DMVPN Phase3 with EIGRP
Phase 3
・Hub and Spokes build multipoint GRE tunnels to each other.
・Spokes have only the Hub's address as Next-Hop, so addresses can be summarised.
・Spokes build a multipoint GRE tunnel to the other spoke using the NHRP redirect packet sent from the Hub, so they can send their traffic to the other spoke directly.
R1
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 no ip split-horizon eigrp 123

interface FastEthernet0/0
 ip address 155.0.0.1 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0

router eigrp 123
 network 10.0.0.0
 network 192.168.1.0
R2
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

interface FastEthernet0/0
 ip address 155.0.0.2 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0

router eigrp 123
 network 10.0.0.0
 network 192.168.2.0
R3
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

interface FastEthernet0/0
 ip address 155.0.0.3 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.3.3 255.255.255.0

router eigrp 123
 network 10.0.0.0
 network 192.168.3.0
R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(123)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.0.0.2                Tu0                      13 00:00:15  275  1650  0  11
0   10.0.0.3                Tu0                      10 00:00:16  286  1716  0  13
R1#sh ip route eigrp
Gateway of last resort is not set
D     192.168.2.0/24 [90/26882560] via 10.0.0.2, 00:00:33, Tunnel0
D     192.168.3.0/24 [90/26882560] via 10.0.0.3, 00:00:31, Tunnel0
R2#sh ip route eigrp
Gateway of last resort is not set
D     192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:00:04, Tunnel0
D     192.168.3.0/24 [90/28162560] via 10.0.0.1, 00:00:03, Tunnel0
R3#sh ip route eigrp
Gateway of last resort is not set
D     192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:00:06, Tunnel0
D     192.168.2.0/24 [90/28162560] via 10.0.0.1, 00:00:06, Tunnel0
In Phase 3, the HUB is configured with the ip nhrp redirect command and transmits more efficient next-hop information to the SPOKEs.
A SPOKE adopts the Next-Hop information transmitted from the HUB if the ip nhrp shortcut command is set.
R1
interface Tunnel0
 ip nhrp redirect

R2/R3
interface Tunnel0
 ip nhrp shortcut
Communicate from SPOKE to SPOKE.
R2#sh ip route eigrp
Gateway of last resort is not set
D     192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:07:15, Tunnel0
D     192.168.3.0/24 [90/28162560] via 10.0.0.1, 00:07:14, Tunnel0
R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:13:15, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/252/436 ms
Initially, the SPOKE sends the ICMP packet to the HUB's NBMA address 155.0.0.1, because the HUB is its Next-Hop.
The HUB, configured with ip nhrp redirect, sends an NHRP Traffic Indication packet indicating that there is a better Next-Hop for the destination IP address 192.168.3.3.
Until the NBMA address of R3 is resolved, the ICMP Echo reply is returned via the HUB.
R2, on receiving the NHRP Traffic Indication packet, sends an NHRP Resolution Request to R1.
Since the ip nhrp shortcut command is also set on R3, R3 likewise receives an NHRP Traffic Indication packet from the HUB and sends an NHRP Resolution Request, which is relayed to R2 via the HUB.
The NHRP Resolution Reply is returned directly from R3's NBMA address 155.0.0.3. This packet also carries the address of R3's Tunnel interface, 10.0.0.3.
With this, R2 learns both the Tunnel interface address and the NBMA address of R3.
R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:14:15, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
192.168.3.0/24 via 10.0.0.3
   Tunnel0 created 00:00:05, expire 01:59:54
   Type: dynamic, Flags: router rib nho
   NBMA address: 155.0.0.3

R2#sh ip route eigrp
(omit)
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:53:35, Tunnel0
D %   192.168.3.0/24 [90/28162560] via 10.0.0.1, 00:53:34, Tunnel0
The "%" marker indicating a next hop override is displayed in the routing table.
R2#sh ip route 192.168.3.0
Routing entry for 192.168.3.0/24
  Known via "eigrp 123", distance 90, metric 28162560, type internal
  Redistributing via eigrp 123
  Last update from 10.0.0.1 on Tunnel0, 00:55:07 ago
  Routing Descriptor Blocks:
  * 10.0.0.1, from 10.0.0.1, 00:55:07 ago, via Tunnel0
      Route metric is 28162560, traffic share count is 1
      Total delay is 100100 microseconds, minimum bandwidth is 100 Kbit
      Reliability 255/255, minimum MTU 1476 bytes
      Loading 2/255, Hops 2

R2#sh ip cef
Prefix               Next Hop             Interface
(omit)
192.168.3.0/24       10.0.0.3             Tunnel0
In CEF, the Next-Hop is 10.0.0.3, the Tunnel address of R3.
R2 also returns an NHRP Resolution Reply to the NHRP Resolution Request from R3.
This packet likewise carries R2's Tunnel interface address, 10.0.0.2, so R3 learns the tunnel address of R2.
R3#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 02:48:50, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 02:35:33, expire 00:29:25
   Type: dynamic, Flags: router implicit used
   NBMA address: 155.0.0.2
192.168.2.0/24 via 10.0.0.2
   Tunnel0 created 01:30:33, expire 00:29:25
   Type: dynamic, Flags: router used rib nho
   NBMA address: 155.0.0.2
192.168.3.0/24 via 10.0.0.3
   Tunnel0 created 02:35:33, expire 00:29:25
   Type: dynamic, Flags: router unique local
   NBMA address: 155.0.0.3
    (no-socket)

R3#sh ip route eigrp
(omit)
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     192.168.1.0/24 [90/26882560] via 10.0.0.1, 02:44:46, Tunnel0
D %   192.168.2.0/24 [90/28162560] via 10.0.0.1, 02:44:46, Tunnel0

R3#sh ip cef
Prefix               Next Hop             Interface
(omit)
192.168.2.0/24       10.0.0.2             Tunnel0
After that, the SPOKEs can communicate directly with each other.
R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 188 msec 220 msec 276 msec
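The redirect/shortcut exchange described above, as an added toy simulation written for this write-up (it is not code from the lab or from Cisco IOS). Router names, tunnel and NBMA addresses and LAN prefixes are the lab's; the Router class, the message methods traffic_indication/resolution_request/resolution_reply, the eigrp_converge() stand-in and the flag strings are invented and simplify real NHRP. The first ping goes through the hub and populates both spoke caches the way the outputs above show (a rib nho entry for the remote LAN on the requester, an implicit entry for the requester's tunnel address on the responder); the second ping is spoke-to-spoke in both directions.

```python
"""Toy simulation of the DMVPN Phase 3 redirect/shortcut exchange.
Added example, not code from the lab or from Cisco IOS. Router names and
addresses come from the lab above; the Router class, its message methods
and the flag strings are invented and simplify real NHRP considerably.
"""
import ipaddress
from dataclasses import dataclass

@dataclass
class NhrpEntry:
    next_hop: str   # tunnel (overlay) address that owns the prefix
    nbma: str       # transport (underlay) address used to reach it
    kind: str       # "static" (configured NHS) or "dynamic" (learned)
    flags: str      # reduced imitation of the IOS Flags column

def _lpm(table, dst):
    """Longest-prefix match of address dst against the prefix keys of table."""
    addr = ipaddress.ip_address(dst)
    hits = [p for p in table if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen, default=None)

class Router:
    def __init__(self, name, tunnel_ip, nbma, lan, host, transport, redirect=False, shortcut=False):
        self.name, self.tunnel_ip, self.nbma = name, tunnel_ip, nbma
        self.lan, self.host = lan, host        # LAN prefix and its f0/1 address
        self.redirect, self.shortcut = redirect, shortcut
        self.nhrp, self.rib, self.nhs = {}, {}, None   # NHRP cache, EIGRP routes, hub
        self.transport = transport             # shared dict: NBMA address -> Router
        transport[nbma] = self

    def register(self, hub):
        """'ip nhrp nhs'/'ip nhrp map' on the spoke; the hub records the registration."""
        self.nhs = hub
        self.nhrp[hub.tunnel_ip + "/32"] = NhrpEntry(hub.tunnel_ip, hub.nbma, "static", "used")
        hub.nhrp[self.tunnel_ip + "/32"] = NhrpEntry(self.tunnel_ip, self.nbma, "dynamic", "registered")

    def forward(self, dst, path, ingress=None):
        """Forward a data packet toward dst, recording each router in path."""
        path.append(self.name)
        if ipaddress.ip_address(dst) in ipaddress.ip_network(self.lan):
            return path                        # delivered to the local LAN
        cached = _lpm(self.nhrp, dst)
        if cached and "nho" in self.nhrp[cached].flags:
            nbma = self.nhrp[cached].nbma      # Phase 3 shortcut overrides the RIB
        else:
            hop = self.rib[_lpm(self.rib, dst)]
            nbma = self.nhrp[hop + "/32"].nbma
        egress = self.transport[nbma]
        result = egress.forward(dst, path, ingress=self)
        # 'ip nhrp redirect': packet came in on the tunnel and left on it, so tell the sender
        if self.redirect and ingress is not None and ingress is not egress:
            ingress.traffic_indication(dst)
        return result

    def traffic_indication(self, dst):
        """NHRP Traffic Indication; acted on only with 'ip nhrp shortcut'."""
        if self.shortcut and self.nhs is not None:
            self.nhs.resolution_request(requester=self, dst=dst)

    def resolution_request(self, requester, dst):
        """Hub relays toward the owner of dst; the owner learns the requester and answers directly."""
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.lan):
            owner_hop = self.rib[_lpm(self.rib, dst)]
            self.transport[self.nhrp[owner_hop + "/32"].nbma].resolution_request(requester, dst)
            return
        self.nhrp[requester.tunnel_ip + "/32"] = NhrpEntry(
            requester.tunnel_ip, requester.nbma, "dynamic", "router implicit used")
        requester.resolution_reply(self.lan, self.tunnel_ip, self.nbma)

    def resolution_reply(self, prefix, next_hop, nbma):
        """NHRP Resolution Reply: install the shortcut (IOS shows it as 'rib nho')."""
        self.nhrp[prefix] = NhrpEntry(next_hop, nbma, "dynamic", "router rib nho")

def eigrp_converge(hub, spokes):
    """Stand-in for EIGRP: hub reaches each spoke LAN via that spoke's tunnel
    address; each spoke reaches every other LAN with the hub as next hop."""
    for s in spokes:
        hub.rib[s.lan] = s.tunnel_ip
    for s in spokes:
        for lan in [hub.lan] + [o.lan for o in spokes if o is not s]:
            s.rib[lan] = hub.tunnel_ip

def ping(src, dst):
    """One echo request and its reply; returns (request_path, reply_path)."""
    return src.forward(dst.host, []), dst.forward(src.host, [])

def run_lab():
    transport = {}
    r1 = Router("R1", "10.0.0.1", "155.0.0.1", "192.168.1.0/24", "192.168.1.1", transport, redirect=True)
    r2 = Router("R2", "10.0.0.2", "155.0.0.2", "192.168.2.0/24", "192.168.2.2", transport, shortcut=True)
    r3 = Router("R3", "10.0.0.3", "155.0.0.3", "192.168.3.0/24", "192.168.3.3", transport, shortcut=True)
    for spoke in (r2, r3):
        spoke.register(r1)
    eigrp_converge(r1, [r2, r3])
    first = ping(r2, r3)       # via the hub; triggers redirect and resolution
    second = ping(r2, r3)      # now spoke-to-spoke in both directions
    return first, second, r2.nhrp, r3.nhrp
```

Calling run_lab() returns the two ping paths (first ['R2', 'R1', 'R3'] and ['R3', 'R1', 'R2'], then ['R2', 'R3'] and ['R3', 'R2']) together with the resulting caches of R2 and R3, which can be compared with the sh ip nhrp outputs above.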
Address summarisation
Since Phase 3 does not depend on the Next-Hop in the routing table, the routes advertised to the SPOKEs can be aggregated.
Advertise the aggregate route on the HUB router.
R1
interface Tunnel0
 ip summary-address eigrp 123 192.168.0.0 255.255.0.0
R2#sh ip route eigrp
Gateway of last resort is not set
D 192.168.0.0/16 [90/26882560] via 10.0.0.1, 00:03:56, Tunnel0
R3#sh ip route eigrp
Gateway of last resort is not set
D 192.168.0.0/16 [90/26882560] via 10.0.0.1, 00:04:12, Tunnel0
R2/R3
clear ip nhrp

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 03:10:23, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R3#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 03:09:42, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 136 msec 172 msec 148 msec
  2 10.0.0.3 204 msec 232 msec 420 msec

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 03:11:45, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:38, expire 01:59:21
   Type: dynamic, Flags: router implicit used
   NBMA address: 155.0.0.3
192.168.2.0/24 via 10.0.0.2
   Tunnel0 created 00:00:38, expire 01:59:21
   Type: dynamic, Flags: router unique local
   NBMA address: 155.0.0.2
    (no-socket)
192.168.3.0/24 via 10.0.0.3
   Tunnel0 created 00:00:38, expire 01:59:20
   Type: dynamic, Flags: router used rib
   NBMA address: 155.0.0.3

R2#sh ip route
(omit)
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

(omit)
D     192.168.0.0/16 [90/26882560] via 10.0.0.1, 00:09:36, Tunnel0
(omit)
H     192.168.3.0/24 [250/1] via 10.0.0.3, 00:04:04, Tunnel0

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 172 msec 204 msec 132 msec
The SPOKEs can send traffic to the other SPOKE directly.
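How the spoke's forwarding plane resolves a destination in the two situations shown above (the "%" next hop override with specific routes, and the NHRP-installed "H" route next to the EIGRP summary), as an added example written for this write-up; it is not code from the lab or from Cisco IOS. The sample texts are copied from R2's sh ip route and sh ip nhrp outputs, trimmed to the lines the parsers read; parse_routes(), parse_nhrp() and decide() are invented and only handle the line shapes that appear on this page.

```python
"""Forwarding decision on a Phase 3 spoke, reconstructed from 'show ip route'
and 'show ip nhrp' text. Added example, not code from the lab or from Cisco IOS;
the parsers only cover the line shapes shown on the page.
"""
import ipaddress
import re
from collections import namedtuple

Route = namedtuple("Route", "code prefix via nho")   # nho: '%' next hop override shown

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2})\s*(?P<nho>%)?\s+(?P<prefix>\S+/\d+)\s+\[\d+/\d+\]\s+via\s+(?P<via>\S+),")

def parse_routes(text):
    """Route lines of 'show ip route'; legend, '(omit)' and gateway lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["code"], m["prefix"], m["via"], m["nho"] == "%"))
    return routes

def parse_nhrp(text):
    """'show ip nhrp' entries as dicts with prefix, next_hop, flags (set) and nbma."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        head = re.fullmatch(r"(\d+(?:\.\d+){3}/\d+) via (\d+(?:\.\d+){3})", line)
        if head:
            entries.append({"prefix": head[1], "next_hop": head[2], "flags": set(), "nbma": None})
        elif entries and line.startswith("Type: "):
            entries[-1]["flags"] = set(line.split("Flags: ")[1].split())
        elif entries and line.startswith("NBMA address: "):
            entries[-1]["nbma"] = line.split()[2]
    return entries

def _lpm(items, dst, prefix_of):
    """Longest-prefix match of dst over items, using prefix_of(item) as the prefix."""
    addr = ipaddress.ip_address(dst)
    hits = [i for i in items if addr in ipaddress.ip_network(prefix_of(i))]
    return max(hits, key=lambda i: ipaddress.ip_network(prefix_of(i)).prefixlen, default=None)

def decide(route_text, nhrp_text, dst):
    """Return (next_hop, nbma, reason) for dst, or None when no route covers it."""
    routes, cache = parse_routes(route_text), parse_nhrp(nhrp_text)
    route = _lpm(routes, dst, lambda r: r.prefix)
    if route is None:
        return None
    if route.nho:
        # '%': the 'rib nho' cache entry replaces the EIGRP next hop (the hub)
        override = _lpm([e for e in cache if {"rib", "nho"} <= e["flags"]], dst, lambda e: e["prefix"])
        if override:
            return override["next_hop"], override["nbma"], f"nhrp next-hop override of {route.prefix}"
    # Plain route ('D' from EIGRP or 'H' from NHRP): map its tunnel next hop to an NBMA address
    binding = next((e for e in cache if e["prefix"] == route.via + "/32"), None)
    return route.via, binding["nbma"] if binding else None, f"{route.code} route {route.prefix}"

# From R2 before summarisation (copied from the page, trimmed): '%' override case
ROUTE_TEXT_A = """\
D     192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:53:35, Tunnel0
D %   192.168.3.0/24 [90/28162560] via 10.0.0.1, 00:53:34, Tunnel0
"""
NHRP_TEXT_A = """\
10.0.0.1/32 via 10.0.0.1
   Type: static, Flags: used
   NBMA address: 155.0.0.1
192.168.3.0/24 via 10.0.0.3
   Type: dynamic, Flags: router rib nho
   NBMA address: 155.0.0.3
"""
# From R2 after 'ip summary-address' (copied from the page, trimmed): 'H' route case
ROUTE_TEXT_B = """\
D     192.168.0.0/16 [90/26882560] via 10.0.0.1, 00:09:36, Tunnel0
H     192.168.3.0/24 [250/1] via 10.0.0.3, 00:04:04, Tunnel0
"""
NHRP_TEXT_B = """\
10.0.0.1/32 via 10.0.0.1
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Type: dynamic, Flags: router implicit used
   NBMA address: 155.0.0.3
192.168.3.0/24 via 10.0.0.3
   Type: dynamic, Flags: router used rib
   NBMA address: 155.0.0.3
"""

if __name__ == "__main__":
    for label, rt, nh in (("specific", ROUTE_TEXT_A, NHRP_TEXT_A), ("summary", ROUTE_TEXT_B, NHRP_TEXT_B)):
        for dst in ("192.168.3.3", "192.168.1.1"):
            print(label, dst, "->", decide(rt, nh, dst))
```

In the first case the RIB still says 192.168.3.0/24 is via the hub, and only the "%" flag plus the rib nho cache entry reveal that packets actually leave toward 155.0.0.3; in the summary case there is no override at all, because NHRP installed a more specific H route that wins by longest prefix match.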
Enable IPsec protection.
R1/R2/R3
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0

crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport

crypto ipsec profile PROFILE
 set transform-set TRANS

interface Tunnel0
 tunnel protection ipsec profile PROFILE

R1/R2/R3
clear ip nhrp
clear ip route *
Communicate from SPOKE to SPOKE.
R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 352/498/684 ms

R2#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+SHA256               0       27       27 155.0.0.2
    2  IPsec   3DES+SHA256              23        0        0 155.0.0.2
    3  IPsec   3DES+SHA256               0        1        1 155.0.0.2
    4  IPsec   3DES+SHA256               2        0        0 155.0.0.2
    5  IPsec   3DES+SHA256               0        0        0 155.0.0.2
    6  IPsec   3DES+SHA256               0        0        0 155.0.0.2
 1001  IKE     SHA256+3DES               0        0        0 155.0.0.2
 1002  IKE     SHA256+3DES               0        0        0 155.0.0.2
 1003  IKE     SHA256+3DES               0        0        0 155.0.0.2

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
155.0.0.1       155.0.0.2       QM_IDLE           1001 ACTIVE
155.0.0.3       155.0.0.2       QM_IDLE           1002 ACTIVE
155.0.0.2       155.0.0.3       QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.3 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.3/500 Active
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.3/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.3
        Active SAs: 4, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.1 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.1
        Active SAs: 2, origin: crypto map

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 312 msec 276 msec 212 msec
R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 155.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (155.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (155.0.0.3/255.255.255.255/47/0)
   current_peer 155.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 155.0.0.2, remote crypto endpt.: 155.0.0.3
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x5868990C(1483249932)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8616E13A(2249646394)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4315668/3267)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xC8C5818D(3368386957)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4368711/3276)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8942F3E7(2302866407)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4315668/3267)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x5868990C(1483249932)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4368711/3276)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (155.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (155.0.0.1/255.255.255.255/47/0)
   current_peer 155.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 89, #pkts encrypt: 89, #pkts digest: 89
    #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 155.0.0.2, remote crypto endpt.: 155.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x8D0FAE21(2366615073)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x53EADBE2(1407900642)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4275228/3244)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8D0FAE21(2366615073)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4275229/3244)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
The SPOKE creates an IPsec tunnel not only with the HUB but also with the other SPOKE.
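A small audit of the crypto settings applied above, as an added example written for this write-up (not code from the page or from Cisco IOS). With encr 3des, group 2 and a pre-shared key bound to address 0.0.0.0, the tunnels in this lab are protected by a deprecated 64-bit block cipher, a 1024-bit Diffie-Hellman group, and a single secret that is accepted from any peer address, which is the first thing a reviewer would flag before reusing the lab configuration elsewhere. LAB_CONFIG reproduces the page's crypto lines; HARDENED_CONFIG is an assumption (AES-256, SHA-256, DH group 19, per-peer keys for the lab's fixed NBMA addresses, placeholder secrets) and its keywords depend on the IOS release in use.

```python
"""Audit of the IKEv1/IPsec settings used for the tunnel protection above.
Added example, not code from the lab or from Cisco IOS. LAB_CONFIG is the
page's crypto configuration; HARDENED_CONFIG is an assumed replacement whose
keywords (aes 256, group 19) depend on the IOS release.
"""
import re

# Settings a reviewer flags, and why (general published guidance, not page content)
WEAK_ENCR = {"des": "56-bit DES", "3des": "3DES, 64-bit block cipher, deprecated"}
WEAK_HASH = {"md5": "MD5", "sha": "SHA-1 (the plain 'hash sha' keyword)"}
WEAK_DH = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}

LAB_CONFIG = """\
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport
crypto ipsec profile PROFILE
 set transform-set TRANS
"""

# Assumed hardened version for R2 (secrets are placeholders, not real keys)
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 19
crypto isakmp key <R1-R2-SECRET> address 155.0.0.1 255.255.255.255
crypto isakmp key <R2-R3-SECRET> address 155.0.0.3 255.255.255.255
crypto ipsec transform-set TRANS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROFILE
 set transform-set TRANS
"""

def audit_crypto(config):
    """Return (setting, issue) pairs for weak or risky lines in IOS crypto config text."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"encr(?:yption)?\s+(\S+)(?:\s+\d+)?", line)   # isakmp policy cipher
        if m and m[1] in WEAK_ENCR:
            findings.append((line, "weak IKE cipher: " + WEAK_ENCR[m[1]]))
        m = re.fullmatch(r"hash\s+(\S+)", line)                           # isakmp policy hash
        if m and m[1] in WEAK_HASH:
            findings.append((line, "weak IKE hash: " + WEAK_HASH[m[1]]))
        m = re.fullmatch(r"group\s+(\d+)", line)                          # isakmp DH group
        if m and m[1] in WEAK_DH:
            findings.append((line, "weak DH group: " + WEAK_DH[m[1]]))
        m = re.fullmatch(r"crypto isakmp key\s+\S+\s+address\s+(\S+)(?:\s+\S+)?", line)
        if m and m[1] == "0.0.0.0":
            findings.append((line, "wildcard pre-shared key: one secret accepted from any peer address"))
        m = re.fullmatch(r"crypto ipsec transform-set\s+\S+\s+(.+)", line)
        if m:
            for token in m[1].split():
                if token in WEAK_ESP:
                    findings.append((token, "weak ESP transform in " + line.split()[3]))
    return findings

def flagged_settings(config):
    """Just the offending settings, sorted, for a quick pass/fail check."""
    return sorted(setting for setting, _ in audit_crypto(config))

if __name__ == "__main__":
    for setting, issue in audit_crypto(LAB_CONFIG):
        print(f"{setting:45} {issue}")
    print("hardened findings:", flagged_settings(HARDENED_CONFIG))
```

mode transport is left alone on purpose: for DMVPN it is the expected setting, since the GRE header already carries the tunnel endpoints and transport mode avoids a second IP header. The per-peer keys in the hardened variant work here because every NBMA address in the lab is fixed; for spokes with dynamic addresses a wildcard key is what makes the hub accept them, so in that design the key's strength and the identity checks around it carry the whole burden.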