
DMVPN Phase1 with OSPF

Phase 1
・The hub builds a multipoint GRE tunnel to each spoke.
・Spokes build a GRE tunnel only with the hub.
・Spokes must transit their traffic via the hub.

R1 : HUB
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
interface FastEthernet0/0
 ip address 155.0.0.1 255.255.255.0
 speed auto
 duplex auto
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 speed auto
 duplex auto

R2 : SPOKE
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel destination 155.0.0.1
interface FastEthernet0/0
 ip address 155.0.0.2 255.255.255.0
 speed auto
 duplex auto
interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0
 speed auto
 duplex auto

R3 : SPOKE
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel destination 155.0.0.1
interface FastEthernet0/0
 ip address 155.0.0.3 255.255.255.0
 speed auto
 duplex auto
interface FastEthernet0/1
 ip address 192.168.3.3 255.255.255.0
 speed auto
 duplex auto

R2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/156/196 ms

R2#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/184/236 ms

R2#traceroute 10.0.0.3
Type escape sequence to abort.
Tracing the route to 10.0.0.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 180 msec 168 msec 180 msec
  2 10.0.0.3 212 msec 188 msec 172 msec

R1#sh ip nhrp
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:04:47, expire 01:55:12
   Type: dynamic, Flags: unique registered used
   NBMA address: 155.0.0.2
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:04:33, expire 01:55:26
   Type: dynamic, Flags: unique registered
   NBMA address: 155.0.0.3

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:06:55, never expire
   Type: static, Flags:
   NBMA address: 155.0.0.1

Enable OSPF in a single area.

R1
router ospf 123
 router-id 1.1.1.1
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0

R2
router ospf 123
 router-id 2.2.2.2
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.2.2 0.0.0.0 area 0

R3
router ospf 123
 router-id 3.3.3.3
 network 10.0.0.3 0.0.0.0 area 0
 network 192.168.3.3 0.0.0.0 area 0

R1#
*Jun 9 12:51:19.019: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 9 12:51:30.087: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Jun 9 12:51:30.391: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from INIT to DOWN, Neighbor Down: Adjacency forced to reset
*Jun 9 12:51:30.847: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 9 12:51:32.379: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Jun 9 12:51:32.707: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Jun 9 12:51:33.039: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Jun 9 12:51:33.055: %OSPF-4-NONEIGHBOR: Received database description from unknown neighbor 2.2.2.2
*Jun 9 12:51:33.311: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Jun 9 12:51:33.531: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Jun 9 12:51:33.631: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset

The neighbors keep going up and down.

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:39    10.0.0.2        Tunnel0

R1#sh ip ospf int bri
Interface    PID   Area   IP Address/Mask    Cost  State Nbrs F/C
Fa0/1        123   0      192.168.1.1/24     1     DR    0/0
Tu0          123   0      10.0.0.1/24        1000  P2P   0/0

The default OSPF network type of a tunnel interface is point-to-point, so the hub can only hold one adjacency on Tunnel0 at a time.

The easiest way is to set all routers to point-to-multipoint. However, this time we only change the hub.

Change the hub's OSPF network type to point-to-multipoint.

R1
interface Tunnel0
 ip ospf network point-to-multipoint

R1#sh ip ospf int tun0
Tunnel0 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0, Attached via Network Statement
  Process ID 123, Router ID 1.1.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 1000
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1000      no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5

R2#sh ip ospf int tun0
Tunnel0 is up, line protocol is up
  Internet Address 10.0.0.2/24, Area 0, Attached via Network Statement
  Process ID 123, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 1000
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1000      no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

The point-to-multipoint hub now uses Hello 30 / Dead 120 while the point-to-point spokes still use Hello 10 / Dead 40, and OSPF neighbors must agree on these timers, so change the hello interval on the hub.

R1
interface Tunnel0
 ip ospf hello-interval 10

R1#
*Jun 9 13:02:53.947: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 9 13:03:18.463: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done

R1#sh ip ospf int bri
Interface    PID   Area   IP Address/Mask    Cost  State Nbrs F/C
Fa0/1        123   0      192.168.1.1/24     1     DR    0/0
Tu0          123   0      10.0.0.1/24        1000  P2MP  2/2

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:32    10.0.0.3        Tunnel0
2.2.2.2           0   FULL/  -        00:00:37    10.0.0.2        Tunnel0
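Added here as an illustration (not part of the original post): a small Python check that parses the fields of the hub and spoke "show ip ospf interface" outputs above and reports why an adjacency over the tunnel cannot form. It runs against constructed copies of the three hub states seen on this page (tunnel default point-to-point, point-to-multipoint with the 30/120 timers, and after the hello-interval change). The network-type rule is a simplification for this hub-and-spoke design and is an assumption of the example, not IOS behaviour quoted from the page.

```python
import re

# Constructed samples trimmed from this page's "show ip ospf interface tun0"
# outputs: the hub at the tunnel default, after "ip ospf network
# point-to-multipoint", and after "ip ospf hello-interval 10"; one spoke.
HUB_DEFAULT = """Process ID 123, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 1000
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5"""
HUB_P2MP = """Process ID 123, Router ID 1.1.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 1000
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5"""
HUB_FIXED = """Process ID 123, Router ID 1.1.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 1000
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5"""
SPOKE = """Process ID 123, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 1000
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5"""

def parse_ospf_interface(text):
    """Pull out the fields a hub/spoke pair must agree on."""
    kind = re.search(r"Network Type (\S+), Cost", text).group(1)
    hello, dead = re.search(r"Hello (\d+), Dead (\d+)", text).groups()
    return {"type": kind, "hello": int(hello), "dead": int(dead)}

# Simplification (assumption of this example) for the page's design: the hub
# interface carries several neighbors, so it must be point-to-multipoint; a
# spoke may stay at the point-to-point default because neither type elects a DR.
HUB_TYPES = {"POINT_TO_MULTIPOINT"}
SPOKE_TYPES = {"POINT_TO_POINT", "POINT_TO_MULTIPOINT"}

def check_adjacency(hub_text, spoke_text):
    """Return the reasons an adjacency over the mGRE tunnel would fail."""
    hub, spoke = parse_ospf_interface(hub_text), parse_ospf_interface(spoke_text)
    problems = []
    if hub["type"] not in HUB_TYPES:
        problems.append(f"hub type {hub['type']} supports a single neighbor")
    if spoke["type"] not in SPOKE_TYPES:
        problems.append(f"spoke type {spoke['type']} expects a DR election")
    # OSPF discards hellos whose hello/dead values differ from its own.
    if (hub["hello"], hub["dead"]) != (spoke["hello"], spoke["dead"]):
        problems.append(f"timers hub {hub['hello']}/{hub['dead']} "
                        f"vs spoke {spoke['hello']}/{spoke['dead']}")
    return problems

if __name__ == "__main__":
    for name, hub in ("default", HUB_DEFAULT), ("p2mp", HUB_P2MP), ("fixed", HUB_FIXED):
        print(name, check_adjacency(hub, SPOKE) or "adjacency can form")
```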

R1#sh ip route ospf
(omit)
Gateway of last resort is not set

O     192.168.2.0/24 [110/1001] via 10.0.0.2, 00:01:32, Tunnel0
O     192.168.3.0/24 [110/1001] via 10.0.0.3, 00:02:28, Tunnel0

R2#sh ip route ospf
(omit)
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:05:48, Tunnel0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:02:16, Tunnel0
O     192.168.3.0/24 [110/2001] via 10.0.0.1, 00:02:48, Tunnel0

R3#sh ip route ospf
(omit)
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:05:50, Tunnel0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:02:43, Tunnel0
O     192.168.2.0/24 [110/2001] via 10.0.0.1, 00:02:20, Tunnel0

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/140/160 ms

At this point the packets are only encapsulated in GRE, not encrypted.

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 164 msec 152 msec 148 msec
  2 10.0.0.3 176 msec 208 msec 140 msec

Spoke-to-spoke traffic transits the hub, as the traceroute shows.

Enable IPsec protection.

R1
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2

crypto isakmp key CCIE address 0.0.0.0

crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport

crypto ipsec profile PROFILE
 set transform-set TRANS

interface Tunnel0
 tunnel protection ipsec profile PROFILE

R2/R3
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2

crypto isakmp key CCIE address 155.0.0.1

crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport

crypto ipsec profile PROFILE
 set transform-set TRANS

interface Tunnel0
 tunnel protection ipsec profile PROFILE

R1#
*Jun 9 13:49:12.019: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 9 13:49:13.687: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done

R1#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+SHA256               0        1        1 155.0.0.1
    2  IPsec   3DES+SHA256               0        0        0 155.0.0.1
    3  IPsec   3DES+SHA256               0        9        9 155.0.0.1
    4  IPsec   3DES+SHA256              12        0        0 155.0.0.1
    5  IPsec   3DES+SHA256               0        1        1 155.0.0.1
    6  IPsec   3DES+SHA256               0        0        0 155.0.0.1
    7  IPsec   3DES+SHA256               0        0        0 155.0.0.1
    8  IPsec   3DES+SHA256               1        0        0 155.0.0.1
    9  IPsec   3DES+SHA256               0       11       11 155.0.0.1
   10  IPsec   3DES+SHA256              12        0        0 155.0.0.1
   11  IPsec   3DES+SHA256               0        0        0 155.0.0.1
   12  IPsec   3DES+SHA256               0        0        0 155.0.0.1
   13  IPsec   3DES+SHA256               0        2        2 155.0.0.1
   14  IPsec   3DES+SHA256               3        0        0 155.0.0.1
 1001  IKE     SHA256+3DES               0        0        0 155.0.0.1
 1002  IKE     SHA256+3DES               0        0        0 155.0.0.1
 1003  IKE     SHA256+3DES               0        0        0 155.0.0.1
 1004  IKE     SHA256+3DES               0        0        0 155.0.0.1

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/296/380 ms

The packets are now encrypted by IPsec (note the higher round-trip times).

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 01:14:14, never expire
   Type: static, Flags:
   NBMA address: 155.0.0.1

R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
155.0.0.2       155.0.0.1       QM_IDLE           1002 ACTIVE
155.0.0.1       155.0.0.2       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.1 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.1
        Active SAs: 8, origin: crypto map

The spoke establishes an IPsec tunnel only with the hub.
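As an added example (not part of the original post and not a Cisco tool): a Python audit of the hub's crypto configuration above that flags the parameters a reviewer would want changed before production, namely 3DES, DH group 2 and the wildcard pre-shared key that every peer holding the key can use. The replacement keywords in the messages are standard IOS options suggested by the example, not settings from the page.

```python
import re

# Constructed copy of this page's hub-side IKE/IPsec configuration.
HUB_CRYPTO_CONFIG = """crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport
crypto ipsec profile PROFILE
 set transform-set TRANS
interface Tunnel0
 tunnel protection ipsec profile PROFILE"""

# Settings an auditor would flag today (3DES and 1024-bit/1536-bit DH groups
# are deprecated); the alternatives named are standard IOS keywords suggested
# by this example, not configuration taken from the page.
WEAK = {
    r"^\s*encr 3des\b": "IKE encryption 3des (prefer encr aes 256)",
    r"^\s*group (1|2|5)\b": "IKE DH group 1/2/5 (prefer group 14 or higher)",
    r"^\s*hash (md5|sha)\s*$": "IKE hash md5/sha1 (prefer hash sha256)",
    r"esp-3des\b": "ESP cipher esp-3des (prefer esp-aes 256)",
    r"esp-md5-hmac|esp-sha-hmac\b": "ESP integrity md5/sha1 (prefer esp-sha256-hmac)",
    r"^crypto isakmp key \S+ address 0\.0\.0\.0":
        "wildcard pre-shared key: one secret shared by every spoke "
        "(consider per-peer keys or certificate authentication)",
}

def audit_crypto_config(config):
    """Return (line number, finding) pairs for weak or risky settings."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for pattern, message in WEAK.items():
            if re.search(pattern, line):
                findings.append((lineno, message))
    return findings

if __name__ == "__main__":
    for lineno, message in audit_crypto_config(HUB_CRYPTO_CONFIG):
        print(f"line {lineno}: {message}")
```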
