Cisco Site-to-Site VPN Technologies Comparison
Reference: www.cisco.com
Tag Archives: VPN
L2TPv3 – Layer 2 Tunneling Protocol Version 3
L2TPv3 – Layer 2 Tunneling Protocol Version 3
L2TPv3 provides the capabilities to tunnel Layer 2 payload over IP network. When L2TPv3 is implemented, the physical interfaces that are connected to the customer’s network are used as tunnel ingress and egress interfaces. It is documented in RFC3931.
L2TP is comprised of two types of messages, control messages and data messages.Control messages are used in the establishment, maintenance, and clearing of control connections and sessions. These messages utilize a reliable control channel within L2TP to guarantee delivery. Data messages are used to encapsulate the L2 traffic being carried over the L2TP session. Unlike control messages, data messages are not re-transmitted when packet loss occurs.
L2TPv3 Header Format
The session identifier identifies the tunnel context at the decapsulating router. The session ID of 0 is reserved for use by the protocol. Static L2TPv3 sessions need manual configuration of session ID on the PE routers. However, for dynamic L2TPv3 tunnel setup, the session IDs can be chosen depending on the number of tunnels that are supported by the router in question.
The cookie contains the key for the L2TPv3 session. The cookie length can be configured on a router, but the default value for the cookie length is 4 bytes. When the originating and terminating routers are different platforms, the cookie length needs to be configured manually to be 4 bytes.
Pseudowire control encapsulation consists of 4 bytes and implements sequencing with the L2TPv3 tunnel. It uses only the first bit and bits 8 through 31. The value of the first bit defines if bits 8 through 31 contain a sequence number and if it needs to be updated.
L2TPv3 Components
Control Connection
An L2TP control connection is a reliable control channel that is used to establish, maintain, and release individual L2TP sessions as well as the control connection itself.
Control Message
Control channel messages are used for signalling between the two routers that are the endpoints of the L2TPv3 pseudowire. These endpoints can be referred to as L2TP Control Connection Endpoints – LCCEs. Control connection messages can be used by the LCCEs to setup the control connection itself, to establish L2TPv3 sessions, to indicate circuit status changes, to tear down sessions, to terminate the control connection, and to provide a keepalive mechanism.
Data Channel
The channel for L2TP-encapsulated data traffic that passes between two LCCEs over IP Network.
Data Message
Data channel messages, on the other hand, are the messages that actually carry the Layer-2 protocols and connections over the IP backbone.
Pseudowire (PW)
It is an emulated circuit as it traverses a IP network.There is one Pseudowire per L2TP Session.
Network Topology
We will use following topology to configure L2TPv3 and extend Layer2 network from R4 to R5 and from R6 to R7.
Configuring L2TPv3 Static/Manual Tunnels
R1 - Provider Edge Router connected to Customer Routers hostname R1 ! ip cef ! !! -- L2TP class implements a template for control channel -- !! !! -- parameters that can be applied to different pseudowire -- !! !! -- classes on the router -- !! l2tp-class L2TP-CLASS cookie size 4 ! !! -- Pseudowire class defines the session level parameters of -- !! !! -- the L2TPV3 sessions -- !! pseudowire-class PW-CLASS !! -- Data Encapsulation Protocol -- !! encapsulation l2tpv3 !! -- No signaling protocol for Static Tunnels -- !! protocol none !! -- Configure the Source Address of the Tunnel -- !! ip local interface Loopback0 ! interface Loopback0 ip address 10.1.1.1 255.255.255.255 ! interface FastEthernet0/0 ip address 10.1.13.1 255.255.255.0 ip ospf network point-to-point duplex full speed 100 ! interface FastEthernet0/1 description To Cust-A Site-1 R4 no ip address no cdp enable xconnect 10.1.1.2 101 encapsulation l2tpv3 manual pw-class PW-CLASS l2tp id 101 101 l2tp cookie local 4 1 l2tp cookie remote 4 1 l2tp hello L2TP-CLASS ! interface Serial1/0 description To Cust-B Site-1 R6 no ip address encapsulation ppp serial restart-delay 0 no cdp enable xconnect 10.1.1.2 102 encapsulation l2tpv3 manual pw-class PW-CLASS l2tp id 102 102 l2tp cookie local 4 1 l2tp cookie remote 4 1 l2tp hello L2TP-CLASS ! router ospf 1 network 10.1.0.0 0.0.255.255 area 0 ! R2 - Provider Edge Router connected to Customer Routers hostname R2 ! ip cef ! l2tp-class L2TP-CLASS cookie size 4 ! pseudowire-class PW-CLASS encapsulation l2tpv3 protocol none ip local interface Loopback0 ! interface Loopback0 ip address 10.1.1.2 255.255.255.255 ! interface FastEthernet0/0 ip address 10.1.23.2 255.255.255.0 ip ospf network point-to-point duplex full speed 100 ! interface FastEthernet0/1 description To Cust-A Site-2 R5 no ip address no cdp enable xconnect 10.1.1.1 101 encapsulation l2tpv3 manual pw-class PW-CLASS l2tp id 101 101 l2tp cookie local 4 1 l2tp cookie remote 4 1 l2tp hello L2TP-CLASS ! interface Serial1/0 description To Cust-B Site-2 R6 no ip address encapsulation ppp serial restart-delay 0 no cdp enable xconnect 10.1.1.1 102 encapsulation l2tpv3 manual pw-class PW-CLASS l2tp id 102 102 l2tp cookie local 4 1 l2tp cookie remote 4 1 l2tp hello L2TP-CLASS ! router ospf 1 network 10.1.0.0 0.0.255.255 area 0 ! R3 - Provider Core Network Router hostname R3 ! ip cef ! interface FastEthernet0/0 ip address 10.1.13.3 255.255.255.0 ip ospf network point-to-point duplex full speed 100 ! interface FastEthernet0/1 ip address 10.1.23.3 255.255.255.0 ip ospf network point-to-point duplex full speed 100 ! router ospf 1 network 10.1.0.0 0.0.255.255 area 0 ! R4 - Customer-A Site-1 Edge Router hostname R4 ! interface FastEthernet0/0 ip address 172.16.4.4 255.255.255.0 ! interface FastEthernet0/1 ip address 172.16.45.1 255.255.255.252 ! router eigrp 100 network 172.16.0.0 ! R5 - Customer-A Site-2 Edge Router hostname R5 ! interface FastEthernet0/0 ip address 172.16.5.5 255.255.255.0 ! interface FastEthernet0/1 ip address 172.16.45.2 255.255.255.252 ! router eigrp 100 network 172.16.0.0 ! R6 - Customer-B Site-1 Edge Router hostname R6 ! interface FastEthernet0/0 ip address 192.168.6.6 255.255.255.0 ! interface Serial1/0 ip address 192.168.67.1 255.255.255.252 encapsulation ppp serial restart-delay 0 ! router eigrp 100 network 192.168.0.0 0.0.255.255 ! R7 - Customer-B Site-2 Edge Router hostname R7 ! interface FastEthernet0/0 ip address 192.168.7.7 255.255.255.0 ! interface Serial1/0 ip address 192.168.67.2 255.255.255.252 encapsulation ppp serial restart-delay 0 ! router eigrp 100 network 192.168.0.0 0.0.255.255 !
Verification & Testing
R1#show ip route | beg Gate Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks C 10.1.1.1/32 is directly connected, Loopback0 O 10.1.1.2/32 [110/3] via 10.1.13.3, 00:11:24, FastEthernet0/0 C 10.1.13.0/24 is directly connected, FastEthernet0/0 L 10.1.13.1/32 is directly connected, FastEthernet0/0 O 10.1.23.0/24 [110/2] via 10.1.13.3, 00:11:24, FastEthernet0/0 R2#show ip route | beg Gate Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks O 10.1.1.1/32 [110/3] via 10.1.23.3, 00:11:35, FastEthernet0/0 C 10.1.1.2/32 is directly connected, Loopback0 O 10.1.13.0/24 [110/2] via 10.1.23.3, 00:11:45, FastEthernet0/0 C 10.1.23.0/24 is directly connected, FastEthernet0/0 L 10.1.23.2/32 is directly connected, FastEthernet0/0 R3#show ip route | beg Gate Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks O 10.1.1.1/32 [110/2] via 10.1.13.1, 00:11:54, FastEthernet0/0 O 10.1.1.2/32 [110/2] via 10.1.23.2, 00:11:54, FastEthernet0/1 C 10.1.13.0/24 is directly connected, FastEthernet0/0 L 10.1.13.3/32 is directly connected, FastEthernet0/0 C 10.1.23.0/24 is directly connected, FastEthernet0/1 L 10.1.23.3/32 is directly connected, FastEthernet0/1 R1#show l2tun tunnel all L2TP Tunnel Information Total tunnels 1 sessions 2 Tunnel id 4276657069 is up, remote id is 1806975601, 2 active sessions Locally initiated tunnel Tunnel state is established, time since change 00:12:34 Tunnel transport is IP (115) Remote tunnel name is R2 Internet Address 10.1.1.2, port 0 Local tunnel name is R1 Internet Address 10.1.1.1, port 0 L2TP class for tunnel is L2TP-CLASS Counters, taking last clear into account: 0 packets sent, 0 received 0 bytes sent, 0 received Last clearing of counters never Counters, ignoring last clear: 0 packets sent, 0 received 0 bytes sent, 0 received Control Ns 3, Nr 13 Local RWS 1024 (default), Remote RWS 1024 Control channel Congestion Control is disabled Tunnel PMTU checking disabled Retransmission time 1, max 1 seconds Unsent queuesize 0, max 0 Resend queuesize 0, max 1 Total resends 0, ZLB ACKs sent 12 Total out-of-order dropped pkts 0 Total out-of-order reorder pkts 0 Total peer authentication failures 0 Current no session pak queue check 0 of 5 Retransmit time distribution: 0 0 0 0 0 0 0 0 0 Control message authentication is disabled R2#show l2tun tunnel all L2TP Tunnel Information Total tunnels 1 sessions 2 Tunnel id 1806975601 is up, remote id is 4276657069, 2 active sessions Remotely initiated tunnel Tunnel state is established, time since change 00:13:47 Tunnel transport is IP (115) Remote tunnel name is R1 Internet Address 10.1.1.1, port 0 Local tunnel name is R2 Internet Address 10.1.1.2, port 0 L2TP class for tunnel is L2TP-CLASS Counters, taking last clear into account: 0 packets sent, 0 received 0 bytes sent, 0 received Last clearing of counters never Counters, ignoring last clear: 0 packets sent, 0 received 0 bytes sent, 0 received Control Ns 14, Nr 3 Local RWS 1024 (default), Remote RWS 1024 Control channel Congestion Control is disabled Tunnel PMTU checking disabled Retransmission time 1, max 1 seconds Unsent queuesize 0, max 0 Resend queuesize 0, max 1 Total resends 0, ZLB ACKs sent 2 Total out-of-order dropped pkts 0 Total out-of-order reorder pkts 0 Total peer authentication failures 0 Current no session pak queue check 0 of 5 Retransmit time distribution: 0 0 0 0 0 0 0 0 0 Control message authentication is disabled R1#show l2tun session all L2TP Session Information Total tunnels 1 sessions 2 Session id 102 is up, logical session id 65548, tunnel id 4276657069 Remote session id is 102, remote tunnel id 1806975601 Locally initiated session Unique ID is 4 Session Layer 2 circuit, type is PPP, name is Serial1/0 Session vcid is 102 Circuit state is UP Local circuit state is UP Remote circuit state is UP Call serial number is 0 Remote tunnel name is Internet address is 10.1.1.2 Local tunnel name is Internet address is 10.1.1.1 IP protocol 115 Session is manually signaled Session state is established, time since change 00:15:06 408 Packets sent, 406 received 20885 Bytes sent, 20891 received Last clearing of counters never Counters, ignoring last clear: 408 Packets sent, 406 received 20885 Bytes sent, 20891 received Receive packets dropped: out-of-order: 0 other: 0 total: 0 Send packets dropped: exceeded session MTU: 0 other: 0 total: 0 DF bit off, ToS reflect disabled, ToS value 0, TTL value 255 Sending UDP checksums are disabled Received UDP checksums are verified Session cookie information: local cookie, size 4 bytes, value 00 00 00 01 remote cookie, size 4 bytes, value 00 00 00 01 FS cached header information: encap size = 28 bytes 45000014 00000000 ff73a572 0a010101 0a010102 00000066 00000001 Sequencing is off Conditional debugging is disabled SSM switch id is 8200, SSM segment id is 16405 Session id 101 is up, logical session id 32778, tunnel id 4276657069 Remote session id is 101, remote tunnel id 1806975601 Locally initiated session Unique ID is 1 Session Layer 2 circuit, type is Ethernet, name is FastEthernet0/1 Session vcid is 101 Circuit state is UP Local circuit state is UP Remote circuit state is UP Call serial number is 0 Remote tunnel name is Internet address is 10.1.1.2 Local tunnel name is Internet address is 10.1.1.1 IP protocol 115 Session is manually signaled Session state is established, time since change 00:15:06 315 Packets sent, 310 received 26766 Bytes sent, 26400 received Last clearing of counters never Counters, ignoring last clear: 315 Packets sent, 310 received 26766 Bytes sent, 26400 received Receive packets dropped: out-of-order: 0 other: 0 total: 0 Send packets dropped: exceeded session MTU: 0 other: 0 total: 0 DF bit off, ToS reflect disabled, ToS value 0, TTL value 255 Sending UDP checksums are disabled Received UDP checksums are verified Session cookie information: local cookie, size 4 bytes, value 00 00 00 01 remote cookie, size 4 bytes, value 00 00 00 01 FS cached header information: encap size = 28 bytes 45000014 00000000 ff73a572 0a010101 0a010102 00000065 00000001 Sequencing is off Conditional debugging is disabled SSM switch id is 4102, SSM segment id is 12308 R2#show l2tun session all L2TP Session Information Total tunnels 1 sessions 2 Session id 102 is up, logical session id 65548, tunnel id 1806975601 Remote session id is 102, remote tunnel id 4276657069 Locally initiated session Unique ID is 4 Session Layer 2 circuit, type is PPP, name is Serial1/0 Session vcid is 102 Circuit state is UP Local circuit state is UP Remote circuit state is UP Call serial number is 0 Remote tunnel name is Internet address is 10.1.1.1 Local tunnel name is Internet address is 10.1.1.2 IP protocol 115 Session is manually signaled Session state is established, time since change 00:15:56 433 Packets sent, 427 received 22397 Bytes sent, 21989 received Last clearing of counters never Counters, ignoring last clear: 433 Packets sent, 427 received 22397 Bytes sent, 21989 received Receive packets dropped: out-of-order: 0 other: 0 total: 0 Send packets dropped: exceeded session MTU: 0 other: 0 total: 0 DF bit off, ToS reflect disabled, ToS value 0, TTL value 255 Sending UDP checksums are disabled Received UDP checksums are verified Session cookie information: local cookie, size 4 bytes, value 00 00 00 01 remote cookie, size 4 bytes, value 00 00 00 01 FS cached header information: encap size = 28 bytes 45000014 00000000 ff73a572 0a010102 0a010101 00000066 00000001 Sequencing is off Conditional debugging is disabled SSM switch id is 8200, SSM segment id is 16405 Session id 101 is up, logical session id 32778, tunnel id 1806975601 Remote session id is 101, remote tunnel id 4276657069 Locally initiated session Unique ID is 1 Session Layer 2 circuit, type is Ethernet, name is FastEthernet0/1 Session vcid is 101 Circuit state is UP Local circuit state is UP Remote circuit state is UP Call serial number is 0 Remote tunnel name is Internet address is 10.1.1.1 Local tunnel name is Internet address is 10.1.1.2 IP protocol 115 Session is manually signaled Session state is established, time since change 00:15:56 329 Packets sent, 330 received 27997 Bytes sent, 28095 received Last clearing of counters never Counters, ignoring last clear: 329 Packets sent, 330 received 27997 Bytes sent, 28095 received Receive packets dropped: out-of-order: 0 other: 0 total: 0 Send packets dropped: exceeded session MTU: 0 other: 0 total: 0 DF bit off, ToS reflect disabled, ToS value 0, TTL value 255 Sending UDP checksums are disabled Received UDP checksums are verified Session cookie information: local cookie, size 4 bytes, value 00 00 00 01 remote cookie, size 4 bytes, value 00 00 00 01 FS cached header information: encap size = 28 bytes 45000014 00000000 ff73a572 0a010102 0a010101 00000065 00000001 Sequencing is off Conditional debugging is disabled SSM switch id is 4102, SSM segment id is 12307
!! -- Customer A Site-1 router can reach Site-2 Router WAN IP -- !! !! -- through L2TPV3 tunneling over Service Provider IP network -- !! R4#ping 172.16.45.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.45.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 96/103/108 ms !! -- Customer A Site-1 Router would see Site-2 Router as -- !! !! -- directly connected as they would be directly connected -- !! !! -- on a layer 2 network -- !! R4#ping 172.16.45.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.45.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 96/103/108 ms R4#show cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay Device ID Local Intrfce Holdtme Capability Platform Port ID R5 Fas 0/1 145 R 7206VXR Fas 0/1 R4#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 172.16.45.2 Fa0/1 10 00:17:52 1605 5000 0 3 R4#show ip route | beg Gate Gateway of last resort is not set 172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks C 172.16.4.0/24 is directly connected, FastEthernet0/0 L 172.16.4.4/32 is directly connected, FastEthernet0/0 D 172.16.5.0/24 [90/30720] via 172.16.45.2, 00:18:16, FastEthernet0/1 C 172.16.45.0/30 is directly connected, FastEthernet0/1 L 172.16.45.1/32 is directly connected, FastEthernet0/1 R5#show ip route | beg Gate Gateway of last resort is not set 172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks D 172.16.4.0/24 [90/30720] via 172.16.45.1, 00:22:24, FastEthernet0/1 C 172.16.5.0/24 is directly connected, FastEthernet0/0 L 172.16.5.5/32 is directly connected, FastEthernet0/0 C 172.16.45.0/30 is directly connected, FastEthernet0/1 L 172.16.45.2/32 is directly connected, FastEthernet0/1 R4#ping 172.16.5.5 source 172.16.4.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.5.5, timeout is 2 seconds: Packet sent with a source address of 172.16.4.4 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 84/95/100 ms R4#traceroute 172.16.5.5 source 172.16.4.4 Type escape sequence to abort. Tracing the route to 172.16.5.5 VRF info: (vrf in name/id, vrf out name/id) 1 172.16.45.2 100 msec * 92 msec !! -- Customer B Site-1 router can reach Site-2 Router WAN IP -- !! !! -- through L2TPV3 tunneling over Service Provider IP network -- !! R6#ping 192.168.67.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.67.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 96/105/116 ms R6#show cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay Device ID Local Intrfce Holdtme Capability Platform Port ID R7 Ser 1/0 136 R 7206VXR Ser 1/0 R6#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.67.2 Se1/0 14 00:22:46 140 840 0 3 R6#show ip route | beg Gate Gateway of last resort is not set 192.168.6.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.6.0/24 is directly connected, FastEthernet0/0 L 192.168.6.6/32 is directly connected, FastEthernet0/0 D 192.168.7.0/24 [90/2172416] via 192.168.67.2, 00:22:57, Serial1/0 192.168.67.0/24 is variably subnetted, 3 subnets, 2 masks C 192.168.67.0/30 is directly connected, Serial1/0 L 192.168.67.1/32 is directly connected, Serial1/0 C 192.168.67.2/32 is directly connected, Serial1/0 R6#ping 192.168.7.7 source 192.168.6.6 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.7.7, timeout is 2 seconds: Packet sent with a source address of 192.168.6.6 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 96/103/112 ms R6#traceroute 192.168.7.7 source 192.168.6.6 Type escape sequence to abort. Tracing the route to 192.168.7.7 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.67.2 92 msec * 104 msec
Configuring L2TPv3 Dynamic Tunnels
The only differences are in the configuration of the pseudowire class or template as well as the attachment circuit configuration. In comparison to implementation of static/manual L2TPV3 tunnel configuration, Dynamic L2TPV3 Tunnel configuration is the configuration of a protocol for signalling the control channel parameters. We used “protocol none” (no signalling protocol) in pseudowire-class with static/manual tunnel configuration. We will not use this command with Dynamic tunnel configuration. By default it will use L2TP for signalling here.
R1 - Provider Edge Router connected to Customer Routers hostname R1 ! ip cef ! pseudowire-class PW-CLASS encapsulation l2tpv3 ip local interface Loopback0 ! interface Loopback0 ip address 10.1.1.1 255.255.255.255 ! interface FastEthernet0/0 ip address 10.1.13.1 255.255.255.0 ip ospf network point-to-point ! interface FastEthernet0/1 description To Cust-A Site-1 R4 no ip address no cdp enable xconnect 10.1.1.2 101 pw-class PW-CLASS ! interface Serial1/0 description To Cust-B Site-1 R6 no ip address encapsulation ppp no cdp enable xconnect 10.1.1.2 102 pw-class PW-CLASS ! router ospf 1 network 10.1.0.0 0.0.255.255 area 0 ! R2 - Provider Edge Router connected to Customer Routers hostname R2 ! ip cef ! pseudowire-class PW-CLASS encapsulation l2tpv3 ip local interface Loopback0 ! interface Loopback0 ip address 10.1.1.2 255.255.255.255 ! interface FastEthernet0/0 ip address 10.1.23.2 255.255.255.0 ip ospf network point-to-point ! interface FastEthernet0/1 description To Cust-A Site-2 R5 no ip address no cdp enable xconnect 10.1.1.1 101 pw-class PW-CLASS ! interface Serial1/0 description To Cust-B Site-2 R7 no ip address encapsulation ppp no cdp enable xconnect 10.1.1.1 102 pw-class PW-CLASS ! router ospf 1 network 10.1.0.0 0.0.255.255 area 0 !
Verification & Testing
R1#show l2tun tunnel all L2TP Tunnel Information Total tunnels 1 sessions 2 Tunnel id 1776971907 is up, remote id is 329857833, 2 active sessions Remotely initiated tunnel Tunnel state is established, time since change 00:04:40 Tunnel transport is IP (115) Remote tunnel name is R2 Internet Address 10.1.1.2, port 0 Local tunnel name is R1 Internet Address 10.1.1.1, port 0 L2TP class for tunnel is l2tp_default_class Counters, taking last clear into account: 235 packets sent, 232 received 15766 bytes sent, 15568 received Last clearing of counters never Counters, ignoring last clear: 235 packets sent, 232 received 15766 bytes sent, 15568 received Control Ns 5, Nr 11 Local RWS 1024 (default), Remote RWS 1024 Control channel Congestion Control is disabled Tunnel PMTU checking disabled Retransmission time 1, max 1 seconds Unsent queuesize 0, max 0 Resend queuesize 0, max 2 Total resends 0, ZLB ACKs sent 8 Total out-of-order dropped pkts 0 Total out-of-order reorder pkts 0 Total peer authentication failures 0 Current no session pak queue check 0 of 5 Retransmit time distribution: 0 0 0 0 0 0 0 0 0 Control message authentication is disabled R1#show l2tun session all L2TP Session Information Total tunnels 1 sessions 2 Session id 1211541847 is up, logical session id 98324, tunnel id 1776971907 Remote session id is 132911511, remote tunnel id 329857833 Remotely initiated session Unique ID is 4 Session Layer 2 circuit, type is PPP, name is Serial1/0 Session vcid is 102 Circuit state is UP Local circuit state is UP Remote circuit state is UP Call serial number is 1898000001 Remote tunnel name is R2 Internet address is 10.1.1.2 Local tunnel name is R1 Internet address is 10.1.1.1 IP protocol 115 Session is L2TP signaled Session state is established, time since change 00:05:01 142 Packets sent, 142 received 7563 Bytes sent, 7583 received Last clearing of counters never Counters, ignoring last clear: 142 Packets sent, 142 received 7563 Bytes sent, 7583 received Receive packets dropped: out-of-order: 0 other: 0 total: 0 Send packets dropped: exceeded session MTU: 0 other: 0 total: 0 DF bit off, ToS reflect disabled, ToS value 0, TTL value 255 Sending UDP checksums are disabled Received UDP checksums are verified No session cookie information available FS cached header information: encap size = 24 bytes 45000014 00000000 ff73a572 0a010101 0a010102 07ec1197 Sequencing is off Conditional debugging is disabled SSM switch id is 8198, SSM segment id is 12312 Session id 2531932146 is up, logical session id 65558, tunnel id 1776971907 Remote session id is 490732246, remote tunnel id 329857833 Remotely initiated session Unique ID is 1 Session Layer 2 circuit, type is Ethernet, name is FastEthernet0/1 Session vcid is 101 Circuit state is UP Local circuit state is UP Remote circuit state is UP Call serial number is 1898000002 Remote tunnel name is R2 Internet address is 10.1.1.2 Local tunnel name is R1 Internet address is 10.1.1.1 IP protocol 115 Session is L2TP signaled Session state is established, time since change 00:05:01 109 Packets sent, 106 received 9059 Bytes sent, 8841 received Last clearing of counters never Counters, ignoring last clear: 109 Packets sent, 106 received 9059 Bytes sent, 8841 received Receive packets dropped: out-of-order: 0 other: 0 total: 0 Send packets dropped: exceeded session MTU: 0 other: 0 total: 0 DF bit off, ToS reflect disabled, ToS value 0, TTL value 255 Sending UDP checksums are disabled Received UDP checksums are verified No session cookie information available FS cached header information: encap size = 24 bytes 45000014 00000000 ff73a572 0a010101 0a010102 1d3ffad6 Sequencing is off Conditional debugging is disabled SSM switch id is 4100, SSM segment id is 16409 R2#show l2tun tunnel all L2TP Tunnel Information Total tunnels 1 sessions 2 Tunnel id 329857833 is up, remote id is 1776971907, 2 active sessions Locally initiated tunnel Tunnel state is established, time since change 00:06:02 Tunnel transport is IP (115) Remote tunnel name is R1 Internet Address 10.1.1.1, port 0 Local tunnel name is R2 Internet Address 10.1.1.2, port 0 L2TP class for tunnel is l2tp_default_class Counters, taking last clear into account: 295 packets sent, 297 received 19736 bytes sent, 19872 received Last clearing of counters never Counters, ignoring last clear: 295 packets sent, 297 received 19736 bytes sent, 19872 received Control Ns 13, Nr 5 Local RWS 1024 (default), Remote RWS 1024 Control channel Congestion Control is disabled Tunnel PMTU checking disabled Retransmission time 1, max 1 seconds Unsent queuesize 0, max 0 Resend queuesize 0, max 3 Total resends 0, ZLB ACKs sent 4 Total out-of-order dropped pkts 0 Total out-of-order reorder pkts 0 Total peer authentication failures 0 Current no session pak queue check 0 of 5 Retransmit time distribution: 0 0 0 0 0 0 0 0 0 Control message authentication is disabled R2#show l2tun session all L2TP Session Information Total tunnels 1 sessions 2 Session id 132911511 is up, logical session id 65548, tunnel id 329857833 Remote session id is 1211541847, remote tunnel id 1776971907 Locally initiated session Unique ID is 4 Session Layer 2 circuit, type is PPP, name is Serial1/0 Session vcid is 102 Circuit state is UP Local circuit state is UP Remote circuit state is UP Call serial number is 1898000001 Remote tunnel name is R1 Internet address is 10.1.1.1 Local tunnel name is R2 Internet address is 10.1.1.2 IP protocol 115 Session is L2TP signaled Session state is established, time since change 00:06:16 175 Packets sent, 174 received 9117 Bytes sent, 9035 received Last clearing of counters never Counters, ignoring last clear: 175 Packets sent, 174 received 9117 Bytes sent, 9035 received Receive packets dropped: out-of-order: 0 other: 0 total: 0 Send packets dropped: exceeded session MTU: 0 other: 0 total: 0 DF bit off, ToS reflect disabled, ToS value 0, TTL value 255 Sending UDP checksums are disabled Received UDP checksums are verified No session cookie information available FS cached header information: encap size = 24 bytes 45000014 00000000 ff73a572 0a010102 0a010101 4836a957 Sequencing is off Conditional debugging is disabled SSM switch id is 8198, SSM segment id is 12310 Session id 490732246 is up, logical session id 32776, tunnel id 329857833 Remote session id is 2531932146, remote tunnel id 1776971907 Locally initiated session Unique ID is 1 Session Layer 2 circuit, type is Ethernet, name is FastEthernet0/1 Session vcid is 101 Circuit state is UP Local circuit state is UP Remote circuit state is UP Call serial number is 1898000002 Remote tunnel name is R1 Internet address is 10.1.1.1 Local tunnel name is R2 Internet address is 10.1.1.2 IP protocol 115 Session is L2TP signaled Session state is established, time since change 00:06:16 132 Packets sent, 135 received 11203 Bytes sent, 11421 received Last clearing of counters never Counters, ignoring last clear: 132 Packets sent, 135 received 11203 Bytes sent, 11421 received Receive packets dropped: out-of-order: 0 other: 0 total: 0 Send packets dropped: exceeded session MTU: 0 other: 0 total: 0 DF bit off, ToS reflect disabled, ToS value 0, TTL value 255 Sending UDP checksums are disabled Received UDP checksums are verified No session cookie information available FS cached header information: encap size = 24 bytes 45000014 00000000 ff73a572 0a010102 0a010101 96ea37f2 Sequencing is off Conditional debugging is disabled SSM switch id is 4100, SSM segment id is 16407
R4#ping 172.16.45.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.45.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 92/105/116 ms R4#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 172.16.45.2 Fa0/1 14 00:07:29 192 1152 0 3 R4#show ip route | beg Gate Gateway of last resort is not set 172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks C 172.16.4.0/24 is directly connected, FastEthernet0/0 L 172.16.4.4/32 is directly connected, FastEthernet0/0 D 172.16.5.0/24 [90/30720] via 172.16.45.2, 00:07:45, FastEthernet0/1 C 172.16.45.0/30 is directly connected, FastEthernet0/1 L 172.16.45.1/32 is directly connected, FastEthernet0/1 R6#ping 192.168.67.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.67.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 96/104/116 ms R6#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.67.2 Se1/0 12 00:08:43 119 714 0 3 R6#show ip route | beg Gate Gateway of last resort is not set 192.168.6.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.6.0/24 is directly connected, FastEthernet0/0 L 192.168.6.6/32 is directly connected, FastEthernet0/0 D 192.168.7.0/24 [90/2172416] via 192.168.67.2, 00:08:50, Serial1/0 192.168.67.0/24 is variably subnetted, 3 subnets, 2 masks C 192.168.67.0/30 is directly connected, Serial1/0 L 192.168.67.1/32 is directly connected, Serial1/0 C 192.168.67.2/32 is directly connected, Serial1/0
DMVPN Phase 3
DMVPN Phase 3
The Shortcut Switching Enhancements for NHRP in DMVPN Phase 3 provides a more scalable alternative to the previous NHRP model. Routers in a Dynamic Multipoint VPN (DMVPN) Phase 3 network use Next Hop Resolution Protocol (NHRP) Shortcut Switching to discover shorter paths to a destination network after receiving an NHRP redirect message from the hub. This allows the routers to communicate directly with each other without the need for an intermediate hop.
Benefits of DMVPN Phase 3 Design:
- Allows summarization of routing protocol updates from hub to spokes. The spokes no longer need to have an individual route with an IP next-hop of the tunnel IP address of the remote spoke for the networks behind all the other spokes. The spokes can use summarized routes or specific routes with an IP next-hop of the tunnel IP address of the hub and still be able to build spoke-to-spoke tunnels.
- Allows for hierarchical (greater than one level) and more complex tree-based DMVPN network topologies. Tree-based topologies allow the capability to build DMVPN networks with regional hubs that are spokes of central hubs. This architecture
allows the regional hub to handle the data and NHRP control traffic for its regional spokes, but still allows spoke-to-spoke tunnels to be built between any spokes within the DMVPN network, whether they are in the same region or not. This architecture also allows the DMVPN network layout to more closely match regional or hierarchical data flow patterns.
Check these links for
- DMVPN basics – http://www.amolak.net/dmvpn-basics/
- DMVPN Phase 1 Configuration – http://www.amolak.net/dmvpn-phase-1/
- DMVPN Phase 2 Configuration – http://www.amolak.net/dmvpn-phase-2/
Here is the network topology for DMVPN phase 3 discussion and configuration.
The DMVPN Phase 2 design requires to maintain full routing table on all spoke routers. Each route for remote spoke networks needs to be a specific route with the next hop pointing to the remote spoke’s tunnel address. This prevents the hub from being able to send down a summarized route to the spokes for a more concise routing table.
Phase 3 overcomes this restriction using NHRP traffic indication messages from the hub to signal to the spokes that a better path exists to reach the target network. This functionality is enabled by configuring ip nhrp redirect on the hub and ip nhrp shortcut on the spokes. The redirect command tells the hub to send the NHRP traffic indication message while the shortcut command tells the spokes to accept the redirect and install the shortcut route.
DMVPN Phase 3 configuration with EIGRP
Configuration:
---------- R1 - Hub: ---------- hostname R1 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast dynamic ip nhrp network-id 100 ip nhrp redirect ip summary-address eigrp 100 10.10.0.0 255.255.0.0 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.14.1 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.1.1 255.255.255.0 ! router eigrp 100 network 10.10.1.1 0.0.0.0 network 192.168.1.1 0.0.0.0 ! ip route 0.0.0.0 0.0.0.0 1.1.14.4 ------------ R2 - Spoke: ------------ hostname R2 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.2 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip nhrp shortcut ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.24.2 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.2.2 255.255.255.0 ! router eigrp 100 network 10.10.2.2 0.0.0.0 network 192.168.1.2 0.0.0.0 ! ip route 0.0.0.0 0.0.0.0 1.1.24.4 ------------ R3 - Spoke: ------------ hostname R3 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.3 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip nhrp shortcut ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.34.3 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.3.3 255.255.255.0 ! router eigrp 100 network 10.10.3.3 0.0.0.0 network 192.168.1.3 0.0.0.0 ! ip route 0.0.0.0 0.0.0.0 1.1.34.4 --------------- R4 - Internet: --------------- hostname R4 ! interface FastEthernet0/0 ip address 1.1.14.4 255.255.255.0 ! interface FastEthernet0/1 ip address 1.1.24.4 255.255.255.0 ! interface FastEthernet1/0 ip address 1.1.34.4 255.255.255.0 !
Verification:
- Hub and Spokes routers are using mGRE tunnels R1#show int t0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 192.168.1.1/24 MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 1.1.14.1 (FastEthernet0/0) Tunnel Subblocks: src-track: Tunnel0 source tracking subblock associated with FastEthernet0/0 Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK> Tunnel protocol/transport multi-GRE/IP R2#show int t0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 192.168.1.2/24 MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 1.1.24.2 (FastEthernet0/0) Tunnel Subblocks: src-track: Tunnel0 source tracking subblock associated with FastEthernet0/0 Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK> Tunnel protocol/transport multi-GRE/IP R3#show int t0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 192.168.1.3/24 MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 1.1.34.3 (FastEthernet0/0) Tunnel Subblocks: src-track: Tunnel0 source tracking subblock associated with FastEthernet0/0 Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK> Tunnel protocol/transport multi-GRE/IP - Routing adjacencies (EIGRP neighborship) are between Hub and Spokes only R1#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 1 192.168.1.2 Tu0 10 00:28:43 188 1128 0 3 0 192.168.1.3 Tu0 14 00:29:10 174 1044 0 3 R2#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.1 Tu0 14 00:28:45 1282 5000 0 5 R3#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.1 Tu0 11 00:29:16 200 1200 0 2 - Routing Table - Hub router advertised a summary route (10.10.0.0/16) to spoke EIGRP routers R1#show ip route eigrp | beg Gate Gateway of last resort is 1.1.14.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks D 10.10.0.0/16 is a summary, 00:30:13, Null0 D 10.10.2.0/24 [90/1907456] via 192.168.1.2, 00:29:34, Tunnel0 D 10.10.3.0/24 [90/1907456] via 192.168.1.3, 00:30:04, Tunnel0 R2#show ip route eigrp | beg Gate Gateway of last resort is 1.1.24.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks D 10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:29:38, Tunnel0 R3#show ip route eigrp | beg Gate Gateway of last resort is 1.1.34.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks D 10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:30:10, Tunnel0 - DMVPN Status - Initially there is no spoke-to-spoke communication R1#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ==================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.24.2 192.168.1.2 UP 00:30:53 D 1 1.1.34.3 192.168.1.3 UP 00:31:22 D R2#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:1, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.14.1 192.168.1.1 UP 00:30:55 S R3#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:1, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.14.1 192.168.1.1 UP 00:31:26 S - Traffic between Spoke R2 and Spoke R3 - First packet would traverse via Hub and it will trigger NHRP shortcut switching process then traffic will start using direct spoke-to-spoke tunnel R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.1 132 msec 136 msec 160 msec << Hub R1 Tunnel IP 2 192.168.1.3 236 msec << Spoke R3 Tunnel IP Following events occur for NHRP shortcut switching: When the traffic between Spokes R2 & R3 arrives at Hub-R1 router, it will send redirect message (due to "ip nhrp redirect") to spokes to tell them, as both of you are DMVPN spokes and there would be a better path if you can build a direct spoke-to-spoke tunnel. => Hub-R1 sends NHRP redirect to Spoke-R2 R1# *Mar 1 23:24:47.063: NHRP: Send Traffic Indication via Tunnel0 vrf 0, packet size: 100 *Mar 1 23:24:47.071: src: 192.168.1.1, dst: 10.10.2.2 *Mar 1 23:24:47.079: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:47.079: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.083: pktsz: 100 extoff: 68 *Mar 1 23:24:47.087: (M) traffic code: redirect(0) *Mar 1 23:24:47.087: src NBMA: 1.1.14.1 *Mar 1 23:24:47.087: src protocol: 192.168.1.1, dst protocol: 10.10.2.2 *Mar 1 23:24:47.087: Contents of nhrp traffic indication packet: *Mar 1 23:24:47.087: 45 00 00 64 00 00 00 00 FE 01 A3 80 0A 0A 02 02 *Mar 1 23:24:47.087: 0A 0A 03 03 08 00 A8 A1 00 00 00 => Hub-R1 sends NHRP redirect to Spoke-R3 R1# *Mar 1 23:24:47.139: NHRP: Send Traffic Indication via Tunnel0 vrf 0, packet size: 100 *Mar 1 23:24:47.143: src: 192.168.1.1, dst: 10.10.3.3 *Mar 1 23:24:47.151: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:47.155: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.155: pktsz: 100 extoff: 68 *Mar 1 23:24:47.159: (M) traffic code: redirect(0) *Mar 1 23:24:47.163: src NBMA: 1.1.14.1 *Mar 1 23:24:47.163: src protocol: 192.168.1.1, dst protocol: 10.10.3.3 *Mar 1 23:24:47.171: Contents of nhrp traffic indication packet: *Mar 1 23:24:47.175: 45 00 00 64 00 00 00 00 FE 01 A3 80 0A 0A 03 03 *Mar 1 23:24:47.179: 0A 0A 02 02 00 00 B0 A1 00 00 00 => Spoke-R2 receives NHRP redirect from Hub-R1 R2# *Mar 1 23:24:47.135: NHRP: Receive Traffic Indication via Tunnel0 vrf 0, packet size: 100 *Mar 1 23:24:47.139: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:47.139: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.139: pktsz: 100 extoff: 68 *Mar 1 23:24:47.139: (M) traffic code: redirect(0) *Mar 1 23:24:47.139: src NBMA: 1.1.14.1 *Mar 1 23:24:47.143: src protocol: 192.168.1.1, dst protocol: 10.10.2.2 *Mar 1 23:24:47.143: Contents of nhrp traffic indication packet: *Mar 1 23:24:47.143: 45 00 00 64 00 00 00 00 FE 01 A3 80 0A 0A 02 02 *Mar 1 23:24:47.143: 0A 0A 03 03 08 00 A8 A1 00 00 00 => Spoke-R2 will accept this message and want to build a shortcut path (direct spoke-to-spoke tunnel) because of "ip nhrp shortcut" command. => Spoke-R2 will send a NHRP resolution request to Spoke-R3 via Hub-R1, to find NBMA IP of Spoke-R3 to build a direct spoke-to-spoke tunnel R2# *Mar 1 23:24:47.163: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88 *Mar 1 23:24:47.167: src: 192.168.1.2, dst: 10.10.3.3 *Mar 1 23:24:47.167: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:47.167: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.167: pktsz: 88 extoff: 52 *Mar 1 23:24:47.167: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 23:24:47.167: src NBMA: 1.1.24.2 *Mar 1 23:24:47.167: src protocol: 192.168.1.2, dst protocol: 10.10.3.3 *Mar 1 23:24:47.167: (C-1) code: no error(0) *Mar 1 23:24:47.167: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 23:24:47.167: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 => Similar events happens on Spoke-R3. => Spoke-R3 receives NHRP redirect from Hub-R1 => Spoke-R3 will also send a NHRP resolution request to Spoke-R2 via Hub-R1, to find NBMA IP of Spoke-R2 to build a direct spoke-to-spoke tunnel R3# *Mar 1 23:24:47.263: NHRP: Receive Traffic Indication via Tunnel0 vrf 0, packet size: 100 *Mar 1 23:24:47.267: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:47.271: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.275: pktsz: 100 extoff: 68 *Mar 1 23:24:47.275: (M) traffic code: redirect(0) *Mar 1 23:24:47.275: src NBMA: 1.1.14.1 *Mar 1 23:24:47.275: src protocol: 192.168.1.1, dst protocol: 10.10.3.3 *Mar 1 23:24:47.275: Contents of nhrp traffic indication packet: *Mar 1 23:24:47.275: 45 00 00 64 00 00 00 00 FE 01 A3 80 0A 0A 03 03 *Mar 1 23:24:47.275: 0A 0A 02 02 00 00 B0 A1 00 00 00 R3# *Mar 1 23:24:47.307: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88 *Mar 1 23:24:47.311: src: 192.168.1.3, dst: 10.10.2.2 *Mar 1 23:24:47.319: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:47.323: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.323: pktsz: 88 extoff: 52 R3#*Mar 1 23:24:47.327: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 23:24:47.331: src NBMA: 1.1.34.3 *Mar 1 23:24:47.335: src protocol: 192.168.1.3, dst protocol: 10.10.2.2 *Mar 1 23:24:47.335: (C-1) code: no error(0) *Mar 1 23:24:47.335: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 23:24:47.335: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 => Hub-R1 receives NHRP resolution requests and forward it to both the spokes (R2 & R3) R1# *Mar 1 23:24:47.211: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 88 *Mar 1 23:24:47.219: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:47.219: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.219: pktsz: 88 extoff: 52 *Mar 1 23:24:47.219: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 23:24:47.219: src NBMA: 1.1.24.2 *Mar 1 23:24:47.219: src protocol: 192.168.1.2, dst protocol: 10.10.3.3 *Mar 1 23:24:47.219: (C-1) code: no error(0) *Mar 1 23:24:47.219: R1# prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 23:24:47.219: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 *Mar 1 23:24:47.223: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 108 *Mar 1 23:24:47.223: src: 192.168.1.1, dst: 10.10.3.3 *Mar 1 23:24:47.223: (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1 *Mar 1 23:24:47.223: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.223: pktsz: 108 extoff: 52 *Mar 1 23:24:47.223: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 23:24:47.223: src NBMA: 1.1.24.2 *Mar 1 23:24:47.223: src protocol: 192.168.1.2, dst protocol: 10.10.3.3 *Mar 1 23:24:47.223: (C-1) code: no error(0) *Mar 1 23:24:47.223: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 23:24:47.223: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 R1# *Mar 1 23:24:47.387: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 88 *Mar 1 23:24:47.395: (F) R1# afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:47.399: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.399: pktsz: 88 extoff: 52 *Mar 1 23:24:47.403: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 23:24:47.403: src NBMA: 1.1.34.3 *Mar 1 23:24:47.403: src protocol: 192.168.1.3, dst protocol: 10.10.2.2 *Mar 1 23:24:47.403: (C-1) code: no error(0) *Mar 1 23:24:47.403: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 23:24:47.403: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 *Mar 1 23:24:47.407: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 108 *Mar 1 23:24:47.407: src: 192.168.1.1, dst: 10.10.2.2 *Mar 1 23:24:47.407: (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1 *Mar 1 23:24:47.407: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:47.407: pktsz: 108 extoff: 52 *Mar 1 23:24:47.407: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 23:24:47.407: src NBMA: 1.1.34.3 *Mar 1 23:24:47.407: src protocol: 192.168.1.3, dst protocol: 10.10.2.2 *Mar 1 23:24:47.407: (C-1) code: no error(0) *Mar 1 23:24:47.407: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 23:24:47.407: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 => Both Spoke-R2 & Spoke-R3 send NHRP resolution reply via Hub-R1 R2# *Mar 1 23:24:48.431: NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 136 *Mar 1 23:24:48.435: src: 192.168.1.2, dst: 192.168.1.3 R3# *Mar 1 23:24:48.267: NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 136 *Mar 1 23:24:48.271: src: 192.168.1.3, dst: 192.168.1.2 => Finally, both Spokes receives each other's NHRP resolution reply R2# *Mar 1 23:24:48.311: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 136 *Mar 1 23:24:48.319: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:48.323: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:48.323: pktsz: 136 extoff: 60 *Mar 1 23:24:48.327: (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2 *Mar 1 23:24:48.331: src NBMA: 1.1.24.2 *Mar 1 23:24:48.335: src protocol: 192.168.1.2, dst protocol: 10.10.3.3 *Mar 1 23:24:48.335: (C-1) code: no error(0) *Mar 1 23:24:48.335: prefix: 24, mtu: 17870, hd_time: 7199 *Mar 1 23:24:48.335: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0 *Mar 1 23:24:48.335: client NBMA: 1.1.34.3 *Mar 1 23:24:48.335: client protocol: 192.168.1.3 R3# *Mar 1 23:24:48.551: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 136 *Mar 1 23:24:48.559: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 23:24:48.563: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 23:24:48.563: pktsz: 136 extoff: 60 *Mar 1 23:24:48.567: (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2 *Mar 1 23:24:48.571: src NBMA: 1.1.34.3 *Mar 1 23:24:48.575: src protocol: 192.168.1.3, dst protocol: 10.10.2.2 *Mar 1 23:24:48.579: (C-1) code: no error(0) *Mar 1 23:24:48.579: prefix: 24, mtu: 17870, hd_time: 7200 *Mar 1 23:24:48.579: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0 *Mar 1 23:24:48.579: client NBMA: 1.1.24.2 *Mar 1 23:24:48.579: client protocol: 192.168.1.2 => Now both spokes know each other's NBMA & Tunnel IP address, and can build a direct spoke-to-spoke tunnel => And both spokes add a NHRP shortcut route entry to reach each other's LAN subnet R2# *Mar 1 23:24:48.455: NHRP: Adding route entry for 10.10.3.0/24 to RIB *Mar 1 23:24:48.455: NHRP: Route addition to RIB Successful R3# *Mar 1 23:24:48.587: NHRP: Adding route entry for 10.10.2.0/24 to RIB *Mar 1 23:24:48.595: NHRP: Route addition to RIB Successful - Let's test communication between Spoke-R2 and Spoke-R3 now R2#ping 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds: Packet sent with a source address of 10.10.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 116/136/152 ms - Now traffic between Spoke-R2 and Spoke-R3 is using direct DMVPN tunnel R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.3 148 msec * 116 msec << Spoke-R3 Tunnel IP - Spokes routing table would show a new NHRP routing entry to reach subnet behind other spoke router R2#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 1.1.24.4 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 1.1.24.4 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 1.1.24.0/24 is directly connected, FastEthernet0/0 L 1.1.24.2/32 is directly connected, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks D 10.10.0.0/16 [90/1907456] via 192.168.1.1, 01:31:44, Tunnel0 C 10.10.2.0/24 is directly connected, FastEthernet0/1 L 10.10.2.2/32 is directly connected, FastEthernet0/1 H 10.10.3.0/24 [250/1] via 192.168.1.3, 00:05:13, Tunnel0 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.1.0/24 is directly connected, Tunnel0 L 192.168.1.2/32 is directly connected, Tunnel0 R3#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 1.1.34.4 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 1.1.34.4 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 1.1.34.0/24 is directly connected, FastEthernet0/0 L 1.1.34.3/32 is directly connected, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks D 10.10.0.0/16 [90/1907456] via 192.168.1.1, 01:32:12, Tunnel0 H 10.10.2.0/24 [250/1] via 192.168.1.2, 00:06:01, Tunnel0 C 10.10.3.0/24 is directly connected, FastEthernet0/1 L 10.10.3.3/32 is directly connected, FastEthernet0/1 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.1.0/24 is directly connected, Tunnel0 L 192.168.1.3/32 is directly connected, Tunnel0 - DMVPN Status R1#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.24.2 192.168.1.2 UP 01:37:55 D 1 1.1.34.3 192.168.1.3 UP 01:37:36 D R2#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 2 1.1.34.3 192.168.1.3 UP 00:11:26 DT1 192.168.1.3 UP 00:11:26 D 1 1.1.14.1 192.168.1.1 UP 01:37:59 S *T1 - Route Installed R3#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 2 1.1.24.2 192.168.1.2 UP 00:11:29 DT1 192.168.1.2 UP 00:11:29 D 1 1.1.14.1 192.168.1.1 UP 01:37:43 S *T1 - Route Installed - NHRP Table R1#show ip nhrp 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 01:38:52, expire 01:41:01 Type: dynamic, Flags: unique registered used NBMA address: 1.1.24.2 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 01:38:33, expire 01:41:00 Type: dynamic, Flags: unique registered used NBMA address: 1.1.34.3 R2#show ip nhrp 10.10.2.0/24 via 192.168.1.2 Tunnel0 created 00:12:24, expire 01:47:35 Type: dynamic, Flags: router unique local NBMA address: 1.1.24.2 (no-socket) 10.10.3.0/24 via 192.168.1.3 Tunnel0 created 00:12:24, expire 01:47:35 Type: dynamic, Flags: router used rib NBMA address: 1.1.34.3 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 01:39:13, never expire Type: static, Flags: used NBMA address: 1.1.14.1 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 00:12:25, expire 01:47:35 Type: dynamic, Flags: router implicit used NBMA address: 1.1.34.3 R3#show ip nhrp 10.10.2.0/24 via 192.168.1.2 Tunnel0 created 00:12:26, expire 01:47:33 Type: dynamic, Flags: router used rib NBMA address: 1.1.24.2 10.10.3.0/24 via 192.168.1.3 Tunnel0 created 00:12:26, expire 01:47:33 Type: dynamic, Flags: router unique local NBMA address: 1.1.34.3 (no-socket) 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 01:39:16, never expire Type: static, Flags: used NBMA address: 1.1.14.1 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 00:12:27, expire 01:47:33 Type: dynamic, Flags: router implicit used NBMA address: 1.1.24.2
DMVPN Phase 3 configuration with OSPF
- Tunnel mode mGRE on Hub and Spoke routers
- OSPF network type would be point-to-multipoint on Hub and Spoke Routers
- Route summarization is not feasible in single OSPF area, this is one of the main reason that OSPF is not an ideal routing protocol for DMVPN phase 3 designs
- Shortcut route is marked with “%” symbol which indicates next-hop override feature. It means router is not using next-hop IP from OSPF RIB entry, instead it is using DMVPN tunnel IP of remote spoke to route traffic over direct DMVPN tunnel.
Configuration:
---------- R1 - Hub: ---------- hostname R1 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast dynamic ip nhrp network-id 100 ip nhrp redirect ip tcp adjust-mss 1360 ip ospf network point-to-multipoint tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.14.1 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.1.1 255.255.255.0 ! router ospf 1 network 10.10.1.1 0.0.0.0 area 0 network 192.168.1.1 0.0.0.0 area 0 ! ip route 0.0.0.0 0.0.0.0 1.1.14.4 ------------ R2 - Spoke: ------------ hostname R2 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.2 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip nhrp shortcut ip tcp adjust-mss 1360 ip ospf network point-to-multipoint tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.24.2 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.2.2 255.255.255.0 ! router ospf 1 network 10.10.2.2 0.0.0.0 area 0 network 192.168.1.2 0.0.0.0 area 0 ! ip route 0.0.0.0 0.0.0.0 1.1.24.4 ------------ R3 - Spoke: ------------ hostname R3 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.3 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip nhrp shortcut ip tcp adjust-mss 1360 ip ospf network point-to-multipoint tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.34.3 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.3.3 255.255.255.0 ! router ospf 1 network 10.10.3.3 0.0.0.0 area 0 network 192.168.1.3 0.0.0.0 area 0 ! ip route 0.0.0.0 0.0.0.0 1.1.34.4
Verification:
- Tunnel OSPF Network Type R1#show ip ospf int t0 Tunnel0 is up, line protocol is up Internet Address 192.168.1.1/24, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 24 Topology-MTID Cost Disabled Shutdown Topology Name 0 24 no no Base Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5 oob-resync timeout 120 Hello due in 00:00:19 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 4 msec, maximum is 4 msec Neighbor Count is 2, Adjacent neighbor count is 2 Adjacent with neighbor 192.168.1.3 Adjacent with neighbor 192.168.1.2 Suppress hello for 0 neighbor(s) R2#show ip ospf int t0 Tunnel0 is up, line protocol is up Internet Address 192.168.1.2/24, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.2, Network Type POINT_TO_MULTIPOINT, Cost: 24 Topology-MTID Cost Disabled Shutdown Topology Name 0 24 no no Base Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5 oob-resync timeout 120 Hello due in 00:00:15 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 0 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 192.168.1.1 Suppress hello for 0 neighbor(s) R3#show ip ospf int t0 Tunnel0 is up, line protocol is up Internet Address 192.168.1.3/24, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.3, Network Type POINT_TO_MULTIPOINT, Cost: 24 Topology-MTID Cost Disabled Shutdown Topology Name 0 24 no no Base Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5 oob-resync timeout 120 Hello due in 00:00:09 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 4 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 192.168.1.1 Suppress hello for 0 neighbor(s) - OSPF Adjacencies R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.3 0 FULL/ - 00:01:37 192.168.1.3 Tunnel0 192.168.1.2 0 FULL/ - 00:01:55 192.168.1.2 Tunnel0 R2#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.1 0 FULL/ - 00:01:50 192.168.1.1 Tunnel0 R3#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.1 0 FULL/ - 00:01:48 192.168.1.1 Tunnel0 - Traffic between Spoke-R2 and Spoke-R3 is via direct spoke-to-spoke DMVPN tunnel R2#ping 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds: Packet sent with a source address of 10.10.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 120/134/148 ms R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.3 128 msec * 152 msec << Spoke-R3 Tunnel IP - DMVPN Status R1#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.24.2 192.168.1.2 UP 01:33:58 D 1 1.1.34.3 192.168.1.3 UP 01:33:48 D R2#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 2 1.1.34.3 192.168.1.3 UP 00:01:42 DT2 192.168.1.3 UP 00:01:42 D 1 1.1.14.1 192.168.1.1 UP 01:34:01 S *T2 - Nexthop-override R3#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 2 1.1.24.2 192.168.1.2 UP 00:01:44 DT2 192.168.1.2 UP 00:01:44 D 1 1.1.14.1 192.168.1.1 UP 01:33:54 S *T2 - Nexthop-override - Routing Table R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 1.1.14.4 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 1.1.14.4 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 1.1.14.0/24 is directly connected, FastEthernet0/0 L 1.1.14.1/32 is directly connected, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks C 10.10.1.0/24 is directly connected, FastEthernet0/1 L 10.10.1.1/32 is directly connected, FastEthernet0/1 O 10.10.2.0/24 [110/25] via 192.168.1.2, 01:36:33, Tunnel0 O 10.10.3.0/24 [110/25] via 192.168.1.3, 01:36:03, Tunnel0 192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks C 192.168.1.0/24 is directly connected, Tunnel0 L 192.168.1.1/32 is directly connected, Tunnel0 O 192.168.1.2/32 [110/24] via 192.168.1.2, 01:36:33, Tunnel0 O 192.168.1.3/32 [110/24] via 192.168.1.3, 01:36:03, Tunnel0 R2#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 1.1.24.4 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 1.1.24.4 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 1.1.24.0/24 is directly connected, FastEthernet0/0 L 1.1.24.2/32 is directly connected, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.10.1.0/24 [110/25] via 192.168.1.1, 01:36:38, Tunnel0 C 10.10.2.0/24 is directly connected, FastEthernet0/1 L 10.10.2.2/32 is directly connected, FastEthernet0/1 O % 10.10.3.0/24 [110/49] via 192.168.1.1, 01:35:58, Tunnel0 192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks C 192.168.1.0/24 is directly connected, Tunnel0 O 192.168.1.1/32 [110/24] via 192.168.1.1, 01:36:38, Tunnel0 L 192.168.1.2/32 is directly connected, Tunnel0 O 192.168.1.3/32 [110/48] via 192.168.1.1, 01:35:58, Tunnel0 R3#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 1.1.34.4 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 1.1.34.4 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 1.1.34.0/24 is directly connected, FastEthernet0/0 L 1.1.34.3/32 is directly connected, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.10.1.0/24 [110/25] via 192.168.1.1, 01:36:10, Tunnel0 O % 10.10.2.0/24 [110/49] via 192.168.1.1, 01:36:10, Tunnel0 C 10.10.3.0/24 is directly connected, FastEthernet0/1 L 10.10.3.3/32 is directly connected, FastEthernet0/1 192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks C 192.168.1.0/24 is directly connected, Tunnel0 O 192.168.1.1/32 [110/24] via 192.168.1.1, 01:36:10, Tunnel0 O 192.168.1.2/32 [110/48] via 192.168.1.1, 01:36:10, Tunnel0 L 192.168.1.3/32 is directly connected, Tunnel0 - NHRP Table R1#show ip nhrp 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 01:45:40, expire 01:33:54 Type: dynamic, Flags: unique registered used NBMA address: 1.1.24.2 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 01:45:30, expire 01:33:54 Type: dynamic, Flags: unique registered used NBMA address: 1.1.34.3 R2#show ip nhrp 10.10.2.0/24 via 192.168.1.2 Tunnel0 created 00:13:24, expire 01:46:35 Type: dynamic, Flags: router unique local NBMA address: 1.1.24.2 (no-socket) 10.10.3.0/24 via 192.168.1.3 Tunnel0 created 00:13:23, expire 01:46:36 Type: dynamic, Flags: router used rib nho << next-hop override NBMA address: 1.1.34.3 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 01:46:18, never expire Type: static, Flags: used NBMA address: 1.1.14.1 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 00:13:24, expire 01:46:35 Type: dynamic, Flags: router implicit NBMA address: 1.1.34.3 R3#show ip nhrp 10.10.2.0/24 via 192.168.1.2 Tunnel0 created 00:13:30, expire 01:46:28 Type: dynamic, Flags: router used rib nho << next-hop override NBMA address: 1.1.24.2 10.10.3.0/24 via 192.168.1.3 Tunnel0 created 00:13:30, expire 01:46:29 Type: dynamic, Flags: router unique local NBMA address: 1.1.34.3 (no-socket) 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 01:46:24, never expire Type: static, Flags: used NBMA address: 1.1.14.1 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 00:13:31, expire 01:46:29 Type: dynamic, Flags: router implicit NBMA address: 1.1.24.2
DMVPN Phase 3 configuration with BGP
- Hub and Spoke routers are using mGRE tunnels
- Hub router(s) act as route-reflector server(s)
- Spoke routers are route-reflector clients
- Hub router can send summary route to Spoke routers
- eBGP can also be used by configuring Hub and Spokes in different ASNs. Here we are using iBGP with route-reflector
Configuration:
---------- R1 - Hub: ---------- hostname R1 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast dynamic ip nhrp network-id 100 ip nhrp redirect ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.14.1 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.1.1 255.255.255.0 ! router bgp 65001 bgp router-id 192.168.1.1 bgp log-neighbor-changes bgp listen range 192.168.1.0/24 peer-group DMVPN-SPOKES bgp listen limit 50 network 10.10.1.0 mask 255.255.255.0 aggregate-address 10.10.0.0 255.255.0.0 summary-only neighbor DMVPN-SPOKES peer-group neighbor DMVPN-SPOKES remote-as 65001 neighbor DMVPN-SPOKES route-reflector-client ! ip route 0.0.0.0 0.0.0.0 1.1.14.4 ------------ R2 - Spoke: ------------ hostname R2 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.2 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip nhrp shortcut ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.24.2 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.2.2 255.255.255.0 ! router bgp 65001 bgp router-id 192.168.1.2 bgp log-neighbor-changes network 10.10.2.0 mask 255.255.255.0 neighbor 192.168.1.1 remote-as 65001 ! ip route 0.0.0.0 0.0.0.0 1.1.24.4 ------------ R3 - Spoke: ------------ hostname R3 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.3 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip nhrp shortcut ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.34.3 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.3.3 255.255.255.0 ! router bgp 65001 bgp router-id 192.168.1.3 bgp log-neighbor-changes network 10.10.3.0 mask 255.255.255.0 neighbor 192.168.1.1 remote-as 65001 ! ip route 0.0.0.0 0.0.0.0 1.1.34.4
Verification:
- BGP peering between Hub and Spokes only, No spoke to spoke peering R1#show ip bgp summary BGP router identifier 192.168.1.1, local AS number 65001 BGP table version is 8, main routing table version 8 4 network entries using 592 bytes of memory 4 path entries using 256 bytes of memory 3/3 BGP path/bestpath attribute entries using 408 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 1256 total bytes of memory BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd *192.168.1.2 4 65001 18 20 8 0 0 00:12:43 1 *192.168.1.3 4 65001 19 18 8 0 0 00:12:45 1 * Dynamically created based on a listen range command Dynamically created neighbors: 2, Subnet ranges: 1 BGP peergroup DMVPN-SPOKES listen range group members: 192.168.1.0/24 Total dynamically created neighbors: 2/(50 max), Subnet ranges: 1 R2#show ip bgp summary BGP router identifier 192.168.1.2, local AS number 65001 BGP table version is 3, main routing table version 3 2 network entries using 296 bytes of memory 2 path entries using 128 bytes of memory 2/2 BGP path/bestpath attribute entries using 272 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 696 total bytes of memory BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.1 4 65001 20 18 3 0 0 00:12:50 1 R3#show ip bgp summary BGP router identifier 192.168.1.3, local AS number 65001 BGP table version is 3, main routing table version 3 2 network entries using 296 bytes of memory 2 path entries using 128 bytes of memory 2/2 BGP path/bestpath attribute entries using 272 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 696 total bytes of memory BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.1 4 65001 19 19 3 0 0 00:12:54 1 - Traffic between Spoke-R2 and Spoke-R3 R2#ping 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds: Packet sent with a source address of 10.10.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 124/132/140 ms R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.3 144 msec * 124 msec << Spoke R3 Tunnel IP - DMVPN Status R1#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.24.2 192.168.1.2 UP 00:15:42 D 1 1.1.34.3 192.168.1.3 UP 00:15:42 D R2#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 2 1.1.34.3 192.168.1.3 UP 00:01:20 DT1 192.168.1.3 UP 00:01:20 D 1 1.1.14.1 192.168.1.1 UP 00:15:47 S *T1 - Route Installed R3#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 2 1.1.24.2 192.168.1.2 UP 00:01:23 DT1 192.168.1.2 UP 00:01:23 D 1 1.1.14.1 192.168.1.1 UP 00:15:49 S *T1 - Route Installed - BGP Table R1#show ip bgp BGP table version is 8, local router ID is 192.168.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 10.10.0.0/16 0.0.0.0 32768 i s> 10.10.1.0/24 0.0.0.0 0 32768 i s>i 10.10.2.0/24 192.168.1.2 0 100 0 i s>i 10.10.3.0/24 192.168.1.3 0 100 0 i R2#show ip bgp BGP table version is 3, local router ID is 192.168.1.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *>i 10.10.0.0/16 192.168.1.1 0 100 0 i *> 10.10.2.0/24 0.0.0.0 0 32768 i R3#show ip bgp BGP table version is 3, local router ID is 192.168.1.3 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *>i 10.10.0.0/16 192.168.1.1 0 100 0 i *> 10.10.3.0/24 0.0.0.0 0 32768 i - Routing Table R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 1.1.14.4 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 1.1.14.4 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 1.1.14.0/24 is directly connected, FastEthernet0/0 L 1.1.14.1/32 is directly connected, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks B 10.10.0.0/16 [200/0] via 0.0.0.0, 00:17:13, Null0 C 10.10.1.0/24 is directly connected, FastEthernet0/1 L 10.10.1.1/32 is directly connected, FastEthernet0/1 B 10.10.2.0/24 [200/0] via 192.168.1.2, 00:16:05 B 10.10.3.0/24 [200/0] via 192.168.1.3, 00:16:57 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.1.0/24 is directly connected, Tunnel0 L 192.168.1.1/32 is directly connected, Tunnel0 R2#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 1.1.24.4 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 1.1.24.4 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 1.1.24.0/24 is directly connected, FastEthernet0/0 L 1.1.24.2/32 is directly connected, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks B 10.10.0.0/16 [200/0] via 192.168.1.1, 00:16:11 C 10.10.2.0/24 is directly connected, FastEthernet0/1 L 10.10.2.2/32 is directly connected, FastEthernet0/1 H 10.10.3.0/24 [250/1] via 192.168.1.3, 00:02:52, Tunnel0 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.1.0/24 is directly connected, Tunnel0 L 192.168.1.2/32 is directly connected, Tunnel0 R3#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 1.1.34.4 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 1.1.34.4 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 1.1.34.0/24 is directly connected, FastEthernet0/0 L 1.1.34.3/32 is directly connected, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks B 10.10.0.0/16 [200/0] via 192.168.1.1, 00:17:06 H 10.10.2.0/24 [250/1] via 192.168.1.2, 00:02:55, Tunnel0 C 10.10.3.0/24 is directly connected, FastEthernet0/1 L 10.10.3.3/32 is directly connected, FastEthernet0/1 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.1.0/24 is directly connected, Tunnel0 L 192.168.1.3/32 is directly connected, Tunnel0 - NHRP Table R1#show ip nhrp 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 00:17:49, expire 01:42:10 Type: dynamic, Flags: unique registered used NBMA address: 1.1.24.2 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 00:17:49, expire 01:42:11 Type: dynamic, Flags: unique registered used NBMA address: 1.1.34.3 R2#show ip nhrp 10.10.2.0/24 via 192.168.1.2 Tunnel0 created 00:03:27, expire 01:56:32 Type: dynamic, Flags: router unique local NBMA address: 1.1.24.2 (no-socket) 10.10.3.0/24 via 192.168.1.3 Tunnel0 created 00:03:27, expire 01:56:31 Type: dynamic, Flags: router used rib NBMA address: 1.1.34.3 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 00:18:28, never expire Type: static, Flags: used NBMA address: 1.1.14.1 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 00:03:28, expire 01:56:32 Type: dynamic, Flags: router implicit used NBMA address: 1.1.34.3 R3#show ip nhrp 10.10.2.0/24 via 192.168.1.2 Tunnel0 created 00:03:29, expire 01:56:30 Type: dynamic, Flags: router used rib NBMA address: 1.1.24.2 10.10.3.0/24 via 192.168.1.3 Tunnel0 created 00:03:30, expire 01:56:29 Type: dynamic, Flags: router unique local NBMA address: 1.1.34.3 (no-socket) 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 00:18:31, never expire Type: static, Flags: used NBMA address: 1.1.14.1 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 00:03:31, expire 01:56:29 Type: dynamic, Flags: router implicit used NBMA address: 1.1.24.2
DMVPN Phase 2
Phase 2 – Spoke to Spoke Design
DMVPN Phase 2 design introduced the ability for dynamic spoke-to-spoke tunnels without having the traffic go through the hub. Phase 2 improved on Phase 1 by allowing spokes to build a spoke-to-spoke tunnel on demand with these restrictions:
- Spokes must use mGRE (Multipoint GRE) tunnels
- Spokes must receive specific routes for all remote spoke subnets
- The next hop of the entry in the routing table must list the remote spoke as the next hop
Check these links for
- DMVPN basics – http://www.amolak.net/dmvpn-basics/
- DMVPN Phase 1 Configuration – http://www.amolak.net/dmvpn-phase-1/
Here is the network topology for DMVPN phase 2 discussion and configuration.
DMVPN Phase 2 configuration with EIGRP
EIGRP Split Horizon Rule – The split horizon rule prohibits a router from advertising a route through an interface that the router itself uses to reach the destination. In DMVPN, Hub router learn route(s) from one spoke via Tunnel0 interface and have to advertise it to other spoke via same Tunnel0 interface. Thus, in order for DMVPN to work in Phase 2 with EIGRP, split horizon must be disabled on the tunnel interface using the “no ip split-horizon eigrp <asn>” command.
Next-hop self in EIGRP – The next hop for all of the routes must point to the remote spoke. This is the key to triggering the generation of a spoke-to-spoke tunnel. To instruct EIGRP to use the received next hop rather than itself, use the “no ip next-hop-self eigrp <asn>” command.
Configuration:
---------- R1 - Hub: ---------- hostname R1 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.1 255.255.255.0 no ip redirects ip mtu 1400 no ip next-hop-self eigrp 100 no ip split-horizon eigrp 100 ip nhrp authentication NhRp@UtH ip nhrp map multicast dynamic ip nhrp network-id 100 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.14.1 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.1.1 255.255.255.0 ! router eigrp 100 network 10.10.1.1 0.0.0.0 network 192.168.1.1 0.0.0.0 ! ip route 0.0.0.0 0.0.0.0 1.1.14.4 ------------ R2 - Spoke: ------------ hostname R2 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.2 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.24.2 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.2.2 255.255.255.0 ! router eigrp 100 network 10.10.2.2 0.0.0.0 network 192.168.1.2 0.0.0.0 ! ip route 0.0.0.0 0.0.0.0 1.1.24.4 ------------ R3 - Spoke: ------------ hostname R3 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.3 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.34.3 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.3.3 255.255.255.0 ! router eigrp 100 network 10.10.3.3 0.0.0.0 network 192.168.1.3 0.0.0.0 ! ip route 0.0.0.0 0.0.0.0 1.1.34.4 --------------- R4 - Internet: --------------- hostname R4 ! interface FastEthernet0/0 ip address 1.1.14.4 255.255.255.0 ! interface FastEthernet0/1 ip address 1.1.24.4 255.255.255.0 ! interface FastEthernet1/0 ip address 1.1.34.4 255.255.255.0 !
Verification:
- Hub and Spokes routers are using mGRE tunnels R1#show int t0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 192.168.1.1/24 MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 1.1.14.1 (FastEthernet0/0) Tunnel Subblocks: src-track: Tunnel0 source tracking subblock associated with FastEthernet0/0 Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK> Tunnel protocol/transport multi-GRE/IP R2#show int t0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 192.168.1.2/24 MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 1.1.24.2 (FastEthernet0/0) Tunnel Subblocks: src-track: Tunnel0 source tracking subblock associated with FastEthernet0/0 Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK> Tunnel protocol/transport multi-GRE/IP R3#show int t0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 192.168.1.3/24 MTU 17870 bytes, BW 4096 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 1.1.34.3 (FastEthernet0/0) Tunnel Subblocks: src-track: Tunnel0 source tracking subblock associated with FastEthernet0/0 Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK> Tunnel protocol/transport multi-GRE/IP - Routing adjacency (EIGRP neighborship) is between Hub and Spokes only R1#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 1 192.168.1.2 Tu0 13 05:09:22 201 1206 0 3 0 192.168.1.3 Tu0 13 05:09:32 167 1002 0 4 R2#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.1 Tu0 13 05:09:37 140 840 0 6 R3#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.1 Tu0 11 05:09:49 156 936 0 6 - Routing Table (see next-hop IP on spoke routers to reach other spoke subnets) R1#show ip route eigrp | beg Gate Gateway of last resort is 1.1.14.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks D 10.10.2.0/24 [90/1907456] via 192.168.1.2, 05:11:20, Tunnel0 D 10.10.3.0/24 [90/1907456] via 192.168.1.3, 05:11:30, Tunnel0 R2#show ip route eigrp | beg Gate Gateway of last resort is 1.1.24.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks D 10.10.1.0/24 [90/1907456] via 192.168.1.1, 05:11:31, Tunnel0 D 10.10.3.0/24 [90/3187456] via 192.168.1.3, 05:11:31, Tunnel0 R3#show ip route eigrp | beg Gate Gateway of last resort is 1.1.34.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks D 10.10.1.0/24 [90/1907456] via 192.168.1.1, 05:11:42, Tunnel0 D 10.10.2.0/24 [90/3187456] via 192.168.1.2, 05:11:32, Tunnel0 - DMVPN Table - Hub shows dynamic entries, spokes registered themselves with hub - Spokes show static entries, static entry defined for hub R1#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.24.2 192.168.1.2 UP 00:51:08 D 1 1.1.34.3 192.168.1.3 UP 00:51:08 D R2#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:1, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.14.1 192.168.1.1 UP 00:51:28 S R3#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:1, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.14.1 192.168.1.1 UP 00:51:30 S - Traffic between Spoke R2 and Spoke R3 Routing entry on R2 shows R3 subnet (10.10.3.0/24) is reachable via next-hop IP 192.168.1.3 (R3 Tunnel IP) D 10.10.3.0/24 [90/3187456] via 192.168.1.3, 00:05:12, Tunnel0 Lets check CEF adjacency for next-hop IP 192.168.1.3 R2#show adjacency 192.168.1.3 Protocol Interface Address IP Tunnel0 192.168.1.3(5) (incomplete) The adjacency is showing incomplete. The incomplete adjacency triggers a CEF punt to the CPU for further processing (to resolve the address). R2#show ip cef 192.168.1.3 internal 192.168.1.0/24, epoch 0, flags attached, connected, cover dependents, need deagg, RIB[C], refcount 5, per-destination sharing sources: RIB feature space: IPRM: 0x0003800C subblocks: gsb Connected chain head(1): 0x6A36ADFC Covered dependent prefixes: 3 need deagg: 2 notify cover updated: 1 ifnums: Tunnel0(6) path 695C0994, path list 6A90BBB8, share 1/1, type connected prefix, for IPv4 connected to Tunnel0, adjacency punt output chain: punt This causes R2(Spoke) to send a resolution request to R1(Hub) for Spoke-R3’s NBMA address. The request gets forwarded from R1(Hub) to Spoke-R3. Spoke-R3 replies directly to Spoke-R2 with its mapping information. During this process, R2(Spoke) will send the actual data packet to R1(Hub) to be delivered to R3(Spoke) as a last-ditch effort to not drop the traffic. The first traceroute will look as below, the traffic traverse via hub. R2#traceroute 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.1 180 msec 128 msec 152 msec << Hub R1 Tunnel IP 2 192.168.1.3 252 msec - Debug nhrp packet shows following events: Spoke-R2 sends resolution request via Tunnel0, it will reach to Hub-R1 as this is the only active tunnel on R2 at this moment. R2# *Mar 1 00:29:49.567: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88 *Mar 1 00:29:49.575: src: 192.168.1.2, dst: 192.168.1.3 *Mar 1 00:29:49.583: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 00:29:49.583: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 00:29:49.587: pktsz: 88 extoff: 52 *Mar 1 00:29:49.591: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 00:29:49.595: src NBMA: 1.1.24.2 *Mar 1 00:29:49.595: src protocol: 192.168.1.2, dst protocol: 192.168.1.3 *Mar 1 00:29:49.603: (C-1) code: no error(0) *Mar 1 00:29:49.603: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 00:29:49.603: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 This request arrives at Hub-R1. Hub-R1 finds it is destined for destination IP 192.168.1.3 and Hub-R1 will forward it to Spoke-R3. R1# *Mar 1 00:29:49.683: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 88 *Mar 1 00:29:49.687: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 00:29:49.691: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 00:29:49.695: pktsz: 88 extoff: 52 *Mar 1 00:29:49.695: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 00:29:49.699: src NBMA: 1.1.24.2 *Mar 1 00:29:49.703: src protocol: 192.168.1.2, dst protocol: 192.168.1.3 *Mar 1 00:29:49.707: (C-1) code: no error(0) *Mar 1 00:29:49.707: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 00:29:49.707: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 *Mar 1 00:29:49.715: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 108 *Mar 1 00:29:49.719: src: 192.168.1.1, dst: 192.168.1.3 *Mar 1 00:29:49.723: (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1 *Mar 1 00:29:49.723: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 00:29:49.723: R1# pktsz: 108 extoff: 52 *Mar 1 00:29:49.723: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 00:29:49.723: src NBMA: 1.1.24.2 *Mar 1 00:29:49.723: src protocol: 192.168.1.2, dst protocol: 192.168.1.3 *Mar 1 00:29:49.723: (C-1) code: no error(0) *Mar 1 00:29:49.723: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 00:29:49.723: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 Then Spoke-R3 receives NHRP resolution request. This request contains Spoke-R2's details including NBMA and Tunnel IP of Spoke-R2. Spoke-R3 would initiate a direct DMVPN tunnel to R2 and send reply to R2. R3# *Mar 1 00:29:49.671: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 108 *Mar 1 00:29:49.675: (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1 *Mar 1 00:29:49.675: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 00:29:49.675: pktsz: 108 extoff: 52 *Mar 1 00:29:49.675: (M) flags: "router auth src-stable nat ", reqid: 2 *Mar 1 00:29:49.675: src NBMA: 1.1.24.2 *Mar 1 00:29:49.675: src protocol: 192.168.1.2, dst protocol: 192.168.1.3 *Mar 1 00:29:49.675: (C-1) code: no error(0) *Mar 1 00:29:49.675: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 00:29:49.675: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0 *Mar 1 00:29:50.487: NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 136 *Mar 1 00:29:50.487: src: 192.168.1.3, dst: 192.168.1.2 *Mar 1 00:29:50.487: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 00:29:50.487: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 00:29:50.487: pktsz R3#: 136 extoff: 60 *Mar 1 00:29:50.487: (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2 *Mar 1 00:29:50.487: src NBMA: 1.1.24.2 *Mar 1 00:29:50.487: src protocol: 192.168.1.2, dst protocol: 192.168.1.3 *Mar 1 00:29:50.487: (C-1) code: no error(0) *Mar 1 00:29:50.487: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 00:29:50.487: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0 *Mar 1 00:29:50.487: client NBMA: 1.1.34.3 *Mar 1 00:29:50.487: client protocol: 192.168.1.3 R2 receives reply and at this moment both R2 and R3 knows each other's NBMA IP and have direct dmvpn tunnel. R2# *Mar 1 00:29:50.635: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 136 *Mar 1 00:29:50.643: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1 *Mar 1 00:29:50.647: shtl: 4(NSAP), sstl: 0(NSAP) *Mar 1 00:29:50.647: pktsz: 136 extoff: 60 *Mar 1 00:29:50.651: (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 2 *Mar 1 00:29:50.655: src NBMA: 1.1.24.2 *Mar 1 00:29:50.655: src protocol: 192.168.1.2, dst protocol: 192.168.1.3 *Mar 1 00:29:50.663: (C-1) code: no error(0) *Mar 1 00:29:50.663: prefix: 32, mtu: 17870, hd_time: 7200 *Mar 1 00:29:50.663: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0 *Mar 1 00:29:50.663: client NBMA: 1.1.34.3 *Mar 1 00:29:50.663: client protocol: 192.168.1.3 * 140 msec - Check DMVPN status now R1#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ===================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.24.2 192.168.1.2 UP 05:15:09 D 1 1.1.34.3 192.168.1.3 UP 05:15:19 D R2#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.14.1 192.168.1.1 UP 05:15:26 S 1 1.1.34.3 192.168.1.3 UP 00:34:02 D R3#show dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.14.1 192.168.1.1 UP 05:15:51 S 1 1.1.24.2 192.168.1.2 UP 00:34:17 D - NHRP State R1#show ip nhrp 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 05:16:06, expire 01:23:19 Type: dynamic, Flags: unique registered used NBMA address: 1.1.24.2 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 05:16:16, expire 01:23:19 Type: dynamic, Flags: unique registered used NBMA address: 1.1.34.3 R2#show ip nhrp 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 05:17:28, never expire Type: static, Flags: used NBMA address: 1.1.14.1 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 00:35:19, expire 01:24:40 Type: dynamic, Flags: router unique local NBMA address: 1.1.24.2 (no-socket) 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 00:35:20, expire 01:24:40 Type: dynamic, Flags: router used NBMA address: 1.1.34.3 R3#show ip nhrp 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 05:17:14, never expire Type: static, Flags: used NBMA address: 1.1.14.1 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 00:35:06, expire 01:24:34 Type: dynamic, Flags: router used NBMA address: 1.1.24.2 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 00:35:05, expire 01:24:34 Type: dynamic, Flags: router unique local NBMA address: 1.1.34.3 (no-socket) - Ping and traceroute between Spoke-R2 and Spoke-R3 - Now traffic is going through direct spoke-to-spoke tunnel R2#ping 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds: Packet sent with a source address of 10.10.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 116/128/136 ms R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.3 156 msec * 144 msec << R3 Tunnel0 IP - CEF would look as below after direct spoke-to-spoke DMVPN tunnel creation R2#show adjacency 192.168.1.3 Protocol Interface Address IP Tunnel0 192.168.1.3(11) R2#show ip cef 192.168.1.3 internal 192.168.1.3/32, epoch 0, flags attached, refcount 5, per-destination sharing sources: Adj subblocks: Adj source: IP midchain out of Tunnel0, addr 192.168.1.3 6AFD37A0 Dependent covered prefix type adjfib, cover 192.168.1.0/24 ifnums: Tunnel0(6): 192.168.1.3 path 6AFD6068, path list 6AFD78A0, share 1/1, type adjacency prefix, for IPv4 attached to Tunnel0, adjacency IP midchain out of Tunnel0, addr 192.168.1.3 6AFD37A0 output chain: IP midchain out of Tunnel0, addr 192.168.1.3 6AFD37A0 IP adj out of FastEthernet0/0, addr 1.1.24.4 69237240 R2#
DMVPN Phase 2 configuration with OSPF
- Configure Hub router as DR. If there is 2nd hub for redundancy, 2nd hub will be BDR.
- Configure Spokes routers with ospf priority as ZERO so that they should not participate in DR election and always act as DROTHER.
- All spoke routers will have OSPF adjacencies with DR and BDR only.
Configuration:
--------- R1 - Hub: --------- hostname R1 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast dynamic ip nhrp network-id 100 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 255 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.14.1 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.1.1 255.255.255.0 ! router ospf 1 network 10.10.1.1 0.0.0.0 area 0 network 192.168.1.1 0.0.0.0 area 0 ! ip route 0.0.0.0 0.0.0.0 1.1.14.4 ------------ R2 - Spoke: ------------ hostname R2 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.2 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 0 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.24.2 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.2.2 255.255.255.0 ! router ospf 1 network 10.10.2.2 0.0.0.0 area 0 network 192.168.1.2 0.0.0.0 area 0 ! ip route 0.0.0.0 0.0.0.0 1.1.24.4 ------------ R3 - Spoke: ------------ hostname R3 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.3 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 0 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.34.3 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.3.3 255.255.255.0 ! router ospf 1 network 10.10.3.3 0.0.0.0 area 0 network 192.168.1.3 0.0.0.0 area 0 ! ip route 0.0.0.0 0.0.0.0 1.1.34.4 !
Verification:
- OSPF Tunnel Network Type R1#show ip ospf int t0 Tunnel0 is up, line protocol is up Internet Address 192.168.1.1/24, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 24 Topology-MTID Cost Disabled Shutdown Topology Name 0 24 no no Base Transmit Delay is 1 sec, State DR, Priority 255 Designated Router (ID) 192.168.1.1, Interface address 192.168.1.1 No backup designated router on this network Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:04 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 4 msec, maximum is 4 msec Neighbor Count is 2, Adjacent neighbor count is 2 Adjacent with neighbor 192.168.1.2 Adjacent with neighbor 192.168.1.3 Suppress hello for 0 neighbor(s) R2#show ip ospf int t0 Tunnel0 is up, line protocol is up Internet Address 192.168.1.2/24, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.2, Network Type BROADCAST, Cost: 24 Topology-MTID Cost Disabled Shutdown Topology Name 0 24 no no Base Transmit Delay is 1 sec, State DROTHER, Priority 0 Designated Router (ID) 192.168.1.1, Interface address 192.168.1.1 No backup designated router on this network Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:01 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 4 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 192.168.1.1 (Designated Router) Suppress hello for 0 neighbor(s) R3#show ip ospf int t0 Tunnel0 is up, line protocol is up Internet Address 192.168.1.3/24, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.3, Network Type BROADCAST, Cost: 24 Topology-MTID Cost Disabled Shutdown Topology Name 0 24 no no Base Transmit Delay is 1 sec, State DROTHER, Priority 0 Designated Router (ID) 192.168.1.1, Interface address 192.168.1.1 No backup designated router on this network Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:07 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 4 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 192.168.1.1 (Designated Router) Suppress hello for 0 neighbor(s) - OSPF Adjacencies R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.2 0 FULL/DROTHER 00:00:32 192.168.1.2 Tunnel0 192.168.1.3 0 FULL/DROTHER 00:00:32 192.168.1.3 Tunnel0 R2#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.1 255 FULL/DR 00:00:31 192.168.1.1 Tunnel0 R3#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.1 255 FULL/DR 00:00:39 192.168.1.1 Tunnel0 - Routing Table R1#show ip route ospf | beg Gate Gateway of last resort is 1.1.14.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.10.2.0/24 [110/25] via 192.168.1.2, 00:25:23, Tunnel0 O 10.10.3.0/24 [110/25] via 192.168.1.3, 00:25:23, Tunnel0 R2#show ip route ospf | beg Gate Gateway of last resort is 1.1.24.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.10.1.0/24 [110/25] via 192.168.1.1, 00:25:28, Tunnel0 O 10.10.3.0/24 [110/25] via 192.168.1.3, 00:25:18, Tunnel0 R3#show ip route ospf | beg Gate Gateway of last resort is 1.1.34.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.10.1.0/24 [110/25] via 192.168.1.1, 00:25:30, Tunnel0 O 10.10.2.0/24 [110/25] via 192.168.1.2, 00:25:30, Tunnel0 - Traffic between Spoke R2 and Spoke R3 R2#ping 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds: Packet sent with a source address of 10.10.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 116/123/128 ms R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.3 144 msec * 128 msec << R3 Tunnel IP
DMVPN Phase 2 configuration with BGP
- Hub router would be BGP Route-Reflector server
- Spoke routers would be BGP Route-Reflector clients
- All tunnels would be mGRE
- You can use eBGP also, where Hub and Spoke routers could be configured in different autonomous system number (ASN). Here we will use iBGP only.
----------- R1 - Hub: ----------- hostname R1 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast dynamic ip nhrp network-id 100 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.14.1 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.1.1 255.255.255.0 ! router bgp 65001 bgp router-id 192.168.1.1 bgp log-neighbor-changes bgp listen range 192.168.1.0/24 peer-group DMVPN-SPOKES bgp listen limit 50 network 10.10.1.0 mask 255.255.255.0 neighbor DMVPN-SPOKES peer-group neighbor DMVPN-SPOKES remote-as 65001 neighbor DMVPN-SPOKES route-reflector-client ! ip route 0.0.0.0 0.0.0.0 1.1.14.4 ------------ R2 - Spoke: ------------ hostname R2 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.2 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.24.2 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.2.2 255.255.255.0 ! router bgp 65001 bgp router-id 192.168.1.2 bgp log-neighbor-changes network 10.10.2.0 mask 255.255.255.0 neighbor 192.168.1.1 remote-as 65001 ! ip route 0.0.0.0 0.0.0.0 1.1.24.4 ------------ R3 - Spoke: ------------ hostname R3 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface Tunnel0 bandwidth 4096 ip address 192.168.1.3 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile PROTECT-GRE ! interface FastEthernet0/0 ip address 1.1.34.3 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.3.3 255.255.255.0 ! router bgp 65001 bgp router-id 192.168.1.3 bgp log-neighbor-changes network 10.10.3.0 mask 255.255.255.0 neighbor 192.168.1.1 remote-as 65001 ! ip route 0.0.0.0 0.0.0.0 1.1.34.4
Verification:
- BGP Neighborship between Hub and Spokes only R1#show ip bgp sum BGP router identifier 192.168.1.1, local AS number 65001 BGP table version is 4, main routing table version 4 3 network entries using 444 bytes of memory 3 path entries using 192 bytes of memory 2/2 BGP path/bestpath attribute entries using 272 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 908 total bytes of memory BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd *192.168.1.2 4 65001 11 15 4 0 0 00:06:11 1 *192.168.1.3 4 65001 12 13 4 0 0 00:06:21 1 * Dynamically created based on a listen range command Dynamically created neighbors: 2, Subnet ranges: 1 BGP peergroup DMVPN-SPOKES listen range group members: 192.168.1.0/24 Total dynamically created neighbors: 2/(50 max), Subnet ranges: 1 R2#show ip bgp sum BGP router identifier 192.168.1.2, local AS number 65001 BGP table version is 4, main routing table version 4 3 network entries using 444 bytes of memory 3 path entries using 192 bytes of memory 2/2 BGP path/bestpath attribute entries using 272 bytes of memory 1 BGP rrinfo entries using 24 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 932 total bytes of memory BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.1 4 65001 15 11 4 0 0 00:06:17 2 R3#show ip bgp sum BGP router identifier 192.168.1.3, local AS number 65001 BGP table version is 4, main routing table version 4 3 network entries using 444 bytes of memory 3 path entries using 192 bytes of memory 2/2 BGP path/bestpath attribute entries using 272 bytes of memory 1 BGP rrinfo entries using 24 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 932 total bytes of memory BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.1 4 65001 13 12 4 0 0 00:06:29 2 - BGP Table R1#show ip bgp BGP table version is 4, local router ID is 192.168.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 10.10.1.0/24 0.0.0.0 0 32768 i *>i 10.10.2.0/24 192.168.1.2 0 100 0 i *>i 10.10.3.0/24 192.168.1.3 0 100 0 i R2#show ip bgp BGP table version is 4, local router ID is 192.168.1.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *>i 10.10.1.0/24 192.168.1.1 0 100 0 i *> 10.10.2.0/24 0.0.0.0 0 32768 i *>i 10.10.3.0/24 192.168.1.3 0 100 0 i R3#show ip bgp BGP table version is 4, local router ID is 192.168.1.3 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *>i 10.10.1.0/24 192.168.1.1 0 100 0 i *>i 10.10.2.0/24 192.168.1.2 0 100 0 i *> 10.10.3.0/24 0.0.0.0 0 32768 i - Routing Table R1#show ip route bgp | beg Gate Gateway of last resort is 1.1.14.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks B 10.10.2.0/24 [200/0] via 192.168.1.2, 00:07:09 B 10.10.3.0/24 [200/0] via 192.168.1.3, 00:08:11 R2#show ip route bgp | beg Gate Gateway of last resort is 1.1.24.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks B 10.10.1.0/24 [200/0] via 192.168.1.1, 00:07:16 B 10.10.3.0/24 [200/0] via 192.168.1.3, 00:07:16 R3#show ip route bgp | beg Gate Gateway of last resort is 1.1.34.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks B 10.10.1.0/24 [200/0] via 192.168.1.1, 00:08:20 B 10.10.2.0/24 [200/0] via 192.168.1.2, 00:07:18 - Traffic between Spoke R2 and Spoke R3 R2#ping 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds: Packet sent with a source address of 10.10.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 108/120/128 ms R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.3 132 msec * 120 msec << R3 Tunnel IP
DMVPN Phase 2 deployment provides direct spoke-to-spoke tunnels, but one of the limitations is maintaining full routing tables on the spokes. Each route for remote spoke networks needs to be a specific route with the next hop pointing to the remote spoke’s tunnel address. This prevents the hub from being able to send down a summarized route to the spokes for a more concise routing table. This limitation is addressed in DMVPN Phase 3 design, which we will discuss later.
DMVPN Phase 1
DMVPN Phase 1 – Hub to Spoke Design
DMVPN Phase 1 provides Hub and Spoke tunnel deployment. It means GRE tunnels are only built between Hub and Spokes. There is no spoke-to-spoke tunnel. Traffic from one spoke site to another spoke site always traverse via hub.
Check this link for DMVPN basics – http://www.amolak.net/dmvpn-basics/
We will discuss DMVPN Phase 1 configuration with:
- EIGRP
- OSPF
- BGP
Here is the network topology for our discussion and configuration.
Initial configuration on devices
Site-1 Router R1: hostname R1 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface FastEthernet0/0 ip address 1.1.14.1 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.1.1 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 1.1.14.4 ! Site-2 Router R2: hostname R2 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface FastEthernet0/0 ip address 1.1.24.2 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.2.2 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 1.1.24.4 ! Site-3 Router R3: hostname R3 ! ip cef ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0 ! ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile PROTECT-GRE set transform-set TRANSFORM-SET ! interface FastEthernet0/0 ip address 1.1.34.3 255.255.255.0 ! interface FastEthernet0/1 ip address 10.10.3.3 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 1.1.34.4 ! Internet Router R4: hostname R4 ! interface FastEthernet0/0 ip address 1.1.14.4 255.255.255.0 ! interface FastEthernet0/1 ip address 1.1.24.4 255.255.255.0 ! interface FastEthernet1/0 ip address 1.1.34.4 255.255.255.0 !
DMVPN NBMA Network Behavior
DMVPN creates Non Broadcast Multi Access (NBMA) networks. By default, NBMA network do not support multicast traffic and multicast traffic is required to enable dynamic routing protocols.
“ip nhrp map multicast dynamic“ command is used under hub router tunnel interface to enable support of multicast traffic. This allows each spoke to register as a receiver of multicast traffic, causing the hub to replicate and forward multicast traffic to the spoke routers.
“ip nhrp map multicast <hub nbma ip>” command is used under spoke routers tunnel interface. It ensures multicast traffic is sent only from spokes to the hub and not from spoke to spoke.
With this set up, routing adjacencies are only formed between hub and spokes. Spokes do not form routing adjacencies with each other.
ip nhrp network-id
The NHRP network ID is used to define the NHRP domain for an NHRP interface and differentiate between multiple NHRP domains or networks, when two or more NHRP domains (GRE tunnel interfaces) are available on the same NHRP router. The NHRP network ID is used to help keep two NHRP networks (clouds) separate from each other when both are configured on the same router. NHRP network IDs are locally significant and can be different.
DMVPN Phase 1 configuration with EIGRP
---------- R1 - Hub: ---------- Since all spoke routers are configured with tunnel mode GRE (p2p GRE), they can send traffic via Hub only. So spoke routers do not require specific routes of each other. Hub router would advertise a single EIGRP summary route to all spoke routers. Basically Hub router is telling spokes if you want to reach any specific subnet from this summary route, send that traffic to me, I will forward it to actual destination spoke site. interface Tunnel0 bandwidth 4096 ip address 192.168.1.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast dynamic ip nhrp network-id 100 ip summary-address eigrp 100 10.10.0.0 255.255.0.0 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel protection ipsec profile PROTECT-GRE ! router eigrp 100 network 10.10.1.1 0.0.0.0 network 192.168.1.1 0.0.0.0 ------------ R2 - Spoke: ------------ interface Tunnel0 bandwidth 4096 ip address 192.168.1.2 255.255.255.0 ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel destination 1.1.14.1 tunnel protection ipsec profile PROTECT-GRE ! router eigrp 100 network 10.10.2.2 0.0.0.0 network 192.168.1.2 0.0.0.0 ----------- R3 - Spoke: ----------- interface Tunnel0 bandwidth 4096 ip address 192.168.1.3 255.255.255.0 ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel destination 1.1.14.1 tunnel protection ipsec profile PROTECT-GRE ! router eigrp 100 network 10.10.3.3 0.0.0.0 network 192.168.1.3 0.0.0.0
Verification:
- Tunnel mode is mGRE on Hub Router. - Tunnel mode is GRE (Point-to-Point GRE) on Spoke Routers. R1: R1#sh int t0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 192.168.1.1/24 MTU 17874 bytes, BW 4096 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 1.1.14.1 (FastEthernet0/0) Tunnel Subblocks: src-track: Tunnel0 source tracking subblock associated with FastEthernet0/0 Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK> Tunnel protocol/transport multi-GRE/IP Key disabled, sequencing disabled Checksumming of packets disabled Tunnel TTL 255, Fast tunneling enabled Tunnel transport MTU 1434 bytes Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Tunnel protection via IPSec (profile "PROTECT-GRE") <snip> R2: R2#sh int t0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 192.168.1.2/24 MTU 17874 bytes, BW 4096 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 1.1.24.2 (FastEthernet0/0), destination 1.1.14.1 Tunnel Subblocks: src-track: Tunnel0 source tracking subblock associated with FastEthernet0/0 Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK> Tunnel protocol/transport GRE/IP Key disabled, sequencing disabled Checksumming of packets disabled Tunnel TTL 255, Fast tunneling enabled Tunnel transport MTU 1434 bytes Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Tunnel protection via IPSec (profile "PROTECT-GRE") <snip> R3: R3#sh int t0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 192.168.1.3/24 MTU 17874 bytes, BW 4096 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 1.1.34.3 (FastEthernet0/0), destination 1.1.14.1 Tunnel Subblocks: src-track: Tunnel0 source tracking subblock associated with FastEthernet0/0 Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK> Tunnel protocol/transport GRE/IP Key disabled, sequencing disabled Checksumming of packets disabled Tunnel TTL 255, Fast tunneling enabled Tunnel transport MTU 1434 bytes Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Tunnel protection via IPSec (profile "PROTECT-GRE") <snip> - Routing adjacencies are Hub to Spokes only R1#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 1 192.168.1.3 Tu0 11 00:19:56 191 1146 0 16 0 192.168.1.2 Tu0 14 00:19:56 178 1068 0 16 R2#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.1 Tu0 11 00:20:37 779 4674 0 10 R3#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.1 Tu0 14 00:20:39 183 1098 0 11 - Routing Table R1#show ip route eigrp | beg Gate Gateway of last resort is 1.1.14.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks D 10.10.0.0/16 is a summary, 00:14:48, Null0 D 10.10.2.0/24 [90/1907456] via 192.168.1.2, 00:22:02, Tunnel0 D 10.10.3.0/24 [90/1907456] via 192.168.1.3, 00:22:04, Tunnel0 R2#show ip route eigrp | beg Gate Gateway of last resort is 1.1.24.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks D 10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:15:06, Tunnel0 R3#show ip route eigrp | beg Gate Gateway of last resort is 1.1.34.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks D 10.10.0.0/16 [90/1907456] via 192.168.1.1, 00:15:17, Tunnel0 - Spoke (R2) to Spoke (R3) traffic traverse via Hub R2#ping 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds: Packet sent with a source address of 10.10.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 192/199/212 ms R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.1 144 msec 140 msec 136 msec << Hub R1 Tunnel IP 2 192.168.1.3 204 msec * 196 msec << Spoke R3 Tunnel IP
- DMVPN status on Hub R1#sh dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ====================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.24.2 192.168.1.2 UP 01:21:07 D 1 1.1.34.3 192.168.1.3 UP 01:21:11 D R1#sh ip nhrp 192.168.1.2/32 via 192.168.1.2 Tunnel0 created 01:50:50, expire 01:29:09 Type: dynamic, Flags: unique registered used NBMA address: 1.1.24.2 192.168.1.3/32 via 192.168.1.3 Tunnel0 created 01:50:54, expire 01:29:05 Type: dynamic, Flags: unique registered used NBMA address: 1.1.34.3 - DMVPN status on Spoke Routers R2#sh dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ===================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:1, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.14.1 192.168.1.1 UP 01:22:47 S R2#sh ip nhrp 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 01:53:57, never expire Type: static, Flags: NBMA address: 1.1.14.1 R3#sh dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ==================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHRP Peers:1, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 1.1.14.1 192.168.1.1 UP 01:23:09 S R3#sh ip nhrp 192.168.1.1/32 via 192.168.1.1 Tunnel0 created 01:54:39, never expire Type: static, Flags: NBMA address: 1.1.14.1
DMVPN Phase 1 configuration with OSPF
- Hub router tunnel would be OSPF network type point-to-multipoint - Spoke routers tunnel would be OSPF network type point-to-point - OSPF hello timers must match on tunnel interface on Hub and Spokes - Route summarization is not feasible in single OSPF area R1: interface Tunnel0 bandwidth 4096 ip address 192.168.1.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast dynamic ip nhrp network-id 100 ip tcp adjust-mss 1360 ip ospf network point-to-multipoint ip ospf hello-interval 10 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel protection ipsec profile PROTECT-GRE ! router ospf 1 network 10.10.1.1 0.0.0.0 area 0 network 192.168.1.1 0.0.0.0 area 0 R2: interface Tunnel0 bandwidth 4096 ip address 192.168.1.2 255.255.255.0 ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel destination 1.1.14.1 tunnel protection ipsec profile PROTECT-GRE ! router ospf 1 network 10.10.2.2 0.0.0.0 area 0 network 192.168.1.2 0.0.0.0 area 0 R3: interface Tunnel0 bandwidth 4096 ip address 192.168.1.3 255.255.255.0 ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map multicast 1.1.14.1 ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel destination 1.1.14.1 tunnel protection ipsec profile PROTECT-GRE ! router ospf 1 network 10.10.3.3 0.0.0.0 area 0 network 192.168.1.3 0.0.0.0 area 0
Verification
R1: R1#show ip ospf int t0 Tunnel0 is up, line protocol is up Internet Address 192.168.1.1/24, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 24 Topology-MTID Cost Disabled Shutdown Topology Name 0 24 no no Base Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:05 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 4 msec, maximum is 4 msec Neighbor Count is 2, Adjacent neighbor count is 2 Adjacent with neighbor 192.168.1.3 Adjacent with neighbor 192.168.1.2 Suppress hello for 0 neighbor(s) R1#show ip ospf ne Neighbor ID Pri State Dead Time Address Interface 192.168.1.3 0 FULL/ - 00:00:33 192.168.1.3 Tunnel0 192.168.1.2 0 FULL/ - 00:00:34 192.168.1.2 Tunnel0 R1#show ip route ospf | beg Gate Gateway of last resort is 1.1.14.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.10.2.0/24 [110/25] via 192.168.1.2, 00:04:05, Tunnel0 O 10.10.3.0/24 [110/25] via 192.168.1.3, 00:03:45, Tunnel0 R2: R2#show ip ospf int t0 Tunnel0 is up, line protocol is up Internet Address 192.168.1.2/24, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.2, Network Type POINT_TO_POINT, Cost: 24 Topology-MTID Cost Disabled Shutdown Topology Name 0 24 no no Base Transmit Delay is 1 sec, State POINT_TO_POINT Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:08 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 4 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 192.168.1.1 Suppress hello for 0 neighbor(s) R2#show ip ospf ne Neighbor ID Pri State Dead Time Address Interface 192.168.1.1 0 FULL/ - 00:00:31 192.168.1.1 Tunnel0 R2#show ip route ospf | beg Gate Gateway of last resort is 1.1.24.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.10.1.0/24 [110/25] via 192.168.1.1, 00:05:12, Tunnel0 O 10.10.3.0/24 [110/49] via 192.168.1.1, 00:04:35, Tunnel0 192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks O 192.168.1.1/32 [110/24] via 192.168.1.1, 00:05:12, Tunnel0 R3: R3#show ip ospf int t0 Tunnel0 is up, line protocol is up Internet Address 192.168.1.3/24, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.3, Network Type POINT_TO_POINT, Cost: 24 Topology-MTID Cost Disabled Shutdown Topology Name 0 24 no no Base Transmit Delay is 1 sec, State POINT_TO_POINT Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:02 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 4 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 192.168.1.1 Suppress hello for 0 neighbor(s) R3#show ip ospf ne Neighbor ID Pri State Dead Time Address Interface 192.168.1.1 0 FULL/ - 00:00:31 192.168.1.1 Tunnel0 R3#show ip route ospf | beg Gate Gateway of last resort is 1.1.34.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.10.1.0/24 [110/25] via 192.168.1.1, 00:05:40, Tunnel0 O 10.10.2.0/24 [110/49] via 192.168.1.1, 00:05:40, Tunnel0 192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks O 192.168.1.1/32 [110/24] via 192.168.1.1, 00:05:40, Tunnel0 Spoke to Spoke traffic: R2#ping 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds: Packet sent with a source address of 10.10.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 196/201/208 ms R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.1 152 msec 120 msec 164 msec << Hub Tunnel IP 2 192.168.1.3 236 msec * 220 msec << Spoke-3 Tunnel IP
DMVPN Phase 1 configuration with BGP
- "bgp listen range ....." command can be used to define a range of IP address of BGP neighbors on hub router - "bgp listen limit xx" command can be used to set the limit of dynamic BGP neighbors - Hub router would act as BGP Route-reflector server - Spoke routers would be BGP route-reflector clients - As spokes would communicate via hub only, it is inefficient to advertise all specific prefixes to spoke BGP peers - Hub Router would advertise summary route to spokes R1: interface Tunnel0 bandwidth 4096 ip address 192.168.1.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp network-id 100 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel protection ipsec profile PROTECT-GRE ! router bgp 65001 bgp router-id 192.168.1.1 bgp log-neighbor-changes bgp listen range 192.168.1.0/24 peer-group DMVPN-SPOKES bgp listen limit 50 network 10.10.1.0 mask 255.255.255.0 aggregate-address 10.10.0.0 255.255.0.0 summary-only neighbor DMVPN-SPOKES peer-group neighbor DMVPN-SPOKES remote-as 65001 neighbor DMVPN-SPOKES route-reflector-client R2: interface Tunnel0 bandwidth 4096 ip address 192.168.1.2 255.255.255.0 ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel destination 1.1.14.1 tunnel protection ipsec profile PROTECT-GRE ! router bgp 65001 bgp router-id 192.168.1.2 bgp log-neighbor-changes network 10.10.2.0 mask 255.255.255.0 neighbor 192.168.1.1 remote-as 65001 R3: interface Tunnel0 bandwidth 4096 ip address 192.168.1.3 255.255.255.0 ip mtu 1400 ip nhrp authentication NhRp@UtH ip nhrp map 192.168.1.1 1.1.14.1 ip nhrp network-id 100 ip nhrp nhs 192.168.1.1 ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel destination 1.1.14.1 tunnel protection ipsec profile PROTECT-GRE ! router bgp 65001 bgp router-id 192.168.1.3 bgp log-neighbor-changes network 10.10.3.0 mask 255.255.255.0 neighbor 192.168.1.1 remote-as 65001
Verification
R1: R1#show ip bgp summary BGP router identifier 192.168.1.1, local AS number 65001 BGP table version is 8, main routing table version 8 4 network entries using 592 bytes of memory 4 path entries using 256 bytes of memory 3/3 BGP path/bestpath attribute entries using 408 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 1256 total bytes of memory BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd *192.168.1.2 4 65001 38 40 8 0 0 00:30:25 1 *192.168.1.3 4 65001 37 39 8 0 0 00:30:09 1 * Dynamically created based on a listen range command Dynamically created neighbors: 2, Subnet ranges: 1 BGP peergroup DMVPN-SPOKES listen range group members: 192.168.1.0/24 Total dynamically created neighbors: 2/(50 max), Subnet ranges: 1 R1#show ip bgp BGP table version is 8, local router ID is 192.168.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 10.10.0.0/16 0.0.0.0 32768 i s> 10.10.1.0/24 0.0.0.0 0 32768 i s>i 10.10.2.0/24 192.168.1.2 0 100 0 i s>i 10.10.3.0/24 192.168.1.3 0 100 0 i R1#show ip route bgp | beg Gate Gateway of last resort is 1.1.14.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks B 10.10.0.0/16 [200/0] via 0.0.0.0, 00:30:49, Null0 B 10.10.2.0/24 [200/0] via 192.168.1.2, 00:30:49 B 10.10.3.0/24 [200/0] via 192.168.1.3, 00:29:46 R2: R2#show ip bgp sum BGP router identifier 192.168.1.2, local AS number 65001 BGP table version is 5, main routing table version 5 2 network entries using 296 bytes of memory 2 path entries using 128 bytes of memory 2/2 BGP path/bestpath attribute entries using 272 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 696 total bytes of memory BGP activity 3/1 prefixes, 3/1 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.1 4 65001 41 40 5 0 0 00:31:43 1 R2#show ip bgp BGP table version is 5, local router ID is 192.168.1.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *>i 10.10.0.0/16 192.168.1.1 0 100 0 i *> 10.10.2.0/24 0.0.0.0 0 32768 i R2#show ip route bgp | beg Gate Gateway of last resort is 1.1.24.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks B 10.10.0.0/16 [200/0] via 192.168.1.1, 00:31:53 R3: R3#show ip bgp sum BGP router identifier 192.168.1.3, local AS number 65001 BGP table version is 3, main routing table version 3 2 network entries using 296 bytes of memory 2 path entries using 128 bytes of memory 2/2 BGP path/bestpath attribute entries using 272 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 696 total bytes of memory BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.1 4 65001 41 39 3 0 0 00:32:08 1 R3#show ip bgp BGP table version is 3, local router ID is 192.168.1.3 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *>i 10.10.0.0/16 192.168.1.1 0 100 0 i *> 10.10.3.0/24 0.0.0.0 0 32768 i R3#show ip route bgp | beg Gate Gateway of last resort is 1.1.34.4 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks B 10.10.0.0/16 [200/0] via 192.168.1.1, 00:31:29 Spoke-to-Spoke traffic: R2#ping 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds: Packet sent with a source address of 10.10.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 180/192/204 ms R2#trace 10.10.3.3 so 10.10.2.2 Type escape sequence to abort. Tracing the route to 10.10.3.3 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.1 140 msec 176 msec 140 msec << Hub Tunnel IP 2 192.168.1.3 224 msec * 220 msec << Spoke-3 Tunnel IP
As we have seen that spoke-to-spoke traffic always traverse via hub in phase 1 design. In a large network, It increases overhead on hub router. Also spokes has to use sub-optimal routing path for traffic between spoke sites. The shortcomings of DMVPN phase 1 are addressed in Phase 2 design, which we will discuss in next blog.