DMVPN phase 3 OSPF.

I’ve recently tested the different phases (1-3) of DMVPN with EIGRP and OSPF, and I found one strange thing for phase 3 with OSPF. According to the official Cisco documentation (IOS 15.2) for OSPF, you should apply the following configuration to the tunnel interface:

Phase 1 – no direct communication between spoke routers

HUB & SPOKE: ip ospf network point-to-multipoint

Phase 2 – direct communication between spokes is allowed

HUB & SPOKE: ip ospf network broadcast
SPOKE: ip ospf priority 0

Phase 3* – improved Phase 2

HUB: ip nhrp redirect
     ip ospf network point-to-multipoint 
SPOKE: ip nhrp shortcut
       ip ospf network point-to-multipoint 

I discovered that, while using the phase 3 configuration, traffic between spoke routers is always sent through the hub (just like in phase 1), and this seems to be caused by a problem with NHRP:

                          HUB
                         /----\
                        |  R1  |
                         \----/
                       [10.0.0.1]
      SPOKE1               |               SPOKE2
      /----\ [10.0.0.2]  -----  [10.0.0.3] /----\
     |  R2  |-----------| sw1 |-----------|  R3  |
      \----/             -----             \----/
        |                                    |
   22.22.22.22                          33.33.33.33

R2#debug dmvpn all nhrp
DMVPN all level debugging is on
R2#tra
R2#traceroute 33.33.33.33
Type escape sequence to abort.
Tracing the route to 33.33.33.33
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 132 msec 128 msec 108 msec
  2 10.0.0.3 176 msec 200 msec 176 msec
R2#
*Apr  4 21:11:49.142: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.278: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.414: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.522: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.702: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
*Apr  4 21:11:49.902: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1
R2#traceroute 33.33.33.33
Type escape sequence to abort.
Tracing the route to 33.33.33.33
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 132 msec 128 msec 108 msec
  2 10.0.0.3 176 msec 200 msec 176 msec
R2#
R2#sh ver | i IOS
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
R2#

I completed the same test with IOS 12.4, and the traffic was sent directly to the spoke, as it should be:

R2#debug dmvpn all nhrp
DMVPN all level debugging is on
R2#tra
R2#traceroute 33.33.33.33

Type escape sequence to abort.
Tracing the route to 33.33.33.33

  1 10.0.0.1 72 msec 72 msec 96 msec
  2 10.0.0.3 124 msec 152 msec 244 msec
R2#
*Apr  4 21:20:49.823: NHRP: Receive Traffic Indication via Tunnel0 vrf 0, packet size: 100
*Apr  4 21:20:49.823:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Apr  4 21:20:49.823:      shtl: 4(NSAP), sstl: 0(NSAP)
*Apr  4 21:20:49.823:  (M) traffic code: redirect(0)
*Apr  4 21:20:49.827:      src NBMA: 7.7.7.1
*Apr  4 21:20:49.827:      src protocol: 10.0.0.1, dst protocol: 10.0.0.2
*Apr  4 21:20:49.827:      Contents of nhrp traffic indication packet:
*Apr  4 21:20:49.827:         45 00 00 1C 00 BF 00 00 02 11 6B CF 0A 00 00 02
*Apr  4 21:20:49.831:         21 21 21 21 C0 05 82 9D 00 08 70
*Apr  4 21:20:49.831: Forward Transit NHS Record Extension(4):
*Apr  4 21:20:49.831: Reverse Transit NHS Record Extension(5):
*Apr  4 21:20:49.831: Authentication Extension(7):
*Apr  4 21:20:49.831:   type:Cleartext(1), data:donttell
*Apr  4 21:20:49.835: NAT address Extension(9):
*Apr  4 21:20:49.835: NHRP: netid_in = 99, to_us = 1
*Apr  4 21:20:49.835: NHRP: netid_out
R2# 0, netid_in 99
*Apr  4 21:20:49.835: NHRP: Tunnel0: Cache add for target 33.33.33.33/32 next-hop 33.33.33.33
*Apr  4 21:20:49.839:
*Apr  4 21:20:49.883: NHRP: Checking for delayed event 0.0.0.0/33.33.33.33 on list (Tunnel0).
*Apr  4 21:20:49.883: NHRP: No node found.
*Apr  4 21:20:49.899: NHRP: Checking for delayed event 0.0.0.0/33.33.33.33 on list (Tunnel0).
*Apr  4 21:20:49.899: NHRP: No node found.
*Apr  4 21:20:49.903: NHRP: Attempting to send packet via DEST 33.33.33.33
*Apr  4 21:20:49.903: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.7.7.1
*Apr  4 21:20:49.903: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Apr  4 21:20:49.907:  src: 10.0.0.2, dst: 33.33.33.33
*Apr  4 21:20:49.907:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Apr  4 21:20:49.907:      shtl: 4(NSAP), sstl: 0(NSAP)
*Apr  4 21:20:49.907:  (M) flags: "router auth src-stable nat ", reqid: 6
*Apr  4 21:20:49.911:      src NBMA: 7.7.7.2
*Apr  4 21:20:49.911:
R2#    src protocol: 10.0.0.2, dst protocol: 33.33.33.33
*Apr  4 21:20:49.911:  (C-1) code: no error(0)
*Apr  4 21:20:49.911:        prefix: 0, mtu: 1514, hd_time: 7200
*Apr  4 21:20:49.915:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Apr  4 21:20:49.915: Responder Address Extension(3):
*Apr  4 21:20:49.915: Forward Transit NHS Record Extension(4):
*Apr  4 21:20:49.915: Reverse Transit NHS Record Extension(5):
*Apr  4 21:20:49.915: Authentication Extension(7):
*Apr  4 21:20:49.915:   type:Cleartext(1), data:donttell
*Apr  4 21:20:49.919: NAT address Extension(9):
*Apr  4 21:20:49.919: NHRP: 88 bytes out Tunnel0
*Apr  4 21:20:49.919: NHRP-RATE: Sending initial Resolution Request for 33.33.33.33, reqid 6
*Apr  4 21:20:50.703: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 156
*Apr  4 21:20:50.707:  (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
*Apr  4 21:20:50.707:      shtl: 4(NSAP), sstl: 0(NSAP)
*Apr  4 21:20:50.707:  (M
R2#) flags: "router auth dst-stable unique src-stable nat ", reqid: 6
*Apr  4 21:20:50.707:      src NBMA: 7.7.7.2
*Apr  4 21:20:50.707:      src protocol: 10.0.0.2, dst protocol: 33.33.33.33
*Apr  4 21:20:50.711:  (C-1) code: no error(0)
*Apr  4 21:20:50.711:        prefix: 24, mtu: 1514, hd_time: 7199
*Apr  4 21:20:50.711:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr  4 21:20:50.711:        client NBMA: 7.7.7.3
*Apr  4 21:20:50.715:        client protocol: 10.0.0.3
*Apr  4 21:20:50.715: Responder Address Extension(3):
*Apr  4 21:20:50.715:  (C) code: no error(0)
*Apr  4 21:20:50.715:        prefix: 0, mtu: 1514, hd_time: 7200
*Apr  4 21:20:50.715:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr  4 21:20:50.715:        client NBMA: 7.7.7.3
*Apr  4 21:20:50.719:        client protocol: 10.0.0.3
*Apr  4 21:20:50.719: Forward Transit NHS Record Extension(4):
*Apr  4 21:20:50.719:  (C-1) code: no error(0)
*Apr  4 21:2
R2#0:50.719:        prefix: 0, mtu: 1514, hd_time: 7200
*Apr  4 21:20:50.719:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr  4 21:20:50.723:        client NBMA: 7.7.7.1
*Apr  4 21:20:50.723:        client protocol: 10.0.0.1
*Apr  4 21:20:50.723: Reverse Transit NHS Record Extension(5):
*Apr  4 21:20:50.723:  (C-1) code: no error(0)
*Apr  4 21:20:50.723:        prefix: 0, mtu: 1514, hd_time: 7200
*Apr  4 21:20:50.727:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr  4 21:20:50.727:        client NBMA: 7.7.7.1
*Apr  4 21:20:50.727:        client protocol: 10.0.0.1
*Apr  4 21:20:50.727: Authentication Extension(7):
*Apr  4 21:20:50.727:   type:Cleartext(1), data:donttell
*Apr  4 21:20:50.731: NAT address Extension(9):
*Apr  4 21:20:50.731: NHRP: netid_in = 0, to_us = 1
*Apr  4 21:20:50.731: NHRP: Checking for delayed event 0.0.0.0/33.33.33.33 on list (Tunnel0).
*Apr  4 21:20:50.731: NHRP: No node found.
*Apr  4 21:2
R2#0:50.735: NHRP: No need to delay processing of resolution event nbma src:7.7.7.2 nbma dst:7.7.7.3
*Apr  4 21:20:50.735: NHRP: Tunnel0: Cache add for target 33.33.33.0/24 next-hop 10.0.0.3
*Apr  4 21:20:50.739:            7.7.7.3
*Apr  4 21:20:50.739: NHRP: Converted internal dynamic cache entry for 33.33.33.0/24 interface Tunnel0 to external
*Apr  4 21:20:50.743: NHRP: Found adjacency for nhop 10.0.0.3
*Apr  4 21:20:50.743: NHRP: Deleting incomplete entry for 33.33.33.33/32 interface Tunnel0
*Apr  4 21:20:50.747: NHRP: Deleting delayed event for NBMA 0.0.0.0 on list (Tunnel0).
*Apr  4 21:20:51.819: NHRP-RATE: Tunnel0: Used 1
R2#traceroute 33.33.33.33

Type escape sequence to abort.
Tracing the route to 33.33.33.33

  1 10.0.0.3 56 msec 84 msec 84 msec
R2#sh ver | i IOS
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(11)T1, RELEASE SOFTWARE (fc5)
R2#
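As an added example (not code from the original post), a small Python check that classifies a spoke's traceroute-plus-debug capture as "hub transit" or "spoke-to-spoke shortcut", the same judgement made by eye on the two R2 sessions above. The samples are abridged, constructed copies of those sessions, and the hub tunnel address 10.0.0.1 is taken from the diagram.

```python
import re
# Constructed samples, abridged from the two R2 sessions quoted in the post.
LOG_152 = """R2#traceroute 33.33.33.33
Tracing the route to 33.33.33.33
  1 10.0.0.1 132 msec 128 msec 108 msec
  2 10.0.0.3 176 msec 200 msec 176 msec
*Apr  4 21:11:49.142: NHRP: NHRP successfully mapped '10.0.0.1' to NBMA 7.7.7.1"""
LOG_124 = """R2#traceroute 33.33.33.33
Tracing the route to 33.33.33.33
  1 10.0.0.1 72 msec 72 msec 96 msec
  2 10.0.0.3 124 msec 152 msec 244 msec
*Apr  4 21:20:49.823: NHRP: Receive Traffic Indication via Tunnel0 vrf 0, packet size: 100
*Apr  4 21:20:49.835: NHRP: Tunnel0: Cache add for target 33.33.33.33/32 next-hop 33.33.33.33
*Apr  4 21:20:50.703: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 156
*Apr  4 21:20:50.735: NHRP: Tunnel0: Cache add for target 33.33.33.0/24 next-hop 10.0.0.3
R2#traceroute 33.33.33.33
Tracing the route to 33.33.33.33
  1 10.0.0.3 56 msec 84 msec 84 msec"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\d+ msec")
CACHE_RE = re.compile(r"Cache add for target (\S+)/\d+ next-hop (\d+\.\d+\.\d+\.\d+)")

def parse_session(text):
    """Collect the first hop of every traceroute plus the NHRP events that matter."""
    first_hops, shortcut, redirect = [], None, False
    for line in text.splitlines():
        hop = HOP_RE.match(line)
        if hop and hop.group(1) == "1":
            first_hops.append(hop.group(2))
        redirect |= "Receive Traffic Indication" in line     # hub sent an NHRP redirect
        cache = CACHE_RE.search(line)
        if cache and cache.group(2) != cache.group(1):       # skip the /32 placeholder entry
            shortcut = cache.group(2)                        # resolved spoke tunnel address
    return {"first_hops": first_hops, "redirect": redirect, "shortcut": shortcut}

def classify(text, hub="10.0.0.1"):
    """Decide whether the spoke ended up with a direct path or still transits the hub."""
    s = parse_session(text)
    if s["shortcut"] and s["first_hops"] and s["first_hops"][-1] == s["shortcut"]:
        return "spoke-to-spoke shortcut via %s" % s["shortcut"]
    if not s["redirect"]:
        return "hub transit: no NHRP redirect from %s" % hub
    return "hub transit: redirect seen but no shortcut installed"

if __name__ == "__main__":
    print("15.2:", classify(LOG_152))   # hub transit: no NHRP redirect from 10.0.0.1
    print("12.4:", classify(LOG_124))   # spoke-to-spoke shortcut via 10.0.0.3
```

Feed it the output of `debug dmvpn all nhrp` plus the traceroutes from a spoke to tell the two behaviours apart without reading the whole debug by hand.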

When the tunnel's OSPF network type is changed from ‘point-to-multipoint’ to ‘broadcast’ on 15.2, everything works as expected: traffic is sent directly between spokes. For anyone unaware of this behaviour who upgrades their routers to 15.2, traffic suddenly transiting the hub router can be an unwelcome surprise.
So, the correct settings are:

Phase 3* – improved Phase 2

HUB: ip nhrp redirect
     ip ospf network point-to-multipoint (ver 12.X)
     ip ospf network broadcast (ver 15.2)

SPOKE: ip nhrp shortcut
       ip ospf network point-to-multipoint (ver 12.X)
       ip ospf network broadcast (ver 15.2)