5.3.0/24

Summary Network: 10.5.0.0
Mask: 255.255.252.0

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#area 2 range 10.5.0.0 255.255.252.0
R3(config-router)#end
R3#

Let’s see the changes in the routing tables on the other routers.

Before Route Summarization:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 00:01:47, FastEthernet0/0
O IA    10.5.3.0/24 [110/3] via 10.10.123.3, 00:56:18, FastEthernet0/0
O IA    10.5.2.0/24 [110/3] via 10.10.123.3, 00:55:11, FastEthernet0/0
O IA    10.5.1.0/24 [110/3] via 10.10.123.3, 00:55:11, FastEthernet0/0
O IA    10.5.0.0/24 [110/3] via 10.10.123.3, 00:55:21, FastEthernet0/0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 00:57:52, FastEthernet0/0
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 00:57:52, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 02:57:50, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 02:57:49, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 02:57:49, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 01:33:29, FastEthernet0/1
R1#

After Route Summarization:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 00:35:14, FastEthernet0/0
O IA    10.5.0.0/22 [110/3] via 10.10.123.3, 00:01:40, FastEthernet0/0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 01:31:19, FastEthernet0/0
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 01:31:19, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 03:31:17, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 03:31:16, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 03:31:16, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 02:06:56, FastEthernet0/1

Let’s summarize external routes now. Router R1 is the ASBR, connected to both the EIGRP and OSPF domains and doing route redistribution between EIGRP and OSPF.

R1 (ASBR) will do the route summarization for external routes into OSPF.

These four IP subnets can be summarized as follows:

192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

Summary Network: 192.168.0.0
Mask: 255.255.252.0

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#summary-address 192.168.0.0 255.255.252.0
R1(config-router)#end
R1#

Let’s see the changes in the routing tables on the other routers.

Before Route Summarization:

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
O       10.4.6.0/24 [110/2] via 10.10.24.4, 00:03:02, FastEthernet0/1
O       10.4.7.0/24 [110/2] via 10.10.24.4, 00:03:02, FastEthernet0/1
O       10.4.4.0/24 [110/2] via 10.10.24.4, 00:03:02, FastEthernet0/1
O       10.4.4.0/22 is a summary, 00:03:02, Null0
O       10.4.5.0/24 [110/2] via 10.10.24.4, 00:03:02, FastEthernet0/1
O IA    10.5.3.0/24 [110/3] via 10.10.123.3, 00:03:02, FastEthernet0/0
O IA    10.5.2.0/24 [110/3] via 10.10.123.3, 00:03:02, FastEthernet0/0
O IA    10.5.1.0/24 [110/3] via 10.10.123.3, 00:03:02, FastEthernet0/0
O IA    10.5.0.0/24 [110/3] via 10.10.123.3, 00:03:02, FastEthernet0/0
C       10.10.24.0/24 is directly connected, FastEthernet0/1
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 00:03:02, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.123.1, 00:03:02, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 00:03:03, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.123.1, 00:03:03, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.123.1, 00:03:03, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.123.1, 00:03:03, FastEthernet0/0

After Route Summarization:

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O       10.4.6.0/24 [110/2] via 10.10.24.4, 00:43:59, FastEthernet0/1
O       10.4.7.0/24 [110/2] via 10.10.24.4, 00:43:59, FastEthernet0/1
O       10.4.4.0/24 [110/2] via 10.10.24.4, 00:43:59, FastEthernet0/1
O       10.4.4.0/22 is a summary, 00:43:59, Null0
O       10.4.5.0/24 [110/2] via 10.10.24.4, 00:43:59, FastEthernet0/1
O IA    10.5.0.0/22 [110/3] via 10.10.123.3, 00:10:24, FastEthernet0/0
C       10.10.24.0/24 is directly connected, FastEthernet0/1
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 00:43:59, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 00:43:59, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 00:00:57, FastEthernet0/0
R2#

Let’s see the routing tables on R4 and verify end-to-end connectivity.

Before Route Summarization:

R4#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
C       10.4.6.0 is directly connected, Loopback6
C       10.4.7.0 is directly connected, Loopback7
C       10.4.4.0 is directly connected, Loopback4
C       10.4.5.0 is directly connected, Loopback5
O IA    10.5.3.0 [110/4] via 10.10.24.2, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/4] via 10.10.24.2, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/4] via 10.10.24.2, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/4] via 10.10.24.2, 00:27:56, FastEthernet0/0
C       10.10.24.0 is directly connected, FastEthernet0/0
O IA    10.10.35.0 [110/3] via 10.10.24.2, 00:30:27, FastEthernet0/0
O IA    10.10.123.0 [110/2] via 10.10.24.2, 00:30:57, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.24.2, 00:29:24, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.24.2, 00:29:31, FastEthernet0/0

After Route Summarization:

R4#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C       10.4.6.0/24 is directly connected, Loopback6
C       10.4.7.0/24 is directly connected, Loopback7
C       10.4.4.0/24 is directly connected, Loopback4
C       10.4.5.0/24 is directly connected, Loopback5
O IA    10.5.0.0/22 [110/4] via 10.10.24.2, 00:12:19, FastEthernet0/0
C       10.10.24.0/24 is directly connected, FastEthernet0/0
O IA    10.10.35.0/24 [110/3] via 10.10.24.2, 01:41:58, FastEthernet0/0
O IA    10.10.123.0/24 [110/2] via 10.10.24.2, 01:42:28, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.24.2, 01:41:00, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.24.2, 00:02:51, FastEthernet0/0
R4#

R4#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/64/84 ms

R4#ping 10.5.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/64/88 ms

So far we have seen that when route summarization is configured, whether inter-area or external, the router advertises the summary route and suppresses advertisement of the specific networks.

Another point to note is that an OSPF router advertises a summary route only if it is receiving an advertisement for at least one route that falls within the summary network range.

R5 is sending LSA advertisements for networks (10.5.0.0/24, 10.5.1.0/24, 10.5.2.0/24 and 10.5.3.0/24) and R3 is sending a single summary route (10.5.0.0/22) advertisement for those networks.

These Loopback interfaces are simulating different 10.5.x.x networks connected to R5.

R5#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.35.5      YES manual up                    up      
FastEthernet0/1            unassigned      YES unset  up                    up      
Loopback0                  10.5.0.1        YES manual up                    up      
Loopback1                  10.5.1.1        YES manual up                    up      
Loopback2                  10.5.2.1        YES manual up                    up      
Loopback3                  10.5.3.1        YES manual up                    up      
R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int l0
R5(config-if)#shut
R5(config-if)#int l1
R5(config-if)#
*Mar  1 04:36:28.214: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down
*Mar  1 04:36:29.214: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to down
R5(config-if)#shut  
R5(config-if)#int l2
R5(config-if)#
*Mar  1 04:36:33.582: %LINK-5-CHANGED: Interface Loopback1, changed state to administratively down
*Mar  1 04:36:34.582: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to down
R5(config-if)#shut  
R5(config-if)#
*Mar  1 04:36:37.922: %LINK-5-CHANGED: Interface Loopback2, changed state to administratively down
*Mar  1 04:36:38.922: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to down
R5(config-if)#

Loopbacks 0, 1 and 2 are shut down now.

Look at the routing table on R3: it now has a route for 10.5.3.0/24 only, but it is still sending the advertisement for summary route 10.5.0.0/22.

R3#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 01:24:03, FastEthernet0/0
O       10.5.3.0/24 [110/2] via 10.10.35.5, 01:24:03, FastEthernet0/1
O       10.5.0.0/22 is a summary, 01:24:03, Null0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 01:24:03, FastEthernet0/0
C       10.10.35.0/24 is directly connected, FastEthernet0/1
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 01:24:03, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:14:35, FastEthernet0/0

The routing table on R2 shows it is still receiving the summary advertisement from R3.

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O       10.4.6.0/24 [110/2] via 10.10.24.4, 02:00:05, FastEthernet0/1
O       10.4.7.0/24 [110/2] via 10.10.24.4, 02:00:05, FastEthernet0/1
O       10.4.4.0/24 [110/2] via 10.10.24.4, 02:00:05, FastEthernet0/1
O       10.4.4.0/22 is a summary, 02:00:05, Null0
O       10.4.5.0/24 [110/2] via 10.10.24.4, 02:00:05, FastEthernet0/1
O IA    10.5.0.0/22 [110/3] via 10.10.123.3, 01:26:30, FastEthernet0/0
C       10.10.24.0/24 is directly connected, FastEthernet0/1
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 02:00:05, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 02:00:05, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:17:02, FastEthernet0/0

Let’s also shut down interface Loopback 3 on R5.

R5(config-if)#int l3
R5(config-if)#shut
R5(config-if)#
*Mar  1 05:09:59.566: %LINK-5-CHANGED: Interface Loopback3, changed state to administratively down
*Mar  1 05:10:00.566: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to down
R5(config-if)#

Looking at the routing table on R3, it has lost all routes for the 10.5.x.x networks, so it will no longer advertise the summary route.

R3#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 01:36:57, FastEthernet0/0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 01:36:57, FastEthernet0/0
C       10.10.35.0/24 is directly connected, FastEthernet0/1
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 01:36:57, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:27:30, FastEthernet0/0

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O       10.4.6.0/24 [110/2] via 10.10.24.4, 02:11:46, FastEthernet0/1
O       10.4.7.0/24 [110/2] via 10.10.24.4, 02:11:46, FastEthernet0/1
O       10.4.4.0/24 [110/2] via 10.10.24.4, 02:11:46, FastEthernet0/1
O       10.4.4.0/22 is a summary, 02:11:46, Null0
O       10.4.5.0/24 [110/2] via 10.10.24.4, 02:11:46, FastEthernet0/1
C       10.10.24.0/24 is directly connected, FastEthernet0/1
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 02:11:46, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 02:11:46, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:28:43, FastEthernet0/0
R2#show ip route 10.5.0.0
% Subnet not in table
R2#

Enable all Loopback interfaces on R5.

R5(config-if)#int l0
R5(config-if)#no shut
R5(config-if)#int l1
R5(config-if)#no shut
R5(config-if)#
*Mar  1 05:20:26.106: %LINK-3-UPDOWN: Interface Loopback0, changed state to up
*Mar  1 05:20:27.106: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R5(config-if)#int l2
R5(config-if)#no shu
*Mar  1 05:20:28.898: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
*Mar  1 05:20:29.898: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R5(config-if)#no shut
R5(config-if)#int l3
R5(config-if)#no shut
R5(config-if)#
*Mar  1 05:20:32.470: %LINK-3-UPDOWN: Interface Loopback2, changed state to up
*Mar  1 05:20:33.470: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
R5(config-if)#
*Mar  1 05:20:35.922: %LINK-3-UPDOWN: Interface Loopback3, changed state to up
*Mar  1 05:20:36.922: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to up
R5(config-if)#do sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.35.5      YES manual up                    up      
FastEthernet0/1            unassigned      YES unset  up                    up      
Loopback0                  10.5.0.1        YES manual up                    up      
Loopback1                  10.5.1.1        YES manual up                    up      
Loopback2                  10.5.2.1        YES manual up                    up      
Loopback3                  10.5.3.1        YES manual up                    up      
R5(config-if)#

Now R3 has routes for all of those networks again and is advertising the summary address into the backbone area.

R3#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 01:46:59, FastEthernet0/0
O       10.5.3.0/24 [110/2] via 10.10.35.5, 00:00:31, FastEthernet0/1
O       10.5.2.0/24 [110/2] via 10.10.35.5, 00:00:31, FastEthernet0/1
O       10.5.1.0/24 [110/2] via 10.10.35.5, 00:00:31, FastEthernet0/1
O       10.5.0.0/24 [110/2] via 10.10.35.5, 00:00:41, FastEthernet0/1
O       10.5.0.0/22 is a summary, 00:00:41, Null0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 01:46:59, FastEthernet0/0
C       10.10.35.0/24 is directly connected, FastEthernet0/1
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 01:46:59, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:37:31, FastEthernet0/0
R3#

Did you notice this route on R3?

O       10.5.0.0/22 is a summary, 00:00:41, Null0

This is called a discard route.

Prior to Cisco IOS Software Release 12.1(6), it was recommended to manually configure, on the ABR, a discard static route for the summary address in order to prevent possible routing loops. For the summary route shown above, you can use this command:

ip route 10.5.0.0 255.255.252.0 null0

In IOS 12.1(6) and higher, the discard route is automatically generated by default. If for any reason you don’t want to use this discard route, you can configure the following commands under router ospf:

[no] discard-route internal
or
[no] discard-route external
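
The loop that the discard route prevents, as an added simulation (not from the original post): it forwards a packet hop by hop between R2 and R3 in the state where only 10.5.3.0/24 is left behind R3. The default route on R3 pointing back at R2 is an assumption that the lab above does not configure, and router names stand in for next-hop addresses.

```python
import ipaddress

SUMMARY = ipaddress.ip_network("10.5.0.0/22")  # summary range from the page


def net(prefix):
    return ipaddress.ip_network(prefix)


def abr_rib(component_routes, discard_route=True, default_via=None):
    """Build R3's table from the intra-area routes it currently holds.

    The summary (and its Null0 discard route) exists only while at least one
    component route falls inside the range, as the outputs above show.
    Returns (rib, advertises_summary).
    """
    rib = {net(p): nh for p, nh in component_routes.items()}
    advertises = any(n.subnet_of(SUMMARY) for n in rib)
    if advertises and discard_route:
        rib[SUMMARY] = "Null0"
    if default_via:  # assumption: not configured in the lab above
        rib[net("0.0.0.0/0")] = default_via
    return rib, advertises


def lookup(rib, dst):
    """Longest-prefix match; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in rib if addr in n]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None


def trace(ribs, start, dst, ttl=8):
    """Forward hop by hop; returns (outcome, path)."""
    path, here = [start], start
    while ttl > 0:
        nh = lookup(ribs[here], dst)
        if nh is None:
            return "unreachable", path
        if nh == "Null0":
            return "discarded", path
        if nh not in ribs:  # next hop owns the network (R5 here)
            return "delivered", path + [nh]
        path.append(nh)
        here = nh
        ttl -= 1
    return "ttl_expired", path


def scenario(discard_route):
    """State after Loopback0-2 on R5 are shut: only 10.5.3.0/24 remains."""
    r3, advertises = abr_rib({"10.5.3.0/24": "R5"}, discard_route,
                             default_via="R2")
    r2 = {SUMMARY: "R3"} if advertises else {}
    return {"R2": r2, "R3": r3}


if __name__ == "__main__":
    for discard in (True, False):
        outcome, path = trace(scenario(discard), "R2", "10.5.1.1")
        print("discard route:", discard, "->", outcome, " > ".join(path))
```
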

 

JUNOS OSPF Configuration

We will discuss these topics in this session:

1. OSPF configuration
2. OSPF passive interface
3. OSPF Virtual Link
4. OSPF interface network type
5. OSPF interface cost manipulation
6. OSPF Authentication

This is the network topology for these configurations:

juniper-ospf

This is the initial configuration on these routers:

set version 10.1R1.8
set system host-name R1
set system root-authentication encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."
set system login user amolak uid 2000
set system login user amolak class super-user
set system login user amolak authentication encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 1.1.12.1/24
set interfaces em1 unit 0 family inet address 1.1.21.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set routing-options router-id 1.1.1.1

set version 10.1R1.8
set system host-name R2
set system root-authentication encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."
set system login user amolak uid 2000
set system login user amolak class super-user
set system login user amolak authentication encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 1.1.12.2/24
set interfaces em1 unit 0 family inet address 1.1.21.2/24
set interfaces em3 unit 0 family inet address 1.1.23.2/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
set routing-options router-id 2.2.2.2

set version 10.1R1.8
set system host-name R3
set system root-authentication encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."
set system login user amolak uid 2000
set system login user amolak class super-user
set system login user amolak authentication encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 1.1.34.3/24
set interfaces em3 unit 0 family inet address 1.1.23.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32
set routing-options router-id 3.3.3.3

set version 10.1R1.8
set system host-name R4
set system root-authentication encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."
set system login user amolak uid 2000
set system login user amolak class super-user
set system login user amolak authentication encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 1.1.34.4/24
set interfaces lo0 unit 0 family inet address 4.4.4.4/32
set routing-options router-id 4.4.4.4

## Router-ID is already configured on all routers with the command below.

    set routing-options router-id x.x.x.x

1. OSPF configuration

– Configure the OSPF areas on the router interfaces as per the drawing. Configure the loopback interface as a passive interface.

R1:

amolak@R1> configure 
Entering configuration mode

[edit]
amolak@R1# set protocols ospf area 0 interface em0.0 
amolak@R1# set protocols ospf area 0 interface em1.0 
amolak@R1# set protocols ospf area 0 interface lo0.0 passive 
amolak@R1# commit and-quit 

R2:

amolak@R2> configure 
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 0 interface em0.0 
amolak@R2# set protocols ospf area 0 interface em1.0    
amolak@R2# set protocols ospf area 0 interface lo0.0 passive 
amolak@R2# set protocols ospf area 1 interface em3.0 
amolak@R2# commit and-quit 

R3:

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 
amolak@R3# set protocols ospf area 2 interface em0.0 
amolak@R3# set protocols ospf area 1 interface lo0.0 passive 
amolak@R3# commit and-quit 

R4:

amolak@R4> configure 
Entering configuration mode

[edit]
amolak@R4# set protocols ospf area 2 interface em0.0 
amolak@R4# set protocols ospf area 2 interface lo0.0 passive 
amolak@R4# commit and-quit

Verification:

amolak@R1> show ospf interface    
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               BDR     0.0.0.0         2.2.2.2         1.1.1.1            1
em1.0               BDR     0.0.0.0         2.2.2.2         1.1.1.1            1
lo0.0               DRother 0.0.0.0         0.0.0.0         0.0.0.0            0

amolak@R1> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
1.1.12.2         em0.0                  Full      2.2.2.2          128    34
1.1.21.2         em1.0                  Full      2.2.2.2          128    38

amolak@R1> show ospf database 

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *1.1.1.1          1.1.1.1          0x80000005   130  0x22 0xd7da  60
Router   2.2.2.2          2.2.2.2          0x80000004   131  0x22 0x3b69  60
Network  1.1.12.2         2.2.2.2          0x80000002   131  0x22 0x26ee  32
Network  1.1.21.2         2.2.2.2          0x80000002   131  0x22 0xc249  32
Summary  1.1.23.0         2.2.2.2          0x80000002   166  0x22 0x3edb  28
Summary  3.3.3.3          2.2.2.2          0x80000001   102  0x22 0xcc5b  28

amolak@R1> show route protocol ospf 

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.23.0/24        *[OSPF/10] 00:01:21, metric 2
                      to 1.1.12.2 via em0.0
                    > to 1.1.21.2 via em1.0
2.2.2.2/32         *[OSPF/10] 00:01:21, metric 1
                    > to 1.1.12.2 via em0.0
                      to 1.1.21.2 via em1.0
3.3.3.3/32         *[OSPF/10] 00:00:55, metric 2
                    > to 1.1.12.2 via em0.0
                      to 1.1.21.2 via em1.0
224.0.0.5/32       *[OSPF/10] 00:02:32, metric 1
                      MultiRecv

amolak@R2> show ospf interface    
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               DR      0.0.0.0         2.2.2.2         1.1.1.1            1
em1.0               DR      0.0.0.0         2.2.2.2         1.1.1.1            1
lo0.0               DRother 0.0.0.0         0.0.0.0         0.0.0.0            0
em3.0               DR      0.0.0.1         2.2.2.2         3.3.3.3            1

amolak@R2> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
1.1.12.1         em0.0                  Full      1.1.1.1          128    33
1.1.21.1         em1.0                  Full      1.1.1.1          128    35
1.1.23.3         em3.0                  Full      3.3.3.3          128    35

amolak@R2> show ospf database 

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   1.1.1.1          1.1.1.1          0x80000005   135  0x22 0xd7da  60
Router  *2.2.2.2          2.2.2.2          0x80000004   134  0x22 0x3b69  60
Network *1.1.12.2         2.2.2.2          0x80000002   134  0x22 0x26ee  32
Network *1.1.21.2         2.2.2.2          0x80000002   134  0x22 0xc249  32
Summary *1.1.23.0         2.2.2.2          0x80000002   169  0x22 0x3edb  28
Summary *3.3.3.3          2.2.2.2          0x80000001   105  0x22 0xcc5b  28

    OSPF database, Area 0.0.0.1
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *2.2.2.2          2.2.2.2          0x80000004   112  0x22 0xa246  36
Router   3.3.3.3          3.3.3.3          0x80000002   108  0x22 0xcef6  48
Network *1.1.23.2         2.2.2.2          0x80000001   112  0x22 0x13ef  32
Summary *1.1.1.1          2.2.2.2          0x80000001   129  0x22 0x2907  28
Summary *1.1.12.0         2.2.2.2          0x80000002   169  0x22 0xb76d  28
Summary *1.1.21.0         2.2.2.2          0x80000002   169  0x22 0x54c7  28
Summary  1.1.34.0         3.3.3.3          0x80000002   103  0x22 0xa664  28
Summary *2.2.2.2          2.2.2.2          0x80000002   169  0x22 0xee3d  28
Summary  4.4.4.4          3.3.3.3          0x80000001    64  0x22 0x809f  28

amolak@R2> show route protocol ospf 

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[OSPF/10] 00:01:33, metric 1
                    > to 1.1.12.1 via em0.0
                      to 1.1.21.1 via em1.0
3.3.3.3/32         *[OSPF/10] 00:01:09, metric 1
                    > to 1.1.23.3 via em3.0
224.0.0.5/32       *[OSPF/10] 00:02:24, metric 1
                      MultiRecv

amolak@R3> show ospf interface 
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               BDR     0.0.0.1         2.2.2.2         3.3.3.3            1
lo0.0               DRother 0.0.0.1         0.0.0.0         0.0.0.0            0
em0.0               DR      0.0.0.2         3.3.3.3         4.4.4.4            1

amolak@R3> show ospf neighbor     
Address          Interface              State     ID               Pri  Dead
1.1.23.2         em3.0                  Full      2.2.2.2          128    38
1.1.34.4         em0.0                  Full      4.4.4.4          128    39

amolak@R3> show ospf database 

    OSPF database, Area 0.0.0.1
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   2.2.2.2          2.2.2.2          0x80000004   131  0x22 0xa246  36
Router  *3.3.3.3          3.3.3.3          0x80000002   125  0x22 0xcef6  48
Network  1.1.23.2         2.2.2.2          0x80000001   131  0x22 0x13ef  32
Summary  1.1.1.1          2.2.2.2          0x80000001   148  0x22 0x2907  28
Summary  1.1.12.0         2.2.2.2          0x80000002   188  0x22 0xb76d  28
Summary  1.1.21.0         2.2.2.2          0x80000002   188  0x22 0x54c7  28
Summary *1.1.34.0         3.3.3.3          0x80000002   120  0x22 0xa664  28
Summary  2.2.2.2          2.2.2.2          0x80000002   188  0x22 0xee3d  28
Summary *4.4.4.4          3.3.3.3          0x80000001    80  0x22 0x809f  28

    OSPF database, Area 0.0.0.2
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *3.3.3.3          3.3.3.3          0x80000004    85  0x22 0x6167  36
Router   4.4.4.4          4.4.4.4          0x80000002    84  0x22 0xdcc5  48
Network *1.1.34.3         3.3.3.3          0x80000002    85  0x22 0xc326  32
Summary *1.1.23.0         3.3.3.3          0x80000002   120  0x22 0x20f5  28
Summary *3.3.3.3          3.3.3.3          0x80000002   120  0x22 0xa281  28

amolak@R3> show route protocol ospf   

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[OSPF/10] 00:01:15, metric 2
                    > to 1.1.23.2 via em3.0
1.1.12.0/24        *[OSPF/10] 00:01:15, metric 2
                    > to 1.1.23.2 via em3.0
1.1.21.0/24        *[OSPF/10] 00:01:15, metric 2
                    > to 1.1.23.2 via em3.0
2.2.2.2/32         *[OSPF/10] 00:01:15, metric 1
                    > to 1.1.23.2 via em3.0
4.4.4.4/32         *[OSPF/10] 00:00:35, metric 1
                    > to 1.1.34.4 via em0.0
224.0.0.5/32       *[OSPF/10] 00:01:25, metric 1
                      MultiRecv

amolak@R4> show ospf interface 
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               BDR     0.0.0.2         3.3.3.3         4.4.4.4            1
lo0.0               DRother 0.0.0.2         0.0.0.0         0.0.0.0            0

amolak@R4> show ospf neighbor     
Address          Interface              State     ID               Pri  Dead
1.1.34.3         em0.0                  Full      3.3.3.3          128    36

amolak@R4> show ospf database 

    OSPF database, Area 0.0.0.2
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   3.3.3.3          3.3.3.3          0x80000004    96  0x22 0x6167  36
Router  *4.4.4.4          4.4.4.4          0x80000002    92  0x22 0xdcc5  48
Network  1.1.34.3         3.3.3.3          0x80000002    96  0x22 0xc326  32
Summary  1.1.23.0         3.3.3.3          0x80000002   131  0x22 0x20f5  28
Summary  3.3.3.3          3.3.3.3          0x80000002   131  0x22 0xa281  28

amolak@R4> show route protocol ospf 

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.23.0/24        *[OSPF/10] 00:00:42, metric 2
                    > to 1.1.34.3 via em0.0
3.3.3.3/32         *[OSPF/10] 00:00:42, metric 1
                    > to 1.1.34.3 via em0.0
224.0.0.5/32       *[OSPF/10] 00:00:52, metric 1
                      MultiRecv

amolak@R1> ping 3.3.3.3 source 1.1.1.1 
PING 3.3.3.3 (3.3.3.3): 56 data bytes
64 bytes from 3.3.3.3: icmp_seq=0 ttl=63 time=0.856 ms
64 bytes from 3.3.3.3: icmp_seq=1 ttl=63 time=0.704 ms
^C
--- 3.3.3.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.704/0.780/0.856/0.076 ms

amolak@R1> ping 2.2.2.2 source 1.1.1.1    
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=0.552 ms
^C
--- 2.2.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.552/0.552/0.552/nan ms

3. OSPF Virtual Link

OSPF requires every area to be connected to the backbone, Area0. Here Area2 is not connected to Area0; because of this design issue, the Area0 and Area2 routers do not have each other's advertised LSAs in their OSPF databases. We need to create a virtual link to fix this issue.

– Configure OSPF virtual link between R2 and R3.

amolak@R2> configure 
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 0 virtual-link neighbor-id 3.3.3.3 transit-area 1

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 0 virtual-link neighbor-id 2.2.2.2 transit-area 1

## 'neighbor-id' is the peer router's router-id ##
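
How the need for this virtual link follows from the area assignments, as an added example (not from the original post): it reads the `set protocols ospf area` lines from step 1, finds areas with no router in area 0, and derives the two virtual-link commands. The `CONFIG` and `ROUTER_ID` tables are retyped from the configuration above; the function names are hypothetical.

```python
import re

# Constructed input: the "set protocols ospf area ..." lines entered in step 1.
CONFIG = {
    "R1": ["set protocols ospf area 0 interface em0.0",
           "set protocols ospf area 0 interface em1.0",
           "set protocols ospf area 0 interface lo0.0 passive"],
    "R2": ["set protocols ospf area 0 interface em0.0",
           "set protocols ospf area 0 interface em1.0",
           "set protocols ospf area 0 interface lo0.0 passive",
           "set protocols ospf area 1 interface em3.0"],
    "R3": ["set protocols ospf area 1 interface em3.0",
           "set protocols ospf area 2 interface em0.0",
           "set protocols ospf area 1 interface lo0.0 passive"],
    "R4": ["set protocols ospf area 2 interface em0.0",
           "set protocols ospf area 2 interface lo0.0 passive"],
}
ROUTER_ID = {"R1": "1.1.1.1", "R2": "2.2.2.2", "R3": "3.3.3.3", "R4": "4.4.4.4"}

AREA_LINE = re.compile(r"^set protocols ospf area (\S+) (interface|virtual-link)\b")


def membership(config):
    """Map router -> set of areas it has an interface or virtual link in."""
    result = {}
    for router, lines in config.items():
        areas = set()
        for line in lines:
            m = AREA_LINE.match(line.strip())
            if m:
                areas.add(m.group(1))
        result[router] = areas
    return result


def detached_areas(member):
    """Areas in which no router is also attached to area 0."""
    backbone = {r for r, areas in member.items() if "0" in areas}
    all_areas = set().union(*member.values())
    return sorted(a for a in all_areas
                  if not any(a in member[r] for r in backbone))


def plan_virtual_links(config):
    """Return (backbone_abr, remote_abr, transit_area) per detached area."""
    member = membership(config)
    backbone = {r for r, areas in member.items() if "0" in areas}
    detached = detached_areas(member)
    plans = []
    for area in detached:
        for remote in sorted(r for r in member if area in member[r]):
            for transit in sorted(member[remote] - {area}):
                if transit in detached:
                    continue  # the transit area must itself touch area 0
                for abr in sorted(b for b in backbone if transit in member[b]):
                    plans.append((abr, remote, transit))
    return plans


def commands(plan):
    """Junos commands for both ends; neighbor-id is the peer's router ID."""
    abr, remote, transit = plan
    fmt = "set protocols ospf area 0 virtual-link neighbor-id {} transit-area {}"
    return {abr: fmt.format(ROUTER_ID[remote], transit),
            remote: fmt.format(ROUTER_ID[abr], transit)}


if __name__ == "__main__":
    for plan in plan_virtual_links(CONFIG):
        for router, cmd in sorted(commands(plan).items()):
            print(router + ":", cmd)
```
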

Verification:

amolak@R2> show ospf interface    
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               DR      0.0.0.0         2.2.2.2         1.1.1.1            1
em1.0               DR      0.0.0.0         2.2.2.2         1.1.1.1            1
lo0.0               DRother 0.0.0.0         0.0.0.0         0.0.0.0            0
vl-3.3.3.3          PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1
em3.0               DR      0.0.0.1         2.2.2.2         3.3.3.3            1

amolak@R2> show ospf neighbor     
Address          Interface              State     ID               Pri  Dead
1.1.12.1         em0.0                  Full      1.1.1.1          128    33
1.1.21.1         em1.0                  Full      1.1.1.1          128    34
1.1.23.3         vl-3.3.3.3             Full      3.3.3.3            0    32
1.1.23.3         em3.0                  Full      3.3.3.3          128    33

amolak@R3> show ospf interface    
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               BDR     0.0.0.1         2.2.2.2         3.3.3.3            1
lo0.0               DRother 0.0.0.1         0.0.0.0         0.0.0.0            0
em0.0               DR      0.0.0.2         3.3.3.3         4.4.4.4            1
vl-2.2.2.2          PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1

amolak@R3> show ospf neighbor     
Address          Interface              State     ID               Pri  Dead
1.1.23.2         em3.0                  Full      2.2.2.2          128    33
1.1.34.4         em0.0                  Full      4.4.4.4          128    34
1.1.23.2         vl-2.2.2.2             Full      2.2.2.2            0    37

Now R3 is connected to Area0 via the virtual link and has become an ABR for Area0, Area1 and Area2.
The Area0 and Area2 routers should now have each other's prefixes in their databases.

amolak@R3> show ospf database 

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   1.1.1.1          1.1.1.1          0x80000005   414  0x22 0xd7da  60
Router   2.2.2.2          2.2.2.2          0x80000007    78  0x22 0x9dca  72
Router  *3.3.3.3          3.3.3.3          0x80000003    77  0x22 0xd51c  36
Network  1.1.12.2         2.2.2.2          0x80000002   413  0x22 0x26ee  32
Network  1.1.21.2         2.2.2.2          0x80000002   413  0x22 0xc249  32
Summary  1.1.23.0         2.2.2.2          0x80000002   448  0x22 0x3edb  28
Summary *1.1.23.0         3.3.3.3          0x80000001    77  0x22 0x22f4  28
Summary *1.1.34.0         3.3.3.3          0x80000001    77  0x22 0xa863  28
Summary  3.3.3.3          2.2.2.2          0x80000001   384  0x22 0xcc5b  28
Summary *3.3.3.3          3.3.3.3          0x80000001    77  0x22 0xa480  28
Summary *4.4.4.4          3.3.3.3          0x80000001    77  0x22 0x809f  28

    OSPF database, Area 0.0.0.1
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   2.2.2.2          2.2.2.2          0x80000006    78  0x22 0xaa38  36
Router  *3.3.3.3          3.3.3.3          0x80000004    77  0x22 0xd6e8  48
Network  1.1.23.2         2.2.2.2          0x80000001   393  0x22 0x13ef  32
Summary  1.1.1.1          2.2.2.2          0x80000001   410  0x22 0x2907  28
Summary  1.1.12.0         2.2.2.2          0x80000002   450  0x22 0xb76d  28
Summary  1.1.21.0         2.2.2.2          0x80000002   450  0x22 0x54c7  28
Summary *1.1.34.0         3.3.3.3          0x80000002   382  0x22 0xa664  28
Summary  2.2.2.2          2.2.2.2          0x80000002   450  0x22 0xee3d  28
Summary *4.4.4.4          3.3.3.3          0x80000001   342  0x22 0x809f  28

    OSPF database, Area 0.0.0.2
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *3.3.3.3          3.3.3.3          0x80000005    77  0x22 0x5f68  36
Router   4.4.4.4          4.4.4.4          0x80000002   346  0x22 0xdcc5  48
Network *1.1.34.3         3.3.3.3          0x80000002   347  0x22 0xc326  32
Summary *1.1.1.1          3.3.3.3          0x80000001    77  0x22 0x1516  28
Summary *1.1.12.0         3.3.3.3          0x80000001    77  0x22 0xa57b  28
Summary *1.1.21.0         3.3.3.3          0x80000001    77  0x22 0x42d5  28
Summary *1.1.23.0         3.3.3.3          0x80000002   382  0x22 0x20f5  28
Summary *2.2.2.2          3.3.3.3          0x80000001    77  0x22 0xdc4b  28
Summary *3.3.3.3          3.3.3.3          0x80000002   382  0x22 0xa281  28

amolak@R4> show ospf database 

    OSPF database, Area 0.0.0.2
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   3.3.3.3          3.3.3.3          0x80000005    68  0x22 0x5f68  36
Router  *4.4.4.4          4.4.4.4          0x80000002   344  0x22 0xdcc5  48
Network  1.1.34.3         3.3.3.3          0x80000002   348  0x22 0xc326  32
Summary  1.1.1.1          3.3.3.3          0x80000001    68  0x22 0x1516  28
Summary  1.1.12.0         3.3.3.3          0x80000001    68  0x22 0xa57b  28
Summary  1.1.21.0         3.3.3.3          0x80000001    68  0x22 0x42d5  28
Summary  1.1.23.0         3.3.3.3          0x80000002   383  0x22 0x20f5  28
Summary  2.2.2.2          3.3.3.3          0x80000001    68  0x22 0xdc4b  28
Summary  3.3.3.3          3.3.3.3          0x80000002   383  0x22 0xa281  28

amolak@R4> show route protocol ospf   

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[OSPF/10] 00:01:08, metric 3
                    > to 1.1.34.3 via em0.0
1.1.12.0/24        *[OSPF/10] 00:01:08, metric 3
                    > to 1.1.34.3 via em0.0
1.1.21.0/24        *[OSPF/10] 00:01:08, metric 3
                    > to 1.1.34.3 via em0.0
1.1.23.0/24        *[OSPF/10] 00:05:40, metric 2
                    > to 1.1.34.3 via em0.0
2.2.2.2/32         *[OSPF/10] 00:01:08, metric 2
                    > to 1.1.34.3 via em0.0
3.3.3.3/32         *[OSPF/10] 00:05:40, metric 1
                    > to 1.1.34.3 via em0.0
224.0.0.5/32       *[OSPF/10] 00:05:50, metric 1
                      MultiRecv

amolak@R1> show ospf database 

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *1.1.1.1          1.1.1.1          0x80000005   402  0x22 0xd7da  60
Router   2.2.2.2          2.2.2.2          0x80000007    70  0x22 0x9dca  72
Router   3.3.3.3          3.3.3.3          0x80000003    71  0x22 0xd51c  36
Network  1.1.12.2         2.2.2.2          0x80000002   403  0x22 0x26ee  32
Network  1.1.21.2         2.2.2.2          0x80000002   403  0x22 0xc249  32
Summary  1.1.23.0         2.2.2.2          0x80000002   438  0x22 0x3edb  28
Summary  1.1.23.0         3.3.3.3          0x80000001    71  0x22 0x22f4  28
Summary  1.1.34.0         3.3.3.3          0x80000001    71  0x22 0xa863  28
Summary  3.3.3.3          2.2.2.2          0x80000001   374  0x22 0xcc5b  28
Summary  3.3.3.3          3.3.3.3          0x80000001    71  0x22 0xa480  28
Summary  4.4.4.4          3.3.3.3          0x80000001    71  0x22 0x809f  28

amolak@R1> show route protocol ospf        

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.23.0/24        *[OSPF/10] 00:07:00, metric 2
                      to 1.1.12.2 via em0.0
                    > to 1.1.21.2 via em1.0
1.1.34.0/24        *[OSPF/10] 00:01:33, metric 3
                      to 1.1.12.2 via em0.0
                    > to 1.1.21.2 via em1.0
2.2.2.2/32         *[OSPF/10] 00:07:00, metric 1
                    > to 1.1.12.2 via em0.0
                      to 1.1.21.2 via em1.0
3.3.3.3/32         *[OSPF/10] 00:06:34, metric 2
                    > to 1.1.12.2 via em0.0
                      to 1.1.21.2 via em1.0
4.4.4.4/32         *[OSPF/10] 00:01:33, metric 3
                      to 1.1.12.2 via em0.0
                    > to 1.1.21.2 via em1.0
224.0.0.5/32       *[OSPF/10] 00:08:11, metric 1
                      MultiRecv

Let's check end to end connectivity.

amolak@R1> ping 4.4.4.4 source 1.1.1.1 
PING 4.4.4.4 (4.4.4.4): 56 data bytes
64 bytes from 4.4.4.4: icmp_seq=0 ttl=62 time=0.696 ms
64 bytes from 4.4.4.4: icmp_seq=1 ttl=62 time=0.816 ms
64 bytes from 4.4.4.4: icmp_seq=2 ttl=62 time=0.815 ms
^C
--- 4.4.4.4 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.696/0.776/0.816/0.056 ms

4. OSPF interface network type

Each link actually connects only two routers, i.e., it is a point-to-point link. But an Ethernet interface defaults to the OSPF network type LAN, which requires a DR/BDR election and a type 2 LSA in the OSPF database.

– Configure interface type as point-to-point between R2 and R3.

Interface type before this configuration:

amolak@R3> show ospf interface em3.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               DR      0.0.0.1         3.3.3.3         0.0.0.0            1
  Type: LAN, Address: 1.1.23.3, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.23.3, Priority: 128
  Adj count: 0
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R2> configure 
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 1 interface em3.0 interface-type p2p 
amolak@R2# commit and-quit 

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 interface-type p2p 
amolak@R3# commit and-quit 
commit complete
Exiting configuration mode

amolak@R3> show ospf interface em3.0 detail    
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               PtToPt  0.0.0.1         0.0.0.0         0.0.0.0            1
  Type: P2P, Address: 1.1.23.3, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R3> show ospf interface   
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               PtToPt  0.0.0.1         0.0.0.0         0.0.0.0            1
lo0.0               DRother 0.0.0.1         0.0.0.0         0.0.0.0            0
em0.0               DR      0.0.0.2         3.3.3.3         4.4.4.4            1
vl-2.2.2.2          PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1

 

5. OSPF interface cost manipulation

R1 has two equal-cost paths to reach the rest of the network. Change the OSPF cost on the interface so that the em0 link is the preferred path and em1 is the backup path.

When evaluating the cost of individual network segments, OSPF evaluates the reference bandwidth. For any link faster than 100 Mbps, the default cost metric is 1. To control the cost of the network segment, you can modify the metric value on an individual interface.

amolak@R1> show ospf interface em0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               BDR     0.0.0.0         2.2.2.2         1.1.1.1            1
  Type: LAN, Address: 1.1.12.1, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.12.2, BDR addr: 1.1.12.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R1> show ospf interface em1.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em1.0               BDR     0.0.0.0         2.2.2.2         1.1.1.1            1
  Type: LAN, Address: 1.1.21.1, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.21.2, BDR addr: 1.1.21.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 1

Let's increase the cost of interface em1.0 to make it the less preferred path.

amolak@R1> configure 
Entering configuration mode

[edit]
amolak@R1# set protocols ospf area 0 interface em1.0 metric 2 
amolak@R1# commit and-quit 

amolak@R2> configure 
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 0 interface em1.0 metric 2 
amolak@R2# commit and-quit 

amolak@R1> show route 2.2.2.2 

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32         *[OSPF/10] 00:01:30, metric 1
                    > to 1.1.12.2 via em0.0

If em0.0 goes down, the route fails over to em1.0:

amolak@R1> configure 
Entering configuration mode

[edit]
amolak@R1# set interfaces em0.0 disable 

[edit]
amolak@R1# commit 
commit complete

[edit]
amolak@R1# run show route 2.2.2.2 

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32         *[OSPF/10] 00:00:01, metric 2
                    > to 1.1.21.2 via em1.0

[edit]
amolak@R1# run ping 2.2.2.2 source 1.1.1.1 
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=0.521 ms
^C
--- 2.2.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.521/0.521/0.521/nan ms

[edit]
amolak@R1# delete interfaces em0.0 disable 

[edit]
amolak@R1# commit and-quit 
commit complete
Exiting configuration mode

6. OSPF Authentication

All OSPFv2 protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in the autonomous system’s routing. By default, OSPFv2 authentication is disabled.

Simple authentication – Authenticates by using a plain-text password that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet. Plain-text passwords are not encrypted and might be subject to packet interception.

- Configure Simple Authentication between R3 and R4. Use password key '@SIMPLE'

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 2 interface em0.0 authentication simple-password @SIMPLE
amolak@R3# commit and-quit 

amolak@R4> configure 
Entering configuration mode

[edit]
amolak@R4# set protocols ospf area 2 interface em0.0 authentication simple-password @SIMPLE    
amolak@R4# commit and-quit 

amolak@R3> show ospf interface em0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               BDR     0.0.0.2         4.4.4.4         3.3.3.3            1
  Type: LAN, Address: 1.1.34.3, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.34.4, BDR addr: 1.1.34.3, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: Password
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R4> show ospf interface em0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               DR      0.0.0.2         4.4.4.4         3.3.3.3            1
  Type: LAN, Address: 1.1.34.4, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.34.4, BDR addr: 1.1.34.3, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: Password
  Protection type: None
  Topology default (ID 0) -> Cost: 1

MD5 authentication – Authenticates by using an encoded MD5 checksum that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet.

You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts OSPFv2 packets sent using the same key identifier (ID) that is defined for that interface.

For increased security, you can configure multiple MD5 keys, each with a unique key ID, and set the date and time to switch to a new key. The receiver of the OSPF packet uses the ID to determine which key to use for authentication.

- Configure MD5 Authentication between R2 and R3. Use password key '@OSPFMD5'

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 authentication md5 ?
Possible completions:
  <key-id>             Key ID for MD5 authentication (0..255)
[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 authentication md5 1 ?
Possible completions:
  key                  MD5 authentication key value
  start-time           Start time for key transmission (YYYY-MM-DD.HH:MM)
[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 authentication md5 1 key @OSPFMD5 ?         
Possible completions:
  <[Enter]>            Execute this command
  start-time           Start time for key transmission (YYYY-MM-DD.HH:MM)
  |                    Pipe through a command
[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 authentication md5 1 key @OSPFMD5    

[edit]
amolak@R3# commit and-quit 

amolak@R2> configure 
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 1 interface em3.0 authentication md5 1 key @OSPFMD5           

[edit]
amolak@R2# commit and-quit 

amolak@R2> show ospf interface em3.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               PtToPt  0.0.0.1         0.0.0.0         0.0.0.0            1
  Type: P2P, Address: 1.1.23.2, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 00:00:00 UTC
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R3> show ospf interface em3.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               PtToPt  0.0.0.1         0.0.0.0         0.0.0.0            1
  Type: P2P, Address: 1.1.23.3, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 00:00:00 UTC
  Protection type: None
  Topology default (ID 0) -> Cost: 1
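
To make the difference between the two authentication types concrete, the following added example (not part of the original lab, and not Junos code) builds OSPFv2 headers as laid out in RFC 2328 and inspects them: the simple password travels readable in the header, while MD5 sends only a key ID, a sequence number and a digest that the receiver recomputes. The function names, packet bodies and sequence number are constructed for illustration; the keys, router IDs and areas are the lab's.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!BBH4s4sHH8s")  # RFC 2328 A.3.1: 24-byte OSPFv2 header
AUTH_NAMES = {0: "null", 1: "simple", 2: "md5"}

def build_packet(body, router_id, area_id, autype, auth_field):
    """Build a constructed hello-type packet (checksum left at 0 for the demo)."""
    length = HDR.size + len(body)
    return HDR.pack(2, 1, length, router_id, area_id, 0, autype, auth_field) + body

def sign_md5(packet, key):
    """Append the RFC 2328 D.4.3 digest: MD5(packet || key zero-padded to 16)."""
    return packet + hashlib.md5(packet + key.ljust(16, b"\0")).digest()

def inspect_auth(frame, keyring):
    """Classify authentication on one OSPFv2 packet; keyring maps key ID -> key."""
    _ver, _type, length, _rid, _area, _ck, autype, auth = HDR.unpack_from(frame)
    result = {"auth": AUTH_NAMES.get(autype, "unknown")}
    if autype == 1:
        # The 8-byte field carries the password itself, readable on the wire.
        result["cleartext"] = auth.rstrip(b"\0").decode("ascii", "replace")
    elif autype == 2:
        _zero, key_id, dlen, seq = struct.unpack("!HBBI", auth)
        result.update(key_id=key_id, seq=seq, valid=False)
        key = keyring.get(key_id)  # receiver selects the key by its ID
        if key is not None:
            want = hashlib.md5(frame[:length] + key.ljust(16, b"\0")).digest()
            result["valid"] = hmac.compare_digest(frame[length:length + dlen], want)
    return result

# Constructed samples using the lab's router IDs, areas and keys (not captures).
SIMPLE_PKT = build_packet(b"\0" * 20, bytes([3, 3, 3, 3]), bytes([0, 0, 0, 2]),
                          1, b"@SIMPLE\0")
MD5_PKT = sign_md5(build_packet(b"\0" * 20, bytes([2, 2, 2, 2]), bytes([0, 0, 0, 1]),
                                2, struct.pack("!HBBI", 0, 1, 16, 1000)), b"@OSPFMD5")

if __name__ == "__main__":
    print(inspect_auth(SIMPLE_PKT, {}))                  # password recovered as-is
    print(inspect_auth(MD5_PKT, {1: b"@OSPFMD5"}))       # digest verifies
    print(inspect_auth(MD5_PKT, {1: b"wrongkey"}))       # digest mismatch
```

A packet whose key ID is not in the receiver's keyring is rejected the same way as one with a bad digest, which is why both ends of the R2-R3 link must agree on key ID 1 as well as on the key.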

Here is the final configuration on all routers:

R1:

amolak@R1> show configuration 
## Last commit: 2014-05-11 09:19:56 UTC by amolak
version 10.1R1.8;
system {
    host-name R1;
    root-authentication {
        encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."; ## SECRET-DATA
    }
    login {
        user amolak {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"; ## SECRET-DATA
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 1.1.12.1/24;
            }
        }
    }
    em1 {
        unit 0 {
            family inet {
                address 1.1.21.1/24;
            }
        }
    }
    lo0 {
        unit 0 {                        
            family inet {
                address 1.1.1.1/32;
            }
        }
    }
}
routing-options {
    router-id 1.1.1.1;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface em0.0;
            interface em1.0 {
                metric 2;
            }
        }
    }
}

amolak@R1> 

R2:

amolak@R2> show configuration 
## Last commit: 2014-05-11 09:26:23 UTC by amolak
version 10.1R1.8;
system {
    host-name R2;
    root-authentication {
        encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."; ## SECRET-DATA
    }
    login {
        user amolak {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"; ## SECRET-DATA
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 1.1.12.2/24;
            }
        }
    }
    em1 {
        unit 0 {
            family inet {
                address 1.1.21.2/24;
            }
        }
    }
    em3 {
        unit 0 {                        
            family inet {
                address 1.1.23.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 2.2.2.2/32;
            }
        }
    }
}
routing-options {
    router-id 2.2.2.2;
}
protocols {
    ospf {
        area 0.0.0.0 {
            virtual-link neighbor-id 3.3.3.3 transit-area 0.0.0.1;
            interface em0.0;
            interface em1.0 {
                metric 2;               
            }
            interface lo0.0 {
                passive;
            }
        }
        area 0.0.0.1 {
            interface em3.0 {
                interface-type p2p;
                authentication {
                    md5 1 key "$9$3Mtqn6CrlvL7dikTFnC0OEhSrWL"; ## SECRET-DATA
                }
            }
        }
    }
}

amolak@R2> 

R3:

amolak@R3> show configuration 
## Last commit: 2014-05-11 09:26:30 UTC by amolak
version 10.1R1.8;
system {
    host-name R3;
    root-authentication {
        encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."; ## SECRET-DATA
    }
    login {
        user amolak {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"; ## SECRET-DATA
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 1.1.34.3/24;
            }
        }
    }
    em3 {
        unit 0 {
            family inet {
                address 1.1.23.3/24;
            }
        }
    }
    lo0 {
        unit 0 {                        
            family inet {
                address 3.3.3.3/32;
            }
        }
    }
}
routing-options {
    router-id 3.3.3.3;
}
protocols {
    ospf {
        area 0.0.0.1 {
            interface em3.0 {
                interface-type p2p;
                authentication {
                    md5 1 key "$9$NG-dwkqPQ3/ylL7-w4oUDik5Q"; ## SECRET-DATA
                }
            }
            interface lo0.0 {
                passive;
            }
        }
        area 0.0.0.2 {                  
            interface em0.0 {
                authentication {
                    simple-password "$9$8w8LXNbsgoJUz3hyrvXxbwY"; ## SECRET-DATA
                }
            }
        }
        area 0.0.0.0 {
            virtual-link neighbor-id 2.2.2.2 transit-area 0.0.0.1;
        }
    }
}

 amolak@R3> 

R4:

amolak@R4> show configuration 
## Last commit: 2014-05-11 09:26:59 UTC by amolak
version 10.1R1.8;
system {
    host-name R4;
    root-authentication {
        encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."; ## SECRET-DATA
    }
    login {
        user amolak {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"; ## SECRET-DATA
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 1.1.34.4/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 4.4.4.4/32;
            }
        }
    }
}
routing-options {                       
    router-id 4.4.4.4;
}
protocols {
    ospf {
        area 0.0.0.2 {
            interface em0.0 {
                authentication {
                    simple-password "$9$61fb/9tO1Ecyebs.f5F9COBI"; ## SECRET-DATA
                }
            }
            interface lo0.0 {
                passive;
            }
        }
    }
}

 amolak@R4>