2547oDMVPN

2547oDMVPN

2547oDMVPN is the second name for MPLS VPN over DMVPN. This solution is to extend MPLS VPN to the branches. In this solution, MPLS VPN is implemented in the enterprise network, while the Service Provider core network still runs on pure IP network.

Cisco recommends that to seamlessly extend MPLS VPN network to branches (spokes), the DMVPN Hub must be a P-device to label switch packets between Hub and Spokes. The P-device (DMVPN Hub) establishes an LDP neighbor relationship with Branch routers which act as MPLS VPN PE routers.

This article will demonstrate a scenario which consists of Dual DMVPN Hubs (for resiliency) acting as P-routers (P1-Hub and P2-Hub). Although DMVPN provides an ability to dynamically create Branch-to-Branch tunnel, that wont be available in MPLV VPN over DMVPN. The reason being MPLS network requires packets to be label switched all the way to PE routers. All the Branch routers in this solution becomes PE routers, and they perform label imposition and label switching. When a dynamic tunnel is setup between Branch-to-Branch, label imposition for this tunnel is not available. Hence, all Branch-to-Branch label switching is easily implemented through the Hub.

Since two hub routers (P1-Hub as Primary DMVPN Hub and P2-Hub as Backup DMVPN Hub) are implemented, two different tunnels will be configured on Br11-PE, Br12a-PE and Br12b-PE Branch routers for redundancy. When the Primary tunnel fails, after routing protocol convergence, the traffic can pass through the Backup tunnel.

The Route-Reflector (RR) router forms BGP adjacency with all PE devices in the enterprise network. This RR is responsible for distributing VPN routes between PE devices.

At a Branch location, Br12a-PE and Br12b-PE routers implement HSRP for high availability. The MPLS network supports two VRFs- IT_DEPT and ENGG_DEPT.

The following table provides the NBMA address to Tunnel IP address mapping for relevant routers.

MPLS VPN Configuration

All PE routers will have two VRFs configured as follows:

VRF Configuration

ip vrf IT_DEPT

 rd 1:1

 route-target both 1:1

ip vrf ENGG_DEPT

 rd 1:2

 route-target both 1:2

The Campus-PE and Br11-PE routers have similar configuration as below:

Campus-PE MPLS VPN Configuration

interface Loopback 0

 ip address 1.1.1.1 255.255.255.255

 ip ospf 1 area 0

interface fastethernet 0/1

 no shutdown

interface fastethernet 0/1.100

 ip vrf forwarding IT_DEPT

 encapsulation dot1q 100

 ip address 192.168.11.1 255.255.255.0

interface fastethernet 0/1.200

 ip vrf forwarding ENGG_DEPT

 encapsulation dot1q 200

 ip address 192.168.12.1 255.255.255.0

router bgp 100

 neighbor 2.2.2.2 remote-as 100

 neighbor 2.2.2.2 update-source Loopback 0

 address-family vpnv4

 neighbor 2.2.2.2 activate

 exit-address-family

 address-family ipv4 vrf IT_DEPT

 redistribute connected

 exit-address-family

 address-family ipv4 vrf ENGG_DEPT

 redistribute connected

 exit-address-family

Br11-PE MPLS VPN Configuration

interface Loopback 0

 ip address 5.5.5.5 255.255.255.255

 ip ospf 1 area 0

interface fastethernet 1/0

 no shutdown

interface fastethernet 1/0.100

 ip vrf forwarding IT_DEPT

 encapsulation dot1q 100

 ip address 192.168.21.1 255.255.255.0

interface fastethernet 1/0.200

 ip vrf forwarding ENGG_DEPT

 encapsulation dot1q 200

 ip address 192.168.22.1 255.255.255.0

router bgp 100

 neighbor 2.2.2.2 remote-as 100

 neighbor 2.2.2.2 update-source Loopback 0

 address-family vpnv4

 neighbor 2.2.2.2 activate

 exit-address-family

 address-family ipv4 vrf IT_DEPT

 redistribute connected

 exit-address-family

 address-family ipv4 vrf ENGG_DEPT

 redistribute connected

 exit-address-family

The Br12a-PE and Br12b-PE routers have HSRP configuration as well for better resiliency. Br12a-PE will be configured to the Active HSRP router for both VRFs by making the priority higher than default of 100. The configuration is as follows:

Br12a-PE MPLS VPN Configuration

interface Loopback 0

 ip address 6.6.6.6 255.255.255.255

 ip ospf 1 area 0

interface fastethernet 0/1

 no shutdown

interface fastethernet 0/1.100

 encapsulation dot1q 100

 ip vrf forwarding IT_DEPT

 ip address 192.168.31.2 255.255.255.0

 standby 1 ip 192.168.31.1        ! HSRP for IT_DEPT VRF

 standby 1 preempt

 standby 1 priority 105

 standby 1 track 10 decrement 10

 standby 1 track 20 decrement 10

interface fastethernet 0/1.200

 encapsulation dot1q 200

 ip vrf forwarding ENGG_DEPT

 ip address 192.168.32.2 255.255.255.0

 standby 2 ip 192.168.32.1        ! HSRP for ENGG_DEPT VRF

 standby 2 preempt

 standby 2 priority 105

 standby 2 track 10 decrement 10

 standby 2 track 20 decrement 10

track 10 interface Tunnel 11 line-protocol    ! Tracking Primary Tunnel line-protocol and reachability

track 20 ip route 192.168.100.1 255.255.255.0 reachability

router bgp 100

 neighbor 2.2.2.2 remote-as 100

 neighbor 2.2.2.2 update-source Loopback 0

 address-family vpnv4

 neighbor 2.2.2.2 activate

 exit-address-family

 address-family ipv4 vrf IT_DEPT

 redistribute connected

 exit-address-family

 address-family ipv4 vrf ENGG_DEPT

 redistribute connected

 exit-address-family

Br12b-PE MPLS VPN Configuration

interface Loopback 0

 ip address 7.7.7.7 255.255.255.255

 ip ospf 1 area 0

interface fastethernet 0/1

 no shutdown

interface fastethernet 0/1.100

 encapsulation dot1q 100

 ip vrf forwarding IT_DEPT

 ip address 192.168.31.3 255.255.255.0

 standby 1 ip 192.168.31.1        ! HSRP for IT_DEPT VRF

 standby 1 preempt

standby 1 track 10 decrement 10

 standby 1 track 20 decrement 10

interface fastethernet 0/1.200

 encapsulation dot1q 200

 ip vrf forwarding ENGG_DEPT

 ip address 192.168.32.3 255.255.255.0

 standby 2 ip 192.168.32.1        ! HSRP for ENGG_DEPT VRF

 standby 2 preempt

 standby 2 track 10 decrement 10

 standby 2 track 20 decrement 10

track 10 interface Tunnel 22 line-protocol    ! Tracking Backup Tunnel line-protocol and reachability

 delay up 20                                  ! Delay bringing the Tunnel UP for 20 seconds

track 20 ip route 192.168.200.1 255.255.255.0 reachability

 delay up 20

router bgp 100

 neighbor 2.2.2.2 remote-as 100

 neighbor 2.2.2.2 update-source Loopback 0

 address-family vpnv4

 neighbor 2.2.2.2 activate

 exit-address-family

 address-family ipv4 vrf IT_DEPT

 redistribute connected

 exit-address-family

 address-family ipv4 vrf ENGG_DEPT

 redistribute connected

 exit-address-family

MP-BGP Configuration

The Route-reflector (RR) will be responsible for distributing VRF prefixes between PE routers. All PE routers will be the Clients for RR.

RR Configuration

router bgp 100

 no bgp default route-target filter            ! This causes the RR to accept all VRF prefixes i.e. ignore Route-Target

 neighbor 1.1.1.1 remote-as 100

 neighbor 1.1.1.1 update-source Loopback 0

 neighbor 5.5.5.5 remote-as 100

 neighbor 5.5.5.5 update-source Loopback 0

 neighbor 6.6.6.6 remote-as 100

 neighbor 6.6.6.6 update-source Loopback 0

 neighbor 7.7.7.7 remote-as 100

 neighbor 7.7.7.7 update-source Loopback 0

 address-family vpnv4

 neighbor 1.1.1.1 activate

 neighbor 1.1.1.1 route-reflector-client        ! Campus-PE router

 neighbor 5.5.5.5 activate

 neighbor 5.5.5.5 route-reflector-client        ! Br11-PE router

 neighbor 6.6.6.6 activate

 neighbor 6.6.6.6 route-reflector-client        ! Br12a-PE router

 neighbor 7.7.7.7 activate

 neighbor 7.7.7.7 route-reflector-client        ! Br12b-PE router

DMVPN Configuration

P1-Hub router is the Primary DMVPN Hub. It is also a P-router for MPLS VPN network.

P1-Hub Tunnel Configuration

interface Tunnel 11

 ip address 192.168.100.1 255.255.255.0

 tunnel mode gre multipoint

 tunnel source Fastethernet 0/1

 tunnel key 123

 mpls ip                                ! Enables LDP on this tunnel interface

 ip nhrp map multicast dynamic

 ip nhrp network-id 123

 ip nhrp holdtime 240

 ip ospf 1 area 0

 ip ospf network point-to-multipoint    ! This will cause all the traffic to pass through the Hub

 ip ospf cost 10                        ! This causes this tunnel interface to be preferred

P2-Hub is a Backup NHS for the DMVPN cloud. Again, this router is also a P-router for MPLS VPN network.

P2-Hub Tunnel Configuration

interface Tunnel 22

 ip address 192.168.200.1 255.255.255.0

 tunnel mode gre multipoint

 tunnel source Fastethernet 0/1

 tunnel key 456

 mpls ip

 ip nhrp map multicast dynamic

 ip nhrp network-id 456

 ip nhrp holdtime 240

 ip ospf 1 area 0

 ip ospf network point-to-multipoint

 ip ospf cost 100

Br11-PE router has two tunnel interfaces. Primary tunnel is preferred over backup tunnel.

Br11-PE Tunnel Configuration

interface Tunnel 11

 ip address 192.168.100.2 255.255.255.0

 tunnel mode gre multipoint

 tunnel source Fastethernet 0/0

 tunnel key 123

 mpls ip

 ip nhrp nhs 192.168.100.1

 ip nhrp map 192.168.100.1 10.35.1.1

 ip nhrp map multicast 10.35.1.1

 ip nhrp network-id 123

 ip nhrp holdtime 240

 ip ospf 1 area 0

 ip ospf network point-to-multipoint

 ip ospf cost 10

interface Tunnel 22

 ip address 192.168.200.2 255.255.255.0

 tunnel mode gre multipoint

 tunnel source Fastethernet 0/1

 tunnel key 456

 mpls ip

 ip nhrp nhs 192.168.200.1

 ip nhrp map 192.168.200.1 10.46.1.1

 ip nhrp map multicast 10.46.1.1

 ip nhrp network-id 456

 ip nhrp holdtime 240

 ip ospf 1 area 0

 ip ospf network point-to-multipoint

 ip ospf cost 100

Br12a-PE router has the Primary Tunnel while Br12b-PE router has the Backup tunnel.

Br12a-PE Tunnel Configuration

interface Tunnel 11

 ip address 192.168.100.3 255.255.255.0

 tunnel mode gre multipoint

 tunnel source Fastethernet 0/0

 tunnel key 123

 mpls ip

 ip nhrp nhs 192.168.100.1

 ip nhrp map 192.168.100.1 10.35.1.1

 ip nhrp map multicast 10.35.1.1

 ip nhrp network-id 123

 ip nhrp holdtime 240

 ip ospf 1 area 0

 ip ospf network point-to-multipoint

 ip ospf cost 10

Br12b-PE Tunnel Configuration

interface Tunnel 22

 ip address 192.168.200.3 255.255.255.0

 tunnel mode gre multipoint

 tunnel source Fastethernet 0/1

 tunnel key 456

 mpls ip

 ip nhrp nhs 192.168.200.1

 ip nhrp map 192.168.200.1 10.46.1.1

 ip nhrp map multicast 10.46.1.1

 ip nhrp network-id 456

 ip nhrp holdtime 240

 ip ospf 1 area 0

 ip ospf network point-to-multipoint

 ip ospf cost 100

Verification

All Branch routers send Registration Request messages with NBMA-to-Tunnel IP address mapping to the NHS. Both, P1-Hub (Primary) and P2-Hub (Backup) NHS will learn about these mapping and respond with a Registration Reply message.

NHRP Mapping on Hub routers

P1-Hub# show ip nhrp

192.168.100.2/32 via 192.168.100.2, Tunnel11 created 00:04:14, expire 00:03:24

  Type: dynamic, Flags: unique registered used

  NBMA address: 10.57.1.2

192.168.100.3/32 via 192.168.100.3, Tunnel11 created 00:03:37, expire 00:02:41

  Type: dynamic, Flags: unique registered

  NBMA address: 10.68.1.2

P2-Hub# show ip nhrp

192.168.200.2/32 via 192.168.200.2, Tunnel22 created 00:04:51, expire 00:02:48

  Type: dynamic, Flags: unique registered

  NBMA address: 10.67.1.2

192.168.200.3/32 via 192.168.200.3, Tunnel22 created 00:04:08, expire 00:03:31

  Type: dynamic, Flags: unique registered used

  NBMA address: 10.69.1.2

Once NHRP mapping is completed, OSPF forms adjacency between Hub routers and Branch routers over Tunnel interfaces. Also, since the Tunnels are enabled for LDP, even LDP adjacency is formed between Hub routers and Branch routers over Tunnel interfaces.

LDP Adjacencies over Tunnel Interfaces

P1-Hub# show mpls ldp neighbor

    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0            ! Route-Reflector Router

        TCP connection: 2.2.2.2.646 - 3.3.3.3.53238

        State: Oper; Msgs sent/rcvd: 29/22; Downstream

        Up time: 00:03:32

        LDP discovery sources:

          FastEthernet0/0, Src IP addr: 10.234.1.1

        Addresses bound to peer LDP Ident:

          10.12.1.2       2.2.2.2         10.234.1.1

    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0        ! P2-Hub over LAN interface

        TCP connection: 4.4.4.4.20096 - 3.3.3.3.646

        State: Oper; Msgs sent/rcvd: 29/27; Downstream

        Up time: 00:03:20

        LDP discovery sources:

          FastEthernet0/0, Src IP addr: 10.234.1.3

        Addresses bound to peer LDP Ident:

          10.234.1.3      4.4.4.4         10.46.1.1       192.168.200.1

    Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 3.3.3.3:0        ! Br11-PE Router over Tunnel 11

        TCP connection: 5.5.5.5.50517 - 3.3.3.3.646

        State: Oper; Msgs sent/rcvd: 27/27; Downstream

        Up time: 00:01:56

        LDP discovery sources:

          Tunnel11, Src IP addr: 192.168.100.2

        Addresses bound to peer LDP Ident:

          10.57.1.2       10.67.1.2       5.5.5.5         192.168.100.2

          192.168.200.2

    Peer LDP Ident: 6.6.6.6:0; Local LDP Ident 3.3.3.3:0        ! Br12a-PE Router over Tunnel 11

        TCP connection: 6.6.6.6.60925 - 3.3.3.3.646

        State: Oper; Msgs sent/rcvd: 26/26; Downstream

        Up time: 00:01:19

        LDP discovery sources:

          Tunnel11, Src IP addr: 192.168.100.3

        Addresses bound to peer LDP Ident:

          10.68.1.2       6.6.6.6         192.168.100.3

P2-Hub# show mpls ldp neighbor

    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 4.4.4.4:0        ! P1-Hub Router over LAN Interface

        TCP connection: 3.3.3.3.646 - 4.4.4.4.20096

        State: Oper; Msgs sent/rcvd: 31/32; Downstream

        Up time: 00:06:32

        LDP discovery sources:

          FastEthernet0/0, Src IP addr: 10.234.1.2

        Addresses bound to peer LDP Ident:

          10.234.1.2      3.3.3.3         10.35.1.1       192.168.100.1

    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 4.4.4.4:0        ! RR Router

        TCP connection: 2.2.2.2.646 - 4.4.4.4.30422

        State: Oper; Msgs sent/rcvd: 31/25; Downstream

        Up time: 00:06:17

        LDP discovery sources:

          FastEthernet0/0, Src IP addr: 10.234.1.1

        Addresses bound to peer LDP Ident:

          10.12.1.2       2.2.2.2         10.234.1.1

    Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 4.4.4.4:0        ! Br11-PE Router over Tunnel 22

        TCP connection: 5.5.5.5.25406 - 4.4.4.4.646

        State: Oper; Msgs sent/rcvd: 29/29; Downstream

        Up time: 00:04:25

        LDP discovery sources:

          Tunnel22, Src IP addr: 192.168.200.2

        Addresses bound to peer LDP Ident:

          10.57.1.2       10.67.1.2       5.5.5.5         192.168.100.2

          192.168.200.2

    Peer LDP Ident: 7.7.7.7:0; Local LDP Ident 4.4.4.4:0        ! Br12b-PE Router over Tunnel 22

        TCP connection: 7.7.7.7.11262 - 4.4.4.4.646

        State: Oper; Msgs sent/rcvd: 29/29; Downstream

        Up time: 00:04:28

        LDP discovery sources:

          Tunnel22, Src IP addr: 192.168.200.3

        Addresses bound to peer LDP Ident:

          10.69.1.2       7.7.7.7         192.168.200.3

Also, as OSPF adjacency is formed over Tunnel interfaces, BGP neighbor relationship is formed between Branch routers and Route-Reflector router. The below output shows VRF prefixes learnt via MP-BGP on Br12a-PE router. Notice the RR forwards the updates without changing the next-hop.

VRF Prefixes on Br12a-PE

Br12a-PE# show ip bgp vpnv4 all

BGP table version is 13, local router ID is 6.6.6.6

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 1:1 (default for vrf IT_DEPT)

*>i192.168.11.0     1.1.1.1                  0    100      0 ?

*>i192.168.21.0     5.5.5.5                  0    100      0 ?

*> 192.168.31.0     0.0.0.0                  0         32768 ?

Route Distinguisher: 1:2 (default for vrf ENGG_DEPT)

*>i192.168.12.0     1.1.1.1                  0    100      0 ?

*>i192.168.22.0     5.5.5.5                  0    100      0 ?

*> 192.168.32.0     0.0.0.0                  0         32768 ?

Br12a-PE# show ip cef vrf IT_DEPT 192.168.21.0

192.168.21.0/24, version 13, epoch 0

0 packets, 0 bytes

  tag information set

    local tag: VPN-route-head

    fast tag rewrite with Tu11, 192.168.100.1, tags imposed: {28 29}

  via 5.5.5.5, 0 dependencies, recursive

    next hop 192.168.100.1, Tunnel11 via 5.5.5.5/32

    valid adjacency

    tag rewrite with Tu11, 192.168.100.1, tags imposed: {28 29}

Br12a-PE# show ip cef vrf ENGG_DEPT 192.168.22.0

192.168.22.0/24, version 13, epoch 0

0 packets, 0 bytes

  tag information set

    local tag: VPN-route-head

    fast tag rewrite with Tu11, 192.168.100.1, tags imposed: {28 30}

  via 5.5.5.5, 0 dependencies, recursive

    next hop 192.168.100.1, Tunnel11 via 5.5.5.5/32

    valid adjacency

    tag rewrite with Tu11, 192.168.100.1, tags imposed: {28 30}

Currently, Br12a-PE router is set to be the Active HSRP router. The show standby command shows that Br12b-PE router is the Standby router.

show standby

Br12a-PE# show standby

FastEthernet0/1.100 - Group 1

  State is Active

    5 state changes, last state change 00:02:40

  Virtual IP address is 192.168.31.1

  Active virtual MAC address is 0000.0c07.ac01

    Local virtual MAC address is 0000.0c07.ac01 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 1.044 secs

  Preemption enabled

  Active router is local

  Standby router is 192.168.31.3, priority 100 (expires in 9.140 sec)

  Priority 105 (configured 105)

    Track object 10 state Up decrement 10

    Track object 20 state Up decrement 10

  Group name is "hsrp-Fa0/1.100-1" (default)

FastEthernet0/1.200 - Group 2

  State is Active

    2 state changes, last state change 00:32:57

  Virtual IP address is 192.168.32.1

  Active virtual MAC address is 0000.0c07.ac02

    Local virtual MAC address is 0000.0c07.ac02 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 1.272 secs

  Preemption enabled

  Active router is local

  Standby router is 192.168.32.3, priority 100 (expires in 8.768 sec)

  Priority 105 (configured 105)

    Track object 10 state Up decrement 10

    Track object 20 state Up decrement 10

  Group name is "hsrp-Fa0/1.200-2" (default)

DMVPN Hub Failover

When Primary Hub fails (P1-Hub), all Branch routers learn about VRF Prefixes over backup tunnel. On Br12a-PE router, the tracking object (20) fails to reach the Primary Hub. Hence, HSRP Standby router (Br12b-PE) now becomes the Active router.

Br12a-PE realizes Primary Hub is down

Br12a-PE#

*Mar  1 00:36:34.527: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel11 from FULL to DOWN, Neighbor Down: Dead timer expired

Br12a-PE#

*Mar  1 00:36:53.287: %TRACKING-5-STATE: 20 ip route 192.168.100.1/32 reachability Up->Down

Br12a-PE#

*Mar  1 00:36:55.415: %HSRP-5-STATECHANGE: FastEthernet0/1.100 Grp 1 state Active -> Speak

*Mar  1 00:36:55.615: %HSRP-5-STATECHANGE: FastEthernet0/1.200 Grp 2 state Active -> Speak

Br12a-PE#

*Mar  1 00:37:05.411: %HSRP-5-STATECHANGE: FastEthernet0/1.100 Grp 1 state Speak -> Standby

*Mar  1 00:37:05.611: %HSRP-5-STATECHANGE: FastEthernet0/1.200 Grp 2 state Speak -> Standby

*Mar  1 00:37:17.207: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Down BGP Notification sent

Br12a-PE#

*Mar  1 00:37:17.207: %BGP-3-NOTIFICATION: sent to neighbor 2.2.2.2 4/0 (hold time expired) 0 bytes

Br12a-PE# show track

Track 10

  Interface Tunnel11 line-protocol

  Line protocol is Up

    1 change, last change 00:09:12

  Tracked by:

    HSRP FastEthernet0/1.100 1

    HSRP FastEthernet0/1.200 2

Track 20

  IP route 192.168.100.1 255.255.255.255 reachability

  Reachability is Down (no route)

    3 changes, last change 00:00:24

  First-hop interface is unknown

  Tracked by:

    HSRP FastEthernet0/1.100 1

    HSRP FastEthernet0/1.200 2

Br12a-PE# show standby

FastEthernet0/1.100 - Group 1

  State is Standby

    7 state changes, last state change 00:00:17

  Virtual IP address is 192.168.31.1

  Active virtual MAC address is 0000.0c07.ac01

    Local virtual MAC address is 0000.0c07.ac01 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 0.516 secs

  Preemption enabled

  Active router is 192.168.31.3, priority 100 (expires in 9.492 sec)

  Standby router is local

  Priority 95 (configured 105)

    Track object 10 state Up decrement 10

    Track object 20 state Down decrement 10

  Group name is "hsrp-Fa0/1.100-1" (default)

FastEthernet0/1.200 - Group 2

  State is Standby

    4 state changes, last state change 00:00:17

  Virtual IP address is 192.168.32.1

  Active virtual MAC address is 0000.0c07.ac02

    Local virtual MAC address is 0000.0c07.ac02 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 0.712 secs

  Preemption enabled

  Active router is 192.168.32.3, priority 100 (expires in 9.776 sec)

  Standby router is local

  Priority 95 (configured 105)

    Track object 10 state Up decrement 10

    Track object 20 state Down decrement 10

  Group name is "hsrp-Fa0/1.200-2" (default)

All VRF prefixes at this branch location are learnt by Br12b-PE router.

VRF Prefixes on Br12b-PE

Br12b-PE# show ip bgp vpnv4 all

BGP table version is 19, local router ID is 7.7.7.7

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 1:1 (default for vrf IT_DEPT)

*>i192.168.11.0     1.1.1.1                  0    100      0 ?

*>i192.168.21.0     5.5.5.5                  0    100      0 ?

*> 192.168.31.0     0.0.0.0                  0         32768 ?

Route Distinguisher: 1:2 (default for vrf ENGG_DEPT)

*>i192.168.12.0     1.1.1.1                  0    100      0 ?

*>i192.168.22.0     5.5.5.5                  0    100      0 ?

*> 192.168.32.0     0.0.0.0                  0         32768 ?

Br12b-PE# show ip cef vrf IT_DEPT 192.168.21.0

192.168.21.0/24, version 16, epoch 0

0 packets, 0 bytes

  tag information set

    local tag: VPN-route-head

    fast tag rewrite with Tu22, 192.168.200.1, tags imposed: {28 29}

  via 5.5.5.5, 0 dependencies, recursive

    next hop 192.168.200.1, Tunnel22 via 5.5.5.5/32

    valid adjacency

    tag rewrite with Tu22, 192.168.200.1, tags imposed: {28 29}

Br12b-PE# show ip cef vrf ENGG_DEPT 192.168.22.0

192.168.22.0/24, version 15, epoch 0

0 packets, 0 bytes

  tag information set

    local tag: VPN-route-head

    fast tag rewrite with Tu22, 192.168.200.1, tags imposed: {28 30}

  via 5.5.5.5, 0 dependencies, recursive

    next hop 192.168.200.1, Tunnel22 via 5.5.5.5/32

    valid adjacency

    tag rewrite with Tu22, 192.168.200.1, tags imposed: {28 30}

IPSec Configuration

No DMVPN configuration is complete without IPSec. A common IPSec configuration applies to all DMVPN routers. All traffic flowing through Tunnel interfaces is encrypted by IPSec.

IPSec Configuration

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0

crypto ipsec transform-set TS esp-3des esp-md5-hmac

 mode transport

crypto ipsec profile DMVPN

 set transform-set TS

interface Tunnel 11 or 22

 ....

 tunnel protection ipsec profile DMVPN [shared]

The below output shows successful IKE Phase 1 and 2 completed between Hub and Branch routers.

IPSec on Hubs

P1-Hub# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

10.35.1.1       10.68.1.2       QM_IDLE           1002    0 ACTIVE

10.35.1.1       10.67.1.2       QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

P2-Hub# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

10.46.1.1       10.69.1.2       QM_IDLE           1005    0 ACTIVE

10.46.1.1       10.67.1.2       QM_IDLE           1006    0 ACTIVE

IPv6 Crypto ISAKMP SA

Br11-PE router negotiates IKE over Tunnel 11 and Tunnel 22 due to LDP and OSPF messages flowing over both tunnels.

Successful IKE Phase 1 & 2 on Br11-PE

Br11-PE# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

10.46.1.1       10.67.1.2       QM_IDLE           1005    0 ACTIVE

10.35.1.1       10.67.1.2       QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

Br11-PE# show crypto ipsec sa

interface: Tunnel11

    Crypto map tag: DMVPN-head-1, local addr 10.67.1.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.57.1.2/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (10.35.1.1/255.255.255.255/47/0)

   current_peer 10.35.1.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 447, #pkts encrypt: 447, #pkts digest: 447

    #pkts decaps: 471, #pkts decrypt: 471, #pkts verify: 471

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 42, #recv errors 0

     local crypto endpt.: 10.67.1.2, remote crypto endpt.: 10.35.1.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0xB568463F(3043509823)

     inbound esp sas:

      spi: 0xDA9D0B33(3667725107)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 7, flow_id: SW:7, crypto map: DMVPN-head-1

        sa timing: remaining key lifetime (k/sec): (4487455/2441)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xB568463F(3043509823)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 8, flow_id: SW:8, crypto map: DMVPN-head-1

        sa timing: remaining key lifetime (k/sec): (4487458/2441)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.67.1.2/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (10.46.1.1/255.255.255.255/47/0)

   current_peer 10.46.1.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38

    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 3, #recv errors 0

     local crypto endpt.: 10.67.1.2, remote crypto endpt.: 10.46.1.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x49D6961C(1238799900)

     inbound esp sas:

      spi: 0x5F199AAD(1595513517)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Transport, }

        conn id: 11, flow_id: SW:11, crypto map: DMVPN-head-1

        sa timing: remaining key lifetime (k/sec): (4384071/3499)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x49D6961C(1238799900)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Transport, }

        conn id: 12, flow_id: SW:12, crypto map: DMVPN-head-1

        sa timing: remaining key lifetime (k/sec): (4384070/3499)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel22

    Crypto map tag: DMVPN-head-1, local addr 10.67.1.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.57.1.2/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (10.35.1.1/255.255.255.255/47/0)

   current_peer 10.35.1.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 447, #pkts encrypt: 447, #pkts digest: 447

    #pkts decaps: 471, #pkts decrypt: 471, #pkts verify: 471

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 42, #recv errors 0

     local crypto endpt.: 10.67.1.2, remote crypto endpt.: 10.35.1.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0xB568463F(3043509823)

     inbound esp sas:

      spi: 0xDA9D0B33(3667725107)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 7, flow_id: SW:7, crypto map: DMVPN-head-1

        sa timing: remaining key lifetime (k/sec): (4487455/2441)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xB568463F(3043509823)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 8, flow_id: SW:8, crypto map: DMVPN-head-1

        sa timing: remaining key lifetime (k/sec): (4487458/2441)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.67.1.2/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (10.46.1.1/255.255.255.255/47/0)

   current_peer 10.46.1.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38

    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 3, #recv errors 0

     local crypto endpt.: 10.67.1.2, remote crypto endpt.: 10.46.1.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x49D6961C(1238799900)

     inbound esp sas:

      spi: 0x5F199AAD(1595513517)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Transport, }

        conn id: 11, flow_id: SW:11, crypto map: DMVPN-head-1

        sa timing: remaining key lifetime (k/sec): (4384071/3499)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x49D6961C(1238799900)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Transport, }

        conn id: 12, flow_id: SW:12, crypto map: DMVPN-head-1

        sa timing: remaining key lifetime (k/sec): (4384070/3499)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas: