Since DMVPN has been added to the CCIE v5 BluePrint (http://www.cisco.com/web/learning/exams/docs/ccieRS_Lab5.pdf) I figured that now was just as good of a time as any to write this blog.
DMVPN stands for Dynamic Multipoint VPN and it is an effective solution for dynamic secure overlay networks.
DMVPN is a combination of the following technologies:
- Multipoint GRE (mGRE)
- Next-Hop Resolution Protocol (NHRP)
- Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
- Dynamic IPsec encryption
- Cisco Express Forwarding (CEF)
Topology that we will be starting with:
The first thing will be to complete the base configurations on R1, R2 and R3. This consists of configuring the IP addresses on the interfaces shown above and setting up the routing protocol to distribute the routes. In this case we will use EIGRP 123.
R1:
Rack1R1(config)#int s0/0/0
Rack1R1(config-if)#no shut
Rack1R1(config-if)#encap ppp
Rack1R1(config-if)#
Aug 1 19:22:33.379: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
Rack1R1(config-if)#ip address 204.186.13.1 255.255.255.0
Rack1R1(config-if)#router eigrp 123
Rack1R1(config-router)# network 204.186.13.1 0.0.0.0
R2:
Rack1R2(config)#interface Serial0/0/0
Rack1R2(config-if)# no shutdown
Rack1R2(config-if)# ip address 204.186.23.2 255.255.255.0
Rack1R2(config-if)# encapsulation ppp
Rack1R2(config-if)#
Aug 1 19:28:56.915: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
Rack1R2(config-if)#router eigrp 123
Rack1R2(config-router)# network 204.186.23.2 0.0.0.0
R3:
Rack1R3(config)#interface Serial0/0/0
Rack1R3(config-if)# no shutdown
Rack1R3(config-if)# ip address 204.186.13.3 255.255.255.0
Rack1R3(config-if)# encapsulation ppp
Rack1R3(config-if)#interface Serial0/1/0
Rack1R3(config-if)# no shutdown
Rack1R3(config-if)# ip address 204.186.23.3 255.255.255.0
Rack1R3(config-if)# encapsulation ppp
Rack1R3(config-if)#router eigrp 123
Rack1R3(config-router)# network 204.186.13.3 0.0.0.0
Rack1R3(config-router)# network 204.186.23.3 0.0.0.0
Looks like the neighbors have come up correctly; now let's verify that the correct routes are showing up:
R1:
Rack1R1(config)#do sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
204.186.23.0/24 is variably subnetted, 2 subnets, 2 masks
D 204.186.23.0/24 [90/2681856] via 204.186.13.3, 00:03:36, Serial0/0/0
D 204.186.23.2/32 [90/2681856] via 204.186.13.3, 00:03:36, Serial0/0/0
R2:
Rack1R2(config-router)#do sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
204.186.13.0/24 is variably subnetted, 2 subnets, 2 masks
D 204.186.13.0/24 [90/2681856] via 204.186.23.3, 00:04:31, Serial0/0/0
D 204.186.13.1/32 [90/2681856] via 204.186.23.3, 00:04:31, Serial0/0/0
Looks like the routes are populating correctly. I did not include the output from R2 because it will not need to learn any routes from EIGRP, as both R1 and R3 are directly connected. Now that we have full reachability we can begin the actual DMVPN configuration. Here is what the new topology will look like once complete:
Next we will create the Tunnel interfaces on each router:
R1:
Rack1R1(config)#interface Tunnel0
Rack1R1(config-if)# ip address 173.1.123.1 255.255.255.0
Rack1R1(config-if)# no ip redirects
Rack1R1(config-if)# ip nhrp map multicast dynamic
Rack1R1(config-if)# ip nhrp network-id 99
Rack1R1(config-if)# ip nhrp holdtime 300
Rack1R1(config-if)# tunnel source Serial0/0/0
Rack1R1(config-if)# tunnel mode gre multipoint
Rack1R1(config-if)# tunnel key 100000
R2:
Rack1R2(config-router)#interface Tunnel0
Rack1R2(config-if)# ip address 173.1.123.2 255.255.255.0
Rack1R2(config-if)# no ip redirects
Rack1R2(config-if)# ip nhrp map 173.1.123.1 204.186.13.1
Rack1R2(config-if)# ip nhrp map multicast 204.186.13.1
Rack1R2(config-if)# ip nhrp network-id 99
Rack1R2(config-if)# ip nhrp nhs 173.1.123.1
Rack1R2(config-if)# tunnel source Serial0/0/0
Rack1R2(config-if)# tunnel mode gre multipoint
Rack1R2(config-if)# tunnel key 100000
R3:
Rack1R3(config-router)#interface Tunnel0
Rack1R3(config-if)# ip address 173.1.123.3 255.255.255.0
Rack1R3(config-if)# no ip redirects
Rack1R3(config-if)# ip nhrp map 173.1.123.1 204.186.13.1
Rack1R3(config-if)# ip nhrp map multicast 204.186.13.1
Rack1R3(config-if)# ip nhrp network-id 99
Rack1R3(config-if)# ip nhrp nhs 173.1.123.1
Rack1R3(config-if)# tunnel source Serial0/0/0
Rack1R3(config-if)# tunnel mode gre multipoint
Rack1R3(config-if)# tunnel key 100000
Now let's verify that the tunnels have come up correctly:
R1:
Rack1R1(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 204.186.23.2 173.1.123.2 UP 00:39:58 D
1 204.186.13.3 173.1.123.3 UP 00:38:51 D
R2:
Rack1R2(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 204.186.13.1 173.1.123.1 UP 00:41:20 S
1 204.186.13.3 173.1.123.3 UP 00:08:43 D
R3:
Rack1R3(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 204.186.13.1 173.1.123.1 UP 00:40:34 S
1 204.186.23.2 173.1.123.2 UP 00:09:05 D
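The hub's show dmvpn table is also the natural thing to check automatically. The following is an added example, not code from the original post: it parses the peer table, confirms every expected spoke is registered and UP from the NBMA address it should be using, and flags any peer the hub was not told about. The sample output, the expected-spoke mapping and the check_hub function are all constructed for this example; since the tunnels above run with no NHRP authentication and none of the IPsec listed in the component list, a registration from an unexpected address is worth noticing.

```python
import re

# Constructed sample in the same shape as the hub's "show dmvpn" output above.
HUB_SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr     Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 204.186.23.2        173.1.123.2    UP 00:39:58     D
     1 204.186.13.3        173.1.123.3    UP 00:38:51     D
"""

# One peer row: "# Ent", NBMA address, tunnel address, state, up/down time, attribute.
PEER_RE = re.compile(
    r"^\s*\d+\s+(?P<nbma>\d+(?:\.\d+){3})\s+(?P<tunnel>\d+(?:\.\d+){3})"
    r"\s+(?P<state>\S+)\s+\S+\s+(?P<attrb>\S+)"
)

def parse_show_dmvpn(text):
    """Return (device type, list of peer dicts) from a show dmvpn peer table.
    Each dict has nbma (underlay address), tunnel (overlay address), state, attrb."""
    kind, peers = None, []
    for line in text.splitlines():
        m = re.match(r"Type:(\w+),", line.strip())
        if m:
            kind = m.group(1)
        m = PEER_RE.match(line)
        if m:
            peers.append(m.groupdict())
    return kind, peers

def check_hub(text, expected):
    """expected maps each spoke's tunnel address to the NBMA address it should
    register from. Returns a list of problems; an empty list means all is well."""
    kind, peers = parse_show_dmvpn(text)
    problems = [] if kind == "Hub" else [f"device type is {kind}, expected Hub"]
    seen = {p["tunnel"]: p for p in peers}
    for tun, nbma in expected.items():
        p = seen.get(tun)
        if p is None:
            problems.append(f"spoke {tun} has not registered")
        elif p["state"] != "UP":
            problems.append(f"spoke {tun} is in state {p['state']}")
        elif p["nbma"] != nbma:
            problems.append(f"spoke {tun} registered from {p['nbma']}, expected {nbma}")
    # Anything reaching the hub's NBMA address can register on this unauthenticated tunnel.
    for tun in sorted(seen.keys() - expected.keys()):
        problems.append(f"unexpected peer {tun} from {seen[tun]['nbma']}")
    return problems
```

Feed it the real output of show dmvpn from the hub and the spoke list from your own records; an empty return means the overlay looks exactly as intended.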
Last we need to verify connectivity across the tunnel:
R1:
Rack1R1(config-if)#do ping 173.1.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.2, timeout is 2 seconds:
!!!!!
Rack1R1(config-if)#do ping 173.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/16 ms
R2:
Rack1R2(config-if)#do ping 173.1.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Rack1R2(config-if)#do ping 173.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3:
Rack1R3(config-if)#do ping 173.1.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Rack1R3(config-if)#do ping 173.1.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.1.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Alright, everything looks good. Next let's look at a few show commands:
R1:
Rack1R1(config-if)#do sh ip nhrp
173.1.123.2/32 via 173.1.123.2
Tunnel0 created 00:16:27, expire 01:43:33
Type: dynamic, Flags: unique registered nhop
NBMA address: 204.186.23.2
173.1.123.3/32 via 173.1.123.3
Tunnel0 created 00:15:20, expire 01:44:39
Type: dynamic, Flags: unique registered nhop
NBMA address: 204.186.13.3
R2:
Rack1R2(config-if)#do sh ip nhrp
173.1.123.1/32 via 173.1.123.1
Tunnel0 created 00:17:55, never expire
Type: static, Flags: used
NBMA address: 204.186.13.1
R3:
Rack1R3(config-if)#do sh ip nhrp
173.1.123.1/32 via 173.1.123.1
Tunnel0 created 00:17:00, never expire
Type: static, Flags: used
NBMA address: 204.186.13.1
Adding another spoke (configured like R2/R3) would be very simple: once its underlay connection is established, the only extra step is giving its tunnel interface the static NHRP mapping and NHS entry that point at the hub (R1).
You can follow me on Twitter at @ipv4freely