Embedded Files
Dual DMVPN
DMVPN stands for Dynamic Multipoint Virtual Private Network. It is basically a concept involving three different technologies- multipoint GRE (mGRE), Next-Hop Resolution Protocol (NHRP) and IPSec.
Traditional site-to-site IPSec VPNs require individual (point-to-point GRE or IPSec) tunnels between a pair of Hub and Branch routers. For all new branch routers, configurations need to be added on the Branch router as well as the Hub router. Also, traffic between Branch routers go through the Hub router.
Conversely, DMVPN uses mGRE tunnel which has multiple end-points and is treated as a non-broadcast multi-access (NBMA) network. DMVPN has evolved into 3 phases-
Phase 1: Hub and Spoke - mGRE at the Hub and p2p GRE at the Branch routers
Phase 2: Hub and Spoke with Spoke-to-spoke tunnels (mGRE at the Hub and Branch routers)
Phase 3: Same as Phase 2 but now Spoke routers can also respond to NHRP Requests.
This article discusses Phase 2.
DMVPN Components
1. mGRE - Multipoint GRE
mGRE serves as a one-to-many interface for the creation of multiple hub-and-spoke tunnels. The tunnel destination for an mGRE tunnel does not have to be configured. mGRE tunnel is effectively NBMA medium like Frame-Relay. A mechanism like ARP is required to map logical (tunnel) IP addresses to physical (NBMA) IP addresses. This is taken care by NHRP.
All the Hub routers are configured with mGRE tunnel interface. If Hub-and-Spoke model is to be deployed, the Branch routers are configured with p2p GRE tunnel interface only. However, if Spoke-to-Spoke model is to be deployed, the Branch routers must be configured with mGRE tunnel interface.
2. NHRP - Next-Hop Resolution Protocol
NHRP (RFC 2332) is a Layer-2 address resolution protocol like ARP and Frame-relay Inverse-ARP. NHRP is used by a Branch router connected to NBMA network to determine the IP address of the NBMA Next-Hop (physical address)- this could be the Hub router or another Branch router.
All Branch routers register their physical (NBMA) IP addresses mapped to logical (tunnel) IP addresses with the Next-Hop Server (NHS). The IP address of the NHS is pre-configured on the Branch routers. These Branch routers become Next-Hop Clients (NHC). The NHS stores all registered mappings and replies to NHRP Requests from NHCs. An NHS can be an NHC to another NHS and can forward NHRP Requests to its NHS if it cannot find a registered mapping in its database.
NHRP facilitates in building mGRE tunnels. NHRP allows mGRE tunnel endpoints to discover each other's physical IP address.
Sample Scenario - Dual DMVPN
A dual DMVPN cloud topology with spoke-to-spoke model consists of two Hub routers, each with mGRE tunnel interface(s) connecting all Branch routers. Each DMVPN cloud represents a unique subnet. One DMVPN cloud is considered Primary- this is preferred by all Branch routers to send traffic. The second DMVPN cloud is implemented to provide resiliency to the Primary DMVPN cloud.
mGRE Tunnel and IP Addressing
Tunnel 11 is the Primary tunnel while Tunnel 22 is the Backup tunnel. The tunnel mode gre multipoint command configures the tunnel as multipoint GRE tunnel. The tunnel destination is not configured; destination endpoints (Branch routers) are dynamically discovered.
All LAN subnets on all routers belong to 192.168.x.0/24 network. The Primary cloud belongs to 10.1.0.0/24 subnet and the Backup cloud belongs to 10.2.0.0/24 subnet. The WAN interfaces use public addresses.
Primary router
interface Serial 0/0 description WAN Interface ip address 172.16.1.1 255.255.255.0!interface Fastethernet 0/0 description LAN Interface ip address 192.168.0.1 255.255.255.0!interface Tunnel 11 ip address 10.0.1.1 255.255.255.0 tunnel mode gre multipoint tunnel source serial 0/0 tunnel key 123!Backup router
interface Serial 0/0 description WAN Interface ip address 172.26.1.1 255.255.255.0!interface Fastethernet 0/0 description LAN Interface ip address 192.168.0.2 255.255.255.0!interface Tunnel 22 ip address 10.0.2.1 255.255.255.0 tunnel mode gre multipoint tunnel source serial 0/0 tunnel key 456!Branch1 router
interface Serial 0/0 description WAN Interface ip address 172.36.1.1 255.255.255.0!interface Fastethernet 0/0 ip address 192.168.1.1 255.255.255.0!interface Tunnel 11 ip address 10.0.1.2 255.255.255.0 tunnel mode gre multipoint tunnel source serial 0/0 tunnel key 123!interface Tunnel 22 ip address 10.0.2.2 255.255.255.0 tunnel mode gre multipoint tunnel source serial 0/0 tunnel key 456!Branch2 router
interface Serial 0/0 description WAN Interface ip address 172.46.1.1 255.255.255.0!interface Fastethernet 0/0 ip address 192.168.2.1 255.255.255.0!interface Tunnel 11 ip address 10.0.1.3 255.255.255.0 tunnel mode gre multipoint tunnel source serial 0/0 tunnel key 123!interface Tunnel 22 ip address 10.0.2.3 255.255.255.0 tunnel mode gre multipoint tunnel source serial 0/0 tunnel key 456!Branch3 router
interface Serial 0/0 description WAN Interface ip address 172.56.1.1 255.255.255.0!interface Fastethernet 0/0 ip address 192.168.3.1 255.255.255.0!interface Tunnel 11 ip address 10.0.1.4 255.255.255.0 tunnel mode gre multipoint tunnel source serial 0/0 tunnel key 123!interface Tunnel 22 ip address 10.0.2.4 255.255.255.0 tunnel mode gre multipoint tunnel source serial 0/0 tunnel key 456!NHRP Configuration
The most basic commands to implement NHRP are as follows-
1) ip nhrp map <tunnel-ip> <physical-ip> command creates a static binding between a tunnel IP address and physical IP address. This command is usually configured on the Branch routers (who act as NHRP Clients) to provide the information to Branch routers to reach the tunnel address of the Hub.
2) ip nhrp map multicast <dynamic | static-ip> command specifies the destination(s) that will receive multicast/broadcast traffic. Spokes map multicast to the physical IP address of the Hub, and the Hub maps multicast packets to the dynamic mappings i.e. to all NHRP Clients registered to the Hub (NHRP Server). This is important for routing protocols to form adjacency and exchange routing updates.
3) ip nhrp nhs <server-ip> command specifies the NHRP Server to the Branch routers. The "Server IP Address" is the tunnel IP address.
4) ip nhrp authentication <key> command is optional. The key is in plain-text and is used to authenticate the NHRP Client. This must be same on all NHRP routers.
5) ip nhrp network-id <id> command identifies the logical network. This must be same on all NHRP routers.
6) ip nhrp holdtime <seconds> command specifies the hold-time value in registration requests. The NHS will keep the registration request cache for the hold-time period, and if no updates are received, it will flush them out.
Primary router
interface Tunnel11 ...... ip nhrp map multicast dynamic ip nhrp network-id 123 ip nhrp holdtime 60!Backup router
interface Tunnel22 ..... ip nhrp map multicast dynamic ip nhrp network-id 456 ip nhrp holdtime 60!The NHRP configuration on all Branch routers looks same.
All Branch routers
interface Tunnel11 .... ip nhrp map 10.0.1.1 172.16.1.1 ! Statically mapping Primary Hub Tunnel IP and Physical IP Addresses ip nhrp map multicast 172.16.1.1 ip nhrp nhs 10.0.1.1 ! Pre-configured NHRP Server- Primary Hub ip nhrp network-id 123 ip nhrp holdtime 60!interface Tunnel22 .... ip nhrp map 10.0.2.1 172.26.1.1 ! Statically mapping Backup Hub Tunnel IP and Physical IP Addresses ip nhrp map multicast 172.26.1.1 ip nhrp nhs 10.0.2.1 ! Pre-configured NHRP Server- Backup Hub ip nhrp network-id 456 ip nhrp holdtime 60!Routing Instances
We will use two separate instance of routing protocol on Hub and Branch routers- one for WAN domain (OSPF) and another for VPN domain (EIGRP).
For EIGRP, we need to disable split-horizon on Hub mGRE tunnel interface to ensure optimal forwarding. We also need to disable the default EIGRP behavior to overwrite the next-hop as itself. And lastly, we also need to tweak the metric in EIGRP for tunnels to prefer Primary over Backup.
Primary router
router ospf 1 ! WAN domain ! network 172.16.1.0 0.0.0.255 area 0!router eigrp 1 ! VPN domain ! no auto-summary network 10.0.0.0 network 192.168.0.0!interface Tunnel11 .... no ip split-horizon eigrp 1
no ip next-hop-self eigrp 1 ! This command is not required in DMVPN Phase 1 delay 5!Backup router
router ospf 1 ! WAN domain ! network 172.26.1.0 0.0.0.255 area 0!router eigrp 1 ! VPN domain ! no auto-summary network 10.0.0.0 network 192.168.0.0!interface Tunnel22 .... delay 10 no ip split-horizon eigrp 1 no ip next-hop-self eigrp 1 ! This command is not required in DMVPN Phase 1
!Branch routers
Branch1 router:router ospf 1 network 172.36.1.0 0.0.0.255 area 0!router eigrp 1 no auto-summary network 10.0.0.0 network 192.168.1.0!interface Tunnel11 .... delay 5!interface Tunnel22 .... delay 10!Branch2 router:router ospf 1 network 172.46.1.0 0.0.0.255 area 0!router eigrp 1 no auto-summary network 10.0.0.0 network 192.168.2.0!interface Tunnel11 .... delay 5!interface Tunnel22 .... delay 10!Branch3 router:router ospf 1 network 172.56.1.0 0.0.0.255 area 0!router eigrp 1 no auto-summary network 10.0.0.0 network 192.168.3.0!interface Tunnel11 .... delay 5!interface Tunnel22 .... delay 10!All the Spoke routers try to register their logical IP address to NBMA IP address mapping with the Hub. Each Spoke router has 2 tunnel interfaces to two different Hubs- Primary and Backup. Hence all Spoke routers send Registration Request packets to both Primary and Backup with its logical-to-NBMA address mapping. The following output shows Spoke1 router registering with two Hubs. The Hubs respond with Registration Reply packet to the Spoke routers.
NHRP Registration
Primary#*Mar 1 09:55:23.589: NHRP: Receive Registration Request via Tunnel11 vrf 0, packet size: 92*Mar 1 09:55:23.589: NHRP: netid_in = 123, to_us = 1*Mar 1 09:55:23.589: NHRP: Tu11: Creating dynamic multicast mapping NBMA: 172.36.1.1*Mar 1 09:55:23.589: NHRP: Attempting to send packet via DEST 10.0.1.2*Mar 1 09:55:23.593: NHRP: Encapsulation succeeded. Tunnel IP addr 172.36.1.1*Mar 1 09:55:23.593: NHRP: Send Registration Reply via Tunnel11 vrf 0, packet size: 112*Mar 1 09:55:23.597: src: 10.0.1.1, dst: 10.0.1.2*Mar 1 09:55:23.597: NHRP: 112 bytes out Tunnel11Backup#*Mar 1 09:54:59.585: NHRP: Receive Registration Request via Tunnel22 vrf 0, packet size: 92*Mar 1 09:54:59.585: NHRP: netid_in = 456, to_us = 1*Mar 1 09:54:59.585: NHRP: Tu22: Creating dynamic multicast mapping NBMA: 172.36.1.1*Mar 1 09:54:59.589: NHRP: Attempting to send packet via DEST 10.0.2.2*Mar 1 09:54:59.589: NHRP: Encapsulation succeeded. Tunnel IP addr 172.36.1.1*Mar 1 09:54:59.593: NHRP: Send Registration Reply via Tunnel22 vrf 0, packet size: 112*Mar 1 09:54:59.593: src: 10.0.2.1, dst: 10.0.2.2*Mar 1 09:54:59.593: NHRP: 112 bytes out Tunnel22This registration on the mGRE interface on the Hub router to build a dynamic tunnel back to the registering Branch/Spoke router without having to know the Branch tunnel destination statically. NHRP tells mGRE interface where to tunnel a packet to reach a certain address.
The NHRP cache can be viewed using show ip nhrp command. The Hubs learn the mappings dynamically and the Spoke routers have only a single static mapping via each tunnel interface in their NHRP cache.
NHRP Cache
Primary# show ip nhrp10.0.1.2/32 via 10.0.1.2, Tunnel11 created 07:57:45, expire 00:00:58 Type: dynamic, Flags: unique registered used NBMA address: 172.36.1.110.0.1.3/32 via 10.0.1.3, Tunnel11 created 00:36:01, expire 00:00:49 Type: dynamic, Flags: unique registered used NBMA address: 172.46.1.110.0.1.4/32 via 10.0.1.4, Tunnel11 created 00:03:49, expire 00:00:49 Type: dynamic, Flags: unique registered used NBMA address: 172.56.1.1Spoke3# show ip nhrp10.0.1.1/32 via 10.0.1.1, Tunnel11 created 00:14:53, never expire Type: static, Flags: used NBMA address: 172.16.1.110.0.2.1/32 via 10.0.2.1, Tunnel22 created 00:14:46, never expire Type: static, Flags: used NBMA address: 172.26.1.1The unique flag indicates that the Registration Request message had unique flag enabled. The NHS rejects all Registration Requests if the mapping in the message is already present or not unique. The used flag indicates that the router uses this mapping to switch IP packets.
All Branch routers learn about remote 192.168.x.0/24 networks via EIGRP over Tunnel 11 (Primary tunnel).
EIGRP routes
Spoke1# show ip route eigrpD 192.168.0.0/24 [90/284471296] via 10.0.1.1, 00:05:58, Tunnel11D 192.168.2.0/24 [90/284472576] via 10.0.1.3, 00:05:53, Tunnel11D 192.168.3.0/24 [90/284472576] via 10.0.1.4, 00:03:56, Tunnel11Spoke2# show ip route eigrpD 192.168.0.0/24 [90/284471296] via 10.0.1.1, 00:25:18, Tunnel11D 192.168.1.0/24 [90/284472576] via 10.0.1.2, 00:06:11, Tunnel11D 192.168.3.0/24 [90/284472576] via 10.0.1.4, 00:04:15, Tunnel11Spoke3# show ip route eigrpD 192.168.0.0/24 [90/284471296] via 10.0.1.1, 00:04:38, Tunnel11D 192.168.1.0/24 [90/284472576] via 10.0.1.2, 00:04:38, Tunnel11D 192.168.2.0/24 [90/284472576] via 10.0.1.3, 00:04:38, Tunnel11However, the CEF adjacency for prefixes connected to remote Branch router over the DMVPN cloud, are seen as invalid adjacency on the Branch3 routers. While the CEF adjacency for the next-hop is valid punt adjacency which means that the packet cannot be CEF-switched and need to be fast-switched or process-switched.
Spoke3# show ip cef 192.168.1.0192.168.1.0/24, version 33, epoch 00 packets, 0 bytes via 10.0.1.2, Tunnel11, 0 dependencies next hop 10.0.1.2, Tunnel11 invalid adjacencySpoke3# show ip cef 10.0.1.210.0.1.0/24, version 22, epoch 0, attached, connected0 packets, 0 bytes via Tunnel11, 0 dependencies valid punt adjacencyWhen Branch3 router tries to send packet to 192.168.1.0/24, it finds out that it has a punt adjacency for its next-hop of 10.0.1.2. Then Branch3 router attempts to send NHRP Resolution Request directly to its next-hop 10.0.1.2 i.e. Spoke1 router, but it fails as the NBMA address of Branch1 router is unknown. However, the Branch3 router continues to send packets via the NHS.
*Mar 1 08:36:58.865: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel11 netid-out 123*Mar 1 08:36:58.865: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list (Tunnel11).*Mar 1 08:36:58.869: NHRP: No node found.*Mar 1 08:36:58.869: NHRP: Sending packet to NHS 10.0.1.1 on Tunnel11*Mar 1 08:36:58.881: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list (Tunnel11).*Mar 1 08:36:58.881: NHRP: No node found.*Mar 1 08:36:58.881: NHRP: Attempting to send packet via DEST 10.0.1.2*Mar 1 08:36:58.885: NHRP: Send Resolution Request via Tunnel11 vrf 0, packet size: 72*Mar 1 08:36:58.885: src: 10.0.1.4, dst: 10.0.1.2*Mar 1 08:36:58.885: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1*Mar 1 08:36:58.889: shtl: 4(NSAP), sstl: 0(NSAP)*Mar 1 08:36:58.889: (M) flags: "router auth src-stable nat ", reqid: 129*Mar 1 08:36:58.889: src NBMA: 172.56.1.1*Mar 1 08:36:58.889: src protocol: 10.0.1.4, dst protocol: 10.0.1.2*Mar 1 08:36:58.893: (C-1) code: no error(0)*Mar 1 08:36:58.893: prefix: 0, mtu: 1514, hd_time: 60*Mar 1 08:36:58.893: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0*Mar 1 08:36:58.893: NHRP: Encapsulation failed for destination 10.0.1.2 out Tunnel11*Mar 1 08:36:58.897: NHRP: Attempting to send packet via NHS 10.0.1.1*Mar 1 08:36:58.897: NHRP: Encapsulation succeeded. Tunnel IP addr 172.16.1.1An NHRP packet contains 3 parts-
1. Fixed Part (F): It specifies the address-family (afn), protocol type (IP) as well as subnetwork type and length.
2. Mandatory Part (M): It specifies the flags and the request ID (reqid). It also includes the source NBMA address and source/destination protocol IP addresses.
3. Client Information Element (CIE C-1) part: It contains information about networks connected to requesting/responding routers.
The Spoke3 router then tries to send the Resolution Request to NHS. It contains the source NBMA address of Spoke3 router (itself) and tunnel source address of Spoke3 router and tunnel destination address of Spoke1 router.
*Mar 1 08:36:58.897: NHRP: Send Resolution Request via Tunnel11 vrf 0, packet size: 72*Mar 1 08:36:58.901: src: 10.0.1.4, dst: 10.0.1.1*Mar 1 08:36:58.901: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1*Mar 1 08:36:58.901: shtl: 4(NSAP), sstl: 0(NSAP)*Mar 1 08:36:58.901: (M) flags: "router auth src-stable nat ", reqid: 129*Mar 1 08:36:58.905: src NBMA: 172.56.1.1*Mar 1 08:36:58.905: src protocol: 10.0.1.4, dst protocol: 10.0.1.2*Mar 1 08:36:58.905: (C-1) code: no error(0)*Mar 1 08:36:58.905: prefix: 0, mtu: 1514, hd_time: 60*Mar 1 08:36:58.909: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0*Mar 1 08:36:58.909: NHRP: 72 bytes out Tunnel11*Mar 1 08:36:59.125: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel11 netid-out 123*Mar 1 08:36:59.125: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list (Tunnel11).*Mar 1 08:36:59.129: NHRP: No node found.*Mar 1 08:36:59.129: NHRP: Sending packet to NHS 10.0.1.1 on Tunnel11The request arrives at NHS. The NHS has a mapping for 10.0.1.2 in its NHRP cache. It responds with a Resolution Reply message with correct mapping in the Mandatory part.
*Mar 1 08:36:59.133: NHRP: Receive Resolution Request via Tunnel11 vrf 0, packet size: 92*Mar 1 08:36:59.137: (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1*Mar 1 08:36:59.137: shtl: 4(NSAP), sstl: 0(NSAP)*Mar 1 08:36:59.137: (M) flags: "router auth src-stable nat ", reqid: 2970*Mar 1 08:36:59.137: src NBMA: 172.36.1.1*Mar 1 08:36:59.137: src protocol: 10.0.1.2, dst protocol: 10.0.1.4*Mar 1 08:36:59.141: (C-1) code: no error(0)*Mar 1 08:36:59.141: prefix: 0, mtu: 1514, hd_time: 60*Mar 1 08:36:59.141: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0*Mar 1 08:36:59.141: NHRP: netid_in = 123, to_us = 1The Spoke3 router receives the Resolution Reply packet and hence its CEF adjacency is now completed for 10.0.1.2. It now attempts to send the packet directly to Spoke1 router rather than through Hub router.
*Mar 1 08:36:59.285: NHRP: Receive Resolution Reply via Tunnel11 vrf 0, packet size: 120*Mar 1 08:36:59.289: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1*Mar 1 08:36:59.289: shtl: 4(NSAP), sstl: 0(NSAP)*Mar 1 08:36:59.289: (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 129*Mar 1 08:36:59.289: src NBMA: 172.56.1.1*Mar 1 08:36:59.293: src protocol: 10.0.1.4, dst protocol: 10.0.1.2*Mar 1 08:36:59.293: (C-1) code: no error(0)*Mar 1 08:36:59.293: prefix: 32, mtu: 1514, hd_time: 59*Mar 1 08:36:59.293: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0*Mar 1 08:36:59.297: client NBMA: 172.36.1.1*Mar 1 08:36:59.297: client protocol: 10.0.1.2*Mar 1 08:36:59.297: NHRP: netid_in = 0, to_us = 1*Mar 1 08:36:59.297: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list (Tunnel11).*Mar 1 08:36:59.301: NHRP: No node found.*Mar 1 08:36:59.301: NHRP: No need to delay processing of resolution event nbma src:172.56.1.1 nbma dst:172.36.1.1The show ip cef command now shows that the CEF adjacency is completed. Also, the show ip nhrp command shows a dynamically learnt NHRP entry.
Spoke3# show ip cef 192.168.1.0192.168.1.0/24, version 65, epoch 00 packets, 0 bytes via 10.0.1.2, Tunnel11, 0 dependencies next hop 10.0.1.2, Tunnel11 valid adjacencySpoke3# show ip nhrp10.0.1.1/32 via 10.0.1.1, Tunnel11 created 00:10:37, never expire Type: static, Flags: used NBMA address: 172.16.1.110.0.1.2/32 via 10.0.1.2, Tunnel11 created 00:00:20, expire 00:00:54 Type: dynamic, Flags: router NBMA address: 172.36.1.110.0.1.4/32 via 10.0.1.4, Tunnel11 created 00:00:19, expire 00:00:40 Type: dynamic, Flags: router unique local NBMA address: 172.56.1.1 (no-socket)10.0.2.1/32 via 10.0.2.1, Tunnel22 created 00:10:30, never expire Type: static, Flags: used NBMA address: 172.26.1.1The router flag means that the mapping is either for the remote router or for a network behind the remote router.
Backup Hub into picture
When the Primary Hub is not available, all Spoke routers learn about remote prefixes through Tunnel 22 rather than Tunnel 11.
Prefixes learnt through Tunnel 22
Spoke1# show ip route eigrp 1D 192.168.0.0/24 [90/284472576] via 10.0.2.1, 00:06:04, Tunnel22D 192.168.2.0/24 [90/284475136] via 10.0.2.3, 00:00:26, Tunnel22D 192.168.3.0/24 [90/284475136] via 10.0.2.4, 00:06:02, Tunnel22Spoke2# show ip route eigrpD 192.168.0.0/24 [90/284472576] via 10.0.2.1, 00:00:43, Tunnel22D 192.168.1.0/24 [90/284475136] via 10.0.2.2, 00:00:43, Tunnel22D 192.168.3.0/24 [90/284475136] via 10.0.2.4, 00:00:43, Tunnel22Spoke3# show ip route eigrpD 192.168.0.0/24 [90/284472576] via 10.0.2.1, 00:06:35, Tunnel22D 192.168.1.0/24 [90/284475136] via 10.0.2.2, 00:06:32, Tunnel22D 192.168.2.0/24 [90/284475136] via 10.0.2.3, 00:00:57, Tunnel22Spoke3# show ip cef 192.168.1.0192.168.1.0/24, version 72, epoch 00 packets, 0 bytes via 10.0.2.2, Tunnel22, 0 dependencies next hop 10.0.2.2, Tunnel22 invalid adjacencyOnce again when Spoke3 router attempts to send packet to 192.168.1.0/24 prefix connected to Spoke1 router, first it tries to send the packet directly to Spoke1 router but since the CEF adjacency is not complete, the packets are forwarded to the Hub. However, the Spoke3 router also sends a Resolution Request packet for Backup NHS via Tunnel 22.
Backup#*Mar 1 18:11:13.611: NHRP: Receive Resolution Request via Tunnel22 vrf 0, packet size: 72*Mar 1 18:11:13.615: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1*Mar 1 18:11:13.615: shtl: 4(NSAP), sstl: 0(NSAP)*Mar 1 18:11:13.615: (M) flags: "router auth src-stable nat ", reqid: 195*Mar 1 18:11:13.615: src NBMA: 172.56.1.1*Mar 1 18:11:13.615: src protocol: 10.0.2.4, dst protocol: 10.0.2.2*Mar 1 18:11:13.619: (C-1) code: no error(0)*Mar 1 18:11:13.619: prefix: 0, mtu: 1514, hd_time: 60*Mar 1 18:11:13.619: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0The Backup NHS receives the Resolution Reply packet. It looks up its NHRP cache and finds a valid mapping. It responds with a Resolution Reply packet back to the Spoke3 router with correct mapping.
*Mar 1 18:11:13.623: NHRP: Forwarding Resolution Request via Tunnel22 vrf 0, packet size: 92*Mar 1 18:11:13.627: src: 10.0.2.1, dst: 10.0.2.2*Mar 1 18:11:13.627: (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1*Mar 1 18:11:13.627: shtl: 4(NSAP), sstl: 0(NSAP)*Mar 1 18:11:13.627: (M) flags: "router auth src-stable nat ", reqid: 195*Mar 1 18:11:13.631: src NBMA: 172.56.1.1*Mar 1 18:11:13.631: src protocol: 10.0.2.4, dst protocol: 10.0.2.2*Mar 1 18:11:13.631: (C-1) code: no error(0)*Mar 1 18:11:13.631: prefix: 0, mtu: 1514, hd_time: 60*Mar 1 18:11:13.631: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0The show ip nhrp command confirms the dynamically learnt mapping on Spoke3 router.
show ip nhrp
Spoke3# show ip nhrp10.0.1.1/32 via 10.0.1.1, Tunnel11 created 00:28:08, never expire Type: static, Flags: used NBMA address: 172.16.1.110.0.2.1/32 via 10.0.2.1, Tunnel22 created 00:28:01, never expire Type: static, Flags: used NBMA address: 172.26.1.110.0.2.2/32 via 10.0.2.2, Tunnel22 created 00:01:13, expire 00:00:23 Type: dynamic, Flags: router NBMA address: 172.36.1.110.0.2.4/32 via 10.0.2.4, Tunnel22 created 00:01:12, expire 00:00:05 Type: dynamic, Flags: router unique local NBMA address: 172.56.1.1 (no-socket)Adding IPSec
For simplicity, we will use pre-shared keys for authentication for IKE Phase 1 in IPSec. For most scalability, X.509 digital certificates and PKI must be used. For IKE Phase 2, we use IPSec Profiles with tunnel interfaces. This can be applied to tunnel interfaces using tunnel protection ipsec profile <profile-name> [shared] command. The shared keyword is used on Branch routers as the two mGRE tunnel interfaces use the same tunnel source (Serial 0/0). All the traffic passing through the tunnel will be protected by IPSec.
Since mGRE adds new IP header, the transport mode is used with IPSec. The IPSec configuration on all routers is as follows:
IPSec Configuration on Primary router
crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2crypto isakmp key cisco address 0.0.0.0 0.0.0.0!crypto ipsec transform-set TS esp-3des esp-md5-hmac mode transport!crypto ipsec profile DMVPN set transform-set TS!interface Tunnel 11 .... tunnel protection ipsec profile DMVPNIPSec Configuration on Backup router
crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2crypto isakmp key cisco address 0.0.0.0 0.0.0.0!crypto ipsec transform-set TS esp-3des esp-md5-hmac mode transport!crypto ipsec profile DMVPN set transform-set TS!interface Tunnel 22 .... tunnel protection ipsec profile DMVPNAll Branch routers share the same IPSec configuration.
IPSec Configuration on Branch routers
crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2crypto isakmp key cisco address 0.0.0.0 0.0.0.0!crypto ipsec transform-set TS esp-3des esp-md5-hmac mode transport!crypto ipsec profile DMVPN set transform-set TS!interface Tunnel 11 .... tunnel protection ipsec profile DMVPN shared!interface Tunnel 22 .... tunnel protection ipsec profile DMVPN sharedSince all Branch routers send mGRE encapsulated EIGRP Hello multicast packets towards the Hub routers over both tunnels, ISAKMP negotiations start between Branch routers and Hub routers.
Both, Branch and Hub routers will create IPSec SA for GRE protocol (value = 47).
Spoke3# show crypto isakmp saIPv4 Crypto ISAKMP SAdst src state conn-id slot status172.26.1.1 172.56.1.1 QM_IDLE 1002 0 ACTIVE172.16.1.1 172.56.1.1 QM_IDLE 1001 0 ACTIVEIPv6 Crypto ISAKMP SASpoke3# show crypto ipsec sainterface: Tunnel11 Crypto map tag: DMVPN-head-1, local addr 172.56.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0) current_peer 172.26.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 76, #pkts encrypt: 76, #pkts digest: 76 #pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.26.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0x6D677A69(1835498089) inbound esp sas: spi: 0x171FDA10(387963408) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 3, flow_id: SW:3, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4437345/3357) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x6D677A69(1835498089) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 4, flow_id: SW:4, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4437345/3357) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0) current_peer 172.16.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 75, #pkts encrypt: 75, #pkts digest: 75 #pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.16.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0xB4509812(3025180690) inbound esp sas: spi: 0xEF9D4CCB(4020063435) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 1, flow_id: SW:1, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4569056/3351) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xB4509812(3025180690) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 2, flow_id: SW:2, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4569056/3351) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:interface: Tunnel22 Crypto map tag: DMVPN-head-1, local addr 172.56.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0) current_peer 172.26.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 76, #pkts encrypt: 76, #pkts digest: 76 #pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.26.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0x6D677A69(1835498089) inbound esp sas: spi: 0x171FDA10(387963408) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 3, flow_id: SW:3, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4437345/3357) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x6D677A69(1835498089) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 4, flow_id: SW:4, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4437345/3357) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0) current_peer 172.16.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 75, #pkts encrypt: 75, #pkts digest: 75 #pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.16.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0xB4509812(3025180690) inbound esp sas: spi: 0xEF9D4CCB(4020063435) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 1, flow_id: SW:1, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4569056/3351) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xB4509812(3025180690) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 2, flow_id: SW:2, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4569056/3351) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:When Branch3 router sends packets to 192.168.1.0/24 connected to Branch1 router, Branch3 router tries to resolve the next-hop IP address using NHRP Resolution Request packets. The NHS provides the correct mapping- NBMA address 172.36.1.1 and tunnel IP address 10.0.1.2. Now Branch3 router tries to send the packets directly to Branch1 router. This triggers ISAKMP negotiation with NBMA address 172.36.1.1. This results in an IPSec SA corresponding to IP address pair 172.56.1.1,172.36.1.1 and GRE protocol (47).
Spoke3# show crypto isakmp saIPv4 Crypto ISAKMP SAdst src state conn-id slot status172.56.1.1 172.36.1.1 QM_IDLE 1003 0 ACTIVE172.26.1.1 172.56.1.1 QM_IDLE 1002 0 ACTIVE172.36.1.1 172.56.1.1 QM_IDLE 1004 0 ACTIVE172.16.1.1 172.56.1.1 QM_IDLE 1001 0 ACTIVEIPv6 Crypto ISAKMP SASpoke3# show crypto ipsec sainterface: Tunnel11 Crypto map tag: DMVPN-head-1, local addr 172.56.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0) current_peer 172.26.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150 #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.26.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0x6D677A69(1835498089) inbound esp sas: spi: 0x171FDA10(387963408) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 3, flow_id: SW:3, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4437335/3078) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x6D677A69(1835498089) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 4, flow_id: SW:4, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4437336/3078) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.36.1.1/255.255.255.255/47/0) current_peer 172.36.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.36.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0x665BD18E(1717293454) inbound esp sas: spi: 0xDED5217E(3738509694) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 7, flow_id: SW:7, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4477180/3502) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x665BD18E(1717293454) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 8, flow_id: SW:8, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4477180/3502) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0) current_peer 172.16.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 156, #pkts encrypt: 156, #pkts digest: 156 #pkts decaps: 157, #pkts decrypt: 157, #pkts verify: 157 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.16.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0xB4509812(3025180690) inbound esp sas: spi: 0xEF9D4CCB(4020063435) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 1, flow_id: SW:1, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4569045/3072) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xB4509812(3025180690) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 2, flow_id: SW:2, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4569046/3072) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:interface: Tunnel22 Crypto map tag: DMVPN-head-1, local addr 172.56.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0) current_peer 172.26.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150 #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.26.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0x6D677A69(1835498089) inbound esp sas: spi: 0x171FDA10(387963408) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 3, flow_id: SW:3, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4437335/3078) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x6D677A69(1835498089) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 4, flow_id: SW:4, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4437336/3078) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.36.1.1/255.255.255.255/47/0) current_peer 172.36.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.36.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0x665BD18E(1717293454) inbound esp sas: spi: 0xDED5217E(3738509694) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 7, flow_id: SW:7, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4477180/3502) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x665BD18E(1717293454) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 8, flow_id: SW:8, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4477180/3502) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0) current_peer 172.16.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 156, #pkts encrypt: 156, #pkts digest: 156 #pkts decaps: 157, #pkts decrypt: 157, #pkts verify: 157 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.16.1.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0 current outbound spi: 0xB4509812(3025180690) inbound esp sas: spi: 0xEF9D4CCB(4020063435) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 1, flow_id: SW:1, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4569045/3072) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xB4509812(3025180690) transform: esp-3des esp-md5-hmac , in use settings ={Transport, } conn id: 2, flow_id: SW:2, crypto map: DMVPN-head-1 sa timing: remaining key lifetime (k/sec): (4569046/3072) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:Page updated
Google Sites
Report abuse