Here is the topology.
As always, we will start with basic interface configurations. Note that most of these configs are the same as in Phase 2, with the exception of a couple of commands under the tunnel interfaces:
- ip nhrp redirect on the hub
- ip nhrp shortcut on the spokes
R1#sh run int gig1.151
Building configuration...
Current configuration : 126 bytes
!
interface GigabitEthernet1.151
description Internet_Facing
encapsulation dot1Q 151
ip address 1.1.1.1 255.255.255.0
end
!
R1#sh run int lo100
interface Loopback100
ip address 10.10.10.1 255.255.255.255
end
R2#sh run int gig1.151
Building configuration...
Current configuration : 126 bytes
!
interface GigabitEthernet1.151
description Internet_Facing
encapsulation dot1Q 151
ip address 1.1.1.2 255.255.255.0
end
!
R2#sh run int lo100
interface Loopback100
ip address 10.10.10.2 255.255.255.255
end
R3#sh run int gig1.151
Building configuration...
Current configuration : 126 bytes
!
interface GigabitEthernet1.151
description Internet_Facing
encapsulation dot1Q 151
ip address 1.1.1.3 255.255.255.0
end
!
R3#sh run int lo100
interface Loopback100
ip address 10.10.10.3 255.255.255.255
end
Ping and verify basic Layer 3 connectivity between the routers.
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
Next, let's move on to configuring the DMVPN, including the NHRP parameters, on all 3 routers. We will use the private subnet 192.168.1.0/24 for the DMVPN tunnel.
R1#sh run int tun0
Building configuration...
Current configuration : 263 bytes
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
!!--Set the MTU to account for the GRE / IPSEC overhead
ip mtu 1400
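!!--Optional NHRP authentication (the string travels in clear text in NHRP packets, so it is not a substitute for IPsec tunnel protection)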
ip nhrp authentication AUTH
ip nhrp map multicast dynamic
!!--This command makes the HUB send an NHRP redirect message so the spokes can learn of the "real" next hop.
!!--When Spokes learn the real next hop, a dynamic spoke to spoke tunnel can be built.
ip nhrp redirect
!!--NHRP network-id must match on all routers
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.151
tunnel mode gre multipoint
end
R2#sh run int tun0
Building configuration...
Current configuration : 291 bytes
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
ip nhrp authentication AUTH
!!--Map the NHRP Next hop server to the NBMA address of the HUB
ip nhrp map 192.168.1.1 1.1.1.1
!!--Remember to do map multicast to HUB NBMA address (not the tunnel address) or else routing protocols will not work
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
!!--This command states that the router should accept the NHRP redirect message sent by the HUB and create the dynamic spoke to spoke tunnel.
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.151
tunnel mode gre multipoint
end
R3#sh run int tun0
Building configuration...
Current configuration : 291 bytes
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
ip nhrp authentication AUTH
ip mtu 1400
ip nhrp map 192.168.1.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
!!-Make sure network-id matches on all the routers
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.151
tunnel mode gre multipoint
end
At this point we should have full tunnel-end-to-tunnel-end connectivity.
Now that we have DMVPN Phase 3 working, let's get EIGRP configured over the DMVPN tunnel and make sure that spoke-to-spoke tunnels are created dynamically.
R1# show run | sec eigrp
router eigrp 100
network 10.10.10.1 0.0.0.0
network 192.168.1.0
!!--Disable split horizon so the route advertisements from the spokes can be reflected to each other.
R1# sh run int tun0 | in split
interface Tunnel0
no ip split-horizon eigrp 100
R2# show run | sec eigrp
router eigrp 100
network 10.10.10.2 0.0.0.0
network 192.168.1.0
R3# show run | sec eigrp
router eigrp 100
network 10.10.10.3 0.0.0.0
network 192.168.1.0
Since this is Phase 3, let's summarize in EIGRP to send only the default route to the SPOKES. This is one of the major benefits of running EIGRP in Phase 3 ... summarize wherever you want, unlike OSPF.
R1#sh run int tun 0 | in summary
int tunnel0
!!--Add the summary command under the tunnel interface
ip summary-address eigrp 100 0.0.0.0 0.0.0.0
When you look at the spokes' routing tables ... you should only see the default route pointing to the HUB's DMVPN IP.
R2#
%BUFCAP-6-DISABLE: Capture Point 1 disabled.
R2#sh ip route eigrp
D* 0.0.0.0/0 [90/27008000] via 192.168.1.1, 00:12:50, Tunnel0
Let's take a look at the current R2 NHRP tunnels and as you can see only one static tunnel is built to the DMVPN HUB.
R2#show ip nhrp brief
Target Via NBMA Mode Intfc Claimed
192.168.1.1/32 192.168.1.1 1.1.1.1 static Tu0 < >
And yet when you ping 10.10.10.3 from R2 ... R2 creates a dynamic tunnel to R3.
R2#ping 10.10.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms
You can see that R2 and R3 now have a dynamic spoke to spoke tunnel. How did R3 know to build a dynamic tunnel to R2?
R2#show ip nhrp brief
Target Via NBMA Mode Intfc Claimed
10.10.10.3/32 192.168.1.3 1.1.1.3 dynamic Tu0 < >
192.168.1.1/32 192.168.1.1 1.1.1.1 static Tu0 < >
192.168.1.3/32 192.168.1.3 1.1.1.3 dynamic Tu0 < >
!!-R3 nhrp information
R3#show ip nhrp detail
10.10.10.3/32 via 192.168.1.3
Tunnel0 created 00:23:04, expire 01:44:40
Type: dynamic, Flags: router unique local
NBMA address: 1.1.1.3
(no-socket)
Requester: 192.168.1.2 Request ID: 9
192.168.1.1/32 via 192.168.1.1
Tunnel0 created 08:47:27, never expire
Type: static, Flags: used
NBMA address: 1.1.1.1
192.168.1.2/32 via 192.168.1.2
Tunnel0 created 00:23:04, expire 00:44:40
Type: dynamic, Flags: router implicit used nhop
NBMA address: 1.1.1.2
Let's dig into the Packet Captures to answer that question.
This is a packet capture from R2's perspective ... When you first ping R3's loopback from R2, the packets make it to R1 (because of the default route) and go through the HUB. However, R1 (HUB) sends a special NHRP message back to R2 ... the "NHRP Traffic Indication" packet (thanks to the ip nhrp redirect command). This message tells R2 that there is a shorter path and that R2 should resolve the next hop for 10.10.10.3 and then build a dynamic spoke to spoke tunnel for this traffic.
R2 now crafts an NHRP Request message for destination 10.10.10.3 and sends it to the HUB. R1 forwards this message to R3, which then sends an NHRP Reply message directly to R2. R2 can then build the spoke to spoke tunnel for 10.10.10.3. PCAPs from R2 below.
Now when we look at NHRP tunnels from R2 you can see that there is a dynamically created tunnel between R2 and R3 and traffic between R2 and R3 does not traverse R1 (HUB).
R2#show ip nhrp dynamic
10.10.10.3/32 via 192.168.1.3
Tunnel0 created 00:32:08, expire 01:27:51
Type: dynamic, Flags: router rib
NBMA address: 1.1.1.3
192.168.1.3/32 via 192.168.1.3
Tunnel0 created 00:32:08, expire 01:27:51
Type: dynamic, Flags: router nhop rib
NBMA address: 1.1.1.3
Also note that there is a special NHRP route installed in R2's RIB/CEF indicated by key "H".
R2#sh ip route
D* 0.0.0.0/0 [90/27008000] via 192.168.1.1, 00:42:25, Tunnel0
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, GigabitEthernet1.151
L 1.1.1.2/32 is directly connected, GigabitEthernet1.151
10.0.0.0/32 is subnetted, 2 subnets
C 10.10.10.2 is directly connected, Loopback100
H 10.10.10.3 [250/1] via 192.168.1.3, 00:41:40, Tunnel0
192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Tunnel0
L 192.168.1.2/32 is directly connected, Tunnel0
H 192.168.1.3/32 is directly connected, 00:41:40, Tunnel0
R2# sh ip nhrp shortcut
10.10.10.3/32 via 192.168.1.3
Tunnel0 created 00:46:10, expire 01:13:49
Type: dynamic, Flags: router rib
NBMA address: 1.1.1.3
192.168.1.3/32 via 192.168.1.3
Tunnel0 created 00:46:10, expire 01:13:49
Type: dynamic, Flags: router nhop rib
NBMA address: 1.1.1.3
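A defender-side check on the shortcut entries shown above, as an added example that is not part of the original post: a spoke installs whatever NBMA address an NHRP reply supplies, so this Python script parses `show ip nhrp` style output and flags dynamic entries whose NBMA address disagrees with a known inventory. The inventory dictionary, the 10.10.10.9/32 entry and the address 203.0.113.50 are constructed for illustration.

```python
import re

# Expected tunnel-IP -> NBMA bindings, from the addressing used on this page.
EXPECTED_NBMA = {"192.168.1.1": "1.1.1.1", "192.168.1.2": "1.1.1.2",
                 "192.168.1.3": "1.1.1.3"}
IP = r"(\d+\.\d+\.\d+\.\d+)"
ENTRY_RE = re.compile(rf"^{IP}/(\d+) via {IP}$")
TYPE_RE = re.compile(r"^Type: (\w+), Flags: (.*)$")
NBMA_RE = re.compile(rf"^NBMA address: {IP}$")

def parse_nhrp(text):
    """Parse 'show ip nhrp' style output into a list of entry dicts."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if m := ENTRY_RE.match(line):
            entries.append({"prefix": f"{m[1]}/{m[2]}", "via": m[3],
                            "type": None, "flags": [], "nbma": None})
        elif entries and (m := TYPE_RE.match(line)):
            entries[-1]["type"], entries[-1]["flags"] = m[1], m[2].split()
        elif entries and (m := NBMA_RE.match(line)):
            entries[-1]["nbma"] = m[1]
    return entries

def audit(entries, expected=EXPECTED_NBMA):
    """Return (prefix, reason) for dynamic entries that disagree with the inventory."""
    findings = []
    for e in entries:
        if e["type"] != "dynamic":
            continue  # static hub mappings come from the local config
        want = expected.get(e["via"])  # None when the next hop is unknown
        if e["nbma"] != want:
            findings.append((e["prefix"], f"NBMA {e['nbma']}, inventory says {want}"))
    return findings

# First entry: R2's 'show ip nhrp dynamic' output from this page.
# Second entry (10.10.10.9/32): constructed, NBMA address not in the inventory.
SAMPLE = """\
10.10.10.3/32 via 192.168.1.3
Tunnel0 created 00:32:08, expire 01:27:51
Type: dynamic, Flags: router rib
NBMA address: 1.1.1.3
10.10.10.9/32 via 192.168.1.3
Tunnel0 created 00:00:05, expire 01:59:54
Type: dynamic, Flags: router rib
NBMA address: 203.0.113.50
"""
if __name__ == "__main__":
    for prefix, reason in audit(parse_nhrp(SAMPLE)):
        print(f"REVIEW {prefix}: {reason}")
```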
In conclusion, one of the key advantages of DMVPN Phase 3 is that the HUB can summarize and still allow for spoke to spoke tunnels.
- "ip nhrp redirect" is applied under the tunnel configuration on the HUB, so the HUB can send the "NHRP Traffic Indication" message to the spoke.
- "ip nhrp shortcut" is applied under the tunnel configuration on the spokes, so they can accept the NHRP Traffic Indication message and send the NHRP Request message accordingly.
- clear ip nhrp shortcut
- debug dmvpn
- debug nhrp routing
- show dmvpn
- show ip nhrp
- show ip nhrp shortcut
- show ip route
- show ip route next-hop-override