
DMVPN Phase3 with OSPF

Phase 3
・Hub and Spokes build multipoint GRE tunnels to each other.
・Spokes have only the Hub's address as Next-Hop.
・Spokes build multipoint GRE tunnels to other spokes: using the ip nhrp redirect packet sent from the Hub, they can forward their traffic to the other spoke directly.

Both HUB and SPOKE set the OSPF network type to point-to-multipoint.

R1
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0

interface FastEthernet0/0
 ip address 155.0.0.1 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0

router ospf 123
 router-id 1.1.1.1
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0

R2
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0

interface FastEthernet0/0
 ip address 155.0.0.2 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0

router ospf 123
 router-id 2.2.2.2
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.2.2 0.0.0.0 area 0

R3
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0

interface FastEthernet0/0
 ip address 155.0.0.3 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.3.3 255.255.255.0

router ospf 123
 router-id 3.3.3.3
 network 10.0.0.3 0.0.0.0 area 0
 network 192.168.3.3 0.0.0.0 area 0

Verify

R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:01:34    10.0.0.3        Tunnel0
2.2.2.2           0   FULL/  -        00:01:51    10.0.0.2        Tunnel0

R2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:01:57    10.0.0.1        Tunnel0

R3#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:01:45    10.0.0.1        Tunnel0

R2#sh ip route ospf
(omit)
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:04:30, Tunnel0
O        10.0.0.3/32 [110/2000] via 10.0.0.1, 00:02:28, Tunnel0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:04:30, Tunnel0
O     192.168.3.0/24 [110/2001] via 10.0.0.1, 00:02:28, Tunnel0

R3#sh ip route ospf
(omit)
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:05:02, Tunnel0
O        10.0.0.2/32 [110/2000] via 10.0.0.1, 00:03:32, Tunnel0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:05:02, Tunnel0
O     192.168.2.0/24 [110/2001] via 10.0.0.1, 00:05:02, Tunnel0

The Next-Hop is the address of the HUB.

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/162/200 ms

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 148 msec 168 msec 152 msec
  2 10.0.0.3 208 msec 152 msec 112 msec

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:29:01, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

The SPOKEs can communicate with each other, but the traffic goes via the HUB.

In Phase 3, the HUB is configured with the ip nhrp redirect command and sends more efficient next-hop information.

A SPOKE adopts the Next-Hop information sent by the HUB if the ip nhrp shortcut command is configured.

R1
interface Tunnel0
 ip nhrp redirect

R2/R3
interface Tunnel0
 ip nhrp shortcut

SPOKE to SPOKE communication:

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/252/536 ms

A HUB configured with ip nhrp redirect sends an NHRP Traffic Indication packet indicating that there is a better Next-Hop to the destination IP address 192.168.3.3.

R2, on receiving the NHRP Traffic Indication packet, sends an NHRP Resolution Request to R1.

Since ip nhrp shortcut is also set on R3, it too receives an NHRP Traffic Indication packet from the HUB and sends an NHRP Resolution Request. That packet is forwarded to R2 via the HUB.

An NHRP Resolution Reply is returned from the HUB. This packet also includes the address of the Tunnel interface of R3, 10.0.0.3.

With this, R2 learns both the Tunnel interface address of R3 and its NBMA address.

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:07:03, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:09, expire 01:59:50
   Type: dynamic, Flags: router implicit
   NBMA address: 155.0.0.3
192.168.2.0/24 via 10.0.0.2
   Tunnel0 created 00:00:09, expire 01:59:50
   Type: dynamic, Flags: router unique local
   NBMA address: 155.0.0.2
    (no-socket)
192.168.3.0/24 via 10.0.0.3
   Tunnel0 created 00:00:09, expire 01:59:49
   Type: dynamic, Flags: router used rib nho
   NBMA address: 155.0.0.3

R2#sh ip route ospf
(omit)
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:19:19, Tunnel0
O        10.0.0.3/32 [110/2000] via 10.0.0.1, 00:19:19, Tunnel0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:19:19, Tunnel0
O   % 192.168.3.0/24 [110/2001] via 10.0.0.1, 00:19:19, Tunnel0

The "%" marker, indicating a next-hop override, is displayed in the routing table.

R2#sh ip cef
Prefix               Next Hop             Interface
(omit)
192.168.3.0/24       10.0.0.3             Tunnel0

In CEF, the Next-Hop is 10.0.0.3, which is the Tunnel address of R3.

R2 also responds with an NHRP Resolution Reply.

This packet includes R2's Tunnel interface address, 10.0.0.2, so R3 can learn the tunnel address of R2.

R3#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:04:10, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:01:40, expire 01:58:19
   Type: dynamic, Flags: router implicit
   NBMA address: 155.0.0.2
192.168.2.0/24 via 10.0.0.2
   Tunnel0 created 00:01:40, expire 01:58:19
   Type: dynamic, Flags: router used rib nho
   NBMA address: 155.0.0.2
192.168.3.0/24 via 10.0.0.3
   Tunnel0 created 00:01:40, expire 01:58:19
   Type: dynamic, Flags: router unique local
   NBMA address: 155.0.0.3
    (no-socket)

R3#sh ip route ospf
(omit)
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:26:10, Tunnel0
O        10.0.0.2/32 [110/2000] via 10.0.0.1, 00:26:10, Tunnel0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:26:10, Tunnel0
O   % 192.168.2.0/24 [110/2001] via 10.0.0.1, 00:26:10, Tunnel0

R3#sh ip cef
Prefix               Next Hop             Interface
(omit)
192.168.2.0/24       10.0.0.2             Tunnel0

In CEF on R3, the Next-Hop is R2.

After that, the SPOKEs can communicate directly with each other.

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 204 msec 168 msec 152 msec

Enable IPsec Protection.

R1/R2/R3
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2

crypto isakmp key CCIE address 0.0.0.0

crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport

crypto ipsec profile PROFILE
 set transform-set TRANS

interface Tunnel0
 tunnel protection ipsec profile PROFILE

R1/R2/R3
clear ip nhrp
clear ip route *

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:31:23, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R2#sh ip route ospf
(omit)
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:00:54, Tunnel0
O        10.0.0.3/32 [110/2000] via 10.0.0.1, 00:00:54, Tunnel0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:00:54, Tunnel0
O     192.168.3.0/24 [110/2001] via 10.0.0.1, 00:00:54, Tunnel0

SPOKE to SPOKE communication:

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 288/508/800 ms

R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:33:10, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:09, expire 01:59:53
   Type: dynamic, Flags: router implicit
   NBMA address: 155.0.0.3
192.168.2.0/24 via 10.0.0.2
   Tunnel0 created 00:00:06, expire 01:59:53
   Type: dynamic, Flags: router unique local
   NBMA address: 155.0.0.2
    (no-socket)
192.168.3.0/24 via 10.0.0.3
   Tunnel0 created 00:00:06, expire 01:59:53
   Type: dynamic, Flags: router rib nho
   NBMA address: 155.0.0.3

R2#sh ip route ospf
(omit)
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:02:05, Tunnel0
O        10.0.0.3/32 [110/2000] via 10.0.0.1, 00:02:05, Tunnel0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:02:05, Tunnel0
O   % 192.168.3.0/24 [110/2001] via 10.0.0.1, 00:02:05, Tunnel0

R2#sh ip cef
Prefix               Next Hop             Interface
(omit)
192.168.3.0/24       10.0.0.3             Tunnel0

R2#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+SHA256               0        1        1 155.0.0.2
    2  IPsec   3DES+SHA256               1        0        0 155.0.0.2
    5  IPsec   3DES+SHA256               0       25       25 155.0.0.2
    6  IPsec   3DES+SHA256              21        0        0 155.0.0.2
    9  IPsec   3DES+SHA256               0        0        0 155.0.0.2
   10  IPsec   3DES+SHA256               0        0        0 155.0.0.2
   11  IPsec   3DES+SHA256               0        3        3 155.0.0.2
   12  IPsec   3DES+SHA256               3        0        0 155.0.0.2
 1001  IKE     SHA256+3DES               0        0        0 155.0.0.2
 1003  IKE     SHA256+3DES               0        0        0 155.0.0.2
 1005  IKE     SHA256+3DES               0        0        0 155.0.0.2
 1006  IKE     SHA256+3DES               0        0        0 155.0.0.2

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
155.0.0.2       155.0.0.1       QM_IDLE           1003 ACTIVE
155.0.0.2       155.0.0.3       QM_IDLE           1005 ACTIVE
155.0.0.3       155.0.0.2       QM_IDLE           1006 ACTIVE
155.0.0.1       155.0.0.2       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.3 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.3/500 Active
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.3/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.3
        Active SAs: 4, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.1 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.1
        Active SAs: 4, origin: crypto map

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 432 msec 556 msec 396 msec

R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 155.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (155.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (155.0.0.3/255.255.255.255/47/0)
   current_peer 155.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 155.0.0.2, remote crypto endpt.: 155.0.0.3
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0xD13DB3C5(3510481861)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8B7A62B(146253355)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 9, flow_id: SW:9, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3454)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x4CEA2C31(1290415153)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 11, flow_id: SW:11, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4267379/3455)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7123DD61(1898175841)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 10, flow_id: SW:10, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3454)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xD13DB3C5(3510481861)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 12, flow_id: SW:12, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4267379/3455)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (155.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (155.0.0.1/255.255.255.255/47/0)

(omit)

The SPOKE creates an IPsec tunnel not only with the HUB but also with the other SPOKE.
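As an added example (not the original lab's configuration), the same tunnel protection with the weak settings of the crypto section above replaced: IKEv2 with AES-GCM-256 and ECDH group 19 instead of IKEv1 with 3DES, SHA-256 HMAC and DH group 2, plus NHRP authentication on the tunnel. The proposal, policy, keyring and profile names and both key strings are placeholders; the keyring still matches any peer address because DMVPN spokes register dynamically, so per-site keys or certificate authentication would be the next step.

```cisco
! Added example, not from the original lab. Apply on R1, R2 and R3 alike.
! Names (PROP, POL, KR, IKEV2-PROF) and the key strings are placeholders.
crypto ikev2 proposal PROP
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy POL
 proposal PROP
!
! Any-peer keyring: spokes have dynamic NBMA addresses, so a single wildcard
! entry is kept here; replace with per-site keys or rsa-sig when possible.
crypto ikev2 keyring KR
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KR
 dpd 30 5 on-demand
!
! GRE (IP protocol 47) carried inside ESP, transport mode as in the lab.
crypto ipsec transform-set TRANS esp-gcm 256
 mode transport
!
crypto ipsec profile PROFILE
 set transform-set TRANS
 set ikev2-profile IKEV2-PROF
!
interface Tunnel0
 ! NHRP cleartext authentication string, identical on hub and spokes
 ip nhrp authentication NHRPKEY
 tunnel protection ipsec profile PROFILE
```

After reapplying, show crypto ikev2 sa and show crypto ipsec sa should list the hub and spoke peers with the esp-gcm transform in place of esp-3des esp-sha256-hmac.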
