Cisco DMVPN Phase 1 and OSPF routing Configuration and Verification
We will look at how to configure Cisco DMVPN Phase 1. Furthermore, we will run OSPF routing over the overlay, and all traffic between the routers will be encrypted with IPSec.
What is DMVPN
DMVPN is a combination of protocols (GRE, NHRP, IPSec etc.) which makes it possible to create a hub-and-spoke overlay network with minimum configuration effort, or to achieve a fully meshed network (Phase 3) with equally little effort.
For the theory and an idea of how everything works, I recommend reading In-depth look at Fortigate's ADVPN - Part I and In-depth look at Fortigate's ADVPN - Part II, where the theory behind the underlay and overlay network is almost the same. The difference is that Fortinet uses a proprietary extension of the IPSec/IKE protocol, whereas Cisco builds on GRE and NHRP with its own extensions. One can also do a Google search to get an idea of how DMVPN works.
In this blog post we configure DMVPN Phase 1, which means that from a routing perspective the network works as a hub-and-spoke topology: all communication between two spokes goes through the Hub.
Topology
Our topology is shown below -
[Figure: DMVPN Physical Topology]
We have a hub and three spokes. Hub1 is our NHRP server (NHS) and the spokes are NHRP clients. We will configure DMVPN Phase 1 and OSPF routing, and encrypt the traffic using IPSec. Spoke4 gets its WAN IP address from a DHCP server configured on Router1; we use it to show the behaviour of the NHRP unique flag.
The IP addressing is given in the table below (the spoke names follow the configuration sections and the router prompts later in the post) -

Site    | WAN                   | LAN            | DMVPN Tunnel    | Loopback
--------|-----------------------|----------------|-----------------|---------------
Hub1    | 172.16.0.2/30         | 192.168.1.1/24 | 192.168.10.1/24 | 192.168.0.1/32
Spoke2  | 172.16.0.6/30         | 192.168.2.1/24 | 192.168.10.2/24 | 192.168.0.2/32
Spoke3  | 172.16.0.10/30        | 192.168.3.1/24 | 192.168.10.3/24 | 192.168.0.3/32
Spoke4  | 172.16.0.14/30 (DHCP) | 192.168.4.1/24 | 192.168.10.4/24 | 192.168.0.4/32
Routing
We will use OSPF as the routing protocol between the hub and the spokes. We need to understand beforehand how our routing topology looks, in order to understand why we configure certain things in OSPF. The routing topology is shown below -
[Figure: DMVPN Routing Topology]
The most important thing to understand is that the Hub sees the network as point-to-multipoint (the Hub has one mGRE tunnel interface with a GRE session to each Spoke), and each Spoke sees the network as point-to-point (a Spoke has a GRE tunnel only to the Hub). So we configure OSPF plainly: on Hub1 the tunnel gets the OSPF network type point-to-multipoint, and on the Spokes it gets point-to-point. These two network types use different default hello/dead timers, and OSPF neighbors only form an adjacency when their timers match, so we also set the hello/dead timers explicitly to keep them identical across the whole topology.
Enough talking, let's start configuring -
Router1 Configuration
Router1 has nothing to do with the DMVPN topology itself. It is just the router that acts as default gateway for every site and provides WAN connectivity between the Hub and the Spokes (it stands in for the ISP).
interface GigabitEthernet0/0
ip address 172.16.0.1 255.255.255.252
!
interface GigabitEthernet0/1
ip address 172.16.0.5 255.255.255.252
!
interface GigabitEthernet0/2
ip address 172.16.0.9 255.255.255.252
!
interface GigabitEthernet0/3
ip address 172.16.0.13 255.255.255.252
!
!!! DHCP server for Spoke4 WAN address assignment
ip dhcp pool pool-172.16.0.12/30
network 172.16.0.12 255.255.255.252
dns-server 172.16.0.13
domain-name family.local
default-router 172.16.0.13
lease 0 8
!
Hub1 Configuration
Hub1 interface and IP configuration -
interface Loopback0
ip address 192.168.0.1 255.255.255.255
!
interface GigabitEthernet0/0
description WAN
ip address 172.16.0.2 255.255.255.252
!
interface GigabitEthernet0/3
description LAN
ip address 192.168.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.0.1
!
Hub1 GRE tunnel configuration -
interface Tunnel0
description DMVPN-OVERLAY
ip address 192.168.10.1 255.255.255.0
!!!Manually setting mtu and tcp-mss to avoid fragmentation
ip mtu 1400
ip tcp adjust-mss 1360
!!! NHRP network id: identifies which DMVPN network this tunnel interface belongs to. Locally significant only; it is not sent to peers.
ip nhrp network-id 1
!!! NHRP authentication string (maximum 8 characters). It is carried in cleartext inside the NHRP packets and only keeps DMVPN domains apart; the real protection of the control plane comes from IPSec below.
ip nhrp authentication NHRPKEY
!!! Adds every spoke that registers to the multicast replication list, so OSPF hellos and updates reach the spokes. Needed on the Hub only; spokes use the "multicast" keyword on their nhs statement instead.
ip nhrp map multicast dynamic
!!! As the Hub tunnel is multipoint, there is only a tunnel source and no tunnel destination
tunnel source GigabitEthernet0/0
!!! Defines the tunnel as multipoint GRE (mGRE)
tunnel mode gre multipoint
!!! The tunnel key identifies the tunnel interface when several tunnel interfaces use the same source interface. If configured, it must be the same on all routers (Hub and Spokes) in a DMVPN domain.
tunnel key 1
!
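The values 1400 and 1360 above are the usual conservative choice, and it is worth checking that they really fit under a 1500-byte WAN MTU with this transform set. The following Python is an added example, not part of the original post and not a Cisco tool: it estimates the on-wire size of a packet that enters the tunnel at the configured ip mtu, using GRE with tunnel key and IPSec transport mode with esp-aes (AES-128-CBC) plus esp-sha256-hmac. The header and trailer sizes are assumptions taken from the relevant RFCs (GRE key field, ESP header, CBC IV and block padding, truncated HMAC-SHA-256 ICV), not values reported by the routers.

```python
# Added example (not from the original post): estimate the on-wire size of a
# packet that enters the DMVPN tunnel at "ip mtu 1400" with the page's
# settings, GRE with "tunnel key" and IPsec transport mode using esp-aes
# (AES-128-CBC) + esp-sha256-hmac, and check that it fits a 1500-byte WAN MTU.
# Header and trailer sizes are assumptions taken from the RFCs, not values
# reported by the routers.

IPV4_HEADER = 20       # delivery IP header; transport mode keeps it as-is
GRE_HEADER = 4         # base GRE header (RFC 2784)
GRE_KEY_FIELD = 4      # extra field added by "tunnel key" (RFC 2890)
ESP_HEADER = 8         # SPI + sequence number (RFC 4303)
AES_CBC_IV = 16        # one AES block of IV in front of the ciphertext
AES_BLOCK = 16         # CBC needs plaintext + trailer padded to a block multiple
ESP_TRAILER = 2        # pad length + next header
ESP_ICV = 16           # HMAC-SHA-256-128 truncated ICV (RFC 4868), assumed for esp-sha256-hmac


def esp_padding(plaintext_len: int) -> int:
    """Padding bytes so that plaintext + ESP trailer is a whole number of AES blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK


def wire_size(inner_packet: int, tunnel_key: bool = True) -> int:
    """Bytes sent on the WAN for one inner IP packet of inner_packet bytes."""
    gre = GRE_HEADER + (GRE_KEY_FIELD if tunnel_key else 0)
    plaintext = gre + inner_packet                      # what ESP encrypts
    encrypted = AES_CBC_IV + plaintext + esp_padding(plaintext) + ESP_TRAILER
    return IPV4_HEADER + ESP_HEADER + encrypted + ESP_ICV


def max_inner_mtu(wan_mtu: int = 1500, tunnel_key: bool = True) -> int:
    """Largest "ip mtu" whose encrypted GRE packet still fits wan_mtu without fragmentation."""
    mtu = wan_mtu
    while wire_size(mtu, tunnel_key) > wan_mtu:
        mtu -= 1
    return mtu


def tcp_mss_for(ip_mtu: int) -> int:
    """TCP MSS for a given IP MTU: subtract a 20-byte IP and a 20-byte TCP header."""
    return ip_mtu - 40


if __name__ == "__main__":
    print("1400-byte inner packet on the wire:", wire_size(1400), "bytes")
    print("largest ip mtu that avoids fragmentation on a 1500-byte WAN:", max_inner_mtu())
    print("tcp adjust-mss for ip mtu 1400:", tcp_mss_for(1400))
```

With these assumptions a 1400-byte inner packet leaves the WAN interface as 1484 bytes, so 1400 leaves some headroom below 1500; the headroom is deliberate, because the ESP padding varies per packet and many providers run a slightly smaller MTU on the path. The value 1360 for ip tcp adjust-mss is simply 1400 minus the 40 bytes of IP and TCP headers.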
Hub1 OSPF routing configuration
router ospf 1
!!! No OSPF hellos on the WAN or LAN interfaces; adjacencies are formed over the tunnel only
passive-interface default
no passive-interface Tunnel0
!!! Loopback
network 192.168.0.1 0.0.0.0 area 0
!!! LAN
network 192.168.1.0 0.0.0.255 area 0
!!! DMVPN overlay
network 192.168.10.0 0.0.0.255 area 0
!
interface Loopback0
ip ospf network point-to-point
!
interface Tunnel0
!!! OSPF network type is p-to-mp (from HUB to each SPOKE)
ip ospf network point-to-multipoint
!!! Default OSPF p-to-mp timer is hello 30 sec, dead 120 sec. We are modifying that to 10/40 second, so that we do not need to change it in every Spoke.
ip ospf hello-interval 10
ip ospf dead-interval 40
ip ospf mtu-ignore
!
Hub1 IPSec encryption configuration -
We will run IKEv2/IPSec to encrypt our traffic through the GRE tunnel. One thing needs to be understood clearly: we run IPSec in transport mode, not tunnel mode. The reason is that our traffic is already encapsulated in a GRE packet whose outer IP header carries the WAN addresses, so it is enough to protect the payload (the GRE packet) with transport mode; tunnel mode would only wrap the packet in a second, redundant IP header. Note also that the keyring below uses a single wildcard pre-shared key (peer ANY with address 0.0.0.0 0.0.0.0) that every router shares, and the IKEv2 profile accepts any remote address: any device holding that key can authenticate to the Hub as a spoke. That is acceptable in a lab (test123 is a lab value), but for production give each spoke its own peer entry with its own key, or better, authenticate the routers with certificates (authentication remote/local rsa-sig with a PKI trustpoint) instead of pre-share.
crypto ikev2 keyring Dmvpn-Keyring
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key test123
!
crypto ikev2 proposal Dmvpn-Ike-Proposal
encryption aes-cbc-256
integrity sha256
group 15
!
crypto ikev2 policy Dmvpn-Ike-Policy
proposal Dmvpn-Ike-Proposal
!
crypto ikev2 profile Dmvpn-Ike-Profile
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local Dmvpn-Keyring
lifetime 28800
!
!
!!! esp-aes is 128-bit AES-CBC with SHA-256 HMAC integrity ("esp-aes 256" would select 256-bit AES)
crypto ipsec transform-set Dmvpn-Ipsec-Tset esp-aes esp-sha256-hmac
!!! IPSec in transport mode
mode transport
!
crypto ipsec profile Dmvpn-Ipsec-Profile
set transform-set Dmvpn-Ipsec-Tset
set pfs group15
set security-association lifetime seconds 3600
set ikev2-profile Dmvpn-Ike-Profile
!
!
interface Tunnel0
!!! Activating IPSec on the tunnel interface
tunnel protection ipsec profile Dmvpn-Ipsec-Profile
!
Spoke2 Configuration
Spoke2 and Spoke3 have the same configuration; the only difference is their interface IP addresses. We show only the Spoke2 configuration.
Spoke2 interface and IP configuration -
interface Loopback0
ip address 192.168.0.2 255.255.255.255
!
interface GigabitEthernet0/0
description WAN
ip address 172.16.0.6 255.255.255.252
!
interface GigabitEthernet0/3
description LAN
ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.0.5
!
Spoke2 GRE tunnel configuration -
interface Tunnel0
description DMVPN-Overlay
ip address 192.168.10.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp network-id 1
ip nhrp authentication NHRPKEY
!!! Defining NHRP server (hub's address information)
ip nhrp nhs 192.168.10.1 nbma 172.16.0.2 multicast
tunnel source GigabitEthernet0/0
!!! As this is a GRE p-to-p tunnel we need a tunnel destination, which is Hub1's WAN IP address
tunnel destination 172.16.0.2
tunnel key 1
!!! In Phase 1 the spoke tunnel is point-to-point GRE. This is the default tunnel mode, shown here for clarity.
tunnel mode gre ip
!!! Ties the tunnel line-protocol state to the reachability of the NHRP NHS (Hub), and if the NHS is unreachable, the tunnel line-protocol state changes to down.
if-state nhrp
!
Spoke2 OSPF routing configuration -
router ospf 1
!!! No OSPF hellos on the WAN or LAN interfaces; the adjacency is formed over the tunnel only
passive-interface default
no passive-interface Tunnel0
!!! Loopback
network 192.168.0.2 0.0.0.0 area 0
!!! LAN
network 192.168.2.0 0.0.0.255 area 0
!!! DMVPN overlay
network 192.168.10.0 0.0.0.255 area 0
!
interface Loopback0
ip ospf network point-to-point
!
interface Tunnel0
!!! Network type is p-to-p, as a spoke forms an adjacency with the Hub only
ip ospf network point-to-point
ip ospf mtu-ignore
!!! For p-to-p the default hello/dead is already 10/40; it is set explicitly so that it visibly matches the Hub's p-to-mp timers
ip ospf hello-interval 10
ip ospf dead-interval 40
!
Spoke2 IPSec encryption configuration -
We will run IKEv2/IPSec to encrypt our traffic through the GRE tunnel, and we run IPSec in transport mode for the reason given in the Hub1 configuration. The same remark about the shared wildcard pre-shared key applies here.
crypto ikev2 keyring Dmvpn-Keyring
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key test123
!
crypto ikev2 proposal Dmvpn-Ike-Proposal
encryption aes-cbc-256
integrity sha256
group 15
!
crypto ikev2 policy Dmvpn-Ike-Policy
proposal Dmvpn-Ike-Proposal
!
crypto ikev2 profile Dmvpn-Ike-Profile
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local Dmvpn-Keyring
lifetime 28800
!
!
crypto ipsec transform-set Dmvpn-Ipsec-Tset esp-aes esp-sha256-hmac
!!! IPSec in transport mode
mode transport
!
crypto ipsec profile Dmvpn-Ipsec-Profile
set transform-set Dmvpn-Ipsec-Tset
set pfs group15
set security-association lifetime seconds 3600
set ikev2-profile Dmvpn-Ike-Profile
!
!
interface Tunnel0
!!! Activating IPSec on the tunnel interface
tunnel protection ipsec profile Dmvpn-Ipsec-Profile
!
Spoke4 Configuration
The only difference between Spoke4 and the other spokes is that Spoke4's WAN interface address is allocated by DHCP. Because of that we need one extra command in the tunnel configuration. By default a spoke registers with the NHRP "unique" flag set, which tells the Hub (NHS) not to let a different NBMA address overwrite the cache entry for this tunnel IP while that entry is alive. When the ISP hands Spoke4 a new WAN address, a registration carrying the unique flag would be refused until the old mapping expires, so Spoke4 registers with no-unique, which allows the Hub to replace the NBMA address in its NHRP cache immediately.
Spoke4 interface, IP and tunnel configuration -
interface GigabitEthernet0/0
description WAN
!!! DHCP assigned IP address
ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
interface Tunnel0
description DMVPN-Overlay
ip address 192.168.10.4 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication NHRPKEY
ip nhrp network-id 1
ip nhrp nhs 192.168.10.1 nbma 172.16.0.2 multicast
!!! Register without the NHRP unique flag, so the Hub (NHS) accepts a new NBMA address for this tunnel IP after a DHCP change
ip nhrp registration no-unique
tunnel source GigabitEthernet0/0
tunnel destination 172.16.0.2
tunnel key 1
if-state nhrp
!
All other configuration (loopback, LAN, OSPF and IPSec) is exactly the same as on Spoke2, so it is not repeated here.
Verification
We start our verification with DMVPN status from Hub1 and Spoke2 -
Hub1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.16.0.6 192.168.10.2 UP 01:12:20 D
1 172.16.0.10 192.168.10.3 UP 01:11:45 D
1 172.16.0.14 192.168.10.4 UP 01:11:37 D
Hub1#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 192.168.10.1, VRF ""
Tunnel Src./Dest. addr: 172.16.0.2/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "Dmvpn-Ipsec-Profile"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 3
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 172.16.0.6 192.168.10.2 UP 01:12:27 D 192.168.10.2/32
1 172.16.0.10 192.168.10.3 UP 01:11:52 D 192.168.10.3/32
1 172.16.0.14 192.168.10.4 UP 01:11:44 D 192.168.10.4/32
We can see from the output of Hub1 above that it has three dynamic peers (Attrb D), the tunnel is running as mGRE ("multi-GRE/IP") and is protected by the IPSec profile named "Dmvpn-Ipsec-Profile". "Interface State Control: Disabled" is expected on the Hub, since if-state nhrp is configured on the spokes only.
Spoke2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.16.0.2 192.168.10.1 UP 01:16:45 S
Spoke2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 192.168.10.2, VRF ""
Tunnel Src./Dest. addr: 172.16.0.6/172.16.0.2, Tunnel VRF ""
Protocol/Transport: "GRE/IP", Protect "Dmvpn-Ipsec-Profile"
Interface State Control: Enabled
nhrp event-publisher : Disabled
IPv4 NHS:
192.168.10.1 RE NBMA Address: 172.16.0.2 priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 172.16.0.2 192.168.10.1 UP 01:16:47 S 192.168.10.1/32
From the above output of Spoke2 we can see that it has only one DMVPN peer, the Hub, which is statically defined (Attrb S); the tunnel is running in point-to-point GRE mode ("GRE/IP") and is protected by IPSec. The "IPv4 NHS" line shows the Hub's NBMA address and the NHS status (see the legend at the top of the output), and "Interface State Control: Enabled" confirms that if-state nhrp is active.
Hub1#show ip nhrp
192.168.10.2/32 via 192.168.10.2
Tunnel0 created 01:25:25, expire 01:54:34
Type: dynamic, Flags: unique registered used nhop
NBMA address: 172.16.0.6
192.168.10.3/32 via 192.168.10.3
Tunnel0 created 01:24:50, expire 01:55:10
Type: dynamic, Flags: unique registered used nhop
NBMA address: 172.16.0.10
192.168.10.4/32 via 192.168.10.4
Tunnel0 created 01:24:42, expire 01:55:14
Type: dynamic, Flags: registered used nhop
NBMA address: 172.16.0.14
From the above output we can see that Hub1 has three NHRP mappings in its cache, all learned dynamically from spoke registrations. For Spoke4 (DHCP-assigned WAN address) the entry is flagged "registered" but not "unique", which is the effect of ip nhrp registration no-unique on that spoke.
Spoke2#show ip nhrp
192.168.10.1/32 via 192.168.10.1
Tunnel0 created 01:36:22, never expire
Type: static, Flags:
NBMA address: 172.16.0.2
From the above output we can see that Spoke2 has only Hub1 in its NHRP cache, and that this entry is static (from the ip nhrp nhs statement) and never expires.
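In a real deployment the Hub's NHRP cache is the place to check that exactly the expected spokes have registered and from where. As an added example (not part of the original post and not a Cisco tool), the following Python parses the Hub1 show ip nhrp output shown above and audits it against the address table: every expected spoke must have a registered entry, spokes with a fixed WAN address must register from their known NBMA address, any tunnel IP that is not in the table is reported, and entries without the "unique" flag are listed separately. The sample text is the page's own Hub1 output reproduced inline; the expected mapping, the dataclass and the function names are assumptions made for this example.

```python
# Added example (not from the original post): parse "show ip nhrp" from the
# Hub and audit the NHRP cache against the expected spoke set. The sample
# output is the page's Hub1 output reproduced inline; EXPECTED and the helper
# names are assumptions for this example.
from __future__ import annotations

import re
from dataclasses import dataclass, field

SHOW_IP_NHRP = """\
192.168.10.2/32 via 192.168.10.2
   Tunnel0 created 01:25:25, expire 01:54:34
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 172.16.0.6
192.168.10.3/32 via 192.168.10.3
   Tunnel0 created 01:24:50, expire 01:55:10
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 172.16.0.10
192.168.10.4/32 via 192.168.10.4
   Tunnel0 created 01:24:42, expire 01:55:14
   Type: dynamic, Flags: registered used nhop
   NBMA address: 172.16.0.14
"""

# Expected tunnel IP -> NBMA (WAN) address from the page's address table.
# Spoke4 gets its WAN address from DHCP, so it has no fixed expectation (None).
EXPECTED = {
    "192.168.10.2": "172.16.0.6",
    "192.168.10.3": "172.16.0.10",
    "192.168.10.4": None,
}


@dataclass
class NhrpEntry:
    prefix: str
    next_hop: str
    nbma: str = ""
    entry_type: str = ""
    flags: set = field(default_factory=set)


HEADER_RE = re.compile(r"^(\S+/\d+) via (\S+)")
TYPE_RE = re.compile(r"Type: (\w+), Flags:(.*)$")
NBMA_RE = re.compile(r"NBMA address: (\S+)")


def parse_show_ip_nhrp(text: str) -> list[NhrpEntry]:
    """Turn the multi-line "show ip nhrp" output into one NhrpEntry per prefix."""
    entries: list[NhrpEntry] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(NhrpEntry(prefix=m.group(1), next_hop=m.group(2)))
            continue
        if not entries:
            continue  # indented detail line before any header; ignore
        m = TYPE_RE.search(line)
        if m:
            entries[-1].entry_type = m.group(1)
            entries[-1].flags = set(m.group(2).split())
            continue
        m = NBMA_RE.search(line)
        if m:
            entries[-1].nbma = m.group(1)
    return entries


def audit_hub_cache(entries: list[NhrpEntry], expected: dict) -> tuple[list[str], list[str]]:
    """Return (problems, non_unique): findings that need attention, and the
    tunnel IPs registered without the NHRP "unique" flag (expected for DHCP spokes)."""
    by_tunnel = {e.next_hop: e for e in entries}
    problems: list[str] = []
    non_unique: list[str] = []
    for tunnel_ip, nbma in expected.items():
        e = by_tunnel.get(tunnel_ip)
        if e is None:
            problems.append(f"{tunnel_ip}: no NHRP entry, spoke has not registered")
            continue
        if "registered" not in e.flags:
            problems.append(f"{tunnel_ip}: entry did not come from a registration ({e.entry_type})")
        if nbma is not None and e.nbma != nbma:
            problems.append(f"{tunnel_ip}: NBMA {e.nbma} differs from expected {nbma}")
        if "unique" not in e.flags:
            non_unique.append(tunnel_ip)
    for tunnel_ip, e in by_tunnel.items():
        if tunnel_ip not in expected:
            problems.append(f"{tunnel_ip}: unexpected registration from NBMA {e.nbma}")
    return problems, non_unique


if __name__ == "__main__":
    found = parse_show_ip_nhrp(SHOW_IP_NHRP)
    issues, dhcp_like = audit_hub_cache(found, EXPECTED)
    print("problems:", issues or "none")
    print("registered without unique flag:", dhcp_like)
```

Run against the page's output the audit reports no problems and lists only 192.168.10.4 as registered without the unique flag, which is exactly what the no-unique spoke should look like. A tunnel IP outside the table, or a fixed-address spoke registering from a different NBMA address, is worth investigating, because with a shared wildcard pre-shared key the NHRP cache is the first place where an unexpected device that holds the key becomes visible.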
Hub1#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.16.0.1 to network 0.0.0.0
192.168.0.0/32 is subnetted, 4 subnets
O 192.168.0.2 [110/1001] via 192.168.10.2, 01:35:25, Tunnel0
O 192.168.0.3 [110/1001] via 192.168.10.3, 01:34:51, Tunnel0
O 192.168.0.4 [110/1001] via 192.168.10.4, 01:34:41, Tunnel0
O 192.168.2.0/24 [110/1001] via 192.168.10.2, 01:35:25, Tunnel0
O 192.168.3.0/24 [110/1001] via 192.168.10.3, 01:34:51, Tunnel0
O 192.168.4.0/24 [110/1001] via 192.168.10.4, 01:34:41, Tunnel0
We can see from the routing table of Hub1 that it has a route to every Spoke's loopback and LAN network, each with the Spoke's own tunnel address as next hop over Tunnel0.
Spoke2#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.16.0.5 to network 0.0.0.0
192.168.0.0/32 is subnetted, 4 subnets
O 192.168.0.1 [110/1001] via 192.168.10.1, 01:36:13, Tunnel0
O 192.168.0.3 [110/2001] via 192.168.10.1, 01:35:29, Tunnel0
O 192.168.0.4 [110/2001] via 192.168.10.1, 01:35:29, Tunnel0
O 192.168.1.0/24 [110/1001] via 192.168.10.1, 01:36:13, Tunnel0
O 192.168.3.0/24 [110/2001] via 192.168.10.1, 01:35:29, Tunnel0
O 192.168.4.0/24 [110/2001] via 192.168.10.1, 01:35:29, Tunnel0
192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
O 192.168.10.1/32 [110/1000] via 192.168.10.1, 01:36:13, Tunnel0
From the Spoke2 routing table we can see that it also has full connectivity, but every route, including those for the other spokes' networks (cost 2001, one hop further), points to Hub1's tunnel address as next hop. That is the hub-and-spoke topology of Phase 1: spoke-to-spoke traffic always transits the Hub.
Remarks
With DMVPN Phase 1 the routing topology is such that spoke-to-spoke communication goes through the Hub, which is normal for a hub-and-spoke topology. We can instead build a fully meshed topology, where a spoke talks directly to another spoke without going through the Hub first, by activating DMVPN Phase 3 with just a few additional commands on the Hub and the Spokes.
In the next blog post we will configure exactly that (DMVPN Phase 3).