BRKSEC-4052-2011_Advanced Concepts of DMVPN

BRKSEC-4052

Advanced Concepts of Dynamic Multipoint VPN(DMVPN)

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKSEC-4052 2

DMVPN Overview

NHRP Details

Use Case: iBGP over DMVPN

Recent and New Features

Agenda

DMVPN Overview


DMVPN is a Cisco IOS software solution for building IPsec+GRE VPNs in an easy, dynamic and scalable manner

Relies on two proven technologiesNext Hop Resolution Protocol (NHRP)

Creates a distributed mapping database of VPN(tunnel interface) to real (public interface) addresses

Multipoint GRE Tunnel Interface

Single GRE interface to support multiple GRE/IPsec tunnels and endpoints

Simplifies size and complexity of configuration

Supports dynamic tunnel creation

What is Dynamic Multipoint VPN?


Configuration reduction and no-touch deployment

Supports:

Passenger protocols:

IP(v4/v6) unicast, multicast and dynamic Routing Protocols.

Transport protocols (NBMA):

IPv4 and IPv6 (new)

Remote peers with dynamically assigned transport addresses.

Spoke routers behind dynamic NAT; Hub routers behind static NAT.

Dynamic spoke-spoke tunnels for partial/full mesh scaling.

Can be used without IPsec Encryption

Works with MPLS; GRE tunnels and/or data packets in VRFsand MPLS switching over the tunnels

Wide variety of network designs and options.

DMVPN: Major Features


Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub).

When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries via NHRP for the real (outside) address of the destination spoke.

Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer address).

The dynamic spoke-to-spoke tunnel is built over the mGRE interface.

When traffic ceases then the spoke-to-spoke tunnel is removed.

DMVPN: How it works


DMVPN: Example

Dynamic Spoke-to-spoke tunnels

Spoke A

Spoke B

192.168.2.0/24

.1

192.168.1.0/24

.1

192.168.0.0/24

.1

. . .

Physical: 172.17.0.1

Tunnel0: 10.0.0.1

Physical: dynamic

Tunnel0: 10.0.0.11

Physical: dynamic

Tunnel0: 10.0.0.12

Static Spoke-to-hub tunnels

Static known

IP address

Dynamicunknown

IP addresses

LANs can have

private addressing


NHRP RegistrationsSpoke (NHC) dynamically register its VPN to NBMA address mapping with hub (NHS).

Static NHRP mappings on spokes for Hub (NHS)

Needed to ―start the game‖

Builds hub-and-spoke control plane network

NHRP ResolutionsDynamically resolve spoke to spoke VPN to NBMA mapping to build spoke-spoke tunnels.

Single instead of multiple tunnel hops across NBMA network

NHRP Resolution requests/replies sent via hub-and-spoke control plane path

NHRP Main Functionality


IPsec integrated with DMVPN, but not required

Packets Encapsulated in GRE, then Encrypted with IPsec

NHRP controls the tunnels, IPsec does encryption

Bringing up a tunnelNHRP signals IPsec to setup encryption

ISAKMP authenticates peer, generates SAs

IPsec responds to NHRP and the tunnel is activated

All NHRP and data traffic is Encrypted

Bringing down a tunnelNHRP signals IPsec to tear down tunnel

IPsec can signal NHRP if encryption is cleared or lost

ISAKMP Keepalives monitor state of spoke-spoke tunnels

DMVPN and IPsec


Spokes are only routing neighbors with hubs, not with other spokesSpokes advertise local network to hubs

Hubs are routing neighbors with spokesCollect spoke network routes from spokes

Advertise spoke and local networks to all spokes

All Phases:

Turn off split-horizon (EIGRP, RIP)

Single area and no summarization when using OSPF

Phase 1 & 3:

Hubs can not preserve original IP next-hop; Can Summarize

EIGRP, iBGP (next-hop-self); RIP, ODR, eBGP (default)

OSPF (network point-multipoint); # hubs not limited

Phase 2:

Hubs must preserve original IP next-hop; Cannot summarize

EIGRP, eBGP (no ip next-hop-self); iBGP (default)

OSPF (network broadcast); Only 2 hubs

Hubs are routing neighbors with other hubsPhase 1 & 3: Can use different routing protocol than hub-spoke tunnels

Phase 2: Must use same routing protocol as hub-spoke tunnels

Routing


Active-active redundancy model – two or more hubs per spokeAll configured hubs are active and are routing neighbors with spoke

Routing protocol routes are used to determine traffic forwarding

Single route: one tunnel (hub) at a time – primary/backup mode

Multiple routes: both tunnels (hubs) – load-balancing mode

ISAKMP/IPsecCannot use IPsec Stateful failover (NHRP isn‘t supported)

ISAKMP invalid SPI recovery is not useful with DMVPN

ISAKMP keepalives on spokes for timely hub recoverycrypto isakmp keepalives initial retry

Can use single or multiple DMVPNs for redundancyEach mGRE interface is a separate DMVPN network using

different tunnel key, NHRP network-id and IP subnet

Can ―glue‖ mGRE interfaces into same DMVPN network(*)

same tunnel source, NHRP network-id and authentication; no tunnel key and different IP subnet (Phase 3 only)

If using same tunnel source (must use tunnel key)

tunnel protection ipsec profile name shared

Redundancy


Spokes – at least two hubs (NHSs)Phase 1: (Hub-and-spoke)

p-pGRE interfaces two DMVPN networks, one hub on each

Phase 1, 2 or 3: (Hub-and-spoke or Dynamic Mesh)mGRE interface one DMVPN network, two hubs

Hubs – interconnect and routingPhase 1: (Hub and spoke only)

Interconnect hubs directly over physical link, p-pGRE or mGRE

Hubs can exchange routing through any of these paths

Phase 2: (Dynamic Mesh)Interconnect hubs over same mGRE, daisy-chain as NHSs

Hubs must exchange routing over DMVPN network

Phase 3: (Dynamic Mesh)Interconnect hubs over same or different mGRE (same DMVPN)

Hubs must exchange routing over DMVPN network

Redundancy (cont)


Network Designs

Hub-and-spoke – Order(n)

Spoke-to-spoke traffic via hubPhase 1: Hub bandwidth and CPU limit VPN

SLB: Many ―identical‖ hubs increase CPU limit

Spoke-to-spoke – Order(n) « Order(n2)

Control traffic — Hub and spoke; Hub to hubPhase 2: (single)

Phase 3: (hierarchical)

Unicast Data traffic — Dynamic meshSpoke routers support spoke-hub and spoke-spoke tunnels currently in use.

Hub supports spoke-hub traffic and overflow from spoke-spoke traffic.

Network VirtualizationVRF-lite – Multiple DMVPNs

MPLS over DMVPN (2547oDMVPN) – Single DMVPN


Network Designs

Hub and spoke

(Phase 1)

Spoke-to-spoke

(Phase 2)

Server Load Balancing Hierarchical (Phase 3)

Spoke-to-hub tunnels

Spoke-to-spoke tunnels

2547oDMVPN tunnels

VRF-lite

2547oDMVPN


GRE, NHRP and IPsec configurationp-pGRE or mGRE on spokes; mGRE on hubs

ISAKMP Authentication

Certificate, (Pairwise/Wildcard) Pre-shared Key

NHRP RegistrationStatic NHRP mapping for Hub on Spoke

Dynamically learn NHRP mapping for Spoke on Hub

Dynamically addressed spokes (DHCP, NAT , …)

NAT detection support

Hub-and-SpokeFunctionality


mGRE/NHRP+IPsec configurationOn both hub and spokes

ISAKMP authentication information

Certificates, Wildcard Pre-shared Keys

Spoke-spoke data traffic direct Reduced load on hub

Reduced latency

Single IPsec encrypt/decrypt

NAT support

NHRP Resolutions (Phase 2)

NHRP Redirect and Resolutions (Phase 3)Double forwarding lookup

Modify Routing Table (ASR – now; ISR – 15.2(1)T)

Dynamic Mesh (Spoke-Spoke Tunnels)Functionality


ResiliencyNo monitoring of spoke-spoke tunnel (use ISAKMP keepalives)

crypto isakmp keepalives initial retry

Path SelectionNHRP will always build spoke-spoke tunnel

No latency or performance measurement of spoke-spoke vs spoke-hub-spoke paths

Overloading spoke routersCPU or memory IKE Call Admission Control (CAC)

crypto call admission limit ike {sa | in-negotiation } max-SAs

call admission limit percent

show crypto call admission statistics

Bandwidth Design for expected traffic

Hub-spoke versus Spoke-spoke

Spoke-spoke availability is best effort

Dynamic Mesh (Spoke-Spoke Tunnels)Considerations


Separate DMVPN mGRE tunnel per VRF

Hub routers handle all DMVPNsMultiple Hub routers for redundancy and load

IGP used for routing protocol outside of and over DMVPNs on Spokes and Hubs

Address family per VRF

Routing neighbor per spoke per VRF

BGP used only on the hubRedistribute between IGP and BGP for import/export of routes between VRFs

―Internet‖ VRF for Internet access and routing between VRFs

Global routing table for routing DMVPN tunnel packets

Network VirtualizationSeparate DMVPNs – VRF-lite


Single DMVPN (Hub-and-spoke Only)MPLS VPN over DMVPN

Single mGRE tunnel on all routers

MPLS configurationHub and Spoke routers are MPLS PEs

Multiple Hub routers for redundancy and load

IGP is used for routing outside of DMVPN network

BGP used for routing protocol over DMVPNRedistribute between IGP and BGP for transport over DMVPN

Import/export of routes between VRFs and Internet VRF

―Internet‖ VRF for Internet access and routing between VRFs

Routing neighbor per spoke

Global routing table for routing DMVPN tunnel packets

Network VirtualizationMPLS over DMVPN – 2547oDMVPN

NHRP Details


Agenda

DMVPN Overview

NHRP DetailsNHRP Overview

NHRP Registrations

NHRP Resolutions/Redirects

Phase 2

Phase 3




NHRP Message Types

RegistrationBuild base hub-and-spoke network for control traffic(single layer – Phase 1&2, hierarchical – Phase 3)Also used for data traffic

ResolutionGet mapping to build dynamic spoke-spoke tunnels

Traffic Indication (Redirect) – Phase 3Trigger resolution requests at previous GRE tunnel hop

PurgeClear out stale dynamic NHRP mappings

ErrorSignal error conditions


Responder Address Extension:Address mapping for Responding node (Reply messages)

Forward Transit NHS Record Extension:List of NHSs that NHRP request message traversed

– copied to reply message

Reverse Transit NHS Record Extension:List of NHSs that NHRP reply message traversed

Authentication Extension:NHRP Authentication

NAT Address Extension: (12.4(6)T)

Address mapping for peer (Registration message)

Address mapping for self (Resolution request/reply)

NHRP Message Extension Types


NHRP Mapping Entries

StaticBoth host (/32) and network (/<x>) mappings

DynamicRegistered (/32)

From NHRP Registration

NAT – record both inside and outside NAT address

Learned (/32 or /<x>)

From NHRP Resolution

NAT – record both inside and outside NAT address

Incomplete (/32) (also see Temporary)Rate-limit sending of NHRP Resolution Requests

Process-switching of data packet while building spoke-spoke tunnels.

Local (/32 or /<x>)Mapping for local network sent in an NHRP Resolution Reply

Record which nodes were sent this mapping

Temporary (/32) (12.4(22)T – Phase 2 only)

Same as ―Incomplete‖ mapping except that NBMA is set to Hub

CEF-switching of data packets while building spoke-spoke tunnels.

(no socket)Not used to forward data packets

Do not trigger IPsec encryption


NHRP Mapping Entries

10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:20:10, never expire Type: static, Flags: used NBMA address: 172.17.0.9

10.0.0.19/32 via 10.0.0.19, Tunnel0 created 01:20:08, expire 00:05:51Type: dynamic, Flags: unique registered used NBMA address: 172.16.3.1

10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:16:09, expire 00:05:50Type: dynamic, Flags: unique registered used NBMA address: 172.18.0.2 (Claimed NBMA address: 172.16.2.1)

10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:09:04, expire 00:00:22Type: dynamic, Flags: router implicit NBMA address: 172.18.0.2 (Claimed NBMA address: 172.16.2.1)

192.168.23.0/24 via 10.0.0.19, Tunnel0 created 00:00:11, expire 00:05:48Type: dynamic, Flags: router used NBMA address: 172.16.3.1

10.0.0.45/32, Tunnel0 created 00:00:21, expire 00:02:43Type: incomplete, Flags: negative Cache hits: 2

10.0.0.17/32 via 10.0.2.17, Tunnel0 created 00:00:09, expire 00:02:55Type: dynamic, Flags: used temporary NBMA address: 172.17.0.9

192.168.15.0/24 via 10.0.0.11, Tunnel0 created 00:05:39, expire 00:05:50Type: dynamic, Flags: router unique local NBMA address: 172.16.1.1(no-socket)

Spoke to Hub

NAT

Registered

Resolution

Incomplete

Local,

(no-socket)

Temporary


NHRP Mapping flags

unique Mapping entry is unique, don‘t allow overwrite with new NBMA

registered Mapping entry from an NHRP registration

authoritative Mapping entry can be used to answer NHRP resolution requests

used Mapping entry was used in last 60 seconds to forward data traffic

router Mapping entry for remote router

implicit Mapping entry from source information in NHRP packet

local Mapping entry for a local network, record remote requester

nat(added 12.4(6)T, removed 12.4(15)T)

Remote peer supports the NHRP NAT extension

rib(12.2(33)XNE – ASR1k)

Routing Table entry created

nho(12.2(33)XNE – ASR1k)

Next-Hop-Override Routing Table entry created


Used to clear invalid NHRP mapping information from the network

NHRP ―local‖ mapping entriesCreated when sending an NHRP resolution reply

Copy of mapping information sent in reply

Entry tied to corresponding entry in routing table

Keeps list of nodes where resolution reply was sent

To see use ‗show ip nhrp detail‘

If routing table changes so that local mapping entry is no longer valid

Purge message is sent to each NHRP node in list

NHRP nodes clear that mapping from their table

Purge messages forwarded over direct tunnel if available, otherwise sent via routed path

NHRP Purge Messages


Agenda

DMVPN Overview


NHRP Registrations


Phase 2

Phase 3




Builds base hub-and-spoke networkHub-and-spoke data traffic

Control traffic; NHRP, Routing protocol, IP multicast

Phase 2 – Single level hub-and-spoke

Phase 3 – Hierarchical hub-and-spoke (tree).

Next Hop Client (NHC) has static mapping for Next Hop Servers (NHSs)

NHC dynamically registers own mapping with NHSSupports spokes with dynamic NBMA addresses or NAT

Supplies outside NAT address of Hub

NHRP-group for per-Tunnel QoS (12.4(22)T)

NHS registration reply gives liveliness of NHSSupplies outside NAT address of spoke

NHRP Registration


NHRP Registration Building Spoke-Hub Tunnels

Spoke1 Hub Spoke2

Encrypted

NHRP Regist. Req.

Host1 Host2

IKE/IPsec Established

IKE Initialization

NHRP Regist. Rep.

IKE Initialization


Encrypted

NHRP Regist. Rep.

NHRP Regist. Req.


NHRP RegistrationBuilding Spoke-Hub Tunnels

Spoke A192.168.1.1/24

= Dynamic permanent IPsec tunnels

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.1

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 Conn.192.168.2.0/24 Conn.

192.168.0.0/24 Conn.

NHRP mapping

Routing Table

172.16.1.1

172.16.2.1

NHRP Registration


NHRP Registration Request

Spoke to hub

Every ⅓ ‗ip nhrp holdtime‘ or ‗ip nhrp registration timeout‘

If no reply, retransmit after 1, 2, 4, 8, 16, 32, 64, 64 ,… sec., mark Hub down after 3rd retransmit

Contains Spoke‘s VPN to NBMA mapping

Extension headers

Responder Address, Forward and Reverse Transit NHS, Authentication, NAT

NHRP: Send Registration Request via Tunnel0 vrf 0, src: 10.0.0.11, dst: 10.0.0.1

(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)

(M) flags: "unique nat", src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.1

(C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360

Responder Address Extension(3):

Forward Transit NHS Record Extension(4):

Reverse Transit NHS Record Extension(5):

Authentication Extension(7): type:Cleartext(1), data:test

NAT Address Extension(9): (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1


NHRP Registration Reply

Hub to spoke

Liveliness of Hub

Contains

Spoke‘s VPN to NBMA mapping

Hub‘s VPN to NBMA mapping as responder

Extension headers

Responder Address, Forward and Reverse Transit NHS, Authentication,NAT

NHRP: Send Registration Reply via Tunnel0 vrf 0, src: 10.0.0.1, dst: 10.0.0.11





(C) prefix: 0, client NBMA: 172.17.0.1, client protocol: 10.0.0.1






NHRP Mapping TablesAfter Registration

10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:11:03, expire 00:04:52

Type: dynamic, Flags: unique registered

NBMA address: 172.16.1.1




. . .

Hub

10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:03:37, never expire

Type: static, Flags: used


Spoke A




Spoke B


NHRP Registration (cont)Routing Adjacency

Spoke1 Hub Spoke2

Encrypted

Host1 Host2

Encrypted

Routing Update

Routing Adjacency

Routing Update

Routing Adjacency

Routing Update

Routing Update

NHRP Regist. Req.


IKE Initialization

NHRP Regist. Rep.

IKE Initialization


NHRP Regist. Rep.

NHRP Regist. Req.


NHRP Registration (cont)Routing Adjacency

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical:

Tunnel0: 10.0.0.11

Physical:

Tunnel0: 10.0.0.12

10.0.0.1 172.17.0.110.0.0.1 172.17.0.1


10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.1.0/24 Conn. 192.168.2.0/24 Conn.

192.168.0.0/24 Conn.

NHRP mapping

Routing Table

172.16.1.1

172.16.2.1

Routing packet

192.168.0.0/16 Summ.


Hub-and-SpokeData Packet Forwarding

Process-switchingRouting table selects outgoing interface and IP next-hop

NHRP looks up packet IP destination to select IP next-hop, overriding IP next-hop from routing table.

Could attempt to trigger spoke-spoke tunnel

‗tunnel destination …‘ Can only send to hub

‗ip nhrp server-only‘ Don‘t send NHRP resolution request

If no matching NHRP mapping then send to NHS (hub)

CEF switchingIP Next-hop from FIB table (Routing table)

IP Next-hop Hub data packets send to Hub

Adjacency will be complete so CEF switch packet to hub

NHRP not involved


Agenda

DMVPN Overview


NHRP Registrations


Phase 2

Phase 3




IP Data packet is forwarded out tunnel interface to IP next-hop from routing table

NHRP looks in mapping table for IP destinationIf (socket) Entry Found

Forward to NBMA from mapping table – overriding IP next-hop

If (no socket) Entry Found

If arriving interface is not tunnel interface – convert entry to (socket)

Trigger IPsec to bring up crypto socket

Forward to IP next-hop (if in NHRP table) otherwise to NHS

If No Entry Found

Forward to IP next-hop (if in NHRP table) otherwise to NHS

If arriving interface was not tunnel interface

Initiate NHRP Resolution Request for IP destination

Phase 2 – Process switchingTriggering NHRP Resolutions


CEF FIB table has IP next-hop of tunnel IP address of remote spoke for network behind remote spoke

Triggered by IP next-hop from FIB pointing to glean or incomplete adjacency entry (no valid adjacency entry)

Send resolution request for IP next-hop (tunnel IP address) of remote Spoke

Resolution request forwarded via NHS path

Phase 2 – CEF-switchingTriggering NHRP Resolutions


When:12.4(6)T, 12.4(7), 12.2(33)XNE and later (not on 6500/7600 yet)

Why:To Support spoke-spoke tunnels when spokes are behind NAT

How:Registered NHRP mappings on hub are not marked Authoritative

Effect:Resolution request will be forwarded via NHS path all the way to the remote spoke

Resolution request is answered by the remote spoke

Spoke-spoke tunnel is built

Resolution reply forwarded back via spoke-spoke tunnel

Phase 2NHRP Resolution process changes


Phase 2NHRP Resolution Request

Spoke1 Hubs Spoke2Host1 Host2

NHRP Res. Request

NHRP Res. RequestNHRP Res. Request

NHRP Res. Request

IKE Initialization

IKE Initialization



Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

172.16.1.1

172.16.2.1

192.168.0.0/24 10.0.0.1192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

192.168.0.0/24 10.0.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

10.0.0.12 ???10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.2.0/24 10.0.0.12

192.168.1.0/24 10.0.0.11

10.0.0.1 172.17.0.110.0.0.1 172.17.0.1

10.0.0.12 incomplete10.0.0.11 incomplete

10.0.0.11 172.16.1.1

CEF FIB Table

NHRP mapping

CEF Adjacency

Data packet

NHRP Resolution

10.0.0.12 172.16.2.1


Phase 2NHRP Resolutions Request Message

NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104


(M) flags: "router auth src-stable nat ", reqid: 164

src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.12



Forward Transit NHS Record Extension(4): client NBMA: 172.17.0.1, client protocol: 10.0.0.1



NAT address Extension(9):

NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84, src: 10.0.0.11, dst: 10.0.0.1




(C-1) code: no error(0) prefix: 0, mtu: 1514, hd_time: 360





NAT address Extension(9):As Sent

As Rcvd


Phase 2NHRP Resolution Reply


NHRP Res. Request

NHRP Res. Request


NHRP Res. Request

NHRP Res. Request

Encrypted

IKE Initialization

IKE Initialization

NHRP Resolution Response



Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

172.16.1.1

172.16.2.1

192.168.0.0/24 10.0.0.1192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

192.168.0.0/24 10.0.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

10.0.0.12 ???10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.2.0/24 10.0.0.12192.168.1.0/24 10.0.0.11

10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.110.0.0.12 incomplete10.0.0.12 172.16.2.1 10.0.0.11 incomplete 10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

10.0.0.12 172.16.2.1

CEF FIB Table

NHRP mapping

CEF Adjacency

Data packet

NHRP Resolution

10.0.0.12 172.16.2.1

10.0.0.11 172.16.1.1

10.0.0.12 172.16.2.1 (l)


Phase 2NHRP Resolution Reply Message

Lookup protocol destination in routing table directly connected

Create NHRP local mapping entry for protocol destination address with mask-length of 32 to NBMA address

Create NHRP Resolution Response with protocol destination, NBMA address and mask-length of 32

Delay Resolution response to send via direct spoke-spoke tunnel

NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 152, src: 10.0.0.12, dst: 10.0.0.11


(M) flags: "router auth dst-stable unique src-stable nat ", reqid: 164


(C-1) code: no error(0), prefix: 32, mtu: 1514, hd_time: 360,

client NBMA: 172.16.2.1, client protocol: 10.0.0.12


(C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360

client NBMA: 172.16.2.1, client protocol: 10.0.0.12






Phase 2NHRP Resolution Response Processing

Receive NHRP Resolution reply

If using IPsec (tunnel protection …) then

Trigger IPsec to setup ISAKMP and IPsec SAs for tunnel

Data packets still forwarded via spoke-hub-…-hub-spoke path

IPsec triggers back to NHRP when done

Install new mapping in NHRP mapping table

Send trigger to CEF to complete corresponding CEFadjacency

Data packets now forwarded via direct spoke-spoke tunnel by CEF, NHRP no longer involved


Phase 2NHRP Mapping Tables











Type: dynamic, Flags: router unique local

NBMA address: 172.16.1.1 (no-socket)


Type: dynamic, Flags: router used


Hub1

Spoke A










Spoke B


Phase 2: Dynamic mappingsRefresh or Remove

Dynamic NHRP mapping entries have finite lifetimeControlled by ‗ip nhrp holdtime …‘ on source of mapping (spoke)

Background process checks mapping entry every 60 seconds

Process-switchingUsed flag set each time mapping entry is used

If used flag is set and expire time < 120 seconds, then refresh entry, otherwise clear used flag

CEF-switchingIf expire time < 120 seconds, CEF Adjacency entry marked ―stale‖

If CEF Adjacency entry is used, signal to NHRP to refresh entry

Another resolution request is sent to refresh entryResolution request via NHS path; reply via direct tunnel

If entry expires it is removedIf using IPsec Trigger IPsec to remove IPsec/ISAKMP SAs


Phase 2: CEF SwitchingData Packet Forwarding

IP Data packet is forwarded out tunnel interface to IP next-hop from CEF FIB table

If adjacency is of type ValidPacket is encapsulated and forwarded by CEF out tunnel interface – NHRP is not involved

If adjacency is of type Glean or IncompletePunt packet to process switching

If original arriving interface was not this tunnel interface

Initiate NHRP Resolution Request for IP next-hop

Resolution reply is used to create NHRP mappingand to complete the Adjacency


Agenda

DMVPN Overview


NHRP Registrations


Phase 2

Phase 3




Originating spokeIP Data packet is forwarded out tunnel interface to destination via Hub (NHS)

Hub (NHS)Receives and forwards data packet on tunnel interfaces with same NHRP Network-id.

Sends NHRP Redirect message to originating spoke.

Originating spokeReceives NHRP redirect message

Sends NHRP Resolution Request for Data IP packet destination via NHS

Destination spokeReceives NHRP Resolution Request

Builds spoke-spoke tunnel

Sends NHRP Resolution Reply over spoke-spoke tunnel

Phase 3Building Spoke-spoke Tunnels


Phase 3NHRP Redirects


NHRP RedirectNHRP Redirect


Phase 3NHRP Redirects

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.1 ???

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.1

10.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.1


Phase 3NHRP Redirect Message

NHRP: inserting (172.16.1.1/192.168.2.1) in redirect table

NHRP: Attempting to send packet via DEST 192.168.1.1

NHRP: Encapsulation succeeded. Tunnel IP addr 172.16.1.1

NHRP: Send Traffic Indication via Tunnel0 vrf 0, packet size: 96, src: 10.0.0.1, dst: 192.168.1.1


(M) traffic code: redirect(0)


Contents of nhrp traffic indication packet:

45 00 00 64 00 19 00 00 FD 01 25 2D C0 A8 01 01 C0 A8 02 01 08 00 A8 E3 0B 78 0C




NAT Address Extension(9):


SenderInsert (GRE IP header source, packet destination IP address) in NHRP redirect table – used to rate-limit NHRP redirect messages

Send NHRP redirect to GRE/IP header source

Time out rate-limit entries from the NHRP redirect table

ReceiverCheck data IP source address from data IP header in redirect

If routing to the IP source is out:

• A GRE tunnel interface with the same NHRP Network-idthen drop redirect

• Another interface, the IP destination is permitted by‗ip nhrp interest <ACL>‘ and ‗ip nhrp shortcut‘ is configured

Trigger an NHRP resolution request to IP destination

• Otherwise drop redirect

Phase 3NHRP Redirect Processing




NHRP Res. Request NHRP Res. Request

IKE Initialization

IKE Initialization





Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.1 ???

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.110.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.1

10.0.0.11 172.16.1.1


Phase 3NHRP Resolution Request Message

NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104










NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84,

src: 10.0.0.11, dst: 192.168.2.1




(C-1) code: no error(0) prefix: 0, mtu: 1514, hd_time: 360





NAT address Extension(9): As Sent

As Rcvd


Spoke (NHC) routing table has Hub (NHS) as IP next-hop for networks behind remote Spoke

Note, if routing table has IP next-hop of remote spoke then process as in Phase 2

Data packets are forwarded (CEF-switched) via routed path

Redirect message sent by next tunnel hop on routed path

Redirect for data packet triggers resolution request

Send resolution request for IP destination from data packet header in redirect message

Resolution requests forwarded via routed path

Resolution replies forwarded over direct tunnel

Direct tunnel initiated from remote local spoke

NHRP forwards data packets over direct tunnel when resolution reply is received

Phase 3 NHRP Resolution Processing


Phase 3 NHRP Resolution Reply




Encrypted

IKE Initialization

IKE Initialization



NHRP Resolution Reply



Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.1 ???

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.1

172.16.2.1 10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

192.168.2.0/24 172.16.2.110.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.1


Phase 3NHRP Resolution Reply Message

Lookup protocol destination in routing table for matching network, subnet mask and IP next-hop.

Create NHRP local mapping entry for protocol destination network with mask-length to NBMA address

Create NHRP Resolution Response with protocol destination, NBMA address and mask-length

Delay Resolution response to send via direct spoke-spoke tunnel

NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 132, src: 10.0.0.12, dst: 10.0.0.11(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)(M) flags: "router auth dst-stable unique src-stable nat ", reqid: 10599

src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 192.168.2.1(C-1) code: no error(0), prefix: 24, mtu: 1514, hd_time: 360,

client NBMA: 172.16.2.1, client protocol: 10.0.0.12Responder Address Extension(3): (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360

client NBMA: 172.16.2.1, client protocol: 10.0.0.12Forward Transit NHS Record Extension(4): client NBMA: 172.17.0.1, client protocol: 10.0.0.1Reverse Transit NHS Record Extension(5):Authentication Extension(7): type:Cleartext(1), data:testNAT address Extension(9):


Phase 3 NHRP Mapping Tables





Type: dynamic, Flags: router implicit used






Type: dynamic, Flags: router


Spoke A













Spoke B


IP Data packet is forwarded out tunnel interface

1. IP next-hop from CEF FIB mapped to Adjacency

If adjacency is:

Glean or Incomplete Punt to process switching

Valid Select adjacency for the packet

2. NHRP in CEF Feature path

Look up packet IP destination in NHRP mapping table

Matching entry– reselect adjacency use direct spoke-spoke tunnel

No matching entry– leave CEF adjacency packet goes to hub

If packet arrived on and is forwarded out the same tunnel interface

Forward data packet

If ‗ip nhrp redirect‘ is on inbound tunnel then send NHRP redirect

Packet is encapsulated, encrypted and forwarded

Phase 3: CEF SwitchingData Packet Forwarding (Current – ISR, 7200)


Phase 3: NHRP and Routing TableData Packet Forwarding (ASR1k; 15.2(1)T – ISR, 7200)

When NHRP resolution is received

Insert mapping information in mapping table replacing Incomplete/Temporary mapping

Insert NHRP routing entry in Routing Table (RT)

• NHRP NET/Mask is more specific than RT Net/Mask

Add new route owned by NHRP (Type = H)

Monitor parent route

If parent route changes outbound interface then remove NHRP route.

• NHRP Net/Mask is equal to RT Net/Mask

Add Override Alternate Next-hop (% flag)

Route still owned by original owner

• NHRP Net/Mask is less specific than RT Net/Mask

Reduce NHRP mask to = RT Mask

Add Override Alternate Next-hop (% flag)


Phase 3: NHRP and RTRouting Table (ASR1k; 15.2(1)T – ISR, 7200)

Routing entry for 192.168.128.0/24Known via "eigrp 1", distance 90, metric 3200000, type internalRedistributing via eigrp 1Last update from 10.0.2.16 on Tunnel0, 00:43:44 agoRouting Descriptor Blocks:* 10.0.2.16, from 10.0.2.16, 00:43:44 ago, via Tunnel0

Route metric is 3200000, traffic share count is 1…

#show ip route next-hop-override | section H|%

D 192.168.128.0/24 [90/3200000] via 10.0.2.16, 00:50:56, Tunnel0

#show ip route

D 192.168.128.0/24 [90/3200000] via 10.0.2.16, 00:50:56, Tunnel0

EIGRP

Routes

NHRP

Routes

Next-Hop-Override

Entries

H 192.168.11.0/24 [250/1] via 10.0.1.11, 00:01:02

H 192.168.11.0/24 [250/1] via 10.0.1.11, 00:01:02

Routing entry for 192.168.11.0/24Known via "nhrp", distance 250, metric 1Last update from 10.0.1.11 00:05:29 agoRouting Descriptor Blocks:* 10.0.1.11, from 10.0.1.11, 00:05:29 ago

Route metric is 1, traffic share count is 1

H 192.168.11.0/24 [250/1] via 10.0.1.11, 00:01:02

H 192.168.11.0/24 [250/1] via 10.0.1.11, 00:01:02

Routing entry for 192.168.11.0/24Known via "nhrp", distance 250, metric 1Last update from 10.0.1.11 00:05:29 agoRouting Descriptor Blocks:* 10.0.1.11, from 10.0.1.11, 00:05:29 ago

Route metric is 1, traffic share count is 1

%

%[NHO][90/1] via 10.0.0.1, 00:00:40, Tunnel0

[NHO]10.0.0.1, from 10.0.0.1, 00:05:57 ago, via Tunnel0Route metric is 1, traffic share count is 1

…

%

%[NHO][90/1] via 10.0.0.1, 00:00:40, Tunnel0

[NHO]10.0.0.1, from 10.0.0.1, 00:05:57 ago, via Tunnel0Route metric is 1, traffic share count is 1

…


Phase 3: Dynamic MappingsRefresh or Remove

Dynamic NHRP mapping entries have finite lifetimeControlled by ‗ip nhrp holdtime …‘ on source of mapping (spoke)

Two types of mapping entries

Master entry – Remote Spoke Tunnel IP address

Child entries – Remote Network address(es)

Background process checks mapping entries every 60 secondsChild entry: Marked used and timing out refresh Child entry

Master entry: Timing out mark CEF adjacency stale

If CEF adjacency is used refresh Master entry

Refreshing entriesSend another Resolution request and reply

Resolution request/reply sent over direct tunnel

If entry expires it is removedIf using IPsec and last entry using NBMA address

Trigger IPsec to remove IPsec and ISAKMP SAs

Use Case:iBGP over DMVPN


Agenda

DMVPN Overview

NHRP Details

Use Case: iBGP over DMVPNLoad-balancing Hubs



iBGP over DMVPNBase Physical Topology

Spoke1

192.168.1.0/24

.1

192.168.0.0/24

.1.2

.3

.2

RS1

.1

192.168.11.0/24

Hub1 Hub2

Spoke4

192.168.4.0/24

.1

.2

.1

192.168.14.0/24

R2

Spoke2

192.168.2.0/24

.1

.2

.1192.168.12.0/24

Spoke3

192.168.3.0/24

.1

.2

.1 192.168.13.0/24

RS2 RS3

RS4

InternetBGP 2

.2 .6

.2.2 .2

172.17.0.0/30

.2

172.16.1.1/30

172.16.2.1/30 172.16.3.1/30

172.16.4.1/30

.1 .5

.1

19

2.1

68.1

0.0

/24


iBGP over DMVPNBase Logical Topology

192.168.1.0/24

.1

192.168.0.0/24

.1.2

.3

.2

RS1

EIGRP 1.1

192.168.4.0/24

.1

.2

.1

.1

192.168.2.0/24

.1

.2

RS2

BGP 1

192.168.3.0/24

.1

.2

19

2.1

68.1

0.0

/24

Spoke1

BGP 1

Hub1

BGP 1

Hub2

BGP 1

Spoke4

BGP 1

R2

BGP 1

Spoke2

BGP 1

Spoke3

BGP 1

192.168.11.0/24 192.168.14.0/24

.1192.168.12.0/24

.1192.168.13.0/24

RS3

OSPF 1

RS4

EIGRP 1

InternetBGP 2

.1 .2

.11

.12 .13

.14

192.168.10.0/24

DMVPN10.0.0.0/24

BGP 1


Hubs:

interface Tunnel0bandwidth 1000ip address 10.0.0.(w) 255.255.255.0ip mtu 1400ip nhrp authentication testip nhrp map multicast dynamicip nhrp map 10.0.0.(x) 172.17.0.(y)ip nhrp map multicast 172.17.0.(y)ip nhrp network-id 100000ip nhrp holdtime 360ip nhrp redirectip tcp adjust-mss 1360delay 1000tunnel source Serial2/0tunnel mode gre multipointtunnel key 100000tunnel protection ipsec profile vpnprof

!interface Ethernet0/0

ip address 192.168.0.(w) 255.255.255.0!interface Serial2/0

ip address 172.17.0.(z) 255.255.255.252

iBGP over DMVPNBase Interface configurations

Spokes:

interface Tunnel0bandwidth 1000ip address 10.0.0.(x) 255.255.255.0ip mtu 1400ip nhrp authentication testip nhrp map 10.0.0.2 172.17.0.5ip nhrp map multicast 172.17.0.5ip nhrp map 10.0.0.1 172.17.0.1ip nhrp map multicast 172.17.0.1ip nhrp network-id 100000ip nhrp holdtime 360ip nhrp nhs 10.0.0.1ip nhrp nhs 10.0.0.2ip nhrp shortcutip tcp adjust-mss 1360delay 1000tunnel source Serial1/0tunnel mode gre multipointtunnel key 100000tunnel protection ipsec profile vpnprof


ip address 192.168.(y).1 255.255.255.0!interface Serial1/0

ip address 172.16.(y).1 255.255.255.252

Hub 1 2(w) 1 2(x) 2 1(y) 5 1

(z) 1 5

Spoke 1 2 3 4(x) 11 12 13 14(y) 1 2 3 4


Hubs:Dynamic Neighbors (15.1(2)T)

Route-reflector for spokes (client)

Regular neighbor between hubs

Add to MED when advertising between hubs

Spokes:Route-reflector-client

Both:Set next-hop to self/peer; DMVPN Phase 3

Use same BGP AS over DMVPN on all nodesDynamic Neighbors, Route Reflection

Block ISP routes from advertising over DMVPN and LANUse Community 1:10

Accept only local LAN routes from LANUse Community 1:20 for BGP and route-tag 225 for IGP

iBGP over DMVPN


router bgp 1bgp log-neighbor-changesbgp listen range 10.0.0.0/24 peer-group spokesnetwork 192.168.0.0timers bgp 10 30

neighbor spokes peer-groupneighbor spokes remote-as 1neighbor spokes route-reflector-clientneighbor spokes route-map DMVPN-OUT out

neighbor 10.0.0.(2,1) remote-as 1neighbor 10.0.0.(2,1) route-map H2H-IN inneighbor 10.0.0.(2,1) route-map DMVPN-OUT out

neighbor 172.17.0.(2,6) remote-as 2neighbor 172.17.0.(2,6) route-map ISP-IN inneighbor 172.17.0.(2,6) route-map ISP-OUT out

neighbor 192.168.0.3 remote-as 1neighbor 192.168.0.3 route-map LAN-IN inneighbor 192.168.0.3 route-map LAN-OUT out

maximum-paths ibgp 4distance bgp 20 160 160

iBGP over DMVPNHub Routing Configuration

ip bgp-community new-format

ip community-list 10 permit 1:10

ip community-list 11 deny 1:10ip community-list 11 permit

ip community-list 21 deny 1:20ip community-list 21 permit!route-map DMVPN-OUT permit 10

match community 11set ip next-hop 10.0.0.(1,2)

route-map LAN-OUT permit 10match community 11set ip next-hop 192.168.0.(1,2)

route-map H2H-IN permit 10set metric +10000

route-map ISP-IN permit 10set community 1:10

route-map ISP-OUT permit 10match community 10

route-map LAN-IN permit 10match community 21

Dynamic Neighbors Change MED

Next-hop setting Route Filtering


router eigrp 1default-metric 1000 0 255 100 1500network 192.168.1.0redistribute bgp 1 route-map BGP2IGP

!router bgp 1

bgp log-neighbor-changesbgp redistribute-internaltimers bgp 10 30redistribute eigrp 1 route-map IGP2BGP

neighbor hubs peer-groupneighbor hubs remote-as 1neighbor hubs next-hop-selfneighbor hubs route-map DMVPN-OUT outneighbor 10.0.0.1 peer-group hubsneighbor 10.0.0.2 peer-group hubs

neighbor 172.16.1.2 remote-as 2neighbor 172.16.1.2 route-map ISP-IN inneighbor 172.16.1.2 route-map ISP-OUT out


iBGP over DMVPNSpoke1 Routing (IGP) Configuration



ip community-list 11 deny 1:10ip community-list 11 permit!



route-map DMVPN-OUT permit 10match community 11

route-map BGP2IGP permit 10match community 11set tag 225

route-map IGP2BGP deny 10match tag 225

route-map IGP2BGP permit 20

Neighbors BGP IGP


Spokes 3,4

are similar


router bgp 1bgp log-neighbor-changestimers bgp 10 30

neighbor hubs peer-groupneighbor hubs remote-as 1neighbor hubs route-map DMVPN-OUT outneighbor 10.0.0.1 peer-group hubsneighbor 10.0.0.2 peer-group hubs

neighbor 172.16.1.2 remote-as 2neighbor 172.16.1.2 route-map ISP-IN inneighbor 172.16.1.2 route-map ISP-OUT out

neighbor 192.168.2.2 remote-as 1neighbor 192.168.2.2 route-reflector-clientneighbor 192.168.2.2 route-map LAN-IN inneighbor 192.168.2.2 route-map LAN-OUT out


iBGP over DMVPNSpoke2 Routing (iBGP) Configuration



ip community-list 11 deny 1:10ip community-list 11 permit

ip community-list 21 deny 1:20ip community-list 21 permit!route-map DMVPN-OUT permit 10

match community 11set ip next-hop 10.0.0.12

route-map LAN-OUT permit 10match community 11set ip next-hop 192.168.2.1



route-map LAN-IN permit 10match community 21

Neighbors

Next-hop settingRoute Filtering


R2 (behind hubs)

router bgp 1…network 192.168.0.0network 192.168.10.0

neighbor hubs peer-groupneighbor hubs remote-as 1neighbor hubs route-reflector-clientneighbor hubs next-hop-selfneighbor hubs send-communityneighbor hubs route-map FROM-DMVPN inneighbor 192.168.0.1 peer-group hubsneighbor 192.168.0.2 peer-group hubsmaximum-paths ibgp 4…


route-map FROM-DMVPN permit 10set community 1:20

iBGP over DMVPNR2, RS2 Routing (iBGP) Configuration

RS2 (behind Spoke2)

router bgp 1…network 192.168.2.0network 192.168.12.0

neighbor 192.168.2.1 remote-as 1

neighbor 192.168.2.1 next-hop-selfneighbor hubs send-communityneighbor 192.168.2.1 route-map FROM-DMVPN in

maximum-paths ibgp 4…


route-map FROM-DMVPN permit 10set community 1:20


RS1, 3 ,4 use

standard IGP

configuration


Hub1, 2...

B 172.16.1.0 [20/0] via 172.17.0.(2,6), B 172.16.2.0 [20/0] via 172.17.0.(2,6), B 172.16.3.0 [20/0] via 172.17.0.(2,6),B 172.16.4.0 [20/0] via 172.17.0.(2,6),...

C 172.17.0.0/30 is directly connected, Serial2/0L 172.17.0.1/32 is directly connected, Serial2/0

B 172.17.0.4/30 [20/0] via 172.17.0.2, ...

B 172.17.0.0/30 [20/0] via 172.17.0.6,

C 172.17.0.4/30 is directly connected, Serial2/0L 172.17.0.5/32 is directly connected, Serial2/0...

iBGP over DMVPNISP Routes

Spoke1, 2...

C 172.16.1.0/30 is directly connected, Serial1/0L 172.16.1.1/32 is directly connected, Serial1/0

B 172.16.2.0/30 [20/0] via 172.16.1.2...

B 172.16.1.0/30 [20/0] via 172.16.2.2,

C 172.16.2.0/30 is directly connected, Serial1/0L 172.16.2.1/32 is directly connected, Serial1/0...

B 172.16.3.0/30 [20/0] via 172.16.(1,2).2B 172.16.4.0/30 [20/0] via 172.16.(1,2).2

B 172.17.0.0 [20/0] via 172.16.(1,2).2, B 172.17.0.4 [20/0] via 172.16.(1,2).2, ...

Internet Router(NO INTERNAL ROUTES!)

C 172.17.0.4 is directly connected, Serial2/0C 172.17.0.0 is directly connected, Serial1/0

C 172.16.4.0 is directly connected, Serial6/0C 172.16.1.0 is directly connected, Serial3/0C 172.16.2.0 is directly connected, Serial4/0C 172.16.3.0 is directly connected, Serial5/0

RS(x), R2...

(NO ISP ROUTES!)

...

Spokes 3,4

are similar


# show ip bgp

Network Next Hop Metric LocPrf W P

*> i 192.168.10.0 192.168.0.3 0 100 0 i

*m i 192.168.11.0 10.0.0.2 307200 100 0 ?

*> i 10.0.0.11 307200 100 0 ?

*> i 192.168.12.0 10.0.0.12 0 100 0 i

*m i 10.0.0.2 0 100 0 i

*m i 192.168.13.0 10.0.0.2 20 100 0 ?

*> i 10.0.0.13 20 100 0 ?

*> i 192.168.14.0 10.0.0.14 307200 100 0 ?

*m i 10.0.0.2 307200 100 0 ?

# show ip bgp


*> i 192.168.10.0 192.168.0.3 0 100 0 i

* i 192.168.11.0 10.0.0.2 317200 100 0 ?

*> i 10.0.0.11 307200 100 0 ?

*> i 192.168.12.0 10.0.0.12 0 100 0 i

* i 10.0.0.2 10000 100 0 i

* i 192.168.13.0 10.0.0.2 10020 100 0 ?

*> i 10.0.0.13 20 100 0 ?

*> i 192.168.14.0 10.0.0.14 307200 100 0 ?

* i 10.0.0.2 317200 100 0 ?

# show ip bgp


*> i 192.168.10.0 192.168.0.3 0 100 0 i

*> i 192.168.11.0 10.0.0.11 307200 100 0 ?

*m i 10.0.0.1 307200 100 0 ?

*m i 192.168.12.0 10.0.0.1 0 100 0 i

*> i 10.0.0.12 0 100 0 i

*m i 192.168.13.0 10.0.0.1 20 100 0 ?

*> i 10.0.0.13 20 100 0 ?

*m i 192.168.14.0 10.0.0.1 307200 100 0 ?

*> i 10.0.0.14 307200 100 0 ?

# show ip bgp


*> i 192.168.10.0 192.168.0.3 0 100 0 i

*> i 192.168.11.0 10.0.0.11 307200 100 0 ?

* i 10.0.0.1 317200 100 0 ?

* i 192.168.12.0 10.0.0.1 10000 100 0 i

*> i 10.0.0.12 0 100 0 i

* i 192.168.13.0 10.0.0.1 10020 100 0 ?

*> i 10.0.0.13 20 100 0 ?

* i 192.168.14.0 10.0.0.1 317200 100 0 ?

*> i 10.0.0.14 307200 100 0 ?

Hub1#show ip route

B 192.168.10.0/24 [160/0] via 192.168.0.3,

B 192.168.11.0/24 [160/307200] via 10.0.0.11,

[160/307200] via 10.0.0.2,

B 192.168.12.0/24 [160/0] via 10.0.0.12,

[160/0] via 10.0.0.2,

B 192.168.13.0/24 [160/20] via 10.0.0.13,

[160/20] via 10.0.0.2,

B 192.168.14.0/24 [160/307200] via 10.0.0.14,

[160/307200] via 10.0.0.2,

iBGP over DMVPNHub internal routes (192.168.1x.0/24)

Hub2#show ip route

B 192.168.10.0/24 [160/0] via 192.168.0.3,

B 192.168.11.0/24 [160/307200] via 10.0.0.11,

[160/307200] via 10.0.0.1,

B 192.168.12.0/24 [160/0] via 10.0.0.12,

[160/0] via 10.0.0.1,

B 192.168.13.0/24 [160/20] via 10.0.0.13,

[160/20] via 10.0.0.1,

B 192.168.14.0/24 [160/307200] via 10.0.0.14,

[160/307200] via 10.0.0.1,

MED +10000 via other Hub


Spoke1#show ip route

B 192.168.10.0/24 [160/0] via 10.0.0.2,

[160/0] via 10.0.0.1,

D 192.168.11.0/24 [90/307200] via 192.168.1.2,

B 192.168.12.0/24 [160/0] via 10.0.0.2,

[160/0] via 10.0.0.1,

B 192.168.13.0/24 [160/20] via 10.0.0.2,

[160/20] via 10.0.0.1,

B 192.168.14.0/24 [160/307200] via 10.0.0.2,

[160/307200] via 10.0.0.1,

iBGP over DMVPNSpoke1,2 internal routes (192.168.1x.0/24)


B 192.168.10.0/24 [160/0] via 10.0.0.2,

[160/0] via 10.0.0.1,

B 192.168.11.0/24 [160/307200] via 10.0.0.2,

[160/307200] via 10.0.0.1,

B 192.168.12.0/24 [160/0] via 192.168.2.2,

B 192.168.13.0/24 [160/20] via 10.0.0.2,

[160/20] via 10.0.0.1,

B 192.168.14.0/24 [160/307200] via 10.0.0.2,

[160/307200] via 10.0.0.1,

Spokes 3,4

are similar

# show ip bgp


*m i 192.168.10.0 10.0.0.2 0 100 0 i

*> i 10.0.0.1 0 100 0 i

*> 192.168.11.0 192.168.1.2 307200 32768 ?

*m i 192.168.12.0 10.0.0.2 0 100 0 i

*> i 10.0.0.1 0 100 0 i

*m i 192.168.13.0 10.0.0.2 20 100 0 ?

*> i 10.0.0.1 20 100 0 ?

*m i 192.168.14.0 10.0.0.2 307200 100 0 ?

*> i 10.0.0.1 307200 100 0 ?

# show ip bgp


*> i 192.168.10.0 10.0.0.1 0 100 0 i

*m i 10.0.0.2 0 100 0 i

*m i 192.168.11.0 10.0.0.2 307200 100 0 ?

*> i 10.0.0.1 307200 100 0 ?

*> i 192.168.12.0 192.168.2.2 0 100 0 i

*> i 192.168.13.0 10.0.0.1 307200 100 0 ?

*m i 10.0.0.2 307200 100 0 ?

*> i 192.168.14.0 10.0.0.1 20 100 0 ?

*m i 10.0.0.2 20 100 0 ?


R2#show ip route

C 192.168.10.0/24 is directly connected, Ethernet1/0

B 192.168.11.0/24 [200/307200] via 192.168.0.1,

[200/307200] via 192.168.0.2,

B 192.168.12.0/24 [200/0] via 192.168.0.2,

[200/0] via 192.168.0.1,

B 192.168.13.0/24 [200/20] via 192.168.0.1,

[200/20] via 192.168.0.2,

B 192.168.14.0/24 [200/307200] via 192.168.0.2,

[200/307200] via 192.168.0.1,

iBGP over DMVPNR2, RS(x) internal routes (192.168.1x.0/24)

RS1#show ip route

D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1,


D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1,

D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1,

D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1,

RS(3,4) are

similar

RS2#show ip route

B 192.168.10.0/24 [200/0] via 192.168.2.1,

B 192.168.11.0/24 [200/307200] via 192.168.2.1,


B 192.168.13.0/24 [200/307200] via 192.168.2.1,

B 192.168.14.0/24 [200/20] via 192.168.2.1,

# show ip bgp

Network Next Hop Metric LocPrf Cmnty

*> i 192.168.10.0 192.168.2.1 0 100 1:20

*> i 192.168.11.0 192.168.2.1 307200 100 1:20

*> 192.168.12.0 0.0.0.0 0

*> i 192.168.13.0 192.168.2.1 20 100 1:20

*> i 192.168.14.0 192.168.2.1 307200 100 1:20

# show ip bgp


*> 192.168.10.0 0.0.0.0 0

*m i 192.168.11.0 192.168.0.2 307200 100 1:20

*> i 192.168.0.1 307200 100 1:20

*> i 192.168.12.0 192.168.0.1 0 100 1:20

*m i 192.168.0.2 0 100 1:20

*m i 192.168.13.0 192.168.0.2 20 100 1:20

*> i 192.168.0.1 20 100 1:20

*> i 192.168.14.0 192.168.0.1 307200 100 1:20

*m i 192.168.0.2 307200 100 1:20


Agenda

DMVPN Overview

NHRP Details

Use Case: iBGP over DMVPNLoad-balancing Hubs



Hubs:Use Communities to add to MED when learning from Spokes

Hub1 – Community 1:1 (+0), Community 1:2 (+5000), Other (+7500)

Hub2 – Community 1:2 (+0), Community 1:1 (+5000), Other (+7500)

+5000 for other community < +10000 via other hub

Spokes:Multiple spokes at a spoke site

Can use communities to add to IGP metric when advertising to LAN

Can use communities to add to MED when learning from Hubs

BothSet Community when learning routes from LAN

Odd Spokes; Hub1 – Community 1:1

Even Spokes; Hub2 – Community 1:2

iBGP over DMVPN – Load balancing Hubs


iBGP over DMVPN – Load balancing HubsHub Routing Configuration changes

router bgp 1…neighbor spokes send-communityneighbor spokes route-map CMNTY in…neighbor 10.0.0.(x) send-community…

!ip bgp-community new-format

ip community-list 1 permit 1:1ip community-list 2 permit 1:2

route-map CMNTY permit 10match community (y)

route-map CMNTY permit 20match community (x)set metric +5000

route-map CMNTY permit 30set metric +7500

route-map LAN-IN permit 10

match community 21

set community 1:(y)

Send communities

to DMVPN Neighbors

Routes with different

community from Hub

Routes with same

community as Hub

Other Routes

Hub 1 2(x) 2 1(y) 1 2

Set community on

inbound from LAN


Spoke1router bgp 1

…neighbor hubs peer-group…neighbor hubs send-communityneighbor 10.0.0.1 peer-group hubsneighbor 10.0.0.2 peer-group hubs


route-map IGP2BGP deny 10match tag 225

route-map IGP2BGP permit 20set community 1:1

iBGP over DMVPN – Load balancing Hubs Spoke Routing Configuration changes

Set community on

inbound from LAN

Spoke2router bgp 1

…neighbor hubs peer-group…neighbor hubs send-communityneighbor 10.0.0.1 peer-group hubsneighbor 10.0.0.2 peer-group hubs


route-map LAN-IN permit 10match community 21set community 1:2

Spoke 3

is similar

Send communities

to DMVPN Neighbors

Spoke 4

is similar


# show ip bgp


*> i 192.168.10.0 192.168.0.3 0 100

* i 192.168.11.0 10.0.0.2 317200 100

*> i 10.0.0.11 307200 100

*> i 192.168.12.0 10.0.0.12 0 100

* i 10.0.0.2 10000 100

* i 192.168.13.0 10.0.0.2 10020 100

*> i 10.0.0.13 20 100

*> i 192.168.14.0 10.0.0.14 307200 100

* i 10.0.0.2 317200 100

# show ip bgp


*> i 192.168.10.0 192.168.0.3 0 100

*> i 192.168.11.0 10.0.0.11 307200 100

* i 10.0.0.1 317200 100

* i 192.168.12.0 10.0.0.1 10000 100

*> i 10.0.0.12 0 100

* i 192.168.13.0 10.0.0.1 10020 100

*> i 10.0.0.13 20 100

* i 192.168.14.0 10.0.0.1 317200 100

*> i 10.0.0.14 307200 100

Hub2#show ip route

B 192.168.10.0/24 [160/0] via 192.168.0.3,

B 192.168.11.0/24 [160/307200] via 10.0.0.11,

B 192.168.12.0/24 [160/0] via 10.0.0.12,

B 192.168.13.0/24 [160/20] via 10.0.0.13,

B 192.168.14.0/24 [160/307200] via 10.0.0.14,

Hub1#show ip route

B 192.168.10.0/24 [160/0] via 192.168.0.3,

B 192.168.11.0/24 [160/307200] via 10.0.0.11,

B 192.168.12.0/24 [160/0] via 10.0.0.12,

B 192.168.13.0/24 [160/20] via 10.0.0.13,

B 192.168.14.0/24 [160/307200] via 10.0.0.14,

# show ip bgp


*> i 192.168.10.0 192.168.0.3 0 100 1:1

* i 192.168.11.0 10.0.0.2 322200 100 1:1

*> i 10.0.0.11 307200 100 1:1

*> i 192.168.12.0 10.0.0.12 5000 100 1:2

* i 10.0.0.2 10000 100 1:2

* i 192.168.13.0 10.0.0.2 15020 100 1:1

*> i 10.0.0.13 20 100 1:1

*> i 192.168.14.0 10.0.0.14 312200 100 1:2

* i 10.0.0.2 317200 100 1:2

# show ip bgp


*> i 192.168.10.0 192.168.0.3 0 100 1:2

*> i 192.168.11.0 10.0.0.11 312200 100 1:1

* i 10.0.0.1 317200 100 1:1

* i 192.168.12.0 10.0.0.1 15000 100 1:2

*> i 10.0.0.12 0 100 1:2

* i 192.168.13.0 10.0.0.1 10020 100 1:1

*> i 10.0.0.13 5020 100 1:1

* i 192.168.14.0 10.0.0.1 322200 100 1:2

*> i 10.0.0.14 307200 100 1:2

Hub2 (Cmnty 1:2)

#show ip route

B 192.168.10.0/24 [160/0] via 192.168.0.3,

B 192.168.11.0/24 [160/312200] via 10.0.0.11,

B 192.168.12.0/24 [160/0] via 10.0.0.12,

B 192.168.13.0/24 [160/5020] via 10.0.0.13,

B 192.168.14.0/24 [160/307200] via 10.0.0.14,

Hub1 (Cmnty 1:1)

#show ip route

B 192.168.10.0/24 [160/0] via 192.168.0.3,

B 192.168.11.0/24 [160/307200] via 10.0.0.11,

B 192.168.12.0/24 [160/5000] via 10.0.0.12,

B 192.168.13.0/24 [160/20] via 10.0.0.13,

B 192.168.14.0/24 [160/312200] via 10.0.0.14,

iBGP over DMVPN – Load balancing Hubs Hub internal routes (192.168.1x.0/24)



B 192.168.10.0/24 [160/0] via 10.0.0.2,

[160/0] via 10.0.0.1,

B 192.168.11.0/24 [160/307200] via 10.0.0.2,

[160/307200] via 10.0.0.1,

B 192.168.12.0/24 [160/0] via 192.168.2.2,

B 192.168.13.0/24 [160/20] via 10.0.0.2,

[160/20] via 10.0.0.1,

B 192.168.14.0/24 [160/307200] via 10.0.0.2,

[160/307200] via 10.0.0.1,


B 192.168.10.0/24 [160/0] via 10.0.0.2,

[160/0] via 10.0.0.1,

D 192.168.11.0/24 [90/307200] via 192.168.1.2,

B 192.168.12.0/24 [160/0] via 10.0.0.2,

[160/0] via 10.0.0.1,

B 192.168.13.0/24 [160/20] via 10.0.0.2,

[160/20] via 10.0.0.1,

B 192.168.14.0/24 [160/307200] via 10.0.0.2,

[160/307200] via 10.0.0.1,

# show ip bgp


*m i 192.168.10.0 10.0.0.2 0 100

*> i 10.0.0.1 0 100

*> 192.168.11.0 192.168.1.2 307200

*m i 192.168.12.0 10.0.0.2 0 100

*> i 10.0.0.1 0 100

*m i 192.168.13.0 10.0.0.2 20 100

*> i 10.0.0.1 20 100

*m i 192.168.14.0 10.0.0.2 307200 100

*> i 10.0.0.1 307200 100

# show ip bgp


*> i 192.168.10.0 10.0.0.1 0 100

*m i 10.0.0.2 0 100

*m i 192.168.11.0 10.0.0.2 307200 100

*> i 10.0.0.1 307200 100

*> i 192.168.12.0 192.168.2.2 0 100

*> i 192.168.13.0 10.0.0.1 307200 100

*m i 10.0.0.2 307200 100

*> i 192.168.14.0 10.0.0.1 20 100

*m i 10.0.0.2 20 100

iBGP over DMVPN – Load balancing Hubs Spoke1,2 internal routes (192.168.1x.0/24)

# show ip bgp


*> i 192.168.10.0 10.0.0.1 0 100 1:1

*m i 10.0.0.2 0 100 1:2

* i 192.168.11.0 10.0.0.2 312200 100 1:1

*> i 10.0.0.1 307200 100 1:1

*> i 192.168.12.0 192.168.2.2 0 100 1:2

*> i 192.168.13.0 10.0.0.1 20 100 1:1

* i 10.0.0.2 5020 100 1:1

* i 192.168.14.0 10.0.0.1 312200 100 1:2

*> i 10.0.0.2 307200 100 1:2

# show ip bgp


*m i 192.168.10.0 10.0.0.2 0 100 1:2

*> i 10.0.0.1 0 100 1:1

*> 192.168.11.0 192.168.1.2 307200 1:1

*> i 192.168.12.0 10.0.0.2 0 100 1:2

* i 10.0.0.1 5000 100 1:2

* i 192.168.13.0 10.0.0.2 5020 100 1:1

*> i 10.0.0.1 20 100 1:1

*> i 192.168.14.0 10.0.0.2 307200 100 1:2

* i 10.0.0.1 312200 100 1:2

Spoke1 (Cmnty 1:1)

#show ip route

B 192.168.10.0/24 [160/0] via 10.0.0.2,

[160/0] via 10.0.0.1,

D 192.168.11.0/24 [90/307200] via 192.168.1.2,

B 192.168.12.0/24 [160/0] via 10.0.0.2,

B 192.168.13.0/24 [160/20] via 10.0.0.1,

B 192.168.14.0/24 [160/307200] via 10.0.0.2,

Spoke2 (Cmnty 1:2)

#show ip route

B 192.168.10.0/24 [160/0] via 10.0.0.2,

[160/0] via 10.0.0.1,

B 192.168.11.0/24 [160/307200] via 10.0.0.1,

B 192.168.12.0/24 [160/0] via 192.168.2.2,

B 192.168.13.0/24 [160/20] via 10.0.0.1,

B 192.168.14.0/24 [160/307200] via 10.0.0.2,

Spoke 3

is similar

Spoke 4

is similar


RS2#show ip route

B 192.168.10.0/24 [200/0] via 192.168.2.1,

B 192.168.11.0/24 [200/307200] via 192.168.2.1,


B 192.168.13.0/24 [200/307200] via 192.168.2.1,

B 192.168.14.0/24 [200/20] via 192.168.2.1,

# show ip bgp


*> i 192.168.10.0 192.168.2.1 0 100 1:20

*> i 192.168.11.0 192.168.2.1 307200 100 1:20

*> 192.168.12.0 0.0.0.0 0

*> i 192.168.13.0 192.168.2.1 20 100 1:20

*> i 192.168.14.0 192.168.2.1 307200 100 1:20

RS1#show ip route

D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1,


D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1,

D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1,

D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1,

RS2 (no change)

#show ip route

B 192.168.10.0/24 [200/0] via 192.168.2.1,

B 192.168.11.0/24 [200/307200] via 192.168.2.1,


B 192.168.13.0/24 [200/307200] via 192.168.2.1,

B 192.168.14.0/24 [200/20] via 192.168.2.1,

# show ip bgp


*> i 192.168.10.0 192.168.2.1 0 100 1:20

*> i 192.168.11.0 192.168.2.1 307200 100 1:20

*> 192.168.12.0 0.0.0.0 0

*> i 192.168.13.0 192.168.2.1 20 100 1:20

*> i 192.168.14.0 192.168.2.1 307200 100 1:20

RS1 (no change)

#show ip route

D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1,


D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1,

D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1,

D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1,

# show ip bgp


*> 192.168.10.0 0.0.0.0 0

*m i 192.168.11.0 192.168.0.2 307200 100 1:20

*> i 192.168.0.1 307200 100 1:20

*> i 192.168.12.0 192.168.0.1 0 100 1:20

*m i 192.168.0.2 0 100 1:20

*m i 192.168.13.0 192.168.0.2 20 100 1:20

*> i 192.168.0.1 20 100 1:20

*> i 192.168.14.0 192.168.0.1 307200 100 1:20

*m i 192.168.0.2 307200 100 1:20

# show ip bgp


*> 192.168.10.0 0.0.0.0 0

* i 192.168.11.0 192.168.0.2 312200 100 1:20

*> i 192.168.0.1 307200 100 1:20

* i 192.168.12.0 192.168.0.1 5000 100 1:20

*> i 192.168.0.2 0 100 1:20

* i 192.168.13.0 192.168.0.2 5020 100 1:20

*> i 192.168.0.1 20 100 1:20

* i 192.168.14.0 192.168.0.1 312200 100 1:20

*> i 192.168.0.2 307200 100 1:20

R2#show ip route


B 192.168.11.0/24 [200/307200] via 192.168.0.1,

[200/307200] via 192.168.0.2,

B 192.168.12.0/24 [200/0] via 192.168.0.2,

[200/0] via 192.168.0.1,

B 192.168.13.0/24 [200/20] via 192.168.0.1,

[200/20] via 192.168.0.2,

B 192.168.14.0/24 [200/307200] via 192.168.0.2,

[200/307200] via 192.168.0.1,

iBGP over DMVPN – Load balancing Hubs R2, RS(x) internal routes (192.168.1x.0/24)

R2#show ip route


B 192.168.11.0/24 [200/307200] via 192.168.0.1,

B 192.168.12.0/24 [200/0] via 192.168.0.2,

B 192.168.13.0/24 [200/20] via 192.168.0.1,

B 192.168.14.0/24 [200/307200] via 192.168.0.2,

RS(3,4) are

similar



Agenda

DMVPN Overview

NHRP Details


Recent and New FeaturesIKEv2 with DMVPN

Tunnel Health Monitoring

Backup and FQDN NHS

DHCP over DMVPN

DMVPN IPv6 Transport


IKEv2 with DMPVN

DMVPN can work with ISAKMP (IKEv1) and/or IKEv2Transparent to DMVPN

Node can be responder for both ISAKMP and IKEv2

Both ISAKMP and IKEv2 are configured.

Node can be Initiator for either ISAKMP or IKEv2 not both

Configure under the ‗crypto ipsec profile ...‘

crypto isakmp policy 2encr aesauthentication pre-sharegroup 2

crypto ikev2 keyring DMVPNpeer DMVPN

address 0.0.0.0 0.0.0.0pre-shared-key cisco123

crypto ikev2 profile DMVPNmatch identity remote address 0.0.0.0 authentication local pre-shareauthentication remote pre-sharekeyring DMVPN

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set DMVPN esp-aes esp-sha-hmacmode transport [require]

crypto ipsec profile DMVPNset transform-set DMVPN set ikev2-profile DMVPN

interface Tunnel0...tunnel protection ipsec profile DMVPN


Tunnel Health MonitoringInterface State – 15.0(1)M

Issue

mGRE tunnel Interface is always ―up‖

Can‘t use standard backup/recovery mechanismsbackup interface, static interface routes, …

interface Tunnel0ip address 10.0.0.11 255.255.255.0…ip nhrp map multicast 172.17.0.1ip nhrp map 10.0.0.1 172.17.0.1ip nhrp map multicast 172.17.0.5ip nhrp map 10.0.0.2 172.17.0.5…ip nhrp nhs 10.0.0.1ip nhrp nhs 10.0.0.2…if-state nhrp…

Solution

New Command ‗if-state nhrp‘

Monitor NHRP registration replies

If all NHSs are ―down‖ then set tunnel interface up/down

Continue to send NHRPregistration requests

If a single NHS is ―up‖ thenset tunnel interface up/up


Tunnel Health MonitoringInterface State (cont)

#show ip nhrp nhs detail10.0.0.1 RE req-sent 100 req-failed 0 repl-recv 90 (00:01:38 ago)10.0.0.2 RE req-sent 125 req-failed 0 repl-recv 79 (00:01:38 ago)

#show interface tunnel0Tunnel0 is up, line protocol is up

*Apr 19 21:32:52 NHRP: NHS-DOWN: 10.0.0.1*Apr 19 21:32:52 NHRP: NHS 10.0.0.1 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'E' from 'RE' *Apr 19 21:32:53 NHRP: NHS-DOWN: 10.0.0.2*Apr 19 21:32:53 NHRP: NHS 10.0.0.2 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'E' from 'RE'

*Apr 19 21:33:02 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down*Apr 19 21:33:02 NHRP: if_down: Tunnel0 proto IPv4

#show ip nhrp nhs detail10.0.0.1 E req-sent 105 req-failed 0 repl-recv 90 (00:02:12 ago)10.0.0.2 E req-sent 130 req-failed 0 repl-recv 79 (00:02:12 ago)

#show interface tunnel0Tunnel0 is up, line protocol is down

*Apr 19 21:33:12 NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 92*Apr 19 21:33:13 NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 92…*Apr 19 21:34:36 NHRP: NHS 10.0.0.1 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'RE' from 'E' *Apr 19 21:34:36 NHRP: NHS-UP: 10.0.0.1*Apr 19 21:34:42 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up*Apr 19 21:34:42 NHRP: if_up: Tunnel0 proto 0

#show ip nhrp nhs detail10.0.0.1 RE req-sent 110 req-failed 0 repl-recv 96 (00:00:19 ago)10.0.0.2 E req-sent 135 req-failed 0 repl-recv 79 (00:04:09 ago)

#show interface tunnel0Tunnel0 is up, line protocol is up


IssueBackup NHSs only needed when primary NHSs are down

Backup NHSs can be over subscribed

SolutionSet NHS ‗max-connections‘

Can set NHS priority (default=0 (best))Can have multiple hubs at the same priority

Can group NHSs into clusters (default=0)Separate max-connection value per cluster

Configuration reductionSingle line NHS configuration and FQDN NHS

Functionality• NHSs are brought up in priority order, until cluster max-connections

• Down NHS at same priority is probed if not at max-connections

• Down NHS at a lower priority than an active NHS is probed even when max-connections is reached

• FQDN resolved when bringing up NHS

Backup and FQDN NHS – 15.1(2)T


Backup and FQDN NHS (cont)

interface Tunnel0…ip nhrp nhs 10.0.0.1 nbma Hub1.cisco.com multicast priority 10 cluster 1ip nhrp nhs 10.0.0.2 nbma 172.17.0.5 multicast priority 20 cluster 1ip nhrp nhs 10.0.0.3 nbma 172.17.0.9 multicast priority 10 cluster 2ip nhrp nhs 10.0.0.4 nbma 172.17.0.13 multicast priority 10 cluster 2ip nhrp nhs cluster 1 max-connections 1ip nhrp nhs cluster 2 max-connections 1

#show ip nhrp nhsLegend: E=Expecting replies, R=Responding, W=WaitingTunnel0:10.0.0.1 RE NBMA Address: 172.17.0.1 (Hub1.Cisco.com) priority = 10 cluster = 110.0.0.2 W NBMA Address: 172.17.0.5 priority = 20 cluster = 110.0.0.3 RE NBMA Address: 172.17.0.9 priority = 10 cluster = 210.0.0.4 W NBMA Address: 172.17.0.13 priority = 10 cluster = 2

interface Tunnel0…ip nhrp map 10.0.0.1 172.17.0.1ip nhrp map multicast 172.17.0.1ip nhrp map 10.0.0.2 172.17.0.5ip nhrp map multicast 172.17.0.5ip nhrp map 10.0.0.3 172.17.0.9ip nhrp map multicast 172.17.0.9ip nhrp map 10.0.0.4 172.17.0.13ip nhrp map multicast 172.17.0.13…ip nhrp nhs 10.0.0.1ip nhrp nhs 10.0.0.2ip nhrp nhs 10.0.0.3ip nhrp nhs 10.0.0.4ip nhrp nhs cluster 0 max-connections 2…

#show ip nhrp10.0.0.1/32 via 10.0.0.1 Tunnel0 Type: static, Flags: used

NBMA address: 172.17.0.1 10.0.0.2/32 via 10.0.0.2 Tunnel0 Type: static, Flags: used

NBMA address: 172.17.0.510.0.0.3/32 via 10.0.0.3 Tunnel0 Type: static, Flags: used

NBMA address: 172.17.0.9 (no-socket) 10.0.0.4/32 via 10.0.0.4 Tunnel0 Type: static, Flags: used


#show ip nhrp nhsLegend: E=Expecting replies, R=Responding, W=WaitingTunnel0:10.0.0.1 RE priority = 0 cluster = 010.0.0.2 RE priority = 0 cluster = 010.0.0.3 W priority = 0 cluster = 010.0.0.4 W priority = 0 cluster = 0


DHCP over DMVPN – 15.1(3)T

IssueMust pre-configure tunnel interface IP Address and Subnet on Spokes

SolutionUse DHCP to allocate Spoke‘s Tunnel IP Address/Subnet

ip address dhcp

ip dhcp client broadcast-flag clear

Hub is DHCP Relay Agent

Global

ip dhcp support tunnel unicast

Tunnel Interface

ip helper-address <ip-dhcp-server>

Functionality

DHCP request broadcast to all NHSs, replies unicast back to Spoke

Sticky until tunnel interface goes down


DHCP and FQDN NHSExample:

Spoke:

interface Tunnel0ip dhcp client broadcast-flag clearip address dhcp…ip nhrp network-id 100000…ip nhrp nhs dynamic nbma Hub1-NBMA multicast…ip nhrp shortcuttunnel source Serial1/0tunnel key 100000tunnel protection ipsec profile vpnprof

Hub:

ip dhcp support tunnel unicast!interface Tunnel0

ip address 10.0.0.1 255.255.255.0ip helper-address 192.168.0.3…ip nhrp map multicast dynamicip nhrp network-id 100000ip nhrp redirecttunnel source Serial2/0tunnel key 100000tunnel protection ipsec profile vpnprof

DHCP:

22:52:32.658: DHCP: Starting DHCP discover on Tunnel022:52:32.658: DHCP: SDiscover attempt # 1 for entry:22:52:32.658: Hostname: Spoke1, B'cast on Tunnel0 interface from 0.0.0.0

22:52:32.738: DHCP: Offer Message, Offered Address: 10.0.0.1322:52:32.738: DHCP: Lease secs: 86400, Renewal secs: 43200, Rebind secs: 75600

22:52:32.738: DHCP: SRequest attempt # 1 for entry:22:52:32.738: Temp IP addr: 10.0.0.13 for peer on Interface: Tunnel022:52:32.738: Temp sub net mask: 255.255.255.022:52:32.738: Hostname: Spoke1, B'cast on Tunnel0 interface from 0.0.0.0

22:52:32.818: DHCP: Ack Message Offered Address: 10.0.0.1322:52:32.818: DHCP: Lease secs: 86400, Renewal secs: 43200, Rebind secs: 7560022:52:32.818: DHCP: Host Name Option: Spoke1.cisco-test.com


NHRP:

22:52:32.242: NHRP: Resolved FQDN Hub1-NBMA to 172.17.0.122:52:32.242: NHRP: Supressing registration requests (Tunnel0) has invalid address . . .

22:52:32.818: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 10422:52:32.818: src NBMA: 172.16.1.1, src proto: 10.0.0.13, dst proto: 10.0.0.1322:52:32.818: NAT address Extension(9): client NBMA: 172.17.0.1, client protocol: 10.0.0.13. . .

22:52:32.870: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 12422:52:32.870: src NBMA: 172.16.1.1, src proto: 10.0.0.13, dst proto: 10.0.0.122:52:32.870: Responder Address Extension(3): client NBMA: 172.17.0.1, client protocol: 10.0.0.122:52:32.870: NAT address Extension(9): client NBMA: 172.17.0.1, client protocol: 10.0.0.1

22:52:32.870: NHRP: Tu0: Creating nhs mapping for 10.0.0.1/32 NBMA: 172.17.0.122:52:32.870: NHRP: Tunnel0: Cache add for target 10.0.0.1/32 next-hop 10.0.0.1, 172.17.0.1

22:52:32.870: NHRP: Adding Tunnel Endpoints (VPN: 10.0.0.1, NBMA: 172.17.0.1)

Tunnel:

22:52:29.618: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up22:52:29.622: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up . . .

22:52:32.870: Tunnel0: Linking endpoint 10.0.0.1/172.17.0.122:52:32.870: FIBtunnel: Tu0:TED: Adding adj for 10.0.0.1, conn_id 022:52:32.870: FIBtunnel: Tu0: stacking IP 10.0.0.1 to Default:172.17.0.1. . .

22:52:32.902: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.1 (Tunnel0) is up: new adjacency

DHCP and FQDN NHSExample: (cont)


IPv6 and IPv4 packets over DMVPN IPv6 tunnels

Introducing in IOS release 15.2(1)T

IPv6 infrastructure network

IPv6 and/or IPv4 data packets over same IPv6 GRE tunnel

NHRP modifies Routing Table – like on ASR1k routers

Can run both DMVPN IPv4 and DMVPN IPv6

Separate DMVPNs (mGRE tunnel interfaces)

DMVPN IPv4 DMVPN IPv6 spoke to spoke via hub

Configuration

Standard IPv6 configuration on Outside (WAN) interface

Small change on mGRE tunnel interface

Must use IKEv2 to setup IPsec encryption

Split-tunneling

Enterprise versus ISP assigned IPv6 addresses at spoke

No NAT66

DMVPN over IPv6 Transport15.2(1)T (August 2011)


DMVPN over IPv6 TransportConfiguration

crypto ikev2 keyring DMVPNpeer DMVPNv6

address ::/0pre-shared-key cisco123v6

crypto ikev2 profile DMVPNmatch identity remote address ::/0authentication local pre-shareauthentication remote pre-sharekeyring DMVPN

crypto ipsec profile DMVPNset transform-set DMVPNset ikev2-profile DMVPN

…interface Tunnel0

ip address 10.0.0.1 255.255.255.0...ip nhrp map multicast dynamicip nhrp network-id 100000...ipv6 address 2001:DB8:0:100::1/64...ipv6 nhrp map multicast dynamicipv6 nhrp network-id 100006...tunnel source Serial2/0tunnel mode gre multipoint ipv6tunnel protection ipsec profile DMVPN

!interface Serial2/0

ip address 172.17.0.1 255.255.255.252ipv6 address 2001:DB8:0:FFFF:1::1/126

!ipv6 route ::/0 Serial2/0

crypto ikev2 keyring DMVPNpeer DMVPNv6

address ::/0pre-shared-key cisco123v6

crypto ikev2 profile DMVPNmatch identity remote address ::/0authentication local pre-shareauthentication remote pre-sharekeyring DMVPNdpd keepalive 30 5 on-demand

crypto ipsec profile DMVPNset transform-set DMVPNset ikev2-profile DMVPN

…interface Tunnel0

ip address 10.0.0.11 255.255.255.0ip nhrp network-id 100000ip nhrp nhs 10.0.0.1 nbma 2001:DB8:0:FFFF:1::1 multicast...ipv6 address 2001:DB8:0:100::B/64...ipv6 nhrp network-id 100006ipv6 nhrp nhs 2001:DB8:0:100::1 nbma 2001:DB8:0:FFFF:1::1 multicast...tunnel source Serial1/0tunnel mode gre multipoint ipv6tunnel protection ipsec profile DMVPN


ip address 172.16.1.1 255.255.255.252ipv6 address 2001:DB8:0:FFFF:0:1:0:1/126

!ipv6 route ::/0 Serial1/0

SpokeHub


DMVPN over IPv6 TransportData Structures

Hub1#show ipv6 nhrp

2001:DB8:0:100::B/128 via 2001:DB8:0:100::B

Tunnel0 created 22:27:52, expire 00:03:39


NBMA address: 2001:DB8:0:FFFF:0:1:0:1

FE80::A8BB:CCFF:FE00:C800/128 via 2001:DB8:0:100::B




Hub1#show ip nhrp

10.0.0.11/32 via 10.0.0.11


Type: dynamic, Flags: unique registered used


Hub1#show crypto session

Interface: Tunnel0; Session status: UP-ACTIVE

Peer: 2001:DB8:0:FFFF:0:1:0:1 port 500

IKEv2 SA: local 2001:DB8:0:FFFF:1::1/500

remote 2001:DB8:0:FFFF:0:1:0:1/500 Active

IPSEC FLOW: permit 47 host 2001:DB8:0:FFFF:1::1 host 2001:DB8:0:FFFF:0:1:0:1

Active SAs: 2, origin: crypto map

DMVPN Futures


Q4 CY2011iBGP ‗local-as‘

Routing Protocol Scalability/Convergence

EEM with DMVPN integration – Smart Spoke

DHCP over DMVPN IPv4

Retrieve LAN IP Subnet for Spoke to serve addresses to Hosts

Q1 CY2012DHCP over DMVPN IPv6

Per-tunnel QoS on ASR

FutureDMVPN native multicast

GRE per-tunnel Keepalives

Per-tunnel QoS IPv6 over DMVPN on Hub

DMVPN Futures

Q & A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press®

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company StoreSM


Complete Your OnlineSession Evaluation

Receive 25 Cisco Preferred Access points for each session evaluation you complete.

Give us your feedback andyou could win fabulous prizes. Points are calculated on a daily basis. Winners will be announced by email after July 22nd.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live

and Networkers Virtual account for access

to all session materials, communities, and

on-demand and live activities throughout

the year. Activate your account at any

internet station or visit

www.ciscolivevirtual.com.

http://www.ciscolivevirtual.com/


Visit the Cisco Store for Related Titles

http://theciscostores.com

http://theciscostore.com/



Thank you.

Appendix


Appendix

DMVPN Overview

NHRP Details


Phase 3 Hierarchical Design

Interaction with other Features


Dynamic Multipoint VPN—Example

Spoke A

Spoke B

192.168.2.0/24

.1

192.168.1.0/24

.1

192.168.0.0/24

.1

. . .


Tunnel0: 10.0.0.1

Physical: dynamic

Tunnel0: 10.0.0.11

Physical: dynamic

Tunnel0: 10.0.0.12

Static known

IP address

Dynamicunknown

IP addresses

LANs can have

private addressing


Dynamic Multipoint VPN—Example(Step 1)

Spoke A

Spoke B

192.168.2.0/24

.1

192.168.1.0/24

.1

192.168.0.0/24

.1

. . .


Tunnel0: 10.0.0.1

Physical: dynamic

Tunnel0: 10.0.0.11

Physical: dynamic

Tunnel0: 10.0.0.12


BuildSpoke-Hub

Tunnels




Spoke A

Spoke B

192.168.2.0/24

.1

192.168.1.0/24

.1

192.168.0.0/24

.1

. . .


Tunnel0: 10.0.0.1

Physical: dynamic

Tunnel0: 10.0.0.11

Physical: dynamic

Tunnel0: 10.0.0.12


BuildDynamic

Spoke-spoke Tunnel




Spoke A

Spoke B

192.168.2.0/24

.1

192.168.1.0/24

.1

192.168.0.0/24

.1

. . .


Tunnel0: 10.0.0.1

Physical: dynamic

Tunnel0: 10.0.0.11

Physical: dynamic

Tunnel0: 10.0.0.12


RemoveDynamic

Spoke-spokeTunnel


Appendix

DMVPN Overview


NHRP Registrations


Phase 2

Phase 3





NHRP Registration Building Hub-and-Spoke Tunnels

Spoke1 Hub Spoke2Host1 Host2


NHRP RegistrationBuilding Hub-and-Spoke Tunnels (Step 1)

Spoke1 Hub Spoke2

Encrypted

Host1 Host2


IKE InitializationIKE Initialization


Encrypted


NHRP Registration Building Hub-and-Spoke Tunnels (Step 2)

Spoke1 Hub Spoke2

Encrypted

NHRP Regist. Req.

Host1 Host2

NHRP Regist. Rep.

Encrypted

NHRP Regist. Rep.

NHRP Regist. Req.


NHRP RegistrationRouting Adjacency (Step 3)

Spoke1 Hub Spoke2

Encrypted

Host1 Host2

Encrypted

Routing Update

Routing Adjacency

Routing Update

Routing Adjacency

Routing Update

Routing Update


NHRP RegistrationBuilding Hub-and-Spoke Tunnels

Spoke A192.168.1.1/24


192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

192.168.0.1/24

192.168.1.0/24 Conn.192.168.2.0/24 Conn.

192.168.0.0/24 Conn.

NHRP mapping

Routing Table

NHRP Registration


NHRP RegistrationBuilding Hub-and-Spoke Tunnels (Step 1&2)

Spoke A192.168.1.1/24


192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.1 172.17.0.1

10.0.0.11 172.16.1.1192.168.0.1/24

192.168.1.0/24 Conn.192.168.2.0/24 Conn.

192.168.0.0/24 Conn.

NHRP mapping

Routing Table

172.16.1.1

NHRP Registration

1

2

4

5

3


NHRP RegistrationBuilding Hub-and-Spoke Tunnels (Step 1&2)

Spoke A192.168.1.1/24


192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.1

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 Conn.192.168.2.0/24 Conn.

192.168.0.0/24 Conn.

NHRP mapping

Routing Table

172.16.1.1

172.16.2.1

NHRP Registration

1

2

4

5 3


NHRP RegistrationRouting Adjacency (Step 3a)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.1 172.17.0.110.0.0.1 172.17.0.1


10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.1.0/24 Conn. 192.168.2.0/24 Conn.

192.168.0.0/24 Conn.

NHRP mapping

Routing Table

172.16.1.1

172.16.2.1

Routing packet

192.168.0.0/16 Summ.

1

2

4

3


NHRP RegistrationRouting Adjacency (Step 3b)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.1 172.17.0.110.0.0.1 172.17.0.1


10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.1.0/24 Conn. 192.168.2.0/24 Conn.

192.168.0.0/24 Conn.

NHRP mapping

Routing Table

172.16.1.1

172.16.2.1

Routing packet

192.168.0.0/16 Summ.

2

3 3

2

1


Appendix

DMVPN Overview


NHRP Registrations


Phase 2

Phase 3





Phase 2 NHRP Resolution Request (Step 1)




Phase 2 NHRP Resolution Reply (Step 2)



Encrypted

IKE Initialization

Encrypted



Phase 2 NHRP Resolution Request

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

172.16.1.1

172.16.2.1

192.168.0.0/24 10.0.0.1192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

192.168.0.0/24 10.0.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.2.0/24 10.0.0.12

192.168.1.0/24 10.0.0.11

10.0.0.1 172.17.0.110.0.0.1 172.17.0.1


10.0.0.11 172.16.1.1

CEF FIB Table

NHRP mapping

CEF Adjacency

Data packet

NHRP Resolution

10.0.0.12 172.16.2.1


Phase 2 NHRP Resolution Request (Step 1a)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

172.16.1.1

172.16.2.1

192.168.0.0/24 10.0.0.1192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

192.168.0.0/24 10.0.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

10.0.0.12 ???

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.2.0/24 10.0.0.12

192.168.1.0/24 10.0.0.11

10.0.0.1 172.17.0.110.0.0.1 172.17.0.1


10.0.0.11 172.16.1.1

CEF FIB Table

NHRP mapping

CEF Adjacency

Data packet

NHRP Resolution

10.0.0.12 172.16.2.1

1

2

4

5

67

3


Phase 2 NHRP Resolution Request (Step 1b)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

172.16.1.1

172.16.2.1

192.168.0.0/24 10.0.0.1192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

192.168.0.0/24 10.0.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

10.0.0.12 ???10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.2.0/24 10.0.0.12

192.168.1.0/24 10.0.0.11

10.0.0.1 172.17.0.110.0.0.1 172.17.0.1


10.0.0.11 172.16.1.1

CEF FIB Table

NHRP mapping

CEF Adjacency

Data packet

NHRP Resolution

10.0.0.12 172.16.2.1

1

2

4

5

3


Phase 2 NHRP Resolution Reply (Step 2a)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

172.16.1.1

172.16.2.1

192.168.0.0/24 10.0.0.1192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

192.168.0.0/24 10.0.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

10.0.0.12 ???10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.2.0/24 10.0.0.12192.168.1.0/24 10.0.0.11

10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.110.0.0.12 incomplete 10.0.0.11 incomplete 10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

CEF FIB Table

NHRP mapping

CEF Adjacency

Data packet

NHRP Resolution

10.0.0.12 172.16.2.1

10.0.0.11 172.16.1.1

1

2

3


Phase 2 NHRP Resolution Reply (Step 2b)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

172.16.1.1

172.16.2.1

192.168.0.0/24 10.0.0.1192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

192.168.0.0/24 10.0.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.2.0/24 10.0.0.12192.168.1.0/24 10.0.0.11

10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.110.0.0.12 172.16.2.1 10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

10.0.0.12 172.16.2.1

CEF FIB Table

NHRP mapping

CEF Adjacency

Data packet

NHRP Resolution

10.0.0.12 172.16.2.1

10.0.0.11 172.16.1.1

10.0.0.12 172.16.2.1 (l)1

24

5

3


Phase 2 NHRP Resolution Reply (Step 2c)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

172.16.1.1

172.16.2.1

192.168.0.0/24 10.0.0.1192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

192.168.0.0/24 10.0.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1 (*)

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.2.0/24 10.0.0.12192.168.1.0/24 10.0.0.11

10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.110.0.0.12 172.16.2.1 10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

10.0.0.12 172.16.2.1

CEF FIB Table

NHRP mapping

CEF Adjacency

Data packet

NHRP Resolution

10.0.0.12 172.16.2.1

10.0.0.11 172.16.1.1

10.0.0.12 172.16.2.1 (l)

1

2

3


Appendix

DMVPN Overview


NHRP Registrations


Phase 2

Phase 3





Phase 3NHRP Redirect (Step 1)


NHRP Redirect


Phase 3NHRP Resolution Request (Step 2)




Phase 3 NHRP Resolution Reply (Step 3)



Encrypted

IKE Initialization



Phase 3 NHRP Resolution Redirect

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.1

10.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.1


Phase 3NHRP Resolution Redirect (Step 1a)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.1

10.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.1

1

2

4

5

67

3


Phase 3 NHRP Resolution Redirect (Step 1b)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.1 ???

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.1

10.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.11

2


Phase 3NHRP Resolution Request (Step 2)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.1 ???

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.1

10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.1

3

4

5

6

2

1


Phase 3NHRP Resolution Reply (Step 3a)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.1 ???

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.110.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.1

10.0.0.11 172.16.1.11

2

3


Phase 3NHRP Resolution Reply (Step 3b)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.1

172.16.2.1 10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

192.168.2.0/24 172.16.2.110.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.1

1

2

4

3


Phase 3NHRP Resolution Reply (Step 3c)

Spoke A192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

10.0.0.11 172.16.1.110.0.0.12 172.16.2.1

192.168.0.1/24

192.168.1.0/24 10.0.0.11192.168.2.0/24 10.0.0.12

192.168.0.0/24 Conn.

CEF FIB Table

172.16.1.1

172.16.2.1

NHRP mapping

192.168.1.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.2.0/24 Conn.

10.0.0.1 172.17.0.1

192.168.0.0/16 10.0.0.1192.168.0.0/16 10.0.0.1

CEF Adjacency

10.0.0.1 172.17.0.1

172.16.2.1 10.0.0.11 172.16.1.1

10.0.0.11 172.16.1.1

192.168.2.0/24 172.16.2.110.0.0.11 172.16.1.1

Data packet

NHRP Redirect

NHRP Resolution

10.0.0.1 172.17.0.1

10.0.0.12 172.16.2.1

3

2

1

5

4


Appendix

DMVPN Overview

NHRP Details





iBGP over DMVPNBase Logical Topology

192.168.1.0/24

.1

192.168.0.0/24

.1.2

.3

.2

RS1

EIGRP 1.1

192.168.4.0/24

.1

.2

.1

.1

192.168.2.0/24

.1

.2

RS2

BGP 1

192.168.3.0/24

.1

.2

19

2.1

68.1

0.0

/24

Spoke1

BGP 1

Hub1

BGP 1

Hub2

BGP 1

Spoke4

BGP 1

R2

BGP 1

Spoke2

BGP 1

Spoke3

BGP 1

192.168.11.0/24 192.168.14.0/24

.1192.168.12.0/24

.1192.168.13.0/24

RS3

EIGRP 1

RS4

OSPF 1

InternetBGP 2

.1 .2

.11

.12 .13

.14

192.168.10.0/24

DMVPN10.0.0.0/24

BGP 1


version 15.1

!

hostname Hub1

!

ip cef

!

crypto isakmp policy 2

authentication pre-share


!

crypto ipsec transform-set t3 esp-des esp-md5-hmac

mode transport require

!

crypto ipsec profile vpnprof

set transform-set t3

!

interface Tunnel0

bandwidth 1000

ip address 10.0.0.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication test

ip nhrp map multicast dynamic

ip nhrp map 10.0.0.2 172.17.0.5

ip nhrp map multicast 172.17.0.5

ip nhrp network-id 100000

ip nhrp holdtime 360

ip nhrp redirect

iBGP over DMVPNHub1 Configuration

…ip tcp adjust-mss 1360

delay 1000

tunnel source Serial2/0

tunnel mode gre multipoint

tunnel key 100000

tunnel protection ipsec profile vpnprof

!

interface Ethernet0/0

ip address 192.168.0.1 255.255.255.0

!

interface Serial2/0

ip address 172.17.0.1 255.255.255.252

!

router bgp 1

bgp log-neighbor-changes

bgp listen range 10.0.0.0/24 peer-group spokes

timers bgp 10 30

neighbor spokes peer-group

neighbor spokes remote-as 1

neighbor spokes route-reflector-client

neighbor spokes send-community

neighbor spokes route-map CMNTY in

neighbor spokes route-map DMVPN-OUT out


neighbor 10.0.0.2 send-community

neighbor 10.0.0.2 route-map H2H-IN in

neighbor 10.0.0.2 route-map DMVPN-OUT out


…neighbor 172.17.0.2 remote-as 2

neighbor 172.17.0.2 route-map ISP-IN in

neighbor 172.17.0.2 route-map ISP-OUT out


neighbor 192.168.0.3 route-map LAN-IN in

neighbor 192.168.0.3 route-map LAN-OUT out

maximum-paths ibgp 4

distance bgp 20 160 160

no auto-summary

!





ip community-list 11 deny 1:10

ip community-list 11 permit



!

route-map H2H-IN permit 10

set metric +10000

!

route-map LAN-OUT permit 10

match community 11

set ip next-hop 192.168.0.1

!

iBGP over DMVPNHub1 Configuration (cont)

route-map DMVPN-OUT permit 10

match community 11


!

route-map ISP-OUT permit 10

match community 10

!

route-map CMNTY permit 10

match community 1

!


match community 2

set metric +5000

!


set metric +7500

!

route-map ISP-IN permit 10

set community 1:10

!


match community 21

set community 1:1

!

control-plane

!

end


version 15.1

!

hostname Hub2

!

ip cef

!




!


mode transport require

!



!

interface Tunnel0

bandwidth 1000

ip address 10.0.0.2 255.255.255.0

no ip redirects

ip mtu 1400


ip nhrp map multicast dynamic

ip nhrp map 10.0.0.1 172.17.0.1




ip nhrp redirect

iBGP over DMVPNHub2 Configuration

…ip tcp adjust-mss 1360

delay 1000



tunnel key 100000


!


ip address 192.168.0.2 255.255.255.0

!

interface Serial2/0

ip address 172.17.0.5 255.255.255.252

!

router bgp 1


bgp listen range 10.0.0.0/24 peer-group spokes

timers bgp 10 30

neighbor spokes peer-group

neighbor spokes remote-as 1

neighbor spokes route-reflector-client

neighbor spokes send-community

neighbor spokes route-map CMNTY in

neighbor spokes route-map DMVPN-OUT out


neighbor 10.0.0.1 send-community

neighbor 10.0.0.1 route-map H2H-IN in

neighbor 10.0.0.1 route-map DMVPN-OUT out


…neighbor 172.17.0.6 remote-as 2








no auto-summary

!









!

route-map H2H-IN permit 10

set metric +10000

!


match community 11


!

iBGP over DMVPNHub2 Configuration (cont)


match community 11


!


match community 10

!


match community 2

!


match community 1

set metric +5000

!


set metric +7500

!


set community 1:10

!


match community 21

set community 1:2

!

control-plane

!

end


version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Spoke1

!

ip cef

!




crypto isakmp keepalive 30 5

!


mode transport

!



iBGP over DMVPNSpoke1 Configuration

interface Tunnel0

bandwidth 1000

ip address 10.0.0.11 255.255.255.0

no ip redirects

ip mtu 1400


ip nhrp map 10.0.0.2 172.17.0.5


ip nhrp map 10.0.0.1 172.17.0.1




ip nhrp nhs 10.0.0.1


ip nhrp shortcut

ip tcp adjust-mss 1360

delay 1000



tunnel key 100000


!


ip address 192.168.1.1 255.255.255.0

!

interface Serial1/0

ip address 172.16.1.1 255.255.255.252


router eigrp 1

default-metric 1000 0 255 100 1500

network 192.168.1.0

redistribute bgp 1 route-map BGP2IGP

!

router bgp 1


bgp redistribute-internal

timers bgp 10 30

redistribute eigrp 1 route-map IGP2BGP

neighbor hubs peer-group

neighbor hubs remote-as 1

neighbor hubs next-hop-self

neighbor hubs send-community

neighbor hubs route-map DMVPN-OUT out

neighbor 10.0.0.1 peer-group hubs







no auto-summary

!





iBGP over DMVPNSpoke1 Configuration (cont)


match community 11

!


match community 10

!

route-map IGP2BGP deny 10

match tag 225

!


set community 1:1

!

route-map BGP2IGP permit 10

match community 11

set tag 225

!


set community 1:10

!

control-plane

!

end


version 15.1

!

hostname Spoke2

!

ip cef

!





!


mode transport

!



iBGP over DMVPNSpoke2 Configuration

interface Tunnel0

bandwidth 1000

ip address 10.0.0.12 255.255.255.0

no ip redirects

ip mtu 1400


ip nhrp map 10.0.0.2 172.17.0.5


ip nhrp map 10.0.0.1 172.17.0.1






ip nhrp shortcut


delay 1000



tunnel key 100000


!


ip address 192.168.2.1 255.255.255.0

!

interface Serial1/0

ip address 172.16.2.1 255.255.255.252


router bgp 1



timers bgp 10 30











neighbor 192.168.2.2 route-reflector-client





no auto-summary

!







iBGP over DMVPNSpoke2 Configuration (cont)


match community 11


!


match community 11


!


match community 10

!


set community 1:10

!


match community 21

set community 1:2

!

control-plane

!

end


version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Spoke(3,4)

!

ip cef

!





!


mode transport

!



iBGP over DMVPN(Spoke3, Spoke4) Configuration

interface Tunnel0

bandwidth 1000

ip address 10.0.0.(13,14) 255.255.255.0

no ip redirects

ip mtu 1400


ip nhrp map 10.0.0.2 172.17.0.5


ip nhrp map 10.0.0.1 172.17.0.1






ip nhrp shortcut


delay 1000



tunnel key 100000


!


ip address 192.168.(3,4).1 255.255.255.0

!

interface Serial1/0

ip address 172.16.(3,4).1 255.255.255.252


router ospf 1

redistribute bgp 1 subnets route-map BGP2IGP

network 192.168.3.0 0.0.0.255 area 1

!

router eigrp 1

default-metric 1000 0 255 100 1500

network 192.168.4.0

redistribute bgp 1 route-map BGP2IGP

!

router bgp 1



timers bgp 10 30

redistribute ospf 1 route-map IGP2BGP

redistribute eigrp 1 route-map IGP2BGP



neighbor hubs next-hop-self





neighbor 172.16.(3,4).2 remote-as 2

neighbor 172.16.(3,4).2 route-map ISP-IN in

neighbor 172.16.(3,4).2 route-map ISP-OUT out



no auto-summary

iBGP over DMVPN(Spoke3, Spoke4) Configuration (cont)





!


match community 11

!


match community 10

!

route-map IGP2BGP deny 10

match tag 225

!


set community 1:1

!

route-map BGP2IGP permit 10

match community 11

set tag 225

!


set community 1:10

!

control-plane

!

end


version 12.3

!

hostname Internet

!

interface Serial1/0

ip address 172.17.0.2 255.255.255.252

!

interface Serial2/0

ip address 172.17.0.6 255.255.255.252

!

interface Serial3/0

ip address 172.16.1.2 255.255.255.252

!

interface Serial4/0

ip address 172.16.2.2 255.255.255.252

!

interface Serial5/0

ip address 172.16.3.2 255.255.255.252

!

interface Serial6/0

ip address 172.16.4.2 255.255.255.252

iBGP over DMVPNInternet Configuration

router bgp 2

no synchronization


network 172.16.1.0 mask 255.255.255.252

network 172.16.2.0 mask 255.255.255.252

network 172.16.3.0 mask 255.255.255.252

network 172.16.4.0 mask 255.255.255.252

network 172.17.0.0 mask 255.255.255.252

network 172.17.0.4 mask 255.255.255.252







no auto-summary

!

end


hostname R2!interface Loopback0

ip address 172.20.0.1 255.255.255.0!interface Ethernet0/0


ip address 192.168.10.1 255.255.255.0!router bgp 1

no synchronizationbgp log-neighbor-changesnetwork 172.20.0.0 mask 255.255.255.0network 192.168.0.0network 192.168.10.0neighbor hubs peer-groupneighbor hubs remote-as 1neighbor hubs route-reflector-clientneighbor hubs next-hop-selfneighbor hubs send-communityneighbor hubs route-map FROM-DMVPN inneighbor 192.168.0.1 peer-group hubsneighbor 192.168.0.2 peer-group hubsmaximum-paths ibgp 4no auto-summary

!ip bgp-community new-format!route-map FROM-DMVPN permit 10

set community 1:20

iBGP over DMVPNR2 (behind hubs), RS2 (behind Spoke2) Configuration

hostname RS2!interface Loopback0



ip address 192.168.12.1 255.255.255.0!router bgp 1

no synchronizationbgp log-neighbor-changesnetwork 172.20.2.0 mask 255.255.255.0network 192.168.2.0network 192.168.12.0neighbor 192.168.2.1 remote-as 1neighbor 192.168.2.1 next-hop-selfneighbor 192.168.2.1 send-communityneighbor 192.168.2.1 route-map FROM-DMVPN inno auto-summary

!ip bgp-community new-format!route-map FROM-DMVPN permit 10

set community 1:20

R2 RS2


hostname (RS1,RS4)

!

interface Loopback0

ip address 172.20.(1,4).1 255.255.255.0

!


ip address 192.168.(1,4).2 255.255.255.0

!


ip address 192.168.(11,14).1 255.255.255.0

!

router eigrp 1

network 172.20.(1,4).0 0.0.0.255

network 192.168.(1,4).0

network 192.168.(11,14).0

no auto-summary

!

iBGP over DMVPN(RS1,RS4); RS3 Configuration

hostname RS3

!

interface Loopback0

ip address 172.20.3.1 255.255.255.0

!


ip address 192.168.3.2 255.255.255.0

!


ip address 192.168.13.1 255.255.255.0

!

router ospf 1

log-adjacency-changes

network 172.20.3.0 0.0.0.255

network 192.168.3.0

network 192.168.13.0

!

RS1,RS4 RS3


Appendix

DMVPN Overview

NHRP Details





Hierarchical Design

Multiple layers of ―Hub-and-Spoke‖ control planeCan use single mGRE subnet across all nodes

Best to use multiple mGRE subnets

Spokes and Central hub have single mGRE interface

Distribution hubs have two mGRE interfaces

Use ‗nhrp network-id <id>‘ to ―glue‖ together mGRE interfaces into a single DMVPN cloud.

Still preserve any-to-any spoke-spoke tunnels

Region 1 mGRE subnet



Central mGRE subnet


Hierarchical Design

Multiple Hub routers at each layer for redundancyHub routers in a layer/region

Configured similar to each other

Interconnected as NHSs to each other

Interconnected as NHSs to next lower layer hubs

RoutingSummarize routes toward spokes (leaves)

No summarization of routes toward root (central hub)

Routes for other mGRE subnets learned over tunnel interface

IP MulticastMulticast source behind hub can use single mGRE subnet

Multicast source behind spoke must use multiple mGRE subnets/interfaces


DMVPN Hierarchical Hub(Phase 3)

192.168.19.0/24

.1

192.168.11.0/24

.1

192.168.1.0/24

.1

.1


Tunnel0: 10.0.0.16


Tunnel1: 10.0.1.11


Tunnel2: 10.0.2.19Physical: 172.17.0.1

Tunnel0: 10.0.0.8

Spoke 1

Spoke 3

192.168.8.0/24

.1

192.168.16.0/24


Tunnel0: 10.0.0.1


Tunnel2: 10.0.2.18

Spoke 2

192.168.18.0/24.1

Hub 1

Hub 0Hub 2

Loopback: 172.18.0.1

Tunnel1: 10.0.1.8

Loopback: 172.18.0.5

Tunnel2: 10.0.2.16

= mGRE subnet 10.0.0.0/24



= Dynamic spoke to spoke

192.168.128.0/24

.1


interface Tunnel0bandwidth 1000ip address 10.0.0.1 255.255.255.0no ip redirectsip mtu 1400ip nhrp authentication testip nhrp map multicast dynamicip nhrp network-id 100000ip nhrp holdtime 360ip nhrp shortcutip nhrp redirectno ip split-horizon eigrp 1ip summary-address eigrp 1 192.168.0.0 255.255.192.0delay 1000tunnel source Serial1/0tunnel mode gre multipointtunnel key 100000

DMVPN Hierarchical HubCentral Hub Configuration

version 12.2!hostname Hub0!ip cef!interface Loopback0

ip address 192.168.100.1 255.255.255.0!interface Loopback1


ip address 192.168.0.1 255.255.255.0!interface Serial1/0

ip address 172.17.0.9 255.255.255.252!router eigrp 1

network 10.0.0.0 0.0.0.255network 192.168.0.0network 192.168.100.0network 192.168.128.0 0.0.0.255

!ip route 0.0.0.0 0.0.0.0 172.17.0.10


version 12.2!hostname Hub1!ip cef! interface Loopback0





network 10.0.0.0 0.0.0.255network 10.0.1.0 0.0.0.255network 192.168.8.0network 192.168.101.0

!ip route 0.0.0.0 0.0.0.0 172.17.0.2

DMVPN Hierarchical HubRegional Hub1 Configuration

interface Tunnel0bandwidth 1000ip address 10.0.0.8 255.255.255.0ip mtu 1400ip nhrp authentication testip nhrp map multicast 172.17.0.9ip nhrp map 10.0.0.1 172.17.0.9ip nhrp network-id 100000ip nhrp holdtime 360ip nhrp nhs 10.0.0.1ip nhrp shortcutip nhrp redirectip summary-address eigrp 1 192.168.8.0 255.255.248.0delay 1000tunnel source Serial1/0tunnel mode gre multipointtunnel key 100000

!interface Tunnel1

bandwidth 1000ip address 10.0.1.8 255.255.255.0ip mtu 1400ip nhrp authentication testip nhrp map multicast dynamicip nhrp network-id 100000ip nhrp holdtime 360ip nhrp redirectno ip split-horizon eigrp 1ip summary-address eigrp 1 192.168.8.0 255.255.248.0ip summary-address eigrp 1 192.168.100.0 255.255.252.0delay 1000tunnel source Loopback1tunnel mode gre multipointtunnel key 100000


version 12.2!hostname Hub2!ip cef!interface Loopback0





network 10.0.0.0 0.0.0.255network 10.0.2.0 0.0.0.255network 192.168.16.0network 192.168.102.0

!ip route 0.0.0.0 0.0.0.0 172.17.0.6

DMVPN Hierarchical HubRegional Hub2 Configuration

interface Tunnel0bandwidth 1000ip address 10.0.0.16 255.255.255.0ip mtu 1400ip nhrp authentication testip nhrp map multicast 172.17.0.9ip nhrp map 10.0.0.1 172.17.0.9ip nhrp network-id 100000ip nhrp holdtime 360ip nhrp nhs 10.0.0.1ip nhrp shortcutip nhrp redirectip summary-address eigrp 1 192.168.16.0 255.255.248.0delay 1000tunnel source Serial1/0tunnel mode gre multipointtunnel key 100000

!interface Tunnel2

bandwidth 1000ip address 10.0.2.16 255.255.255.0ip mtu 1400ip nhrp authentication testip nhrp map multicast dynamicip nhrp network-id 100000ip nhrp holdtime 360ip nhrp redirectno ip split-horizon eigrp 1ip summary-address eigrp 1 192.168.16.0 255.255.248.0ip summary-address eigrp 1 192.168.100.0 255.255.252.0delay 1100tunnel source Loopback1tunnel mode gre multipointtunnel key 100000


version 12.2!hostname Spoke1!ip cef!interface Ethernet0/0



network 10.0.1.0 0.0.0.255network 192.168.11.0

!ip route 0.0.0.0 0.0.0.0 172.16.1.2

DMVPN Hierarchical HubSpoke1 Configuration

interface Tunnel0bandwidth 1000ip address 10.0.1.11 255.255.255.0no ip redirectsip mtu 1400ip nhrp authentication testip nhrp map 10.0.1.8 172.18.0.1ip nhrp map multicast 172.18.0.1ip nhrp network-id 100000ip nhrp holdtime 360ip nhrp nhs 10.0.1.8ip nhrp shortcutdelay 1000tunnel source Serial1/0tunnel mode gre multipointtunnel key 100000





network 10.0.2.0 0.0.0.255network 192.168.18.0

!ip route 0.0.0.0 0.0.0.0 172.16.2.2







network 10.0.2.0 0.0.0.255network 192.168.19.0

!ip route 0.0.0.0 0.0.0.0 172.16.3.2




DMVPN Heirarchical Hub (12.4T)Spoke2 – Before spoke-spoke tunnels

10.0.2.16/32 via 10.0.2.16

Tunnel0 created 1d01h, never expire



D 192.168.128.0/24 [90/3200000] via 10.0.2.16, 1d01h, Tunnel0


D 192.168.0.0/18 [90/3968000] via 10.0.2.16, 1d01h, Tunnel0

D 192.168.16.0/21 [90/3456000] via 10.0.2.16, 1d01h, Tunnel0

192.168.0.0/18 10.0.2.16 Tunnel0

192.168.16.0/21 10.0.2.16 Tunnel0

192.168.18.0/24 attached Ethernet0/0

192.168.128.0/24 10.0.2.16 Tunnel0

IP Tunnel0 10.0.2.16(16)

NHRP

Routing Table

CEF

Adjacency


DMVPN Heirarchical Hub (12.4T)Spoke2 – Ping to Spoke1 and Hub0

#ping 192.168.11.1 source 192.168.18.1

Sending 10, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:Packet sent with a source address of 192.168.18.1 !!!!!!!!!!Success rate is 100 percent (10/10), round-trip min/avg/max = 16/54/80 ms

#traceroute 192.168.11.1 source 192.168.18.1 numeric

Tracing the route to 192.168.11.1

1 10.0.1.11 32 msec * 28 msec

#ping 192.168.128.1 source 192.168.18.1 repeat 10

Sending 10, 100-byte ICMP Echos to 192.168.128.1, timeout is 2 seconds:Packet sent with a source address of 192.168.18.1 !!!!!!!!!!Success rate is 100 percent (10/10), round-trip min/avg/max = 20/28/48 ms


Tracing the route to 192.168.128.1

1 10.0.0.1 24 msec * 28 msec

Spoke2 to Spoke1

Spoke2 to Hub0


DMVPN Heirarchical Hub (12.4T)Spoke B – After spoke-spoke tunnels

10.0.0.1/32 via 10.0.0.1


Type: dynamic, Flags: router implicit


10.0.1.11/32 via 10.0.1.11




10.0.2.16/32 via 10.0.2.16




192.168.11.0/24 via 10.0.1.11




192.168.18.0/24 via 10.0.2.18




(no-socket)

192.168.128.0/24 via 10.0.0.1




NHRP

Mappings fortunnel to Hub0

Mappings for

tunnel to Spoke1

Local entry

Static Mapping

to NHS (Hub2)


DMVPN Heirarchical Hub (12.4T)Spoke2 – After spoke-spoke tunnels (cont)

D 192.168.128.0/24 [90/3200000] via 10.0.2.16, 1d01h, Tunnel0


D 192.168.0.0/18 [90/3968000] via 10.0.2.16, 1d01h, Tunnel0

D 192.168.16.0/21 [90/3456000] via 10.0.2.16, 1d01h, Tunnel0

192.168.0.0/18 10.0.2.16 Tunnel0

192.168.16.0/21 10.0.2.16 Tunnel0

192.168.18.0/24 attached Ethernet0/0

192.168.128.0/24 10.0.2.16 Tunnel0

IP Tunnel0 10.0.0.1(5)

IP Tunnel0 10.0.1.11(5)

IP Tunnel0 10.0.2.16(16)

Adjacency for Hub0

Adjacency for Spoke1

Adjacency for Hub2

Routing Table(no change)

CEF(no change)

Adjacency


DMVPN Hierarchical Hub (12.2(33)XNE)Changes for ASR1K

Routes for other mGRE subnets must be directly connected for CEF switching to work

Currently must use static connected routes.

Hub0:

ip route 10.0.1.0 255.255.255.0 Tunnel0ip route 10.0.2.0 255.255.255.0 Tunnel0

Hub1:

ip route 10.0.2.0 255.255.255.0 Tunnel0

Hub2:

ip route 10.0.1.0 255.255.255.0 Tunnel0

Spoke1:


Spoke2:


Spoke3:



DMVPN Heirarchical Hub (12.2(33)XNE)Spoke2 – Before spoke-spoke tunnels

10.0.2.16/32 via 10.0.2.16Tunnel0 created 1w0d, never expire Type: static, Flags: used NBMA address: 172.18.0.5

S 10.0.0.0/24 is directly connected, Tunnel0S 10.0.1.0/24 is directly connected, Tunnel0C 10.0.2.0/24 is directly connected, Tunnel0L 10.0.2.18/32 is directly connected, Tunnel0D 192.168.0.0/18 [90/3635200] via 10.0.2.16, 5d21h, Tunnel0D 192.168.16.0/21 [90/3123200] via 10.0.2.16, 5d21h, Tunnel0C 192.168.18.0/24 is directly connected, Ethernet0/0L 192.168.18.1/32 is directly connected, Ethernet0/0D 192.168.128.0/24 [90/3200000] via 10.0.2.16, 1w0d, Tunnel0

10.0.0.0/24 attached Tunnel010.0.1.0/24 attached Tunnel010.0.2.0/24 attached Tunnel010.0.2.16/32 attached Tunnel010.0.2.18/32 receive Tunnel0192.168.0.0/18 10.0.2.16 Tunnel0192.168.16.0/21 10.0.2.16 Tunnel0192.168.18.0/24 attached Ethernet0/0192.168.18.1/32 receive Ethernet0/0192.168.128.0/24 10.0.2.16 Tunnel0

IP Tunnel0 10.0.2.16(15)

NHRP

Routing Table

CEF

Adjacency


DMVPN Heirarchical Hub (12.2(33)XNE)Spoke2 – Ping to Spoke1 and Hub0


Sending 20, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:Packet sent with a source address of 192.168.18.1 !!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (20/20), round-trip min/avg/max = 20/41/85 ms


Type escape sequence to abort.Tracing the route to 192.168.11.1

1 10.0.1.11 24 msec * 28 msec


Sending 20, 100-byte ICMP Echos to 192.168.128.1, timeout is 2 seconds:Packet sent with a source address of 192.168.18.1 !!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (20/20), round-trip min/avg/max = 16/25/64 ms


Type escape sequence to abort.Tracing the route to 192.168.128.1

1 10.0.0.1 40 msec * 20 msec

Spoke2 to Spoke1

Spoke2 to Hub0


DMVPN Heirarchical Hub (12.2(33)XNE)Spoke2 – After spoke-spoke tunnels

10.0.0.1/32 via 10.0.0.1




10.0.1.11/32 via 10.0.1.11




10.0.2.16/32 via 10.0.2.16

Tunnel0 created 00:06:24, never expire



192.168.11.0/24 via 10.0.1.11


Type: dynamic, Flags: router used rib


192.168.18.0/24 via 10.0.2.18




(no-socket)

192.168.128.0/24 via 10.0.0.1


Type: dynamic, Flags: router rib nho


Mappings fortunnel to Hub0

Mappings for

tunnel to Spoke1

Local entry

Static Mapping

to NHS (Hub2)

Entered in

Routing

Table

rib

rib nho

NHRP


DMVPN Heirarchical Hub (12.2(33)XNE)Spoke2 – After spoke-spoke tunnels (cont)

S 10.0.0.0/24 is directly connected, Tunnel0S 10.0.1.0/24 is directly connected, Tunnel0C 10.0.2.0/24 is directly connected, Tunnel0L 10.0.2.18/32 is directly connected, Tunnel0D 192.168.0.0/18 [90/3635200] via 10.0.2.16, 00:06:28, Tunnel0H 192.168.11.0/24 [250/1] via 10.0.1.11, 00:00:47D 192.168.16.0/21 [90/3123200] via 10.0.2.16, 00:06:28, Tunnel0C 192.168.18.0/24 is directly connected, Ethernet0/0L 192.168.18.1/32 is directly connected, Ethernet0/0D % 192.168.128.0/24 [90/3200000] via 10.0.2.16, 00:06:28, Tunnel0

[NHO][90/1] via 10.0.0.1, 00:01:27, Tunnel0

10.0.0.0/24 attached Tunnel010.0.0.1/32 attached Tunnel010.0.1.0/24 attached Tunnel010.0.1.11/32 attached Tunnel010.0.2.0/24 attached Tunnel010.0.2.16/32 attached Tunnel010.0.2.18/32 receive Tunnel0192.168.0.0/18 10.0.2.16 Tunnel0192.168.11.0/24 10.0.1.11 Tunnel0192.168.16.0/21 10.0.2.16 Tunnel0192.168.18.0/24 attached Ethernet0/0192.168.18.1/32 receive Ethernet0/0192.168.128.0/24 10.0.0.1 Tunnel0

Routing Table

CEF

IP Tunnel0 10.0.0.1(11)IP Tunnel0 10.0.1.11(10)IP Tunnel0 10.0.2.16(14)

Adjacency

NHRP

Next-hop-override

%

10.0.0.1

H 192.168.11.0/24 [250/1] via 10.0.1.11, 00:00:47

192.168.11.0/24 10.0.1.11 Tunnel0

[NHO][90/1] via 10.0.0.1, 00:01:27, Tunnel0


Appendix

DMVPN Overview

NHRP Details



Interaction with other FeaturesIPv6 Phase 1, NAT, Per-Tunnel QoS, MIBs


IPv6 Phase 1

IPv6 packets over DMVPN IPv4 tunnelsIntroduced in IOS release 12.4(20)T

IPv4 infrastructure network

IPv6 and/or IPv4 data packets over same IPv4 GRE tunnel

Configure IPv6 just like on other interfacesComplete set of NHRP commands

network-id, holdtime, authentication, map, etc.

NHRP registers two addressesLink-local for routing protocol (Automatic or Manual)

Unicast Global for packet forwarding (Mandatory)


IPv6 Phase 1Configuration

ipv6 unicast-routingipv6 cef…interface Tunnel0

ip address 10.0.0.1 255.255.255.0ip mtu 1400ip nhrp authentication testip nhrp map multicast dynamicip nhrp network-id 100000ip nhrp holdtime 360ip nhrp redirectip tcp adjust-mss 1360no ip split-horizon eigrp 1ipv6 address 2001:DB8:0:100::1/64ipv6 mtu 1400ipv6 eigrp 1no ipv6 split-horizon eigrp 1ipv6 nhrp authentication testv6ipv6 nhrp map multicast dynamicipv6 nhrp network-id 100006ipv6 nhrp holdtime 300ipv6 nhrp redirecttunnel source Serial2/0tunnel mode gre multipointtunnel protection ipsec profile vpnprof


ip address 192.168.0.1 255.255.255.0ipv6 address 2001:DB8::1/64ipv6 eigrp 1


ip address 172.17.0.1 255.255.255.252!ipv6 router eigrp 1

no shutdown

ipv6 unicast-routingipv6 cef…interface Tunnel0

ip address 10.0.0.11 255.255.255.0ip mtu 1400ip nhrp authentication testip nhrp map multicast 172.17.0.1ip nhrp map 10.0.0.1 172.17.0.1ip nhrp network-id 100000ip nhrp holdtime 360ip nhrp nhs 10.0.0.1ip nhrp shortcutip tcp adjust-mss 1360ipv6 address 2001:DB8:0:100::B/64ipv6 mtu 1400ipv6 eigrp 1ipv6 nhrp authentication testv6ipv6 nhrp map multicast 172.17.0.1ipv6 nhrp map 2001:DB8:0:100::1/128 172.17.0.1ipv6 nhrp network-id 100006ipv6 nhrp holdtime 300ipv6 nhrp nhs 2001:DB8:0:100::1ipv6 nhrp shortcuttunnel source Serial1/0tunnel mode gre multipointtunnel protection ipsec profile vpnprof


ip address 192.168.1.1 255.255.255.0ipv6 address 2001:DB8:0:1::1/64ipv6 eigrp 1


ip address 172.16.1.1 255.255.255.252!ipv6 router eigrp 1

no shutdown

SpokeHub


IPv6 Phase 1‘show ipv6 nhrp’

2001:DB8:0:100::1/128 via 2001:DB8:0:100::1




FE80::A8BB:CCFF:FE00:6400/128 via FE80::A8BB:CCFF:FE00:6400

Tunnel0 created 1d16h, expire 00:04:59

Type: dynamic, Flags:


Spoke

Hub2001:DB8:0:100::B/128 via 2001:DB8:0:100::B


Type: dynamic, Flags: unique registered used


FE80::A8BB:CCFF:FE00:C800/128 via 2001:DB8:0:100::B





DMVPN and NAT-T Spoke-SpokePhase 2 & 3 (12.4(6)T)

Spoke-spoke dynamic tunnels are now supported to/from NAT translated spokes

Hub reports spoke‘s outside NAT IP address back to spoke in NHRP registration reply.

Spoke‘s outside NAT IP address passed in NHRP resolution request and reply packets

Spokes use remote spoke‘s outside NAT IP address to build spoke-to-spoke tunnel.

Two spokes behind the same NAT nodeMust be NAT translated to unique outside NAT IP address

NAT node must support spokes using outside IP NAT address for each other—traffic loops through NAT node

If spoke-spoke tunnel will not come up, traffic will continue to be forwarded via the hub.


DMVPN and NAT-T

Spoke A192.168.1.1/24

192.168.3.1/24Spoke C

Physical: (dynamic)

Tunnel0: 10.0.0.11

10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.1

10.0.0.11 172.16.1.110.0.0.13 172.18.0.3* (172.16.3.1)

192.168.0.1/24

Peer – 172.17.0.1Peer – 172.17.0.1

NHRP mapping *(NAT-T)

Crypto Map Table

172.16.1.1 Physical: (dynamic)

Tunnel0: 10.0.0.13

172.16.3.1

10.0.0.13 ?10.0.0.13 172.18.0.3* (172.16.3.1) 10.0.0.11 172.16.1.1

Peer – 172.16.1.1

Peer – 172.18.0.3

NAT: 172.16.3.1 172.18.0.3

Peer – 172.18.0.3 Peer – 172.16.1.1

10.0.0.13 172.18.0.3* (172.16.3.1)


Tunnel0: 10.0.0.1


DMVPN and NAT-TRegistrations

NHRP: Send Registration Request via Tunnel0 vrf 0, src: 10.0.0.13, dst: 10.0.0.1








NAT Address Extension (9): (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1

NHRP: Send Registration Reply via Tunnel0 vrf 0, src: 10.0.0.1, dst: 10.0.0.13





(C) prefix: 0, client NBMA: 172.17.0.1, client protocol: 10.0.0.1





(C-2) prefix: 32, client NBMA: 172.18.0.3, client protocol: 10.0.0.13


NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 152, src: 10.0.0.13, dst: 10.0.0.11(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)(M) flags: "router auth dst-stable unique src-stable nat ", reqid: 164

src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.13(C-1) code: no error(0), prefix: 32, mtu: 1514, hd_time: 360,

client NBMA: 172.16.3.1, client protocol: 10.0.0.13Responder Address Extension(3): (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360

client NBMA: 172.16.3.1, client protocol: 10.0.0.13Forward Transit NHS Record Extension(4): client NBMA: 172.17.0.1, client protocol: 10.0.0.1Reverse Transit NHS Record Extension(5):Authentication Extension(7): type:Cleartext(1), data:testNAT Address Extension (9): (C-1) prefix: 32, client NBMA: 172.18.0.3, client protocol: 10.0.0.13

DMVPN and NAT-TPhase 3 – Resolutions

NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84, src: 10.0.0.11, dst: 10.0.0.1(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)(M) flags: "router auth src-stable nat ", reqid: 164

src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.13(C-1) code: no error(0) prefix: 0, mtu: 1514, hd_time: 360

Responder Address Extension(3):Forward Transit NHS Record Extension(4):Reverse Transit NHS Record Extension(5):Authentication Extension(7): type:Cleartext(1), data:testNAT address Extension(9):


Per-tunnel QoS – 12.4(22)T

QoS per tunnel (spoke) on hubDynamically selected Hierarchical (parent/child) QoS Policy

Spoke: Configure NHRP group name

Hub: NHRP group name mapped to QoS template policy

Multiple spokes with same NHRP group mapped to individual instances of same QoS template policy

QoS policy applied at outbound physical interfaceClassification done before GRE encapsulation by tunnel

ACL match against Data IP packet

‗qos pre-classify‘ not configured on tunnel interface

Shaping/policing done on physical after IPsec encryption

Can‘t have separate aggregate QoS policy on physical


Per-tunnel QoSConfigurations

class-map match-all typeA_voicematch access-group 100

class-map match-all typeB_voicematch access-group 100

class-map match-all typeA_Routingmatch ip precedence 6

class-map match-all typeB_Routingmatch ip precedence 6

policy-map typeAclass typeA_voice

priority 1000class typeA_Routing

bandwidth percent 20

policy-map typeBclass typeB_voice

priority percent 20class typeB_Routing

bandwidth percent 10

policy-map typeA_parentclass class-default

shape average 3000000service-policy typeA

policy-map typeB_parentclass class-default

shape average 2000000service-policy typeB

interface Tunnel0ip address 10.0.0.1 255.255.255.0…ip nhrp map group typeA service-policy output typeA_parentip nhrp map group typeB service-policy output typeB_parent…ip nhrp redirectno ip split-horizon eigrp 100ip summary-address eigrp 100 192.168.0.0 255.255.192.0 5…

interface Tunnel0ip address 10.0.0.11 255.255.255.0…ip nhrp group typeAip nhrp map multicast 172.17.0.1ip nhrp map 10.0.0.1 172.17.0.1ip nhrp nhs 10.0.0.1…

Spoke1

Hub Hub (cont)

interface Tunnel0ip address 10.0.0.12 255.255.255.0…ip nhrp group typeBip nhrp map multicast 172.17.0.1ip nhrp map 10.0.0.1 172.17.0.1ip nhrp nhs 10.0.0.1…

Spoke2

interface Tunnel0ip address 10.0.0.13 255.255.255.0…ip nhrp group typeAip nhrp map multicast 172.17.0.1ip nhrp map 10.0.0.1 172.17.0.1ip nhrp nhs 10.0.0.1…

Spoke3


Per-tunnel QoSQoS Output

Hub#show ip nhrp

10.0.0.11/32 via 10.0.0.11Tunnel0 created 21:24:03, expire 00:04:01Type: dynamic, Flags: unique registeredNBMA address: 172.16.1.1Group: typeA

10.0.0.12/32 via 10.0.0.12Tunnel0 created 21:22:33, expire 00:05:30Type: dynamic, Flags: unique registeredNBMA address: 172.16.2.1Group: typeB

10.0.0.13/32 via 10.0.0.13Tunnel0 created 00:09:04, expire 00:04:05Type: dynamic, Flags: unique registeredNBMA address: 172.16.3.1Group: typeA

Hub#show ip nhrp group-map

Interface: Tunnel0NHRP group: typeA

QoS policy: typeA_parentTunnels using the QoS policy:Tunnel destination overlay/transport address10.0.0.11/172.16.1.110.0.0.13/172.16.3.1

NHRP group: typeBQoS policy: typeB_parentTunnels using the QoS policy:Tunnel destination overlay/transport address10.0.0.12/172.16.2.1

Hub#show policy-map multipoint tunnel 0 <spoke> output

Interface Tunnel0 172.16.1.1

Service-policy output: typeA_parentClass-map: class-default (match-any)19734 packets, 6667163 bytesshape (average) cir 3000000, bc 12000, be 12000

Service-policy : typeAClass-map: typeA_voice (match-all) 3737 packets, 4274636 bytesClass-map: typeA_Routing (match-all) 14424 packets, 1269312 bytesClass-map: class-default (match-any) 1573 packets, 1123215 bytes


Service-policy output: typeB_parentClass-map: class-default (match-any)11420 packets, 1076898 bytesshape (average) cir 2000000, bc 8000, be 8000

Service-policy : typeBClass-map: typeB_voice (match-all) 1005 packets, 128640 bytesClass-map: typeB_Routing (match-all) 10001 packets, 880088 bytesClass-map: class-default (match-any) 414 packets, 68170 bytes


Service-policy output: typeA_parentClass-map: class-default (match-any)5458 packets, 4783903 bytesshape (average) cir 3000000, bc 12000, be 12000

Service-policy : typeAClass-map: typeA_voice (match-all) 4914 packets, 4734392 bytesClass-map: typeA_Routing (match-all) 523 packets, 46004 bytesClass-map: class-default (match-any) 21 packets, 14995 bytes


Per-tunnel QoSScaling – 7200 NPE-G1/VAM2+

Key

1) Tunnels/Active = Number of tunnels versus number of active shapers

2) "Unstable" corresponds to detaching and re-attaching service policy on the tunnels

3) All CPU values are observed steady state values (99%) within braces means CPU was 99% for a while before stabilization.

4) Original EC = 700/210 @ 47.6 Mbps <= 80% CPU under unstable conditions (presumably)

5) For 7200 NPE-G2/VSA low scale numbers, CSCsu73714 filed.

Stable CPU Utilization

Tunnels/Active No traffic 28 Mbps 38 Mbps 47.6 Mbps

500/150 9% 41% 52% 64%

600/180 12% 49% 62% 75%

700/210 14% 53% 73% 85%

Unstable CPU Utilization

Tunnels/Active N/A 28 Mbps 38 Mbps 47.6 Mbps

500/150 43% 52% 64%

600/180 51% 68%(99%) 78%(99%)

700/210 53%(99%) 76%(99%) 99%(flapping)


NHRP MIB and SYSLog Extensions 15.0(1)M

NHRP Extension MIBAn extension of the NHRP MIB (RFC-2677)

Defines notifications for critical events in NHRP (RFC 2332)

NHServer and NHClient (up/down); NHPeer (up/down);RateLimitExceeded; NHRP Errors

Cisco proprietary enhancements to the protocol

NHRP Redirect

SYSLog ExtensionNHServer, NHClient, NHPeer (up/down)

DMVPN Crypto Session (up/down)

NHRP Resolution (receive/reply/timeout/fail)

NHRP Max Send

NHRP Errors: (Send, Multicast , Encap)


Thank you.

Documents

BRKSEC-4052-2011_Advanced Concepts of DMVPN