Monday, December 7, 2015

Configuring DMVPN Phase 3 w/ EIGRP

In this blogtorial we will configure DMVPN Phase 3 and run EIGRP over the tunnel. After reading this blogtorial, I hope that you will have a clear understanding of DMVPN Phase 3 and how it interacts with EIGRP. If you need a primer on DMVPN Phase 1 and Phase 2, please see my DMVPN blogtorials.

Here is the topology.



As always we will start with the basic interface configurations. Note that most of these configs are the same as in Phase 2, with the exception of a couple of commands under the tunnel interfaces:
  • ip nhrp redirect on the hub
  • ip nhrp shortcut on the spokes
 R1#sh run int gig1.151  
 Building configuration...  
 Current configuration : 126 bytes  
 !  
 interface GigabitEthernet1.151  
  description Internet_Facing  
  encapsulation dot1Q 151  
  ip address 1.1.1.1 255.255.255.0  
 end  
 !
 R1#sh run int lo100
 interface Loopback100
  ip address 10.10.10.1 255.255.255.255
 end
 
 R2#sh run int gig1.151  
 Building configuration...  
 Current configuration : 126 bytes  
 !  
 interface GigabitEthernet1.151  
  description Internet_Facing  
  encapsulation dot1Q 151  
  ip address 1.1.1.2 255.255.255.0  
 end  
 !
 R2#sh run int lo100
 interface Loopback100
  ip address 10.10.10.2 255.255.255.255
 end

 R3#sh run int gig1.151  
 Building configuration...  
 Current configuration : 126 bytes  
 !  
 interface GigabitEthernet1.151  
  description Internet_Facing  
  encapsulation dot1Q 151  
  ip address 1.1.1.3 255.255.255.0  
 end
 !
 R3#sh run int lo100
 interface Loopback100
  ip address 10.10.10.3 255.255.255.255
 end  

Ping and verify basic Layer 3 connectivity between the routers.

 R2#ping 1.1.1.1  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms  
 R3#ping 1.1.1.1  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms  

Next let's move on to configuring the DMVPN tunnels, including the NHRP parameters, on all 3 routers. We will use the private subnet 192.168.1.0/24 for the DMVPN tunnel.

 R1#sh run int tun0  
 Building configuration...  
 Current configuration : 263 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.1 255.255.255.0  
  no ip redirects

!!--Set the MTU to account for the GRE / IPSEC overhead 
  ip mtu 1400  

!!--Optional NHRP Authentication 
  ip nhrp authentication AUTH  
  ip nhrp map multicast dynamic  

!!--This command tells the HUB to send an NHRP redirect (Traffic Indication) message so the spokes can learn the "real" next hop.
!!--Once a spoke learns the real next hop, a dynamic spoke-to-spoke tunnel can be built.
  ip nhrp redirect

!!--NHRP network-id must match on all routers
  ip nhrp network-id 1  
  ip tcp adjust-mss 1360  
  tunnel source GigabitEthernet1.151  
  tunnel mode gre multipoint  
 end  

 R2#sh run int tun0  
 Building configuration...  
 Current configuration : 291 bytes  
 !  
 interface Tunnel0
  ip address 192.168.1.2 255.255.255.0
!!--Same MTU as the HUB to account for the GRE / IPsec overhead
  ip mtu 1400
  ip nhrp authentication AUTH
!!--Map the NHRP next-hop server's tunnel address to the NBMA address of the HUB
  ip nhrp map 192.168.1.1 1.1.1.1
!!--Remember to map multicast to the HUB's NBMA address (not its tunnel address), or routing protocols will not form adjacencies over the tunnel
  ip nhrp map multicast 1.1.1.1
  ip nhrp network-id 1
  ip nhrp nhs 192.168.1.1

!!--This command tells the spoke to accept the NHRP redirect messages sent by the HUB, resolve the real next hop and create the dynamic spoke-to-spoke tunnel.
  ip nhrp shortcut
  ip tcp adjust-mss 1360
  tunnel source GigabitEthernet1.151
  tunnel mode gre multipoint
 end

 R3#sh run int tun0  
 Building configuration...  
 Current configuration : 291 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.3 255.255.255.0  
  ip nhrp authentication AUTH  
  ip mtu 1400
  ip nhrp map 192.168.1.1 1.1.1.1  
  ip nhrp map multicast 1.1.1.1  
!!--Make sure the network-id matches on all the routers
  ip nhrp network-id 1  
  ip nhrp nhs 192.168.1.1  
  ip nhrp shortcut
  ip tcp adjust-mss 1360  
  tunnel source GigabitEthernet1.151  
  tunnel mode gre multipoint  
 end  

At this point we should have full tunnel end-to-end connectivity between the HUB and the spokes.
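Before moving on, a quick consistency check of the hub and spoke tunnel stanzas above. This is an added Python example, not code from the post: it verifies the two Phase 3 commands (redirect on the hub, shortcut on the spoke) and the values that must agree between hub and spoke (network-id, authentication, MTU, multicast mapped to the hub's NBMA address). The two config strings are constructed sample input in the post's format; the spoke deliberately maps multicast to the hub's tunnel address and omits ip mtu so both findings show up.

```python
import re
# Constructed sample input, not from the post: a hub and a spoke tunnel stanza in
# the post's form. The spoke has two mistakes the post warns about: multicast mapped
# to the hub's tunnel address instead of its NBMA address, and no 'ip mtu' line.
HUB_CFG = """ ip mtu 1400
 ip nhrp authentication AUTH
 ip nhrp map multicast dynamic
 ip nhrp redirect
 ip nhrp network-id 1"""
SPOKE_CFG = """ ip nhrp authentication AUTH
 ip nhrp map 192.168.1.1 1.1.1.1
 ip nhrp map multicast 192.168.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut"""

def parse_tunnel(cfg):
    """Collect the stanza's commands and pull out the values the audit compares."""
    lines = {l.strip() for l in cfg.splitlines()}
    def value(pattern):  # first capture group of the first matching command, or None
        return next((m.group(1) for l in lines if (m := re.match(pattern, l))), None)
    return {"lines": lines,
            # static 'ip nhrp map <tunnel-ip> <nbma-ip>' entries, keyed by tunnel IP
            "maps": dict(re.findall(r"ip nhrp map (\d\S*) (\S+)", cfg)),
            "network_id": value(r"ip nhrp network-id (\S+)"),
            "auth": value(r"ip nhrp authentication (\S+)"),
            "mtu": value(r"ip mtu (\d+)"),
            "nhs": value(r"ip nhrp nhs (\S+)"),
            "mcast": value(r"ip nhrp map multicast (\S+)")}

def audit_phase3(hub_cfg, spoke_cfg):
    """Return a list of findings; an empty list means the hub/spoke pair agrees."""
    hub, spoke = parse_tunnel(hub_cfg), parse_tunnel(spoke_cfg)
    findings = []
    if "ip nhrp redirect" not in hub["lines"]:
        findings.append("hub lacks 'ip nhrp redirect': no Traffic Indication is sent")
    if "ip nhrp shortcut" not in spoke["lines"]:
        findings.append("spoke lacks 'ip nhrp shortcut': redirects are ignored")
    for key in ("network_id", "auth", "mtu"):
        if hub[key] != spoke[key]:
            findings.append(f"{key} differs: hub {hub[key]} vs spoke {spoke[key]}")
    hub_nbma = spoke["maps"].get(spoke["nhs"])
    if hub_nbma is None:
        findings.append("spoke nhs has no matching 'ip nhrp map <tunnel> <nbma>' entry")
    elif spoke["mcast"] != hub_nbma:
        findings.append(f"multicast mapped to {spoke['mcast']}, not hub NBMA {hub_nbma}")
    return findings

for finding in audit_phase3(HUB_CFG, SPOKE_CFG):
    print("FINDING:", finding)
```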

Now that we have DMVPN Phase 3 working, let's get EIGRP configured over the DMVPN tunnel and make sure that spoke-to-spoke tunnels are created dynamically. 

 R1# show run | sec eigrp   
 router eigrp 100  
  network 10.10.10.1 0.0.0.0  
  network 192.168.1.0  

!!--Disable split horizon so the route advertisements from one spoke are reflected to the other spokes.
R1# sh run int tun0 | in split
interface Tunnel0
 no ip split-horizon eigrp 100

 R2# show run | sec eigrp   
 router eigrp 100  
  network 10.10.10.2 0.0.0.0  
  network 192.168.1.0  

 R3# show run | sec eigrp   
 router eigrp 100  
  network 10.10.10.3 0.0.0.0  
  network 192.168.1.0  

Since this is Phase 3, let's summarize in EIGRP and send only a default route to the SPOKES. This is one of the major benefits of running EIGRP in Phase 3: you can summarize wherever you want, unlike with OSPF.

 R1#sh run int tun0 | in summary
!!--Add the summary command under the tunnel interface
 interface Tunnel0
  ip summary-address eigrp 100 0.0.0.0 0.0.0.0

When you look at a spoke's routing table, you should only see the default route, pointing to the HUB's DMVPN tunnel IP.

 R2#sh ip route eigrp  
   D*  0.0.0.0/0 [90/27008000] via 192.168.1.1, 00:12:50, Tunnel0  

Let's take a look at R2's current NHRP entries. As you can see, only the static tunnel to the DMVPN HUB exists.

 R2#show ip nhrp brief  
   Target       Via      NBMA      Mode  Intfc  Claimed  
    192.168.1.1/32 192.168.1.1   1.1.1.1     static  Tu0   <  >  

And yet, when you ping 10.10.10.3 from R2, R2 creates a dynamic tunnel to R3.

 R2#ping 10.10.10.3  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 10.10.10.3, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms  

You can see that R2 and R3 now have a dynamic spoke-to-spoke tunnel. How did R3 know to build a dynamic tunnel to R2?

 R2#show ip nhrp brief  
   Target       Via      NBMA      Mode  Intfc  Claimed  
     10.10.10.3/32 192.168.1.3   1.1.1.3     dynamic Tu0   <  >  
    192.168.1.1/32 192.168.1.1   1.1.1.1     static  Tu0   <  >  
    192.168.1.3/32 192.168.1.3   1.1.1.3     dynamic Tu0   <  >  

!!--R3 NHRP information
 R3#show ip nhrp detail  
 10.10.10.3/32 via 192.168.1.3  
   Tunnel0 created 00:23:04, expire 01:44:40  
   Type: dynamic, Flags: router unique local  
   NBMA address: 1.1.1.3  
   (no-socket)  
  Requester: 192.168.1.2 Request ID: 9  
 192.168.1.1/32 via 192.168.1.1  
   Tunnel0 created 08:47:27, never expire  
   Type: static, Flags: used  
   NBMA address: 1.1.1.1  
 192.168.1.2/32 via 192.168.1.2  
   Tunnel0 created 00:23:04, expire 00:44:40  
   Type: dynamic, Flags: router implicit used nhop  
   NBMA address: 1.1.1.2  

Let's dig into the Packet Captures to answer that question.

This is a packet capture from R2's perspective. When you first ping R3's loopback from R2, the packets go to R1 (because of the default route) and pass through the HUB on their way to R3. However, R1 (HUB) also sends a special NHRP message back to R2, the "NHRP Traffic Indication" packet (thanks to the ip nhrp redirect command). This message tells R2 that there is a shorter path, and that R2 should resolve the next hop for 10.10.10.3 and then build a dynamic spoke-to-spoke tunnel for this traffic.


R2 now crafts an NHRP Resolution Request for destination 10.10.10.3 and sends it to the HUB; R1 forwards this message to R3, which then sends an NHRP Resolution Reply directly to R2. R2 can then build the spoke-to-spoke tunnel for 10.10.10.3. PCAPs from R2 below.




Now when we look at the NHRP entries on R2, you can see that there is a dynamically created tunnel between R2 and R3, and traffic between R2 and R3 no longer traverses R1 (HUB).

 R2#show ip nhrp dynamic  
 10.10.10.3/32 via 192.168.1.3  
   Tunnel0 created 00:32:08, expire 01:27:51  
   Type: dynamic, Flags: router rib  
   NBMA address: 1.1.1.3  
 192.168.1.3/32 via 192.168.1.3  
   Tunnel0 created 00:32:08, expire 01:27:51  
   Type: dynamic, Flags: router nhop rib  
   NBMA address: 1.1.1.3  

Also note that there is a special NHRP route installed in R2's RIB/CEF, indicated by the code "H".

 R2#sh ip route  
 D*  0.0.0.0/0 [90/27008000] via 192.168.1.1, 00:42:25, Tunnel0  
    1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks  
 C    1.1.1.0/24 is directly connected, GigabitEthernet1.151  
 L    1.1.1.2/32 is directly connected, GigabitEthernet1.151  
    10.0.0.0/32 is subnetted, 2 subnets  
 C    10.10.10.2 is directly connected, Loopback100  
 H    10.10.10.3 [250/1] via 192.168.1.3, 00:41:40, Tunnel0  
    192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks  
 C    192.168.1.0/24 is directly connected, Tunnel0  
 L    192.168.1.2/32 is directly connected, Tunnel0  
 H    192.168.1.3/32 is directly connected, 00:41:40, Tunnel0  

 R2#sh ip nhrp shortcut
 10.10.10.3/32 via 192.168.1.3  
   Tunnel0 created 00:46:10, expire 01:13:49  
   Type: dynamic, Flags: router rib  
   NBMA address: 1.1.1.3  
 192.168.1.3/32 via 192.168.1.3  
   Tunnel0 created 00:46:10, expire 01:13:49  
   Type: dynamic, Flags: router nhop rib  
   NBMA address: 1.1.1.3  
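The show outputs above are what you would check after a spoke-to-spoke tunnel comes up. As an added Python example (not from the post), the parser below turns "show ip nhrp detail" output into records, lists which prefixes are reached over dynamic (spoke-to-spoke) entries per tunnel next hop, and flags any dynamic entry whose NBMA address is not one of the hub/spoke Internet-facing addresses in this topology. The sample output is constructed from R3's entries in the post plus one extra dynamic entry with a placeholder NBMA address (203.0.113.9) so the check has something to flag.

```python
import re
# Constructed sample, not a capture from the post: R3's 'show ip nhrp detail'
# entries from the post, plus one extra dynamic entry from an NBMA address
# (203.0.113.9, a placeholder) that is not a known hub or spoke.
NHRP_DETAIL = """\
10.10.10.3/32 via 192.168.1.3
   Tunnel0 created 00:23:04, expire 01:44:40
   Type: dynamic, Flags: router unique local
   NBMA address: 1.1.1.3
192.168.1.1/32 via 192.168.1.1
   Tunnel0 created 08:47:27, never expire
   Type: static, Flags: used
   NBMA address: 1.1.1.1
192.168.1.2/32 via 192.168.1.2
   Tunnel0 created 00:23:04, expire 00:44:40
   Type: dynamic, Flags: router implicit used nhop
   NBMA address: 1.1.1.2
10.10.99.9/32 via 192.168.1.9
   Tunnel0 created 00:00:12, expire 01:59:48
   Type: dynamic, Flags: router nhop rib
   NBMA address: 203.0.113.9
"""
# Internet-facing (NBMA) addresses of the hub and spokes in the post's topology.
KNOWN_NBMA = {"1.1.1.1", "1.1.1.2", "1.1.1.3"}

ENTRY_RE = re.compile(
    r"^(?P<prefix>\S+) via (?P<via>\S+)\n"
    r"\s+(?P<intf>\S+) created (?P<created>\S+), (?:expire (?P<expire>\S+)|never expire)\n"
    r"\s+Type: (?P<type>\w+), Flags: (?P<flags>[^\n]*)\n"
    r"\s+NBMA address: (?P<nbma>\S+)", re.M)

def parse_nhrp_detail(text):
    """Turn 'show ip nhrp detail' output into one dict per NHRP entry."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["flags"] = e["flags"].split()  # e.g. ['router', 'nhop', 'rib']
        entries.append(e)
    return entries

def unexpected_peers(entries, known_nbma=KNOWN_NBMA):
    """Dynamic entries whose NBMA address is not a known hub or spoke."""
    return [e for e in entries if e["type"] == "dynamic" and e["nbma"] not in known_nbma]

def shortcut_map(entries):
    """Prefixes reached over a dynamic (spoke-to-spoke) entry, keyed by tunnel next hop."""
    out = {}
    for e in entries:
        if e["type"] == "dynamic":
            out.setdefault(e["via"], []).append(e["prefix"])
    return out
```

Feed it the real output of "show ip nhrp detail" from a spoke and compare the NBMA addresses against your own inventory of hub and spoke tunnel sources.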

In conclusion, one of the key advantages of DMVPN Phase 3 is that the HUB can summarize and still allow spoke-to-spoke tunnels.
  • "ip nhrp redirect" is applied under the tunnel configuration on the HUB, so the HUB can send the "NHRP Traffic Indication" message to the spoke.
  • "ip nhrp shortcut" is applied under the tunnel configuration on the spokes, so a spoke can accept the NHRP Traffic Indication message and send the NHRP Resolution Request accordingly.
Debug and show commands to help with troubleshooting / verification:

  • clear ip nhrp shortcut
  • debug dmvpn
  • debug nhrp routing
  • show dmvpn
  • show ip nhrp
  • show ip nhrp shortcut
  • show ip route
  • show ip route next-hop-override

Many more articles to come so ....

Please subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.
