BRKSEC-4052
Advanced Concepts of Dynamic Multipoint VPN (DMVPN)
Transcript (slide text)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
- DMVPN Overview
- NHRP Details
- Use Case: iBGP over DMVPN
- Recent and New Features

DMVPN Overview
What is Dynamic Multipoint VPN?
- DMVPN is a Cisco IOS software solution for building IPsec+GRE VPNs in an easy, dynamic and scalable manner
- Relies on two proven technologies
  - Next Hop Resolution Protocol (NHRP)
    - Creates a distributed mapping database of VPN (tunnel interface) to real (public interface) addresses
  - Multipoint GRE tunnel interface
    - Single GRE interface to support multiple GRE/IPsec tunnels and endpoints
    - Simplifies size and complexity of configuration
    - Supports dynamic tunnel creation
DMVPN: Major Features
- Configuration reduction and no-touch deployment
- Supports:
  - Passenger protocols: IP(v4/v6) unicast, multicast and dynamic routing protocols
  - Transport protocols (NBMA): IPv4 and IPv6 (new)
  - Remote peers with dynamically assigned transport addresses
  - Spoke routers behind dynamic NAT; hub routers behind static NAT
  - Dynamic spoke-spoke tunnels for partial/full mesh scaling
- Can be used without IPsec encryption
- Works with MPLS; GRE tunnels and/or data packets in VRFs, and MPLS switching over the tunnels
- Wide variety of network designs and options
DMVPN: How it works
- Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub).
- When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries via NHRP for the real (outside) address of the destination spoke.
- Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer address).
- The dynamic spoke-to-spoke tunnel is built over the mGRE interface.
- When traffic ceases, the spoke-to-spoke tunnel is removed.
DMVPN: Example
[Figure: example topology. Hub: Physical 172.17.0.1 (static, known IP address), Tunnel0 10.0.0.1, LAN 192.168.0.0/24 (.1). Spoke A: Physical dynamic (unknown IP address), Tunnel0 10.0.0.11, LAN 192.168.1.0/24 (.1). Spoke B: Physical dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.0/24 (.1). Static spoke-to-hub tunnels; dynamic spoke-to-spoke tunnels. LANs can have private addressing.]
NHRP Main Functionality
- NHRP Registrations
  - Spoke (NHC) dynamically registers its VPN to NBMA address mapping with hub (NHS)
  - Static NHRP mappings on spokes for hub (NHS): needed to "start the game"
  - Builds hub-and-spoke control plane network
- NHRP Resolutions
  - Dynamically resolve spoke to spoke VPN to NBMA mapping to build spoke-spoke tunnels
  - Single instead of multiple tunnel hops across NBMA network
  - NHRP Resolution requests/replies sent via hub-and-spoke control plane path
DMVPN and IPsec
- IPsec integrated with DMVPN, but not required
- Packets encapsulated in GRE, then encrypted with IPsec
- NHRP controls the tunnels, IPsec does encryption
- Bringing up a tunnel
  - NHRP signals IPsec to set up encryption
  - ISAKMP authenticates peer, generates SAs
  - IPsec responds to NHRP and the tunnel is activated
  - All NHRP and data traffic is encrypted
- Bringing down a tunnel
  - NHRP signals IPsec to tear down tunnel
  - IPsec can signal NHRP if encryption is cleared or lost
  - ISAKMP keepalives monitor state of spoke-spoke tunnels
Routing
- Spokes are only routing neighbors with hubs, not with other spokes
  - Spokes advertise local network to hubs
- Hubs are routing neighbors with spokes
  - Collect spoke network routes from spokes
  - Advertise spoke and local networks to all spokes
  - All Phases:
    - Turn off split-horizon (EIGRP, RIP)
    - Single area and no summarization when using OSPF
  - Phase 1 & 3:
    - Hubs cannot preserve original IP next-hop; can summarize
    - EIGRP, iBGP (next-hop-self); RIP, ODR, eBGP (default)
    - OSPF (network point-multipoint); number of hubs not limited
  - Phase 2:
    - Hubs must preserve original IP next-hop; cannot summarize
    - EIGRP, eBGP (no ip next-hop-self); iBGP (default)
    - OSPF (network broadcast); only 2 hubs
- Hubs are routing neighbors with other hubs
  - Phase 1 & 3: can use a different routing protocol than the hub-spoke tunnels
  - Phase 2: must use the same routing protocol as the hub-spoke tunnels
Redundancy
- Active-active redundancy model: two or more hubs per spoke
  - All configured hubs are active and are routing neighbors with spoke
  - Routing protocol routes are used to determine traffic forwarding
    - Single route: one tunnel (hub) at a time (primary/backup mode)
    - Multiple routes: both tunnels (hubs) (load-balancing mode)
- ISAKMP/IPsec
  - Cannot use IPsec stateful failover (NHRP isn't supported)
  - ISAKMP invalid SPI recovery is not useful with DMVPN
  - ISAKMP keepalives on spokes for timely hub recovery: crypto isakmp keepalives initial retry
- Can use single or multiple DMVPNs for redundancy
  - Each mGRE interface is a separate DMVPN network using a different tunnel key, NHRP network-id and IP subnet
  - Can "glue" mGRE interfaces into the same DMVPN network (*): same tunnel source, NHRP network-id and authentication; no tunnel key and different IP subnet (Phase 3 only)
  - If using the same tunnel source (must use tunnel key): tunnel protection ipsec profile name shared
Redundancy (cont)
- Spokes: at least two hubs (NHSs)
  - Phase 1 (hub-and-spoke): p-pGRE interfaces, two DMVPN networks, one hub on each
  - Phase 1, 2 or 3 (hub-and-spoke or dynamic mesh): mGRE interface, one DMVPN network, two hubs
- Hubs: interconnect and routing
  - Phase 1 (hub and spoke only):
    - Interconnect hubs directly over physical link, p-pGRE or mGRE
    - Hubs can exchange routing through any of these paths
  - Phase 2 (dynamic mesh):
    - Interconnect hubs over same mGRE, daisy-chain as NHSs
    - Hubs must exchange routing over DMVPN network
  - Phase 3 (dynamic mesh):
    - Interconnect hubs over same or different mGRE (same DMVPN)
    - Hubs must exchange routing over DMVPN network
Network Designs
- Hub-and-spoke: Order(n)
  - Spoke-to-spoke traffic via hub
  - Phase 1: hub bandwidth and CPU limit VPN
  - SLB: many "identical" hubs increase CPU limit
- Spoke-to-spoke: Order(n) ≪ Order(n²)
  - Control traffic: hub and spoke; hub to hub
    - Phase 2: single
    - Phase 3: hierarchical
  - Unicast data traffic: dynamic mesh
    - Spoke routers support spoke-hub and spoke-spoke tunnels currently in use
    - Hub supports spoke-hub traffic and overflow from spoke-spoke traffic
- Network virtualization
  - VRF-lite: multiple DMVPNs
  - MPLS over DMVPN (2547oDMVPN): single DMVPN
Network Designs
[Figure: design diagrams for Hub and spoke (Phase 1), Spoke-to-spoke (Phase 2), Server Load Balancing, Hierarchical (Phase 3), VRF-lite and 2547oDMVPN. Legend: spoke-to-hub tunnels, spoke-to-spoke tunnels, 2547oDMVPN tunnels.]
Hub-and-Spoke Functionality
- GRE, NHRP and IPsec configuration
  - p-pGRE or mGRE on spokes; mGRE on hubs
  - ISAKMP authentication: certificate, (pairwise/wildcard) pre-shared key
- NHRP Registration
  - Static NHRP mapping for hub on spoke
  - Dynamically learn NHRP mapping for spoke on hub
  - Dynamically addressed spokes (DHCP, NAT, ...)
  - NAT detection support
Dynamic Mesh (Spoke-Spoke Tunnels) Functionality
- mGRE/NHRP+IPsec configuration on both hub and spokes
  - ISAKMP authentication information: certificates, wildcard pre-shared keys
- Spoke-spoke data traffic direct
  - Reduced load on hub
  - Reduced latency
  - Single IPsec encrypt/decrypt
- NAT support
- NHRP Resolutions (Phase 2)
- NHRP Redirect and Resolutions (Phase 3)
  - Double forwarding lookup
  - Modify routing table (ASR: now; ISR: 15.2(1)T)
Dynamic Mesh (Spoke-Spoke Tunnels) Considerations
- Resiliency
  - No monitoring of spoke-spoke tunnel (use ISAKMP keepalives): crypto isakmp keepalives initial retry
- Path selection
  - NHRP will always build spoke-spoke tunnel
  - No latency or performance measurement of spoke-spoke vs spoke-hub-spoke paths
- Overloading spoke routers: CPU or memory
  - IKE Call Admission Control (CAC)
    - crypto call admission limit ike {sa | in-negotiation} max-SAs
    - call admission limit percent
    - show crypto call admission statistics
- Bandwidth: design for expected traffic
  - Hub-spoke versus spoke-spoke
  - Spoke-spoke availability is best effort
Network Virtualization: Separate DMVPNs (VRF-lite)
- Separate DMVPN mGRE tunnel per VRF
- Hub routers handle all DMVPNs
  - Multiple hub routers for redundancy and load
- IGP used as routing protocol outside of and over DMVPNs on spokes and hubs
  - Address family per VRF
  - Routing neighbor per spoke per VRF
- BGP used only on the hub
  - Redistribute between IGP and BGP for import/export of routes between VRFs
  - "Internet" VRF for Internet access and routing between VRFs
- Global routing table for routing DMVPN tunnel packets
Network Virtualization: MPLS over DMVPN (2547oDMVPN)
- Single DMVPN (hub-and-spoke only): MPLS VPN over DMVPN
  - Single mGRE tunnel on all routers
- MPLS configuration
  - Hub and spoke routers are MPLS PEs
  - Multiple hub routers for redundancy and load
- IGP is used for routing outside of DMVPN network
- BGP used as routing protocol over DMVPN
  - Redistribute between IGP and BGP for transport over DMVPN
  - Import/export of routes between VRFs and Internet VRF
  - "Internet" VRF for Internet access and routing between VRFs
  - Routing neighbor per spoke
- Global routing table for routing DMVPN tunnel packets
NHRP Details

Agenda
- DMVPN Overview
- NHRP Details
  - NHRP Overview
  - NHRP Registrations
  - NHRP Resolutions/Redirects
    - Phase 2
    - Phase 3
- Use Case: iBGP over DMVPN
- Recent and New Features
NHRP Message Types
- Registration: build base hub-and-spoke network for control traffic (single layer in Phase 1&2, hierarchical in Phase 3); also used for data traffic
- Resolution: get mapping to build dynamic spoke-spoke tunnels
- Traffic Indication (Redirect), Phase 3: trigger resolution requests at previous GRE tunnel hop
- Purge: clear out stale dynamic NHRP mappings
- Error: signal error conditions
NHRP Message Extension Types
- Responder Address Extension: address mapping for responding node (reply messages)
- Forward Transit NHS Record Extension: list of NHSs that the NHRP request message traversed; copied to reply message
- Reverse Transit NHS Record Extension: list of NHSs that the NHRP reply message traversed
- Authentication Extension: NHRP authentication
- NAT Address Extension (12.4(6)T):
  - Address mapping for peer (Registration message)
  - Address mapping for self (Resolution request/reply)
NHRP Mapping Entries
- Static: both host (/32) and network (/<x>) mappings
- Dynamic
  - Registered (/32)
    - From NHRP Registration
    - NAT: record both inside and outside NAT address
  - Learned (/32 or /<x>)
    - From NHRP Resolution
    - NAT: record both inside and outside NAT address
  - Incomplete (/32) (also see Temporary)
    - Rate-limit sending of NHRP Resolution Requests
    - Process-switching of data packets while building spoke-spoke tunnels
  - Local (/32 or /<x>)
    - Mapping for local network sent in an NHRP Resolution Reply
    - Record which nodes were sent this mapping
  - Temporary (/32) (12.4(22)T, Phase 2 only)
    - Same as "Incomplete" mapping except that NBMA is set to hub
    - CEF-switching of data packets while building spoke-spoke tunnels
  - (no socket)
    - Not used to forward data packets
    - Does not trigger IPsec encryption
NHRP Mapping Entries (examples)

Spoke to hub (static):
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:20:10, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.9

Registered:
10.0.0.19/32 via 10.0.0.19, Tunnel0 created 01:20:08, expire 00:05:51
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.16.3.1

Registered, spoke behind NAT:
10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:16:09, expire 00:05:50
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.18.0.2 (Claimed NBMA address: 172.16.2.1)

Implicit (from source information in an NHRP packet), spoke behind NAT:
10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:09:04, expire 00:00:22
  Type: dynamic, Flags: router implicit
  NBMA address: 172.18.0.2 (Claimed NBMA address: 172.16.2.1)

Resolution (learned):
192.168.23.0/24 via 10.0.0.19, Tunnel0 created 00:00:11, expire 00:05:48
  Type: dynamic, Flags: router used
  NBMA address: 172.16.3.1

Incomplete:
10.0.0.45/32, Tunnel0 created 00:00:21, expire 00:02:43
  Type: incomplete, Flags: negative
  Cache hits: 2

Temporary:
10.0.0.17/32 via 10.0.2.17, Tunnel0 created 00:00:09, expire 00:02:55
  Type: dynamic, Flags: used temporary
  NBMA address: 172.17.0.9

Local, (no-socket):
192.168.15.0/24 via 10.0.0.11, Tunnel0 created 00:05:39, expire 00:05:50
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.1.1 (no-socket)
NHRP Mapping Flags
- unique: mapping entry is unique, don't allow overwrite with new NBMA
- registered: mapping entry from an NHRP registration
- authoritative: mapping entry can be used to answer NHRP resolution requests
- used: mapping entry was used in last 60 seconds to forward data traffic
- router: mapping entry for remote router
- implicit: mapping entry from source information in NHRP packet
- local: mapping entry for a local network; record remote requester
- nat (added 12.4(6)T, removed 12.4(15)T): remote peer supports the NHRP NAT extension
- rib (12.2(33)XNE, ASR1k): routing table entry created
- nho (12.2(33)XNE, ASR1k): next-hop-override routing table entry created
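The mapping-entry layout and flag vocabulary above are what an operator reads off `show ip nhrp detail`. As an added example (not code from the Cisco deck), the parser below turns that text layout into records and runs the checks a practitioner actually wants from the table: which registered peers sit behind NAT (claimed NBMA differs from the NBMA seen on the wire), which dynamic entries are inside the 120-second refresh window the later slides describe, and which entries CEF can forward on (real NBMA, not incomplete, not a no-socket local copy). The sample text is constructed from the entries shown on the slides, not captured from a live router; class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout of 'show ip nhrp detail' entries, taken from
# the slide examples (not a live capture). The parser also accepts the claimed
# NBMA / no-socket markers on their own indented line, as IOS prints them.
SAMPLE_SHOW_IP_NHRP = """\
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:20:10, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.9
10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:16:09, expire 00:05:50
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.18.0.2 (Claimed NBMA address: 172.16.2.1)
10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:09:04, expire 00:00:22
  Type: dynamic, Flags: router implicit
  NBMA address: 172.18.0.2
    (Claimed NBMA address: 172.16.2.1)
10.0.0.45/32, Tunnel0 created 00:00:21, expire 00:02:43
  Type: incomplete, Flags: negative
  Cache hits: 2
192.168.15.0/24 via 10.0.0.11, Tunnel0 created 00:05:39, expire 00:05:50
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.1.1 (no-socket)
"""

HEADER_RE = re.compile(
    r"^(?P<prefix>[0-9a-fA-F:.]+/\d+)(?: via (?P<via>\S+))?, (?P<iface>\S+) "
    r"created (?P<created>\S+), (?:expire (?P<expire>\S+)|never expire)$"
)
TYPE_RE = re.compile(r"^Type: (?P<type>\w+), Flags:(?P<flags>.*)$")
NBMA_RE = re.compile(r"^NBMA address: (?P<nbma>\S+?)(?=\s*\(|$)")
CLAIMED_RE = re.compile(r"\(Claimed NBMA address: (?P<claimed>\S+)\)")
HITS_RE = re.compile(r"^Cache hits: (?P<hits>\d+)$")


def hms_to_seconds(text: str) -> int:
    """'00:05:50' -> 350."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class NhrpEntry:
    prefix: str
    via: Optional[str]
    iface: str
    created: str
    expire: Optional[int]                 # seconds left; None for 'never expire'
    type: str = ""
    flags: set = field(default_factory=set)
    nbma: Optional[str] = None
    claimed_nbma: Optional[str] = None    # inside address a NATed peer put in the NAT extension
    no_socket: bool = False
    cache_hits: int = 0


def parse_show_ip_nhrp(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            exp = m.group("expire")
            entries.append(NhrpEntry(
                prefix=m.group("prefix"), via=m.group("via"), iface=m.group("iface"),
                created=m.group("created"), expire=hms_to_seconds(exp) if exp else None))
            continue
        if not entries:
            raise ValueError(f"detail line before any entry header: {line!r}")
        cur = entries[-1]
        if (m := TYPE_RE.match(line)):
            cur.type = m.group("type")
            cur.flags = set(m.group("flags").split())
        elif (m := NBMA_RE.match(line)):
            cur.nbma = m.group("nbma")
        elif (m := HITS_RE.match(line)):
            cur.cache_hits = int(m.group("hits"))
        # the NAT and no-socket markers may follow the NBMA on the same line or stand alone
        if (m := CLAIMED_RE.search(line)):
            cur.claimed_nbma = m.group("claimed")
        if "(no-socket)" in line:
            cur.no_socket = True
    return entries


def peers_behind_nat(entries: list) -> list:
    """Entries whose claimed (inside) NBMA differs from the NBMA seen on the wire."""
    return [e for e in entries if e.claimed_nbma and e.claimed_nbma != e.nbma]


def expiring_within(entries: list, seconds: int = 120) -> list:
    """Dynamic entries closer to expiry than the refresh window (120 s on the slides)."""
    return [e for e in entries
            if e.type == "dynamic" and e.expire is not None and e.expire < seconds]


def forwarding_entries(entries: list) -> list:
    """Entries a data packet can actually be forwarded on."""
    return [e for e in entries if e.nbma and e.type != "incomplete" and not e.no_socket]
```

Feed it the output of `show ip nhrp detail` from one router; the two checks that matter operationally are `peers_behind_nat` (a spoke whose outside address changed is a candidate for failing spoke-spoke tunnels) and `forwarding_entries` (anything missing here is still riding the hub).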
NHRP Purge Messages
- Used to clear invalid NHRP mapping information from the network
- NHRP "local" mapping entries
  - Created when sending an NHRP resolution reply
  - Copy of mapping information sent in reply
  - Entry tied to corresponding entry in routing table
  - Keeps list of nodes where resolution reply was sent
  - To see, use 'show ip nhrp detail'
- If routing table changes so that local mapping entry is no longer valid
  - Purge message is sent to each NHRP node in list
  - NHRP nodes clear that mapping from their table
  - Purge messages forwarded over direct tunnel if available, otherwise sent via routed path
NHRP Registration
- Builds base hub-and-spoke network
  - Hub-and-spoke data traffic
  - Control traffic: NHRP, routing protocol, IP multicast
  - Phase 2: single-level hub-and-spoke
  - Phase 3: hierarchical hub-and-spoke (tree)
- Next Hop Client (NHC) has static mapping for Next Hop Servers (NHSs)
- NHC dynamically registers own mapping with NHS
  - Supports spokes with dynamic NBMA addresses or NAT
  - Supplies outside NAT address of hub
  - NHRP-group for per-tunnel QoS (12.4(22)T)
- NHS registration reply gives liveliness of NHS
  - Supplies outside NAT address of spoke
NHRP Registration: Building Spoke-Hub Tunnels
[Figure: message sequence between Spoke1, Hub and Spoke2 (Host1 behind Spoke1, Host2 behind Spoke2). For each spoke: IKE Initialization, IKE/IPsec Established, then NHRP Registration Request and NHRP Registration Reply, both encrypted.]
NHRP Registration: Building Spoke-Hub Tunnels (state after registration)
[Figure: Hub (Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24), Spoke A (Physical dynamic, Tunnel0 10.0.0.11, LAN 192.168.1.1/24), Spoke B (Physical dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.1/24); dynamic permanent IPsec tunnels from each spoke to the hub.]

Hub NHRP mapping:      10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
Hub routing table:     192.168.0.0/24 Conn.
Spoke A NHRP mapping:  10.0.0.1 -> 172.17.0.1
Spoke A routing table: 192.168.1.0/24 Conn.
Spoke B NHRP mapping:  10.0.0.1 -> 172.17.0.1
Spoke B routing table: 192.168.2.0/24 Conn.
NHRP Registration Request
- Spoke to hub
- Sent every 1/3 of 'ip nhrp holdtime', or every 'ip nhrp registration timeout'
- If no reply, retransmit after 1, 2, 4, 8, 16, 32, 64, 64, ... sec.; mark hub down after 3rd retransmit
- Contains spoke's VPN to NBMA mapping
- Extension headers: Responder Address, Forward and Reverse Transit NHS, Authentication, NAT

NHRP: Send Registration Request via Tunnel0 vrf 0, src: 10.0.0.11, dst: 10.0.0.1
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "unique nat", src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.1
(C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
Responder Address Extension(3):
Forward Transit NHS Record Extension(4):
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT Address Extension(9): (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
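The registration timing above (periodic send at a third of the holdtime, back-off of 1, 2, 4, ... 64 seconds, NHS declared down after the third retransmit) is what decides how quickly a spoke notices a dead hub. As an added example (not Cisco code), the model below drives that timer logic from the client side so the schedule can be checked against the slide: class names, event tuples and the `tick`/`reply_received` interface are assumptions of the model, not IOS internals.

```python
from dataclasses import dataclass, field
from typing import Optional

# Model of NHC-side NHRP registration timing as described on the slide.
# Names and events are modelling assumptions, not IOS data structures.
BACKOFF = [1, 2, 4, 8, 16, 32, 64]     # seconds before retransmit n; stays at 64 afterwards
RETRANSMITS_BEFORE_DOWN = 3


def registration_interval(holdtime: int, registration_timeout: Optional[int] = None) -> int:
    """Seconds between periodic registrations: the explicit timeout if set, else holdtime/3."""
    return registration_timeout if registration_timeout else holdtime // 3


def backoff_delay(retransmit_number: int) -> int:
    """Delay (s) before the n-th retransmit, n >= 1: 1, 2, 4, ..., 64, 64, ..."""
    return BACKOFF[min(retransmit_number, len(BACKOFF)) - 1]


def retransmit_schedule(count: int) -> list:
    """Offsets (s) of the first `count` retransmits after an unanswered request."""
    out, t = [], 0
    for n in range(1, count + 1):
        t += backoff_delay(n)
        out.append(t)
    return out


@dataclass
class NhsState:
    nbma: str
    up: bool = True
    retransmits: int = 0
    awaiting_reply: bool = False
    next_send_at: int = 0


@dataclass
class Nhc:
    holdtime: int = 360
    registration_timeout: Optional[int] = None
    servers: dict = field(default_factory=dict)    # NHS tunnel address -> NhsState

    def add_nhs(self, tunnel_ip: str, nbma: str) -> None:
        self.servers[tunnel_ip] = NhsState(nbma)

    def tick(self, now: int) -> list:
        """Advance to time `now`; return the events raised: ('send', nhs, reason) / ('nhs-down', nhs)."""
        events = []
        for ip, nhs in self.servers.items():
            if now < nhs.next_send_at:
                continue
            if nhs.awaiting_reply:                 # deadline passed with no reply
                nhs.retransmits += 1
                reason = f"retransmit-{nhs.retransmits}"
            else:
                reason = "periodic"
            events.append(("send", ip, reason))
            if nhs.retransmits == RETRANSMITS_BEFORE_DOWN and nhs.up:
                nhs.up = False
                events.append(("nhs-down", ip))
            nhs.awaiting_reply = True
            nhs.next_send_at = now + backoff_delay(nhs.retransmits + 1)
        return events

    def reply_received(self, tunnel_ip: str, now: int) -> str:
        """A registration reply proves NHS liveness: reset back-off, schedule the next periodic send."""
        nhs = self.servers[tunnel_ip]
        was_down = not nhs.up
        nhs.up, nhs.retransmits, nhs.awaiting_reply = True, 0, False
        nhs.next_send_at = now + registration_interval(self.holdtime, self.registration_timeout)
        return "nhs-up" if was_down else "ok"
```

With the slide's holdtime of 360 s the periodic interval is 120 s, and a hub that stops answering is marked down 7 s after the first unanswered request (1 + 2 + 4); later retransmits keep going at the 64 s cap so the hub is rediscovered when it returns.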
NHRP Registration Reply
- Hub to spoke
- Liveliness of hub
- Contains
  - Spoke's VPN to NBMA mapping
  - Hub's VPN to NBMA mapping as responder
- Extension headers: Responder Address, Forward and Reverse Transit NHS, Authentication, NAT

NHRP: Send Registration Reply via Tunnel0 vrf 0, src: 10.0.0.1, dst: 10.0.0.11
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "unique nat", src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.1
(C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
Responder Address Extension(3):
(C) prefix: 0, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
Forward Transit NHS Record Extension(4):
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT Address Extension(9): (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
NHRP Mapping Tables After Registration

Hub:
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:11:03, expire 00:04:52
Type: dynamic, Flags: unique registered
NBMA address: 172.16.1.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 01:03:31, expire 00:05:46
Type: dynamic, Flags: unique registered
NBMA address: 172.16.2.1
. . .

Spoke A:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:03:37, never expire
Type: static, Flags: used
NBMA address: 172.17.0.1

Spoke B:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:02:21, never expire
Type: static, Flags: used
NBMA address: 172.17.0.1
NHRP Registration (cont): Routing Adjacency
[Figure: message sequence between Spoke1, Hub and Spoke2 (Host1, Host2). For each spoke: IKE Initialization, IKE/IPsec Established, NHRP Registration Request and Reply (encrypted), then a Routing Adjacency with the hub and Routing Updates exchanged in both directions.]
NHRP Registration (cont): Routing Adjacency (state after routing updates)
[Figure: same topology (Hub Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24; Spoke A Tunnel0 10.0.0.11, LAN 192.168.1.1/24; Spoke B Tunnel0 10.0.0.12, LAN 192.168.2.1/24) with dynamic permanent IPsec tunnels; the hub's routing packets carry a 192.168.0.0/16 summary.]

Hub NHRP mapping:      10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
Hub routing table:     192.168.0.0/24 Conn.; 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12
Spoke A NHRP mapping:  10.0.0.1 -> 172.17.0.1
Spoke A routing table: 192.168.1.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
Spoke B NHRP mapping:  10.0.0.1 -> 172.17.0.1
Spoke B routing table: 192.168.2.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
Hub-and-Spoke Data Packet Forwarding
- Process-switching
  - Routing table selects outgoing interface and IP next-hop
  - NHRP looks up packet IP destination to select IP next-hop, overriding the IP next-hop from the routing table
    - Could attempt to trigger a spoke-spoke tunnel
      - 'tunnel destination ...': can only send to hub
      - 'ip nhrp server-only': don't send NHRP resolution request
    - If no matching NHRP mapping then send to NHS (hub)
- CEF switching
  - IP next-hop from FIB table (routing table)
  - IP next-hop is the hub; data packets are sent to the hub
  - Adjacency will be complete, so CEF switches the packet to the hub
  - NHRP not involved
Phase 2, Process Switching: Triggering NHRP Resolutions
- IP data packet is forwarded out tunnel interface to IP next-hop from routing table
- NHRP looks in mapping table for IP destination
  - If (socket) entry found
    - Forward to NBMA from mapping table, overriding IP next-hop
  - If (no socket) entry found
    - If arriving interface is not tunnel interface, convert entry to (socket)
      - Trigger IPsec to bring up crypto socket
    - Forward to IP next-hop (if in NHRP table), otherwise to NHS
  - If no entry found
    - Forward to IP next-hop (if in NHRP table), otherwise to NHS
    - If arriving interface was not tunnel interface
      - Initiate NHRP Resolution Request for IP destination
Phase 2, CEF Switching: Triggering NHRP Resolutions
- CEF FIB table has IP next-hop of tunnel IP address of remote spoke for network behind remote spoke
- Triggered by IP next-hop from FIB pointing to glean or incomplete adjacency entry (no valid adjacency entry)
- Send resolution request for IP next-hop (tunnel IP address) of remote spoke
- Resolution request forwarded via NHS path
Phase 2: NHRP Resolution Process Changes
- When: 12.4(6)T, 12.4(7), 12.2(33)XNE and later (not on 6500/7600 yet)
- Why: to support spoke-spoke tunnels when spokes are behind NAT
- How: registered NHRP mappings on hub are not marked authoritative
- Effect:
  - Resolution request will be forwarded via NHS path all the way to the remote spoke
  - Resolution request is answered by the remote spoke
  - Spoke-spoke tunnel is built
  - Resolution reply forwarded back via spoke-spoke tunnel
Phase 2: NHRP Resolution Request
[Figure: message sequence between Spoke1, Hubs and Spoke2 (Host1, Host2). The NHRP Resolution Request is forwarded Spoke1 -> Hub(s) -> Spoke2 along the NHS path; Spoke2 then begins IKE Initialization toward Spoke1.]
Phase 2: NHRP Resolution Request (tables while the request is in flight)
[Figure: a host at 192.168.1.1 behind Spoke A sends a data packet to 192.168.2.1 behind Spoke B; the data packet goes via the hub while the NHRP Resolution Request for 10.0.0.12 travels Spoke A -> Hub -> Spoke B. (*) marks static mappings.]

Hub (Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24)
  CEF FIB:        192.168.0.0/24 Conn.; 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12
  NHRP mapping:   10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
  CEF adjacency:  10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
Spoke A (Physical dynamic, Tunnel0 10.0.0.11, LAN 192.168.1.1/24)
  CEF FIB:        192.168.1.0/24 Conn.; 192.168.0.0/24 via 10.0.0.1; 192.168.2.0/24 via 10.0.0.12
  NHRP mapping:   10.0.0.1 -> 172.17.0.1 (*); 10.0.0.12 -> ??? (resolution pending)
  CEF adjacency:  10.0.0.1 -> 172.17.0.1; 10.0.0.12 incomplete
Spoke B (Physical dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.1/24)
  CEF FIB:        192.168.2.0/24 Conn.; 192.168.0.0/24 via 10.0.0.1; 192.168.1.0/24 via 10.0.0.11
  NHRP mapping:   10.0.0.1 -> 172.17.0.1 (*); 10.0.0.11 -> 172.16.1.1 (from the request's source information)
  CEF adjacency:  10.0.0.1 -> 172.17.0.1; 10.0.0.11 incomplete -> 172.16.1.1
Phase 2: NHRP Resolution Request Message

As sent (by Spoke A, hop 255, no transit NHS yet):
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84, src: 10.0.0.11, dst: 10.0.0.1
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "router auth src-stable nat ", reqid: 164
src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.12
(C-1) code: no error(0) prefix: 0, mtu: 1514, hd_time: 360
Responder Address Extension(3):
Forward Transit NHS Record Extension(4):
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT address Extension(9):

As received (at Spoke B, after the hub: hop 254, hub recorded as transit NHS):
NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104
(F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "router auth src-stable nat ", reqid: 164
src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.12
(C-1) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
Responder Address Extension(3):
Forward Transit NHS Record Extension(4): client NBMA: 172.17.0.1, client protocol: 10.0.0.1
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT address Extension(9):
Phase 2: NHRP Resolution Reply
[Figure: message sequence between Spoke1, Hubs and Spoke2 (Host1, Host2). The NHRP Resolution Request travels Spoke1 -> Hubs -> Spoke2; Spoke2 starts IKE Initialization with Spoke1, IKE/IPsec is established, and the NHRP Resolution Response is sent encrypted over the new spoke-spoke tunnel.]
Phase 2: NHRP Resolution Reply (tables after the reply)
[Figure: Spoke B answers the resolution request; the NHRP Resolution Reply goes directly Spoke B -> Spoke A over the new spoke-spoke tunnel, and data packets now follow the direct path. (*) static mapping; (l) local mapping.]

Hub (Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24)
  CEF FIB:        192.168.0.0/24 Conn.; 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12
  NHRP mapping:   10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
  CEF adjacency:  10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
Spoke A (Physical dynamic, Tunnel0 10.0.0.11, LAN 192.168.1.1/24)
  CEF FIB:        192.168.1.0/24 Conn.; 192.168.0.0/24 via 10.0.0.1; 192.168.2.0/24 via 10.0.0.12
  NHRP mapping:   10.0.0.1 -> 172.17.0.1 (*); 10.0.0.12 -> 172.16.2.1 (was ???)
  CEF adjacency:  10.0.0.1 -> 172.17.0.1; 10.0.0.12 -> 172.16.2.1 (was incomplete)
Spoke B (Physical dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.1/24)
  CEF FIB:        192.168.2.0/24 Conn.; 192.168.0.0/24 via 10.0.0.1; 192.168.1.0/24 via 10.0.0.11
  NHRP mapping:   10.0.0.1 -> 172.17.0.1 (*); 10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1 (l)
  CEF adjacency:  10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1 (was incomplete)
Phase 2: NHRP Resolution Reply Message
- Look up protocol destination in routing table: directly connected
- Create NHRP local mapping entry for protocol destination address with mask length 32 to NBMA address
- Create NHRP Resolution Reply with protocol destination, NBMA address and mask length 32
- Delay resolution reply so that it is sent via the direct spoke-spoke tunnel

NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 152, src: 10.0.0.12, dst: 10.0.0.11
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "router auth dst-stable unique src-stable nat ", reqid: 164
src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.12
(C-1) code: no error(0), prefix: 32, mtu: 1514, hd_time: 360,
client NBMA: 172.16.2.1, client protocol: 10.0.0.12
Responder Address Extension(3):
(C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
client NBMA: 172.16.2.1, client protocol: 10.0.0.12
Forward Transit NHS Record Extension(4): client NBMA: 172.17.0.1, client protocol: 10.0.0.1
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT address Extension(9):
Phase 2: NHRP Resolution Reply Processing
- Receive NHRP Resolution Reply
- If using IPsec (tunnel protection ...) then
  - Trigger IPsec to set up ISAKMP and IPsec SAs for the tunnel
  - Data packets still forwarded via spoke-hub-...-hub-spoke path
  - IPsec triggers back to NHRP when done
- Install new mapping in NHRP mapping table
- Send trigger to CEF to complete the corresponding CEF adjacency
- Data packets now forwarded via direct spoke-spoke tunnel by CEF; NHRP no longer involved
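The Phase 2 spoke logic is spread over several slides: the process-switching decision tree that decides when a data packet triggers a resolution request (socket entry, no-socket entry, no entry, arriving interface), the responder's creation of a local no-socket entry, and the reply processing in which traffic keeps riding the hub until IPsec reports the SAs up. As an added example (not Cisco code), the model below puts those rules in one place and walks the deck's Spoke A / Spoke B / hub addresses through them. The NHRP table is keyed by the routing next-hop (the remote spoke's tunnel address, which is what Phase 2 resolves); class names, the `Decision` record and the action strings are modelling assumptions, and the interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Model of the Phase 2 spoke-side rules from the slides. Names are modelling
# assumptions, not IOS internals; addresses in the test follow the deck's example.
TUNNEL = "Tunnel0"


@dataclass
class Mapping:
    nbma: str
    socket: bool = True     # False = '(no-socket)': never used to forward, no IPsec trigger


@dataclass
class Decision:
    via_nbma: str                                   # transport address the packet is sent to
    actions: list = field(default_factory=list)     # side effects raised by this packet


@dataclass
class Spoke:
    tunnel_ip: str
    nbma: str
    nhs: str                                        # hub tunnel address (static mapping)
    routes: dict                                    # prefix -> next-hop tunnel address
    nhrp: dict = field(default_factory=dict)        # tunnel address -> Mapping
    use_ipsec: bool = True
    ipsec_peers: set = field(default_factory=set)   # NBMA peers whose SAs are up
    incomplete: set = field(default_factory=set)    # next-hops with a resolution in flight
    pending_ipsec: dict = field(default_factory=dict)   # NBMA -> tunnel address awaiting SAs

    def route_lookup(self, dst: str) -> str:
        """Longest-prefix match of the data destination in the routing table."""
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[1]

    def forward(self, dst: str, arriving_iface: str) -> Decision:
        nh = self.route_lookup(dst)
        entry = self.nhrp.get(nh)
        d = Decision(via_nbma=self.nhrp[self.nhs].nbma)       # default: hub path
        if entry and entry.socket and (not self.use_ipsec or entry.nbma in self.ipsec_peers):
            d.via_nbma = entry.nbma                            # NHRP overrides the routing next-hop
        elif entry and not entry.socket and arriving_iface != TUNNEL:
            entry.socket = True                                # no-socket -> socket, bring up crypto
            d.actions.append(f"trigger-ipsec:{entry.nbma}")
        elif entry is None and arriving_iface != TUNNEL and nh not in self.incomplete:
            self.incomplete.add(nh)                            # incomplete entry rate-limits requests
            d.actions.append(f"resolution-request:{nh}")
        return d

    def answer_resolution(self, src_tunnel_ip: str, src_nbma: str, target: str):
        """Responder: record the requester, create the local (no-socket) copy, start IPsec, reply."""
        if target != self.tunnel_ip:
            raise ValueError("request is for another node")
        self.nhrp[src_tunnel_ip] = Mapping(src_nbma, socket=not self.use_ipsec)
        self.nhrp[self.tunnel_ip] = Mapping(self.nbma, socket=False)   # 'local' entry
        actions = []
        if self.use_ipsec and src_nbma not in self.ipsec_peers:
            self.pending_ipsec[src_nbma] = src_tunnel_ip
            actions.append(f"trigger-ipsec:{src_nbma}")
        return (self.tunnel_ip, self.nbma, 32), actions             # reply: address, NBMA, /32

    def resolution_reply(self, tunnel_ip: str, nbma: str) -> list:
        if self.use_ipsec and nbma not in self.ipsec_peers:
            self.pending_ipsec[nbma] = tunnel_ip                  # data keeps going via the hub
            return [f"trigger-ipsec:{nbma}"]
        self._install(tunnel_ip, nbma)
        return ["install"]

    def ipsec_established(self, peer_nbma: str) -> None:
        """IPsec reports the SAs up: install the mapping and complete the adjacency."""
        self.ipsec_peers.add(peer_nbma)
        tunnel_ip = self.pending_ipsec.pop(peer_nbma, None)
        if tunnel_ip:
            self._install(tunnel_ip, peer_nbma)

    def _install(self, tunnel_ip: str, nbma: str) -> None:
        self.nhrp[tunnel_ip] = Mapping(nbma, socket=True)
        self.incomplete.discard(tunnel_ip)
```

The point the model makes visible is the ordering: a second packet for the same destination does not send a second request (the incomplete entry absorbs it), a packet that arrived on the tunnel never triggers one, and the direct path is used only once IPsec has called back, never merely because a reply was received.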
Phase 2: NHRP Mapping Tables (after the spoke-spoke tunnel is up)

Hub1:
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 01:03:38, expire 00:04:18
Type: dynamic, Flags: unique registered
NBMA address: 172.16.1.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 01:02:15, expire 00:05:44
Type: dynamic, Flags: unique registered
NBMA address: 172.16.2.1

Spoke A:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:53:25, never expire
Type: static, Flags: used
NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:10, expire 00:05:50
Type: dynamic, Flags: router unique local
NBMA address: 172.16.1.1 (no-socket)
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:10, expire 00:05:49
Type: dynamic, Flags: router used
NBMA address: 172.16.2.1

Spoke B:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:56:12, never expire
Type: static, Flags: used
NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:11, expire 00:05:49
Type: dynamic, Flags: router used
NBMA address: 172.16.1.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:11, expire 00:05:48
Type: dynamic, Flags: router unique local
NBMA address: 172.16.2.1 (no-socket)
Phase 2: Dynamic Mappings, Refresh or Remove
- Dynamic NHRP mapping entries have a finite lifetime
  - Controlled by 'ip nhrp holdtime ...' on the source of the mapping (spoke)
  - Background process checks mapping entry every 60 seconds
- Process-switching
  - Used flag set each time mapping entry is used
  - If used flag is set and expire time < 120 seconds, then refresh entry; otherwise clear used flag
- CEF-switching
  - If expire time < 120 seconds, CEF adjacency entry is marked "stale"
  - If CEF adjacency entry is used, signal to NHRP to refresh entry
- Another resolution request is sent to refresh the entry
  - Resolution request via NHS path; reply via direct tunnel
- If entry expires it is removed
  - If using IPsec, trigger IPsec to remove IPsec/ISAKMP SAs
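The refresh-or-remove rules above decide whether a busy spoke-spoke tunnel stays up across the holdtime or gets torn down and rebuilt. As an added example (not Cisco code), the functions below run one pass of the 60-second background check over a mapping table in either switching mode, with the data-plane hook that sets the used flag (process switching) or signals a refresh when a stale adjacency is hit (CEF). The entry type and the `refresh_reply` call are modelling assumptions; the 60 s period and 120 s window are the slide's values.

```python
from dataclasses import dataclass

# Model of the Phase 2 dynamic-mapping aging rules on the slide. Entry fields and
# the result dictionary are modelling assumptions; the timer values are the slide's.
CHECK_INTERVAL = 60      # background process period (s)
REFRESH_WINDOW = 120     # refresh when less than this many seconds remain


@dataclass
class DynEntry:
    nbma: str
    expires_at: int
    used: bool = False          # process switching: set on every packet the entry forwards
    stale: bool = False         # CEF switching: adjacency marked stale close to expiry
    refresh_in_flight: bool = False


def packet_forwarded(entry: DynEntry, mode: str) -> bool:
    """Data-plane hook. Returns True when CEF must signal NHRP to refresh (stale adjacency used)."""
    if mode == "process":
        entry.used = True
        return False
    if entry.stale and not entry.refresh_in_flight:
        entry.refresh_in_flight = True
        return True
    return False


def background_check(table: dict, now: int, mode: str, use_ipsec: bool = True) -> dict:
    """One pass of the 60-second NHRP background process over the dynamic entries."""
    out = {"refresh": [], "removed": [], "stale": [], "ipsec_teardown": []}
    for key in list(table):
        e = table[key]
        remaining = e.expires_at - now
        if remaining <= 0:                              # expired: remove and tear down crypto
            del table[key]
            out["removed"].append(key)
            if use_ipsec:
                out["ipsec_teardown"].append(e.nbma)
            continue
        if mode == "process":
            if e.used and remaining < REFRESH_WINDOW:
                out["refresh"].append(key)              # resolution request via the NHS path
                e.refresh_in_flight = True
            else:
                e.used = False                          # flag is cleared, to be set again by traffic
        elif remaining < REFRESH_WINDOW and not e.stale:
            e.stale = True                              # CEF: wait for the adjacency to be hit
            out["stale"].append(key)
    return out


def refresh_reply(table: dict, key: str, now: int, holdtime: int) -> None:
    """Resolution reply (arriving over the direct tunnel) renews the entry for another holdtime."""
    e = table[key]
    e.expires_at = now + holdtime
    e.stale = False
    e.refresh_in_flight = False
```

Note the asymmetry between the two modes: in process switching an idle entry simply ages out, while in CEF switching the stale mark alone does nothing until a forwarded packet hits the adjacency, so a tunnel with no traffic in its last 120 seconds is removed in both cases.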
Phase 2, CEF Switching: Data Packet Forwarding
- IP data packet is forwarded out tunnel interface to IP next-hop from CEF FIB table
- If adjacency is of type Valid
  - Packet is encapsulated and forwarded by CEF out tunnel interface; NHRP is not involved
- If adjacency is of type Glean or Incomplete
  - Punt packet to process switching
  - If original arriving interface was not this tunnel interface
    - Initiate NHRP Resolution Request for IP next-hop
  - Resolution reply is used to create the NHRP mapping and to complete the adjacency
Phase 3 – Building Spoke-spoke Tunnels
Originating spoke: IP data packet is forwarded out the tunnel interface to the destination via the Hub (NHS)
Hub (NHS): receives and forwards the data packet on tunnel interfaces with the same NHRP network-id
  Sends an NHRP Redirect message to the originating spoke
Originating spoke: receives the NHRP Redirect message
  Sends an NHRP Resolution Request for the data IP packet destination via the NHS
Destination spoke: receives the NHRP Resolution Request
  Builds the spoke-spoke tunnel
  Sends the NHRP Resolution Reply over the spoke-spoke tunnel
Phase 3 – NHRP Redirects
(Figure: message sequence across Host1, Spoke1, Hubs, Spoke2 and Host2; the hub that forwards the spoke-to-spoke data packet sends an NHRP Redirect back to the originating spoke)
Phase 3 – NHRP Redirects
(Figure: Spoke A, Hub and Spoke B with their tables; the data packet from 192.168.1.0/24 to 192.168.2.1 travels via the hub, the hub returns an NHRP Redirect, and Spoke A then starts an NHRP Resolution. Arrow legend: Data packet, NHRP Redirect, NHRP Resolution.)
Hub: Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24
  CEF FIB: 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12; 192.168.0.0/24 Conn.
  NHRP mapping: 10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
  CEF adjacency: 172.16.1.1; 172.16.2.1
Spoke A: LAN 192.168.1.1/24, Physical (dynamic), Tunnel0 10.0.0.11
  CEF FIB: 192.168.1.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  NHRP mapping: 10.0.0.1 -> 172.17.0.1; 192.168.2.1 -> ??? (not yet resolved)
  CEF adjacency: 10.0.0.1 -> 172.17.0.1
Spoke B: LAN 192.168.2.1/24, Physical (dynamic), Tunnel0 10.0.0.12
  CEF FIB: 192.168.2.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  NHRP mapping: 10.0.0.1 -> 172.17.0.1
  CEF adjacency: 10.0.0.1 -> 172.17.0.1
Phase 3 – NHRP Redirect Message
NHRP: inserting (172.16.1.1/192.168.2.1) in redirect table
NHRP: Attempting to send packet via DEST 192.168.1.1
NHRP: Encapsulation succeeded. Tunnel IP addr 172.16.1.1
NHRP: Send Traffic Indication via Tunnel0 vrf 0, packet size: 96, src: 10.0.0.1, dst: 192.168.1.1
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) traffic code: redirect(0)
src NBMA: 172.17.0.1, src protocol: 10.0.0.1, dst protocol: 192.168.1.1
Contents of nhrp traffic indication packet:
45 00 00 64 00 19 00 00 FD 01 25 2D C0 A8 01 01 C0 A8 02 01 08 00 A8 E3 0B 78 0C
Forward Transit NHS Record Extension(4):
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT Address Extension(9):
Phase 3 – NHRP Redirect Processing
Sender: insert (GRE IP header source, packet destination IP address) in the NHRP redirect table; this table is used to rate-limit NHRP redirect messages
  Send the NHRP redirect to the GRE/IP header source
  Time out rate-limit entries from the NHRP redirect table
Receiver: check the data IP source address from the data IP header carried in the redirect
  If routing to the IP source is out:
  • A GRE tunnel interface with the same NHRP network-id, then drop the redirect
  • Another interface, and the IP destination is permitted by 'ip nhrp interest <ACL>' and 'ip nhrp shortcut' is configured, then trigger an NHRP resolution request to the IP destination
  • Otherwise drop the redirect
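The sender and receiver rules above, as an added example (not code from the deck or from Cisco IOS). The sender side keeps the redirect table keyed by (GRE source NBMA, data destination) and suppresses repeats until an entry times out; the receiver side resolves only when the data source is reached out a non-DMVPN interface, 'ip nhrp shortcut' is on, and the destination matches the 'ip nhrp interest' ACL. The timeout value, interface names, addresses and the list-of-prefixes model of the interest ACL are assumptions for the example:

```python
"""NHRP redirect sender/receiver model (added example, not from the deck or IOS).

Assumptions: the redirect rate-limit timeout (the slide gives no value), the
interface names and addresses, and 'ip nhrp interest <ACL>' modelled as a list
of permitted destination prefixes (None = permit any)."""
import ipaddress


class RedirectTable:
    """Sender side: (GRE IP source NBMA, data destination) -> insert time.
    While a pair is present no further redirect is sent for it."""

    def __init__(self, timeout=10):          # assumed value, not on the slide
        self.timeout = timeout
        self.entries = {}

    def should_send(self, gre_src_nbma, data_dst, now):
        # Time out rate-limit entries first
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t < self.timeout}
        key = (gre_src_nbma, data_dst)
        if key in self.entries:
            return False
        self.entries[key] = now
        return True


class Interface:
    def __init__(self, name, nhrp_network_id=None, shortcut=False, interest=None):
        self.name = name
        self.nhrp_network_id = nhrp_network_id   # set on mGRE tunnel interfaces only
        self.shortcut = shortcut                 # 'ip nhrp shortcut'
        # 'ip nhrp interest <ACL>' as permitted prefixes; None means any destination
        self.interest = [ipaddress.ip_network(p) for p in interest] if interest else None

    def interested(self, dst):
        if self.interest is None:
            return True
        return any(ipaddress.ip_address(dst) in n for n in self.interest)


class RedirectReceiver:
    def __init__(self, routes):
        # routes: (prefix, outgoing Interface); longest-prefix match on lookup
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def route_lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if a in net:
                return iface
        return None

    def process_redirect(self, in_tunnel, data_src, data_dst):
        """Action for a redirect received on in_tunnel carrying the data
        packet's IP header (data_src -> data_dst)."""
        out = self.route_lookup(data_src)
        if out is None:
            return "drop"
        if out.nhrp_network_id is not None and out.nhrp_network_id == in_tunnel.nhrp_network_id:
            # The source is itself reached over this DMVPN: we are not its shortcut endpoint
            return "drop"
        if in_tunnel.shortcut and in_tunnel.interested(data_dst):
            return f"resolve {data_dst}"
        return "drop"


if __name__ == "__main__":
    tun = Interface("Tunnel0", nhrp_network_id=100000, shortcut=True, interest=["192.168.0.0/16"])
    lan = Interface("Ethernet0/0")
    rx = RedirectReceiver([("192.168.1.0/24", lan), ("192.168.0.0/16", tun)])
    print(rx.process_redirect(tun, "192.168.1.5", "192.168.2.1"))   # resolve 192.168.2.1
    print(rx.process_redirect(tun, "192.168.3.5", "192.168.2.1"))   # drop (source via DMVPN)
```

The second call in the demo shows the transit case the slide singles out: a redirect whose data source is behind another spoke must be dropped, otherwise a spoke would resolve shortcuts on behalf of hosts it does not serve.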
Phase 3 – NHRP Resolution Request
(Figure: message sequence across Host1, Spoke1, Hubs, Spoke2 and Host2: the NHRP Redirect reaches Spoke1, the NHRP Resolution Request is forwarded via the hubs to Spoke2, and Spoke2 then starts IKE initialization towards Spoke1)
Phase 3 – NHRP Resolution Request
(Figure: same Spoke A, Hub and Spoke B tables as on the previous slide, now with the NHRP Resolution Request travelling Spoke A -> Hub -> Spoke B. Arrow legend: Data packet, NHRP Redirect, NHRP Resolution.)
Hub: Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24
  CEF FIB: 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12; 192.168.0.0/24 Conn.
  NHRP mapping: 10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
  CEF adjacency: 172.16.1.1; 172.16.2.1
Spoke A: LAN 192.168.1.1/24, Physical (dynamic), Tunnel0 10.0.0.11
  CEF FIB: 192.168.1.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  NHRP mapping: 10.0.0.1 -> 172.17.0.1; 192.168.2.1 -> ??? (resolution in progress)
  CEF adjacency: 10.0.0.1 -> 172.17.0.1
Spoke B: LAN 192.168.2.1/24, Physical (dynamic), Tunnel0 10.0.0.12
  CEF FIB: 192.168.2.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  NHRP mapping: 10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1 (learned from the request)
  CEF adjacency: 10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1
Phase 3 – NHRP Resolution Request Message
As Rcvd:
NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104
 (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 10599
     src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 192.168.2.1
 (C-1) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4): client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT address Extension(9):
As Sent:
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84, src: 10.0.0.11, dst: 192.168.2.1
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 10599
     src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 192.168.2.1
 (C-1) code: no error(0) prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT address Extension(9):
Phase 3 – NHRP Resolution Processing
Spoke (NHC) routing table has the Hub (NHS) as IP next-hop for networks behind the remote spoke
  Note: if the routing table has the IP next-hop of the remote spoke, then process as in Phase 2
Data packets are forwarded (CEF-switched) via the routed path
Redirect message is sent by the next tunnel hop on the routed path
Redirect for the data packet triggers a resolution request
  Send resolution request for the IP destination taken from the data packet header in the redirect message
Resolution requests are forwarded via the routed path
Resolution replies are forwarded over the direct tunnel
  Direct tunnel is initiated from the remote spoke (not the local spoke)
NHRP forwards data packets over the direct tunnel once the resolution reply is received
Phase 3 – NHRP Resolution Reply
(Figure: message sequence across Host1, Spoke1, Hubs, Spoke2 and Host2: after the NHRP Redirect and the NHRP Resolution Request via the hubs, IKE initialization runs between Spoke2 and Spoke1, IKE/IPsec is established, and the NHRP Resolution Reply is sent encrypted over the direct tunnel)
Phase 3 – NHRP Resolution Reply
(Figure: same Spoke A, Hub and Spoke B tables, now after the NHRP Resolution Reply has arrived at Spoke A over the direct tunnel. Arrow legend: Data packet, NHRP Redirect, NHRP Resolution.)
Hub: Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24
  CEF FIB: 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12; 192.168.0.0/24 Conn.
  NHRP mapping: 10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
  CEF adjacency: 172.16.1.1; 172.16.2.1
Spoke A: LAN 192.168.1.1/24, Physical (dynamic), Tunnel0 10.0.0.11
  CEF FIB: 192.168.1.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  NHRP mapping: 10.0.0.1 -> 172.17.0.1; 192.168.2.0/24 -> 172.16.2.1 (from the reply)
  CEF adjacency: 10.0.0.1 -> 172.17.0.1; 172.16.2.1 (direct spoke-spoke tunnel)
Spoke B: LAN 192.168.2.1/24, Physical (dynamic), Tunnel0 10.0.0.12
  CEF FIB: 192.168.2.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  NHRP mapping: 10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1
  CEF adjacency: 10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1
Phase 3 – NHRP Resolution Reply Message
Look up the protocol destination in the routing table for the matching network, subnet mask and IP next-hop
Create an NHRP local mapping entry for the protocol destination network, with mask-length, to the NBMA address
Create the NHRP Resolution Reply with protocol destination, NBMA address and mask-length
Delay the Resolution Reply so that it is sent via the direct spoke-spoke tunnel
NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 132, src: 10.0.0.12, dst: 10.0.0.11
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 10599
     src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 192.168.2.1
 (C-1) code: no error(0), prefix: 24, mtu: 1514, hd_time: 360,
     client NBMA: 172.16.2.1, client protocol: 10.0.0.12
 Responder Address Extension(3): (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
     client NBMA: 172.16.2.1, client protocol: 10.0.0.12
 Forward Transit NHS Record Extension(4): client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT address Extension(9):
Phase 3 – NHRP Mapping Tables
Spoke A:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:03:37, never expire
   Type: static, Flags: used
   NBMA address: 172.17.0.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:06, expire 00:05:54
   Type: dynamic, Flags: router implicit used
   NBMA address: 172.16.2.1
192.168.1.0/24 via 10.0.0.11, Tunnel0 created 00:00:06, expire 00:05:54
   Type: dynamic, Flags: router unique local
   NBMA address: 172.16.1.1 (no-socket)
192.168.2.0/24 via 10.0.0.12, Tunnel0 created 00:00:06, expire 00:05:53
   Type: dynamic, Flags: router
   NBMA address: 172.16.2.1
Spoke B:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:04:46, never expire
   Type: static, Flags: used
   NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:13, expire 00:05:46
   Type: dynamic, Flags: router implicit used
   NBMA address: 172.16.1.1
192.168.1.0/24 via 10.0.0.11, Tunnel0 created 00:00:11, expire 00:05:48
   Type: dynamic, Flags: router
   NBMA address: 172.16.1.1
192.168.2.0/24 via 10.0.0.12, Tunnel0 created 00:00:13, expire 00:05:46
   Type: dynamic, Flags: router unique local
   NBMA address: 172.16.2.1 (no-socket)
Phase 3: CEF Switching – Data Packet Forwarding (Current – ISR, 7200)
IP data packet is forwarded out the tunnel interface
1. IP next-hop from the CEF FIB is mapped to an adjacency
   If the adjacency is:
     Glean or Incomplete: punt to process switching
     Valid: select the adjacency for the packet
2. NHRP in the CEF feature path
   Look up the packet IP destination in the NHRP mapping table
     Matching entry: reselect the adjacency, use the direct spoke-spoke tunnel
     No matching entry: leave the CEF adjacency, packet goes to the hub
   If the packet arrived on and is forwarded out the same tunnel interface:
     Forward the data packet
     If 'ip nhrp redirect' is on the inbound tunnel, then send an NHRP redirect
Packet is encapsulated, encrypted and forwarded
Phase 3: NHRP and Routing Table – Data Packet Forwarding (ASR1k; 15.2(1)T – ISR, 7200)
When the NHRP resolution is received
  Insert the mapping information in the mapping table, replacing the Incomplete/Temporary mapping
  Insert an NHRP routing entry in the Routing Table (RT)
  • NHRP Net/Mask is more specific than the RT Net/Mask
      Add a new route owned by NHRP (Type = H)
      Monitor the parent route: if the parent route changes outbound interface, then remove the NHRP route
  • NHRP Net/Mask is equal to the RT Net/Mask
      Add an Override Alternate Next-hop (% flag)
      Route is still owned by the original owner
  • NHRP Net/Mask is less specific than the RT Net/Mask
      Reduce the NHRP mask to = RT mask
      Add an Override Alternate Next-hop (% flag)
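The three cases above, worked as an added example (not code from the deck or from IOS). It reuses the deck's 192.168.128.0/24 EIGRP route and 192.168.11.0/24 NHRP route; the 192.168.0.0/16 parent route, the next-hop values passed in the NHRP replies, and the "no parent route" handling are assumptions for the example:

```python
"""How an NHRP resolution is folded into the routing table (added example,
not the deck's or IOS's code). Assumed: the /16 parent route, the NHRP
reply next-hops, and returning 'no parent route' when nothing covers the
destination (the slide does not describe that case)."""
import ipaddress

NHRP_DISTANCE, NHRP_METRIC = 250, 1          # [250/1] as in the deck's H routes
CODES = {"nhrp": "H", "eigrp": "D", "connected": "C"}


class Route:
    def __init__(self, prefix, owner, next_hop, iface, distance, metric):
        self.net = ipaddress.ip_network(prefix)
        self.owner, self.next_hop, self.iface = owner, next_hop, iface
        self.distance, self.metric = distance, metric
        self.nho = None      # Override Alternate Next-hop (% flag)
        self.parent = None   # H routes: the RT prefix they were carved from

    def show(self):
        lines = [f"{CODES.get(self.owner, '?')} {self.net} "
                 f"[{self.distance}/{self.metric}] via {self.next_hop}, {self.iface}"]
        if self.nho:
            lines.append(f"  %[NHO] via {self.nho}, {self.iface}")
        return lines


class RoutingTable:
    def __init__(self):
        self.routes = {}     # ip_network -> Route

    def add(self, prefix, owner, next_hop, iface, distance, metric):
        r = Route(prefix, owner, next_hop, iface, distance, metric)
        self.routes[r.net] = r
        return r

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        matches = [r for r in self.routes.values() if a in r.net]
        return max(matches, key=lambda r: r.net.prefixlen, default=None)

    def nhrp_resolved(self, dest, nhrp_prefix, nhrp_next_hop):
        """NHRP reply for data destination dest carrying prefix/mask and next-hop."""
        net = ipaddress.ip_network(nhrp_prefix)
        rt = self.lookup(dest)
        if rt is None:
            return "no parent route"            # assumed handling
        if net.prefixlen > rt.net.prefixlen:
            # Case 1: more specific -> new H route, parent monitored
            h = self.add(str(net), "nhrp", nhrp_next_hop, rt.iface, NHRP_DISTANCE, NHRP_METRIC)
            h.parent = rt.net
            return "H route"
        if net.prefixlen < rt.net.prefixlen:
            # Case 3: less specific -> reduce the NHRP mask to the RT mask, then as case 2
            net = rt.net
        # Case 2: equal -> alternate next-hop on the existing route, owner unchanged
        rt.nho = nhrp_next_hop
        return "NHO on " + str(net)

    def parent_changed_interface(self, prefix, new_iface):
        """Parent route re-converged out another interface: drop its H routes."""
        net = ipaddress.ip_network(prefix)
        parent = self.routes[net]
        if parent.iface == new_iface:
            return []
        parent.iface = new_iface
        removed = [n for n, r in self.routes.items() if r.parent == net]
        for n in removed:
            del self.routes[n]
        return [str(n) for n in removed]

    def show(self):
        out = []
        for r in sorted(self.routes.values(), key=lambda r: (r.net.network_address, r.net.prefixlen)):
            out.extend(r.show())
        return out


if __name__ == "__main__":
    rt = RoutingTable()
    rt.add("192.168.0.0/16", "eigrp", "10.0.0.1", "Tunnel0", 90, 3200000)       # assumed parent
    rt.add("192.168.128.0/24", "eigrp", "10.0.2.16", "Tunnel0", 90, 3200000)    # from the deck
    print(rt.nhrp_resolved("192.168.11.5", "192.168.11.0/24", "10.0.1.11"))       # H route
    print(rt.nhrp_resolved("192.168.128.5", "192.168.128.0/24", "10.0.2.128"))    # NHO (assumed hop)
    print("\n".join(rt.show()))
```

The parent-monitoring step matters for the failure mode the slide names: if the /16 moves to another interface, the H route carved out of it is withdrawn rather than left pointing into a tunnel that no longer carries that prefix.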
Phase 3: NHRP and RT – Routing Table (ASR1k; 15.2(1)T – ISR, 7200)
#show ip route
D    192.168.128.0/24 [90/3200000] via 10.0.2.16, 00:50:56, Tunnel0    (EIGRP route)
H    192.168.11.0/24 [250/1] via 10.0.1.11, 00:01:02                   (NHRP route)
…
#show ip route next-hop-override | section H|%
D    192.168.128.0/24 [90/3200000] via 10.0.2.16, 00:50:56, Tunnel0
     %[NHO][90/1] via 10.0.0.1, 00:00:40, Tunnel0                      (Next-Hop-Override entry)
H    192.168.11.0/24 [250/1] via 10.0.1.11, 00:01:02
…
Routing entry for 192.168.128.0/24
  Known via "eigrp 1", distance 90, metric 3200000, type internal
  Redistributing via eigrp 1
  Last update from 10.0.2.16 on Tunnel0, 00:43:44 ago
  Routing Descriptor Blocks:
  * 10.0.2.16, from 10.0.2.16, 00:43:44 ago, via Tunnel0
      Route metric is 3200000, traffic share count is 1
    [NHO]10.0.0.1, from 10.0.0.1, 00:05:57 ago, via Tunnel0
      Route metric is 1, traffic share count is 1
…
Routing entry for 192.168.11.0/24
  Known via "nhrp", distance 250, metric 1
  Last update from 10.0.1.11 00:05:29 ago
  Routing Descriptor Blocks:
  * 10.0.1.11, from 10.0.1.11, 00:05:29 ago
      Route metric is 1, traffic share count is 1
Phase 3: Dynamic Mappings – Refresh or Remove
Dynamic NHRP mapping entries have a finite lifetime
  Controlled by 'ip nhrp holdtime ...' on the source of the mapping (spoke)
Two types of mapping entries
  Master entry: remote spoke tunnel IP address
  Child entries: remote network address(es)
Background process checks mapping entries every 60 seconds
  Child entry: marked used and timing out, then refresh the child entry
  Master entry: timing out, then mark the CEF adjacency stale; if the CEF adjacency is used, refresh the master entry
Refreshing entries: send another Resolution request and reply
  Resolution request/reply sent over the direct tunnel
If an entry expires it is removed
  If using IPsec and it is the last entry using that NBMA address, trigger IPsec to remove the IPsec and ISAKMP SAs
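A clock-driven model of the refresh/remove rules on this slide, added as an example (not code from the deck or from IOS); with a single entry per peer it also covers the Phase 2 rules given earlier (used flag, 120-second window, stale adjacency). The holdtime of 360 s, the 60-second background check and the 120-second window are the deck's values; the peer addresses (taken from the deck's Spoke A view), the traffic pattern and the event strings are constructed for the example:

```python
"""Lifetime of dynamic NHRP mappings (added example, not the deck's or IOS's code).

Slide values: holdtime 360 s, background check every 60 s, an entry is
'timing out' once less than 120 s remain. Constructed: the peer (10.0.0.12 /
172.16.2.1 / 192.168.2.0/24), the traffic pattern and the event names."""

HOLDTIME = 360        # 'ip nhrp holdtime 360' on the source spoke
CHECK_INTERVAL = 60   # background process period
REFRESH_WINDOW = 120  # entry is timing out below this many seconds left


class Entry:
    def __init__(self, kind, key, nbma, via):
        self.kind, self.key, self.nbma, self.via = kind, key, nbma, via
        self.expire = HOLDTIME
        self.used = False        # child: traffic forwarded since the last check
        self.adj_stale = False   # master: CEF adjacency marked stale
        self.adj_used = False    # master: the stale adjacency was hit by traffic


class NhrpCache:
    def __init__(self, ipsec=True):
        self.ipsec = ipsec
        self.entries = {}
        self.events = []

    def learn(self, remote_tunnel_ip, nbma, networks):
        """Resolution reply: master entry for the remote tunnel IP, children for its networks."""
        self.entries[remote_tunnel_ip] = Entry("master", remote_tunnel_ip, nbma, remote_tunnel_ip)
        for n in networks:
            self.entries[n] = Entry("child", n, nbma, remote_tunnel_ip)

    def forward(self, network):
        """A data packet is CEF-switched over the direct tunnel via this child entry."""
        child = self.entries.get(network)
        if child is None:
            return False
        child.used = True
        master = self.entries.get(child.via)
        if master is not None and master.adj_stale:
            master.adj_used = True
        return True

    def refresh(self, e):
        # Another resolution request/reply, sent over the direct tunnel
        self.events.append(f"refresh {e.kind} {e.key}")
        e.expire = HOLDTIME
        e.adj_stale = e.adj_used = False

    def background_check(self):
        for e in self.entries.values():
            e.expire -= CHECK_INTERVAL
        for e in list(self.entries.values()):
            timing_out = e.expire < REFRESH_WINDOW
            if e.kind == "child":
                if e.used and timing_out:
                    self.refresh(e)
                e.used = False               # otherwise clear the used flag
            else:
                if timing_out:
                    e.adj_stale = True       # let CEF report whether traffic still flows
                if e.adj_used:
                    self.refresh(e)
        for key, e in list(self.entries.items()):
            if e.expire <= 0:
                del self.entries[key]
                self.events.append(f"remove {e.kind} {key}")
                if self.ipsec and not any(o.nbma == e.nbma for o in self.entries.values()):
                    self.events.append(f"ipsec-teardown {e.nbma}")


def simulate(traffic_checks, idle_checks, ipsec=True):
    """Traffic during the first traffic_checks intervals, then silence."""
    cache = NhrpCache(ipsec)
    cache.learn("10.0.0.12", "172.16.2.1", ["192.168.2.0/24"])
    for i in range(traffic_checks + idle_checks):
        if i < traffic_checks:
            cache.forward("192.168.2.0/24")
        cache.background_check()
    return cache


if __name__ == "__main__":
    print(simulate(10, 0).events)   # refreshes only; both entries survive
    print(simulate(0, 6).events)    # both entries removed, then the IPsec SAs torn down
```

The idle run shows why the "last entry using the NBMA address" condition is there: the master and the child share one IPsec peer, so the SAs go only after the second removal, not the first.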
Use Case: iBGP over DMVPN
Agenda
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Load-balancing Hubs
Recent and New Features
iBGP over DMVPN – Base Physical Topology
(Figure; addressing as shown in the diagram:)
Hub1: LAN 192.168.0.1/24; WAN 172.17.0.1/30 to the Internet router (.2)
Hub2: LAN 192.168.0.2/24; WAN 172.17.0.5/30 to the Internet router (.6)
R2: 192.168.0.3 on the hub LAN, with 192.168.10.0/24 behind it
Spoke1..4: LAN 192.168.(1..4).1/24; WAN 172.16.(1..4).1/30 to the Internet router (.2)
RS1..4: 192.168.(1..4).2 on the spoke LAN, with 192.168.1(1..4).0/24 behind it
Internet router: BGP 2
iBGP over DMVPN – Base Logical Topology
(Figure; the same sites over DMVPN 10.0.0.0/24: Hub1 10.0.0.1, Hub2 10.0.0.2, Spoke1..4 10.0.0.11..14. BGP 1 runs on Hub1, Hub2, R2, Spoke1..4 and RS2; RS1 and RS4 run EIGRP 1, RS3 runs OSPF 1; the Internet is BGP 2. LANs as on the physical topology: 192.168.0.0/24 behind the hubs, 192.168.10.0/24 behind R2, 192.168.(1..4).0/24 at the spokes and 192.168.1(1..4).0/24 behind RS1..4.)
iBGP over DMVPN – Base Interface Configurations
Hubs:
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.(w) 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.(x) 172.17.0.(y)
 ip nhrp map multicast 172.17.0.(y)
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.(w) 255.255.255.0
!
interface Serial2/0
 ip address 172.17.0.(z) 255.255.255.252

Spokes:
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.(x) 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.(y).1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.(y).1 255.255.255.252

Variable values:
        Hub1  Hub2
  (w)    1     2
  (x)    2     1
  (y)    5     1
  (z)    1     5

        Spoke1  Spoke2  Spoke3  Spoke4
  (x)    11      12      13      14
  (y)    1       2       3       4
iBGP over DMVPN
Hubs: Dynamic Neighbors (15.1(2)T)
  Route-reflector for the spokes (clients)
  Regular neighbor between the hubs
  Add to MED when advertising between the hubs
Spokes: Route-reflector-client
Both: set next-hop to self/peer; DMVPN Phase 3
Use the same BGP AS over DMVPN on all nodes: Dynamic Neighbors, Route Reflection
Block ISP routes from being advertised over DMVPN and the LAN: use Community 1:10
Accept only local LAN routes from the LAN: use Community 1:20 for BGP and route-tag 225 for the IGP
iBGP over DMVPN – Hub Routing Configuration
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group spokes
 network 192.168.0.0
 timers bgp 10 30
 ! Dynamic Neighbors
 neighbor spokes peer-group
 neighbor spokes remote-as 1
 neighbor spokes route-reflector-client
 neighbor spokes route-map DMVPN-OUT out
 neighbor 10.0.0.(2,1) remote-as 1
 neighbor 10.0.0.(2,1) route-map H2H-IN in
 neighbor 10.0.0.(2,1) route-map DMVPN-OUT out
 neighbor 172.17.0.(2,6) remote-as 2
 neighbor 172.17.0.(2,6) route-map ISP-IN in
 neighbor 172.17.0.(2,6) route-map ISP-OUT out
 neighbor 192.168.0.3 remote-as 1
 neighbor 192.168.0.3 route-map LAN-IN in
 neighbor 192.168.0.3 route-map LAN-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
!
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
ip community-list 21 deny 1:20
ip community-list 21 permit
!
! Next-hop setting
route-map DMVPN-OUT permit 10
 match community 11
 set ip next-hop 10.0.0.(1,2)
route-map LAN-OUT permit 10
 match community 11
 set ip next-hop 192.168.0.(1,2)
! Change MED
route-map H2H-IN permit 10
 set metric +10000
! Route Filtering
route-map ISP-IN permit 10
 set community 1:10
route-map ISP-OUT permit 10
 match community 10
route-map LAN-IN permit 10
 match community 21
iBGP over DMVPN – Spoke1 Routing (IGP) Configuration
router eigrp 1
 default-metric 1000 0 255 100 1500
 network 192.168.1.0
 redistribute bgp 1 route-map BGP2IGP
!
router bgp 1
 bgp log-neighbor-changes
 bgp redistribute-internal
 timers bgp 10 30
 redistribute eigrp 1 route-map IGP2BGP
 ! Neighbors
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs next-hop-self
 neighbor hubs route-map DMVPN-OUT out
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
 neighbor 172.16.1.2 remote-as 2
 neighbor 172.16.1.2 route-map ISP-IN in
 neighbor 172.16.1.2 route-map ISP-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
!
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
!
! Route Filtering
route-map ISP-IN permit 10
 set community 1:10
route-map ISP-OUT permit 10
 match community 10
route-map DMVPN-OUT permit 10
 match community 11
! BGP <-> IGP
route-map BGP2IGP permit 10
 match community 11
 set tag 225
route-map IGP2BGP deny 10
 match tag 225
route-map IGP2BGP permit 20
Spokes 3,4 are similar
iBGP over DMVPN – Spoke2 Routing (iBGP) Configuration
router bgp 1
 bgp log-neighbor-changes
 timers bgp 10 30
 ! Neighbors
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs route-map DMVPN-OUT out
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
 neighbor 172.16.1.2 remote-as 2
 neighbor 172.16.1.2 route-map ISP-IN in
 neighbor 172.16.1.2 route-map ISP-OUT out
 neighbor 192.168.2.2 remote-as 1
 neighbor 192.168.2.2 route-reflector-client
 neighbor 192.168.2.2 route-map LAN-IN in
 neighbor 192.168.2.2 route-map LAN-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
!
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
ip community-list 21 deny 1:20
ip community-list 21 permit
!
! Next-hop setting
route-map DMVPN-OUT permit 10
 match community 11
 set ip next-hop 10.0.0.12
route-map LAN-OUT permit 10
 match community 11
 set ip next-hop 192.168.2.1
! Route Filtering
route-map ISP-IN permit 10
 set community 1:10
route-map ISP-OUT permit 10
 match community 10
route-map LAN-IN permit 10
 match community 21
iBGP over DMVPN – R2, RS2 Routing (iBGP) Configuration
R2 (behind hubs):
router bgp 1
 …
 network 192.168.0.0
 network 192.168.10.0
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs route-reflector-client
 neighbor hubs next-hop-self
 neighbor hubs send-community
 neighbor hubs route-map FROM-DMVPN in
 neighbor 192.168.0.1 peer-group hubs
 neighbor 192.168.0.2 peer-group hubs
 maximum-paths ibgp 4
 …
ip bgp-community new-format
route-map FROM-DMVPN permit 10
 set community 1:20

RS2 (behind Spoke2):
router bgp 1
 …
 network 192.168.2.0
 network 192.168.12.0
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 next-hop-self
 neighbor 192.168.2.1 send-community
 neighbor 192.168.2.1 route-map FROM-DMVPN in
 maximum-paths ibgp 4
 …
ip bgp-community new-format
route-map FROM-DMVPN permit 10
 set community 1:20

Next-hop setting and route filtering as above; RS1, 3, 4 use a standard IGP configuration
iBGP over DMVPN – ISP Routes
Hub1 and Hub2 (common):
...
B    172.16.1.0 [20/0] via 172.17.0.(2,6),
B    172.16.2.0 [20/0] via 172.17.0.(2,6),
B    172.16.3.0 [20/0] via 172.17.0.(2,6),
B    172.16.4.0 [20/0] via 172.17.0.(2,6),
...
Hub1:
C    172.17.0.0/30 is directly connected, Serial2/0
L    172.17.0.1/32 is directly connected, Serial2/0
B    172.17.0.4/30 [20/0] via 172.17.0.2,
...
Hub2:
B    172.17.0.0/30 [20/0] via 172.17.0.6,
C    172.17.0.4/30 is directly connected, Serial2/0
L    172.17.0.5/32 is directly connected, Serial2/0
...

Spoke1 and Spoke2 (common):
...
B    172.16.3.0/30 [20/0] via 172.16.(1,2).2
B    172.16.4.0/30 [20/0] via 172.16.(1,2).2
B    172.17.0.0 [20/0] via 172.16.(1,2).2,
B    172.17.0.4 [20/0] via 172.16.(1,2).2,
...
Spoke1:
C    172.16.1.0/30 is directly connected, Serial1/0
L    172.16.1.1/32 is directly connected, Serial1/0
B    172.16.2.0/30 [20/0] via 172.16.1.2
...
Spoke2:
B    172.16.1.0/30 [20/0] via 172.16.2.2,
C    172.16.2.0/30 is directly connected, Serial1/0
L    172.16.2.1/32 is directly connected, Serial1/0
...
Spokes 3,4 are similar

Internet Router (NO INTERNAL ROUTES!):
C    172.17.0.4 is directly connected, Serial2/0
C    172.17.0.0 is directly connected, Serial1/0
C    172.16.4.0 is directly connected, Serial6/0
C    172.16.1.0 is directly connected, Serial3/0
C    172.16.2.0 is directly connected, Serial4/0
C    172.16.3.0 is directly connected, Serial5/0

RS(x), R2 (NO ISP ROUTES!):
...
iBGP over DMVPN – Hub internal routes (192.168.1x.0/24)
Hub1# show ip bgp
   Network          Next Hop       Metric LocPrf Weight Path
*> i 192.168.10.0    192.168.0.3         0    100      0 i
*m i 192.168.11.0    10.0.0.2       307200    100      0 ?
*> i                 10.0.0.11      307200    100      0 ?
*> i 192.168.12.0    10.0.0.12           0    100      0 i
*m i                 10.0.0.2            0    100      0 i
*m i 192.168.13.0    10.0.0.2           20    100      0 ?
*> i                 10.0.0.13          20    100      0 ?
*> i 192.168.14.0    10.0.0.14      307200    100      0 ?
*m i                 10.0.0.2       307200    100      0 ?

Hub1# show ip bgp (MED +10000 via other Hub)
   Network          Next Hop       Metric LocPrf Weight Path
*> i 192.168.10.0    192.168.0.3         0    100      0 i
*  i 192.168.11.0    10.0.0.2       317200    100      0 ?
*> i                 10.0.0.11      307200    100      0 ?
*> i 192.168.12.0    10.0.0.12           0    100      0 i
*  i                 10.0.0.2        10000    100      0 i
*  i 192.168.13.0    10.0.0.2        10020    100      0 ?
*> i                 10.0.0.13          20    100      0 ?
*> i 192.168.14.0    10.0.0.14      307200    100      0 ?
*  i                 10.0.0.2       317200    100      0 ?

Hub2# show ip bgp
   Network          Next Hop       Metric LocPrf Weight Path
*> i 192.168.10.0    192.168.0.3         0    100      0 i
*> i 192.168.11.0    10.0.0.11      307200    100      0 ?
*m i                 10.0.0.1       307200    100      0 ?
*m i 192.168.12.0    10.0.0.1            0    100      0 i
*> i                 10.0.0.12           0    100      0 i
*m i 192.168.13.0    10.0.0.1           20    100      0 ?
*> i                 10.0.0.13          20    100      0 ?
*m i 192.168.14.0    10.0.0.1       307200    100      0 ?
*> i                 10.0.0.14      307200    100      0 ?

Hub2# show ip bgp (MED +10000 via other Hub)
   Network          Next Hop       Metric LocPrf Weight Path
*> i 192.168.10.0    192.168.0.3         0    100      0 i
*> i 192.168.11.0    10.0.0.11      307200    100      0 ?
*  i                 10.0.0.1       317200    100      0 ?
*  i 192.168.12.0    10.0.0.1        10000    100      0 i
*> i                 10.0.0.12           0    100      0 i
*  i 192.168.13.0    10.0.0.1        10020    100      0 ?
*> i                 10.0.0.13          20    100      0 ?
*  i 192.168.14.0    10.0.0.1       317200    100      0 ?
*> i                 10.0.0.14      307200    100      0 ?

Hub1# show ip route
B    192.168.10.0/24 [160/0] via 192.168.0.3,
B    192.168.11.0/24 [160/307200] via 10.0.0.11,
                     [160/307200] via 10.0.0.2,
B    192.168.12.0/24 [160/0] via 10.0.0.12,
                     [160/0] via 10.0.0.2,
B    192.168.13.0/24 [160/20] via 10.0.0.13,
                     [160/20] via 10.0.0.2,
B    192.168.14.0/24 [160/307200] via 10.0.0.14,
                     [160/307200] via 10.0.0.2,

Hub2# show ip route
B    192.168.10.0/24 [160/0] via 192.168.0.3,
B    192.168.11.0/24 [160/307200] via 10.0.0.11,
                     [160/307200] via 10.0.0.1,
B    192.168.12.0/24 [160/0] via 10.0.0.12,
                     [160/0] via 10.0.0.1,
B    192.168.13.0/24 [160/20] via 10.0.0.13,
                     [160/20] via 10.0.0.1,
B    192.168.14.0/24 [160/307200] via 10.0.0.14,
                     [160/307200] via 10.0.0.1,
iBGP over DMVPN – Spoke1,2 internal routes (192.168.1x.0/24)
Spoke1# show ip route
B    192.168.10.0/24 [160/0] via 10.0.0.2,
                     [160/0] via 10.0.0.1,
D    192.168.11.0/24 [90/307200] via 192.168.1.2,
B    192.168.12.0/24 [160/0] via 10.0.0.2,
                     [160/0] via 10.0.0.1,
B    192.168.13.0/24 [160/20] via 10.0.0.2,
                     [160/20] via 10.0.0.1,
B    192.168.14.0/24 [160/307200] via 10.0.0.2,
                     [160/307200] via 10.0.0.1,

Spoke2# show ip route
B    192.168.10.0/24 [160/0] via 10.0.0.2,
                     [160/0] via 10.0.0.1,
B    192.168.11.0/24 [160/307200] via 10.0.0.2,
                     [160/307200] via 10.0.0.1,
B    192.168.12.0/24 [160/0] via 192.168.2.2,
B    192.168.13.0/24 [160/20] via 10.0.0.2,
                     [160/20] via 10.0.0.1,
B    192.168.14.0/24 [160/307200] via 10.0.0.2,
                     [160/307200] via 10.0.0.1,

Spoke1# show ip bgp
   Network          Next Hop       Metric LocPrf Weight Path
*m i 192.168.10.0    10.0.0.2            0    100      0 i
*> i                 10.0.0.1            0    100      0 i
*>   192.168.11.0    192.168.1.2    307200         32768 ?
*m i 192.168.12.0    10.0.0.2            0    100      0 i
*> i                 10.0.0.1            0    100      0 i
*m i 192.168.13.0    10.0.0.2           20    100      0 ?
*> i                 10.0.0.1           20    100      0 ?
*m i 192.168.14.0    10.0.0.2       307200    100      0 ?
*> i                 10.0.0.1       307200    100      0 ?

Spoke2# show ip bgp
   Network          Next Hop       Metric LocPrf Weight Path
*> i 192.168.10.0    10.0.0.1            0    100      0 i
*m i                 10.0.0.2            0    100      0 i
*m i 192.168.11.0    10.0.0.2       307200    100      0 ?
*> i                 10.0.0.1       307200    100      0 ?
*> i 192.168.12.0    192.168.2.2         0    100      0 i
*> i 192.168.13.0    10.0.0.1       307200    100      0 ?
*m i                 10.0.0.2       307200    100      0 ?
*> i 192.168.14.0    10.0.0.1           20    100      0 ?
*m i                 10.0.0.2           20    100      0 ?
Spokes 3,4 are similar
iBGP over DMVPN – R2, RS(x) internal routes (192.168.1x.0/24)
R2# show ip route
C    192.168.10.0/24 is directly connected, Ethernet1/0
B    192.168.11.0/24 [200/307200] via 192.168.0.1,
                     [200/307200] via 192.168.0.2,
B    192.168.12.0/24 [200/0] via 192.168.0.2,
                     [200/0] via 192.168.0.1,
B    192.168.13.0/24 [200/20] via 192.168.0.1,
                     [200/20] via 192.168.0.2,
B    192.168.14.0/24 [200/307200] via 192.168.0.2,
                     [200/307200] via 192.168.0.1,

RS1# show ip route
D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1,
C    192.168.11.0/24 is directly connected, Ethernet1/0
D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1,
RS(3,4) are similar

RS2# show ip route
B    192.168.10.0/24 [200/0] via 192.168.2.1,
B    192.168.11.0/24 [200/307200] via 192.168.2.1,
C    192.168.12.0/24 is directly connected, Ethernet1/0
B    192.168.13.0/24 [200/307200] via 192.168.2.1,
B    192.168.14.0/24 [200/20] via 192.168.2.1,

RS2# show ip bgp
   Network          Next Hop       Metric LocPrf Cmnty
*> i 192.168.10.0    192.168.2.1         0    100  1:20
*> i 192.168.11.0    192.168.2.1    307200    100  1:20
*>   192.168.12.0    0.0.0.0             0
*> i 192.168.13.0    192.168.2.1        20    100  1:20
*> i 192.168.14.0    192.168.2.1    307200    100  1:20

R2# show ip bgp
   Network          Next Hop       Metric LocPrf Cmnty
*>   192.168.10.0    0.0.0.0             0
*m i 192.168.11.0    192.168.0.2    307200    100  1:20
*> i                 192.168.0.1    307200    100  1:20
*> i 192.168.12.0    192.168.0.1         0    100  1:20
*m i                 192.168.0.2         0    100  1:20
*m i 192.168.13.0    192.168.0.2        20    100  1:20
*> i                 192.168.0.1        20    100  1:20
*> i 192.168.14.0    192.168.0.1    307200    100  1:20
*m i                 192.168.0.2    307200    100  1:20
Agenda
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Load-balancing Hubs
Recent and New Features
iBGP over DMVPN – Load balancing Hubs
Hubs: use communities to add to the MED when learning routes from the spokes
  Hub1 – Community 1:1 (+0), Community 1:2 (+5000), Other (+7500)
  Hub2 – Community 1:2 (+0), Community 1:1 (+5000), Other (+7500)
  The +5000 for the other community is less than the +10000 added via the other hub
Spokes: multiple spokes at a spoke site
  Can use communities to add to the IGP metric when advertising to the LAN
  Can use communities to add to the MED when learning from the hubs
Both: set the community when learning routes from the LAN
  Odd spokes; Hub1 – Community 1:1
  Even spokes; Hub2 – Community 1:2
iBGP over DMVPN – Load balancing Hubs – Hub Routing Configuration changes
router bgp 1
 …
 ! Send communities to DMVPN neighbors
 neighbor spokes send-community
 neighbor spokes route-map CMNTY in
 …
 neighbor 10.0.0.(x) send-community
 …
!
ip bgp-community new-format
ip community-list 1 permit 1:1
ip community-list 2 permit 1:2
! Routes with the same community as the hub
route-map CMNTY permit 10
 match community (y)
! Routes with a different community from the hub
route-map CMNTY permit 20
 match community (x)
 set metric +5000
! Other routes
route-map CMNTY permit 30
 set metric +7500
! Set the community on inbound from the LAN
route-map LAN-IN permit 10
 match community 21
 set community 1:(y)

Variable values:
        Hub1  Hub2
  (x)    2     1
  (y)    1     2
iBGP over DMVPN – Load balancing Hubs – Spoke Routing Configuration changes
Spoke1:
router bgp 1
 …
 neighbor hubs peer-group
 …
 ! Send communities to DMVPN neighbors
 neighbor hubs send-community
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
!
ip bgp-community new-format
! Set the community on inbound from the LAN
route-map IGP2BGP deny 10
 match tag 225
route-map IGP2BGP permit 20
 set community 1:1
Spoke 3 is similar

Spoke2:
router bgp 1
 …
 neighbor hubs peer-group
 …
 ! Send communities to DMVPN neighbors
 neighbor hubs send-community
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
!
ip bgp-community new-format
! Set the community on inbound from the LAN
route-map LAN-IN permit 10
 match community 21
 set community 1:2
Spoke 4 is similar
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> i 192.168.10.0 192.168.0.3 0 100
* i 192.168.11.0 10.0.0.2 317200 100
*> i 10.0.0.11 307200 100
*> i 192.168.12.0 10.0.0.12 0 100
* i 10.0.0.2 10000 100
* i 192.168.13.0 10.0.0.2 10020 100
*> i 10.0.0.13 20 100
*> i 192.168.14.0 10.0.0.14 307200 100
* i 10.0.0.2 317200 100
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> i 192.168.10.0 192.168.0.3 0 100
*> i 192.168.11.0 10.0.0.11 307200 100
* i 10.0.0.1 317200 100
* i 192.168.12.0 10.0.0.1 10000 100
*> i 10.0.0.12 0 100
* i 192.168.13.0 10.0.0.1 10020 100
*> i 10.0.0.13 20 100
* i 192.168.14.0 10.0.0.1 317200 100
*> i 10.0.0.14 307200 100
Hub2#show ip route
B 192.168.10.0/24 [160/0] via 192.168.0.3,
B 192.168.11.0/24 [160/307200] via 10.0.0.11,
B 192.168.12.0/24 [160/0] via 10.0.0.12,
B 192.168.13.0/24 [160/20] via 10.0.0.13,
B 192.168.14.0/24 [160/307200] via 10.0.0.14,
Hub1#show ip route
B 192.168.10.0/24 [160/0] via 192.168.0.3,
B 192.168.11.0/24 [160/307200] via 10.0.0.11,
B 192.168.12.0/24 [160/0] via 10.0.0.12,
B 192.168.13.0/24 [160/20] via 10.0.0.13,
B 192.168.14.0/24 [160/307200] via 10.0.0.14,
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> i 192.168.10.0 192.168.0.3 0 100 1:1
* i 192.168.11.0 10.0.0.2 322200 100 1:1
*> i 10.0.0.11 307200 100 1:1
*> i 192.168.12.0 10.0.0.12 5000 100 1:2
* i 10.0.0.2 10000 100 1:2
* i 192.168.13.0 10.0.0.2 15020 100 1:1
*> i 10.0.0.13 20 100 1:1
*> i 192.168.14.0 10.0.0.14 312200 100 1:2
* i 10.0.0.2 317200 100 1:2
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> i 192.168.10.0 192.168.0.3 0 100 1:2
*> i 192.168.11.0 10.0.0.11 312200 100 1:1
* i 10.0.0.1 317200 100 1:1
* i 192.168.12.0 10.0.0.1 15000 100 1:2
*> i 10.0.0.12 0 100 1:2
* i 192.168.13.0 10.0.0.1 10020 100 1:1
*> i 10.0.0.13 5020 100 1:1
* i 192.168.14.0 10.0.0.1 322200 100 1:2
*> i 10.0.0.14 307200 100 1:2
Hub2 (Cmnty 1:2)
#show ip route
B 192.168.10.0/24 [160/0] via 192.168.0.3,
B 192.168.11.0/24 [160/312200] via 10.0.0.11,
B 192.168.12.0/24 [160/0] via 10.0.0.12,
B 192.168.13.0/24 [160/5020] via 10.0.0.13,
B 192.168.14.0/24 [160/307200] via 10.0.0.14,
Hub1 (Cmnty 1:1)
#show ip route
B 192.168.10.0/24 [160/0] via 192.168.0.3,
B 192.168.11.0/24 [160/307200] via 10.0.0.11,
B 192.168.12.0/24 [160/5000] via 10.0.0.12,
B 192.168.13.0/24 [160/20] via 10.0.0.13,
B 192.168.14.0/24 [160/312200] via 10.0.0.14,
iBGP over DMVPN – Load balancing Hubs: Hub internal routes (192.168.1x.0/24)
Spoke2#show ip route
B 192.168.10.0/24 [160/0] via 10.0.0.2,
[160/0] via 10.0.0.1,
B 192.168.11.0/24 [160/307200] via 10.0.0.2,
[160/307200] via 10.0.0.1,
B 192.168.12.0/24 [160/0] via 192.168.2.2,
B 192.168.13.0/24 [160/20] via 10.0.0.2,
[160/20] via 10.0.0.1,
B 192.168.14.0/24 [160/307200] via 10.0.0.2,
[160/307200] via 10.0.0.1,
Spoke1#show ip route
B 192.168.10.0/24 [160/0] via 10.0.0.2,
[160/0] via 10.0.0.1,
D 192.168.11.0/24 [90/307200] via 192.168.1.2,
B 192.168.12.0/24 [160/0] via 10.0.0.2,
[160/0] via 10.0.0.1,
B 192.168.13.0/24 [160/20] via 10.0.0.2,
[160/20] via 10.0.0.1,
B 192.168.14.0/24 [160/307200] via 10.0.0.2,
[160/307200] via 10.0.0.1,
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*m i 192.168.10.0 10.0.0.2 0 100
*> i 10.0.0.1 0 100
*> 192.168.11.0 192.168.1.2 307200
*m i 192.168.12.0 10.0.0.2 0 100
*> i 10.0.0.1 0 100
*m i 192.168.13.0 10.0.0.2 20 100
*> i 10.0.0.1 20 100
*m i 192.168.14.0 10.0.0.2 307200 100
*> i 10.0.0.1 307200 100
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> i 192.168.10.0 10.0.0.1 0 100
*m i 10.0.0.2 0 100
*m i 192.168.11.0 10.0.0.2 307200 100
*> i 10.0.0.1 307200 100
*> i 192.168.12.0 192.168.2.2 0 100
*> i 192.168.13.0 10.0.0.1 307200 100
*m i 10.0.0.2 307200 100
*> i 192.168.14.0 10.0.0.1 20 100
*m i 10.0.0.2 20 100
iBGP over DMVPN – Load balancing Hubs: Spoke1,2 internal routes (192.168.1x.0/24)
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> i 192.168.10.0 10.0.0.1 0 100 1:1
*m i 10.0.0.2 0 100 1:2
* i 192.168.11.0 10.0.0.2 312200 100 1:1
*> i 10.0.0.1 307200 100 1:1
*> i 192.168.12.0 192.168.2.2 0 100 1:2
*> i 192.168.13.0 10.0.0.1 20 100 1:1
* i 10.0.0.2 5020 100 1:1
* i 192.168.14.0 10.0.0.1 312200 100 1:2
*> i 10.0.0.2 307200 100 1:2
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*m i 192.168.10.0 10.0.0.2 0 100 1:2
*> i 10.0.0.1 0 100 1:1
*> 192.168.11.0 192.168.1.2 307200 1:1
*> i 192.168.12.0 10.0.0.2 0 100 1:2
* i 10.0.0.1 5000 100 1:2
* i 192.168.13.0 10.0.0.2 5020 100 1:1
*> i 10.0.0.1 20 100 1:1
*> i 192.168.14.0 10.0.0.2 307200 100 1:2
* i 10.0.0.1 312200 100 1:2
Spoke1 (Cmnty 1:1)
#show ip route
B 192.168.10.0/24 [160/0] via 10.0.0.2,
[160/0] via 10.0.0.1,
D 192.168.11.0/24 [90/307200] via 192.168.1.2,
B 192.168.12.0/24 [160/0] via 10.0.0.2,
B 192.168.13.0/24 [160/20] via 10.0.0.1,
B 192.168.14.0/24 [160/307200] via 10.0.0.2,
Spoke2 (Cmnty 1:2)
#show ip route
B 192.168.10.0/24 [160/0] via 10.0.0.2,
[160/0] via 10.0.0.1,
B 192.168.11.0/24 [160/307200] via 10.0.0.1,
B 192.168.12.0/24 [160/0] via 192.168.2.2,
B 192.168.13.0/24 [160/20] via 10.0.0.1,
B 192.168.14.0/24 [160/307200] via 10.0.0.2,
Spoke 3 is similar
Spoke 4 is similar
RS2#show ip route
B 192.168.10.0/24 [200/0] via 192.168.2.1,
B 192.168.11.0/24 [200/307200] via 192.168.2.1,
C 192.168.12.0/24 is directly connected, Ethernet1/0
B 192.168.13.0/24 [200/307200] via 192.168.2.1,
B 192.168.14.0/24 [200/20] via 192.168.2.1,
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> i 192.168.10.0 192.168.2.1 0 100 1:20
*> i 192.168.11.0 192.168.2.1 307200 100 1:20
*> 192.168.12.0 0.0.0.0 0
*> i 192.168.13.0 192.168.2.1 20 100 1:20
*> i 192.168.14.0 192.168.2.1 307200 100 1:20
RS1#show ip route
D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1,
C 192.168.11.0/24 is directly connected, Ethernet1/0
D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1,
RS2 (no change)
#show ip route
B 192.168.10.0/24 [200/0] via 192.168.2.1,
B 192.168.11.0/24 [200/307200] via 192.168.2.1,
C 192.168.12.0/24 is directly connected, Ethernet1/0
B 192.168.13.0/24 [200/307200] via 192.168.2.1,
B 192.168.14.0/24 [200/20] via 192.168.2.1,
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> i 192.168.10.0 192.168.2.1 0 100 1:20
*> i 192.168.11.0 192.168.2.1 307200 100 1:20
*> 192.168.12.0 0.0.0.0 0
*> i 192.168.13.0 192.168.2.1 20 100 1:20
*> i 192.168.14.0 192.168.2.1 307200 100 1:20
RS1 (no change)
#show ip route
D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1,
C 192.168.11.0/24 is directly connected, Ethernet1/0
D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1,
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> 192.168.10.0 0.0.0.0 0
*m i 192.168.11.0 192.168.0.2 307200 100 1:20
*> i 192.168.0.1 307200 100 1:20
*> i 192.168.12.0 192.168.0.1 0 100 1:20
*m i 192.168.0.2 0 100 1:20
*m i 192.168.13.0 192.168.0.2 20 100 1:20
*> i 192.168.0.1 20 100 1:20
*> i 192.168.14.0 192.168.0.1 307200 100 1:20
*m i 192.168.0.2 307200 100 1:20
# show ip bgp
Network Next Hop Metric LocPrf Cmnty
*> 192.168.10.0 0.0.0.0 0
* i 192.168.11.0 192.168.0.2 312200 100 1:20
*> i 192.168.0.1 307200 100 1:20
* i 192.168.12.0 192.168.0.1 5000 100 1:20
*> i 192.168.0.2 0 100 1:20
* i 192.168.13.0 192.168.0.2 5020 100 1:20
*> i 192.168.0.1 20 100 1:20
* i 192.168.14.0 192.168.0.1 312200 100 1:20
*> i 192.168.0.2 307200 100 1:20
R2#show ip route
C 192.168.10.0/24 is directly connected, Ethernet1/0
B 192.168.11.0/24 [200/307200] via 192.168.0.1,
[200/307200] via 192.168.0.2,
B 192.168.12.0/24 [200/0] via 192.168.0.2,
[200/0] via 192.168.0.1,
B 192.168.13.0/24 [200/20] via 192.168.0.1,
[200/20] via 192.168.0.2,
B 192.168.14.0/24 [200/307200] via 192.168.0.2,
[200/307200] via 192.168.0.1,
iBGP over DMVPN – Load balancing Hubs: R2, RS(x) internal routes (192.168.1x.0/24)
R2#show ip route
C 192.168.10.0/24 is directly connected, Ethernet1/0
B 192.168.11.0/24 [200/307200] via 192.168.0.1,
B 192.168.12.0/24 [200/0] via 192.168.0.2,
B 192.168.13.0/24 [200/20] via 192.168.0.1,
B 192.168.14.0/24 [200/307200] via 192.168.0.2,
RS(3,4) are similar
Recent and New Features
Agenda
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Recent and New Features
IKEv2 with DMVPN
Tunnel Health Monitoring
Backup and FQDN NHS
DHCP over DMVPN
DMVPN IPv6 Transport
IKEv2 with DMVPN
DMVPN can work with ISAKMP (IKEv1) and/or IKEv2; this is transparent to DMVPN
A node can be responder for both ISAKMP and IKEv2 (both ISAKMP and IKEv2 are configured)
A node can be initiator for either ISAKMP or IKEv2, not both
Configured under the 'crypto ipsec profile ...'
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto ikev2 keyring DMVPN
 peer DMVPN
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile DMVPN
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring DMVPN
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
 mode transport [require]
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set ikev2-profile DMVPN
!
interface Tunnel0
 ...
 tunnel protection ipsec profile DMVPN
Tunnel Health Monitoring – Interface State – 15.0(1)M
Issue
The mGRE tunnel interface is always "up"
Can't use standard backup/recovery mechanisms (backup interface, static interface routes, …)
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 …
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.2 172.17.0.5
 …
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 …
 if-state nhrp
 …
Solution
New command 'if-state nhrp'
Monitors NHRP registration replies
If all NHSs are "down", the tunnel interface is set to up/down (line protocol down)
The spoke continues to send NHRP registration requests
If a single NHS is "up", the tunnel interface is set to up/up
Tunnel Health Monitoring – Interface State (cont)
#show ip nhrp nhs detail
10.0.0.1  RE req-sent 100 req-failed 0 repl-recv 90 (00:01:38 ago)
10.0.0.2  RE req-sent 125 req-failed 0 repl-recv 79 (00:01:38 ago)
#show interface tunnel0
Tunnel0 is up, line protocol is up
*Apr 19 21:32:52 NHRP: NHS-DOWN: 10.0.0.1
*Apr 19 21:32:52 NHRP: NHS 10.0.0.1 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'E' from 'RE'
*Apr 19 21:32:53 NHRP: NHS-DOWN: 10.0.0.2
*Apr 19 21:32:53 NHRP: NHS 10.0.0.2 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'E' from 'RE'
*Apr 19 21:33:02 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Apr 19 21:33:02 NHRP: if_down: Tunnel0 proto IPv4
#show ip nhrp nhs detail
10.0.0.1  E  req-sent 105 req-failed 0 repl-recv 90 (00:02:12 ago)
10.0.0.2  E  req-sent 130 req-failed 0 repl-recv 79 (00:02:12 ago)
#show interface tunnel0
Tunnel0 is up, line protocol is down
*Apr 19 21:33:12 NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 92
*Apr 19 21:33:13 NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 92
…
*Apr 19 21:34:36 NHRP: NHS 10.0.0.1 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'RE' from 'E'
*Apr 19 21:34:36 NHRP: NHS-UP: 10.0.0.1
*Apr 19 21:34:42 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 19 21:34:42 NHRP: if_up: Tunnel0 proto 0
#show ip nhrp nhs detail
10.0.0.1  RE req-sent 110 req-failed 0 repl-recv 96 (00:00:19 ago)
10.0.0.2  E  req-sent 135 req-failed 0 repl-recv 79 (00:04:09 ago)
#show interface tunnel0
Tunnel0 is up, line protocol is up
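As an added example (not code from the slides or from Cisco), a small Python parser for the 'show ip nhrp nhs detail' output above that applies the if-state nhrp rule: the line protocol stays up while at least one NHS is responding and goes down once every NHS has dropped to 'E'. The three snapshots are copied from this slide; the helper names are the example's own.

```python
"""Parse 'show ip nhrp nhs detail' and apply the 'if-state nhrp' rule.

Constructed example (not Cisco code): the three snapshots below are the
outputs shown on the slide, and the derived line-protocol state is checked
against the 'show interface tunnel0' line that accompanies each of them.
"""
import re

# One NHS per line: "<nhs-ip> <state> req-sent N req-failed N repl-recv N (<age> ago)"
NHS_LINE = re.compile(
    r"^(?P<nhs>\d+\.\d+\.\d+\.\d+)\s+(?P<state>[ERW]+)\s+"
    r"req-sent\s+(?P<sent>\d+)\s+req-failed\s+(?P<failed>\d+)\s+"
    r"repl-recv\s+(?P<recv>\d+)\s+\((?P<age>[\d:]+) ago\)"
)


def parse_nhs_detail(output):
    """Return one dict per NHS line; lines that do not match are ignored."""
    entries = []
    for line in output.splitlines():
        m = NHS_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            for key in ("sent", "failed", "recv"):
                entry[key] = int(entry[key])
            entries.append(entry)
    return entries


def line_protocol(entries):
    """if-state nhrp rule: 'up' while any NHS is responding ('R' in its state,
    e.g. 'RE'); 'down' once every NHS is only 'E' (expecting replies, none arriving)."""
    if not entries:
        return "down"
    return "up" if any("R" in e["state"] for e in entries) else "down"


def nhs_transitions(before, after):
    """[(nhs, old_state, new_state)] for every NHS whose state changed between
    two snapshots; mirrors the 'Transitioned to ... from ...' NHRP debug lines."""
    old = {e["nhs"]: e["state"] for e in before}
    return [(e["nhs"], old.get(e["nhs"]), e["state"])
            for e in after if old.get(e["nhs"]) != e["state"]]


def kept_registering(before, after):
    """True if every NHS saw more registration requests between the snapshots,
    i.e. the spoke keeps registering even while the line protocol is down."""
    sent = {e["nhs"]: e["sent"] for e in before}
    return all(e["sent"] > sent.get(e["nhs"], 0) for e in after)


# Snapshots copied from the slide, in the order they appear.
HEALTHY = """\
10.0.0.1  RE req-sent 100 req-failed 0 repl-recv 90 (00:01:38 ago)
10.0.0.2  RE req-sent 125 req-failed 0 repl-recv 79 (00:01:38 ago)
"""
ALL_DOWN = """\
10.0.0.1  E  req-sent 105 req-failed 0 repl-recv 90 (00:02:12 ago)
10.0.0.2  E  req-sent 130 req-failed 0 repl-recv 79 (00:02:12 ago)
"""
ONE_BACK = """\
10.0.0.1  RE req-sent 110 req-failed 0 repl-recv 96 (00:00:19 ago)
10.0.0.2  E  req-sent 135 req-failed 0 repl-recv 79 (00:04:09 ago)
"""

if __name__ == "__main__":
    prev = None
    for name, snap in [("healthy", HEALTHY), ("all NHS down", ALL_DOWN),
                       ("one NHS back", ONE_BACK)]:
        cur = parse_nhs_detail(snap)
        print(f"{name}: Tunnel0 line protocol is {line_protocol(cur)}")
        if prev is not None:
            for nhs, old, new in nhs_transitions(prev, cur):
                print(f"  NHS {nhs} transitioned to '{new}' from '{old}'")
            print(f"  registration requests still being sent: {kept_registering(prev, cur)}")
        prev = cur
```

Note that repl-recv stays at 90 and 79 across the 'all NHS down' snapshot while req-sent keeps climbing, which is the "continue to send registration requests" behaviour the slide describes.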
Backup and FQDN NHS – 15.1(2)T
Issue
Backup NHSs are only needed when the primary NHSs are down
Backup NHSs can be oversubscribed
Solution
Set NHS 'max-connections'
Can set NHS priority (default = 0, which is best); can have multiple hubs at the same priority
Can group NHSs into clusters (default = 0); separate max-connections value per cluster
Configuration reduction: single-line NHS configuration and FQDN NHS
Functionality
• NHSs are brought up in priority order, until the cluster's max-connections is reached
• A down NHS at the same priority is probed if the cluster is not at max-connections
• A down NHS at a lower (numerically lower, i.e. better) priority than an active NHS is probed even when max-connections is reached
• The FQDN is resolved when bringing up the NHS
Backup and FQDN NHS (cont)
interface Tunnel0
 …
 ip nhrp nhs 10.0.0.1 nbma Hub1.cisco.com multicast priority 10 cluster 1
 ip nhrp nhs 10.0.0.2 nbma 172.17.0.5 multicast priority 20 cluster 1
 ip nhrp nhs 10.0.0.3 nbma 172.17.0.9 multicast priority 10 cluster 2
 ip nhrp nhs 10.0.0.4 nbma 172.17.0.13 multicast priority 10 cluster 2
 ip nhrp nhs cluster 1 max-connections 1
 ip nhrp nhs cluster 2 max-connections 1
#show ip nhrp nhs
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.0.0.1  RE NBMA Address: 172.17.0.1 (Hub1.Cisco.com) priority = 10 cluster = 1
10.0.0.2  W  NBMA Address: 172.17.0.5 priority = 20 cluster = 1
10.0.0.3  RE NBMA Address: 172.17.0.9 priority = 10 cluster = 2
10.0.0.4  W  NBMA Address: 172.17.0.13 priority = 10 cluster = 2
interface Tunnel0
 …
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.3 172.17.0.9
 ip nhrp map multicast 172.17.0.9
 ip nhrp map 10.0.0.4 172.17.0.13
 ip nhrp map multicast 172.17.0.13
 …
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp nhs 10.0.0.3
 ip nhrp nhs 10.0.0.4
 ip nhrp nhs cluster 0 max-connections 2
 …
#show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 Type: static, Flags: used
   NBMA address: 172.17.0.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 Type: static, Flags: used
   NBMA address: 172.17.0.5
10.0.0.3/32 via 10.0.0.3
   Tunnel0 Type: static, Flags: used
   NBMA address: 172.17.0.9 (no-socket)
10.0.0.4/32 via 10.0.0.4
   Tunnel0 Type: static, Flags: used
   NBMA address: 172.17.0.13 (no-socket)
#show ip nhrp nhs
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.0.0.1  RE priority = 0 cluster = 0
10.0.0.2  RE priority = 0 cluster = 0
10.0.0.3  W  priority = 0 cluster = 0
10.0.0.4  W  priority = 0 cluster = 0
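As an added example (not Cisco code and not from the slides), a Python model of the priority, cluster and max-connections rules listed on the previous slide, applied to the two NHS configurations above; it reproduces the RE/W states of both 'show ip nhrp nhs' outputs. The tie-break by configuration order, the 'reachable' flag and the helper names are assumptions of this model.

```python
"""Model of the NHS backup rules (priority, cluster, max-connections).

Constructed example, not Cisco code: it applies the rules stated on the slide
to the two configurations shown and reproduces the 'show ip nhrp nhs' states
(RE = responding and expecting replies, E = probed but not responding,
W = waiting, held in reserve).
"""
from dataclasses import dataclass


@dataclass
class Nhs:
    tunnel_ip: str
    nbma: str               # NBMA address or FQDN from 'ip nhrp nhs <ip> nbma <nbma>'
    priority: int = 0       # 'priority' keyword; default 0 is best
    cluster: int = 0        # 'cluster' keyword; default cluster 0
    reachable: bool = True  # registration replies arriving (model assumption, used to simulate a failure)


def nhs_states(nhs_list, max_connections):
    """Return {tunnel_ip: state} for one tunnel interface.

    Rules from the slide:
      1. NHSs are brought up in priority order until the cluster's max-connections.
      2. A down NHS at the same priority is probed if the cluster is not at max.
      3. A down NHS with a better (numerically lower) priority than an active NHS
         is probed even when max-connections is reached.
    Model assumptions: equal priorities keep configuration order, a cluster without
    a max-connections entry is unlimited, and rule 2 is applied to every down NHS
    while the cluster is below its limit.
    """
    by_cluster = {}
    for order, nhs in enumerate(nhs_list):
        by_cluster.setdefault(nhs.cluster, []).append((nhs.priority, order, nhs))

    states = {}
    for cluster_id, members in by_cluster.items():
        limit = max_connections.get(cluster_id)            # None = unlimited
        members.sort(key=lambda m: (m[0], m[1]))           # rule 1: best priority first
        active = []
        for _, _, nhs in members:
            if nhs.reachable and (limit is None or len(active) < limit):
                active.append(nhs)
                states[nhs.tunnel_ip] = "RE"
        at_max = limit is not None and len(active) >= limit
        worst_active = max((n.priority for n in active), default=None)
        for _, _, nhs in members:
            if nhs.tunnel_ip in states:
                continue
            if nhs.reachable:
                states[nhs.tunnel_ip] = "W"                # healthy spare, not needed yet
            elif not at_max:
                states[nhs.tunnel_ip] = "E"                # rule 2: room left, keep probing
            elif worst_active is not None and nhs.priority < worst_active:
                states[nhs.tunnel_ip] = "E"                # rule 3: outranks an active NHS
            else:
                states[nhs.tunnel_ip] = "W"
    return states


# First configuration on the slide: two clusters, one connection each.
CLUSTERED = [
    Nhs("10.0.0.1", "Hub1.cisco.com", priority=10, cluster=1),
    Nhs("10.0.0.2", "172.17.0.5", priority=20, cluster=1),
    Nhs("10.0.0.3", "172.17.0.9", priority=10, cluster=2),
    Nhs("10.0.0.4", "172.17.0.13", priority=10, cluster=2),
]
CLUSTERED_MAX = {1: 1, 2: 1}

# Second configuration on the slide: all four NHSs in cluster 0, max-connections 2.
FLAT = [Nhs(ip, nbma) for ip, nbma in [
    ("10.0.0.1", "172.17.0.1"), ("10.0.0.2", "172.17.0.5"),
    ("10.0.0.3", "172.17.0.9"), ("10.0.0.4", "172.17.0.13"),
]]
FLAT_MAX = {0: 2}


def with_failure(nhs_list, failed_ip):
    """Copy of nhs_list with one NHS marked unreachable (constructed failure case)."""
    return [Nhs(n.tunnel_ip, n.nbma, n.priority, n.cluster, n.tunnel_ip != failed_ip)
            for n in nhs_list]


if __name__ == "__main__":
    print("clustered:", nhs_states(CLUSTERED, CLUSTERED_MAX))
    print("flat:", nhs_states(FLAT, FLAT_MAX))
    print("clustered, 10.0.0.1 down:",
          nhs_states(with_failure(CLUSTERED, "10.0.0.1"), CLUSTERED_MAX))
```

Under the rules as stated, a failed NHS that outranks the active one (10.0.0.1 at priority 10 versus 10.0.0.2 at 20) keeps being probed, whereas a failed NHS at equal priority in a full cluster (10.0.0.3 versus 10.0.0.4) is not probed until a connection slot frees up.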
DHCP over DMVPN – 15.1(3)T
Issue
Must pre-configure the tunnel interface IP address and subnet on spokes
Solution
Use DHCP to allocate the spoke's tunnel IP address/subnet
Spoke (tunnel interface):
 ip address dhcp
 ip dhcp client broadcast-flag clear
Hub is the DHCP relay agent
Global:
 ip dhcp support tunnel unicast
Tunnel interface:
 ip helper-address <ip-dhcp-server>
Functionality
The DHCP request is broadcast to all NHSs; replies are unicast back to the spoke
Sticky until the tunnel interface goes down
DHCP and FQDN NHS – Example:
Spoke:
interface Tunnel0
 ip dhcp client broadcast-flag clear
 ip address dhcp
 …
 ip nhrp network-id 100000
 …
 ip nhrp nhs dynamic nbma Hub1-NBMA multicast
 …
 ip nhrp shortcut
 tunnel source Serial1/0
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
Hub:
ip dhcp support tunnel unicast
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip helper-address 192.168.0.3
 …
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp redirect
 tunnel source Serial2/0
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
DHCP:
22:52:32.658: DHCP: Starting DHCP discover on Tunnel0
22:52:32.658: DHCP: SDiscover attempt # 1 for entry:
22:52:32.658:            Hostname: Spoke1, B'cast on Tunnel0 interface from 0.0.0.0
22:52:32.738: DHCP: Offer Message, Offered Address: 10.0.0.13
22:52:32.738: DHCP: Lease secs: 86400, Renewal secs: 43200, Rebind secs: 75600
22:52:32.738: DHCP: SRequest attempt # 1 for entry:
22:52:32.738:            Temp IP addr: 10.0.0.13 for peer on Interface: Tunnel0
22:52:32.738:            Temp sub net mask: 255.255.255.0
22:52:32.738:            Hostname: Spoke1, B'cast on Tunnel0 interface from 0.0.0.0
22:52:32.818: DHCP: Ack Message Offered Address: 10.0.0.13
22:52:32.818: DHCP: Lease secs: 86400, Renewal secs: 43200, Rebind secs: 75600
22:52:32.818: DHCP: Host Name Option: Spoke1.cisco-test.com
DHCP and FQDN NHS – Example (cont)
NHRP:
22:52:32.242: NHRP: Resolved FQDN Hub1-NBMA to 172.17.0.1
22:52:32.242: NHRP: Supressing registration requests (Tunnel0) has invalid address
. . .
22:52:32.818: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 104
22:52:32.818:  src NBMA: 172.16.1.1, src proto: 10.0.0.13, dst proto: 10.0.0.13
22:52:32.818:  NAT address Extension(9): client NBMA: 172.17.0.1, client protocol: 10.0.0.13
. . .
22:52:32.870: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 124
22:52:32.870:  src NBMA: 172.16.1.1, src proto: 10.0.0.13, dst proto: 10.0.0.1
22:52:32.870:  Responder Address Extension(3): client NBMA: 172.17.0.1, client protocol: 10.0.0.1
22:52:32.870:  NAT address Extension(9): client NBMA: 172.17.0.1, client protocol: 10.0.0.1
22:52:32.870: NHRP: Tu0: Creating nhs mapping for 10.0.0.1/32 NBMA: 172.17.0.1
22:52:32.870: NHRP: Tunnel0: Cache add for target 10.0.0.1/32 next-hop 10.0.0.1, 172.17.0.1
22:52:32.870: NHRP: Adding Tunnel Endpoints (VPN: 10.0.0.1, NBMA: 172.17.0.1)
Tunnel:
22:52:29.618: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
22:52:29.622: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
. . .
22:52:32.870: Tunnel0: Linking endpoint 10.0.0.1/172.17.0.1
22:52:32.870: FIBtunnel: Tu0:TED: Adding adj for 10.0.0.1, conn_id 0
22:52:32.870: FIBtunnel: Tu0: stacking IP 10.0.0.1 to Default:172.17.0.1
. . .
22:52:32.902: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.1 (Tunnel0) is up: new adjacency
DMVPN over IPv6 Transport – 15.2(1)T (August 2011)
IPv6 and IPv4 packets over DMVPN IPv6 tunnels
Introduced in IOS release 15.2(1)T
IPv6 infrastructure network
IPv6 and/or IPv4 data packets over the same IPv6 GRE tunnel
NHRP modifies the routing table, as on ASR1k routers
Can run both DMVPN IPv4 and DMVPN IPv6
Separate DMVPNs (mGRE tunnel interfaces)
DMVPN IPv4 to DMVPN IPv6 spoke-to-spoke traffic goes via the hub
Configuration
Standard IPv6 configuration on the outside (WAN) interface
Small change on the mGRE tunnel interface
Must use IKEv2 to set up IPsec encryption
Split-tunneling
Enterprise versus ISP-assigned IPv6 addresses at the spoke
No NAT66
DMVPN over IPv6 Transport – Configuration
Hub:
crypto ikev2 keyring DMVPN
 peer DMVPNv6
  address ::/0
  pre-shared-key cisco123v6
!
crypto ikev2 profile DMVPN
 match identity remote address ::/0
 authentication local pre-share
 authentication remote pre-share
 keyring DMVPN
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set ikev2-profile DMVPN
…
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ...
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ...
 ipv6 address 2001:DB8:0:100::1/64
 ...
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ...
 tunnel source Serial2/0
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
 ipv6 address 2001:DB8:0:FFFF:1::1/126
!
ipv6 route ::/0 Serial2/0
Spoke:
crypto ikev2 keyring DMVPN
 peer DMVPNv6
  address ::/0
  pre-shared-key cisco123v6
!
crypto ikev2 profile DMVPN
 match identity remote address ::/0
 authentication local pre-share
 authentication remote pre-share
 keyring DMVPN
 dpd keepalive 30 5 on-demand
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set ikev2-profile DMVPN
…
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1 nbma 2001:DB8:0:FFFF:1::1 multicast
 ...
 ipv6 address 2001:DB8:0:100::B/64
 ...
 ipv6 nhrp network-id 100006
 ipv6 nhrp nhs 2001:DB8:0:100::1 nbma 2001:DB8:0:FFFF:1::1 multicast
 ...
 tunnel source Serial1/0
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
 ipv6 address 2001:DB8:0:FFFF:0:1:0:1/126
!
ipv6 route ::/0 Serial1/0
DMVPN over IPv6 Transport – Data Structures
Hub1#show ipv6 nhrp
2001:DB8:0:100::B/128 via 2001:DB8:0:100::B
Tunnel0 created 22:27:52, expire 00:03:39
Type: dynamic, Flags: unique registered
NBMA address: 2001:DB8:0:FFFF:0:1:0:1
FE80::A8BB:CCFF:FE00:C800/128 via 2001:DB8:0:100::B
Tunnel0 created 22:27:52, expire 00:03:39
Type: dynamic, Flags: unique registered
NBMA address: 2001:DB8:0:FFFF:0:1:0:1
Hub1#show ip nhrp
10.0.0.11/32 via 10.0.0.11
Tunnel0 created 22:26:55, expire 00:03:37
Type: dynamic, Flags: unique registered used
NBMA address: 2001:DB8:0:FFFF:0:1:0:1
Hub1#show crypto session
Interface: Tunnel0; Session status: UP-ACTIVE
Peer: 2001:DB8:0:FFFF:0:1:0:1 port 500
IKEv2 SA: local 2001:DB8:0:FFFF:1::1/500
remote 2001:DB8:0:FFFF:0:1:0:1/500 Active
IPSEC FLOW: permit 47 host 2001:DB8:0:FFFF:1::1 host 2001:DB8:0:FFFF:0:1:0:1
Active SAs: 2, origin: crypto map
DMVPN Futures
Q4 CY2011
iBGP 'local-as'
Routing protocol scalability/convergence
EEM with DMVPN integration – Smart Spoke
DHCP over DMVPN IPv4: retrieve the LAN IP subnet for the spoke to serve addresses to hosts
Q1 CY2012
DHCP over DMVPN IPv6
Per-tunnel QoS on ASR
Future
DMVPN native multicast
GRE per-tunnel keepalives
Per-tunnel QoS IPv6 over DMVPN on the hub
DMVPN Futures
Q & A
Thank you.
Appendix
Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
Dynamic Multipoint VPN—Example
[Figure: hub with two spokes. Hub: Physical 172.17.0.1 (static, known IP address), Tunnel0 10.0.0.1, LAN 192.168.0.0/24 (.1). Spoke A: Physical dynamic (unknown IP address), Tunnel0 10.0.0.11, LAN 192.168.1.0/24 (.1). Spoke B: Physical dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.0/24 (.1). Further spokes (. . .). LANs can have private addressing.]
Dynamic Multipoint VPN—Example (Step 1)
[Figure: same topology (Hub 172.17.0.1 / 10.0.0.1, Spoke A 10.0.0.11, Spoke B 10.0.0.12); Step 1 builds the static spoke-to-hub tunnels from Spoke A and Spoke B to the hub.]
Dynamic Multipoint VPN—Example (Step 2)
[Figure: same topology with the static spoke-to-hub tunnels in place; Step 2 builds a dynamic spoke-to-spoke tunnel between Spoke A (10.0.0.11) and Spoke B (10.0.0.12).]
Dynamic Multipoint VPN—Example (Step 3)
[Figure: same topology; Step 3 removes the dynamic spoke-to-spoke tunnel, leaving only the static spoke-to-hub tunnels.]
Appendix
DMVPN Overview
NHRP Details
NHRP Overview
NHRP Registrations
NHRP Resolutions/Redirects
Phase 2
Phase 3
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
NHRP Registration – Building Hub-and-Spoke Tunnels
[Figure: Host1, Spoke1, Hub, Spoke2 and Host2 in a line; no tunnels yet.]
NHRP Registration – Building Hub-and-Spoke Tunnels (Step 1)
[Figure: IKE initialization from Spoke1 to the Hub and from Spoke2 to the Hub; IKE/IPsec established; both spoke-to-hub tunnels are now encrypted.]
NHRP Registration – Building Hub-and-Spoke Tunnels (Step 2)
[Figure: over the encrypted tunnels, Spoke1 and Spoke2 each send an NHRP Registration Request to the Hub and receive an NHRP Registration Reply.]
NHRP Registration – Routing Adjacency (Step 3)
[Figure: a routing adjacency forms between each spoke and the Hub over the encrypted tunnels; routing updates are exchanged in both directions.]
NHRP Registration – Building Hub-and-Spoke Tunnels
[Figure: Hub (Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24), Spoke A (Physical dynamic, Tunnel0 10.0.0.11, LAN 192.168.1.1/24) and Spoke B (Physical dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.1/24), joined by dynamic permanent IPsec tunnels. Each router's NHRP mapping table and routing table are shown; initially each routing table holds only the connected LAN (192.168.0.0/24 Conn. on the hub, 192.168.1.0/24 Conn. on Spoke A, 192.168.2.0/24 Conn. on Spoke B) and the NHRP mapping tables are empty.]
NHRP Registration – Building Hub-and-Spoke Tunnels (Step 1&2)
[Figure: Spoke A (physical 172.16.1.1) registers with the hub. Spoke A NHRP mapping: 10.0.0.1 -> 172.17.0.1; hub NHRP mapping: 10.0.0.11 -> 172.16.1.1. Routing tables still hold only the connected LANs. Steps 1 to 5 are numbered on the figure.]
NHRP Registration – Building Hub-and-Spoke Tunnels (Step 1&2)
[Figure: Spoke B (physical 172.16.2.1) has registered as well. Spoke A and Spoke B NHRP mapping: 10.0.0.1 -> 172.17.0.1; hub NHRP mapping: 10.0.0.11 -> 172.16.1.1 and 10.0.0.12 -> 172.16.2.1. Routing tables still hold only the connected LANs. Steps 1 to 5 are numbered on the figure.]
NHRP Registration – Routing Adjacency (Step 3a)
[Figure: routing packets over the dynamic permanent IPsec tunnels. Hub routing table: 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 via 10.0.0.12, 192.168.0.0/24 Conn.; the hub sends the summary 192.168.0.0/16 to the spokes. Spoke routing tables: own LAN Conn. NHRP mappings as on the previous slide. Steps 1 to 4 are numbered on the figure.]
NHRP Registration – Routing Adjacency (Step 3b)
[Figure: Spoke A and Spoke B routing tables now hold 192.168.0.0/16 via 10.0.0.1 in addition to the connected LAN; hub routing table unchanged (192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 via 10.0.0.12, 192.168.0.0/24 Conn.). Steps 1 to 3 are numbered on the figure.]
Appendix
DMVPN Overview
NHRP Details
NHRP Overview
NHRP Registrations
NHRP Resolutions/Redirects
Phase 2
Phase 3
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
Phase 2 NHRP Resolution Request (Step 1)
[Figure: Host1, Spoke1, Hubs, Spoke2, Host2; the NHRP Resolution Request goes from Spoke1 to the Hubs and is forwarded to Spoke2.]
Phase 2 NHRP Resolution Reply (Step 2)
[Figure: IKE initialization between Spoke1 and Spoke2, IKE/IPsec established, and the NHRP Resolution Response returns to Spoke1 over the now encrypted spoke-to-spoke tunnel.]
Phase 2 NHRP Resolution Request
[Figure: per-router CEF FIB table, NHRP mapping and CEF adjacency. Hub (Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24): FIB 192.168.1.0/24 -> 10.0.0.11, 192.168.2.0/24 -> 10.0.0.12, 192.168.0.0/24 Conn.; NHRP 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1; adjacency 10.0.0.11 172.16.1.1, 10.0.0.12 172.16.2.1. Spoke A (physical 172.16.1.1, Tunnel0 10.0.0.11, LAN 192.168.1.1/24): FIB 192.168.0.0/24 -> 10.0.0.1, 192.168.1.0/24 Conn., 192.168.2.0/24 -> 10.0.0.12; NHRP 10.0.0.1 -> 172.17.0.1 (*); adjacency 10.0.0.1 172.17.0.1, 10.0.0.12 incomplete. Spoke B (physical 172.16.2.1, Tunnel0 10.0.0.12, LAN 192.168.2.1/24): FIB 192.168.0.0/24 -> 10.0.0.1, 192.168.2.0/24 Conn., 192.168.1.0/24 -> 10.0.0.11; NHRP 10.0.0.1 -> 172.17.0.1 (*); adjacency 10.0.0.1 172.17.0.1, 10.0.0.11 incomplete. Legend: data packet, NHRP resolution.]
Phase 2 NHRP Resolution Request (Step 1a)
[Figure: same tables as the previous slide; a data packet from Spoke A's LAN toward 192.168.2.0/24 hits the incomplete adjacency for next hop 10.0.0.12 (shown as "10.0.0.12 ???"), which triggers an NHRP Resolution Request toward the hub. Steps 1 to 7 are numbered on the figure.]
Phase 2 NHRP Resolution Request (Step 1b)
[Figure: same tables; the hub forwards the Resolution Request to Spoke B, which learns Spoke A's mapping 10.0.0.11 -> 172.16.1.1 from it, while Spoke A's entry for 10.0.0.12 is still "???". Steps 1 to 5 are numbered on the figure.]
Phase 2 NHRP Resolution Reply (Step 2a)
[Figure: Spoke B now holds the NHRP mapping 10.0.0.11 -> 172.16.1.1 and a complete adjacency 10.0.0.11 172.16.1.1, and sends the NHRP Resolution Reply to Spoke A; Spoke A's entry for 10.0.0.12 is still "???" and its adjacency for 10.0.0.12 incomplete. Hub tables unchanged. Steps 1 to 3 are numbered on the figure.]
Phase 2 NHRP Resolution Reply (Step 2b)
[Figure: Spoke A installs the NHRP mapping 10.0.0.12 -> 172.16.2.1 and completes its adjacency 10.0.0.12 172.16.2.1; Spoke B holds 10.0.0.11 -> 172.16.1.1 with adjacency 10.0.0.11 172.16.1.1; hub tables unchanged. Steps 1 to 5 are numbered on the figure.]
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKSEC-4052 137
Phase 2 NHRP Resolution Reply (Step 2c)
[Diagram: same topology and tables as Step 2b; the mapping 10.0.0.12 -> 172.16.2.1 and adjacency 172.16.2.1 are complete on the spoke. Numbered arrows 1 to 3 follow the Data packet and NHRP Resolution legend.]
Appendix
DMVPN Overview
NHRP Details
  NHRP Overview
  NHRP Registrations
  NHRP Resolutions/Redirects
    Phase 2
    Phase 3
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
Phase 3 NHRP Redirect (Step 1)
[Diagram: Host1, Spoke1, Hubs, Spoke2 and Host2 in a row; an arrow labelled NHRP Redirect.]
Phase 3 NHRP Resolution Request (Step 2)
[Diagram: Host1, Spoke1, Hubs, Spoke2 and Host2 in a row; two arrows labelled NHRP Res. Request.]
Phase 3 NHRP Resolution Reply (Step 3)
[Diagram: Host1, Spoke1, Hubs, Spoke2 and Host2 in a row; arrows labelled IKE Initialization, IKE/IPsec Established and NHRP Resolution Response, the last marked Encrypted.]
Phase 3 NHRP Resolution Redirect
[Diagram: hub (tunnel 10.0.0.1, physical 172.17.0.1, LAN 192.168.0.1/24), Spoke A (tunnel 10.0.0.11, dynamic physical address, LAN 192.168.1.1/24) and Spoke B (tunnel 10.0.0.12, dynamic physical address, LAN 192.168.2.1/24). Hub tables: NHRP mapping 10.0.0.11 -> 172.16.1.1 and 10.0.0.12 -> 172.16.2.1; CEF FIB 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 via 10.0.0.12, 192.168.0.0/24 connected; CEF adjacencies 172.16.1.1 and 172.16.2.1. Spoke tables (Phase 3): CEF FIB with the local LAN connected and only the summary 192.168.0.0/16 via 10.0.0.1; NHRP mapping 10.0.0.1 -> 172.17.0.1; CEF adjacency 172.17.0.1. Arrow legend: Data packet, NHRP Redirect, NHRP Resolution.]
Phase 3 NHRP Resolution Redirect (Step 1a)
[Diagram: same topology and tables as the Phase 3 NHRP Resolution Redirect slide (the spokes hold only the 192.168.0.0/16 summary via 10.0.0.1 and the mapping 10.0.0.1 -> 172.17.0.1); numbered arrows 1 to 7 follow the Data packet, NHRP Redirect and NHRP Resolution legend.]
Phase 3 NHRP Resolution Redirect (Step 1b)
[Diagram: same topology and tables as Step 1a; an NHRP entry for 192.168.2.1 is now shown pending ("???"). Numbered arrows 1 and 2 follow the Data packet, NHRP Redirect and NHRP Resolution legend.]
Phase 3 NHRP Resolution Request (Step 2)
[Diagram: same topology and tables as Step 1b; the pending entry "192.168.2.1 ???" remains and an additional entry 10.0.0.11 -> 172.16.1.1 appears in the NHRP mapping / CEF adjacency tables. Numbered arrows 1 to 6 follow the Data packet, NHRP Redirect and NHRP Resolution legend.]
Phase 3 NHRP Resolution Reply (Step 3a)
[Diagram: same topology and tables as Step 2; "192.168.2.1 ???" still pending, the entry 10.0.0.11 -> 172.16.1.1 present in an NHRP mapping table and a CEF adjacency table. Numbered arrows 1 to 3 follow the Data packet, NHRP Redirect and NHRP Resolution legend.]
Phase 3 NHRP Resolution Reply (Step 3b)
[Diagram: same topology as Step 3a; the pending entry has been replaced by the NHRP shortcut entry 192.168.2.0/24 -> 172.16.2.1 with a CEF adjacency 172.16.2.1, and the entry 10.0.0.11 -> 172.16.1.1 is present on the other spoke. Numbered arrows 1 to 4 follow the Data packet, NHRP Redirect and NHRP Resolution legend.]
Phase 3 NHRP Resolution Reply (Step 3c)
[Diagram: same topology and tables as Step 3b (shortcut 192.168.2.0/24 -> 172.16.2.1 with adjacency 172.16.2.1 on one spoke, 10.0.0.11 -> 172.16.1.1 on the other). Numbered arrows 1 to 5 follow the Data packet, NHRP Redirect and NHRP Resolution legend.]
Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
iBGP over DMVPN: Base Logical Topology
[Diagram: Hub1 (BGP 1) and Hub2 (BGP 1) share the LAN 192.168.0.0/24 (.1 and .2) with R2 (BGP 1, .3), which also attaches 192.168.10.0/24 (.1); both hubs connect to the Internet (BGP 2) and to the DMVPN cloud 10.0.0.0/24 (BGP 1, hubs .1 and .2, spokes .11 to .14). Spoke1 (BGP 1) has LAN 192.168.1.0/24 with RS1 (EIGRP 1) and 192.168.11.0/24 behind it; Spoke2 (BGP 1) has 192.168.2.0/24 with RS2 (BGP 1) and 192.168.12.0/24; Spoke3 (BGP 1) has 192.168.3.0/24 with RS3 and 192.168.13.0/24; Spoke4 (BGP 1) has 192.168.4.0/24 with RS4 and 192.168.14.0/24 (RS3 and RS4 run OSPF 1 and EIGRP 1, see their configurations below).]
iBGP over DMVPN: Hub1 Configuration

version 15.1
!
hostname Hub1
!
ip cef
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set t3 esp-des esp-md5-hmac
 mode transport require
!
crypto ipsec profile vpnprof
 set transform-set t3
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group spokes
 timers bgp 10 30
 neighbor spokes peer-group
 neighbor spokes remote-as 1
 neighbor spokes route-reflector-client
 neighbor spokes send-community
 neighbor spokes route-map CMNTY in
 neighbor spokes route-map DMVPN-OUT out
 neighbor 10.0.0.2 remote-as 1
 neighbor 10.0.0.2 send-community
 neighbor 10.0.0.2 route-map H2H-IN in
 neighbor 10.0.0.2 route-map DMVPN-OUT out
 neighbor 172.17.0.2 remote-as 2
 neighbor 172.17.0.2 route-map ISP-IN in
 neighbor 172.17.0.2 route-map ISP-OUT out
 neighbor 192.168.0.3 remote-as 1
 neighbor 192.168.0.3 route-map LAN-IN in
 neighbor 192.168.0.3 route-map LAN-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 1 permit 1:1
ip community-list 2 permit 1:2
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
ip community-list 21 deny 1:20
ip community-list 21 permit
!
route-map H2H-IN permit 10
 set metric +10000
!
route-map LAN-OUT permit 10
 match community 11
 set ip next-hop 192.168.0.1
!
route-map DMVPN-OUT permit 10
 match community 11
 set ip next-hop 10.0.0.1
!
route-map ISP-OUT permit 10
 match community 10
!
route-map CMNTY permit 10
 match community 1
!
route-map CMNTY permit 20
 match community 2
 set metric +5000
!
route-map CMNTY permit 30
 set metric +7500
!
route-map ISP-IN permit 10
 set community 1:10
!
route-map LAN-IN permit 10
 match community 21
 set community 1:1
!
control-plane
!
end
iBGP over DMVPN: Hub2 Configuration

version 15.1
!
hostname Hub2
!
ip cef
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set t3 esp-des esp-md5-hmac
 mode transport require
!
crypto ipsec profile vpnprof
 set transform-set t3
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.2 255.255.255.0
!
interface Serial2/0
 ip address 172.17.0.5 255.255.255.252
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group spokes
 timers bgp 10 30
 neighbor spokes peer-group
 neighbor spokes remote-as 1
 neighbor spokes route-reflector-client
 neighbor spokes send-community
 neighbor spokes route-map CMNTY in
 neighbor spokes route-map DMVPN-OUT out
 neighbor 10.0.0.1 remote-as 1
 neighbor 10.0.0.1 send-community
 neighbor 10.0.0.1 route-map H2H-IN in
 neighbor 10.0.0.1 route-map DMVPN-OUT out
 neighbor 172.17.0.6 remote-as 2
 neighbor 172.17.0.6 route-map ISP-IN in
 neighbor 172.17.0.6 route-map ISP-OUT out
 neighbor 192.168.0.3 remote-as 1
 neighbor 192.168.0.3 route-map LAN-IN in
 neighbor 192.168.0.3 route-map LAN-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 1 permit 1:1
ip community-list 2 permit 1:2
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
ip community-list 21 deny 1:20
ip community-list 21 permit
!
route-map H2H-IN permit 10
 set metric +10000
!
route-map LAN-OUT permit 10
 match community 11
 set ip next-hop 192.168.0.2
!
route-map DMVPN-OUT permit 10
 match community 11
 set ip next-hop 10.0.0.2
!
route-map ISP-OUT permit 10
 match community 10
!
route-map CMNTY permit 10
 match community 2
!
route-map CMNTY permit 20
 match community 1
 set metric +5000
!
route-map CMNTY permit 30
 set metric +7500
!
route-map ISP-IN permit 10
 set community 1:10
!
route-map LAN-IN permit 10
 match community 21
 set community 1:2
!
control-plane
!
end
iBGP over DMVPN: Spoke1 Configuration

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke1
!
ip cef
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set t2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set t2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
router eigrp 1
 default-metric 1000 0 255 100 1500
 network 192.168.1.0
 redistribute bgp 1 route-map BGP2IGP
!
router bgp 1
 bgp log-neighbor-changes
 bgp redistribute-internal
 timers bgp 10 30
 redistribute eigrp 1 route-map IGP2BGP
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs next-hop-self
 neighbor hubs send-community
 neighbor hubs route-map DMVPN-OUT out
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
 neighbor 172.16.1.2 remote-as 2
 neighbor 172.16.1.2 route-map ISP-IN in
 neighbor 172.16.1.2 route-map ISP-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
!
route-map DMVPN-OUT permit 10
 match community 11
!
route-map ISP-OUT permit 10
 match community 10
!
route-map IGP2BGP deny 10
 match tag 225
!
route-map IGP2BGP permit 20
 set community 1:1
!
route-map BGP2IGP permit 10
 match community 11
 set tag 225
!
route-map ISP-IN permit 10
 set community 1:10
!
control-plane
!
end
iBGP over DMVPN: Spoke2 Configuration

version 15.1
!
hostname Spoke2
!
ip cef
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set t2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set t2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.12 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.2.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.2.1 255.255.255.252
!
router bgp 1
 bgp log-neighbor-changes
 bgp redistribute-internal
 timers bgp 10 30
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs send-community
 neighbor hubs route-map DMVPN-OUT out
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
 neighbor 172.16.2.2 remote-as 2
 neighbor 172.16.2.2 route-map ISP-IN in
 neighbor 172.16.2.2 route-map ISP-OUT out
 neighbor 192.168.2.2 remote-as 1
 neighbor 192.168.2.2 route-reflector-client
 neighbor 192.168.2.2 route-map LAN-IN in
 neighbor 192.168.2.2 route-map LAN-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
ip community-list 21 deny 1:20
ip community-list 21 permit
!
route-map LAN-OUT permit 10
 match community 11
 set ip next-hop 192.168.2.1
!
route-map DMVPN-OUT permit 10
 match community 11
 set ip next-hop 10.0.0.12
!
route-map ISP-OUT permit 10
 match community 10
!
route-map ISP-IN permit 10
 set community 1:10
!
route-map LAN-IN permit 10
 match community 21
 set community 1:2
!
control-plane
!
end
iBGP over DMVPN: Spoke3 and Spoke4 Configuration (values in parentheses are Spoke3, Spoke4)

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke(3,4)
!
ip cef
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set t2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set t2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.(13,14) 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.(3,4).1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.(3,4).1 255.255.255.252
!
router ospf 1
 redistribute bgp 1 subnets route-map BGP2IGP
 network 192.168.3.0 0.0.0.255 area 1
!
router eigrp 1
 default-metric 1000 0 255 100 1500
 network 192.168.4.0
 redistribute bgp 1 route-map BGP2IGP
!
router bgp 1
 bgp log-neighbor-changes
 bgp redistribute-internal
 timers bgp 10 30
 redistribute ospf 1 route-map IGP2BGP
 redistribute eigrp 1 route-map IGP2BGP
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs next-hop-self
 neighbor hubs send-community
 neighbor hubs route-map DMVPN-OUT out
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
 neighbor 172.16.(3,4).2 remote-as 2
 neighbor 172.16.(3,4).2 route-map ISP-IN in
 neighbor 172.16.(3,4).2 route-map ISP-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
!
route-map DMVPN-OUT permit 10
 match community 11
!
route-map ISP-OUT permit 10
 match community 10
!
route-map IGP2BGP deny 10
 match tag 225
!
route-map IGP2BGP permit 20
 set community 1:1
!
route-map BGP2IGP permit 10
 match community 11
 set tag 225
!
route-map ISP-IN permit 10
 set community 1:10
!
control-plane
!
end
iBGP over DMVPN: Internet Configuration

version 12.3
!
hostname Internet
!
interface Serial1/0
 ip address 172.17.0.2 255.255.255.252
!
interface Serial2/0
 ip address 172.17.0.6 255.255.255.252
!
interface Serial3/0
 ip address 172.16.1.2 255.255.255.252
!
interface Serial4/0
 ip address 172.16.2.2 255.255.255.252
!
interface Serial5/0
 ip address 172.16.3.2 255.255.255.252
!
interface Serial6/0
 ip address 172.16.4.2 255.255.255.252
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 172.16.1.0 mask 255.255.255.252
 network 172.16.2.0 mask 255.255.255.252
 network 172.16.3.0 mask 255.255.255.252
 network 172.16.4.0 mask 255.255.255.252
 network 172.17.0.0 mask 255.255.255.252
 network 172.17.0.4 mask 255.255.255.252
 neighbor 172.16.1.1 remote-as 1
 neighbor 172.16.2.1 remote-as 1
 neighbor 172.16.3.1 remote-as 1
 neighbor 172.16.4.1 remote-as 1
 neighbor 172.17.0.1 remote-as 1
 neighbor 172.17.0.5 remote-as 1
 no auto-summary
!
end
iBGP over DMVPN: R2 (behind hubs) and RS2 (behind Spoke2) Configuration

R2:

hostname R2
!
interface Loopback0
 ip address 172.20.0.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.0.3 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.10.1 255.255.255.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 172.20.0.0 mask 255.255.255.0
 network 192.168.0.0
 network 192.168.10.0
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs route-reflector-client
 neighbor hubs next-hop-self
 neighbor hubs send-community
 neighbor hubs route-map FROM-DMVPN in
 neighbor 192.168.0.1 peer-group hubs
 neighbor 192.168.0.2 peer-group hubs
 maximum-paths ibgp 4
 no auto-summary
!
ip bgp-community new-format
!
route-map FROM-DMVPN permit 10
 set community 1:20

RS2:

hostname RS2
!
interface Loopback0
 ip address 172.20.2.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.12.1 255.255.255.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 172.20.2.0 mask 255.255.255.0
 network 192.168.2.0
 network 192.168.12.0
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 next-hop-self
 neighbor 192.168.2.1 send-community
 neighbor 192.168.2.1 route-map FROM-DMVPN in
 no auto-summary
!
ip bgp-community new-format
!
route-map FROM-DMVPN permit 10
 set community 1:20
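To see what the community tagging in the Hub1, Spoke1 and R2 listings does in practice, here is an added example (mine, not Cisco's) that models the community-lists and route-maps from those configurations as Python data and walks constructed sample routes through them. The list numbers, community values, metric offsets and tag 225 are the ones from the configurations; the sample prefixes and the 172.16.3.0/30 "ISP route" are constructed for illustration, and the evaluator handles only the match and set clauses those route-maps use.

```python
from dataclasses import dataclass, replace


@dataclass
class Route:
    """A BGP route as far as these route-maps care: prefix, communities, MED, next hop, tag."""
    prefix: str
    communities: frozenset = frozenset()
    metric: int = 0
    next_hop: str = ""
    tag: int = 0


# ip community-list <n> entries, first match wins; a bare 'permit' (None) matches everything.
COMMUNITY_LISTS = {
    1: [("permit", "1:1")],
    2: [("permit", "1:2")],
    10: [("permit", "1:10")],
    11: [("deny", "1:10"), ("permit", None)],
    21: [("deny", "1:20"), ("permit", None)],
}

# route-map entries as (action, match clauses, set clauses), in sequence order.
ROUTE_MAPS = {
    # Hub1 towards spokes / Hub2: drop ISP-learned routes (1:10), set next hop to own tunnel address
    "DMVPN-OUT": [("permit", {"community_list": 11}, {"next_hop": "10.0.0.1"})],
    # Hub1 towards the ISP: only routes carrying the ISP tag
    "ISP-OUT": [("permit", {"community_list": 10}, {})],
    # Hub1 from spokes: 1:1 untouched, 1:2 (Hub2's tag) gets +5000, anything else +7500
    "CMNTY": [("permit", {"community_list": 1}, {}),
              ("permit", {"community_list": 2}, {"metric_add": 5000}),
              ("permit", {}, {"metric_add": 7500})],
    # Hub1 from R2: refuse routes R2 itself learned over DMVPN (1:20), tag the rest 1:1
    "LAN-IN": [("permit", {"community_list": 21}, {"community": "1:1"})],
    # Spoke1 IGP -> BGP: tag 225 marks routes that came out of BGP, so they never go back in
    "IGP2BGP": [("deny", {"tag": 225}, {}), ("permit", {}, {"community": "1:1"})],
    # Spoke1 BGP -> IGP: everything except ISP routes, tagged 225 on the way into EIGRP
    "BGP2IGP": [("permit", {"community_list": 11}, {"tag": 225})],
}


def community_list_matches(list_no, route):
    for action, community in COMMUNITY_LISTS[list_no]:
        if community is None or community in route.communities:
            return action == "permit"
    return False  # implicit deny at the end of every community-list


def entry_matches(match, route):
    if "community_list" in match and not community_list_matches(match["community_list"], route):
        return False
    if "tag" in match and route.tag != match["tag"]:
        return False
    return True  # an entry with no match clauses matches every route


def apply_route_map(name, route):
    """Return the route as modified by the first matching entry, or None if it is dropped."""
    for action, match, sets in ROUTE_MAPS[name]:
        if not entry_matches(match, route):
            continue
        if action == "deny":
            return None
        out = replace(route)
        out.metric += sets.get("metric_add", 0)        # 'set metric +N' is additive
        out.next_hop = sets.get("next_hop", out.next_hop)
        out.tag = sets.get("tag", out.tag)
        if "community" in sets:                         # 'set community X' replaces the list
            out.communities = frozenset({sets["community"]})
        return out
    return None  # fell off the end of the route-map: implicit deny


# Constructed sample routes, already tagged the way the page's inbound policies tag them.
ISP_ROUTE = Route("172.16.3.0/30", frozenset({"1:10"}))               # from AS 2 via ISP-IN
SPOKE1_LAN = Route("192.168.1.0/24", frozenset({"1:1"}), metric=100)  # Spoke1, IGP2BGP
SPOKE2_LAN = Route("192.168.2.0/24", frozenset({"1:2"}), metric=100)  # Spoke2, LAN-IN
R2_REFLECTED = Route("192.168.4.0/24", frozenset({"1:20"}))           # R2, FROM-DMVPN
R2_LOCAL = Route("192.168.10.0/24")


def hub1_policy_report():
    """What each Hub1 policy does to the constructed routes (None = not advertised/accepted)."""
    return {
        "isp_route_to_dmvpn": apply_route_map("DMVPN-OUT", ISP_ROUTE),
        "spoke2_lan_to_dmvpn": apply_route_map("DMVPN-OUT", SPOKE2_LAN),
        "spoke1_lan_to_isp": apply_route_map("ISP-OUT", SPOKE1_LAN),
        "isp_route_to_isp": apply_route_map("ISP-OUT", ISP_ROUTE),
        "spoke1_lan_in": apply_route_map("CMNTY", SPOKE1_LAN),
        "spoke2_lan_in": apply_route_map("CMNTY", SPOKE2_LAN),
        "r2_reflected_in": apply_route_map("LAN-IN", R2_REFLECTED),
        "r2_local_in": apply_route_map("LAN-IN", R2_LOCAL),
    }


def spoke1_redistribution_loop_check():
    """BGP -> EIGRP -> BGP on Spoke1: the tag set by BGP2IGP makes IGP2BGP refuse the route."""
    learned = Route("192.168.2.0/24", frozenset({"1:2"}), metric=5100, next_hop="10.0.0.1")
    in_eigrp = apply_route_map("BGP2IGP", learned)
    back_to_bgp = apply_route_map("IGP2BGP", in_eigrp)
    native = apply_route_map("IGP2BGP", Route("192.168.11.0/24"))  # RS1's own LAN
    return in_eigrp.tag, back_to_bgp, native.communities
```

The report shows the two isolation rules the design relies on: anything tagged 1:10 by ISP-IN never goes out over DMVPN, and anything R2 tagged 1:20 on the way in is refused back at the hubs, so neither ISP routes nor already-reflected routes loop through the VPN. The CMNTY entries give routes tagged for the other hub a higher metric, and the tag-225 pair on Spoke1 stops a BGP route that was redistributed into EIGRP from being redistributed back into BGP.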
iBGP over DMVPN: RS1, RS4 and RS3 Configuration

RS1, RS4 (values in parentheses are RS1, RS4):

hostname (RS1,RS4)
!
interface Loopback0
 ip address 172.20.(1,4).1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.(1,4).2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.(11,14).1 255.255.255.0
!
router eigrp 1
 network 172.20.(1,4).0 0.0.0.255
 network 192.168.(1,4).0
 network 192.168.(11,14).0
 no auto-summary
!

RS3:

hostname RS3
!
interface Loopback0
 ip address 172.20.3.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.3.2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.13.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 172.20.3.0 0.0.0.255
 network 192.168.3.0
 network 192.168.13.0
!
Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
Hierarchical Design
Multiple layers of "Hub-and-Spoke" control plane
  Can use a single mGRE subnet across all nodes
  Best to use multiple mGRE subnets
    Spokes and the central hub have a single mGRE interface
    Distribution hubs have two mGRE interfaces
Use 'nhrp network-id <id>' to "glue" the mGRE interfaces together into a single DMVPN cloud.
Still preserves any-to-any spoke-spoke tunnels
[Diagram: Region 1, Region 2 and Region 3 mGRE subnets, each hanging off the Central mGRE subnet.]
Hierarchical Design
Multiple hub routers at each layer for redundancy
Hub routers in a layer/region
  Configured similarly to each other
  Interconnected as NHSs to each other
  Interconnected as NHSs to the next lower layer of hubs
Routing
  Summarize routes toward spokes (leaves)
  No summarization of routes toward the root (central hub)
  Routes for other mGRE subnets are learned over the tunnel interface
IP Multicast
  A multicast source behind a hub can use a single mGRE subnet
  A multicast source behind a spoke must use multiple mGRE subnets/interfaces
DMVPN Hierarchical Hub (Phase 3)
[Diagram, reconstructed from its labels: Hub 0 at the centre (physical 172.17.0.9, tunnel 10.0.0.1, 192.168.128.0/24 .1); Hub 1 (physical 172.17.0.1, tunnel 10.0.0.8 on the central subnet, Loopback 172.18.0.1, tunnel 10.0.1.8 on its regional subnet, LAN 192.168.8.0/24 .1) and Hub 2 (physical 172.17.0.5, tunnel 10.0.0.16 on the central subnet, Loopback 172.18.0.5, tunnel 10.0.2.16 on its regional subnet, LAN 192.168.16.0/24) as regional hubs; Spoke 1 (physical 172.16.1.1, tunnel 10.0.1.11, LAN 192.168.11.0/24 .1) under Hub 1; Spoke 2 (physical 172.16.2.1, tunnel 10.0.2.18, LAN 192.168.18.0/24 .1) and Spoke 3 (physical 172.16.3.1, tunnel 10.0.2.19, LAN 192.168.19.0/24 .1) under Hub 2. Legend: mGRE subnet 10.0.0.0/24, mGRE subnet 10.0.1.0/24, mGRE subnet 10.0.2.0/24, dynamic spoke to spoke.]
DMVPN Hierarchical Hub: Central Hub Configuration

version 12.2
!
hostname Hub0
!
ip cef
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.128.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface Serial1/0
 ip address 172.17.0.9 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 192.168.0.0 255.255.192.0
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0
 network 192.168.100.0
 network 192.168.128.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 172.17.0.10
DMVPN Hierarchical Hub: Regional Hub1 Configuration

version 12.2
!
hostname Hub1
!
ip cef
!
interface Loopback0
 ip address 192.168.101.1 255.255.255.0
!
interface Loopback1
 ip address 172.18.0.1 255.255.255.252
!
interface Ethernet0/0
 ip address 192.168.8.1 255.255.255.0
!
interface Serial1/0
 ip address 172.17.0.1 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.8 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.9
 ip nhrp map 10.0.0.1 172.17.0.9
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip nhrp redirect
 ip summary-address eigrp 1 192.168.8.0 255.255.248.0
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
interface Tunnel1
 bandwidth 1000
 ip address 10.0.1.8 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 192.168.8.0 255.255.248.0
 ip summary-address eigrp 1 192.168.100.0 255.255.252.0
 delay 1000
 tunnel source Loopback1
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 network 192.168.8.0
 network 192.168.101.0
!
ip route 0.0.0.0 0.0.0.0 172.17.0.2
DMVPN Hierarchical Hub: Regional Hub2 Configuration

version 12.2
!
hostname Hub2
!
ip cef
!
interface Loopback0
 ip address 192.168.102.1 255.255.255.0
!
interface Loopback1
 ip address 172.18.0.5 255.255.255.252
!
interface Ethernet0/0
 ip address 192.168.16.1 255.255.255.0
!
interface Serial1/0
 ip address 172.17.0.5 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.16 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.9
 ip nhrp map 10.0.0.1 172.17.0.9
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip nhrp redirect
 ip summary-address eigrp 1 192.168.16.0 255.255.248.0
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
interface Tunnel2
 bandwidth 1000
 ip address 10.0.2.16 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 192.168.16.0 255.255.248.0
 ip summary-address eigrp 1 192.168.100.0 255.255.252.0
 delay 1100
 tunnel source Loopback1
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
 network 192.168.16.0
 network 192.168.102.0
!
ip route 0.0.0.0 0.0.0.0 172.17.0.6
DMVPN Hierarchical Hub: Spoke1 Configuration

version 12.2
!
hostname Spoke1
!
ip cef
!
interface Ethernet0/0
 ip address 192.168.11.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.1.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.1.8 172.18.0.1
 ip nhrp map multicast 172.18.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.1.8
 ip nhrp shortcut
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.1.0 0.0.0.255
 network 192.168.11.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
DMVPN Hierarchical Hub: Spoke2 Configuration

version 12.2
!
hostname Spoke2
!
ip cef
!
interface Ethernet0/0
 ip address 192.168.18.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.2.1 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.2.18 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.2.16 172.18.0.5
 ip nhrp map multicast 172.18.0.5
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.2.16
 ip nhrp shortcut
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.2.0 0.0.0.255
 network 192.168.18.0
!
ip route 0.0.0.0 0.0.0.0 172.16.2.2
DMVPN Hierarchical Hub: Spoke3 Configuration

version 12.2
!
hostname Spoke3
!
ip cef
!
interface Ethernet0/0
 ip address 192.168.19.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.3.1 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.2.19 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.2.16 172.18.0.5
 ip nhrp map multicast 172.18.0.5
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.2.16
 ip nhrp shortcut
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.2.0 0.0.0.255
 network 192.168.19.0
!
ip route 0.0.0.0 0.0.0.0 172.16.3.2
DMVPN Hierarchical Hub (12.4T): Spoke2 – Before spoke-spoke tunnels

NHRP:
10.0.2.16/32 via 10.0.2.16
   Tunnel0 created 1d01h, never expire
   Type: static, Flags: used
   NBMA address: 172.18.0.5

Routing Table:
D 192.168.128.0/24 [90/3200000] via 10.0.2.16, 1d01h, Tunnel0
C 192.168.18.0/24 is directly connected, Ethernet0/0
D 192.168.0.0/18 [90/3968000] via 10.0.2.16, 1d01h, Tunnel0
D 192.168.16.0/21 [90/3456000] via 10.0.2.16, 1d01h, Tunnel0

CEF:
192.168.0.0/18 10.0.2.16 Tunnel0
192.168.16.0/21 10.0.2.16 Tunnel0
192.168.18.0/24 attached Ethernet0/0
192.168.128.0/24 10.0.2.16 Tunnel0

Adjacency:
IP Tunnel0 10.0.2.16(16)
DMVPN Hierarchical Hub (12.4T): Spoke2 – Ping to Spoke1 and Hub0

Spoke2 to Spoke1:
#ping 192.168.11.1 source 192.168.18.1
Sending 10, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 16/54/80 ms
#traceroute 192.168.11.1 source 192.168.18.1 numeric
Tracing the route to 192.168.11.1
  1 10.0.1.11 32 msec * 28 msec

Spoke2 to Hub0:
#ping 192.168.128.1 source 192.168.18.1 repeat 10
Sending 10, 100-byte ICMP Echos to 192.168.128.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 20/28/48 ms
#traceroute 192.168.128.1 source 192.168.18.1 numeric
Tracing the route to 192.168.128.1
  1 10.0.0.1 24 msec * 28 msec
DMVPN Hierarchical Hub (12.4T): Spoke2 – After spoke-spoke tunnels

NHRP:
(Mapping for tunnel to Hub0)
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:00:25, expire 00:05:34
   Type: dynamic, Flags: router implicit
   NBMA address: 172.17.0.9
(Mapping for tunnel to Spoke1)
10.0.1.11/32 via 10.0.1.11
   Tunnel0 created 00:00:06, expire 00:05:53
   Type: dynamic, Flags: router implicit
   NBMA address: 172.16.1.1
(Static mapping to NHS (Hub2))
10.0.2.16/32 via 10.0.2.16
   Tunnel0 created 1d01h, never expire
   Type: static, Flags: used
   NBMA address: 172.18.0.5
(Mapping for tunnel to Spoke1)
192.168.11.0/24 via 10.0.1.11
   Tunnel0 created 00:00:06, expire 00:05:53
   Type: dynamic, Flags: router used
   NBMA address: 172.16.1.1
(Local entry)
192.168.18.0/24 via 10.0.2.18
   Tunnel0 created 00:00:25, expire 00:05:53
   Type: dynamic, Flags: router unique local
   NBMA address: 172.16.2.1
   (no-socket)
(Mapping for tunnel to Hub0)
192.168.128.0/24 via 10.0.0.1
   Tunnel0 created 00:00:25, expire 00:05:34
   Type: dynamic, Flags: router
   NBMA address: 172.17.0.9
DMVPN Hierarchical Hub (12.4T): Spoke2 – After spoke-spoke tunnels (cont)

Routing Table (no change):
D 192.168.128.0/24 [90/3200000] via 10.0.2.16, 1d01h, Tunnel0
C 192.168.18.0/24 is directly connected, Ethernet0/0
D 192.168.0.0/18 [90/3968000] via 10.0.2.16, 1d01h, Tunnel0
D 192.168.16.0/21 [90/3456000] via 10.0.2.16, 1d01h, Tunnel0

CEF (no change):
192.168.0.0/18 10.0.2.16 Tunnel0
192.168.16.0/21 10.0.2.16 Tunnel0
192.168.18.0/24 attached Ethernet0/0
192.168.128.0/24 10.0.2.16 Tunnel0

Adjacency:
IP Tunnel0 10.0.0.1(5)      (adjacency for Hub0)
IP Tunnel0 10.0.1.11(5)     (adjacency for Spoke1)
IP Tunnel0 10.0.2.16(16)    (adjacency for Hub2)
DMVPN Hierarchical Hub (12.2(33)XNE): Changes for ASR1K

Routes for the other mGRE subnets must be directly connected for CEF switching to work.
Currently this must be done with static connected routes.

Hub0:
ip route 10.0.1.0 255.255.255.0 Tunnel0
ip route 10.0.2.0 255.255.255.0 Tunnel0

Hub1:
ip route 10.0.2.0 255.255.255.0 Tunnel0

Hub2:
ip route 10.0.1.0 255.255.255.0 Tunnel0

Spoke1:
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.2.0 255.255.255.0 Tunnel0

Spoke2:
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.1.0 255.255.255.0 Tunnel0

Spoke3:
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.1.0 255.255.255.0 Tunnel0
DMVPN Hierarchical Hub (12.2(33)XNE): Spoke2 – Before spoke-spoke tunnels

NHRP:
10.0.2.16/32 via 10.0.2.16
   Tunnel0 created 1w0d, never expire
   Type: static, Flags: used
   NBMA address: 172.18.0.5

Routing Table:
S 10.0.0.0/24 is directly connected, Tunnel0
S 10.0.1.0/24 is directly connected, Tunnel0
C 10.0.2.0/24 is directly connected, Tunnel0
L 10.0.2.18/32 is directly connected, Tunnel0
D 192.168.0.0/18 [90/3635200] via 10.0.2.16, 5d21h, Tunnel0
D 192.168.16.0/21 [90/3123200] via 10.0.2.16, 5d21h, Tunnel0
C 192.168.18.0/24 is directly connected, Ethernet0/0
L 192.168.18.1/32 is directly connected, Ethernet0/0
D 192.168.128.0/24 [90/3200000] via 10.0.2.16, 1w0d, Tunnel0

CEF:
10.0.0.0/24 attached Tunnel0
10.0.1.0/24 attached Tunnel0
10.0.2.0/24 attached Tunnel0
10.0.2.16/32 attached Tunnel0
10.0.2.18/32 receive Tunnel0
192.168.0.0/18 10.0.2.16 Tunnel0
192.168.16.0/21 10.0.2.16 Tunnel0
192.168.18.0/24 attached Ethernet0/0
192.168.18.1/32 receive Ethernet0/0
192.168.128.0/24 10.0.2.16 Tunnel0

Adjacency:
IP Tunnel0 10.0.2.16(15)
DMVPN Hierarchical Hub (12.2(33)XNE): Spoke2 – Ping to Spoke1 and Hub0

Spoke2 to Spoke1:
#ping 192.168.11.1 source 192.168.18.1 repeat 20
Sending 20, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 20/41/85 ms
#traceroute 192.168.11.1 source 192.168.18.1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.11.1
  1 10.0.1.11 24 msec * 28 msec

Spoke2 to Hub0:
#ping 192.168.128.1 source 192.168.18.1 repeat 20
Sending 20, 100-byte ICMP Echos to 192.168.128.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 16/25/64 ms
#traceroute 192.168.128.1 source 192.168.18.1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.128.1
  1 10.0.0.1 40 msec * 20 msec
DMVPN Hierarchical Hub (12.2(33)XNE): Spoke2 – After spoke-spoke tunnels

NHRP (flag 'rib' = entry installed in the routing table; 'rib nho' = installed as a next-hop override):
(Mapping for tunnel to Hub0)
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:01:17, expire 00:04:42
   Type: dynamic, Flags: router implicit
   NBMA address: 172.17.0.9
(Mapping for tunnel to Spoke1)
10.0.1.11/32 via 10.0.1.11
   Tunnel0 created 00:00:38, expire 00:05:21
   Type: dynamic, Flags: router implicit used
   NBMA address: 172.16.1.1
(Static mapping to NHS (Hub2))
10.0.2.16/32 via 10.0.2.16
   Tunnel0 created 00:06:24, never expire
   Type: static, Flags: used
   NBMA address: 172.18.0.5
(Mapping for tunnel to Spoke1; entered in routing table: rib)
192.168.11.0/24 via 10.0.1.11
   Tunnel0 created 00:00:36, expire 00:05:23
   Type: dynamic, Flags: router used rib
   NBMA address: 172.16.1.1
(Local entry)
192.168.18.0/24 via 10.0.2.18
   Tunnel0 created 00:01:17, expire 00:05:21
   Type: dynamic, Flags: router unique local
   NBMA address: 172.16.2.1
   (no-socket)
(Mapping for tunnel to Hub0; entered in routing table: rib nho)
192.168.128.0/24 via 10.0.0.1
   Tunnel0 created 00:01:16, expire 00:04:43
   Type: dynamic, Flags: router rib nho
   NBMA address: 172.17.0.9
DMVPN Hierarchical Hub (12.2(33)XNE): Spoke2 – After spoke-spoke tunnels (cont)

Routing Table:
S 10.0.0.0/24 is directly connected, Tunnel0
S 10.0.1.0/24 is directly connected, Tunnel0
C 10.0.2.0/24 is directly connected, Tunnel0
L 10.0.2.18/32 is directly connected, Tunnel0
D 192.168.0.0/18 [90/3635200] via 10.0.2.16, 00:06:28, Tunnel0
H 192.168.11.0/24 [250/1] via 10.0.1.11, 00:00:47
D 192.168.16.0/21 [90/3123200] via 10.0.2.16, 00:06:28, Tunnel0
C 192.168.18.0/24 is directly connected, Ethernet0/0
L 192.168.18.1/32 is directly connected, Ethernet0/0
D % 192.168.128.0/24 [90/3200000] via 10.0.2.16, 00:06:28, Tunnel0
      [NHO][90/1] via 10.0.0.1, 00:01:27, Tunnel0

CEF:
10.0.0.0/24 attached Tunnel0
10.0.0.1/32 attached Tunnel0
10.0.1.0/24 attached Tunnel0
10.0.1.11/32 attached Tunnel0
10.0.2.0/24 attached Tunnel0
10.0.2.16/32 attached Tunnel0
10.0.2.18/32 receive Tunnel0
192.168.0.0/18 10.0.2.16 Tunnel0
192.168.11.0/24 10.0.1.11 Tunnel0
192.168.16.0/21 10.0.2.16 Tunnel0
192.168.18.0/24 attached Ethernet0/0
192.168.18.1/32 receive Ethernet0/0
192.168.128.0/24 10.0.0.1 Tunnel0

Adjacency:
IP Tunnel0 10.0.0.1(11)
IP Tunnel0 10.0.1.11(10)
IP Tunnel0 10.0.2.16(14)

Callouts: the NHRP route "H 192.168.11.0/24 [250/1] via 10.0.1.11" and its CEF entry "192.168.11.0/24 10.0.1.11 Tunnel0" come from the NHRP mapping flagged 'rib'; the '%' marker on 192.168.128.0/24 and the "[NHO][90/1] via 10.0.0.1" line are the NHRP next-hop override, which CEF follows ("192.168.128.0/24 10.0.0.1 Tunnel0").
Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features: IPv6 Phase 1, NAT, Per-Tunnel QoS, MIBs
IPv6 Phase 1

IPv6 packets over DMVPN IPv4 tunnels; introduced in IOS release 12.4(20)T
IPv4 infrastructure network
IPv6 and/or IPv4 data packets over the same IPv4 GRE tunnel
Configure IPv6 just like on other interfaces; complete set of NHRP commands:
network-id, holdtime, authentication, map, etc.
NHRP registers two addresses:
Link-local for the routing protocol (automatic or manual)
Unicast global for packet forwarding (mandatory)
IPv6 Phase 1: Configuration

Hub:
ipv6 unicast-routing
ipv6 cef
…
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 ipv6 address 2001:DB8:0:100::1/64
 ipv6 mtu 1400
 ipv6 eigrp 1
 no ipv6 split-horizon eigrp 1
 ipv6 nhrp authentication testv6
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp redirect
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 ipv6 address 2001:DB8::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

Spoke:
ipv6 unicast-routing
ipv6 cef
…
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ipv6 address 2001:DB8:0:100::B/64
 ipv6 mtu 1400
 ipv6 eigrp 1
 ipv6 nhrp authentication testv6
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp map 2001:DB8:0:100::1/128 172.17.0.1
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:DB8:0:100::1
 ipv6 nhrp shortcut
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 eigrp 1
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown
IPv6 Phase 1: 'show ipv6 nhrp'

Spoke:
2001:DB8:0:100::1/128 via 2001:DB8:0:100::1
   Tunnel0 created 1d16h, never expire
   Type: static, Flags: used
   NBMA address: 172.17.0.1
FE80::A8BB:CCFF:FE00:6400/128 via FE80::A8BB:CCFF:FE00:6400
   Tunnel0 created 1d16h, expire 00:04:59
   Type: dynamic, Flags:
   NBMA address: 172.17.0.1

Hub:
2001:DB8:0:100::B/128 via 2001:DB8:0:100::B
   Tunnel0 created 1d16h, expire 00:04:58
   Type: dynamic, Flags: unique registered used
   NBMA address: 172.16.1.1
FE80::A8BB:CCFF:FE00:C800/128 via 2001:DB8:0:100::B
   Tunnel0 created 1d16h, expire 00:04:58
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.1.1
DMVPN and NAT-T: Spoke-Spoke, Phase 2 & 3 (12.4(6)T)

Spoke-spoke dynamic tunnels are now supported to/from NAT-translated spokes.
The hub reports the spoke's outside NAT IP address back to the spoke in the NHRP registration reply.
The spoke's outside NAT IP address is passed in NHRP resolution request and reply packets.
Spokes use the remote spoke's outside NAT IP address to build the spoke-to-spoke tunnel.
Two spokes behind the same NAT node: each must be NAT-translated to a unique outside NAT IP address.
The NAT node must support spokes using the outside NAT IP address to reach each other (traffic loops through the NAT node).
If the spoke-spoke tunnel does not come up, traffic continues to be forwarded via the hub.
DMVPN and NAT-T

(Figure: NAT-T topology, reconstructed from the slide's labels)

Hub:     Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24
Spoke A: Physical (dynamic) 172.16.1.1, Tunnel0 10.0.0.11, LAN 192.168.1.1/24
Spoke C: Physical (dynamic) 172.16.3.1, Tunnel0 10.0.0.13, LAN 192.168.3.1/24; NAT: 172.16.3.1 -> 172.18.0.3

NHRP mapping (* = NAT-T) and Crypto Map Table peers:
Hub:     10.0.0.11 172.16.1.1; 10.0.0.13 172.18.0.3* (172.16.3.1)          Peers: 172.16.1.1, 172.18.0.3
Spoke A: 10.0.0.1 172.17.0.1; 10.0.0.13 ? -> 10.0.0.13 172.18.0.3* (172.16.3.1)   Peers: 172.17.0.1, 172.18.0.3
Spoke C: 10.0.0.1 172.17.0.1; 10.0.0.11 172.16.1.1                        Peers: 172.17.0.1, 172.16.1.1
DMVPN and NAT-T: Registrations
NHRP: Send Registration Request via Tunnel0 vrf 0, src: 10.0.0.13, dst: 10.0.0.1
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "unique nat", src NBMA: 172.16.3.1, src protocol: 10.0.0.13, dst protocol: 10.0.0.1
(C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
Responder Address Extension(3):
Forward Transit NHS Record Extension(4):
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT Address Extension (9): (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
NHRP: Send Registration Reply via Tunnel0 vrf 0, src: 10.0.0.1, dst: 10.0.0.13
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "unique nat", src NBMA: 172.16.3.1, src protocol: 10.0.0.13, dst protocol: 10.0.0.1
(C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
Responder Address Extension(3):
(C) prefix: 0, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
Forward Transit NHS Record Extension(4):
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT Address Extension(9): (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
(C-2) prefix: 32, client NBMA: 172.18.0.3, client protocol: 10.0.0.13
DMVPN and NAT-T: Phase 3 – Resolutions

NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84, src: 10.0.0.11, dst: 10.0.0.1
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "router auth src-stable nat ", reqid: 164
    src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.13
    (C-1) code: no error(0) prefix: 0, mtu: 1514, hd_time: 360
Responder Address Extension(3):
Forward Transit NHS Record Extension(4):
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT address Extension(9):

NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 152, src: 10.0.0.13, dst: 10.0.0.11
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "router auth dst-stable unique src-stable nat ", reqid: 164
    src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.13
    (C-1) code: no error(0), prefix: 32, mtu: 1514, hd_time: 360,
          client NBMA: 172.16.3.1, client protocol: 10.0.0.13
Responder Address Extension(3):
    (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
        client NBMA: 172.16.3.1, client protocol: 10.0.0.13
Forward Transit NHS Record Extension(4):
    client NBMA: 172.17.0.1, client protocol: 10.0.0.1
Reverse Transit NHS Record Extension(5):
Authentication Extension(7): type:Cleartext(1), data:test
NAT Address Extension (9): (C-1) prefix: 32, client NBMA: 172.18.0.3, client protocol: 10.0.0.13
Per-tunnel QoS – 12.4(22)T

QoS per tunnel (spoke) on the hub: a dynamically selected hierarchical (parent/child) QoS policy.
Spoke: configure an NHRP group name.
Hub: NHRP group name mapped to a QoS template policy.
Multiple spokes with the same NHRP group are mapped to individual instances of the same QoS template policy.
The QoS policy is applied at the outbound physical interface; classification is done before GRE encapsulation by the tunnel:
ACL match against the data IP packet.
'qos pre-classify' is not configured on the tunnel interface.
Shaping/policing is done on the physical interface after IPsec encryption.
Can't have a separate aggregate QoS policy on the physical interface.
Per-tunnel QoS: Configurations

Hub:
class-map match-all typeA_voice
 match access-group 100
class-map match-all typeB_voice
 match access-group 100
class-map match-all typeA_Routing
 match ip precedence 6
class-map match-all typeB_Routing
 match ip precedence 6
policy-map typeA
 class typeA_voice
  priority 1000
 class typeA_Routing
  bandwidth percent 20
policy-map typeB
 class typeB_voice
  priority percent 20
 class typeB_Routing
  bandwidth percent 10
policy-map typeA_parent
 class class-default
  shape average 3000000
  service-policy typeA
policy-map typeB_parent
 class class-default
  shape average 2000000
  service-policy typeB

Hub (cont):
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 …
 ip nhrp map group typeA service-policy output typeA_parent
 ip nhrp map group typeB service-policy output typeB_parent
 …
 ip nhrp redirect
 no ip split-horizon eigrp 100
 ip summary-address eigrp 100 192.168.0.0 255.255.192.0 5
 …

Spoke1:
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 …
 ip nhrp group typeA
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1
 …

Spoke2:
interface Tunnel0
 ip address 10.0.0.12 255.255.255.0
 …
 ip nhrp group typeB
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1
 …

Spoke3:
interface Tunnel0
 ip address 10.0.0.13 255.255.255.0
 …
 ip nhrp group typeA
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1
 …
Per-tunnel QoS: QoS Output

Hub#show ip nhrp
10.0.0.11/32 via 10.0.0.11
   Tunnel0 created 21:24:03, expire 00:04:01
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.1.1
   Group: typeA
10.0.0.12/32 via 10.0.0.12
   Tunnel0 created 21:22:33, expire 00:05:30
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.2.1
   Group: typeB
10.0.0.13/32 via 10.0.0.13
   Tunnel0 created 00:09:04, expire 00:04:05
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.3.1
   Group: typeA

Hub#show ip nhrp group-map
Interface: Tunnel0
  NHRP group: typeA
    QoS policy: typeA_parent
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
    10.0.0.11/172.16.1.1
    10.0.0.13/172.16.3.1
  NHRP group: typeB
    QoS policy: typeB_parent
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
    10.0.0.12/172.16.2.1

Hub#show policy-map multipoint tunnel 0 <spoke> output
Interface Tunnel0 172.16.1.1
  Service-policy output: typeA_parent
    Class-map: class-default (match-any)
      19734 packets, 6667163 bytes
      shape (average) cir 3000000, bc 12000, be 12000
      Service-policy : typeA
        Class-map: typeA_voice (match-all)
          3737 packets, 4274636 bytes
        Class-map: typeA_Routing (match-all)
          14424 packets, 1269312 bytes
        Class-map: class-default (match-any)
          1573 packets, 1123215 bytes
Interface Tunnel0 172.16.2.1
  Service-policy output: typeB_parent
    Class-map: class-default (match-any)
      11420 packets, 1076898 bytes
      shape (average) cir 2000000, bc 8000, be 8000
      Service-policy : typeB
        Class-map: typeB_voice (match-all)
          1005 packets, 128640 bytes
        Class-map: typeB_Routing (match-all)
          10001 packets, 880088 bytes
        Class-map: class-default (match-any)
          414 packets, 68170 bytes
Interface Tunnel0 172.16.3.1
  Service-policy output: typeA_parent
    Class-map: class-default (match-any)
      5458 packets, 4783903 bytes
      shape (average) cir 3000000, bc 12000, be 12000
      Service-policy : typeA
        Class-map: typeA_voice (match-all)
          4914 packets, 4734392 bytes
        Class-map: typeA_Routing (match-all)
          523 packets, 46004 bytes
        Class-map: class-default (match-any)
          21 packets, 14995 bytes
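The per-tunnel QoS slides above give a hub with per-group parent shapers and a set of registered spokes. As an added example, not code from the deck, this Python check reads the hub's parent policy-maps and `ip nhrp map group` lines together with `show ip nhrp`, and reports the shaper each registered spoke gets, the summed committed rate against the physical uplink the shapers share (the slide's point that no separate aggregate policy can sit on the physical interface), and any spoke that registered with a group the hub does not map to a policy. The inputs are constructed, abridged copies of the slide's configuration and output; spoke 10.0.0.14 in the unmapped group typeC is added here to show that failure case, and the uplink rate is a parameter.

```python
"""Added example, not code from the Cisco deck: cross-check a hub's per-tunnel
QoS. It reads the parent policy-maps and 'ip nhrp map group' lines from the hub
config plus 'show ip nhrp', then reports the shaper each registered spoke gets,
the total committed rate, and spokes whose NHRP group has no policy mapped.
Inputs are constructed, abridged copies of the slides; spoke 10.0.0.14 in
group typeC is added to show an unmapped group."""
import re

HUB_CONFIG = """\
policy-map typeA_parent
 class class-default
  shape average 3000000
  service-policy typeA
policy-map typeB_parent
 class class-default
  shape average 2000000
  service-policy typeB
interface Tunnel0
 ip nhrp map group typeA service-policy output typeA_parent
 ip nhrp map group typeB service-policy output typeB_parent
"""
SHOW_IP_NHRP = """\
10.0.0.11/32 via 10.0.0.11
   NBMA address: 172.16.1.1
   Group: typeA
10.0.0.12/32 via 10.0.0.12
   NBMA address: 172.16.2.1
   Group: typeB
10.0.0.14/32 via 10.0.0.14
   NBMA address: 172.16.4.1
   Group: typeC
"""
GROUP_RE = re.compile(r"ip nhrp map group (\S+) service-policy output (\S+)")

def parse_hub_config(config):
    """Return ({parent policy: shape average in bps}, {NHRP group: parent policy})."""
    shape, groups, policy = {}, {}, None
    for line in config.splitlines():
        t = line.strip()
        if t.startswith("policy-map "):
            policy = t.split()[1]
        elif t.startswith("shape average ") and policy:
            shape[policy] = int(t.split()[2])
        elif m := GROUP_RE.match(t):
            groups[m.group(1)] = m.group(2)
    return shape, groups

def parse_show_ip_nhrp(text):
    """Return one dict per registered spoke: tunnel address, NBMA, NHRP group."""
    spokes, cur = [], None
    for line in text.splitlines():
        t = line.strip()
        if m := re.match(r"(\S+)/32 via \S+$", t):
            cur = {"tunnel": m.group(1), "nbma": None, "group": None}
            spokes.append(cur)
        elif cur and t.startswith("NBMA address:"):
            cur["nbma"] = t.split()[-1]
        elif cur and t.startswith("Group:"):
            cur["group"] = t.split()[-1]
    return spokes

def qos_report(shape, groups, spokes, uplink_bps):
    """Per-spoke shaper (None when the group is unmapped), the summed CIR, and
    whether that sum exceeds the physical uplink the shapers share."""
    rows, total, unmapped = {}, 0, []
    for s in spokes:
        policy = groups.get(s["group"])
        cir = shape.get(policy)
        rows[s["tunnel"]] = (s["nbma"], s["group"], policy, cir)
        if cir is None:
            unmapped.append(s["tunnel"])
        else:
            total += cir
    return {"spokes": rows, "committed_bps": total, "unmapped": unmapped,
            "oversubscribed": total > uplink_bps}
```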
Per-tunnel QoS: Scaling – 7200 NPE-G1/VAM2+

Stable CPU Utilization
Tunnels/Active   No traffic   28 Mbps   38 Mbps   47.6 Mbps
500/150          9%           41%       52%       64%
600/180          12%          49%       62%       75%
700/210          14%          53%       73%       85%

Unstable CPU Utilization
Tunnels/Active   No traffic   28 Mbps    38 Mbps    47.6 Mbps
500/150          N/A          43%        52%        64%
600/180          N/A          51%        68%(99%)   78%(99%)
700/210          N/A          53%(99%)   76%(99%)   99%(flapping)

Key
1) Tunnels/Active = number of tunnels versus number of active shapers.
2) "Unstable" corresponds to detaching and re-attaching the service policy on the tunnels.
3) All CPU values are observed steady-state values; (99%) in parentheses means CPU was at 99% for a while before stabilizing.
4) Original EC = 700/210 @ 47.6 Mbps <= 80% CPU under unstable conditions (presumably).
5) For 7200 NPE-G2/VSA low scale numbers, CSCsu73714 filed.
NHRP MIB and SYSLog Extensions 15.0(1)M

NHRP Extension MIB: an extension of the NHRP MIB (RFC 2677)
Defines notifications for critical events in NHRP (RFC 2332):
NHServer and NHClient (up/down); NHPeer (up/down); RateLimitExceeded; NHRP Errors
Cisco proprietary enhancements to the protocol:
NHRP Redirect
SYSLog Extension: NHServer, NHClient, NHPeer (up/down)
DMVPN Crypto Session (up/down)
NHRP Resolution (receive/reply/timeout/fail)
NHRP Max Send
NHRP Errors: (Send, Multicast, Encap)
Thank you.