
DMVPN Phase2 with OSPF - 2

In Phase 2 the hub and the spokes all build multipoint GRE tunnels to each other.
・Spokes have the other spoke's tunnel address as next hop.
・Spokes forward traffic to other spokes directly.

Additional requirement: the hub can send multicast packets, but the spokes cannot (only the hub gets an NHRP multicast mapping).

R1 : HUB

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

interface FastEthernet0/0
 ip address 155.0.0.1 255.255.255.0
 speed auto
 duplex auto

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 speed auto
 duplex auto

R2 : SPOKE

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

interface FastEthernet0/0
 ip address 155.0.0.2 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0

R3 : SPOKE

interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

interface FastEthernet0/0
 ip address 155.0.0.3 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.3.3 255.255.255.0

Enable OSPF in a single area.

R1
interface Tunnel0
 ip ospf network broadcast
router ospf 123
 router-id 1.1.1.1
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0

R2
interface Tunnel0
 ip ospf network broadcast
router ospf 123
 router-id 2.2.2.2
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.2.2 0.0.0.0 area 0

R3
interface Tunnel0
 ip ospf network broadcast
router ospf 123
 router-id 3.3.3.3
 network 10.0.0.3 0.0.0.0 area 0
 network 192.168.3.3 0.0.0.0 area 0

The hub first establishes an adjacency with each spoke.

R1#
*Jun 12 12:11:42.671: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 12:11:43.675: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done

R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DROTHER    00:00:39    10.0.0.2        Tunnel0
3.3.3.3           1   FULL/BDR        00:00:34    10.0.0.3        Tunnel0

However, the neighbors between the hub and the spokes then flap: they go DOWN and come back UP repeatedly.

R1#
*Jun 12 12:12:32.823: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jun 12 12:12:37.731: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jun 12 12:12:45.455: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 12:12:50.619: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 12:13:36.259: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jun 12 12:13:40.611: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jun 12 12:13:44.127: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 12:13:53.603: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done

Debug and capture.

The hub maps multicast dynamically (ip nhrp map multicast dynamic), so when it sends a multicast Hello the NBMA address of each registered spoke is used as the destination IP address of the GRE packet. The spokes answer the hub with a unicast Hello, and the neighbor relationship is established.

R1#debug ip ospf hello
OSPF hello debugging is on
R1#
*Jun 12 12:17:38.251: OSPF-123 HELLO Tu0: Send hello to 224.0.0.5 area 0 from 10.0.0.1
*Jun 12 12:17:47.283: OSPF-123 HELLO Tu0: Send hello to 224.0.0.5 area 0 from 10.0.0.1
*Jun 12 12:17:56.643: OSPF-123 HELLO Tu0: Send hello to 224.0.0.5 area 0 from 10.0.0.1
*Jun 12 12:18:06.099: OSPF-123 HELLO Tu0: Send hello to 224.0.0.5 area 0 from 10.0.0.1
*Jun 12 12:18:15.147: OSPF-123 HELLO Tu0: Send hello to 224.0.0.5 area 0 from 10.0.0.1
*Jun 12 12:18:19.939: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jun 12 12:18:19.947: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired

The hub only sends Hellos; no "Rcv hello" line appears, so it does not receive any Hello from the spokes once the adjacency is up.

The spokes have no NHRP multicast mapping, so when a spoke sends a Hello to 224.0.0.5 the mGRE tunnel has no NBMA address to encapsulate it toward: 224.0.0.5 is used as the destination IP address of the GRE packet as it is, and the packet never reaches the hub's tunnel.

The hub therefore concludes that no Hello is arriving from the spoke and takes the neighbor down when the Dead timer expires.
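The pattern visible in the hub's log above can be recognised mechanically. The following Python script is an added example, not part of the original post: it parses %OSPF-5-ADJCHG messages (the hub's lines from above, reproduced here as a constructed sample string), measures how long each neighbor stays FULL before the next loss, and checks whether every loss was a dead-timer expiry, which is the signature of Hellos that are sent but never arrive. The 40 s default dead interval, the thresholds and the verdict strings are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches IOS %OSPF-5-ADJCHG lines such as
#   *Jun 12 12:12:32.823: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
ADJCHG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%OSPF-5-ADJCHG: Process (?P<proc>\d+), Nbr (?P<nbr>\d+\.\d+\.\d+\.\d+) "
    r"on (?P<intf>\S+) from (?P<old>[A-Z0-9]+) to (?P<new>[A-Z0-9]+), (?P<reason>.+)$"
)

# Constructed sample: the hub's ADJCHG messages from the lab above, one per line.
SAMPLE_LOG = """
*Jun 12 12:11:42.671: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 12:11:43.675: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 12:12:32.823: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jun 12 12:12:37.731: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jun 12 12:12:45.455: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 12:12:50.619: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 12:13:36.259: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jun 12 12:13:40.611: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jun 12 12:13:44.127: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 12:13:53.603: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done
"""


def parse_adjchg(log_text):
    """Return the ADJCHG events found in log_text as dicts, in file order."""
    events = []
    for line in log_text.splitlines():
        m = ADJCHG_RE.match(line.strip())
        if not m:
            continue  # not an adjacency-change message
        e = m.groupdict()
        # IOS timestamps carry no year; strptime fills in 1900, fine for deltas.
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S.%f")
        events.append(e)
    return events


def summarize_flaps(events, dead_interval=40, max_downs=1):
    """Group events per (neighbor, interface) and classify each neighbor.

    dead_interval is the OSPF dead timer in seconds (40 s is the Broadcast
    default, an assumption here). A neighbor whose every loss is a
    'Dead timer expired' and whose FULL periods each last less than two dead
    intervals keeps reaching FULL and then losing Hellos; on an mGRE tunnel
    that points at the neighbor's Hellos not being encapsulated (no NHRP
    multicast mapping) or at a network-type/timer mismatch.
    """
    per_nbr = defaultdict(list)
    for e in events:
        per_nbr[(e["nbr"], e["intf"])].append(e)

    report = {}
    for key, evs in per_nbr.items():
        evs.sort(key=lambda e: e["ts"])
        full_since, durations, downs, dead_downs = None, [], 0, 0
        for e in evs:
            if e["new"] == "FULL":
                full_since = e["ts"]
            elif e["new"] == "DOWN":
                downs += 1
                if "Dead timer expired" in e["reason"]:
                    dead_downs += 1
                if full_since is not None:
                    durations.append((e["ts"] - full_since).total_seconds())
                    full_since = None
        if downs <= max_downs:
            verdict = "stable"
        elif dead_downs == downs and all(d < 2 * dead_interval for d in durations):
            verdict = ("flapping: dead timer expiry shortly after FULL, "
                       "Hellos from this neighbor are not arriving")
        else:
            verdict = "flapping: mixed causes, inspect reasons"
        report[key] = {"downs": downs, "dead_timer_downs": dead_downs,
                       "full_durations": durations, "verdict": verdict}
    return report


if __name__ == "__main__":
    for (nbr, intf), r in summarize_flaps(parse_adjchg(SAMPLE_LOG)).items():
        secs = [round(d) for d in r["full_durations"]]
        print(f"{nbr} on {intf}: {r['downs']} downs, FULL for {secs} s -> {r['verdict']}")
```

Feed it the output of show logging (or a syslog export) from the hub. On an mGRE tunnel a "dead timer expiry shortly after FULL" verdict is the cue to check ip nhrp map multicast on the neighbor and the OSPF network type on both sides before looking anywhere else.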

With the OSPF network type Broadcast, a router that receives a multicast Hello from a new neighbor answers it with a unicast Hello while the neighbor is being established, which is why the adjacency forms at first. Once the neighbor is established, the Hellos that maintain it are sent as multicast to 224.0.0.5 from both sides.

Since the spokes cannot transmit multicast, they need an OSPF network type that maintains the neighbor without multicast. Non-broadcast sends its maintenance Hellos by unicast.

Change the OSPF network type of the spokes to Non-broadcast.

R2/R3
interface Tunnel0
 ip ospf network non-broadcast

Broadcast and Non-broadcast use different default timers (Hello/Dead 10/40 s versus 30/120 s), and OSPF only accepts a neighbor whose Hello carries the same values, so they have to be aligned. This time we change the Hello timer on the hub; in IOS, setting the Hello interval also resets the Dead interval to four times that value, so the hub now runs 30/120 s like the spokes.

R1
interface Tunnel0
 ip ospf hello-interval 30

R1#
*Jun 12 14:47:29.478: %OSPF-5-ADJCHG: Process 123, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 14:47:36.050: %OSPF-5-ADJCHG: Process 123, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done
*Jun 12 14:47:53.518: OSPF-123 HELLO Tu0: Rcv hello from 2.2.2.2 area 0 10.0.0.2
*Jun 12 14:47:54.414: OSPF-123 HELLO Tu0: Rcv hello from 3.3.3.3 area 0 10.0.0.3
*Jun 12 14:47:58.346: OSPF-123 HELLO Tu0: Send hello to 224.0.0.5 area 0 from 10.0.0.1
*Jun 12 14:48:21.838: OSPF-123 HELLO Tu0: Rcv hello from 3.3.3.3 area 0 10.0.0.3
*Jun 12 14:48:22.686: OSPF-123 HELLO Tu0: Rcv hello from 2.2.2.2 area 0 10.0.0.2

Since the spokes now send their maintenance Hellos by unicast, the hub receives them and the neighbor relationship stays up.

For route calculation to work, the hub must be elected DR: every router has to reach the DR, and only the hub has an NHRP mapping to every spoke. Adjust the priorities so that the hub always wins the election and the spokes (priority 0) can never become DR or BDR.

R1
interface Tunnel0
 ip ospf priority 255

R2/R3
interface Tunnel0
 ip ospf priority 0

R1/R2/R3
clear ip ospf process
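The network-type, timer and priority rules applied in the steps above, as an added example (not code from the original post): a Python model of the OSPF settings on each router's Tunnel0 that reports why a hub/spoke pair cannot keep a healthy adjacency. It generalises the page's Broadcast/Non-broadcast case to all five IOS network types, using the RFC 2328 default timers, and encodes the IOS behaviour that setting the Hello interval resets the Dead interval to four times that value. The OspfTunnel class, the has_multicast_map flag and the stage names are assumptions made for the example; the four stages are the configurations the page walks through for R1 and R2.

```python
from dataclasses import dataclass
from typing import Optional

# OSPF interface network types as IOS names them, with their default Hello/Dead
# timers (RFC 2328 values), whether they elect a DR/BDR, and whether their
# Hellos go to 224.0.0.5 (multicast) or to each neighbor by unicast.
NETWORK_TYPES = {
    "broadcast":                         {"hello": 10, "dead": 40,  "dr": True,  "mcast_hello": True},
    "non-broadcast":                     {"hello": 30, "dead": 120, "dr": True,  "mcast_hello": False},
    "point-to-point":                    {"hello": 10, "dead": 40,  "dr": False, "mcast_hello": True},
    "point-to-multipoint":               {"hello": 30, "dead": 120, "dr": False, "mcast_hello": True},
    "point-to-multipoint non-broadcast": {"hello": 30, "dead": 120, "dr": False, "mcast_hello": False},
}


@dataclass
class OspfTunnel:
    """OSPF-relevant state of one router's Tunnel0 (an assumed model, not an IOS API)."""
    router: str
    network_type: str
    hello: Optional[int] = None      # 'ip ospf hello-interval', None = default
    dead: Optional[int] = None       # 'ip ospf dead-interval', None = default
    priority: int = 1                # 'ip ospf priority', IOS default 1
    has_multicast_map: bool = True   # an NHRP multicast mapping exists on this tunnel

    def timers(self):
        """Effective (hello, dead) in seconds."""
        d = NETWORK_TYPES[self.network_type]
        hello = self.hello if self.hello is not None else d["hello"]
        # IOS: configuring hello-interval resets the dead interval to 4 x hello
        # unless dead-interval was configured explicitly.
        if self.dead is not None:
            dead = self.dead
        elif self.hello is not None:
            dead = 4 * self.hello
        else:
            dead = d["dead"]
        return hello, dead


def check_adjacency(hub: OspfTunnel, spoke: OspfTunnel):
    """Return the reasons a hub/spoke pair cannot keep a healthy OSPF neighbor.

    An empty list means the pair should form and keep the adjacency with the
    hub as DR (where the type elects one).
    """
    problems = []
    h, s = NETWORK_TYPES[hub.network_type], NETWORK_TYPES[spoke.network_type]

    if hub.timers() != spoke.timers():
        problems.append(f"hello/dead mismatch: {hub.router} {hub.timers()} vs "
                        f"{spoke.router} {spoke.timers()}")

    if h["dr"] != s["dr"]:
        problems.append(f"network-type mismatch: {hub.network_type} elects a DR, "
                        f"{spoke.network_type} does not")

    for t, tt in ((hub, h), (spoke, s)):
        if tt["mcast_hello"] and not t.has_multicast_map:
            problems.append(f"{t.router} sends Hellos to 224.0.0.5 but has no NHRP multicast "
                            "mapping; its neighbors expire at the dead timer")

    if h["dr"] and s["dr"]:
        if hub.priority == 0:
            problems.append(f"{hub.router} has priority 0 and can never be DR")
        if spoke.priority > 0:
            problems.append(f"{spoke.router} has priority {spoke.priority} and may become "
                            "DR/BDR; only the hub reaches every spoke, so spokes need priority 0")
    return problems


def lab_stages():
    """The four configurations the page walks through, for R1 (hub) and R2 (spoke)."""
    return {
        "1 broadcast everywhere": (OspfTunnel("R1", "broadcast"),
                                   OspfTunnel("R2", "broadcast", has_multicast_map=False)),
        "2 spoke non-broadcast": (OspfTunnel("R1", "broadcast"),
                                  OspfTunnel("R2", "non-broadcast", has_multicast_map=False)),
        "3 hub hello 30": (OspfTunnel("R1", "broadcast", hello=30),
                           OspfTunnel("R2", "non-broadcast", has_multicast_map=False)),
        "4 hub priority 255, spoke 0": (
            OspfTunnel("R1", "broadcast", hello=30, priority=255),
            OspfTunnel("R2", "non-broadcast", priority=0, has_multicast_map=False)),
    }


if __name__ == "__main__":
    for name, (hub, spoke) in lab_stages().items():
        print(name, "->", check_adjacency(hub, spoke) or ["ok"])
```

Stage 1 reproduces the flapping (spoke Hellos to 224.0.0.5 with no mapping), stage 2 the timer mismatch, stage 3 only the DR-eligibility warning, and stage 4 comes back clean. The same function answers the question for the other DMVPN choices, for example a point-to-multipoint hub with point-to-multipoint non-broadcast spokes, which needs no DR at all.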

R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/DROTHER    00:01:58    10.0.0.2        Tunnel0
3.3.3.3           0   FULL/DROTHER    00:01:58    10.0.0.3        Tunnel0

R2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1         255   FULL/DR         00:01:41    10.0.0.1        Tunnel0

R3#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1         255   FULL/DR         00:01:56    10.0.0.1        Tunnel0

R2#sh ip route ospf
(omit)
Gateway of last resort is not set

O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:01:00, Tunnel0
O     192.168.3.0/24 [110/1001] via 10.0.0.3, 00:01:00, Tunnel0

R3#sh
Gateway of last resort is not set

O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:01:17, Tunnel0
O     192.168.2.0/24 [110/1001] via 10.0.0.2, 00:01:07, Tunnel0

Each spoke has the other spoke's tunnel address as next hop.

Now test spoke-to-spoke communication.

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 01:06:22, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
.!!!.
Success rate is 60 percent (3/5), round-trip min/avg/max = 60/180/364 ms

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 01:06:58, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:08, expire 01:59:52
   Type: dynamic, Flags: router used
   NBMA address: 155.0.0.3

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 156 msec 172 msec 124 msec

Echoes are lost while R2 resolves the NBMA address of 10.0.0.3 through the hub; afterwards a dynamic NHRP entry for 10.0.0.3 (NBMA 155.0.0.3) exists and the traceroute shows a single hop, 10.0.0.3. The spoke forwards traffic to the other spoke directly.

Enable IPsec protection.

R1/R2/R3
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2

crypto isakmp key CCIE address 0.0.0.0

crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport

crypto ipsec profile PROFILE
 set transform-set TRANS

interface Tunnel0
 tunnel protection ipsec profile PROFILE

These are lab parameters. IKEv1 with 3DES, DH group 2 (1024-bit MODP), no PFS in the IPsec profile, and one wildcard pre-shared key that every peer shares (any host that learns "CCIE" can authenticate into the DMVPN) should not be carried into production; prefer IKEv2, AES-GCM, DH group 14 or stronger (or ECDH groups 19/20), and certificate authentication.
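An added example, not part of the original post, that treats the crypto stanza above as input: a Python linter that flags the weak choices in it (3DES, DH group 2, a wildcard pre-shared key shared by every peer) and notes the IKEv1 policy itself. The rules, severities and the STRONGER_CRYPTO counterpart (IKEv1 with AES-256, SHA-256, group 14 and a key bound to one peer address) are the example's own assumptions, not configuration from the page.

```python
import re

# Constructed sample: the IKEv1/IPsec stanza from the lab above.
LAB_CRYPTO = """\
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport
crypto ipsec profile PROFILE
 set transform-set TRANS
"""

# Constructed counterpart (assumed, not from the page): still IKEv1, but with
# AES-256, SHA-256, DH group 14 and a pre-shared key bound to a single peer.
STRONGER_CRYPTO = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key a-long-random-key-here address 155.0.0.1 255.255.255.255
crypto ipsec transform-set TRANS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROFILE
 set transform-set TRANS
"""

# Each rule: (regex applied to one running-config line, severity, message).
RULES = [
    (r"^\s*encr(yption)?\s+(des|3des)\b", "HIGH",
     "64-bit block cipher in IKE (DES/3DES, Sweet32); use aes 256 or AES-GCM"),
    (r"^\s*hash\s+(md5|sha)\s*$", "MEDIUM",
     "MD5/SHA-1 hash; use sha256 or stronger"),
    (r"^\s*group\s+(1|2|5)\s*$", "HIGH",
     "DH group 1/2/5 (at most 1536-bit MODP); use group 14 or higher, or ECDH 19/20"),
    (r"^\s*crypto isakmp key\s+\S+\s+address\s+0\.0\.0\.0(\s+0\.0\.0\.0)?\s*$", "HIGH",
     "wildcard pre-shared key: any host that learns the key can authenticate as a peer; "
     "use certificates (PKI) or keys bound to peer addresses"),
    (r"^\s*crypto ipsec transform-set\s+\S+.*\besp-(des|3des)\b", "HIGH",
     "DES/3DES ESP transform; use esp-aes 256 or an AEAD transform"),
    (r"^\s*crypto ipsec transform-set\s+\S+.*\besp-(md5|sha)-hmac\b", "MEDIUM",
     "MD5/SHA-1 ESP integrity; use esp-sha256-hmac or an AEAD transform"),
    (r"^\s*crypto isakmp policy\b", "INFO",
     "IKEv1 policy; prefer IKEv2 (crypto ikev2 proposal/policy/profile) where supported"),
]
SEVERITY_RANK = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}


def lint_crypto(config: str):
    """Return one finding dict per (line, matching rule), in config order."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        for pattern, severity, message in RULES:
            if re.search(pattern, line):
                findings.append({"line": lineno, "severity": severity,
                                 "text": line.strip(), "message": message})
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'NONE' if there are none."""
    if not findings:
        return "NONE"
    return max(findings, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"]


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CRYPTO), ("stronger", STRONGER_CRYPTO)):
        print(f"== {name}: worst={worst_severity(lint_crypto(cfg))}")
        for f in lint_crypto(cfg):
            print(f"  line {f['line']:>2} {f['severity']:<6} {f['text']}: {f['message']}")
```

Keys bound to a single peer address do not fit a DMVPN in which spokes also negotiate IPsec with each other at NBMA addresses they learn dynamically through NHRP, which is why labs use one wildcard key; the production answer is certificate (PKI) authentication, ideally with IKEv2, and the wildcard rule is the reminder to make that change.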

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:40:13, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!....
Success rate is 20 percent (1/5), round-trip min/avg/max = 908/908/908 ms

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/219/252 ms

The first ping after enabling IPsec mostly fails: R2 has to resolve 10.0.0.3 through NHRP and then negotiate IKE and IPsec SAs with 155.0.0.3 before direct spoke-to-spoke traffic can flow. The second ping succeeds once the SAs are up.

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 01:14:44, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:01:41, expire 01:58:30
   Type: dynamic, Flags: router used
   NBMA address: 155.0.0.3

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 248 msec 352 msec 312 msec

R2#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm       Encrypt  Decrypt LastSeqN IP-Address
    5  IPsec   3DES+SHA256           0       41       42 155.0.0.2
    6  IPsec   3DES+SHA256          48        0        0 155.0.0.2
    7  IPsec   3DES+SHA256           0        9        9 155.0.0.2
    8  IPsec   3DES+SHA256           8        0        0 155.0.0.2
 1001  IKE     SHA256+3DES           0        0        0 155.0.0.2
 1002  IKE     SHA256+3DES           0        0        0 155.0.0.2

R2#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.3 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.3/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.3
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.1 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.1
        Active SAs: 4, origin: crypto map

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
155.0.0.2       155.0.0.3       QM_IDLE           1002 ACTIVE
155.0.0.1       155.0.0.2       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 155.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (155.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (155.0.0.3/255.255.255.255/47/0)
   current_peer 155.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 155.0.0.2, remote crypto endpt.: 155.0.0.3
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x34101A4A(873470538)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x51F82B43(1375218499)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: 7, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4157966/3434)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x34101A4A(873470538)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: 8, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4157967/3434)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (155.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (155.0.0.1/255.255.255.255/47/0)
   (omit)

The spoke builds IPsec tunnels not only with the hub (155.0.0.1) but also directly with the other spoke (155.0.0.3); the spoke-to-spoke data path is therefore encrypted too, not just the path to the hub.

