DMVPN - phase two - EIGRP

Phase two allows spoke-to-spoke communication. Please read my previous post (EIGRP phase one) first: http://myitmicroblog.svbtle.com/dmvpn-phase-one-eigrp

[Image: dmvpn-1-1.jpg]

Note that phase two is not recommended, because phase three solves many of its issues, such as scalability. I will describe the differences between them in my next post.

From the configuration perspective I need to change:

R1 (hub):

interface Tunnel0
  no ip next-hop-self eigrp 1

Let’s check the settings on R2 before we send traffic:

R2#sh ip route eigrp
     33.0.0.0/24 is subnetted, 1 subnets
D       33.33.33.0 [90/310172416] via 10.10.10.3, 00:22:35, Tunnel0
D    11.0.0.0/8 [90/297372416] via 10.10.10.1, 00:22:37, Tunnel0
R2#

As you can see, the next hop for Lan3 (33.33.33.33) is R3, not R1 as in phase one.

R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 01:40:18, never expire
  Type: static, Flags: nat used
  NBMA address: 5.5.5.1
R2#
R2#sh ip cef | i 33
33.33.33.0/24       10.10.10.3           Tunnel0
R2#
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         5.5.5.1      10.10.10.1    UP 01:43:00 S

R2#
R2#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

 -------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 10.10.10.2
   Source addr: 6.6.6.1, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "IPSEC-PRF",
Tunnel VRF "", ip vrf forwarding ""

NHRP Details: NHS:         10.10.10.1 RE

Type:Spoke, NBMA Peers:1
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         5.5.5.1      10.10.10.1    UP 01:43:05 S         10.10.10.1/32

  IKE SA: local 6.6.6.1/500 remote 5.5.5.1/500 Active
  Crypto Session Status: UP-ACTIVE
  fvrf: (none)
  IPSEC FLOW: permit 47 host 6.6.6.1 host 5.5.5.1
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0x20F7240B, transform : esp-3des esp-sha-hmac
    Socket State: Open

Pending DMVPN Sessions:

R2#

Now I send traffic from 22.22.22.22 to 33.33.33.33:

R2#traceroute 33.33.33.33 source 22.22.22.22

Type escape sequence to abort.
Tracing the route to 33.33.33.33

  1 10.10.10.1 92 msec 64 msec 84 msec
  2 10.10.10.3 116 msec 128 msec 124 msec
R2#
R2#
R2#
R2#traceroute 33.33.33.33 source 22.22.22.22

Type escape sequence to abort.
Tracing the route to 33.33.33.33

  1 10.10.10.3 40 msec 64 msec 88 msec
R2#

So the traffic triggered the creation of a new NHRP entry:

R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 01:44:33, never expire
  Type: static, Flags: nat used
  NBMA address: 5.5.5.1
10.10.10.3/32 via 10.10.10.3, Tunnel0 created 00:00:19, expire 01:59:39
  Type: dynamic, Flags: router nat
  NBMA address: 7.7.7.1
R2#

and a new dynamic tunnel:

R2#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

 -------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 10.10.10.2
   Source addr: 6.6.6.1, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "IPSEC-PRF",
Tunnel VRF "", ip vrf forwarding ""

NHRP Details: NHS:         10.10.10.1 RE

Type:Spoke, NBMA Peers:2
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         5.5.5.1      10.10.10.1    UP 01:45:51 S         10.10.10.1/32

  IKE SA: local 6.6.6.1/500 remote 5.5.5.1/500 Active
  Crypto Session Status: UP-ACTIVE
  fvrf: (none)
  IPSEC FLOW: permit 47 host 6.6.6.1 host 5.5.5.1
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0x20F7240B, transform : esp-3des esp-sha-hmac
    Socket State: Open
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         7.7.7.1      10.10.10.3    UP 00:01:40 D         10.10.10.3/32

  IKE SA: local 6.6.6.1/500 remote 7.7.7.1/500 Active
  Crypto Session Status: UP-ACTIVE
  fvrf: (none)
  IPSEC FLOW: permit 47 host 6.6.6.1 host 7.7.7.1
        Active SAs: 2, origin: crypto map
   Outbound SPI : 0xF6648969, transform : esp-3des esp-sha-hmac
    Socket State: Open

Pending DMVPN Sessions:

R2#

As you can see, I can build spoke-to-spoke tunnels, but you should remember the following limitations:

In my next post I will test phase three.
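
The `sh dmvpn detail` output above shows two things worth checking on every spoke: a new peer with attribute D (a dynamic spoke-to-spoke session, whose traffic no longer transits the hub, as the second traceroute shows) and the esp-3des transform on both sessions. The following Python code is an added example, not part of the original post: it parses that output and reports dynamic peers, static peers outside an expected hub list, and legacy ESP transforms. The function names, the `WEAK` policy set and the expected-hub list are assumptions made for this example.

```python
import re

# Abridged from the second "sh dmvpn detail" output on this page.
SAMPLE = """\
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         5.5.5.1      10.10.10.1    UP 01:45:51 S         10.10.10.1/32
   Outbound SPI : 0x20F7240B, transform : esp-3des esp-sha-hmac
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         7.7.7.1      10.10.10.3    UP 00:01:40 D         10.10.10.3/32
   Outbound SPI : 0xF6648969, transform : esp-3des esp-sha-hmac
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(rf"^\s*\d+\s+({IP})\s+({IP})\s+(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s*$")
XFORM_RE = re.compile(r"transform\s*:\s*(.+?)\s*$")
# Assumption: the review policy treats these ESP transforms as legacy.
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_peers(text):
    """Return one dict per peer row, with the transform set that follows it."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            nbma, tunnel, state, _updn, attrb, _target = m.groups()
            peers.append({"nbma": nbma, "tunnel": tunnel, "state": state,
                          "attrb": attrb, "transforms": []})
            continue
        x = XFORM_RE.search(line)
        if x and peers:
            peers[-1]["transforms"] = x.group(1).split()
    return peers

def audit(text, expected_static):
    """Flag dynamic (spoke-to-spoke) peers, unexpected static peers, weak transforms."""
    findings = []
    for p in parse_peers(text):
        if "D" in p["attrb"]:
            findings.append((p["nbma"], "dynamic spoke-to-spoke session"))
        elif p["nbma"] not in expected_static:
            findings.append((p["nbma"], "static peer not in expected hub list"))
        for t in p["transforms"]:
            if t in WEAK:
                findings.append((p["nbma"], f"legacy transform {t}"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, {"5.5.5.1"}))
```

Here `{"5.5.5.1"}` is the hub's NBMA address from the output above; on a real spoke, pass the set of NBMA addresses configured as NHS peers.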

 