2547oDMVPN
2547oDMVPN is another name for MPLS VPN over DMVPN. The solution extends MPLS VPN to the branches: MPLS VPN is implemented in the enterprise network, while the Service Provider core network still runs a pure IP network.
Cisco recommends that, to seamlessly extend the MPLS VPN network to branches (spokes), the DMVPN Hub must be a P-device that label switches packets between Hub and Spokes. The P-device (DMVPN Hub) establishes an LDP neighbor relationship with the Branch routers, which act as MPLS VPN PE routers.
This article demonstrates a scenario with Dual DMVPN Hubs (for resiliency) acting as P-routers (P1-Hub and P2-Hub). Although DMVPN can dynamically create Branch-to-Branch tunnels, that capability is not available in MPLS VPN over DMVPN, because an MPLS network requires packets to be label switched all the way to the PE routers. All the Branch routers in this solution become PE routers, and they perform label imposition and label switching. When a dynamic tunnel is set up Branch-to-Branch, label imposition for this tunnel is not available. Hence, all Branch-to-Branch label switching is implemented through the Hub.
Since two hub routers (P1-Hub as Primary DMVPN Hub and P2-Hub as Backup DMVPN Hub) are implemented, two different tunnels will be configured on Br11-PE, Br12a-PE and Br12b-PE Branch routers for redundancy. When the Primary tunnel fails, after routing protocol convergence, the traffic can pass through the Backup tunnel.
The Route-Reflector (RR) router forms BGP adjacency with all PE devices in the enterprise network. This RR is responsible for distributing VPN routes between PE devices.
At a Branch location, the Br12a-PE and Br12b-PE routers implement HSRP for high availability. The MPLS network supports two VRFs: IT_DEPT and ENGG_DEPT.
The following table provides the NBMA address to Tunnel IP address mapping for relevant routers.
MPLS VPN Configuration
All PE routers will have two VRFs configured as follows:
VRF Configuration

ip vrf IT_DEPT
 rd 1:1
 route-target both 1:1
!
ip vrf ENGG_DEPT
 rd 1:2
 route-target both 1:2

The Campus-PE and Br11-PE routers have similar configuration as below:
Campus-PE MPLS VPN Configuration

interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface fastethernet 0/1
 no shutdown
!
interface fastethernet 0/1.100
 ip vrf forwarding IT_DEPT
 encapsulation dot1q 100
 ip address 192.168.11.1 255.255.255.0
!
interface fastethernet 0/1.200
 ip vrf forwarding ENGG_DEPT
 encapsulation dot1q 200
 ip address 192.168.12.1 255.255.255.0
!
router bgp 100
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback 0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family ipv4 vrf IT_DEPT
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf ENGG_DEPT
  redistribute connected
 exit-address-family
!

Br11-PE MPLS VPN Configuration

interface Loopback 0
 ip address 5.5.5.5 255.255.255.255
 ip ospf 1 area 0
!
interface fastethernet 1/0
 no shutdown
!
interface fastethernet 1/0.100
 ip vrf forwarding IT_DEPT
 encapsulation dot1q 100
 ip address 192.168.21.1 255.255.255.0
!
interface fastethernet 1/0.200
 ip vrf forwarding ENGG_DEPT
 encapsulation dot1q 200
 ip address 192.168.22.1 255.255.255.0
!
router bgp 100
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback 0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family ipv4 vrf IT_DEPT
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf ENGG_DEPT
  redistribute connected
 exit-address-family
!

The Br12a-PE and Br12b-PE routers also have HSRP configuration for better resiliency. Br12a-PE is configured as the Active HSRP router for both VRFs by setting its priority higher than the default of 100. The configuration is as follows:
Br12a-PE MPLS VPN Configuration

interface Loopback 0
 ip address 6.6.6.6 255.255.255.255
 ip ospf 1 area 0
!
interface fastethernet 0/1
 no shutdown
!
interface fastethernet 0/1.100
 encapsulation dot1q 100
 ip vrf forwarding IT_DEPT
 ip address 192.168.31.2 255.255.255.0
 ! HSRP for IT_DEPT VRF
 standby 1 ip 192.168.31.1
 standby 1 preempt
 standby 1 priority 105
 standby 1 track 10 decrement 10
 standby 1 track 20 decrement 10
!
interface fastethernet 0/1.200
 encapsulation dot1q 200
 ip vrf forwarding ENGG_DEPT
 ip address 192.168.32.2 255.255.255.0
 ! HSRP for ENGG_DEPT VRF
 standby 2 ip 192.168.32.1
 standby 2 preempt
 standby 2 priority 105
 standby 2 track 10 decrement 10
 standby 2 track 20 decrement 10
!
! Tracking Primary Tunnel line-protocol and reachability
track 10 interface Tunnel 11 line-protocol
! /32 host route to the Primary Hub tunnel address, matching the show track output
track 20 ip route 192.168.100.1 255.255.255.255 reachability
!
router bgp 100
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback 0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family ipv4 vrf IT_DEPT
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf ENGG_DEPT
  redistribute connected
 exit-address-family
!

Br12b-PE MPLS VPN Configuration

interface Loopback 0
 ip address 7.7.7.7 255.255.255.255
 ip ospf 1 area 0
!
interface fastethernet 0/1
 no shutdown
!
interface fastethernet 0/1.100
 encapsulation dot1q 100
 ip vrf forwarding IT_DEPT
 ip address 192.168.31.3 255.255.255.0
 ! HSRP for IT_DEPT VRF
 standby 1 ip 192.168.31.1
 standby 1 preempt
 standby 1 track 10 decrement 10
 standby 1 track 20 decrement 10
!
interface fastethernet 0/1.200
 encapsulation dot1q 200
 ip vrf forwarding ENGG_DEPT
 ip address 192.168.32.3 255.255.255.0
 ! HSRP for ENGG_DEPT VRF
 standby 2 ip 192.168.32.1
 standby 2 preempt
 standby 2 track 10 decrement 10
 standby 2 track 20 decrement 10
!
! Tracking Backup Tunnel line-protocol and reachability
track 10 interface Tunnel 22 line-protocol
 ! Delay reporting the tracked object as Up for 20 seconds
 delay up 20
! /32 host route to the Backup Hub tunnel address
track 20 ip route 192.168.200.1 255.255.255.255 reachability
 delay up 20
!
router bgp 100
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback 0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family ipv4 vrf IT_DEPT
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf ENGG_DEPT
  redistribute connected
 exit-address-family
!

MP-BGP Configuration
The Route-Reflector (RR) is responsible for distributing VRF prefixes between PE routers. All PE routers are clients of the RR.
RR Configuration

router bgp 100
 ! This causes the RR to accept all VRF prefixes i.e. ignore Route-Target
 no bgp default route-target filter
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback 0
 neighbor 5.5.5.5 remote-as 100
 neighbor 5.5.5.5 update-source Loopback 0
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loopback 0
 neighbor 7.7.7.7 remote-as 100
 neighbor 7.7.7.7 update-source Loopback 0
 !
 address-family vpnv4
  ! Campus-PE router
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 route-reflector-client
  ! Br11-PE router
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 route-reflector-client
  ! Br12a-PE router
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 route-reflector-client
  ! Br12b-PE router
  neighbor 7.7.7.7 activate
  neighbor 7.7.7.7 route-reflector-client
!

DMVPN Configuration
P1-Hub router is the Primary DMVPN Hub. It is also a P-router for MPLS VPN network.
P1-Hub Tunnel Configuration

interface Tunnel 11
 ip address 192.168.100.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Fastethernet 0/1
 tunnel key 123
 ! Enables LDP on this tunnel interface
 mpls ip
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 240
 ip ospf 1 area 0
 ! This will cause all the traffic to pass through the Hub
 ip ospf network point-to-multipoint
 ! This causes this tunnel interface to be preferred
 ip ospf cost 10

P2-Hub is a Backup NHS for the DMVPN cloud. Again, this router is also a P-router for MPLS VPN network.
P2-Hub Tunnel Configuration

interface Tunnel 22
 ip address 192.168.200.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Fastethernet 0/1
 tunnel key 456
 mpls ip
 ip nhrp map multicast dynamic
 ip nhrp network-id 456
 ip nhrp holdtime 240
 ip ospf 1 area 0
 ip ospf network point-to-multipoint
 ip ospf cost 100
!

Br11-PE router has two tunnel interfaces. Primary tunnel is preferred over backup tunnel.
Br11-PE Tunnel Configuration

interface Tunnel 11
 ip address 192.168.100.2 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Fastethernet 0/0
 tunnel key 123
 mpls ip
 ip nhrp nhs 192.168.100.1
 ip nhrp map 192.168.100.1 10.35.1.1
 ip nhrp map multicast 10.35.1.1
 ip nhrp network-id 123
 ip nhrp holdtime 240
 ip ospf 1 area 0
 ip ospf network point-to-multipoint
 ip ospf cost 10
!
interface Tunnel 22
 ip address 192.168.200.2 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Fastethernet 0/1
 tunnel key 456
 mpls ip
 ip nhrp nhs 192.168.200.1
 ip nhrp map 192.168.200.1 10.46.1.1
 ip nhrp map multicast 10.46.1.1
 ip nhrp network-id 456
 ip nhrp holdtime 240
 ip ospf 1 area 0
 ip ospf network point-to-multipoint
 ip ospf cost 100
!

Br12a-PE router has the Primary Tunnel while Br12b-PE router has the Backup tunnel.
Br12a-PE Tunnel Configuration

interface Tunnel 11
 ip address 192.168.100.3 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Fastethernet 0/0
 tunnel key 123
 mpls ip
 ip nhrp nhs 192.168.100.1
 ip nhrp map 192.168.100.1 10.35.1.1
 ip nhrp map multicast 10.35.1.1
 ip nhrp network-id 123
 ip nhrp holdtime 240
 ip ospf 1 area 0
 ip ospf network point-to-multipoint
 ip ospf cost 10
!

Br12b-PE Tunnel Configuration

interface Tunnel 22
 ip address 192.168.200.3 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Fastethernet 0/1
 tunnel key 456
 mpls ip
 ip nhrp nhs 192.168.200.1
 ip nhrp map 192.168.200.1 10.46.1.1
 ip nhrp map multicast 10.46.1.1
 ip nhrp network-id 456
 ip nhrp holdtime 240
 ip ospf 1 area 0
 ip ospf network point-to-multipoint
 ip ospf cost 100
!

Verification
All Branch routers send Registration Request messages with their NBMA-to-Tunnel IP address mapping to the NHS. Both the P1-Hub (Primary) and P2-Hub (Backup) NHS learn these mappings and respond with a Registration Reply message.
NHRP Mapping on Hub routers

P1-Hub# show ip nhrp
192.168.100.2/32 via 192.168.100.2, Tunnel11 created 00:04:14, expire 00:03:24
  Type: dynamic, Flags: unique registered used
  NBMA address: 10.57.1.2
192.168.100.3/32 via 192.168.100.3, Tunnel11 created 00:03:37, expire 00:02:41
  Type: dynamic, Flags: unique registered
  NBMA address: 10.68.1.2

P2-Hub# show ip nhrp
192.168.200.2/32 via 192.168.200.2, Tunnel22 created 00:04:51, expire 00:02:48
  Type: dynamic, Flags: unique registered
  NBMA address: 10.67.1.2
192.168.200.3/32 via 192.168.200.3, Tunnel22 created 00:04:08, expire 00:03:31
  Type: dynamic, Flags: unique registered used
  NBMA address: 10.69.1.2

Once NHRP mapping is completed, OSPF forms adjacencies between Hub routers and Branch routers over the Tunnel interfaces. Since the Tunnels are enabled for LDP, LDP adjacencies are also formed between Hub routers and Branch routers over the Tunnel interfaces.
LDP Adjacencies over Tunnel Interfaces

P1-Hub# show mpls ldp neighbor
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0            ! Route-Reflector Router
        TCP connection: 2.2.2.2.646 - 3.3.3.3.53238
        State: Oper; Msgs sent/rcvd: 29/22; Downstream
        Up time: 00:03:32
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 10.234.1.1
        Addresses bound to peer LDP Ident:
          10.12.1.2       2.2.2.2         10.234.1.1
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0        ! P2-Hub over LAN interface
        TCP connection: 4.4.4.4.20096 - 3.3.3.3.646
        State: Oper; Msgs sent/rcvd: 29/27; Downstream
        Up time: 00:03:20
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 10.234.1.3
        Addresses bound to peer LDP Ident:
          10.234.1.3      4.4.4.4         10.46.1.1       192.168.200.1
    Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 3.3.3.3:0        ! Br11-PE Router over Tunnel 11
        TCP connection: 5.5.5.5.50517 - 3.3.3.3.646
        State: Oper; Msgs sent/rcvd: 27/27; Downstream
        Up time: 00:01:56
        LDP discovery sources:
          Tunnel11, Src IP addr: 192.168.100.2
        Addresses bound to peer LDP Ident:
          10.57.1.2       10.67.1.2       5.5.5.5         192.168.100.2
          192.168.200.2
    Peer LDP Ident: 6.6.6.6:0; Local LDP Ident 3.3.3.3:0        ! Br12a-PE Router over Tunnel 11
        TCP connection: 6.6.6.6.60925 - 3.3.3.3.646
        State: Oper; Msgs sent/rcvd: 26/26; Downstream
        Up time: 00:01:19
        LDP discovery sources:
          Tunnel11, Src IP addr: 192.168.100.3
        Addresses bound to peer LDP Ident:
          10.68.1.2       6.6.6.6         192.168.100.3

P2-Hub# show mpls ldp neighbor
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 4.4.4.4:0        ! P1-Hub Router over LAN Interface
        TCP connection: 3.3.3.3.646 - 4.4.4.4.20096
        State: Oper; Msgs sent/rcvd: 31/32; Downstream
        Up time: 00:06:32
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 10.234.1.2
        Addresses bound to peer LDP Ident:
          10.234.1.2      3.3.3.3         10.35.1.1       192.168.100.1
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 4.4.4.4:0        ! RR Router
        TCP connection: 2.2.2.2.646 - 4.4.4.4.30422
        State: Oper; Msgs sent/rcvd: 31/25; Downstream
        Up time: 00:06:17
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 10.234.1.1
        Addresses bound to peer LDP Ident:
          10.12.1.2       2.2.2.2         10.234.1.1
    Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 4.4.4.4:0        ! Br11-PE Router over Tunnel 22
        TCP connection: 5.5.5.5.25406 - 4.4.4.4.646
        State: Oper; Msgs sent/rcvd: 29/29; Downstream
        Up time: 00:04:25
        LDP discovery sources:
          Tunnel22, Src IP addr: 192.168.200.2
        Addresses bound to peer LDP Ident:
          10.57.1.2       10.67.1.2       5.5.5.5         192.168.100.2
          192.168.200.2
    Peer LDP Ident: 7.7.7.7:0; Local LDP Ident 4.4.4.4:0        ! Br12b-PE Router over Tunnel 22
        TCP connection: 7.7.7.7.11262 - 4.4.4.4.646
        State: Oper; Msgs sent/rcvd: 29/29; Downstream
        Up time: 00:04:28
        LDP discovery sources:
          Tunnel22, Src IP addr: 192.168.200.3
        Addresses bound to peer LDP Ident:
          10.69.1.2       7.7.7.7         192.168.200.3

Also, as OSPF adjacency is formed over Tunnel interfaces, BGP neighbor relationship is formed between Branch routers and Route-Reflector router. The below output shows VRF prefixes learnt via MP-BGP on Br12a-PE router. Notice the RR forwards the updates without changing the next-hop.
VRF Prefixes on Br12a-PE

Br12a-PE# show ip bgp vpnv4 all
BGP table version is 13, local router ID is 6.6.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf IT_DEPT)
*>i192.168.11.0     1.1.1.1                  0    100      0 ?
*>i192.168.21.0     5.5.5.5                  0    100      0 ?
*> 192.168.31.0     0.0.0.0                  0         32768 ?
Route Distinguisher: 1:2 (default for vrf ENGG_DEPT)
*>i192.168.12.0     1.1.1.1                  0    100      0 ?
*>i192.168.22.0     5.5.5.5                  0    100      0 ?
*> 192.168.32.0     0.0.0.0                  0         32768 ?

Br12a-PE# show ip cef vrf IT_DEPT 192.168.21.0
192.168.21.0/24, version 13, epoch 0
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Tu11, 192.168.100.1, tags imposed: {28 29}
  via 5.5.5.5, 0 dependencies, recursive
    next hop 192.168.100.1, Tunnel11 via 5.5.5.5/32
    valid adjacency
    tag rewrite with Tu11, 192.168.100.1, tags imposed: {28 29}

Br12a-PE# show ip cef vrf ENGG_DEPT 192.168.22.0
192.168.22.0/24, version 13, epoch 0
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Tu11, 192.168.100.1, tags imposed: {28 30}
  via 5.5.5.5, 0 dependencies, recursive
    next hop 192.168.100.1, Tunnel11 via 5.5.5.5/32
    valid adjacency
    tag rewrite with Tu11, 192.168.100.1, tags imposed: {28 30}

Currently, Br12a-PE router is set to be the Active HSRP router. The show standby command shows that Br12b-PE router is the Standby router.
show standby

Br12a-PE# show standby
FastEthernet0/1.100 - Group 1
  State is Active
    5 state changes, last state change 00:02:40
  Virtual IP address is 192.168.31.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.044 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.31.3, priority 100 (expires in 9.140 sec)
  Priority 105 (configured 105)
    Track object 10 state Up decrement 10
    Track object 20 state Up decrement 10
  Group name is "hsrp-Fa0/1.100-1" (default)
FastEthernet0/1.200 - Group 2
  State is Active
    2 state changes, last state change 00:32:57
  Virtual IP address is 192.168.32.1
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.272 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.32.3, priority 100 (expires in 8.768 sec)
  Priority 105 (configured 105)
    Track object 10 state Up decrement 10
    Track object 20 state Up decrement 10
  Group name is "hsrp-Fa0/1.200-2" (default)

DMVPN Hub Failover
When the Primary Hub (P1-Hub) fails, all Branch routers learn the VRF prefixes over the backup tunnel. On the Br12a-PE router, tracking object 20 fails to reach the Primary Hub. Hence, the HSRP Standby router (Br12b-PE) now becomes the Active router.
Br12a-PE realizes Primary Hub is down

Br12a-PE#
*Mar  1 00:36:34.527: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel11 from FULL to DOWN, Neighbor Down: Dead timer expired
Br12a-PE#
*Mar  1 00:36:53.287: %TRACKING-5-STATE: 20 ip route 192.168.100.1/32 reachability Up->Down
Br12a-PE#
*Mar  1 00:36:55.415: %HSRP-5-STATECHANGE: FastEthernet0/1.100 Grp 1 state Active -> Speak
*Mar  1 00:36:55.615: %HSRP-5-STATECHANGE: FastEthernet0/1.200 Grp 2 state Active -> Speak
Br12a-PE#
*Mar  1 00:37:05.411: %HSRP-5-STATECHANGE: FastEthernet0/1.100 Grp 1 state Speak -> Standby
*Mar  1 00:37:05.611: %HSRP-5-STATECHANGE: FastEthernet0/1.200 Grp 2 state Speak -> Standby
*Mar  1 00:37:17.207: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Down BGP Notification sent
Br12a-PE#
*Mar  1 00:37:17.207: %BGP-3-NOTIFICATION: sent to neighbor 2.2.2.2 4/0 (hold time expired) 0 bytes

Br12a-PE# show track
Track 10
  Interface Tunnel11 line-protocol
  Line protocol is Up
    1 change, last change 00:09:12
  Tracked by:
    HSRP FastEthernet0/1.100 1
    HSRP FastEthernet0/1.200 2
Track 20
  IP route 192.168.100.1 255.255.255.255 reachability
  Reachability is Down (no route)
    3 changes, last change 00:00:24
  First-hop interface is unknown
  Tracked by:
    HSRP FastEthernet0/1.100 1
    HSRP FastEthernet0/1.200 2

Br12a-PE# show standby
FastEthernet0/1.100 - Group 1
  State is Standby
    7 state changes, last state change 00:00:17
  Virtual IP address is 192.168.31.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.516 secs
  Preemption enabled
  Active router is 192.168.31.3, priority 100 (expires in 9.492 sec)
  Standby router is local
  Priority 95 (configured 105)
    Track object 10 state Up decrement 10
    Track object 20 state Down decrement 10
  Group name is "hsrp-Fa0/1.100-1" (default)
FastEthernet0/1.200 - Group 2
  State is Standby
    4 state changes, last state change 00:00:17
  Virtual IP address is 192.168.32.1
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.712 secs
  Preemption enabled
  Active router is 192.168.32.3, priority 100 (expires in 9.776 sec)
  Standby router is local
  Priority 95 (configured 105)
    Track object 10 state Up decrement 10
    Track object 20 state Down decrement 10
  Group name is "hsrp-Fa0/1.200-2" (default)

All VRF prefixes at this branch location are learnt by Br12b-PE router.
VRF Prefixes on Br12b-PE

Br12b-PE# show ip bgp vpnv4 all
BGP table version is 19, local router ID is 7.7.7.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf IT_DEPT)
*>i192.168.11.0     1.1.1.1                  0    100      0 ?
*>i192.168.21.0     5.5.5.5                  0    100      0 ?
*> 192.168.31.0     0.0.0.0                  0         32768 ?
Route Distinguisher: 1:2 (default for vrf ENGG_DEPT)
*>i192.168.12.0     1.1.1.1                  0    100      0 ?
*>i192.168.22.0     5.5.5.5                  0    100      0 ?
*> 192.168.32.0     0.0.0.0                  0         32768 ?

Br12b-PE# show ip cef vrf IT_DEPT 192.168.21.0
192.168.21.0/24, version 16, epoch 0
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Tu22, 192.168.200.1, tags imposed: {28 29}
  via 5.5.5.5, 0 dependencies, recursive
    next hop 192.168.200.1, Tunnel22 via 5.5.5.5/32
    valid adjacency
    tag rewrite with Tu22, 192.168.200.1, tags imposed: {28 29}

Br12b-PE# show ip cef vrf ENGG_DEPT 192.168.22.0
192.168.22.0/24, version 15, epoch 0
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Tu22, 192.168.200.1, tags imposed: {28 30}
  via 5.5.5.5, 0 dependencies, recursive
    next hop 192.168.200.1, Tunnel22 via 5.5.5.5/32
    valid adjacency
    tag rewrite with Tu22, 192.168.200.1, tags imposed: {28 30}

IPSec Configuration
No DMVPN configuration is complete without IPSec. A common IPSec configuration applies to all DMVPN routers. All traffic flowing through Tunnel interfaces is encrypted by IPSec.
IPSec Configuration

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set TS
!
interface Tunnel 11 or 22
 ....
 tunnel protection ipsec profile DMVPN [shared]
!

The below output shows successful IKE Phase 1 and 2 completed between Hub and Branch routers.
IPSec on Hubs

P1-Hub# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.35.1.1       10.68.1.2       QM_IDLE           1002    0 ACTIVE
10.35.1.1       10.67.1.2       QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

P2-Hub# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.46.1.1       10.69.1.2       QM_IDLE           1005    0 ACTIVE
10.46.1.1       10.67.1.2       QM_IDLE           1006    0 ACTIVE

IPv6 Crypto ISAKMP SA

Br11-PE router negotiates IKE over Tunnel 11 and Tunnel 22 due to LDP and OSPF messages flowing over both tunnels.
Successful IKE Phase 1 & 2 on Br11-PE

Br11-PE# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.46.1.1       10.67.1.2       QM_IDLE           1005    0 ACTIVE
10.35.1.1       10.67.1.2       QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

Br11-PE# show crypto ipsec sa

interface: Tunnel11
    Crypto map tag: DMVPN-head-1, local addr 10.67.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.57.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.35.1.1/255.255.255.255/47/0)
   current_peer 10.35.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 447, #pkts encrypt: 447, #pkts digest: 447
    #pkts decaps: 471, #pkts decrypt: 471, #pkts verify: 471
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 42, #recv errors 0
     local crypto endpt.: 10.67.1.2, remote crypto endpt.: 10.35.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xB568463F(3043509823)
     inbound esp sas:
      spi: 0xDA9D0B33(3667725107)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: SW:7, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4487455/2441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB568463F(3043509823)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: SW:8, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4487458/2441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.67.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.46.1.1/255.255.255.255/47/0)
   current_peer 10.46.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0
     local crypto endpt.: 10.67.1.2, remote crypto endpt.: 10.46.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x49D6961C(1238799900)
     inbound esp sas:
      spi: 0x5F199AAD(1595513517)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 11, flow_id: SW:11, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4384071/3499)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x49D6961C(1238799900)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 12, flow_id: SW:12, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4384070/3499)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

interface: Tunnel22
    Crypto map tag: DMVPN-head-1, local addr 10.67.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.57.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.35.1.1/255.255.255.255/47/0)
   current_peer 10.35.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 447, #pkts encrypt: 447, #pkts digest: 447
    #pkts decaps: 471, #pkts decrypt: 471, #pkts verify: 471
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 42, #recv errors 0
     local crypto endpt.: 10.67.1.2, remote crypto endpt.: 10.35.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xB568463F(3043509823)
     inbound esp sas:
      spi: 0xDA9D0B33(3667725107)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: SW:7, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4487455/2441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB568463F(3043509823)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: SW:8, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4487458/2441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.67.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.46.1.1/255.255.255.255/47/0)
   current_peer 10.46.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0
     local crypto endpt.: 10.67.1.2, remote crypto endpt.: 10.46.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x49D6961C(1238799900)
     inbound esp sas:
      spi: 0x5F199AAD(1595513517)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 11, flow_id: SW:11, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4384071/3499)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x49D6961C(1238799900)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 12, flow_id: SW:12, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4384070/3499)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
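
The IPSec configuration in this article sets only the ISAKMP authentication method, accepts the pre-shared key "cisco" from any peer address, and protects the tunnels with 3DES and MD5. The following hardened variant for a Branch router is an added example, not part of the original article; it assumes an IOS release that supports AES-256, SHA-256 and DH group 14, and the key strings are placeholders.

```cisco
! Added example (not from the original article). Key strings are placeholders.
!
! Phase 1: state every parameter explicitly. With only "authentication
! pre-share" configured, classic IOS falls back to its policy defaults
! (DES, SHA-1, DH group 1) for the rest.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Branch side: one key per Hub NBMA address (P1-Hub 10.35.1.1 and
! P2-Hub 10.46.1.1, taken from the ip nhrp map lines) instead of the
! wildcard "address 0.0.0.0 0.0.0.0" entry.
crypto isakmp key <PSK-FOR-P1-HUB> address 10.35.1.1
crypto isakmp key <PSK-FOR-P2-HUB> address 10.46.1.1
!
! Phase 2: AES-256 with HMAC-SHA-256 in place of esp-3des esp-md5-hmac.
! Transport mode is kept, as in the original transform-set.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! PFS forces a fresh Diffie-Hellman exchange for every Phase 2 rekey.
crypto ipsec profile DMVPN
 set transform-set TS
 set pfs group14
!
! The "tunnel protection ipsec profile DMVPN" lines under Tunnel 11 and
! Tunnel 22 stay as they are; the profile name has not changed.
```

The policy, transform-set and profile must match on the Hubs; there the wildcard key is replaced by one key line per Branch NBMA address. After the change, show crypto ipsec sa should list the new transform in place of esp-3des esp-md5-hmac.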