DMVPN Phase 3 with EIGRP

Last updated: March 21, 2015

You must load the initial configuration files for the section, DMVPN, which can be found in CCIE R&S v5 Topology Diagrams & Initial Configurations.

Task

  • Create a DMVPN Phase 3 network between R1 and R5 as follows:
    • R1 - R4 are the DMVPN spokes.
    • R5 is the DMVPN Hub, and the NHRP Next-Hop Server (NHS).
    • Source the tunnel from the routers' GigabitEthernet1.100 interface.
    • Use IP addressing in the format 155.1.0.Y/24, where Y is the router number.
    • Use an NHRP network ID of 1.
    • Use an NHRP authentication string of NHRPAUTH.
    • Use GRE tunnel key of 2.
    • Configure the DMVPN Hub to redirect NHRP requests for spoke-to-spoke resolutions.
    • Configure the DMVPN Spokes to be able to install NHRP shortcut routes for spoke-to-spoke routing.
    • Ensure that the spokes can send multicast traffic to the hub, and vice versa.
    • To prevent the tunnel endpoints from having to do IPsec fragmentation, configure the GRE tunnel's IP MTU to 1400 bytes, and set them to adjust the TCP MSS accordingly.
  • Configure IGP routing over the DMVPN tunnel as follows:
    • Enable EIGRP in Multi-AF mode using AS 100 on the DMVPN tunnel on R1 - R5.
    • All links should be passive interfaces except the DMVPN tunnel.
    • Advertise the routers' Loopback0 networks into EIGRP.
    • Configure R5 to advertise only a default route out the DMVPN tunnel.
  • Configure IPsec over the DMVPN tunnels as follows:
    • Use an ISAKMP Policy with the following options:
      • Pre-Shared Key: DMVPN_PSK
      • Encryption: AES 128 Bit
      • Hash: SHA 256 Bit
      • Diffie-Hellman Group: 16
      • Use a single wildcard Pre-Shared Key for all DMVPN peers.
    • Use a Crypto IPsec Profile named DMVPN_PROFILE with the following options:
      • Encrypt the traffic using AES 256 Bit.
      • Authenticate the traffic using SHA 512 Bit.
      • Use ESP Transport mode to save additional encapsulation overhead.
  • When complete, ensure that R1 - R5 can reach each other's Loopback0 networks over the DMVPN network.
  • Additionally, ensure that spoke-to-spoke traffic does not transit the hub after initial NHRP mappings are formed.

Configuration

R1:
crypto isakmp policy 10
 encr aes 128
 hash sha256
 authentication pre-share
 group 16
!
crypto isakmp key DMVPN_PSK address 0.0.0.0   
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-256-SHA-512
!
interface Tunnel0
 ip address 155.1.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPAUTH
 ip nhrp map 155.1.0.5 169.254.100.5
 ip nhrp map multicast 169.254.100.5
 ip nhrp network-id 1 
 ip nhrp nhs 155.1.0.5
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE
 ip nhrp shortcut
 no shutdown
!
router eigrp DMVPN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel0
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family


R2:
crypto isakmp policy 10
 encr aes 128
 hash sha256
 authentication pre-share
 group 16
!
crypto isakmp key DMVPN_PSK address 0.0.0.0   
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-256-SHA-512
!
interface Tunnel0
 ip address 155.1.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPAUTH
 ip nhrp map 155.1.0.5 169.254.100.5
 ip nhrp map multicast 169.254.100.5
 ip nhrp network-id 1 
 ip nhrp nhs 155.1.0.5
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE
 ip nhrp shortcut
 no shutdown
!
router eigrp DMVPN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel0
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family


R3:
crypto isakmp policy 10
 encr aes 128
 hash sha256
 authentication pre-share
 group 16
!
crypto isakmp key DMVPN_PSK address 0.0.0.0   
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-256-SHA-512
!
interface Tunnel0
 ip address 155.1.0.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPAUTH
 ip nhrp map 155.1.0.5 169.254.100.5
 ip nhrp map multicast 169.254.100.5
 ip nhrp network-id 1 
 ip nhrp nhs 155.1.0.5
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE
 ip nhrp shortcut
 no shutdown
!
router eigrp DMVPN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel0
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family


R4:
crypto isakmp policy 10
 encr aes 128
 hash sha256
 authentication pre-share
 group 16
!
crypto isakmp key DMVPN_PSK address 0.0.0.0   
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-256-SHA-512
!
interface Tunnel0
 ip address 155.1.0.4 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPAUTH
 ip nhrp map 155.1.0.5 169.254.100.5
 ip nhrp map multicast 169.254.100.5
 ip nhrp network-id 1 
 ip nhrp nhs 155.1.0.5
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE
 ip nhrp shortcut
 no shutdown
!
router eigrp DMVPN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel0
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family


R5:
crypto isakmp policy 10
 encr aes 128
 hash sha256
 authentication pre-share
 group 16
!
crypto isakmp key DMVPN_PSK address 0.0.0.0   
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-256-SHA-512
!
interface Tunnel0
 ip address 155.1.0.5 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPAUTH
 ip nhrp map multicast dynamic
 ip nhrp network-id 1 
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE
 ip nhrp redirect
 no shutdown
!
router eigrp DMVPN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel0
   no passive-interface
   summary-address 0.0.0.0 0.0.0.0
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family
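The configurations above implement the Task requirements by hand on five routers, which is where a typo (a missing tunnel protection line, an MSS that no longer matches the tunnel MTU) slips in unnoticed. The following Python script is an added example, not part of the original workbook: it audits an IOS configuration excerpt against the crypto and NHRP requirements stated in the Task, using R1's configuration from this page (abridged) as a constructed sample. The check names and regexes are this example's own.

```python
"""Audit a Cisco IOS DMVPN spoke config against this task's crypto and NHRP
requirements. Added example, not part of the original workbook."""
import re

# Constructed sample: R1's configuration from this page, abridged to the
# lines the checks inspect.
SAMPLE_R1 = """
crypto isakmp policy 10
 encr aes 128
 hash sha256
 authentication pre-share
 group 16
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac
 mode transport
interface Tunnel0
 ip mtu 1400
 ip nhrp authentication NHRPAUTH
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE
 ip nhrp shortcut
"""

# (check name, regex that must match a line of the config)
REQUIRED = [
    ("isakmp_aes128", r"^ encr aes 128$"),
    ("isakmp_sha256", r"^ hash sha256$"),
    ("isakmp_dh16", r"^ group 16$"),
    ("ipsec_aes256_sha512", r"^crypto ipsec transform-set \S+ esp-aes 256 esp-sha512-hmac$"),
    ("ipsec_transport", r"^ mode transport$"),
    ("nhrp_auth", r"^ ip nhrp authentication \S+$"),
    ("tunnel_protected", r"^ tunnel protection ipsec profile \S+$"),
]

def audit(config: str) -> dict:
    """Map each check name to pass/fail. The extra MTU/MSS check requires
    MSS == tunnel IP MTU - 40 (IPv4 + TCP headers), else TCP gets fragmented."""
    results = {name: bool(re.search(pat, config, re.M)) for name, pat in REQUIRED}
    mtu = re.search(r"^ ip mtu (\d+)$", config, re.M)
    mss = re.search(r"^ ip tcp adjust-mss (\d+)$", config, re.M)
    results["mss_matches_mtu"] = bool(
        mtu and mss and int(mss.group(1)) == int(mtu.group(1)) - 40)
    return results

def failures(config: str) -> list:
    """Names of failed checks; empty when the configuration is compliant."""
    return sorted(name for name, ok in audit(config).items() if not ok)
```

Run `failures()` over each router's `show running-config` output; an empty list means every requirement in the Task is present on that device.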

Verification

DMVPN Phase 3 increases scalability of the network by minimizing the amount of routing information that the spokes need to maintain, while still allowing for on-demand spoke-to-spoke tunnels. In this example, R5, the DMVPN Hub, sends only a default route over the tunnel to the spokes via EIGRP, as seen below.

R1#show ip route eigrp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 155.1.0.5 to network 0.0.0.0

D*    0.0.0.0/0 [90/76800640] via 155.1.0.5, 00:18:49, Tunnel0

Currently, the spokes do not have specific routes to each other, nor do they have active IPsec tunnels formed between each other.

R1#show ip route 150.1.2.2
% Subnet not in table

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
169.254.100.5   169.254.100.1   QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

When spoke-to-spoke traffic is initiated, the first packets are forwarded through the hub, which answers with an NHRP redirect; the source spoke then sends an NHRP resolution request to the destination spoke. The result is that a more specific shortcut route is installed for spoke-to-spoke traffic, and an on-demand IPsec tunnel is formed directly between the spokes, as seen below.

R1#ping 150.1.2.2 source 150.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/31/68 ms

R1#show crypto isakmp sa          
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
169.254.100.5   169.254.100.1   QM_IDLE           1001 ACTIVE
169.254.100.2   169.254.100.1   QM_IDLE           1003 ACTIVE
169.254.100.1   169.254.100.2   QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show ip route 150.1.2.2        
Routing entry for 150.1.2.2/32
  Known via "nhrp", distance 250, metric 1
  Last update from 155.1.0.2 on Tunnel0, 00:00:17 ago
  Routing Descriptor Blocks:
  * 155.1.0.2, from 155.1.0.2, 00:00:17 ago, via Tunnel0
      Route metric is 1, traffic share count is 1
      MPLS label: none