DMVPN phase 3 OSPF.

I’ve recently tested the different phases (1-3) of DMVPN with EIGRP and OSPF, and I found one strange thing for phase 3 with OSPF. According to the official Cisco documentation (IOS 15.2) for OSPF, you should apply the following configuration to the Tunnel interface:

Phase 1 – no direct communication between spoke routers
HUB & SPOKE: ip ospf network point-to-multipoint

Phase 2 – direct communication between spokes is allowed
HUB & SPOKE: ip ospf network broadcast
SPOKE: ip ospf priority 0

Phase 3 – improved Phase 2
HUB: ip nhrp redirect
     ip ospf network point-to-multipoint 
SPOKE: ip nhrp shortcut
       ip ospf network point-to-multipoint 

I discovered that, while using the phase 3 configuration, traffic between spoke routers is always sent through the Hub (just like in phase 1), and this seems to be caused by a problem with NHRP:


                                 HUB

                         /----\
                        |  R1  |
                         \----/

                       [10.0.0.1]

      SPOKE1               |               SPOKE2

      /----\ [10.0.0.2]  -----  [10.0.0.3] /----\
     |  R2  |-----------| sw1 |-----------|  R3  |
      \----/             -----             \----/

        |                                    |

   22.22.22.22                          33.33.33.33


R2#debug dmvpn all nhrp
DMVPN all level debugging is on
R2#tra
R2#traceroute 33.33.33.33
Type escape sequence to abort.
Tracing the route to 33.33.33.33
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 132 msec 128 msec 108 msec
  2 10.0.0.3 176 msec 200 msec 176 msec
R2#
*Apr  4 21:11:49.142: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.278: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.414: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.522: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.702: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.902: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
R2#traceroute 33.33.33.33
Type escape sequence to abort.
Tracing the route to 33.33.33.33
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 132 msec 128 msec 108 msec
  2 10.0.0.3 176 msec 200 msec 176 msec
R2#
R2#sh ver | i IOS
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
R2#
I completed the same test with IOS 12.4, and the traffic was sent directly to the spoke, as it should be:
R2#debug dmvpn all nhrp
DMVPN all level debugging is on
R2#tra
R2#traceroute 33.33.33.33

Type escape sequence to abort.
Tracing the route to 33.33.33.33

  1 10.0.0.1 72 msec 72 msec 96 msec
  2 10.0.0.3 124 msec 152 msec 244 msec
R2#
*Apr  4 21:20:49.823: NHRP: Receive Traffic Indication via Tunnel0 vrf 0, packet size: 100
*Apr  4 21:20:49.823:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Apr  4 21:20:49.823:      shtl: 4(NSAP), sstl: 0(NSAP)
*Apr  4 21:20:49.823:  (M) traffic code: redirect(0)
*Apr  4 21:20:49.827:      src NBMA: 7.7.7.1
*Apr  4 21:20:49.827:      src protocol: 10.0.0.1, dst protocol: 10.0.0.2
*Apr  4 21:20:49.827:      Contents of nhrp traffic indication packet:
*Apr  4 21:20:49.827:         45 00 00 1C 00 BF 00 00 02 11 6B CF 0A 00 00 02
*Apr  4 21:20:49.831:         21 21 21 21 C0 05 82 9D 00 08 70
*Apr  4 21:20:49.831: Forward Transit NHS Record Extension(4):
*Apr  4 21:20:49.831: Reverse Transit NHS Record Extension(5):
*Apr  4 21:20:49.831: Authentication Extension(7):
*Apr  4 21:20:49.831:   type:Cleartext(1), data:donttell
*Apr  4 21:20:49.835: NAT address Extension(9):
*Apr  4 21:20:49.835: NHRP: netid_in = 99, to_us = 1
*Apr  4 21:20:49.835: NHRP: netid_out
R2# 0, netid_in 99
*Apr  4 21:20:49.835: NHRP: Tunnel0: Cache add for target 33.33.33.33/32 next-hop 33.33.33.33
*Apr  4 21:20:49.839:
*Apr  4 21:20:49.883: NHRP: Checking for delayed event 0.0.0.0/33.33.33.33 on list (Tunnel0).
*Apr  4 21:20:49.883: NHRP: No node found.
*Apr  4 21:20:49.899: NHRP: Checking for delayed event 0.0.0.0/33.33.33.33 on list (Tunnel0).
*Apr  4 21:20:49.899: NHRP: No node found.
*Apr  4 21:20:49.903: NHRP: Attempting to send packet via DEST 33.33.33.33
*Apr  4 21:20:49.903: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.7.7.1
*Apr  4 21:20:49.903: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Apr  4 21:20:49.907:  src: 10.0.0.2, dst: 33.33.33.33
*Apr  4 21:20:49.907:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Apr  4 21:20:49.907:      shtl: 4(NSAP), sstl: 0(NSAP)
*Apr  4 21:20:49.907:  (M) flags: "router auth src-stable nat ", reqid: 6
*Apr  4 21:20:49.911:      src NBMA: 7.7.7.2
*Apr  4 21:20:49.911:
R2#    src protocol: 10.0.0.2, dst protocol: 33.33.33.33
*Apr  4 21:20:49.911:  (C-1) code: no error(0)
*Apr  4 21:20:49.911:        prefix: 0, mtu: 1514, hd_time: 7200
*Apr  4 21:20:49.915:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Apr  4 21:20:49.915: Responder Address Extension(3):
*Apr  4 21:20:49.915: Forward Transit NHS Record Extension(4):
*Apr  4 21:20:49.915: Reverse Transit NHS Record Extension(5):
*Apr  4 21:20:49.915: Authentication Extension(7):
*Apr  4 21:20:49.915:   type:Cleartext(1), data:donttell
*Apr  4 21:20:49.919: NAT address Extension(9):
*Apr  4 21:20:49.919: NHRP: 88 bytes out Tunnel0
*Apr  4 21:20:49.919: NHRP-RATE: Sending initial Resolution Request for 33.33.33.33, reqid 6
*Apr  4 21:20:50.703: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 156
*Apr  4 21:20:50.707:  (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
*Apr  4 21:20:50.707:      shtl: 4(NSAP), sstl: 0(NSAP)
*Apr  4 21:20:50.707:  (M
R2#) flags: "router auth dst-stable unique src-stable nat ", reqid: 6
*Apr  4 21:20:50.707:      src NBMA: 7.7.7.2
*Apr  4 21:20:50.707:      src protocol: 10.0.0.2, dst protocol: 33.33.33.33
*Apr  4 21:20:50.711:  (C-1) code: no error(0)
*Apr  4 21:20:50.711:        prefix: 24, mtu: 1514, hd_time: 7199
*Apr  4 21:20:50.711:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr  4 21:20:50.711:        client NBMA: 7.7.7.3
*Apr  4 21:20:50.715:        client protocol: 10.0.0.3
*Apr  4 21:20:50.715: Responder Address Extension(3):
*Apr  4 21:20:50.715:  (C) code: no error(0)
*Apr  4 21:20:50.715:        prefix: 0, mtu: 1514, hd_time: 7200
*Apr  4 21:20:50.715:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr  4 21:20:50.715:        client NBMA: 7.7.7.3
*Apr  4 21:20:50.719:        client protocol: 10.0.0.3
*Apr  4 21:20:50.719: Forward Transit NHS Record Extension(4):
*Apr  4 21:20:50.719:  (C-1) code: no error(0)
*Apr  4 21:2
R2#0:50.719:        prefix: 0, mtu: 1514, hd_time: 7200
*Apr  4 21:20:50.719:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr  4 21:20:50.723:        client NBMA: 7.7.7.1
*Apr  4 21:20:50.723:        client protocol: 10.0.0.1
*Apr  4 21:20:50.723: Reverse Transit NHS Record Extension(5):
*Apr  4 21:20:50.723:  (C-1) code: no error(0)
*Apr  4 21:20:50.723:        prefix: 0, mtu: 1514, hd_time: 7200
*Apr  4 21:20:50.727:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr  4 21:20:50.727:        client NBMA: 7.7.7.1
*Apr  4 21:20:50.727:        client protocol: 10.0.0.1
*Apr  4 21:20:50.727: Authentication Extension(7):
*Apr  4 21:20:50.727:   type:Cleartext(1), data:donttell
*Apr  4 21:20:50.731: NAT address Extension(9):
*Apr  4 21:20:50.731: NHRP: netid_in = 0, to_us = 1
*Apr  4 21:20:50.731: NHRP: Checking for delayed event 0.0.0.0/33.33.33.33 on list (Tunnel0).
*Apr  4 21:20:50.731: NHRP: No node found.
*Apr  4 21:2
R2#0:50.735: NHRP: No need to delay processing of resolution event nbma src:7.7.7.2 nbma dst:7.7.7.3
*Apr  4 21:20:50.735: NHRP: Tunnel0: Cache add for target 33.33.33.0/24 next-hop 10.0.0.3
*Apr  4 21:20:50.739:            7.7.7.3
*Apr  4 21:20:50.739: NHRP: Converted internal dynamic cache entry for 33.33.33.0/24 interface Tunnel0 to external
*Apr  4 21:20:50.743: NHRP: Found adjacency for nhop 10.0.0.3
*Apr  4 21:20:50.743: NHRP: Deleting incomplete entry for 33.33.33.33/32 interface Tunnel0
*Apr  4 21:20:50.747: NHRP: Deleting delayed event for NBMA 0.0.0.0 on list (Tunnel0).
*Apr  4 21:20:51.819: NHRP-RATE: Tunnel0: Used 1
R2#traceroute 33.33.33.33

Type escape sequence to abort.
Tracing the route to 33.33.33.33

  1 10.0.0.3 56 msec 84 msec 84 msec
R2#sh ver | i IOS
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(11)T1, RELEASE SOFTWARE (fc5)
R2#
When we change the tunnel setting from ‘point-to-multipoint’ to ‘broadcast’ in 15.2, everything works fine: the traffic is sent directly between spokes. For those who are not aware of this problem and upgrade the software on their routers to 15.2, it can be an unexpected surprise when the traffic is sent via the Hub router. So, the correct settings are:
Phase 3* – improved Phase 2
HUB: ip nhrp redirect
     ip ospf network point-to-multipoint (ver 12.X)
     ip ospf network broadcast (ver 15.2)

SPOKE: ip nhrp shortcut
       ip ospf network point-to-multipoint (ver 12.X)
       ip ospf network broadcast (ver 15.2)
* ‘point-to-multipoint’ does not work on 15.2, only on 12.4
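A complete phase 3 tunnel configuration for this lab, as an added example that is not part of the original post: it combines the 15.2 settings above with the values visible in the debug output (tunnel network 10.0.0.0/24, NBMA addresses 7.7.7.x, NHRP network-id 99, authentication string donttell). The tunnel source interface, OSPF process number and area, the /24 spoke LANs and the IPsec profile name are assumptions; on 12.4 you would swap ‘broadcast’ for ‘point-to-multipoint’, where the DR election and the priority line do not apply.

```cisco
! ---- Hub R1 (tunnel 10.0.0.1, NBMA 7.7.7.1) ----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ! NHRP authentication travels in cleartext (see "type:Cleartext(1), data:donttell"
 ! in the debug above); it only separates DMVPN clouds, it is not a security control.
 ip nhrp authentication donttell
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ! Phase 3: hub tells spokes when a better (spoke-to-spoke) path exists
 ip nhrp redirect
 ! 15.2: broadcast network type; the hub must be the DR, so leave its priority > 0
 ip ospf network broadcast
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 ! Assumed: IPsec is what actually protects NHRP and the spoke traffic
 tunnel protection ipsec profile DMVPN-PROF
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
!
! ---- Spoke R2 (tunnel 10.0.0.2, NBMA 7.7.7.2); R3 is identical with 10.0.0.3 ----
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication donttell
 ip nhrp map 10.0.0.1 7.7.7.1
 ip nhrp map multicast 7.7.7.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 ! Phase 3: act on the hub's redirect by resolving the remote spoke and installing
 ! the shortcut (the "Cache add ... next-hop 10.0.0.3" seen in the 12.4 debug)
 ip nhrp shortcut
 ip ospf network broadcast
 ! Spokes only hold an NHRP mapping to the hub, so they must never become DR/BDR
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 22.22.22.0 0.0.0.255 area 0
```

To confirm the shortcut took effect, the first hop of `traceroute 33.33.33.33` from R2 should be 10.0.0.3, and `show ip nhrp` on R2 should list 33.33.33.0/24 with NBMA 7.7.7.3 as a dynamic entry.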
