Avatar

Since DMVPN has been added to the CCIE v5 BluePrint (http://www.cisco.com/web/learning/exams/docs/ccieRS_Lab5.pdf) I figured that now was just as good of a time as any to write this blog.

DMVPN stands for Dynamic Multipoint VPN and it is an effective solution for dynamic secure overlay networks.

DMVPN is combination of the following technologies:

  • Multipoint GRE (mGRE)
  • Next-Hop Resolution Protocol (NHRP)
  • Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
  • Dynamic IPsec encryption
  • Cisco Express Forwarding (CEF)

Topology that we will be starting with:

Colby's Blog Image 1

First thing will be to complete the base configurations on R1, R2 & R3. This will consist of configuring the IP addresses on the above interfaces and setting up the routing protocol to distribute the routes. In this case we will use EIGRP 123.

R1:

Rack1R1(config)#int s0/0/0

Rack1R1(config-if)#no shut

Rack1R1(config-if)#encap ppp

Rack1R1(config-if)#

Aug  1 19:22:33.379: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down

Rack1R1(config-if)#ip address 204.186.13.1 255.255.255.0

Rack1R1(config-if)#router eigrp 123

Rack1R1(config-router)# network 204.186.13.1 0.0.0.0

R2:

Rack1R2(config)#interface Serial0/0/0

Rack1R2(config-if)# no shutdown

Rack1R2(config-if)# ip address 204.186.23.2 255.255.255.0

Rack1R2(config-if)# encapsulation ppp

Rack1R2(config-if)#

Aug  1 19:28:56.915: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down

Rack1R2(config-if)#router eigrp 123

Rack1R2(config-router)# network 204.186.23.2 0.0.0.0

R3:

Rack1R3(config)#interface Serial0/0/0

Rack1R3(config-if)# no shutdown

Rack1R3(config-if)# ip address 204.186.13.3 255.255.255.0

Rack1R3(config-if)# encapsulation ppp

Rack1R3(config-if)#interface Serial0/1/0

Rack1R3(config-if)# no shutdown

Rack1R3(config-if)# ip address 204.186.23.3 255.255.255.0

Rack1R3(config-if)# encapsulation ppp

Rack1R3(config-if)#router eigrp 123

Rack1R3(config-router)# network 204.186.13.3 0.0.0.0

Rack1R3(config-router)# network 204.186.23.3 0.0.0.0

Looks like the neighbors have come up correctly, now lets just verify that the correct routes are showing up:

R1:

Rack1R1(config)#do sh ip route eigrp

Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP

D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2

E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2

ia – IS-IS inter area, * – candidate default, U – per-user static route

o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP

a – application route

+ – replicated route, % – next hop override

Gateway of last resort is not set

204.186.23.0/24 is variably subnetted, 2 subnets, 2 masks

D        204.186.23.0/24 [90/2681856] via 204.186.13.3, 00:03:36, Serial0/0/0

D        204.186.23.2/32 [90/2681856] via 204.186.13.3, 00:03:36, Serial0/0/0

R2:

Rack1R2(config-router)#do sh ip route eigrp

Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP

D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2

E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2

ia – IS-IS inter area, * – candidate default, U – per-user static route

o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP

a – application route

+ – replicated route, % – next hop override

Gateway of last resort is not set

204.186.13.0/24 is variably subnetted, 2 subnets, 2 masks

D        204.186.13.0/24 [90/2681856] via 204.186.23.3, 00:04:31, Serial0/0/0

D        204.186.13.1/32 [90/2681856] via 204.186.23.3, 00:04:31, Serial0/0/0

Looks like the routes are populating correctly, I did not include the output from R2 because it will not need to learn any routes from EIGRP as both R1 and R3 are directly connected. Now that we have full reachability we can begin the actual DMVPN configuration. Here is what the new topology will look like once complete:

Colby's Blog Image 2

Next we will create the Tunnel interfaces on each router:

R1:

Rack1R1(config)#interface Tunnel0

Rack1R1(config-if)# ip address 173.1.123.1 255.255.255.0

Rack1R1(config-if)# no ip redirects

Rack1R1(config-if)# ip nhrp map multicast dynamic

Rack1R1(config-if)# ip nhrp network-id 99

Rack1R1(config-if)# ip nhrp holdtime 300

Rack1R1(config-if)# tunnel source Serial0/0/0

Rack1R1(config-if)# tunnel mode gre multipoint

Rack1R1(config-if)# tunnel key 100000

R2:

Rack1R2(config-router)#interface Tunnel0

Rack1R2(config-if)# ip address 173.1.123.2 255.255.255.0

Rack1R2(config-if)# no ip redirects

Rack1R2(config-if)# ip nhrp map 173.1.123.1 204.186.13.1

Rack1R2(config-if)# ip nhrp map multicast 204.186.13.1

Rack1R2(config-if)# ip nhrp network-id 99

Rack1R2(config-if)# ip nhrp nhs 173.1.123.1

Rack1R2(config-if)# tunnel source Serial0/0/0

Rack1R2(config-if)# tunnel mode gre multipoint

Rack1R2(config-if)# tunnel key 100000

R3:

Rack1R3(config-router)#interface Tunnel0

Rack1R3(config-if)# ip address 173.1.123.3 255.255.255.0

Rack1R3(config-if)# no ip redirects

Rack1R3(config-if)# ip nhrp map 173.1.123.1 204.186.13.1

Rack1R3(config-if)# ip nhrp map multicast 204.186.13.1

Rack1R3(config-if)# ip nhrp network-id 99

Rack1R3(config-if)# ip nhrp nhs 173.1.123.1

Rack1R3(config-if)# tunnel source Serial0/0/0

Rack1R3(config-if)# tunnel mode gre multipoint

Rack1R3(config-if)# tunnel key 100000

Now lets verify that the Tunnels have come up correctly:

R1:

Rack1R1(config-if)#do sh dmvpn

Legend: Attrb –> S – Static, D – Dynamic, I – Incomplete

N – NATed, L – Local, X – No Socket

# Ent –> Number of NHRP entries with same NBMA peer

NHS Status: E –> Expecting Replies, R –> Responding, W –> Waiting

UpDn Time –> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Hub, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

—– ————— ————— —– ——– —–

1 204.186.23.2        173.1.123.2    UP 00:39:58     D

1 204.186.13.3        173.1.123.3    UP 00:38:51     D

R2:

Rack1R2(config-if)#do sh dmvpn

Legend: Attrb –> S – Static, D – Dynamic, I – Incomplete

N – NATed, L – Local, X – No Socket

# Ent –> Number of NHRP entries with same NBMA peer

NHS Status: E –> Expecting Replies, R –> Responding, W –> Waiting

UpDn Time –> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Spoke, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

—– ————— ————— —– ——– —–

1 204.186.13.1        173.1.123.1    UP 00:41:20     S

1 204.186.13.3        173.1.123.3    UP 00:08:43     D

R3:

Rack1R3(config-if)#do sh dmvpn

Legend: Attrb –> S – Static, D – Dynamic, I – Incomplete

N – NATed, L – Local, X – No Socket

# Ent –> Number of NHRP entries with same NBMA peer

NHS Status: E –> Expecting Replies, R –> Responding, W –> Waiting

UpDn Time –> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Spoke, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

—– ————— ————— —– ——– —–

1 204.186.13.1        173.1.123.1    UP 00:40:34     S

1 204.186.23.2        173.1.123.2    UP 00:09:05     D

Last we need to verify connectivity across the tunnel:

R1:

Rack1R1(config-if)#do ping 173.1.123.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 173.1.123.2, timeout is 2 seconds:

!!!!!

Rack1R1(config-if)#do ping 173.1.123.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 173.1.123.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/16 ms

R2:

Rack1R2(config-if)#do ping 173.1.123.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 173.1.123.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Rack1R2(config-if)#do ping 173.1.123.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 173.1.123.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R3:

Rack1R3(config-if)#do ping 173.1.123.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 173.1.123.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Rack1R3(config-if)#do ping 173.1.123.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 173.1.123.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Alright, everything looks good. Next lets look at a few show commands:

R1:

Rack1R1(config-if)#do sh ip nhrp

173.1.123.2/32 via 173.1.123.2

Tunnel0 created 00:16:27, expire 01:43:33

Type: dynamic, Flags: unique registered nhop

NBMA address: 204.186.23.2

173.1.123.3/32 via 173.1.123.3

Tunnel0 created 00:15:20, expire 01:44:39

Type: dynamic, Flags: unique registered nhop

NBMA address: 204.186.13.3

R2:

Rack1R2(config-if)#do sh ip nhrp

173.1.123.1/32 via 173.1.123.1

Tunnel0 created 00:17:55, never expire

Type: static, Flags: used

NBMA address: 204.186.13.1

R3:

Rack1R3(config-if)#do sh ip nhrp

173.1.123.1/32 via 173.1.123.1

Tunnel0 created 00:17:00, never expire

Type: static, Flags: used

NBMA address: 204.186.13.1

Adding an additional spoke (similar to R2/R3) in this case would be very simple. Once the connection is established just adding the route map to go through the hub (R1).

 

You can follow me on Twitter at @ipv4freely