DMVPN Phase 3

Introduction

Spoke routers will only have a single default route pointing to the hub router.

But the spoke routers will be able to access other spoke routers or the network(s) that the other spoke routers are advertising directly without going through the hub router. How is this possible?

Phase 3 is similar to Phase 2 in that it provides direct spoke-to-spoke tunnels. However, the underlying mechanism is significantly different. The change came with the requirement to allow spoke routers to receive only a summarized set of routes, possibly just a default route, from the hub router, and yet allow direct spoke-to-spoke communication.

Phase 3 Process:

  1. The data packet is forwarded from the originating spoke to the hub based on the routing table of the originating spoke.
    • No NHRP messaging is triggered by the originating spoke at this point, because it is not certain whether the destination is located in a DMVPN or in a normal network.
  2. The hub router receives the data packet from the originating spoke and forwards it to the destination spoke according to its routing table.
    • The hub realizes that the packet is being forwarded within the same DMVPN because the incoming and outgoing interfaces have the same ip nhrp network-id configured. The hub router thus realizes that it is a transit router for the data packets between the spokes.
  3. The hub router sends an NHRP Traffic Indication message back to the originating spoke router, telling it that for the original packet whose header is carried in the Traffic Indication body, there might be a more direct way to the destination rather than through the hub.
  4. Upon receiving the NHRP Traffic Indication message, the originating spoke triggers an NHRP Resolution Request to map the known destination IP address of the original packet to the unknown NBMA address of the destination spoke.
    • As in Phase 2, the spoke router includes its tunnel-IP-to-NBMA-IP mapping in the Resolution Request.
  5. The hub router receives the NHRP Resolution Request.
    • Based on the destination address of the original packet indicated in the Resolution Request, it looks up the matching destination network in its routing table, finds the next hop, and forwards the Resolution Request to the next hop.
  6. The destination spoke receives the NHRP Resolution Request.
    • Using its contents, it learns about the originating spoke’s tunnel IP and NBMA IP and adds this mapping into its NHRP table.
    • The destination spoke then creates an NHRP Resolution Reply packet with its own tunnel IP and NBMA IP.
    • In addition, because the Resolution Request asked about the original packet’s destination address rather than the tunnel IP address of the destination spoke, the destination spoke will also insert the original packet’s destination address and the netmask of the matching destination network from its routing table into its Resolution Reply. This will allow the originating spoke to compute the address of the destination network for which the original packet is intended.
  7. If IPSec is also configured, before sending the Resolution Reply to the originating spoke, the destination spoke triggers IPSec to create a secured spoke-to-spoke tunnel.
  8. After the originating spoke receives the Resolution Reply, it will add the mapping for the destination spoke’s tunnel IP and NBMA IP into its NHRP table.
    • In addition, using the original packet’s destination address and the netmask of the matching network on the destination spoke carried in the Resolution Reply, the originating spoke will compute the address of the destination network and insert this network into its routing table, with the next-hop address pointing to the destination spoke’s tunnel IP. Because this added network has a longer prefix than the default route, it will be matched first for every packet going to this destination network. This will cause subsequent packets to be sent to the destination spoke directly, rather than being routed over the hub.

There are two new commands related to Phase 3:

  • ip nhrp redirect: This command allows a hub router to send out NHRP Traffic Indication messages.
  • ip nhrp shortcut: This command allows a spoke router to accept incoming NHRP Traffic Indication messages, and in turn send an NHRP Resolution Request message for the original packet’s destination address and then, after receiving an NHRP Resolution Reply, install the destination network discovered through the Resolution Reply into the routing table with the responding spoke router as a next hop.
				
					NHRP Registration Request and Reply

1- NHC sends an NHRP Registration Request to NHS
2- NHS receives it and sends an NHRP Registration Reply to NHC

382	335.012667	172.16.31.1	172.16.11.1	NHRP	130	NHRP Registration Request, ID=5

Next Hop Resolution Protocol (NHRP Registration Request)
	NHRP Mandatory Part
    	Source Protocol Len: 4
    	Destination Protocol Len: 4
    	Flags: 0x0002, Cisco NAT Supported
    	Request ID: 0x00000005 (5)
    	Source NBMA Address: 172.16.31.1
   		Source Protocol Address: 192.168.100.31
    	Destination Protocol Address: 192.168.100.11
    	Client Information Entry

*Mar 29 02:34:08.196: NHRP: 'Receive Registration Request via Tunnel0' vrf global(0x0), packet size: 92
*Mar 29 02:34:08.196:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar 29 02:34:08.196:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:34:08.196:      pktsz: 92 extoff: 52
*Mar 29 02:34:08.196:  (M) flags: "nat ", reqid: 6 
*Mar 29 02:34:08.196:      src NBMA: 172.16.31.1
*Mar 29 02:34:08.196:      src protocol: 192.168.100.31, dst protocol: 192.168.100.11
*Mar 29 02:34:08.196:  (C-1) code: no error(0)
*Mar 29 02:34:08.196:        prefix: 32, mtu: 17916, hd_time: 600
*Mar 29 02:34:08.196:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

383	335.013623	172.16.11.1	172.16.31.1	NHRP	150	NHRP Registration Reply, ID=5, Code=Success

*Mar 29 02:34:08.197: NHRP: 'Send Registration Reply via Tunnel0' vrf global(0x0), packet size: 112
*Mar 29 02:34:08.198:  src: 192.168.100.11, dst: 192.168.100.31
*Mar 29 02:34:08.198:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar 29 02:34:08.198:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:34:08.198:      pktsz: 112 extoff: 52
*Mar 29 02:34:08.198:  (M) flags: "nat ", reqid: 6 
*Mar 29 02:34:08.198:      src NBMA: 172.16.31.1
*Mar 29 02:34:08.198:      src protocol: 192.168.100.31, dst protocol: 192.168.100.11
*Mar 29 02:34:08.198:  (C-1) code: no error(0)
*Mar 29 02:34:08.198:        prefix: 32, mtu: 17916, hd_time: 600
*Mar 29 02:34:08.198:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

DMVPN Phase 3

1- R31 sends traffic to R41
2- NHS receives traffic and sends an NHRP Traffic Indication to R31
3- R31 receives it and sends an NHRP Resolution Request to R41
4- NHS receives R31's NHRP Resolution Request to R41, and forwards it to R41
5- R41 receives R31's Resolution Request and replies with an NHRP Resolution Reply
6- R31 receives R41's NHRP Resolution Reply
7- Spoke-to-Spoke Tunnel is established

[NHS]
*Mar 29 02:45:31.355: NHRP: 'Send Traffic Indication via Tunnel0' vrf global(0x0), packet size: 84
*Mar 29 02:45:31.356:  src: 192.168.100.11, dst: 10.31.31.31
*Mar 29 02:45:31.356:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar 29 02:45:31.356:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:45:31.356:      pktsz: 84 extoff: 68
*Mar 29 02:45:31.356:  (M) traffic code: redirect(0)
*Mar 29 02:45:31.356:      src NBMA: 172.16.11.1
*Mar 29 02:45:31.356:      src protocol: 192.168.100.11, dst protocol: 10.31.31.31
*Mar 29 02:45:31.356:      Contents of nhrp traffic indication packet:
*Mar 29 02:45:31.356:         45 00 00 1C 01 69 00 00 01 11 5B D9 0A 1F 1F 1F 
*Mar 29 02:45:31.356:         0A 29 29 29 C0 09 82 9D 00 08 60 

[R31]
*Mar 29 02:45:31.365: NHRP: 'Receive Traffic Indication via Tunnel0' vrf global(0x0), packet size: 84
*Mar 29 02:45:31.365:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar 29 02:45:31.365:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:45:31.365:      pktsz: 84 extoff: 68
*Mar 29 02:45:31.365:  (M) traffic code: redirect(0)
*Mar 29 02:45:31.365:      src NBMA: 172.16.11.1
*Mar 29 02:45:31.365:      src protocol: 192.168.100.11, dst protocol: 10.31.31.31
*Mar 29 02:45:31.365:      Contents of nhrp traffic indication packet:
*Mar 29 02:45:31.365:         45 00 00 1C 01 69 00 00 01 11 5B D9 0A 1F 1F 1F 
*Mar 29 02:45:31.365:         0A 29 29 29 C0 09 82 9D 00 08 60 

*Mar 29 02:45:31.374: NHRP: 'Send Resolution Request via Tunnel0' vrf global(0x0), packet size: 72
*Mar 29 02:45:31.374:  src: 192.168.100.31, dst: 10.41.41.41
*Mar 29 02:45:31.374:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar 29 02:45:31.374:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:45:31.374:      pktsz: 72 extoff: 52
*Mar 29 02:45:31.374:  (M) flags: "router auth src-stable nat ", reqid: 3 
*Mar 29 02:45:31.374:      src NBMA: 172.16.31.1
*Mar 29 02:45:31.374:      src protocol: 192.168.100.31, dst protocol: 10.41.41.41
*Mar 29 02:45:31.374:  (C-1) code: no error(0)
*Mar 29 02:45:31.374:        prefix: 32, mtu: 17916, hd_time: 600
*Mar 29 02:45:31.374:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

[NHS]
*Mar 29 02:45:31.386: NHRP: 'Receive Resolution Request via Tunnel0' vrf global(0x0), packet size: 72
*Mar 29 02:45:31.386:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar 29 02:45:31.386:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:45:31.386:      pktsz: 72 extoff: 52
*Mar 29 02:45:31.386:  (M) flags: "router auth src-stable nat ", reqid: 3 
*Mar 29 02:45:31.386:      src NBMA: 172.16.31.1
*Mar 29 02:45:31.386:      src protocol: 192.168.100.31, dst protocol: 10.41.41.41
*Mar 29 02:45:31.386:  (C-1) code: no error(0)
*Mar 29 02:45:31.386:        prefix: 32, mtu: 17916, hd_time: 600
*Mar 29 02:45:31.386:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

*Mar 29 02:45:31.386: NHRP: 'Forwarding Resolution Request via Tunnel0' vrf global(0x0), packet size: 92
*Mar 29 02:45:31.386:  src: 192.168.100.11, dst: 10.41.41.41
*Mar 29 02:45:31.386:  (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Mar 29 02:45:31.386:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:45:31.386:      pktsz: 92 extoff: 52
*Mar 29 02:45:31.386:  (M) flags: "router auth src-stable nat ", reqid: 3 
*Mar 29 02:45:31.386:      src NBMA: 172.16.31.1
*Mar 29 02:45:31.386:      src protocol: 192.168.100.31, dst protocol: 10.41.41.41
*Mar 29 02:45:31.386:  (C-1) code: no error(0)
*Mar 29 02:45:31.386:        prefix: 32, mtu: 17916, hd_time: 600
*Mar 29 02:45:31.386:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

[R41]
*Mar 29 02:45:31.401: NHRP: 'Receive Resolution Request via Tunnel0' vrf global(0x0), packet size: 92
*Mar 29 02:45:31.401:  (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Mar 29 02:45:31.401:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:45:31.401:      pktsz: 92 extoff: 52
*Mar 29 02:45:31.401:  (M) flags: "router auth src-stable nat ", reqid: 3 
*Mar 29 02:45:31.401:      src NBMA: 172.16.31.1
*Mar 29 02:45:31.401:      src protocol: 192.168.100.31, dst protocol: 10.41.41.41
*Mar 29 02:45:31.401:  (C-1) code: no error(0)
*Mar 29 02:45:31.401:        prefix: 32, mtu: 17916, hd_time: 600
*Mar 29 02:45:31.401:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

*Mar 29 02:45:31.402: NHRP: 'Send Resolution Reply via Tunnel0' vrf global(0x0), packet size: 120
*Mar 29 02:45:31.402:  src: 192.168.100.41, dst: 192.168.100.31
*Mar 29 02:45:31.402:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar 29 02:45:31.402:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:45:31.402:      pktsz: 120 extoff: 60
*Mar 29 02:45:31.402:  (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 3 
*Mar 29 02:45:31.402:      src NBMA: 172.16.31.1
*Mar 29 02:45:31.402:      src protocol: 192.168.100.31, dst protocol: 10.41.41.41
*Mar 29 02:45:31.402:  (C-1) code: no error(0)
*Mar 29 02:45:31.402:        prefix: 24, mtu: 17916, hd_time: 600
*Mar 29 02:45:31.402:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 255
*Mar 29 02:45:31.402:        client NBMA: 172.16.41.1
*Mar 29 02:45:31.402:        client protocol: 192.168.100.41

[R31]
*Mar 29 02:45:31.405: NHRP: 'Receive Resolution Reply via Tunnel0' vrf global(0x0), packet size: 120
*Mar 29 02:45:31.405:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Mar 29 02:45:31.405:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar 29 02:45:31.405:      pktsz: 120 extoff: 60
*Mar 29 02:45:31.405:  (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 3 
*Mar 29 02:45:31.405:      src NBMA: 172.16.31.1
*Mar 29 02:45:31.405:      src protocol: 192.168.100.31, dst protocol: 10.41.41.41
*Mar 29 02:45:31.405:  (C-1) code: no error(0)
*Mar 29 02:45:31.405:        prefix: 24, mtu: 17916, hd_time: 600
*Mar 29 02:45:31.405:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 255
*Mar 29 02:45:31.405:        client NBMA: 172.16.41.1
*Mar 29 02:45:31.406:        client protocol: 192.168.100.41
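
The spoke-side computation from steps 4 and 8, replayed over the R31 debug output above. This is an added example, not part of the original page or of any Cisco code. The function names and `SPOKE_INVENTORY` are hypothetical; the inventory is an assumed operator-maintained list used to check that a shortcut route points at the spoke that owns the prefix.

```python
import ipaddress
import re

# Body of the Traffic Indication and fields of the Resolution Reply,
# copied from the R31 debug output on this page.
TRAFFIC_INDICATION_HEX = """
45 00 00 1C 01 69 00 00 01 11 5B D9 0A 1F 1F 1F
0A 29 29 29 C0 09 82 9D 00 08 60
"""
RESOLUTION_REPLY = """
*Mar 29 02:45:31.405:      src protocol: 192.168.100.31, dst protocol: 10.41.41.41
*Mar 29 02:45:31.405:        prefix: 24, mtu: 17916, hd_time: 600
*Mar 29 02:45:31.405:        client NBMA: 172.16.41.1
*Mar 29 02:45:31.406:        client protocol: 192.168.100.41
"""

# ASSUMPTION: operator inventory (not from the page). Spoke tunnel IP ->
# expected NBMA address and the prefixes that spoke is allowed to own.
SPOKE_INVENTORY = {
    "192.168.100.31": {"nbma": "172.16.31.1", "prefixes": ["10.31.31.0/24"]},
    "192.168.100.41": {"nbma": "172.16.41.1", "prefixes": ["10.41.41.0/24"]},
}


def parse_redirected_header(hex_dump):
    """Decode the IPv4 header carried in a Traffic Indication body."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("body does not start with an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated IPv4 header")
    # A valid header's one's-complement sum folds to 0xFFFF.
    total = sum(int.from_bytes(raw[i:i + 2], "big") for i in range(0, ihl, 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "ttl": raw[8],
        "proto": raw[9],
        "checksum_ok": total == 0xFFFF,
    }


def parse_resolution_reply(text):
    """Pull the fields the originating spoke uses out of the debug lines."""
    patterns = {
        "target": r"dst protocol: (\S+)",
        "prefix_len": r"prefix: (\d+)",
        "client_nbma": r"client NBMA: (\S+)",
        "client_tunnel": r"client protocol: (\S+)",
    }
    fields = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"missing field in debug output: {name}")
        fields[name] = match.group(1)
    fields["prefix_len"] = int(fields["prefix_len"])
    return fields


def shortcut_route(reply):
    """Step 8: mask the resolved address with the prefix length from the reply."""
    network = ipaddress.ip_network(
        f"{reply['target']}/{reply['prefix_len']}", strict=False)
    return network, reply["client_tunnel"]


def audit_shortcut(redirected, reply, inventory):
    """Return findings; an empty list means the shortcut matches expectations."""
    findings = []
    network, next_hop = shortcut_route(reply)
    if not redirected["checksum_ok"]:
        findings.append("redirected header fails the IPv4 checksum")
    if redirected["dst"] != reply["target"]:
        findings.append("reply resolves an address the redirect did not carry")
    spoke = inventory.get(next_hop)
    if spoke is None:
        return findings + [f"next hop {next_hop} is not a known spoke"]
    if spoke["nbma"] != reply["client_nbma"]:
        findings.append(
            f"NBMA {reply['client_nbma']} does not match inventory for {next_hop}")
    allowed = [ipaddress.ip_network(p) for p in spoke["prefixes"]]
    if not any(network.subnet_of(a) for a in allowed):
        findings.append(f"{network} is outside the prefixes assigned to {next_hop}")
    return findings


if __name__ == "__main__":
    hdr = parse_redirected_header(TRAFFIC_INDICATION_HEX)
    reply = parse_resolution_reply(RESOLUTION_REPLY)
    net, nh = shortcut_route(reply)
    print(f"redirected packet: {hdr['src']} -> {hdr['dst']}")
    print(f"shortcut route: {net} via {nh}")
    print("findings:", audit_shortcut(hdr, reply, SPOKE_INVENTORY) or "none")
```

The computed route, 10.41.41.0/24 via 192.168.100.41, is the entry that appears in `show ip nhrp` and `show ip route nhrp` on R31 in the EIGRP scenario below.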
				
			

Routing Scenarios

Tunnel

				
					interface Tunnel0
 bandwidth 4000
 ip address 192.168.100.11 255.255.255.0
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp redirect
 ip nhrp map multicast dynamic
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/3
 tunnel mode gre multipoint
end
				
			
				
					interface Tunnel0
 bandwidth 4000
 ip address 192.168.100.31 255.255.255.0
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp shortcut
 ip nhrp nhs 192.168.100.11 nbma 172.16.11.1 multicast
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
end
				
			

EIGRP

  • EIGRP on DMVPN phase 3 works very well. We don’t have to worry about split horizon since the spoke routers don’t have to learn each other's networks.
  • Spoke routers do not require specific entries thanks to NHRP Traffic Indication.
				
					[ Hub ]
router eigrp A
 !
 address-family ipv4 unicast autonomous-system 15
  !
  af-interface Tunnel0
   summary-address 0.0.0.0 0.0.0.0
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.0.0.0
  network 192.0.0.0 0.255.255.255
 exit-address-family

				
			
				
					[ Spokes ]
router eigrp A
 !
 address-family ipv4 unicast autonomous-system 15
  !
  topology base
  exit-af-topology
  network 10.0.0.0
  network 192.0.0.0 0.255.255.255
 exit-address-family

				
			
				
					'[DMVPN]'
R11#show dmvpn
/*omitted*/
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 172.16.31.1      192.168.100.31    UP 01:41:53     D
     1 172.16.41.1      192.168.100.41    UP 01:41:53     D
R11#

R11#show ip nhrp 
192.168.100.31/32 via 192.168.100.31
   Tunnel0 created 01:44:06, expire 00:07:20
   Type: dynamic, Flags: registered used nhop 
   NBMA address: 172.16.31.1 
192.168.100.41/32 via 192.168.100.41
   Tunnel0 created 01:44:06, expire 00:07:20
   Type: dynamic, Flags: registered nhop 
   NBMA address: 172.16.41.1 
R11#

'[Routing]'
R11#show ip route eigrp 
/*omitted*/
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.31.31.0/24 [90/26880640] via 192.168.100.31, 01:40:26, Tunnel0
D        10.41.41.0/24 [90/26880640] via 192.168.100.41, 01:40:30, Tunnel0
R11#
				
			
				
					'[DMVPN]'
R31#show dmvpn
/*omitted*/
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 172.16.41.1      192.168.100.41    UP 00:03:24   DT1
                        192.168.100.41    UP 00:03:24   DT1
     1 172.16.11.1      192.168.100.11    UP 02:01:28     S
R31#

R31#show ip nhrp 
10.41.41.0/24 via 192.168.100.41
   Tunnel0 created 00:02:45, expire 00:07:14
   Type: dynamic, Flags: router used rib 
   NBMA address: 172.16.41.1 
192.168.100.11/32 via 192.168.100.11
   Tunnel0 created 02:00:59, never expire 
   Type: static, Flags: used 
   NBMA address: 172.16.11.1 
192.168.100.31/32 via 192.168.100.31
   Tunnel0 created 00:02:45, expire 00:07:14
   Type: dynamic, Flags: router unique local 
   NBMA address: 172.16.31.1 
    (no-socket) 
192.168.100.41/32 via 192.168.100.41
   Tunnel0 created 00:02:45, expire 00:07:14
   Type: dynamic, Flags: router nhop rib 
   NBMA address: 172.16.41.1 
R31#

'[Routing]'
R31#show ip route eigrp 
/*omitted*/
Gateway of last resort is 192.168.100.11 to network 0.0.0.0
D*    0.0.0.0/0 [90/26880640] via 192.168.100.11, 01:43:33, Tunnel0
R31#

R31#show ip route nhrp 
/*omitted*/
Gateway of last resort is 192.168.100.11 to network 0.0.0.0
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
H        10.41.41.0/24 [250/255] via 192.168.100.41, 00:04:16, Tunnel0
      192.168.100.0/24 is variably subnetted, 3 subnets, 2 masks
H        192.168.100.41/32 is directly connected, 00:04:16, Tunnel0
R31#

R31#traceroute 10.41.41.41
/*Type escape sequence to abort.
Tracing the route to 10.41.41.41
VRF info: (vrf in name/id, vrf out name/id)*/
  1 192.168.100.41 16 msec 20 msec 20 msec
R31#
				
			

OSPF

OSPF for DMVPN phase 3 works but it’s not the best choice. We can’t use any summarization so the spoke routers will always have specific entries for the networks behind other spoke routers. If you use OSPF, it’s best to go for point-to-multipoint as it has automatic neighbor discovery and you don’t have to worry about the DR/BDR election.

Broadcast

  • Dynamic peering
  • Change network type to broadcast on all routers
    • interface tunnel0
      • ip ospf network broadcast
  • DR/BDR election happens
    • We need to make sure that the spoke router will never be elected as DR or BDR
      • Spokes
      • interface tunnel0
        • ip ospf priority 0
  • Each spoke router will have the routes for the other spoke routers. Because we use a single area for the DMVPN network, there is no way to get around this.
  • Nothing changes in the RIB, since we already have specific entries and the next hop is preserved.
				
					'[Routing]'
R11#show ip ospf neighbor 
Neighbor ID     Pri   State           Dead Time   Address         Interface
31.31.31.31       0   FULL/DROTHER    00:00:30    192.168.100.31  Tunnel0
41.41.41.41       0   FULL/DROTHER    00:00:34    192.168.100.41  Tunnel0
R11#

R11#show ip route ospf
/*omitted*/
Gateway of last resort is not set
      31.0.0.0/32 is subnetted, 1 subnets
O        31.31.31.31 [110/26] via 192.168.100.31, 00:15:49, Tunnel0
      41.0.0.0/32 is subnetted, 1 subnets
O        41.41.41.41 [110/26] via 192.168.100.41, 00:15:49, Tunnel0
R11#
				
			
				
					'[DMVPN]'
R31#show dmvpn 
/*omitted*/
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 172.16.41.1      192.168.100.41    UP 00:02:17     D
                        192.168.100.41    UP 00:02:17   DT1
     1 172.16.11.1      192.168.100.11    UP 00:44:38     S
R31#

R31#show ip nhrp 
41.41.41.41/32 via 192.168.100.41
   Tunnel0 created 00:03:00, expire 00:06:58
   Type: dynamic, Flags: router used 
   NBMA address: 172.16.41.1 
192.168.100.11/32 via 192.168.100.11
   Tunnel0 created 00:45:32, never expire 
   Type: static, Flags: used 
   NBMA address: 172.16.11.1 
192.168.100.41/32 via 192.168.100.41
   Tunnel0 created 00:03:00, expire 00:06:58
   Type: dynamic, Flags: router nhop rib 
   NBMA address: 172.16.41.1 
R31#

'[Routing]'
R31#show ip ospf neighbor 
Neighbor ID     Pri   State           Dead Time   Address         Interface
11.11.11.11       1   FULL/DR         00:00:39    192.168.100.11  Tunnel0
R31#

R31#show ip route ospf
/*omitted*/
Gateway of last resort is not set
      11.0.0.0/32 is subnetted, 1 subnets
O        11.11.11.11 [110/26] via 192.168.100.11, 00:05:38, Tunnel0
      41.0.0.0/32 is subnetted, 1 subnets
O        41.41.41.41 [110/26] via 192.168.100.41, 00:05:38, Tunnel0
R31#

R31#show ip route nhrp 
/*omitted*/
Gateway of last resort is not set
      192.168.100.0/24 is variably subnetted, 3 subnets, 2 masks
H        192.168.100.41/32 is directly connected, 00:00:47, Tunnel0
R31#

R31#traceroute 41.41.41.41 source lo0
/*Type escape sequence to abort.
Tracing the route to 41.41.41.41
VRF info: (vrf in name/id, vrf out name/id)*/
  1 192.168.100.41 5 msec *  10 msec
R31#
				
			

Non-Broadcast

  • Exactly the same as the previous network type with the exception that we have to configure static neighbors.
    • router ospf 1
      • neighbor 192.168.100.31
      • neighbor 192.168.100.41

Point-to-Multipoint

In DMVPN phase 2, we couldn’t really use this OSPF network type since it changes the next hop. Will it work better for DMVPN phase 3? Let's find out.

  • Dynamic peering
  • No DR/BDR
  • Next-hop changes, points to Hub
  • Change network type to point-to-multipoint

The first time, we can see that our traffic goes through the hub. The second time, traffic from spoke R31 goes directly to spoke R41.

Both entries in the RIB still have the hub as the next hop, but they are marked with the % symbol. This means that the next hop is overridden by NHRP: the next-hop address has been overwritten in the CEF table, which allows the spoke routers to reach each other directly.

The DT2 attribute means that the entry is dynamic and that the next hop has been overwritten.

				
					'[Routing]'
R11#show ip ospf neighbor 
Neighbor ID     Pri   State           Dead Time   Address         Interface
41.41.41.41       0   FULL/  -        00:01:54    192.168.100.41  Tunnel0
31.31.31.31       0   FULL/  -        00:01:42    192.168.100.31  Tunnel0
R11#

R11#show ip route ospf
/*omitted*/
Gateway of last resort is not set
      31.0.0.0/32 is subnetted, 1 subnets
O        31.31.31.31 [110/26] via 192.168.100.31, 00:01:39, Tunnel0
      41.0.0.0/32 is subnetted, 1 subnets
O        41.41.41.41 [110/26] via 192.168.100.41, 00:01:29, Tunnel0
      192.168.100.0/24 is variably subnetted, 4 subnets, 2 masks
O        192.168.100.31/32 [110/25] via 192.168.100.31, 00:01:39, Tunnel0
O        192.168.100.41/32 [110/25] via 192.168.100.41, 00:01:29, Tunnel0
R11#
				
			
				
					['DMVPN']
R31#show dmvpn 
/*omitted*/
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 172.16.41.1      192.168.100.41    UP 00:00:21   DT2
                        192.168.100.41    UP 00:00:21   DT2
     1 172.16.11.1      192.168.100.11    UP 00:12:55     S
R31#

R31#show ip nhrp 
31.31.31.31/32 via 192.168.100.31
   Tunnel0 created 00:00:34, expire 00:09:25
   Type: dynamic, Flags: router unique local 
   NBMA address: 172.16.31.1 
    (no-socket) 
41.41.41.41/32 via 192.168.100.41
   Tunnel0 created 00:00:34, expire 00:09:25
   Type: dynamic, Flags: router used rib nho 
   NBMA address: 172.16.41.1 
192.168.100.11/32 via 192.168.100.11
   Tunnel0 created 00:13:18, never expire 
   Type: static, Flags: used 
   NBMA address: 172.16.11.1 
192.168.100.41/32 via 192.168.100.41
   Tunnel0 created 00:00:34, expire 00:09:25
   Type: dynamic, Flags: router nhop rib nho 
   NBMA address: 172.16.41.1 
R31#

['Routing']
R31#show ip route ospf
/*omitted*/
Gateway of last resort is not set
      11.0.0.0/32 is subnetted, 1 subnets
O        11.11.11.11 [110/26] via 192.168.100.11, 00:02:37, Tunnel0
      41.0.0.0/32 is subnetted, 1 subnets
O   %    41.41.41.41 [110/51] via 192.168.100.11, 00:02:37, Tunnel0
      192.168.100.0/24 is variably subnetted, 4 subnets, 2 masks
O        192.168.100.11/32 [110/25] via 192.168.100.11, 00:02:37, Tunnel0
O   %    192.168.100.41/32 [110/50] via 192.168.100.11, 00:02:37, Tunnel0
R31#

R31#show ip route next-hop-override 
/*omitted*/
Gateway of last resort is not set
      11.0.0.0/32 is subnetted, 1 subnets
O        11.11.11.11 [110/26] via 192.168.100.11, 00:04:14, Tunnel0
      31.0.0.0/32 is subnetted, 1 subnets
C        31.31.31.31 is directly connected, Loopback0
      41.0.0.0/32 is subnetted, 1 subnets
O   %    41.41.41.41 [110/51] via 192.168.100.11, 00:04:14, Tunnel0
                     [NHO][110/255] via 192.168.100.41, 00:03:21, Tunnel0
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
S        172.16.11.0/24 [1/0] via 172.16.31.31
C        172.16.31.0/24 is directly connected, GigabitEthernet0/0
L        172.16.31.1/32 is directly connected, GigabitEthernet0/0
S        172.16.41.0/24 [1/0] via 172.16.31.31
      192.168.100.0/24 is variably subnetted, 4 subnets, 2 masks
C        192.168.100.0/24 is directly connected, Tunnel0
O        192.168.100.11/32 [110/25] via 192.168.100.11, 00:04:14, Tunnel0
L        192.168.100.31/32 is directly connected, Tunnel0
O   %    192.168.100.41/32 [110/50] via 192.168.100.11, 00:04:14, Tunnel0
                           [NHO][110/255] via 192.168.100.41, 00:03:21, Tunnel0
R31#

R31#show ip cef 41.41.41.41
41.41.41.41/32
  nexthop 192.168.100.41 Tunnel0
R31#

R31#traceroute 41.41.41.41 source lo0
/*Type escape sequence to abort.
Tracing the route to 41.41.41.41
VRF info: (vrf in name/id, vrf out name/id)*/
  1 192.168.100.11 5 msec 5 msec 4 msec
  2 192.168.100.41 11 msec *  8 msec
R31#

R31#traceroute 41.41.41.41 source lo0
/*Type escape sequence to abort.
Tracing the route to 41.41.41.41
VRF info: (vrf in name/id, vrf out name/id)*/
  1 192.168.100.41 6 msec *  5 msec
R31#
				
			

Point-to-Multipoint Non-Broadcast

  • Exactly the same as the previous one with the exception that we have to configure static neighbors.
    • interface tunnel0
      • ip ospf network point-to-multipoint non-broadcast
    • router ospf 1
      • neighbor 192.168.100.31
      • neighbor 192.168.100.41
  • Same behavior as the previous one: in the RIB we can see the hub as the next hop, and the next hop is overwritten by NHRP.

BGP

EBGP with same AS number on spokes

  • Spoke routers do not need to know any specific routes, so we can use a default route.
				
					[ Hub ]
ip route 0.0.0.0 0.0.0.0 Null0
!
ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
!
route-map DEFAULT permit 10
 match ip address prefix-list DEFAULT_ROUTE
!
router bgp 65011
 bgp log-neighbor-changes
 bgp listen range 192.168.100.0/24 peer-group DMVPN_SPOKES
 network 0.0.0.0
 neighbor DMVPN_SPOKES peer-group
 neighbor DMVPN_SPOKES remote-as 65000
 neighbor DMVPN_SPOKES route-map DEFAULT out
				
			
				
					[ Spokes ]
! R31
router bgp 65000
 bgp log-neighbor-changes
 network 31.31.31.31 mask 255.255.255.255
 neighbor 192.168.100.11 remote-as 65011
!
! R41
router bgp 65000
 bgp log-neighbor-changes
 network 41.41.41.41 mask 255.255.255.255
 neighbor 192.168.100.11 remote-as 65011
				
			
				
					'[Routing]'
R11#show bgp ipv4 unicast summary 
/*omitted*/
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*192.168.100.31 4        65000      22      25        8    0    0 00:14:19        1
*192.168.100.41 4        65000      20      24        8    0    0 00:13:59        1
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1

BGP peergroup DMVPN_SPOKES listen range group members: 
  192.168.100.0/24 

Total dynamically created neighbors: 2/(100 max), Subnet ranges: 1
R11#

R11#show ip bgp
/*omitted*/
     Network          Next Hop            Metric LocPrf Weight Path
 *>   0.0.0.0          0.0.0.0                  0         32768 i
 *>   31.31.31.31/32   192.168.100.31           0             0 65000 i
 *>   41.41.41.41/32   192.168.100.41           0             0 65000 i
R11#

				
			
				
					'[DMVPN]'
R31#show dmvpn 
/*omitted*/
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 172.16.41.1      192.168.100.41    UP 00:05:52   DT1
                        192.168.100.41    UP 00:05:52   DT1
     1 172.16.11.1      192.168.100.11    UP 01:44:21     S
R31#

R31#show ip nhrp 
31.31.31.31/32 via 192.168.100.31
   Tunnel0 created 00:06:40, expire 00:03:19
   Type: dynamic, Flags: router unique local 
   NBMA address: 172.16.31.1 
    (no-socket) 
41.41.41.41/32 via 192.168.100.41
   Tunnel0 created 00:06:40, expire 00:03:19
   Type: dynamic, Flags: router used rib 
   NBMA address: 172.16.41.1 
192.168.100.11/32 via 192.168.100.11
   Tunnel0 created 01:45:20, never expire 
   Type: static, Flags: used 
   NBMA address: 172.16.11.1 
192.168.100.41/32 via 192.168.100.41
   Tunnel0 created 00:06:40, expire 00:03:19
   Type: dynamic, Flags: router nhop rib 
   NBMA address: 172.16.41.1 
R31#

'[Routing]'
R31#show ip bgp summary 
/*omitted*/
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.100.11  4        65011      28      24        7    0    0 00:16:31        1
R31#

R31#show ip route bgp
/*omitted*/
Gateway of last resort is 192.168.100.11 to network 0.0.0.0
B*    0.0.0.0/0 [20/0] via 192.168.100.11, 00:05:31
R31#

R31#show ip route nhrp 
/*omitted*/
Gateway of last resort is 192.168.100.11 to network 0.0.0.0
      41.0.0.0/32 is subnetted, 1 subnets
H        41.41.41.41 [250/255] via 192.168.100.41, 00:04:42, Tunnel0
      192.168.100.0/24 is variably subnetted, 3 subnets, 2 masks
H        192.168.100.41/32 is directly connected, 00:04:42, Tunnel0
R31#

R31#traceroute 41.41.41.41 source lo0
/*Type escape sequence to abort.
Tracing the route to 41.41.41.41
VRF info: (vrf in name/id, vrf out name/id)*/
  1 192.168.100.41 [AS 65011] 6 msec *  7 msec
R31#
				
			
				
					R41#
*Apr  6 03:04:56.829: BGP(0): 192.168.100.11 rcv UPDATE w/ attr: nexthop 192.168.100.31, origin i, originator 0.0.0.0, merged path 65011 65000, AS_PATH , community , extended community , SSA attribute 
*Apr  6 03:04:56.832: BGPSSA ssacount is 0, Tunnel attribute 
*Apr  6 03:04:56.832: Tunnel encap type: 0, encap size: 0
*Apr  6 03:04:56.833: BGP(0): 192.168.100.11 rcv UPDATE about 31.31.31.31/32 -- DENIED due to: AS-PATH contains our own AS;
R41#

				
			

IBGP

  • Spoke routers do not need to know any specific routes, so we can use a default route.
				
					'[Routing]'
R11#show ip bgp summary 
/*BGP router identifier 11.11.11.11, local AS number 65000
codes omitted*/
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*192.168.100.31 4        65000      13      12        6    0    0 00:06:21        1
*192.168.100.41 4        65000      11      14        6    0    0 00:05:46        1
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1

BGP peergroup DMVPN_SPOKES listen range group members: 
  192.168.100.0/24 

Total dynamically created neighbors: 2/(100 max), Subnet ranges: 1
R11#

R11#show ip bgp 
/*omitted*/
     Network          Next Hop            Metric LocPrf Weight Path
 *>   0.0.0.0          0.0.0.0                  0         32768 i
 *>i  31.31.31.31/32   192.168.100.31           0    100      0 i
 *>i  41.41.41.41/32   192.168.100.41           0    100      0 i
R11#

				
			
				
					'[DMVPN]'
R31#show dmvpn 
/*omitted*/
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 172.16.41.1      192.168.100.41    UP 00:02:45   DT1
                        192.168.100.41    UP 00:02:45   DT1
     1 172.16.11.1      192.168.100.11    UP 02:14:37     S
R31#

R31#show ip nhrp 
31.31.31.31/32 via 192.168.100.31
   Tunnel0 created 00:02:53, expire 00:07:06
   Type: dynamic, Flags: router unique local 
   NBMA address: 172.16.31.1 
    (no-socket) 
41.41.41.41/32 via 192.168.100.41
   Tunnel0 created 00:02:53, expire 00:07:06
   Type: dynamic, Flags: router used rib 
   NBMA address: 172.16.41.1 
192.168.100.11/32 via 192.168.100.11
   Tunnel0 created 02:14:56, never expire 
   Type: static, Flags: used 
   NBMA address: 172.16.11.1 
192.168.100.41/32 via 192.168.100.41
   Tunnel0 created 00:02:53, expire 00:07:06
   Type: dynamic, Flags: router nhop rib 
   NBMA address: 172.16.41.1 
R31#

'[Routing]'
R31#show ip bgp summary 
/*omitted*/
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.100.11  4        65000      13      15       11    0    0 00:07:54        1
R31#

R31#show ip route bgp
/*omitted*/
Gateway of last resort is 192.168.100.11 to network 0.0.0.0
B*    0.0.0.0/0 [200/0] via 192.168.100.11, 00:03:36
R31#

R31#show ip route nhrp 
/*omitted*/
Gateway of last resort is 192.168.100.11 to network 0.0.0.0
      41.0.0.0/32 is subnetted, 1 subnets
H        41.41.41.41 [250/255] via 192.168.100.41, 00:02:36, Tunnel0
      192.168.100.0/24 is variably subnetted, 3 subnets, 2 masks
H        192.168.100.41/32 is directly connected, 00:02:36, Tunnel0
R31#

R31#traceroute 41.41.41.41 source lo0
/*Type escape sequence to abort.
Tracing the route to 41.41.41.41
VRF info: (vrf in name/id, vrf out name/id)*/
  1 192.168.100.41 6 msec *  5 msec
R31#
				
			
