EVE-NG topology
DMVPN combines mGRE, the Next-Hop Resolution Protocol (NHRP), and optional IPSec. DMVPN can be implemented as Phase 1, Phase 2, or Phase 3.
The two flavors are
- GRE
- mGRE
GRE is a point-to-point logical link configured with a tunnel source and destination. The tunnel source can be an IP address or interface.
Multipoint Generic Routing Encapsulation (mGRE) configuration includes a tunnel source and tunnel mode. The tunnel destination is NOT configured. Therefore, the tunnel can have many endpoints, and only a single tunnel interface is utilized. The endpoints can be configured as a GRE tunnel or mGRE tunnel.
mGRE does NOT have mapping capabilities. This is where the Next-Hop Resolution Protocol is used. NHRP provides Layer 2 address resolution and a caching service similar to ARP.
NHRP is used by the spoke connected to an NBMA network to determine the NBMA IP address of the next-hop router. With NHRP, you can map a tunnel IP address to an NBMA IP address statically or dynamically. The NMBA IP address is the public IP address. The assigned tunnel IP address can be a RFC 1918 address.
In NHRP, a router can be configured as a NHRP client or a NHRP server. The NHS acts as a mapping agent and stores all registered mapping information by the NHC. The NHS can reply to queries made by the NHCs. NHCs send a query to the NHS if they need to communicate with another NHC.
- NHS – Server
- NHC – Client
NHRP’s behavior is similar to ARP, as it allows clients to dynamically register their public IP to a tunnel IP address mapping. This allows the client to join the NBMA network without the server needing to be reconfigured.
Without address discovery, packets must traverse through the hub to reach the spokes. This behavior can negatively impact the router’s CPU and bandwidth.
DMPVN Phase 1 items to remember:
- mGRE is configured on the hub.
- GRE is configured on the spokes.
- Multicast or unicast traffic can only flow between the hub and the spokes, never from spoke to spoke.
- Configuration can be static, or the spokes (clients) can dynamically register with the hub.
- Direct spoke-spoke tunnels do NOT exist.
Reference image: INE
R1 – R5 IP configuration
Verify interface configuration
R5#show ip int br | ex unas
Interface IP-Address OK? Method Status Protocol
Ethernet0/0.45 155.1.45.5 YES NVRAM up up
Ethernet0/0.58 155.1.58.5 YES NVRAM up up
Ethernet0/0.100 169.1.100.5 YES manual up up
Loopback0 150.1.5.5 YES NVRAM up up R1#show ip int br | ex unass
Interface IP-Address OK? Method Status Protocol
Ethernet0/0.13 155.1.13.1 YES NVRAM up up
Ethernet0/0.100 169.1.100.1 YES manual up up
Ethernet0/0.146 155.1.146.1 YES NVRAM up up
Loopback0 150.1.1.1 YES NVRAM up up
R2#show ip int br | ex unas
Interface IP-Address OK? Method Status Protocol
Ethernet0/0.23 155.1.23.2 YES NVRAM up up
Ethernet0/0.100 169.1.100.2 YES manual up up R3#show ip int br | ex unas
Interface IP-Address OK? Method Status Protocol
Ethernet0/0.13 155.1.13.3 YES NVRAM up up
Ethernet0/0.23 155.1.23.3 YES NVRAM up up
Ethernet0/0.37 155.1.37.3 YES NVRAM up up
Ethernet0/0.100 169.1.100.3 YES manual up up
Loopback0 150.1.3.3 YES NVRAM up up R4#show ip int br | ex unas
Interface IP-Address OK? Method Status Protocol
Ethernet0/1.45 155.1.45.4 YES NVRAM up up
Ethernet0/1.100 169.1.100.4 YES manual up up
Ethernet0/1.146 155.1.146.4 YES NVRAM up up
Loopback0 150.1.4.4 YES NVRAM up up Verify connectivity on the 169.1.100.0/24 network
- TCL script blog can be found here.
tclsh
foreach VAR {
169.1.100.1
169.1.100.2
169.1.100.3
169.1.100.4
169.1.100.5
} { puts [exec "ping $VAR"] }
tclquit
R5 (HUB) tunnel interface configuration.
interface Tunnel0
ip address 150.1.100.5 255.255.255.0
no ip redirects
ip mtu 1476
ip nhrp map 150.1.100.1 169.1.100.1
ip nhrp map 150.1.100.2 169.1.100.2
ip nhrp map 150.1.100.3 169.1.100.3
ip nhrp map 150.1.100.4 169.1.100.4
ip nhrp network-id 505
ip tcp adjust-mss 1436
tunnel source 169.1.100.5
tunnel mode gre multipoint
endR1 (SPOKE) tunnel interface configuration.
!
interface Tunnel0
ip address 150.1.100.1 255.255.255.0
ip mtu 1476
ip nhrp map 150.1.100.5 169.1.100.5
ip nhrp network-id 101
tunnel source 169.1.100.1
tunnel destination 169.1.100.5
endR2 (SPOKE) tunnel interface configuration.
interface Tunnel0
ip address 150.1.100.2 255.255.255.0
ip mtu 1476
ip nhrp map 150.1.100.5 169.1.100.5
ip nhrp network-id 202
tunnel source 169.1.100.2
tunnel destination 169.1.100.5
endR3(SPOKE) tunnel interface configuration.
interface Tunnel0
ip address 150.1.100.4 255.255.255.0
ip mtu 1476
ip nhrp map 150.1.100.5 169.1.100.5
ip nhrp network-id 404
tunnel source 169.1.100.4
tunnel destination 169.1.100.5
endVerification
R1 – R5 Tunnel interface state
R5#show ip int br | i Tunnel
Tunnel0 150.1.100.5 YES manual up up
R5#
R4#show ip int br | i Tunnel
Tunnel0 150.1.100.4 YES manual up up
R4#
R3#show ip int br | i Tunnel
Tunnel0 150.1.100.3 YES manual up up
R2#show ip int br | i Tunnel
Tunnel0 150.1.100.2 YES manual up up
R2#
R1#show ip int br | i Tunnel
Tunnel0 150.1.100.1 YES manual up up
R1#
R1#show int tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 150.1.100.1/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 169.1.100.1, destination 169.1.100.5
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:17:57, output 00:17:57, output hang never
Last clearing of "show interface" counters 01:06:05
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
138 packets input, 16460 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
164 packets output, 19008 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped outNHRP & DMVPN Verification
R5 (HUB)
R5#show ip nhrp
150.1.100.1/32 via 150.1.100.1
Tunnel0 created 00:17:26, never expire
Type: static, Flags: used
NBMA address: 169.1.100.1
150.1.100.2/32 via 150.1.100.2
Tunnel0 created 00:17:26, never expire
Type: static, Flags: used
NBMA address: 169.1.100.2
150.1.100.3/32 via 150.1.100.3
Tunnel0 created 00:17:26, never expire
Type: static, Flags: used
NBMA address: 169.1.100.3
150.1.100.4/32 via 150.1.100.4
Tunnel0 created 00:17:26, never expire
Type: static, Flags:
NBMA address: 169.1.100.4 R5#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:4,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 169.1.100.1 150.1.100.1 NHRP never SC
1 169.1.100.2 150.1.100.2 NHRP never SC
1 169.1.100.3 150.1.100.3 NHRP never SC
1 169.1.100.4 150.1.100.4 NHRP never SCR1 (SPOKE)
R1#show ip nhrp
150.1.100.5/32 via 150.1.100.5
Tunnel0 created 00:17:01, never expire
Type: static, Flags:
NBMA address: 169.1.100.5
R1#show dmv
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 169.1.100.5 150.1.100.5 NHRP never SC
R2, R3, and R4’s NHRP/DMVPN tables are identical. Each device MUST traverse the HUB to communicate with each other.
R1’s ping results to the Hub and Spokes
R1’s traceroute results to the Spokes
R2’s traceroute results to the Spokes
R3’s traceroute results to the Spokes
R4’s traceroute results to the Spokes
All traffic traversed R5 to get to the respective router
Wireshark Capture
