Tuesday, December 30, 2014

DMVPN - phase two - EIGRP

Phase two allows spoke-to-spoke communication. Please read my previous post first (EIGRP phase one): http://myitmicroblog.blogspot.com/2014/12/dmvpn-phase-one-eigrp.html

Note that phase two is not recommended, because phase three solves many of its issues, such as scalability. I will describe the differences between them in my next post.

From the configuration perspective I need to change:

R1 (hub):
 
interface Tunnel0
  no ip next-hop-self eigrp 1

Let’s check the settings on R2 before we send traffic:
 
R2#sh ip route eigrp
     33.0.0.0/24 is subnetted, 1 subnets
D       33.33.33.0 [90/310172416] via 10.10.10.3, 00:22:35, Tunnel0
D    11.0.0.0/8 [90/297372416] via 10.10.10.1, 00:22:37, Tunnel0
R2#

As you can see, the next hop for Lan3 (33.33.33.33) is R3, not R1 as it was in phase one.
 
R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 01:40:18, never expire
  Type: static, Flags: nat used
  NBMA address: 5.5.5.1
R2#
 
R2#sh ip cef | i 33
33.33.33.0/24       10.10.10.3           Tunnel0
R2#
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         5.5.5.1      10.10.10.1    UP 01:43:00 S

R2#
 
R2#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

 -------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 10.10.10.2
   Source addr: 6.6.6.1, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "IPSEC-PRF",
Tunnel VRF "", ip vrf forwarding ""

NHRP Details: NHS:         10.10.10.1 RE

Type:Spoke, NBMA Peers:1
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         5.5.5.1      10.10.10.1    UP 01:43:05 S         10.10.10.1/32

  IKE SA: local 6.6.6.1/500 remote 5.5.5.1/500 Active
  Crypto Session Status: UP-ACTIVE
  fvrf: (none)
  IPSEC FLOW: permit 47 host 6.6.6.1 host 5.5.5.1
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0x20F7240B, transform : esp-3des esp-sha-hmac
    Socket State: Open

Pending DMVPN Sessions:

R2#

Now I send traffic from 22.22.22.22 to 33.33.33.33:
 
R2#traceroute 33.33.33.33 source 22.22.22.22

Type escape sequence to abort.
Tracing the route to 33.33.33.33

  1 10.10.10.1 92 msec 64 msec 84 msec
  2 10.10.10.3 116 msec 128 msec 124 msec
R2#
R2#
R2#
R2#traceroute 33.33.33.33 source 22.22.22.22

Type escape sequence to abort.
Tracing the route to 33.33.33.33

  1 10.10.10.3 40 msec 64 msec 88 msec
R2#

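The first traceroute went through the hub (10.10.10.1), the second went directly to R3 (10.10.10.3). So the traffic triggered the creation of a new NHRP entry: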
 
R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 01:44:33, never expire
  Type: static, Flags: nat used
  NBMA address: 5.5.5.1
10.10.10.3/32 via 10.10.10.3, Tunnel0 created 00:00:19, expire 01:59:39
  Type: dynamic, Flags: router nat
  NBMA address: 7.7.7.1
R2#

and a new dynamic tunnel:
 
R2#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

 -------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 10.10.10.2
   Source addr: 6.6.6.1, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "IPSEC-PRF",
Tunnel VRF "", ip vrf forwarding ""

NHRP Details: NHS:         10.10.10.1 RE

Type:Spoke, NBMA Peers:2
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         5.5.5.1      10.10.10.1    UP 01:45:51 S         10.10.10.1/32

  IKE SA: local 6.6.6.1/500 remote 5.5.5.1/500 Active
  Crypto Session Status: UP-ACTIVE
  fvrf: (none)
  IPSEC FLOW: permit 47 host 6.6.6.1 host 5.5.5.1
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0x20F7240B, transform : esp-3des esp-sha-hmac
    Socket State: Open
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         7.7.7.1      10.10.10.3    UP 00:01:40 D         10.10.10.3/32

  IKE SA: local 6.6.6.1/500 remote 7.7.7.1/500 Active
  Crypto Session Status: UP-ACTIVE
  fvrf: (none)
  IPSEC FLOW: permit 47 host 6.6.6.1 host 7.7.7.1
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0xF6648969, transform : esp-3des esp-sha-hmac
    Socket State: Open

Pending DMVPN Sessions:

R2#

As you can see, I can build spoke-to-spoke tunnels, but you should remember the following limitations:
  • you can’t summarize, so every spoke needs to keep routes to all other spokes in its routing table (phase three fixes this issue)
  • you can’t have different routing protocols on hub-spoke and spoke-spoke routers (phase three resolves this issue)
In my next post I will test phase three.
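
An added example, not part of the original post: a Python check that parses the peer rows and crypto lines of the second sh dmvpn detail output above and reports dynamic (D) spoke-to-spoke sessions, tunnels that are UP without an active crypto session, and legacy transforms. The function names and the LEGACY set are assumptions of this example; the sample lines are copied from the R2 output.

```python
import re

# Peer rows and crypto lines copied from the second "sh dmvpn detail" output on R2.
SAMPLE = """\
    1         5.5.5.1      10.10.10.1    UP 01:45:51 S         10.10.10.1/32
  Crypto Session Status: UP-ACTIVE
   Outbound SPI : 0x20F7240B, transform : esp-3des esp-sha-hmac
    1         7.7.7.1      10.10.10.3    UP 00:01:40 D         10.10.10.3/32
  Crypto Session Status: UP-ACTIVE
   Outbound SPI : 0xF6648969, transform : esp-3des esp-sha-hmac
"""

IP = r"(\d+(?:\.\d+){3})"
PEER_ROW = re.compile(r"^\s*\d+\s+" + IP + r"\s+" + IP + r"\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*$")
TRANSFORM = re.compile(r"transform\s*:\s*(.+?)\s*$")
# Assumption of this example: the transforms the audit treats as legacy.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}

def parse_peers(text):
    """Return one dict per peer row, with the crypto lines that follow it attached."""
    peers = []
    for line in text.splitlines():
        row = PEER_ROW.match(line)
        if row:
            nbma, tunnel, state, attrb, target = row.groups()
            peers.append({"nbma": nbma, "tunnel": tunnel, "state": state, "attrb": attrb,
                          "target": target, "crypto_up": False, "transforms": []})
        elif peers and "Crypto Session Status:" in line:
            peers[-1]["crypto_up"] = line.split(":", 1)[1].strip() == "UP-ACTIVE"
        elif peers and TRANSFORM.search(line):
            peers[-1]["transforms"] = TRANSFORM.search(line).group(1).split()
    return peers

def audit(peers):
    """Return (tunnel_ip, finding) tuples for sessions worth a second look."""
    findings = []
    for p in peers:
        if "D" in p["attrb"]:
            findings.append((p["tunnel"], "dynamic spoke-to-spoke session, NBMA " + p["nbma"]))
        if p["state"] == "UP" and not p["crypto_up"]:
            findings.append((p["tunnel"], "tunnel UP without an active crypto session"))
        weak = sorted(set(p["transforms"]) & LEGACY)
        if weak:
            findings.append((p["tunnel"], "legacy transform: " + ", ".join(weak)))
    return findings

if __name__ == "__main__":
    for tunnel, finding in audit(parse_peers(SAMPLE)):
        print(tunnel, "-", finding)
```

Run against the output captured before any traffic was sent, the same check reports only the static hub session, which gives a baseline to compare later captures with.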
