Today I would like to implement DMVPN with EIGRP. This protocol is
very popular because of its scalability. Please read this post before
you start, because I’m not going to implement it from scratch:
http://myitmicroblog.blogspot.com/2014/12/dmvpn-phase-one-ospf.html
I assume you have your hub and spoke routers configured (IP addressing, hub and spoke configuration, firewall rules).
I have to add the following configuration:
R1:
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
 network 11.11.11.0 0.0.0.255
 auto-summary
!
interface Tunnel0
 no ip split-horizon eigrp 1
!
R2:
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
 network 22.22.22.0 0.0.0.255
 no auto-summary
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast 5.5.5.1
 ip nhrp map 10.10.10.1 5.5.5.1
 ip nhrp network-id 12
 ip nhrp nhs 10.10.10.1
 ip nhrp cache non-authoritative
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12
 tunnel protection ipsec profile IPSEC-PRF
!
R3:
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
 network 33.33.33.0 0.0.0.255
 no auto-summary
!
interface Tunnel0
 ip address 10.10.10.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast 5.5.5.1
 ip nhrp map 10.10.10.1 5.5.5.1
 ip nhrp network-id 12
 ip nhrp nhs 10.10.10.1
 ip nhrp cache non-authoritative
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12
 tunnel protection ipsec profile IPSEC-PRF
!
As you know, phase 1 allows only hub-and-spoke communication. I’m now going to test connectivity between R2 and R3.
R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 00:03:18, never expire
Type: static, Flags: nat used
NBMA address: 5.5.5.1
R2#
R2#sh ip route eigrp
33.0.0.0/24 is subnetted, 1 subnets
D 33.33.33.0 [90/310172416] via 10.10.10.1, 00:03:36, Tunnel0
D 11.0.0.0/8 [90/297372416] via 10.10.10.1, 00:03:36, Tunnel0
R2#
R2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.10.10.1              Tu0               13 00:03:54  132  5000  0   27
R2#
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 5.5.5.1 10.10.10.1 UP 00:04:08 S
R2#
R2#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 10.10.10.2
Source addr: 6.6.6.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "IPSEC-PRF",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details: NHS: 10.10.10.1 RE
Type:Spoke, NBMA Peers:1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 5.5.5.1 10.10.10.1 UP 00:04:47 S 10.10.10.1/32
IKE SA: local 6.6.6.1/500 remote 5.5.5.1/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none)
IPSEC FLOW: permit 47 host 6.6.6.1 host 5.5.5.1
Active SAs: 2, origin: crypto map
Outbound SPI : 0x72F083DD, transform : esp-3des esp-sha-hmac
Socket State: Open
Pending DMVPN Sessions:
R2#
Now I send traffic from R2 to R3:
R2#traceroute 33.33.33.33 source 22.22.22.22
Type escape sequence to abort.
Tracing the route to 33.33.33.33
1 10.10.10.1 76 msec 36 msec 100 msec
2 10.10.10.3 88 msec 88 msec 72 msec
R2#
R2#traceroute 33.33.33.33 source 22.22.22.22
Type escape sequence to abort.
Tracing the route to 33.33.33.33
1 10.10.10.1 68 msec 44 msec 60 msec
2 10.10.10.3 100 msec 96 msec 64 msec
R2#
Traffic is sent over the hub (as expected) and no dynamic tunnels are created:
R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 00:06:29, never expire
Type: static, Flags: nat used
NBMA address: 5.5.5.1
R2#
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 5.5.5.1 10.10.10.1 UP 00:06:33 S
R2#
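The check done by eye above can be scripted. The following is an added example, not part of the original post: it parses `sh dmvpn` / `sh dmvpn detail` text from a spoke and reports anything that deviates from phase 1 (a peer other than the hub, a dynamic entry), and also reports a legacy IPsec transform if one is listed. The function names, the sample text and the address 7.7.7.1 used in the test are constructed for illustration.

```python
import re

# Constructed sample: 'show dmvpn detail' lines in the layout shown in this post.
SAMPLE = """\
Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         5.5.5.1      10.10.10.1    UP 00:06:33     S
Outbound SPI : 0x72F083DD, transform : esp-3des esp-sha-hmac
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Peer row: entry count, NBMA address, tunnel address, state, up/down time, attributes.
PEER_ROW = re.compile(rf"^\s*(\d+)\s+({IP})\s+({IP})\s+(\S+)\s+(\S+)\s+([A-Z]+)\b")
TRANSFORM = re.compile(r"transform\s*:\s*(.+)$", re.M)
# Assumption of this example: these transforms are treated as legacy and reported.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_peers(text):
    """Return one dict per peer row found in the command output."""
    fields = ("ent", "nbma", "tunnel", "state", "updn", "attrb")
    rows = (PEER_ROW.match(line) for line in text.splitlines())
    return [dict(zip(fields, m.groups())) for m in rows if m]


def audit_spoke(text, hub_nbma, hub_tunnel):
    """List deviations from a phase 1 spoke: its only peer is the hub, static and UP."""
    findings = []
    peers = parse_peers(text)
    if not peers:
        findings.append("no peer rows found")
    for p in peers:
        if (p["nbma"], p["tunnel"]) != (hub_nbma, hub_tunnel):
            findings.append(f"unexpected peer {p['nbma']} ({p['tunnel']})")
        elif p["state"] != "UP":
            findings.append(f"hub session is {p['state']}")
        if "D" in p["attrb"]:
            findings.append(f"dynamic entry for {p['tunnel']}")
    for transforms in TRANSFORM.findall(text):
        weak = sorted(LEGACY & set(transforms.split()))
        if weak:
            findings.append("legacy transform: " + " ".join(weak))
    return findings


if __name__ == "__main__":
    for finding in audit_spoke(SAMPLE, "5.5.5.1", "10.10.10.1"):
        print(finding)
```
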
In some cases companies prefer to use only hub-and-spoke communication, and for them phase one is the best option. For those who want to save their hub resources and allow spoke-to-spoke communication, phase 2 (not recommended) and phase 3 are good options. In my next post I will implement phase 2 for EIGRP.