DMVPN Notes – Phase 1 Static Mappings

EVE-NG topology


DMVPN combines mGRE, the Next-Hop Resolution Protocol (NHRP), and optional IPsec. DMVPN can be implemented as Phase 1, Phase 2, or Phase 3.

GRE tunnels come in two flavors:

  • GRE
  • mGRE

GRE is a point-to-point logical link configured with a tunnel source and destination. The tunnel source can be an IP address or interface.

Multipoint Generic Routing Encapsulation (mGRE) configuration includes a tunnel source and tunnel mode. The tunnel destination is NOT configured. Therefore, the tunnel can have many endpoints, and only a single tunnel interface is utilized. The endpoints can be configured as a GRE tunnel or mGRE tunnel.

mGRE does NOT have mapping capabilities. This is where the Next-Hop Resolution Protocol is used. NHRP provides Layer 2 address resolution and a caching service similar to ARP.

NHRP is used by the spoke connected to an NBMA network to determine the NBMA IP address of the next-hop router. With NHRP, you can map a tunnel IP address to an NBMA IP address statically or dynamically. The NBMA IP address is the public IP address. The assigned tunnel IP address can be an RFC 1918 address.

In NHRP, a router can be configured as an NHRP client (NHC) or an NHRP server (NHS). The NHS acts as a mapping agent and stores all mapping information registered by the NHCs. The NHS can reply to queries made by the NHCs. NHCs send a query to the NHS if they need to communicate with another NHC.

  • NHS – Server
  • NHC – Client

NHRP’s behavior is similar to ARP in that it allows clients to dynamically register the mapping between their public IP address and their tunnel IP address. This allows the client to join the NBMA network without the server needing to be reconfigured.

Without address discovery, packets must traverse the hub to reach the spokes. This behavior can negatively impact the router’s CPU and bandwidth.

DMVPN Phase 1 items to remember:


  • mGRE is configured on the hub.
  • GRE is configured on the spokes.
  • Multicast or unicast traffic can only flow between the hub and the spokes, never from spoke to spoke.
  • Configuration can be static, or the spokes (clients) can dynamically register with the hub.
  • Direct spoke-spoke tunnels do NOT exist.

Reference image: INE

R1 – R5 IP configuration

Verify interface configuration

R5#show ip int br | ex unas
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0.45             155.1.45.5      YES NVRAM  up                    up      
Ethernet0/0.58             155.1.58.5      YES NVRAM  up                    up      
Ethernet0/0.100            169.1.100.5     YES manual up                    up      
Loopback0                  150.1.5.5       YES NVRAM  up                    up      

R1#show ip int br | ex unass
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0.13             155.1.13.1      YES NVRAM  up                    up      
Ethernet0/0.100            169.1.100.1     YES manual up                    up      
Ethernet0/0.146            155.1.146.1     YES NVRAM  up                    up      
Loopback0                  150.1.1.1       YES NVRAM  up                    up      
          
R2#show ip int br | ex unas
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0.23             155.1.23.2      YES NVRAM  up                    up      
Ethernet0/0.100            169.1.100.2     YES manual up                    up      

R3#show ip int br | ex unas
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0.13             155.1.13.3      YES NVRAM  up                    up      
Ethernet0/0.23             155.1.23.3      YES NVRAM  up                    up      
Ethernet0/0.37             155.1.37.3      YES NVRAM  up                    up      
Ethernet0/0.100            169.1.100.3     YES manual up                    up      
Loopback0                  150.1.3.3       YES NVRAM  up                    up      

R4#show ip int br | ex unas
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/1.45             155.1.45.4      YES NVRAM  up                    up      
Ethernet0/1.100            169.1.100.4     YES manual up                    up      
Ethernet0/1.146            155.1.146.4     YES NVRAM  up                    up      
Loopback0                  150.1.4.4       YES NVRAM  up                    up     

Verify connectivity on the 169.1.100.0/24 network

  • TCL script blog can be found here.
tclsh
foreach VAR {

169.1.100.1
169.1.100.2
169.1.100.3
169.1.100.4
169.1.100.5
} { puts [exec "ping $VAR"] }

tclquit

R5 (HUB) tunnel interface configuration.
interface Tunnel0
 ip address 150.1.100.5 255.255.255.0
 no ip redirects
 ip mtu 1476
 ip nhrp map 150.1.100.1 169.1.100.1
 ip nhrp map 150.1.100.2 169.1.100.2
 ip nhrp map 150.1.100.3 169.1.100.3
 ip nhrp map 150.1.100.4 169.1.100.4
 ip nhrp network-id 505
 ip tcp adjust-mss 1436
 tunnel source 169.1.100.5 
 tunnel mode gre multipoint
end

R1 (SPOKE) tunnel interface configuration.
!
interface Tunnel0
 ip address 150.1.100.1 255.255.255.0
 ip mtu 1476
 ip nhrp map 150.1.100.5 169.1.100.5
 ip nhrp network-id 101
 tunnel source 169.1.100.1
 tunnel destination 169.1.100.5
end

R2 (SPOKE) tunnel interface configuration.
interface Tunnel0
 ip address 150.1.100.2 255.255.255.0
 ip mtu 1476
 ip nhrp map 150.1.100.5 169.1.100.5
 ip nhrp network-id 202
 tunnel source 169.1.100.2
 tunnel destination 169.1.100.5
end
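
R4 (SPOKE) tunnel interface configuration. R3's tunnel follows the same pattern, using 150.1.100.3 as the tunnel address and 169.1.100.3 as the tunnel source.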
interface Tunnel0
 ip address 150.1.100.4 255.255.255.0
 ip mtu 1476
 ip nhrp map 150.1.100.5 169.1.100.5
 ip nhrp network-id 404
 tunnel source 169.1.100.4
 tunnel destination 169.1.100.5
end

Verification

R1 – R5 Tunnel interface state


R5#show ip int br | i Tunnel
Tunnel0                    150.1.100.5     YES manual up                    up      
R5#

R4#show ip int br | i Tunnel
Tunnel0                    150.1.100.4     YES manual up                    up      
R4#

R3#show ip int br | i Tunnel
Tunnel0                    150.1.100.3     YES manual up                    up   

R2#show ip int br | i Tunnel
Tunnel0                    150.1.100.2     YES manual up                    up      
R2#

R1#show ip int br | i Tunnel
Tunnel0                    150.1.100.1     YES manual up                    up
R1#

R1#show int tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 150.1.100.1/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 169.1.100.1, destination 169.1.100.5
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:17:57, output 00:17:57, output hang never
  Last clearing of "show interface" counters 01:06:05
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     138 packets input, 16460 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     164 packets output, 19008 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

NHRP & DMVPN Verification

R5 (HUB)
R5#show ip nhrp 
150.1.100.1/32 via 150.1.100.1
   Tunnel0 created 00:17:26, never expire 
   Type: static, Flags: used 
   NBMA address: 169.1.100.1 
150.1.100.2/32 via 150.1.100.2
   Tunnel0 created 00:17:26, never expire 
   Type: static, Flags: used 
   NBMA address: 169.1.100.2 
150.1.100.3/32 via 150.1.100.3
   Tunnel0 created 00:17:26, never expire 
   Type: static, Flags: used 
   NBMA address: 169.1.100.3 
150.1.100.4/32 via 150.1.100.4
   Tunnel0 created 00:17:26, never expire 
   Type: static, Flags: 
   NBMA address: 169.1.100.4 
R5#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:4, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 169.1.100.1         150.1.100.1  NHRP    never    SC
     1 169.1.100.2         150.1.100.2  NHRP    never    SC
     1 169.1.100.3         150.1.100.3  NHRP    never    SC
     1 169.1.100.4         150.1.100.4  NHRP    never    SC

R1 (SPOKE)

R1#show ip nhrp 
150.1.100.5/32 via 150.1.100.5
   Tunnel0 created 00:17:01, never expire 
   Type: static, Flags: 
   NBMA address: 169.1.100.5 
R1#show dmv
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 169.1.100.5         150.1.100.5  NHRP    never    SC

R2, R3, and R4’s NHRP/DMVPN tables are identical. Each spoke MUST traverse the hub to communicate with another spoke.
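
With static mappings only, the hub's NHRP cache should hold exactly the entries configured with `ip nhrp map`, so any dynamic entry or changed NBMA address is worth investigating. The Python below is an added example, not part of the original notes: it compares the two, and its function names and both sample inputs are constructed for illustration.

```python
import re

IP = r"\d+\.\d+\.\d+\.\d+"
# Constructed sample: static maps in the style of the R5 hub configuration.
HUB_CONFIG = """\
 ip nhrp map 150.1.100.1 169.1.100.1
 ip nhrp map 150.1.100.2 169.1.100.2
 ip nhrp map 150.1.100.3 169.1.100.3
"""
# Constructed "show ip nhrp" text: one clean entry, one changed NBMA address,
# one dynamic entry that was never configured; 150.1.100.3 is absent.
NHRP_OUTPUT = """\
150.1.100.1/32 via 150.1.100.1
   Tunnel0 created 00:17:26, never expire
   Type: static, Flags: used
   NBMA address: 169.1.100.1
150.1.100.2/32 via 150.1.100.2
   Tunnel0 created 00:17:26, never expire
   Type: static, Flags: used
   NBMA address: 169.1.100.22
150.1.100.9/32 via 150.1.100.9
   Tunnel0 created 00:00:41, expire 01:59:18
   Type: dynamic, Flags: registered
   NBMA address: 169.1.100.9
"""

def configured_maps(config):
    """Return {tunnel_ip: nbma_ip} from 'ip nhrp map <tunnel> <nbma>' lines."""
    return dict(re.findall(rf"^\s*ip nhrp map ({IP}) ({IP})\s*$", config, re.M))

def nhrp_cache(output):
    """Parse 'show ip nhrp' text into {tunnel_ip: {'Type': ..., 'NBMA address': ...}}."""
    cache, entry = {}, None
    for line in output.splitlines():
        if m := re.match(rf"({IP})/\d+ via ", line):
            entry = cache.setdefault(m.group(1), {})
        elif entry is not None and (m := re.search(r"(Type|NBMA address): ([\w.]+)", line)):
            entry[m.group(1)] = m.group(2)
    return cache

def audit(config, output):
    """List every place the live cache departs from the configured static maps."""
    want, have = configured_maps(config), nhrp_cache(output)
    findings = [f"{t}: configured map missing from cache" for t in want if t not in have]
    for t, e in have.items():
        kind, nbma = e.get("Type"), e.get("NBMA address")
        if t not in want:
            findings.append(f"{t}: unexpected {kind} entry, NBMA {nbma}")
        elif (kind, nbma) != ("static", want[t]):
            findings.append(f"{t}: {kind} entry at NBMA {nbma}, configured static {want[t]}")
    return sorted(findings)
```

An empty list from `audit(HUB_CONFIG, NHRP_OUTPUT)` means the cache matches the configured maps.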

R1’s ping results to the Hub and Spokes

R1’s traceroute results to the Spokes

R2’s traceroute results to the Spokes

R3’s traceroute results to the Spokes

R4’s traceroute results to the Spokes

All traffic traversed R5 to get to the respective router.

Wireshark Capture
