
DMVPN Phase2 with EIGRP

In Phase 2 the hub and all spokes use multipoint GRE (mGRE) tunnels.
・Spokes learn the other spoke's tunnel address as the next hop.
・Spokes forward traffic to the other spoke directly; once NHRP resolution completes, spoke-to-spoke traffic no longer transits the hub.

R1 : HUB

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

interface FastEthernet0/0
 ip address 155.0.0.1 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0

R2 : SPOKE

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp map multicast 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

interface FastEthernet0/0
 ip address 155.0.0.2 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0

R3 : SPOKE

interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp map multicast 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

interface FastEthernet0/0
 ip address 155.0.0.3 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.3.3 255.255.255.0

Enable EIGRP AS 123 on all three routers. The classful statement network 10.0.0.0 covers the tunnel subnet 10.0.0.0/24, so EIGRP runs over Tunnel0.

R1

router eigrp 123
 network 10.0.0.0
 network 192.168.1.0

R2

router eigrp 123
 network 10.0.0.0
 network 192.168.2.0

R3

router eigrp 123
 network 10.0.0.0
 network 192.168.3.0

R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(123)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.0.0.3                Tu0                      13 00:00:36  327  1962  0  3
0   10.0.0.2                Tu0                      12 00:00:52  271  1626  0  4

R1#sh ip route eigrp

Gateway of last resort is not set

D    192.168.2.0/24 [90/26882560] via 10.0.0.2, 00:01:04, Tunnel0
D    192.168.3.0/24 [90/26882560] via 10.0.0.3, 00:00:47, Tunnel0

R1#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(123)/ID(192.168.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 192.168.3.0/24, 1 successors, FD is 26882560
        via 10.0.0.3 (26882560/28160), Tunnel0
P 192.168.2.0/24, 1 successors, FD is 26882560
        via 10.0.0.2 (26882560/28160), Tunnel0
P 10.0.0.0/24, 1 successors, FD is 26880000
        via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1

R2#sh ip route eigrp

Gateway of last resort is not set

D 192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:01:39, Tunnel0

R3#sh ip route eigrp

Gateway of last resort is not set

D 192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:01:45, Tunnel0

The hub learns both spoke prefixes, but each spoke learns only the hub's prefix.

This is EIGRP split horizon on the hub: a route learned on Tunnel0 is never advertised back out Tunnel0, and in this NBMA hub-and-spoke topology every spoke sits behind that one interface.

Disable EIGRP split horizon on the hub's tunnel interface.

R1

interface Tunnel0
 no ip split-horizon eigrp 123

R2#sh ip route eigrp

Gateway of last resort is not set

D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:00:44, Tunnel0
D    192.168.3.0/24 [90/28162560] via 10.0.0.1, 00:00:26, Tunnel0

R3#sh ip route eigrp

Gateway of last resort is not set

D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:00:59, Tunnel0
D    192.168.2.0/24 [90/28162560] via 10.0.0.1, 00:00:43, Tunnel0

The next hop of the route learned from the other spoke is the hub (10.0.0.1).

EIGRP next-hop-self, which is on by default, rewrote it to the hub's own tunnel address. With that next hop, spoke-to-spoke traffic would still transit the hub, as in Phase 1. Phase 2 needs the originating spoke's tunnel address as the next hop, because that is the address the spoke resolves with NHRP to build the direct tunnel.

Disable next-hop-self on the hub.

R1

interface Tunnel0
 no ip next-hop-self eigrp 123

R2#sh ip route eigrp

Gateway of last resort is not set

D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:00:06, Tunnel0
D    192.168.3.0/24 [90/28162560] via 10.0.0.3, 00:00:05, Tunnel0

R3#sh ip route eigrp

Gateway of last resort is not set

D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:00:21, Tunnel0
D    192.168.2.0/24 [90/28162560] via 10.0.0.2, 00:00:19, Tunnel0

Test spoke-to-spoke communication. Before the ping, R2's NHRP cache holds only the static mapping for the hub (the NHS).

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:13:55, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/237/464 ms

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:14:12, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:04, expire 01:59:56
   Type: dynamic, Flags: router used
   NBMA address: 155.0.0.3

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 208 msec 168 msec 204 msec

A dynamic NHRP entry for 10.0.0.3 with NBMA address 155.0.0.3 was created by the resolution that the first ping packets triggered, and the traceroute shows a single hop, 10.0.0.3. The spoke forwards traffic to the other spoke directly, not through the hub.
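When this is scripted rather than eyeballed, the check is: does the NHRP cache hold a dynamic entry for the remote spoke, and is that entry (not the NHS) the first hop? The parser below is an added example, not code from the original post and not a Cisco tool. SHOW_IP_NHRP is a constructed sample pasted together from the R2 outputs on this page (including the spoke's own "local" entry that appears once IPsec is enabled); the classification rules, static = NHS mapping and dynamic with the router flag but without local = remote spoke, are the author's reading of the IOS flags.

```python
"""Parse `show ip nhrp` and confirm a spoke-to-spoke shortcut exists.

Added example, not part of the original post. SHOW_IP_NHRP is a constructed
sample built from the R2 outputs on this page; the flag rules below are the
author's assumptions, not an official IOS API.
"""
import re

SHOW_IP_NHRP = """\
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:09:39, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:00:03, expire 01:59:56
   Type: dynamic, Flags: router unique local
   NBMA address: 155.0.0.2
    (no-socket)
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:06, expire 01:59:56
   Type: dynamic, Flags: router
   NBMA address: 155.0.0.3
"""

# "prefix via nexthop", optionally followed on the same line by the
# "Tunnel0 created ..." text that older IOS releases print inline.
ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+) via (\d+\.\d+\.\d+\.\d+)(.*)$")


def parse_show_ip_nhrp(text: str) -> list[dict]:
    """Return one dict per NHRP cache entry."""
    entries: list[dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = {"prefix": m.group(1), "nexthop": m.group(2), "interface": None,
                   "expire": None, "type": None, "flags": set(), "nbma": None,
                   "no_socket": False}
            entries.append(cur)
            line = m.group(3).lstrip(", ")
            if not line:
                continue
        if cur is None:
            continue
        if " created " in line:
            # "Tunnel0 created 00:00:06, expire 01:59:56" / "..., never expire"
            iface, _, rest = line.partition(" created ")
            cur["interface"] = iface
            cur["expire"] = rest.split(",", 1)[1].strip()
        elif line.startswith("Type:"):
            # "Type: dynamic, Flags: router unique local"
            typ, _, flags = line.partition(", Flags:")
            cur["type"] = typ.split(":", 1)[1].strip()
            cur["flags"] = set(flags.split())
        elif line.startswith("NBMA address:"):
            value = line.split(":", 1)[1]
            if "(no-socket)" in value:      # some releases print it inline
                cur["no_socket"] = True
                value = value.replace("(no-socket)", "")
            cur["nbma"] = value.strip()
        elif "(no-socket)" in line:
            cur["no_socket"] = True
    return entries


def nhs_mappings(entries: list[dict]) -> dict[str, str]:
    """Static entries: the NHS (hub) mappings configured with `ip nhrp map`."""
    return {e["nexthop"]: e["nbma"] for e in entries if e["type"] == "static"}


def spoke_to_spoke_peers(entries: list[dict]) -> dict[str, str]:
    """Remote spokes learned by NHRP resolution: dynamic entries carrying the
    'router' flag, excluding this spoke's own 'local' entry (the no-socket one)."""
    return {e["nexthop"]: e["nbma"] for e in entries
            if e["type"] == "dynamic" and "router" in e["flags"]
            and "local" not in e["flags"]}


def is_direct_path(first_hop: str, entries: list[dict]) -> bool:
    """True when a traceroute's first hop is a resolved remote spoke rather
    than the NHS, i.e. the traffic is not transiting the hub."""
    return (first_hop in spoke_to_spoke_peers(entries)
            and first_hop not in nhs_mappings(entries))


if __name__ == "__main__":
    parsed = parse_show_ip_nhrp(SHOW_IP_NHRP)
    print("NHS:", nhs_mappings(parsed))
    print("spoke-to-spoke peers:", spoke_to_spoke_peers(parsed))
    print("first hop 10.0.0.3 is direct:", is_direct_path("10.0.0.3", parsed))
```

Feed it the real `show ip nhrp` text (for example from an SSH session) and compare spoke_to_spoke_peers() against the traceroute's first hop; a first hop equal to the NHS after the cache has been populated means next-hop-self or split horizon is still in effect on the hub.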

Enable IPsec protection. The same crypto configuration is applied on R1, R2 and R3. Transport mode is used because GRE already provides the tunnel encapsulation. Note that 3DES, DH group 2 and a wildcard pre-shared key (address 0.0.0.0, so one key accepted from any peer) are acceptable for this lab but weak for production; there, prefer IKEv2 with AES-GCM and DH group 14 or higher, and per-peer keys or certificates.

R1/R2/R3

crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2

crypto isakmp key CCIE address 0.0.0.0

crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport

crypto ipsec profile PROFILE
 set transform-set TRANS

interface Tunnel0
 tunnel protection ipsec profile PROFILE

R2#sh ip nhrp

10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:05:56, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R2#sh crypt engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+SHA256               0        0        0 155.0.0.2
    2  IPsec   3DES+SHA256               1        0        0 155.0.0.2
    3  IPsec   3DES+SHA256               0      110      110 155.0.0.2
    4  IPsec   3DES+SHA256             110        0        0 155.0.0.2
 1001  IKE     SHA256+3DES               0        0        0 155.0.0.2

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
155.0.0.1       155.0.0.2       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.1 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.1
        Active SAs: 4, origin: crypto map

Test spoke-to-spoke communication again, now with IPsec on the tunnels.

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 380/469/580 ms

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:09:39, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:00:03, expire 01:59:56
   Type: dynamic, Flags: router unique local
   NBMA address: 155.0.0.2
    (no-socket)
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:06, expire 01:59:56
   Type: dynamic, Flags: router
   NBMA address: 155.0.0.3

R2#sh crypt engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+SHA256               0        0        0 155.0.0.2
    2  IPsec   3DES+SHA256               1        0        0 155.0.0.2
    3  IPsec   3DES+SHA256               0      141      141 155.0.0.2
    4  IPsec   3DES+SHA256             140        0        0 155.0.0.2
    5  IPsec   3DES+SHA256               0        1        1 155.0.0.2
    6  IPsec   3DES+SHA256               1        0        0 155.0.0.2
    7  IPsec   3DES+SHA256               0        0        0 155.0.0.2
    8  IPsec   3DES+SHA256               0        0        0 155.0.0.2
 1001  IKE     SHA256+3DES               0        0        0 155.0.0.2
 1002  IKE     SHA256+3DES               0        0        0 155.0.0.2
 1003  IKE     SHA256+3DES               0        0        0 155.0.0.2

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
155.0.0.2       155.0.0.3       QM_IDLE           1003 ACTIVE
155.0.0.1       155.0.0.2       QM_IDLE           1001 ACTIVE
155.0.0.3       155.0.0.2       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.3 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.3/500 Active
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.3/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.3
        Active SAs: 4, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.1 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.1
        Active SAs: 4, origin: crypto map

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 312 msec 276 msec 212 msec

R2 now holds two IKEv1 SAs with 155.0.0.3 (conn-id 1002 and 1003): the isakmp sa output shows one SA initiated from each side, because both spokes started IKE toward each other as soon as NHRP resolution completed. The traceroute still shows a single hop, 10.0.0.3, so the path remains direct.

Packet capture.

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/257/320 ms

The capture confirms that the packets are encrypted (ESP between the spokes' NBMA addresses) and that the spokes communicate with each other directly, with the hub not in the data path.
