
VPN technologies – DMVPN – Phase 1

Starting a new series about DMVPN.

In this post, I will configure a basic DMVPN network, with one hub and 2 spoke sites.

 


 

Here is the link to the Cisco documentation about DMVPN:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html

 

And the link for everything related to NHRP:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/15-mt/nhrp-15-mt-book/config-nhrp.html

 

And a very good article from INE with a very cool explanation of DMVPN phase 1 and 2:

http://blog.ine.com/2008/08/02/dmvpn-explained/

 

VPN technologies – DMVPN – Configuration:

 

Let’s start configuring DMVPN phase 1.

 

R1 is our DMVPN hub.

We first configure the tunnel interface with the minimum options needed.

R1(config)#int tunnel 0
R1(config-if)#ip add 10.10.1.1 255.255.255.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel mode gre multipoint

 

Then under the tunnel interface, we configure NHRP.

R1(config-if)#ip nhrp network-id 10

 

That’s the minimum needed to configure DMVPN phase 1 on the HUB router.

Later, I will configure more options under this tunnel interface.

 

On the two spoke routers, this is the configuration needed.

R2(config)#int tunnel 0
R2(config-if)#ip add 10.10.1.2 255.255.255.0
R2(config-if)#tunnel source 2.2.2.2
R2(config-if)#tunnel dest 1.1.1.1
R2(config-if)#ip nhrp map 10.10.1.1 1.1.1.1
R2(config-if)#ip nhrp nhs 10.10.1.1
R2(config-if)#ip nhrp network-id 10
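
The tunnel commands shown so far include neither "ip nhrp authentication" nor "tunnel protection ipsec profile", so the overlay runs as plain GRE with no NHRP authentication string. As an added example (not part of the original post), this Python script lints a tunnel stanza for those two commands; the running-config text is constructed from the R1 commands above, and the <KEY> and <PROFILE> values are placeholders.

```python
# Constructed running-config equivalent of the R1 tunnel commands above.
R1_CONFIG = """\
interface Tunnel0
 ip address 10.10.1.1 255.255.255.0
 ip nhrp network-id 10
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
!
"""
# Hypothetical hardened variant: <KEY> and <PROFILE> are placeholders.
R1_HARDENED = R1_CONFIG.replace(
    "!\n", " ip nhrp authentication <KEY>\n tunnel protection ipsec profile <PROFILE>\n!\n")

# Command prefix -> what its absence means for the tunnel.
REQUIRED = {
    "ip nhrp authentication ": "NHRP packets carry no authentication string",
    "tunnel protection ipsec profile ": "GRE payload crosses the transport network unencrypted",
}

def tunnel_stanzas(config):
    """Map each 'interface TunnelN' name to its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = stanzas.setdefault(name, []) if name.lower().startswith("tunnel") else None
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return stanzas

def lint(config):
    """Return one finding per required command missing from a DMVPN tunnel."""
    findings = []
    for name, cmds in tunnel_stanzas(config).items():
        if not any(c.startswith("ip nhrp ") for c in cmds):
            continue  # tunnel without NHRP: not part of the DMVPN overlay
        for prefix, why in REQUIRED.items():
            if not any(c.startswith(prefix) for c in cmds):
                findings.append(f"{name}: missing '{prefix.strip()}': {why}")
    return findings

if __name__ == "__main__":
    for finding in lint(R1_CONFIG) or ["no findings"]:
        print(finding)
```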

 

From R2, I can reach R1's tunnel IP address.

R2#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

Here are the two commands to verify NHRP and DMVPN.

R2#sh ip nhrp
10.10.1.1/32 via 10.10.1.1
   Tunnel0 created 00:00:21, never expire
   Type: static, Flags:
   NBMA address: 1.1.1.1

R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.1               10.10.1.1    UP 00:00:27     S

 

The configuration on R3 is basically the same.

R3(config)#interface Tunnel0
R3(config-if)# ip address 10.10.1.3 255.255.255.0
R3(config-if)# ip nhrp map 10.10.1.1 1.1.1.1
R3(config-if)# ip nhrp network-id 10
R3(config-if)# ip nhrp nhs 10.10.1.1
R3(config-if)# tunnel source 3.3.3.3
R3(config-if)# tunnel destination 1.1.1.1

 

R3 is able to reach R2's tunnel IP address. A traceroute shows that we need to go through the hub in order to reach R2.

R3#ping 10.10.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R3#traceroute 10.10.1.2
Type escape sequence to abort.
Tracing the route to 10.10.1.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.1.1 11 msec 4 msec 1 msec
  2 10.10.1.2 1 msec *  1 msec

 

We now have a basic DMVPN network working.

On the DMVPN hub R1, we can see that both peers are UP.

R1#sh ip nhrp
10.10.1.2/32 via 10.10.1.2
   Tunnel0 created 00:05:19, expire 01:54:40
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 2.2.2.2
10.10.1.3/32 via 10.10.1.3
   Tunnel0 created 00:02:29, expire 01:57:30
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 3.3.3.3
R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 2.2.2.2               10.10.1.2    UP 00:05:21     D
     1 3.3.3.3               10.10.1.3    UP 00:02:31     D
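
On the hub, both spokes show up as "Type: dynamic" entries, meaning R1 learned the tunnel-to-NBMA mappings from the spokes' own NHRP registrations. As an added example (not part of the original post), this Python script parses the R1 output above and compares it with an expected spoke inventory; the inventory dictionary is an assumption built from the lab addressing.

```python
import re

# Output of "sh ip nhrp" on hub R1, copied from the post above.
HUB_OUTPUT = """\
10.10.1.2/32 via 10.10.1.2
   Tunnel0 created 00:05:19, expire 01:54:40
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 2.2.2.2
10.10.1.3/32 via 10.10.1.3
   Tunnel0 created 00:02:29, expire 01:57:30
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 3.3.3.3
"""
# Assumed inventory (tunnel IP -> NBMA address) built from the lab addressing.
EXPECTED = {"10.10.1.2": "2.2.2.2", "10.10.1.3": "3.3.3.3"}

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via ")
TYPE = re.compile(r"^\s+Type: (\w+), Flags:\s*(.*)$")
NBMA = re.compile(r"^\s+NBMA address: (\S+)")

def parse_nhrp(text):
    """Return one dict per NHRP cache entry in the command output."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY.match(line):
            entries.append({"tunnel": m.group(1), "type": None, "flags": [], "nbma": None})
        elif entries and (m := TYPE.match(line)):
            entries[-1]["type"], entries[-1]["flags"] = m.group(1), m.group(2).split()
        elif entries and (m := NBMA.match(line)):
            entries[-1]["nbma"] = m.group(1)
    return entries

def audit(entries, expected):
    """Compare the cache with the inventory and return a list of findings."""
    findings, seen = [], set()
    for e in entries:
        seen.add(e["tunnel"])
        want = expected.get(e["tunnel"])
        if want is None:
            findings.append(f"unknown spoke {e['tunnel']} registered from {e['nbma']}")
        elif e["nbma"] != want:
            findings.append(f"{e['tunnel']} maps to {e['nbma']}, expected {want}")
    findings += [f"expected spoke {t} not registered" for t in sorted(set(expected) - seen)]
    return findings

if __name__ == "__main__":
    for finding in audit(parse_nhrp(HUB_OUTPUT), EXPECTED) or ["NHRP cache matches inventory"]:
        print(finding)
```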

 

If we now want R2's loopback to communicate with R3's loopback, we will need some routing.

I will use EIGRP to route traffic between the two devices.

 

EIGRP configuration on the DMVPN hub is the following.

R1(config)#router eigrp 10
R1(config-router)#no auto-summary
R1(config-router)#net 10.10.1.1 0.0.0.0
R1(config-router)#net 192.168.1.1 0.0.0.0

 

On the tunnel interface, we need to disable split-horizon.

We also configure multicast mapping; otherwise the EIGRP neighbor relationships won’t be able to form.

R1(config-router)#int tu0
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#no ip split-horizon eigrp 10

 

And the EIGRP configuration on the spoke routers.

R2(config)#router eigrp 10
R2(config-router)#no auto-summary
R2(config-router)#net 10.10.1.2 0.0.0.0
R2(config-router)#net 192.168.2.2 0.0.0.0
R2(config-router)#int tu0
R2(config-if)#ip nhrp map multicast 1.1.1.1

R3(config)#router eigrp 10
R3(config-router)#no auto-summary
R3(config-router)#net 10.10.1.3 0.0.0.0
R3(config-router)#net 192.168.3.3 0.0.0.0
R3(config-router)#int tu0
R3(config-if)#ip nhrp map multicast 1.1.1.1

 

R2 can reach R3's loopback IP address; traceroute shows it goes via the DMVPN hub.

R2#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2#traceroute 192.168.3.3
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.1.1 0 msec 0 msec 0 msec
  2 10.10.1.3 1 msec

 

 

That’s it for DMVPN phase 1.

We have configured a basic DMVPN with minimal options, so in the next post we will go further and configure DMVPN phase 2.

We will also configure more NHRP options.

 

Thank you for reading.

 

 
