DMVPN - phase two - EIGRP
Phase two allows spoke-to-spoke communication. Please read my previous post (EIGRP phase one): http://myitmicroblog.svbtle.com/dmvpn-phase-one-eigrp
You should know that phase two is not recommended, because phase three solves many of its issues, such as scalability. I will describe the differences between them in my next post.
From a configuration perspective, I only need to change one thing on the hub, so that it stops rewriting the EIGRP next hop to itself when it re-advertises spoke routes:
R1 (hub):
interface Tunnel0
no ip next-hop-self eigrp 1
Let’s check the settings on R2 before we send traffic:
R2#sh ip route eigrp
33.0.0.0/24 is subnetted, 1 subnets
D 33.33.33.0 [90/310172416] via 10.10.10.3, 00:22:35, Tunnel0
D 11.0.0.0/8 [90/297372416] via 10.10.10.1, 00:22:37, Tunnel0
R2#
As you can see, the next hop for Lan3 (33.33.33.33) is R3 (10.10.10.3), not R1 as it was in phase one.
R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 01:40:18, never expire
Type: static, Flags: nat used
NBMA address: 5.5.5.1
R2#
R2#sh ip cef | i 33
33.33.33.0/24 10.10.10.3 Tunnel0
R2#
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 5.5.5.1 10.10.10.1 UP 01:43:00 S
R2#
R2#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 10.10.10.2
Source addr: 6.6.6.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "IPSEC-PRF",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details: NHS: 10.10.10.1 RE
Type:Spoke, NBMA Peers:1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 5.5.5.1 10.10.10.1 UP 01:43:05 S 10.10.10.1/32
IKE SA: local 6.6.6.1/500 remote 5.5.5.1/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none)
IPSEC FLOW: permit 47 host 6.6.6.1 host 5.5.5.1
Active SAs: 2, origin: crypto map
Outbound SPI : 0x20F7240B, transform : esp-3des esp-sha-hmac
Socket State: Open
Pending DMVPN Sessions:
R2#
Now I send traffic from 22.22.22.22 to 33.33.33.33:
R2#traceroute 33.33.33.33 source 22.22.22.22
Type escape sequence to abort.
Tracing the route to 33.33.33.33
1 10.10.10.1 92 msec 64 msec 84 msec
2 10.10.10.3 116 msec 128 msec 124 msec
R2#
R2#
R2#
R2#traceroute 33.33.33.33 source 22.22.22.22
Type escape sequence to abort.
Tracing the route to 33.33.33.33
1 10.10.10.3 40 msec 64 msec 88 msec
R2#
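The first traceroute went through the hub (10.10.10.1) and the second went directly to R3 (10.10.10.3). So the traffic triggered the creation of a new NHRP entry: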
R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 01:44:33, never expire
Type: static, Flags: nat used
NBMA address: 5.5.5.1
10.10.10.3/32 via 10.10.10.3, Tunnel0 created 00:00:19, expire 01:59:39
Type: dynamic, Flags: router nat
NBMA address: 7.7.7.1
R2#
and a new dynamic tunnel:
R2#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 10.10.10.2
Source addr: 6.6.6.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "IPSEC-PRF",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details: NHS: 10.10.10.1 RE
Type:Spoke, NBMA Peers:2
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 5.5.5.1 10.10.10.1 UP 01:45:51 S 10.10.10.1/32
IKE SA: local 6.6.6.1/500 remote 5.5.5.1/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none)
IPSEC FLOW: permit 47 host 6.6.6.1 host 5.5.5.1
Active SAs: 2, origin: crypto map
Outbound SPI : 0x20F7240B, transform : esp-3des esp-sha-hmac
Socket State: Open
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 7.7.7.1 10.10.10.3 UP 00:01:40 D 10.10.10.3/32
IKE SA: local 6.6.6.1/500 remote 7.7.7.1/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none)
IPSEC FLOW: permit 47 host 6.6.6.1 host 7.7.7.1
Active SAs: 2, origin: crypto map
Outbound SPI : 0xF6648969, transform : esp-3des esp-sha-hmac
Socket State: Open
Pending DMVPN Sessions:
R2#
As you can see, I can build spoke-to-spoke tunnels, but you should remember the following limitations:
- you can’t summarize, so every spoke has to keep routes to all other spokes in its routing table (phase three fixes this issue)
- you can’t run different routing protocols on the hub-spoke and spoke-spoke routers (phase three resolves this issue)
In my next post I will test phase three.