CCNP ENTERPRISE - ENARSI 300-410
Sikandar Shaik CCIE x3 (RS/SP/SEC)

Table of Contents

About the Author
Virtual Private Networks - VPN ..... 4
LAB - Default Initial Config Setup for VPN labs - IOS
GRE - Site to Site Tunnels
LAB: GRE POINT TO POINT TUNNELS ..... 13
LAB: DMVPN Basic Example
LAB: DMVPN Basic Example - with EIGRP Routing ..... 42
LAB: DMVPN Phase 1
LAB: DMVPN PHASE 1 - With EIGRP Routing
LAB: DMVPN Phase-1 (Routing with OSPF) ..... 61
DMVPN - Phase 2 ..... 65
LAB: DMVPN Phase 2 - With OSPF Routing ..... 67
DMVPN PHASE-2 - EIGRP ROUTING ..... 73
DMVPN - Phase-3 ..... 78
LAB: DMVPN - Phase 3 - EIGRP
LAB: DMVPN Phase-3 with OSPF
IPSec VPN
LAB: IPsec Site-Site VPN
DMVPN - with IPSEC ..... 115
LAB - IPSEC over DMVPN Tunnels ..... 117
VPN Overview ..... 124
Multi-Protocol Label Switching ..... 134
LAB: CONFIGURING LDP ..... 145
LAB: MPLS LDP Troubleshooting ..... 153
LAB: MPLS LDP PEERING ..... 158
MPLS L3 VPN ..... 173
LAB: MPLS L3 VPN Support for Static Routing ..... 177
LAB: MPLS L3 VPN Support for RIPv2 ..... 187
LAB: MPLS L3 VPN Support for EIGRP ..... 192
LAB: MPLS L3 VPN Support for OSPF ..... 199
LAB: MPLS L3 VPN Support for EBGP ..... 210
Overlap VPN ..... 220
LAB: Overlap VPN ..... 221

About the Author

Sikandar Shaik, a Triple CCIE (RS/SP/SEC # 35012), is a highly experienced and extremely driven senior technical instructor and network consultant. He has been training networking courses for more than 15 years, teaching on a wide range of topics including Routing and Switching, Service Provider and Security (CCNA to CCIE). In addition, he has been developing and updating the content for these courses. He has assisted many engineers in passing the lab examinations and securing certifications.
Sikandar Shaik is highly skilled at designing, planning, coordinating, maintaining, troubleshooting and implementing changes to various aspects of multi-scaled, multi-platform, multi-protocol complex networks, as well as course development and instruction for a technical workforce in a varied networking environment. His experience includes responsibilities ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN and WAN environments. Sikandar Shaik has delivered instructor-led trainings in several states in India as well as abroad in countries like China, Kenya and UAE. He has also worked as a Freelance Cisco Certified Instructor globally for major corporate clients.

Acknowledgment

First and foremost I would like to thank the Almighty for his continued blessings and for always being there for me. You have given me the power and confidence to believe in myself and pursue my dreams. I could never have done this without the faith I have in you.

Secondly I would like to thank my family for understanding my long nights at the computer. I have spent a lot of time on preparing workbooks and this workbook would not have been possible without their support and encouragement.

I would also like to recognize the cooperation of my students who took my trainings and workbooks. I believe my workbooks have helped them in upskilling themselves with respect to the subject and technologies, and I will continue preparing workbooks for the updated technology versions.

Shaik Gouse Moinuddin Sikandar
CCIE x3 (RS/SP/SEC)

Feedback

Please send feedback if there are any issues with respect to the content of this workbook. I would also appreciate suggestions from you which can improve this workbook further.
Kindly send your feedback and suggestions at info@noasolutions.com

Traditional Router-Based Networks

Traditional router-based networks connect customer sites through routers connected via dedicated point-to-point links (leased lines).

[Figure: Customer A sites A, B, C and D interconnected by leased lines]

Advantages
» Completely secure
» High bandwidth
» Superior quality
» Reliable

Disadvantages
» Expensive
» Permanent physical connection
» Not scalable

Virtual Private Network
» VPNs replace dedicated point-to-point links with emulated point-to-point links that share a common infrastructure.
» Customers use VPNs primarily to reduce their operational costs.
» X.25, Frame Relay, ATM, MPLS, L2TPv3, GRE, DMVPN, IPsec, FlexVPN, Remote VPN

VPN - Types
» Site to Site VPN
» Remote access VPN
[Figure: main office, regional office, small office/home office and remote/roaming users connected over the Internet]

Site to Site VPN - (LAN - LAN)
» LAN to LAN communication between branch offices.
» Each site needs to have a public IP to identify remote sites.
» VPN gateways can be a router or a firewall.
» GRE, DMVPN, IPSEC, FlexVPN, GETVPN

Remote Access VPN
» A user/device connecting from a remote place and accessing resources on the corporate LAN.
» Allows remote users to securely access the corporate network wherever and whenever they need to.
» Utilizes SSL VPN or IKEv2 (IPSEC)

VPN - Logical Topologies

Point-to-Point tunnel
» Can be site-to-site or remote access
» Control plane/tunnel negotiation directly between peers

Hub & Spoke VPN
» Set of point-to-point VPN tunnels (with one common headend)
» Can be site-to-site or remote access

Full Mesh VPN
» Can be site-to-site tunnels

LAB - Default Config Setup for VPN labs - IOS

[Topology: R1 (loop0 1.1.1.1/32, f0/0 192.168.1.0/24, s2/0 15.0.0.1/24), R2 (loop0 2.2.2.2/32, f0/0 192.168.2.0/24, s2/0 25.0.0.2/24), R3 (loop0 3.3.3.3/32, f0/0 192.168.3.0/24, s2/0 35.0.0.3/24) and R4 (loop0 4.4.4.4/32, f0/0 192.168.4.0/24, s2/0 45.0.0.4/24), each connected over a serial link to R5, which holds 15.0.0.5, 25.0.0.5, 35.0.0.5 and 45.0.0.5]

Configure IP addressing as per the given diagram.
Configure a default route on R1/R2/R3/R4 to provide end-to-end reachability between them.

R1(config)# int s2/0
R1(config-if)# ip address 15.0.0.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# int loop 0
R1(config-if)# ip address 1.1.1.1 255.255.255.255
R1(config-if)# exit
R1(config)# int f0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit

R2(config)# int f0/0
R2(config-if)# ip address 192.168.2.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# int s2/0
R2(config-if)# ip address 25.0.0.2 255.255.255.0
R2(config-if)# no sh
R2(config-if)# exit
R2(config)# int loop 0
R2(config-if)# ip address 2.2.2.2 255.255.255.255
R2(config-if)# end

R3(config)# int f0/0
R3(config-if)# ip address 192.168.3.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# exit
R3(config)# int loop 0
R3(config-if)# ip address 3.3.3.3 255.255.255.255
R3(config-if)# exit
R3(config)# int s2/0
R3(config-if)# ip address 35.0.0.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# end

R4(config)# int f0/0
R4(config-if)# ip address 192.168.4.4 255.255.255.0
R4(config-if)# no shutdown
R4(config-if)# exit
R4(config)# int loop 0
R4(config-if)# ip address 4.4.4.4 255.255.255.255
R4(config)# int s2/0
R4(config-if)# ip address 45.0.0.4 255.255.255.0
R4(config-if)# no shutdown
R4(config-if)# end

R5(config-if)# ip address 15.0.0.5 255.255.255.0
R5(config-if)# no shutdown
R5(config-if)# int s2/2
R5(config-if)# ip address 25.0.0.5 255.255.255.0
R5(config-if)# no shutdown
R5(config-if)# exit
R5(config)# int s2/3
R5(config-if)# ip address 35.0.0.5 255.255.255.0
R5(config-if)# no shutdown
R5(config)# int s2/0
R5(config-if)# ip address 45.0.0.5 255.255.255.0

Configure a default route on all routers (R1/R2/R3/R4) to provide end-to-end reachability:

Rx(config)# ip route 0.0.0.0 0.0.0.0 s2/0
Rx(config)# exit

R1# show ip int brief
Interface         IP-Address    OK? Method Status                Protocol
FastEthernet0/0   192.168.1.1   YES NVRAM  up                    up
Serial1/0         15.0.0.1      YES NVRAM  up                    up
Serial1/1         unassigned    YES NVRAM  administratively down down
Serial1/2         unassigned    YES NVRAM  administratively down down
Serial1/3         unassigned    YES NVRAM  administratively down down
Loopback0         1.1.1.1       YES NVRAM  up                    up

R1# ping 25.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/464/1652 ms

R1# ping 35.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 35.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/88/128 ms

R1# ping 45.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/148/168 ms

Site to site IPsec VPN - Drawbacks
» The same exit interface is used for both Internet and LAN traffic.
» An ACL is needed to define the interesting traffic to send over the VPN.
» A NAT exemption is needed to keep interesting traffic out of NAT if IPsec and NAT are on the same router.
» No dynamic routing allowed.
» No support for multicast traffic over the VPN.
[Topology: R1 (loop0 1.1.1.1/32, LAN 192.168.1.0/24, 15.0.0.1/24) and R2 (loop0 2.2.2.2/32, LAN 192.168.2.0/24, 25.0.0.2/24) connected across the Internet]

Generic Routing Encapsulation (GRE)
» Tunneling protocol developed by Cisco. Allows you to have a virtual point-to-point tunnel.
» Used when packets need to be sent from one network to another over the Internet or an insecure network.
» Much easier to configure.
» Supports encapsulation of a wide variety of network layer protocols inside point-to-point links (multicast and IPv6).
» GRE tunnels are not encrypted by default.
» 47 is the IP protocol number of GRE, not a port number inside the TCP or UDP header.

GRE Tunnel - Configuration

R1(config)# interface tunnel 12
R1(config-if)# ip address 10.0.12.1 255.255.255.0
R1(config-if)# tunnel source 15.0.0.1
R1(config-if)# tunnel destination 25.0.0.2

R2(config)# int tunnel 12
R2(config-if)# ip address 10.0.12.2 255.255.255.0
R2(config-if)# tunnel source 25.0.0.2
R2(config-if)# tunnel destination 15.0.0.1

» A GRE tunnel uses a 'tunnel' interface
» a logical interface configured on the router with an IP address
» where packets are encapsulated and decapsulated as they enter or exit the GRE tunnel.

R2# sh ip int brief | ex unass
Interface         IP-Address    OK? Method Status  Protocol
FastEthernet0/0   192.168.2.2   YES manual up      up
Serial0/1         25.0.0.2      YES manual up      up
Loopback0         2.2.2.2       YES manual up      up
Tunnel12          10.0.12.2     YES manual up      up

R2# ping 10.0.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/74/84 ms

GRE Tunnel - Configuration (routing over the tunnel)

R1(config)# router eigrp 100
R1(config-router)# no auto-summary
R1(config-router)# network 10.0.12.0 0.0.0.255
R1(config-router)# network 192.168.1.0

R2(config)# router eigrp 100
R2(config-router)# no auto-summary
R2(config-router)# network 10.0.12.0 0.0.0.255
R2(config-router)# network 192.168.2.0

R2# sh ip route eigrp
D    192.168.1.0/24 [90/297270016] via 10.0.12.1, 00:00:25, Tunnel12
R2# sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address      Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                             (sec)           (ms)         Cnt  Num
0   10.0.12.1    Tu12        12    00:00:20  158    5000  0    3

Drawbacks of GRE (classic point-to-point GRE tunnels)
» Manual tunnels
» Not scalable (with 100 end points we need to build 99 tunnels)
» No encryption
» Static IP on all end points
» IOS based (not ASA)

NOTE: GRE is supported only on Cisco Routers. ASA Firewalls do not support GRE VPN.

LAB: GRE POINT TO POINT TUNNELS

» Generic Routing Encapsulation (GRE) was originally developed by Cisco but was later standardized and is now used by many other vendors.
» GRE encapsulates packets into an extra IP header (with an extra IP address and a 4-byte extra GRE header) and sends this new packet across the network.
» If you have two separated LAN networks with private IP addresses, you can create a GRE VPN tunnel between them over the Internet and allow the two private LAN subnets to communicate.
» The private IP packets will be encapsulated inside a new GRE IP packet (which uses the public IP address as the new header of the private IP packets) and thus the two private LAN subnets can communicate over the Internet.

A GRE tunnel uses a 'tunnel' interface - a logical interface configured on the router with an IP address, where packets are encapsulated and decapsulated as they enter or exit the GRE tunnel.

[Topology: R1 (loop0 1.1.1.1/32, f0/0 192.168.1.0/24, s0/0 15.0.0.1/24), R2 (loop0 2.2.2.2/32, f0/0 192.168.2.0/24, s0/0 25.0.0.2/24), R3 (loop0 3.3.3.3/32, f0/0 192.168.3.0/24, s0/0 35.0.0.3/24) and R4 (loop0 4.4.4.4/32, f0/0 192.168.4.0/24, s0/0 45.0.0.4/24)]

R1# ping 25.0.0.2 source 15.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 15.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/36/88 ms

R1(config)# interface tunnel 12
R1(config-if)# ip address 10.0.12.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 15.0.0.1
R1(config-if)# tunnel destination 25.0.0.2
R1(config-if)# exit

» All tunnel interfaces of the participating routers must be configured with an IP address that is not used anywhere else in the network.
» Each tunnel interface is assigned an IP address within the same network as the other tunnel interfaces.
» Since GRE is an encapsulating protocol, we adjust the maximum transfer unit (MTU) to 1400 bytes and the maximum segment size (MSS) to 1360 bytes. Because most transport MTUs are 1500 bytes and we have added overhead because of GRE, we must reduce the MTU to account for the extra overhead.
» A setting of 1400 is common practice and will ensure unnecessary packet fragmentation is kept to a minimum.
» We define the tunnel source, which is R1's public IP address, and the destination, which is R2's public IP address.

R2(config)# int tunnel 12
R2(config-if)# ip address 10.0.12.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 25.0.0.2
R2(config-if)# tunnel destination 15.0.0.1
R2(config-if)# exit

R2# ping 10.0.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/74/84 ms

R2# sh ip int brief | ex unass
Interface         IP-Address    OK? Method Status  Protocol
FastEthernet0/0   192.168.2.2   YES manual up      up
Serial0/1         25.0.0.2      YES manual up      up
Loopback0         2.2.2.2       YES manual up      up
Tunnel12          10.0.12.2     YES manual up      up

TASK: Configure EIGRP routing to provide LAN-to-LAN connectivity

R1(config)# router eigrp 100
R1(config-router)# no auto-summary
R1(config-router)# network 10.0.12.0 0.0.0.255
R1(config-router)# network 192.168.1.0
R1(config-router)# exit

R2(config)# router eigrp 100
R2(config-router)# no auto-summary
R2(config-router)# network 10.0.12.0 0.0.0.255
R2(config-router)# network 192.168.2.0
R2(config-router)# exit

R2# sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address      Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                             (sec)           (ms)         Cnt  Num
0   10.0.12.1    Tu12        12    00:00:20  158    5000  0    3

R2# sh ip route eigrp
D    192.168.1.0/24 [90/297270016] via 10.0.12.1, 00:00:23, Tunnel12

R2# ping 192.168.1.1 source f0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/95/200 ms

» Now both networks are able to freely communicate with each other over the GRE tunnel.
» GRE is an encapsulation protocol and does not perform any encryption.
» Creating a point-to-point GRE tunnel without any encryption is extremely risky, as sensitive data can easily be extracted from the tunnel and viewed by others.
» For this purpose, we use IPsec to add an encryption layer and secure the GRE tunnel. This provides us with the necessary military-grade encryption and peace of mind.

TASK: Configure point-to-point GRE tunnels between R1-R3 and R1-R4

R1# ping 35.0.0.3 source 15.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 35.0.0.3, timeout is 2 seconds:
Packet sent with a source address of 15.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/40/72 ms

R1(config)# int tunnel 23
R1(config-if)# ip address 10.0.13.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 15.0.0.1
R1(config-if)# tunnel destination 35.0.0.3
R1(config)# int tunnel 14
R1(config-if)# ip address 10.0.14.1 255.255.255.0
R1(config-if)# tunnel source s1/0
R1(config-if)# tunnel destination 45.0.0.4
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# end

R1# sh ip int brief | ex unassign
Interface         IP-Address    OK? Method Status  Protocol
FastEthernet0/0   192.168.1.1   YES manual up      up
Serial0/1         15.0.0.1      YES manual up      up
Loopback0         1.1.1.1       YES manual up      up
Tunnel12          10.0.12.1     YES manual up      up
Tunnel14          10.0.14.1     YES manual up      up
Tunnel23          10.0.13.1     YES manual up      up

R3(config)# int tunnel 31
R3(config-if)# tunnel source s1/0
R3(config-if)# tunnel destination 15.0.0.1
R3(config-if)# ip address 10.0.13.3 255.255.255.0
R3(config-if)# ip mtu 1400
R3(config-if)# ip tcp adjust-mss 1360

R4(config)# int tunnel 41
R4(config-if)# ip address 10.0.14.4 255.255.255.0
R4(config-if)# tunnel source s1/0
R4(config-if)# tunnel destination 15.0.0.1
R4(config-if)# ip mtu 1400
R4(config-if)# ip tcp adjust-mss 1360
R4(config-if)# end

R1# ping 10.0.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/78/92 ms

R1# ping 10.0.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/79/14 ms

R1# ping 10.0.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/81/132 ms

R1(config)# router eigrp 100
R1(config-router)# network 10.0.13.0 0.0.0.255
R1(config-router)# network 10.0.14.0 0.0.0.255
R1(config-router)# exit

R3(config)# router eigrp 100
R3(config-router)# no auto-summary
R3(config-router)# network 192.168.3.0
R3(config-router)# network 10.0.13.0 0.0.0.255
R3(config-router)# exit

R4(config)# router eigrp 100
R4(config-router)# no auto-summary
R4(config-router)# network 192.168.4.0
R4(config-router)# network 10.0.14.0 0.0.0.255
R4(config-router)# exit

R1# sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address      Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                             (sec)           (ms)         Cnt  Num
2   10.0.14.4    Tu14        11    00:00:13  151    5000  0    3
1   10.0.13.3    Tu23        14    00:00:38  250    5000  0    3
0   10.0.12.2    Tu12        13    00:05:55  284    5000  0    8

R1# sh ip route eigrp
D    192.168.4.0/24 [90/297270016] via 10.0.14.4, 00:00:26, Tunnel14
D    192.168.2.0/24 [90/297270016] via 10.0.12.2, 00:06:09, Tunnel12
D    192.168.3.0/24 [90/297270016] via 10.0.13.3, 00:00:51, Tunnel23

R1# ping 192.168.2.2 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/48/96 ms

R1# ping 192.168.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/53/112 ms

R1# ping 192.168.4.4 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/76/124 ms

R4# sh ip route eigrp
     10.0.0.0/24 is subnetted, 3 subnets
D       10.0.12.0 [90/310044416] via 10.0.14.1, 00:00:43, Tunnel41
D       10.0.13.0 [90/310044416] via 10.0.14.1, 00:00:43, Tunnel41
D    192.168.1.0/24 [90/297270016] via 10.0.14.1, 00:00:43, Tunnel41
D    192.168.2.0/24 [90/310070016] via 10.0.14.1, 00:00:43, Tunnel41
D    192.168.3.0/24 [90/310070016] via 10.0.14.1, 00:00:43, Tunnel41

R4# ping 192.168.3.3 source 192.168.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/87/172 ms

R4# trace 192.168.3.3 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.3.3
  1 10.0.14.1 100 msec 72 msec 36 msec
  2 10.0.13.3 88 msec * 120 msec

R4# trace 192.168.2.2 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.2.2
  1 10.0.14.1 80 msec 140 msec 4 msec
  2 10.0.12.2 148 msec * 60 msec

Dynamic Multi-point VPN
DMVPN - Protocols: mGRE, NHRP, DMVPN Phases 1, 2, 3
Sikandar Shaik CCIE x3 (RS/SP/SEC # 35012), Senior Technical Instructor
Youtube.com/sikandarshaik, Linkedin.com/in/sikandarshaik/, www.noasolutions.com

Dynamic Multi Point VPN
» Introduced by Cisco in late 2000. Developed to address the need for automatically created VPN tunnels (full mesh).
» Supports full mesh tunnels built dynamically (using mGRE).
» Peers discover each other dynamically (using NHRP).
» Spokes can have a dynamic IP on their exit interfaces.
» Keeps costs low, minimizes configuration complexity and increases flexibility and scalability.
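As an added example (not from the workbook), the Python script below reproduces what the GRE lab above describes: it wraps a constructed private-LAN packet in the 4-byte GRE header plus an outer IPv4 header carrying protocol 47, strips the wrapping again after validating the outer header, and derives the numbers behind ip mtu 1400 and ip tcp adjust-mss 1360. The tunnel and LAN addresses are the lab's; the inner ICMP packet is constructed for the demo.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number of GRE (not a TCP/UDP port)
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload
IPV4_HDR_LEN = 20         # IPv4 header without options
GRE_HDR_LEN = 4           # basic GRE header: flags/version + protocol type
TCP_HDR_LEN = 20


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, IPV4_HDR_LEN + len(payload),
                         0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ip_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Egress side of the tunnel interface: GRE header, then the outer (public) IP header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no checksum/key/sequence bits set
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner)


def gre_decapsulate(packet: bytes) -> bytes:
    """Ingress side: refuse anything that is not well-formed GRE before trusting the payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE (protocol %d)" % packet[9])
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + GRE_HDR_LEN])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE payload type 0x%04x" % ptype)
    # Optional checksum / key / sequence fields (RFC 2890) add 4 bytes each;
    # the lab's plain tunnels carry none of them.
    extra = 4 * (bool(flags & 0x8000) + bool(flags & 0x2000) + bool(flags & 0x1000))
    return packet[ihl + GRE_HDR_LEN + extra:]


def tunnel_ip_mtu(transport_mtu: int = 1500) -> int:
    """Largest inner packet that still fits the underlay link unfragmented."""
    return transport_mtu - IPV4_HDR_LEN - GRE_HDR_LEN      # 1476 on a 1500-byte link


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS clamp that keeps a full TCP segment within the tunnel MTU."""
    return ip_mtu - IPV4_HDR_LEN - TCP_HDR_LEN              # 1360 for ip mtu 1400


def fits_unfragmented(inner_len: int, ip_mtu: int = 1400, transport_mtu: int = 1500) -> bool:
    """True if a packet of inner_len bytes crosses the tunnel without fragmentation."""
    return inner_len <= ip_mtu and inner_len + IPV4_HDR_LEN + GRE_HDR_LEN <= transport_mtu


if __name__ == "__main__":
    # Constructed inner packet: ICMP echo request from the R1 LAN to the R2 LAN.
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"x" * 32
    inner = build_ipv4("192.168.1.1", "192.168.2.2", 1, icmp)
    outer = gre_encapsulate(inner, "15.0.0.1", "25.0.0.2")
    assert gre_decapsulate(outer) == inner
    print("GRE overhead per packet:", len(outer) - len(inner), "bytes")
    print("tunnel MTU on a 1500-byte link:", tunnel_ip_mtu())
    print("MSS clamp for ip mtu 1400:", tcp_mss_for(1400))
```

The 1400-byte MTU the lab configures leaves 76 bytes of headroom below the 1476-byte maximum, which is what keeps the tunnel working over underlay links that carry a little extra overhead.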
[Figure: hub R1 with spokes R2, R3 and R4 over the Internet]

DMVPN - Protocols
DMVPN is a combination of the following technologies:
» Multipoint GRE (mGRE) - allows point-to-multipoint tunnels (full mesh)
» Next-Hop Resolution Protocol (NHRP) - learn peer information dynamically
» Dynamic routing protocol (EIGRP, RIP, OSPF, BGP) - LAN to LAN communication
» Dynamic IPsec encryption - to secure tunnel traffic

DMVPN - mGRE
» Tunnels can have many end points using a single tunnel interface (P2M).
» No tunnel destination command (instead uses tunnel mode gre multipoint).

interface tunnel 0
 tunnel source s0/0
 tunnel mode gre multipoint

» The other end points can be configured as GRE or mGRE.
» Mapping is done by the NHRP protocol.

DMVPN - NHRP protocol
» When two branch routers want to tunnel some traffic, how do they know what IP addresses to use?
» Resolves the tunnel IP to the NBMA address (public IP).
» Similar to ARP on Ethernet networks (MAC - IP).
» Builds a dynamic database stored on the hub with information about the spokes' IP addresses.

DMVPN - NHRP protocol
» Routers can be configured as Next Hop Servers (NHS) or Next Hop Clients (NHC).
» NHRP clients register themselves with the NHRP server and report their public IP address.
» The NHRP server keeps track of all public IP addresses in its cache.
» NHCs send a query to the NHS if they want to communicate with another NHC.
» The NHS replies to queries made by NHCs.

[Figure: NHRP cache on the hub: 192.168.1.2 - 2.2.2.2, 192.168.1.3 - 3.3.3.3]

DMVPN - NHRP Messages
NHRP Registration Request
» Spoke registers its NBMA and tunnel IP with the NHS.
» Required to build spoke-to-hub tunnels.
NHRP Registration Reply
» Hub acknowledges the registration request.
» Required to tell spokes that the tunnel with the hub was formed.

DMVPN - NHRP Messages
NHRP Resolution Request
» Spoke queries for the NBMA and tunnel IP of other spokes.
» Required to build spoke-to-spoke tunnels.
NHRP Resolution Reply
» The queried device replies to the resolution request.
» Required to build spoke-to-spoke tunnels.

[Figure: NHRP cache 192.168.1.2 - 2.2.2.2, 192.168.1.3 - 3.3.3.3 on the hub and on the spokes after resolution]

DMVPN - NHRP Messages
NHRP Redirect (used in Phase 3)
» The hub (NHS) answers spoke-to-spoke data plane packets that are sent through it.
» Used in DMVPN Phase 3 to build spoke-to-spoke tunnels (needed if we have spoke-to-spoke traffic).

Initial configuration (same as the default config setup):
R1(config)# int s2/0
R1(config-if)# ip address 15.0.0.1 255.255.255.0
R1(config-if)# no shutdown
R1(config)# int loop 0
R1(config-if)# ip address 1.1.1.1 255.255.255.255
R1(config-if)# exit
R1(config)# int f0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
Rx(config)# ip route 0.0.0.0 0.0.0.0 s2/0
Rx(config)# exit

DMVPN - Configuration Example

HUB ROUTER (R1)
R1(config)# int tunnel 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# tunnel source s2/0
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# ip nhrp network-id 1
R1(config-if)# ip nhrp map multicast dynamic

On SPOKES (R2/R3/R4)
Rx(config)# interface tunnel 0
Rx(config-if)# ip address 10.0.0.X 255.255.255.0
Rx(config-if)# tunnel source s2/0
Rx(config-if)# tunnel mode gre multipoint
Rx(config-if)# ip nhrp network-id 2
Rx(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
Rx(config-if)# ip nhrp nhs 10.0.0.1
Rx(config-if)# ip nhrp map multicast 15.0.0.1

On all routers
(config)# router eigrp 100
(config-router)# no auto-summary
(config-router)# network 192.168.X.0
(config-router)# network 10.0.0.0

R1(config-if)# ip nhrp network-id 1
» Used to define the NHRP domain for an NHRP interface.
» Differentiates between multiple NHRP domains or networks when two or more NHRP domains are configured.
» The NHRP network ID is used to help keep two NHRP networks (clouds) separate from each other when both are configured on the same router.
» Significant only to the local router; it is not transmitted in NHRP packets to other NHRP nodes.
» The NHRP network ID configured on a router need not match the NHRP network ID on another router, even where both routers are in the same NHRP domain.

R1(config-if)# ip nhrp map multicast dynamic
» The tunnel itself does not support multicast.
» For this purpose, the ip nhrp map multicast dynamic command on the hub is used to dynamically create mappings in the NHRP multicast table for each spoke that registers with it.
» You are telling the hub to create a multicast mapping for each spoke that registers with it.
» Usually required by routing protocols such as OSPF and EIGRP.

Rx(config-if)# ip nhrp map multicast 15.0.0.1
» Ensures multicast traffic is sent only from the spokes to the hub and not from spoke to spoke.
» All multicast traffic should be received by the hub, processed, and then the updates are sent out to the spokes.
DMVPN - Verification

R1# show ip nhrp
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:16:26, expire 01:56:46
  Type: dynamic, Flags: unique registered
  NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:11:42, expire 01:48:17
  Type: dynamic, Flags: unique registered
  NBMA address: 25.0.0.2
10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:10:47, expire 01:49:12
  Type: dynamic, Flags: unique registered
  NBMA address: 45.0.0.4

R4# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     1 15.0.0.1             10.0.0.1    UP 00:00:26     S
     1 25.0.0.2             10.0.0.2    UP    never     D
     1 35.0.0.3             10.0.0.3    UP    never     D

R1# ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

R1# ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/136/316 ms

R1# ping 10.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
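To turn the verification above into a repeatable check, here is an added Python example (not from the workbook) that parses the peer table of show dmvpn as seen on the hub and reports spokes that never registered, are not UP, are Incomplete, or registered from behind NAT. The captured output is constructed in the layout IOS prints, using this lab's addresses, and the expected-spoke table is assumed to come from your own inventory.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the layout IOS uses for "show dmvpn" (hub R1 of this lab).
# R3 appears with the NATed attribute and R4 is deliberately absent.
SAMPLE_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 25.0.0.2             10.0.0.2    UP 00:16:26     D
     1 35.0.0.3             10.0.0.3    UP 00:11:42    DN
"""

# Assumed inventory: tunnel IP -> public (NBMA) IP of every spoke we configured.
LAB_SPOKES: Dict[str, str] = {
    "10.0.0.2": "25.0.0.2",
    "10.0.0.3": "35.0.0.3",
    "10.0.0.4": "45.0.0.4",
}


class Peer(NamedTuple):
    nbma: str
    tunnel: str
    state: str
    updn: str
    attrb: str


# A data row: entry count, NBMA address, tunnel address, state, up/down time, attributes.
ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([SDINLX]+)\s*$")


def parse_show_dmvpn(text: str) -> List[Peer]:
    """Extract the peer rows; legend, headers and separators do not match ROW."""
    return [Peer(*m.groups()) for m in (ROW.match(l) for l in text.splitlines()) if m]


def check_dmvpn(peers: List[Peer], expected: Dict[str, str]) -> List[str]:
    """Compare the hub's NHRP view against the spoke inventory and list discrepancies."""
    findings: List[str] = []
    seen = {p.tunnel: p for p in peers}
    for tun, nbma in expected.items():
        p = seen.get(tun)
        if p is None:
            findings.append(f"{tun}: no NHRP registration from this spoke")
            continue
        if p.state != "UP":
            findings.append(f"{tun}: state {p.state} (UpDn {p.updn})")
        if "I" in p.attrb:
            findings.append(f"{tun}: Incomplete NHRP entry, resolution did not finish")
        if "N" in p.attrb:
            findings.append(f"{tun}: registered from behind NAT (NBMA seen as {p.nbma})")
        elif p.nbma != nbma:
            findings.append(f"{tun}: registered from {p.nbma}, inventory says {nbma}")
    for tun, p in seen.items():
        if tun not in expected:
            findings.append(f"{tun}: unexpected peer {p.nbma} registered with the hub")
    return findings


if __name__ == "__main__":
    for line in check_dmvpn(parse_show_dmvpn(SAMPLE_SHOW_DMVPN), LAB_SPOKES):
        print(line)
```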
R1# ping 10.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/140/268 ms

DMVPN Phase 3 - EIGRP Routing

DMVPN - Phase 3 - Configuration
Configuration on the tunnel interface is the same as we did in Phase 1.

HUB ROUTER (R1)
R1(config)# int tu 1234
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# tunnel source s0/0
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# ip nhrp network-id 1
R1(config-if)# ip nhrp map multicast dynamic

DMVPN Phase 3 - EIGRP ROUTING ON HUB - R1
R1(config)# int tunnel 0
R1(config-if)# no ip split-horizon eigrp 100
R1(config-if)# no ip next-hop-self eigrp 100
R1(config-if)# ip nhrp redirect
R1(config-if)# exit

On SPOKES (R2/R3/R4)
Rx(config)# interface tunnel 1234
Rx(config-if)# ip address 10.0.0.X 255.255.255.0
Rx(config-if)# tunnel source s0/0
Rx(config-if)# tunnel mode gre multipoint
Rx(config-if)# ip nhrp network-id 2
Rx(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
Rx(config-if)# ip nhrp nhs 10.0.0.1
Rx(config-if)# ip nhrp map multicast 15.0.0.1

On SPOKES (R2/R3/R4)
R2(config)# int tunnel 0
R2(config-if)# ip nhrp shortcut
R2(config-if)# exit

» NHRP Redirect is a special NHRP message sent by the hub to the spoke to tell the spoke that there is a better path to the remote spoke than through the hub.
» All it does is force the spoke to trigger an NHRP resolution request for the IP destination. The "ip nhrp redirect" command should be configured on the hub only.
» Note that we do not need the "no ip next-hop-self eigrp" command in DMVPN Phase 3.
» The only difference on the spoke is that the spoke has NHRP Shortcut configured.
» This works together with NHRP Redirect on the hub to send a new NHRP Resolution Request message and overwrite the CEF entry to use the direct spoke-to-spoke tunnel instead of the hub.
» This command should be configured on spokes only.

DMVPN Phase 3 - EIGRP ROUTING

R4# show ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26908600] via 10.0.0.1, 00:00:18, Tunnel0
D    192.168.2.0/24 [90/28185600] via 10.0.0.1, 00:00:18, Tunnel0
D    192.168.3.0/24 [90/28185600] via 10.0.0.1, 00:00:18, Tunnel0

R4# traceroute 192.168.2.2 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 19 msec 0 msec 18 msec
  2 10.0.0.2 39 msec 36 msec 34 msec

R4# traceroute 192.168.2.2 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.2 19 msec 23 msec 21 msec

» The next hop to reach all other spokes' routes is the HUB ROUTER.
» This is because of the "ip nhrp redirect" command on the hub and "ip nhrp shortcut" on the spokes.

DMVPN Phase 3 - OSPF Routing
DMVPN Phase 3 — OSPF Routing

ON Hub & Spokes:
Rx(config)# int tunnel 0
Rx(config-if)# ip ospf network point-to-multipoint

ON HUB (R1):
R1(config)# int tunnel 0
R1(config-if)# ip nhrp redirect
R1(config-if)# exit

On SPOKES (R2/R3/R4):
Rx(config)# int tunnel 0
Rx(config-if)# ip nhrp shortcut
Rx(config-if)# exit

R2#sh ip route ospf
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:01:18, Tunnel0
O        10.0.0.3/32 [110/2000] via 10.0.0.1, 00:00:53, Tunnel0
O        10.0.0.4/32 [110/2000] via 10.0.0.1, 00:00:43, Tunnel0
O     192.168.1.0/24 [110/1010] via 10.0.0.1, 00:01:18, Tunnel0
O     192.168.3.0/24 [110/2010] via 10.0.0.1, 00:00:53, Tunnel0
O     192.168.4.0/24 [110/2010] via 10.0.0.1, 00:00:43, Tunnel0

R4#traceroute 192.168.2.2 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 19 msec 20 msec 18 msec
  2 10.0.0.2 39 msec 36 msec 34 msec

R4#traceroute 192.168.2.2 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.2 19 msec 25 msec 21 msec

» Next hop to reach all the other spokes' routes: the next hop is the HUB ROUTER.
» This is because of the "ip nhrp redirect" command on the Hub and "ip nhrp shortcut" on the spokes.
» They override the entries in the routing table.

DMVPN with IPsec (IKEv1)

DMVPN and IKEv1 IPsec
» DMVPN is a "routing technique" that relies on multipoint GRE and NHRP (without encryption).
» Mostly we use DMVPN with the Internet as the underlay network, so it is wise to encrypt the tunnels.
» With IPsec over DMVPN tunnels, we can encrypt the tunnel traffic between sites.

Previous LAN-to-LAN IPsec used Crypto Maps
» Requires manual peer and proxy ACL definitions
» Not scalable
IPsec over DMVPN
» DMVPN uses an IPsec crypto profile applied on the tunnel interfaces.
» The configuration is identical to GRE with an IPsec profile.
The IPsec profile protects all traffic inside the DMVPN GRE tunnels
» Both control-plane and data-plane
» NHRP/IGP/BGP traffic is protected

IPsec over DMVPN — Configuration steps
1. Configure matching IKE (ISAKMP) policy attributes.
2. Configure the pre-shared key used for authenticating remote peers.
3. Configure the IPsec transform set.
4. Create the IPsec profile and attach the transform set.
5. Apply the IPsec profile on the tunnel interface.

IPsec over DMVPN — Configuration (same on the hub and on every spoke)
Rx(config)# crypto isakmp policy 10
Rx(config-isakmp)# authentication pre-share
Rx(config-isakmp)# encryption aes 256
Rx(config-isakmp)# hash sha
Rx(config-isakmp)# group 5
Rx(config)# crypto isakmp key cisco123 address 0.0.0.0
Rx(config)# crypto ipsec transform-set IP_SET esp-aes 256 esp-sha-hmac
Rx(config)# crypto ipsec profile TN_PR
Rx(ipsec-profile)# set transform-set IP_SET
Rx(ipsec-profile)# exit
Rx(config)# interface tunnel 0
Rx(config-if)# tunnel protection ipsec profile TN_PR
Rx(config-if)# exit

R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
15.0.0.1        45.0.0.4        QM_IDLE           1001 ACTIVE
45.0.0.4        15.0.0.1        QM_IDLE           1003 ACTIVE
35.0.0.3        45.0.0.4        QM_IDLE           1002 ACTIVE
45.0.0.4        25.0.0.2        QM_IDLE           1004 ACTIVE
45.0.0.4        35.0.0.3        QM_IDLE           1005 ACTIVE
25.0.0.2        45.0.0.4        QM_IDLE           1006 ACTIVE

IPv6 Crypto ISAKMP SA
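An added check for the IPsec-over-DMVPN state shown above (example code written for this section, not from the workbook): it parses the show crypto isakmp sa table and reports any expected peer that has no ACTIVE QM_IDLE SA. The sample output, the function names and the unhealthy last row are constructed for the example.

```python
import re

# Constructed sample in the format of the "show crypto isakmp sa" output above
# (lab NBMA addresses, seen from spoke R4). The last row is deliberately
# unhealthy so the check has something to report.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
15.0.0.1        45.0.0.4        QM_IDLE           1001 ACTIVE
45.0.0.4        15.0.0.1        QM_IDLE           1003 ACTIVE
35.0.0.3        45.0.0.4        QM_IDLE           1002 ACTIVE
45.0.0.4        25.0.0.2        MM_NO_STATE       1004 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# One SA row: dst, src, IKE state, connection id, status.
SA_ROW = re.compile(
    r"^(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<status>\S+)"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; headers, blank lines and the IPv6 banner are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["conn_id"] = int(row["conn_id"])
            rows.append(row)
    return rows


def check_ike_peers(rows, local_nbma, expected_peers):
    """Return {peer_nbma: problem} for every expected peer without a healthy SA.

    A peer is healthy when at least one SA between local_nbma and the peer,
    in either direction, is in state QM_IDLE with status ACTIVE (IKE phase 1
    completed, quick mode done). NHRP and IGP traffic inside the tunnel is
    only protected once that SA exists.
    """
    problems = {}
    for peer in expected_peers:
        sas = [r for r in rows if {r["dst"], r["src"]} == {local_nbma, peer}]
        if not sas:
            problems[peer] = "no ISAKMP SA (IKE phase 1 never completed)"
        elif not any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE" for r in sas):
            seen = ", ".join(f"{r['state']}/{r['status']}" for r in sas)
            problems[peer] = "SA present but not QM_IDLE/ACTIVE: " + seen
    return problems


if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE_ISAKMP_SA)
    # From R4's point of view: the hub plus the two other spokes.
    peers = ["15.0.0.1", "25.0.0.2", "35.0.0.3"]
    for peer, why in check_ike_peers(rows, "45.0.0.4", peers).items():
        print(f"{peer}: {why}")
```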
DMVPN and Crypto IPsec Profiles — Order of operation
» NBMA (underlay) routing has to work first
» IPsec comes up next
» GRE/NHRP comes up after that
» The overlay IGP/BGP comes up last

LAB: DMVPN Basic Example

[Topology diagram: R1 (15.0.0.1/24, LAN 192.168.1.0/24) is the hub; spokes R2, R3 (35.0.0.3/24, LAN 192.168.3.0/24) and R4 (45.0.0.4/24, LAN 192.168.4.0/24) connect to it over the Internet]

TASK:
» Configure Hub-and-Spoke GRE tunnels between R1, R2, R3 and R4 where R1 is acting as the Hub.
» Traffic originated from every Spoke's F0/0 interface should be transmitted directly to the other spokes.
» Use the EIGRP dynamic routing protocol to let the other spokes know about the protected networks.
» Use IP addressing 10.0.0.x/24 and ensure that all tunnel end points are able to reach each other.

R1#ping 25.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/37/88 ms
R1#ping 35.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 35.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/36/76 ms
R1#ping 45.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/54/144 ms

R1(config)# int tunnel 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# tunnel source 15.0.0.1
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# ip nhrp network-id 1

» R1 will be configured as the hub.
» ip nhrp network-id enables NHRP on the tunnel interface:
  > Used to define the NHRP domain for an NHRP interface.
  > Differentiates between multiple NHRP domains or networks when two or more NHRP domains are configured on the same router.
  > The NHRP network ID is used to help keep two NHRP networks (clouds) separate from each other when both are configured on the same router.
  > It is significant only to the local router and is not transmitted in NHRP packets to other NHRP nodes.
  > The NHRP network ID configured on a router need not match the NHRP network ID on another router, even where both routers are in the same NHRP domain.
» tunnel mode gre multipoint: sets the GRE tunnel to behave as a multipoint tunnel.

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.0.0.2 255.255.255.0
R2(config-if)# tunnel source s1/0
R2(config-if)# tunnel mode gre multipoint
R2(config-if)# ip nhrp network-id 2
R2(config-if)# exit
R3(config)# interface tunnel 0
R3(config-if)# ip address 10.0.0.3 255.255.255.0
R3(config-if)# tunnel source s1/0
R3(config-if)# tunnel mode gre multipoint
R3(config-if)# ip nhrp network-id 3
R3(config-if)# exit
R4(config)# interface tunnel 0
R4(config-if)# ip address 10.0.0.4 255.255.255.0
R4(config-if)# tunnel source s1/0
R4(config-if)# tunnel mode gre multipoint
R4(config-if)# ip nhrp network-id 4
R4(config-if)# exit

R4#sh ip int brief
Interface          IP-Address    OK? Method Status                Protocol
FastEthernet0/0    unassigned    YES unset  administratively down down
Serial0/1          45.0.0.4      YES manual up                    up
FastEthernet0/1    unassigned    YES unset  administratively down down
Serial0/3          unassigned    YES unset  administratively down down
FastEthernet1/0    unassigned    YES unset  administratively down down

R4#sh ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:00:12, never expire
  Type: static, Flags: used
  NBMA address: 15.0.0.1

R1#show ip nhrp
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:14:28, expire 01:48:46
  Type: dynamic, Flags: unique registered
  NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:11:42, expire 01:48:17
  Type: dynamic, Flags: unique registered
  NBMA address: 25.0.0.2
10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:10:47, expire 01:49:12
  Type: dynamic, Flags: unique registered
  NBMA address: 45.0.0.4

R1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/114/212 ms
R1#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/136/316 ms
R1#ping 10.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/140/268 ms

R4#traceroute 10.0.0.2
Type escape sequence to abort.
Tracing the route to 10.0.0.2
  1 10.0.0.1 156 msec 148 msec
    10.0.0.2 208 msec
R4#traceroute 10.0.0.2
Type escape sequence to abort.
Tracing the route to 10.0.0.2
  1 10.0.0.2 148 msec * 104 msec
R4#traceroute 10.0.0.3
Type escape sequence to abort.
Tracing the route to 10.0.0.3
  1 10.0.0.1 132 msec 200 msec
    10.0.0.3 212 msec
R4#traceroute 10.0.0.3
Type escape sequence to abort.
Tracing the route to 10.0.0.3
  1 10.0.0.3 168 msec * 140 msec

R4#show ip nhrp detail
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:02:37, never expire
  Type: static, Flags: used
  NBMA address: 15.0.0.1
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:00:35, expire 01:59:24
  Type: dynamic, Flags: router
  NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:00:18, expire 01:59:41
  Type: dynamic, Flags: router used
  NBMA address: 35.0.0.3

R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 15.0.0.1            10.0.0.1    UP    never     S
     1 25.0.0.2            10.0.0.2    UP    never     D
     1 35.0.0.3            10.0.0.3    UP    never     D

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 25.0.0.2            10.0.0.2    UP    never     D
     1 35.0.0.3            10.0.0.3    UP    never     D
     1 45.0.0.4            10.0.0.4    UP    never     D

LAB: DMVPN Basic Example - with EIGRP Routing

[Topology diagram: same hub-and-spoke topology as the previous lab; R1 (15.0.0.1/24, LAN 192.168.1.0/24) is the hub, R3 (35.0.0.3/24, LAN 192.168.3.0/24) and R4 (45.0.0.4/24, LAN 192.168.4.0/24) are spokes connected over the Internet]

TASK:
» Continue with the same DMVPN tunnel configuration from the previous lab.
» Configure EIGRP 100 on all routers to provide LAN-to-LAN connectivity between the Hub and the Spokes.
» Configure a dynamic routing protocol over the tunnel; this protocol will be used to carry the info about the networks behind the Spokes (or Hub). Be careful when configuring it, as there is a chance to get into a "recursive loop".
» This means we shouldn't use the same dynamic routing protocol instance for the prefixes available over the tunnel and for achieving the underlying connectivity between Hub and Spokes.

R1(config)# router eigrp 100
R1(config-router)# no auto-summary
R1(config-router)# network 10.0.0.0
R1(config-router)# network 192.168.1.0
R1(config-router)# exit
R2(config)# router eigrp 100
R2(config-router)# no auto-summary
R2(config-router)# network 10.0.0.0
R2(config-router)# network 192.168.2.0
R2(config-router)# exit
R3(config)# router eigrp 100
R3(config-router)# no auto-summary
R3(config-router)# network 10.0.0.0
R3(config-router)# network 192.168.3.0
R3(config-router)# exit
R4(config)# router eigrp 100
R4(config-router)# no auto-summary
R4(config-router)# network 10.0.0.0
R4(config-router)# network 192.168.4.0
R4(config-router)# exit

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100

ip nhrp map multicast X.X.X.X
» This command also enables routing protocols to work over the mGRE tunnel: multicast is not sent across the mGRE tunnel by default in DMVPN.
» The ip nhrp map multicast X.X.X.X command enables forwarding of multicast traffic across the tunnel to the dynamic spokes (required by most routing protocols).
» Normally on the Hub router we configure ip nhrp map multicast dynamic to allow NHRP to automatically add routers to the multicast NHRP mappings, so a static mapping is not required any more for each of the spokes.
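An added check for the NHRP registration state shown in the show ip nhrp outputs above (example code written for this section, not from the workbook): it parses the hub's show ip nhrp output and reports any expected spoke that is missing, that is not a dynamic registration, or that registered from an NBMA address other than the one expected for it. The sample output, the expected-spoke table and the function names are constructed for the example.

```python
import re

# Constructed sample in the format of the "show ip nhrp" output above (hub
# R1's view). The 10.0.0.3 entry deliberately carries the wrong NBMA address
# so that the check has something to report.
SAMPLE_SHOW_IP_NHRP = """\
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:14:28, expire 01:48:46
  Type: dynamic, Flags: unique registered
  NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:11:42, expire 01:48:17
  Type: dynamic, Flags: unique registered
  NBMA address: 25.0.0.2
10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:10:47, expire 01:49:12
  Type: dynamic, Flags: unique registered
  NBMA address: 45.0.0.4
"""

# Expected mapping of spoke tunnel address -> spoke NBMA (public) address.
EXPECTED_SPOKES = {"10.0.0.2": "25.0.0.2", "10.0.0.3": "35.0.0.3", "10.0.0.4": "45.0.0.4"}

ENTRY = re.compile(r"^(?P<prefix>\d+(?:\.\d+){3})/(?P<plen>\d+) via (?P<via>\d+(?:\.\d+){3})")
TYPE = re.compile(r"Type:\s*(?P<type>\w+),\s*Flags:\s*(?P<flags>.*)$")


def parse_show_ip_nhrp(text):
    """Map each NHRP prefix to {'plen', 'type', 'flags', 'nbma'}.

    Both layouts IOS prints are accepted: "created/expire" on the prefix line
    (as above) or on its own indented line under the prefix.
    """
    entries, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            cur = {"plen": int(m.group("plen")), "type": None, "flags": set(), "nbma": None}
            entries[m.group("prefix")] = cur
            continue
        if cur is None:
            continue
        t = TYPE.search(line)
        if t:
            cur["type"] = t.group("type")
            cur["flags"] = set(t.group("flags").split())
        elif line.startswith("NBMA address:"):
            cur["nbma"] = line.split(":", 1)[1].strip()
    return entries


def check_spoke_registrations(entries, expected):
    """Return {spoke_tunnel_ip: problem} for spokes that are missing, that are
    not dynamic registrations, or that registered from an unexpected NBMA
    address (a spoke that moved, a NAT in the path, or a wrong tunnel source)."""
    problems = {}
    for tunnel_ip, nbma in expected.items():
        e = entries.get(tunnel_ip)
        if e is None:
            problems[tunnel_ip] = "no NHRP entry (spoke never registered with this NHS)"
        elif e["type"] != "dynamic" or "registered" not in e["flags"]:
            problems[tunnel_ip] = (f"entry is {e['type']} with flags {sorted(e['flags'])}, "
                                   "not a registration")
        elif e["nbma"] != nbma:
            problems[tunnel_ip] = f"registered from NBMA {e['nbma']}, expected {nbma}"
    return problems


if __name__ == "__main__":
    found = check_spoke_registrations(parse_show_ip_nhrp(SAMPLE_SHOW_IP_NHRP), EXPECTED_SPOKES)
    for spoke, why in found.items():
        print(f"{spoke}: {why}")
```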
R1(config)# int tunnel 0
R1(config-if)# ip nhrp map multicast dynamic
R1(config-if)# exit
OR
R1(config)# int tunnel 0
R1(config-if)# ip nhrp map multicast 25.0.0.2
R1(config-if)# ip nhrp map multicast 35.0.0.3
R1(config-if)# ip nhrp map multicast 45.0.0.4
R1(config-if)# exit

R2(config)# int tunnel 0
R2(config-if)# ip nhrp map multicast 25.0.0.2
R2(config-if)# ip nhrp map multicast 35.0.0.3
R2(config-if)# ip nhrp map multicast 45.0.0.4
R2(config-if)# exit
R3(config)# int tunnel 0
R3(config-if)# ip nhrp map multicast 25.0.0.2
R3(config-if)# ip nhrp map multicast 35.0.0.3
R3(config-if)# ip nhrp map multicast 45.0.0.4
R3(config-if)# exit
R4(config)# int tunnel 0
R4(config-if)# ip nhrp map multicast 25.0.0.2
R4(config-if)# ip nhrp map multicast 35.0.0.3
R4(config-if)# ip nhrp map multicast 45.0.0.4
R4(config-if)# exit

R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address      Interface   Hold Uptime   SRTT   RTO  Q  Seq
                             (sec)         (ms)       Cnt Num
2   10.0.0.2     Tu0         11            106   1434  0  10
1   10.0.0.3     Tu0                       158   1434  0  10
0   10.0.0.4     Tu0         14            108   1434  0  10

R1#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.2.0/24 [90/26882560] via 10.0.0.2, 00:00:07, Tunnel0
D    192.168.3.0/24 [90/26882560] via 10.0.0.3, 00:00:11, Tunnel0
D    192.168.4.0/24 [90/26882560] via 10.0.0.4, 00:00:07, Tunnel0

R4#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address      Interface   Hold Uptime   SRTT   RTO  Q  Seq
                             (sec)         (ms)       Cnt Num
2   10.0.0.1     Tu0         14   00:01:05 727   4362  0  10
1   10.0.0.2     Tu0         14   00:01:05 576   3456  0  10
0   10.0.0.3     Tu0         14   00:01:19 381   2286  0  10

R4#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:00:41, Tunnel0
D    192.168.2.0/24 [90/26882560] via 10.0.0.2, 00:00:31, Tunnel0
D    192.168.3.0/24 [90/26882560] via 10.0.0.3, 00:00:35, Tunnel0

R4#ping 192.168.2.2 source f0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/116/168 ms
R4#ping 192.168.3.3 source f0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/112/128 ms
R4#traceroute 192.168.3.3
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 108 msec 160 msec 144 msec

LAB: DMVPN phase 1

[Topology diagram: R1 (LAN 192.168.1.0/24) is the hub; spokes R3 (35.0.0.3/24, LAN 192.168.3.0/24) and R4 (45.0.0.4/24, LAN 192.168.4.0/24) and R2 connect to it over the Internet]

TASK
» Configure Hub-and-Spoke GRE tunnels between R1, R2, R3 and R4 where R1 is acting as the Hub.
» Traffic originated from every Spoke's F0/0 interface should be transmitted directly to the other spokes.
» Use the EIGRP dynamic routing protocol to let the other spokes know about the protected networks.
» Use IP addressing 10.0.0.x/24 and ensure that all tunnel end points are able to reach each other.

R1#ping 25.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/37/88 ms
R1#ping 35.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 35.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/36/76 ms
R1#ping 45.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/54/144 ms

R1(config)# int tunnel 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# tunnel source s1/0
R1(config-if)# tunnel mode gre multipoint

R2(config)# int tunnel 0
R2(config-if)# ip add 10.0.0.2 255.255.255.0
R2(config-if)# tunnel source s1/0
R2(config-if)# tunnel destination 15.0.0.1
R2(config-if)# ip nhrp network-id 2
R2(config-if)# ip nhrp nhs 10.0.0.1
R2(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
R2(config-if)# exit
R3(config)# int tunnel 0
R3(config-if)# ip add 10.0.0.3 255.255.255.0
R3(config-if)# tunnel source s1/0
R3(config-if)# tunnel destination 15.0.0.1
R3(config-if)# ip nhrp network-id 3
R3(config-if)# ip nhrp nhs 10.0.0.1
R3(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
R3(config-if)# exit
R4(config)# int tunnel 0
R4(config-if)# ip add 10.0.0.4 255.255.255.0
R4(config-if)# tunnel source s1/0
R4(config-if)# tunnel destination 15.0.0.1
R4(config-if)# ip nhrp network-id 4
R4(config-if)# ip nhrp nhs 10.0.0.1
R4(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
R4(config-if)# exit

R4#show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:00:16, never expire
   Type: static, Flags:
   NBMA address: 15.0.0.1

R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 15.0.0.1            10.0.0.1    UP 00:01:04     S

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 25.0.0.2            10.0.0.2    UP              D
     1 35.0.0.3            10.0.0.3    UP              D
     1 45.0.0.4            10.0.0.4    UP              D

R1#show ip nhrp detail
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:02:34, expire 01:57:
   Type: dynamic, Flags: unique registered used
   NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:02:09, expire 01:57:51
   Type: dynamic, Flags: unique registered used
   NBMA address: 35.0.0.3
10.0.0.4/32 via 10.0.0.4
   Tunnel0 created 00:01:43, expire 01:58:16
   Type: dynamic, Flags: unique registered used
   NBMA address: 45.0.0.4

R1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/129/148 ms
R1#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/128/144 ms
R1#ping 10.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/128/144 ms
R2#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/148/180 ms
R2#ping 10.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/157/176 ms
R2#traceroute 10.0.0.4
Type escape sequence to abort.
Tracing the route to 10.0.0.4
VRF info: (vrf in name/id, vrf out name/id)
R2#traceroute 10.0.0.4
Type escape sequence to abort.
Tracing the route to 10.0.0.4
VRF info: (vrf in name/id, vrf out name/id)

LAB: DMVPN PHASE 1 - With EIGRP Routing

[Topology diagram: R1 (LAN 192.168.1.0/24) is the hub; spokes R2 (25.0.0.2/24), R3 (35.0.0.3/24, LAN 192.168.3.0/24) and R4 (45.0.0.4/24) connect to it over the Internet]

TASK: Configure EIGRP 100 on all routers to provide end-to-end reachability between the LANs.
R1(config)# router eigrp 100
R1(config-router)# no auto-summary
R1(config-router)# network 192.168.1.0
R1(config-router)# network 10.0.0.0
R1(config-router)# exit
R2(config)# router eigrp 100
R2(config-router)# no auto-summary
R2(config-router)# network 10.0.0.0
R2(config-router)# network 192.168.2.0
R2(config-router)# exit
R3(config)# router eigrp 100
R3(config-router)# no auto-summary
R3(config-router)# network 10.0.0.0
R3(config-router)# network 192.168.3.0
R3(config-router)# exit
R4(config)# router eigrp 100
R4(config-router)# no auto-summary
R4(config-router)# network 10.0.0.0
R4(config-router)# network 192.168.4.0
R4(config-router)# exit

R4#sh ip eigrp neighbors

» The ip nhrp map multicast dynamic command enables the forwarding of multicast traffic across the tunnel to the dynamic spokes.
» This is usually required by routing protocols such as OSPF and EIGRP.
» In most cases, DMVPN is accompanied by a routing protocol to send and receive dynamic updates about the private networks.
» The ip nhrp map multicast dynamic command is not required if we are using

On HUB ROUTER R1:
R1(config)# int tunnel 0
R1(config-if)# ip nhrp map multicast dynamic
R1(config-if)# exit

On SPOKES (R2/R3/R4):
Rx(config)# int tunnel 0
Rx(config-if)# ip nhrp map multicast 15.0.0.1
Rx(config-if)# exit

R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address      Interface   Hold Uptime   SRTT   RTO  Q  Seq
                             (sec)         (ms)       Cnt Num
1   10.0.0.3     Tu0         11   00:05:04 133   1434  0  3
2   10.0.0.4     Tu0         12   00:05:53 156   1434  0  3
0   10.0.0.2     Tu0         14   00:05:56 164   1434  0  3
R1#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.2.0/24 [90/26882560] via 10.0.0.2, 00:05:04, Tunnel0
D    192.168.3.0/24 [90/26882560] via 10.0.0.3, 00:05:06, Tunnel0
D    192.168.4.0/24 [90/26882560] via 10.0.0.4, 00:05:06, Tunnel0

R4#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address      Interface   Hold Uptime   SRTT   RTO  Q  Seq
                             (sec)         (ms)       Cnt Num
0   10.0.0.1     Tu0         12   00:04:38 868   5000  0  15
R4#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:04:38, Tunnel0

R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address      Interface   Hold Uptime   SRTT   RTO  Q  Seq
                             (sec)         (ms)       Cnt Num
0   10.0.0.1     Tu0         11   00:05:33 315   1890  0  15
R2#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:05:34, Tunnel0

Note: If no neighborship comes up, try shutting down and then no shutdown on the tunnel interface.

Here R2 advertises its routes to R1, and R1 will not advertise them back on the same interface to R3/R4 because of the split horizon rule: the split horizon rule prohibits a router from advertising a route through an interface that the router itself uses to reach the destination. In order to disable the split horizon behavior, use the no ip split-horizon eigrp as-number interface command.

Some important points to remember about EIGRP split horizon:
1. Split horizon behavior is turned on by default.
2. When you change the EIGRP split horizon setting on an interface, it resets all adjacencies with EIGRP neighbors reachable over that interface.
3. Split horizon should only be disabled on a hub site in a hub-and-spoke network.
4. Disabling split horizon on the spokes radically increases EIGRP memory consumption on the hub router, as well as the amount of traffic generated on the spoke routers.
5. The EIGRP split horizon behavior is not controlled or influenced by the ip split-horizon command.
6.

This is because split horizon is preventing R2 from distributing the routes from a spoke router back to the other spoke routers. This can easily be fixed by disabling split horizon on the tunnel interface on the hub router.

R1(config)# int tunnel 0
R1(config-if)# no ip split-horizon eigrp 100
R1(config-if)# exit

R4#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address      Interface   Hold Uptime   SRTT   RTO  Q  Seq
                             (sec)         (ms)       Cnt Num
0   10.0.0.1     Tu0         14   00:06:40 661   3966  0  18
R4#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:06:41, Tunnel0
D    192.168.2.0/24 [90/28162560] via 10.0.0.1, 00:00:14, Tunnel0
D    192.168.3.0/24 [90/28162560] via 10.0.0.1, 00:00:14, Tunnel0

R2#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:06:58, Tunnel0
D    192.168.3.0/24 [90/28162560] via 10.0.0.1, 00:00:22, Tunnel0
D    192.168.4.0/24 [90/28162560] via 10.0.0.1, 00:00:22, Tunnel0

R2#traceroute 192.168.4.4 source 192.168.2.2
Type escape sequence to abort.
Tracing the route to 192.168.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 100 msec 132 msec 144 msec
  2 10.0.0.4 156 msec 176 msec 148 msec
R2#traceroute 192.168.4.4 source 192.168.2.2
Type escape sequence to abort.
Tracing the route to 192.168.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 108 msec 152 msec 128 msec
  2 10.0.0.4 156 msec 172 msec 172 msec
R2#traceroute 192.168.3.3 source 192.168.2.2
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 120 msec 128 msec 88 msec
  2 10.0.0.3 184 msec 184 msec 168 msec

TASK: Re-enable the IP split-horizon rule and ensure that the spokes still have spoke-to-spoke reachability (use summarization).

R1:
R1(config)# int tunnel 0
R1(config-if)# ip split-horizon eigrp 100
R1(config-if)# ip summary-address eigrp 100 0.0.0.0 0.0.0.0

DMVPN — Phases 1, 2, 3
» When Cisco made major changes to DMVPN, it introduced them in terms of Phases (1, 2, 3).
» Every phase added new features, more scalability and different behavior.

DMVPN — Phase 1
Spoke-to-spoke GRE tunnels cannot be built
» mGRE interface on the hub
» Point-to-point GRE interfaces on the spokes
» All data-plane traffic between spokes is routed via the hub
NHRP Role
» Builds the static spoke-to-hub GRE tunnel
» Builds the dynamic hub-to-spoke GRE tunnel
Overlay Routing
» On the spokes all routes have the hub as next-hop
» Summarization/default routing at the hub is allowed (limits the routes on the spokes)

DMVPN — Phase 2
Spoke-to-spoke GRE tunnels can be built
» mGRE interface on the hub and on the spokes
» Data-plane traffic between spokes is routed via the hub initially
» Re-routed spoke-to-spoke once the spoke-to-spoke GRE tunnel is formed
NHRP Role
» Same as in Phase 1
» Additionally it builds the dynamic spoke-to-spoke GRE tunnels
Overlay Routing
» Routes on the spokes must preserve the original next-hop:
» On spokes, routes have the hub as next-hop for hub prefixes
» On spokes, routes have the remote spoke as next-hop for remote spoke prefixes
» Summarization/default routing at the hub is NOT allowed

DMVPN Phase 1 — Tunnel Configuration

HUB ROUTER (R1):
R1(config)# int tunnel 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# tunnel source s2/0
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# ip nhrp network-id 1
R1(config-if)# ip nhrp map multicast dynamic
R1(config-if)# no ip split-horizon eigrp 100

On SPOKES (R2/R3/R4):
Rx(config)# interface tunnel 0
Rx(config-if)# ip address 10.0.0.X 255.255.255.0
Rx(config-if)# tunnel source s2/0
Rx(config-if)# tunnel destination 15.0.0.1
Rx(config-if)# ip nhrp network-id 2
Rx(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
Rx(config-if)# ip nhrp nhs 10.0.0.1
Rx(config-if)# ip nhrp map multicast 15.0.0.1

On all routers:
Rx(config)# router eigrp 100
Rx(config-router)# no auto-summary
Rx(config-router)# network 192.168.X.0
Rx(config-router)# network 10.0.0.0

IGP - Split Horizon Rule
» A method of preventing routing loops in distance-vector routing protocols.
» It prohibits a router from advertising a route back onto the interface from which it was learned.
» Spokes must receive specific routes for all remote spoke subnets.
» By default, split horizon in the IGP prevents the spokes from learning routes from the other spokes in Phase 1.
» Solution - disable the split horizon rule on the Hub router.

DMVPN Phase 1 — Disable Split Horizon

R2#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:05:24, Tunnel0

EIGRP / RIPv2 ROUTING (HUB)
R1(config)# int tunnel 0
R1(config-if)# no ip split-horizon eigrp 100
R1(config-if)# exit

R2#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26882560] via 10.0.0.1, 00:06:58, Tunnel0
D    192.168.3.0/24 [90/28162560] via 10.0.0.1, 00:00:22, Tunnel0
D    192.168.4.0/24 [90/28162560] via 10.0.0.1, 00:00:22, Tunnel0

R2#traceroute 192.168.4.4 source 192.168.2.2
Type escape sequence to abort.
Tracing the route to 192.168.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 108 msec 152 msec 128 msec
  2 10.0.0.4 156 msec 172 msec 172 msec

DMVPN Phase 1 with OSPF Routing
» By default OSPF treats the tunnel interface as point-to-point (even if we configure multipoint GRE).
» Hence you will see many console messages on the routers saying that the neighborship is established and then goes down, repeatedly:

*Mar 1 09:10:07.535: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Tunnel0 from INIT to DOWN, Neighbor Down: Adjacency forced to reset

R1#sh ip ospf int tunnel 0
Tunnel0 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 1000
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0          1000       no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT

» To fix this, we need to change the network type on all routers to OSPF point-to-multipoint.
» The OSPF neighbor will not come up until the network types match (technically the spokes are P2P).

OSPF ROUTING (Hub & Spokes)
Rx(config)# int tunnel 0
Rx(config-if)# ip ospf network point-to-multipoint
Rx(config-if)# end

DMVPN — Phase 2 — Tunnel Configuration

HUB ROUTER (R1):
R1(config)# int tu 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# tunnel source s2/0
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# ip nhrp network-id 1
R1(config-if)# ip nhrp map multicast dynamic

On SPOKES (R2/R3/R4):
Rx(config)# interface tunnel 0
Rx(config-if)# ip address 10.0.0.X 255.255.255.0
Rx(config-if)# tunnel source s2/0
Rx(config-if)# tunnel mode gre multipoint
Rx(config-if)# ip nhrp network-id 2
Rx(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
Rx(config-if)# ip nhrp nhs 10.0.0.1
Rx(config-if)# ip nhrp map multicast 15.0.0.1

DMVPN Phase 2 — OSPF Routing
» By default OSPF treats the tunnel interface as point-to-point (even if we configure multipoint GRE).
» Hence you will see many console messages on the routers saying that the neighborship is established and then goes down, repeatedly:
*Mar 1 09:10:07.535: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Tunnel0 from INIT to DOWN, Neighbor Down: Adjacency forced to reset

OSPF ROUTING (Hub & Spokes)
Rx(config)# int tunnel 0
Rx(config-if)# ip ospf network broadcast
Rx(config-if)# end

OSPF ROUTING (on all spokes)
Rx(config)# int tunnel 0
Rx(config-if)# ip ospf priority 0
Rx(config-if)# end

» To fix this, we need to change the network type to OSPF point-to-multipoint or broadcast on all routers.
» Also ensure that R1 (HUB) becomes the DR and the spokes R2/R3/R4 stay DROTHER.

DMVPN Phase 2 — EIGRP ROUTING

EIGRP ROUTING (HUB)
R1(config)# int tunnel 0
R1(config-if)# no ip split-horizon eigrp 100
R1(config-if)# exit

R2#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26905600] via 10.0.0.1, 00:08:08, Tunnel0
D    192.168.3.0/24 [90/28185600] via 10.0.0.1, 00:00:38, Tunnel0
D    192.168.4.0/24 [90/28185600] via 10.0.0.1, 00:00:38, Tunnel0

R2#traceroute 192.168.3.3 source 192.168.2.2
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 29 msec 20 msec 19 msec

» By default, all routes learned on the spokes from the other spokes have R1 as next-hop.
» As the spokes advertise their routes to R1 (the hub), R1 changes the next-hop to itself and sends them back to the spokes.
» That's why all the traffic between the spoke LANs is going via the Hub (here we are using Phase 2, and all traffic between spokes should go directly after the first packet).
» To change this behavior we can tell the EIGRP Hub router not to change the next-hop and to advertise the routes to the spokes with the original next-hop.
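The hub-side advertisement rules described above, modelled as an added example (hypothetical helper written for this section, not the workbook's code, and not an EIGRP implementation): it computes what each spoke learns from the hub, and which tunnel hops a spoke-to-spoke packet then takes, for split horizon on, split horizon off with and without next-hop-self, and a summary at the hub. Addresses come from the lab topology; the function names are assumptions.

```python
# Spoke tunnel address -> LAN behind it, from the lab topology.
SPOKE_LANS = {
    "10.0.0.2": "192.168.2.0/24",
    "10.0.0.3": "192.168.3.0/24",
    "10.0.0.4": "192.168.4.0/24",
}
HUB = "10.0.0.1"
HUB_LAN = "192.168.1.0/24"
DEFAULT = "0.0.0.0/0"


def hub_advertisements(spoke_lans, split_horizon=True, next_hop_self=True, summary=None):
    """Return {spoke: {prefix: next_hop}}: what the hub advertises to each spoke.

    split_horizon  - True: prefixes learned on Tunnel0 are never sent back out
                     of Tunnel0, so a spoke only learns the hub's own LAN.
    next_hop_self  - True: the hub rewrites the next hop to itself; False
                     ('no ip next-hop-self eigrp 100'): the originating spoke
                     stays as next hop, which Phase 2 needs for direct tunnels.
    summary        - a summary prefix that replaces the specifics, as with
                     'ip summary-address eigrp 100 0.0.0.0 0.0.0.0' (Phase 1/3).
    """
    learned = {}
    for spoke in spoke_lans:
        if summary is not None:
            routes = {summary: HUB}                  # one route, always via the hub
        else:
            routes = {HUB_LAN: HUB}
            if not split_horizon:
                for other, lan in spoke_lans.items():
                    if other == spoke:
                        continue                     # a spoke never hears its own LAN back
                    routes[lan] = HUB if next_hop_self else other
        learned[spoke] = routes
    return learned


def path(learned, src_spoke, dst_spoke, spoke_lans=SPOKE_LANS):
    """Tunnel hops a packet from src_spoke to dst_spoke's LAN takes, or None
    if the routing table on src_spoke has no route for it."""
    routes = learned[src_spoke]
    nh = routes.get(spoke_lans[dst_spoke], routes.get(DEFAULT))
    if nh is None:
        return None                                  # split horizon hid the prefix
    return [src_spoke, HUB, dst_spoke] if nh == HUB else [src_spoke, nh]


if __name__ == "__main__":
    cases = [("split horizon on (default)", {}),
             ("split horizon off", {"split_horizon": False}),
             ("split horizon off, no next-hop-self",
              {"split_horizon": False, "next_hop_self": False}),
             ("summary 0.0.0.0/0 at hub", {"summary": DEFAULT})]
    for label, kw in cases:
        table = hub_advertisements(SPOKE_LANS, **kw)
        print(label)
        print("  R2 learns:", table["10.0.0.2"])
        print("  R2 -> R4 LAN:", path(table, "10.0.0.2", "10.0.0.4"))
```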
R1(config)# interface tunnel 0
R1(config-if)# no ip next-hop-self eigrp 100

R2#show ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D    192.168.1.0/24 [90/26905600] via 10.0.0.1, 00:00:18, Tunnel0
D    192.168.3.0/24 [90/28185600] via 10.0.0.3, 00:00:12, Tunnel0
D    192.168.4.0/24 [90/28185600] via 10.0.0.4, 00:00:14, Tunnel0

R2#traceroute 192.168.3.3 source 192.168.2.2
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)

DMVPN Phase 1 & 2 — Limitations

Phase 1
» No spoke-to-spoke tunnels are built (all traffic goes via the HUB).
» Summarization/default routing at the hub is allowed (limits the routes on the spokes).

Phase 2
» Spoke-to-spoke tunnels are built.
» All traffic goes via the HUB initially only (re-routed spoke-to-spoke once the spoke-to-spoke GRE tunnel is formed).
» On the spokes, routes have the remote spoke as next-hop for remote spoke prefixes.
» Summarization/default routing at the hub is NOT allowed (routing scalability issues).

Phase 3
» Spoke-to-spoke tunnels are built.
» The spokes keep the HUB as next-hop in the routing table (this allows summarization/default routes).
» Uses NHRP Redirect / Shortcut messages for better path selection.

DMVPN Phase 3 — using NHRP Redirects
» Spoke-to-spoke direct communication is allowed with better scalability.
» Uses NHRP redirect/shortcut messages for better path selection.
» mGRE interface on the hub and on the spokes (like Phase 2).
» Spoke-to-spoke GRE tunnels can be built (like Phase 2).
» Data-plane traffic between spokes is routed via the hub initially and re-routed spoke-to-spoke once the spoke-to-spoke GRE tunnel is formed.
» NHRP role: the same as in Phase 2.
» Overlay routing like in Phase 1: on the spokes all routes have the hub as next hop, and summarization/default routing at the hub is allowed.

DMVPN PHASE 3 - TUNNEL CONFIGURATION

HUB ROUTER (R1)
R1(config)# interface tunnel 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# tunnel source s2/0
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# ip nhrp network-id 1
R1(config-if)# ip nhrp map multicast dynamic

SPOKES (R2/R3/R4)
Rx(config)# interface tunnel 0
Rx(config-if)# ip address 10.0.0.X 255.255.255.0
Rx(config-if)# tunnel source s2/0
Rx(config-if)# tunnel mode gre multipoint
Rx(config-if)# ip nhrp network-id X
Rx(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
Rx(config-if)# ip nhrp nhs 10.0.0.1
Rx(config-if)# ip nhrp map multicast 15.0.0.1

» The configuration on the tunnel interfaces is the same as in Phase 2; only the NHRP redirect/shortcut commands are added on top of it.

DMVPN PHASE 3 - EIGRP ROUTING ON HUB (R1)
R1(config)# interface tunnel 0
R1(config-if)# no ip split-horizon eigrp 100
R1(config-if)# ip next-hop-self eigrp 100
R1(config-if)# ip nhrp redirect
R1(config-if)# exit

» NHRP redirect is a special NHRP message sent by the hub to a spoke to tell it that there is a better path to the remote spoke than through the hub. The hub sends it when it forwards a packet back out of the same mGRE interface it arrived on.
» All it does is force the spoke to trigger an NHRP resolution request for the destination IP.
» The "ip nhrp redirect" command is configured on the hub only.
» Note that "no ip next-hop-self eigrp" is not needed in DMVPN Phase 3: the hub is meant to stay the next hop in the spokes' routing tables. "ip next-hop-self eigrp 100" is the default, so the command above only restores it if it was removed in the Phase 2 lab.
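The following consolidated Phase 3 configuration is an added example, not a configuration taken from this workbook: it puts the hub side above together with the spoke side ("ip nhrp shortcut") on the lab addressing (10.0.0.0/24 tunnel, hub NBMA 15.0.0.1, Serial2/0, EIGRP AS 100). Everything beyond what the slides show is an assumption for the example: the NHRP authentication string DMVPNKEY, the tunnel key, the MTU/MSS values, and the summary 192.168.0.0/16 on the hub, which Phase 3 allows because the hub remains the next hop. The labs run GRE in the clear; the NHRP authentication string is sent in plaintext and only keeps mis-configured peers out, so in production the tunnel is also protected with IPsec (tunnel protection), which is outside this example.

```cisco
! ===== HUB (R1) - DMVPN Phase 3 with EIGRP 100 (added example) =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Plaintext NHRP string: rejects registrations with a different string,
 ! it is not a security control (assumed value, max 8 characters)
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ! Phase 3: tell a spoke there is a better path than via the hub
 ip nhrp redirect
 ! Re-advertise spoke prefixes out of the same mGRE interface ...
 no ip split-horizon eigrp 100
 ! ... but keep the hub as next hop (default; Phase 2 needed "no" here)
 ip next-hop-self eigrp 100
 ! Phase 3 allows summarization at the hub: spokes receive one summary,
 ! the NHRP shortcut supplies the specific spoke-to-spoke path (assumed prefix)
 ip summary-address eigrp 100 192.168.0.0 255.255.0.0
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 1
 ! tunnel protection ipsec profile <profile>   <- where IPsec would be applied
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
! ===== SPOKE (R2; R3/R4 identical apart from their addresses) =====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp map multicast 15.0.0.1
 ip nhrp nhs 10.0.0.1
 ! Phase 3: act on the hub's redirect, resolve the remote spoke and install
 ! the shortcut (next-hop override) for the destination prefix
 ip nhrp shortcut
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 1
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
!
! ===== Verification (on R2) =====
! show ip route eigrp              -> only 192.168.0.0/16 via 10.0.0.1 (the summary)
! traceroute 192.168.3.3 source 192.168.2.2
!                                  -> first run: 10.0.0.1 then 10.0.0.3; second run: 10.0.0.3
! show ip nhrp shortcut            -> entry for 192.168.3.0/24 via 10.0.0.3, NBMA 35.0.0.3
! show ip route next-hop-override  -> the override the shortcut installed
! show dmvpn                       -> dynamic (D) entry for 35.0.0.3 / 10.0.0.3, State UP
```

Because the spokes only hold the summary, a spoke's first packet to a remote LAN follows the summary to the hub; the hub forwards it out of Tunnel0 again and sends an NHRP redirect, the spoke resolves the remote LAN prefix through NHRP, and every later packet uses the shortcut. The NHRP authentication string must match on all members or registrations are refused, which is the quickest way to notice a mismatch in "show ip nhrp" on the hub.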
DMVPN PHASE 3 - EIGRP ROUTING

R4#show ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D     192.168.1.0/24 [90/26905600] via 10.0.0.1, 00:00:18, Tunnel0
D     192.168.2.0/24 [90/28185600] via 10.0.0.1, 00:00:18, Tunnel0
D     192.168.3.0/24 [90/28185600] via 10.0.0.1, 00:00:18, Tunnel0

ON SPOKES (R2/R3/R4)
Rx(config)# interface tunnel 0
Rx(config-if)# ip nhrp shortcut
Rx(config-if)# exit

» The only difference on the spokes is that NHRP shortcut is configured.
» This works together with NHRP redirect on the hub: after a redirect the spoke sends a new NHRP resolution request and installs a shortcut (next-hop override) for the destination, so CEF uses the direct spoke-to-spoke tunnel instead of the hub.
» This command is configured on the spokes only.

R4#traceroute 192.168.2.2 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 19 msec 20 msec 18 msec
  2 10.0.0.2 39 msec 36 msec 34 msec

R4#traceroute 192.168.2.2 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.2 19 msec 25 msec 21 msec

» The next hop for all other spokes' routes is still the hub router in the routing table.
» The first traceroute goes through the hub; "ip nhrp redirect" on the hub and "ip nhrp shortcut" on the spoke then resolve the remote spoke and override the routing-table next hop, so the second traceroute goes directly to 10.0.0.2.

DMVPN PHASE 3 - OSPF ROUTING

ON HUB AND SPOKES
Rx(config)# interface tunnel 0
Rx(config-if)# ip ospf network point-to-multipoint

» With point-to-multipoint, "show ip route ospf" on a spoke lists the hub's /32 and every LAN prefix via 10.0.0.1, the hub; unlike Phase 2, that is exactly what Phase 3 wants, because the NHRP shortcut, not the routing protocol, provides the spoke-to-spoke path.

R4#traceroute 192.168.2.2 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 19 msec 29 msec 21 msec
  2 10.0.0.2 39 msec 36 msec 34 msec

R4#traceroute 192.168.2.2 source 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.2 19 msec 23 msec 21 msec

» As with EIGRP, the next hop to reach the other spokes' routes is the hub router; the "ip nhrp redirect" on the hub and "ip nhrp shortcut" on the spokes override that entry after the first packet, so the second traceroute goes directly to 10.0.0.2.

LAB: DMVPN PHASE-1 (ROUTING WITH OSPF)

Topology (same as the previous labs): R1 is the hub with 15.0.0.1/24 towards the Internet cloud and 192.168.1.0/24 on its LAN; R2, R3 and R4 are spokes with 25.0.0.2/24, 35.0.0.3/24 and 45.0.0.4/24 towards the Internet and 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 on their LANs. Loopback0 on each router is x.x.x.x/32 (1.1.1.1 to 4.4.4.4) and the tunnel network is 10.0.0.0/24.

TASK:
• Continue with the Phase-1 DMVPN configuration. Remove EIGRP 100 on all routers and reconfigure OSPF.

R2#sh run | s ei
router eigrp 100
 network 10.0.0.0
 network 192.168.2.0

On all routers (R1, R2, R3, R4)
Rx(config)# no router eigrp 100

R1(config)#do sh run int tu 0
Building configuration...

Current configuration : 248 bytes
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial1/0
 tunnel mode gre multipoint
end

R2(config)#do sh run int tu 0
Building configuration...

Current configuration : 221 bytes
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp map multicast 15.0.0.1
 ip nhrp network-id 2
 ip nhrp nhs 10.0.0.1
 tunnel source Serial1/0
 tunnel destination 15.0.0.1
end

» Note the Phase-1 spoke tunnel: it is point-to-point GRE ("tunnel destination 15.0.0.1"), so a spoke can only ever reach another spoke through the hub.

On all routers re-configure OSPF area 0
R1(config)# router ospf 1
R1(config-router)# network 10.0.0.0 0.0.0.255 area 0
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# exit

R2(config)# router ospf 1
R2(config-router)# network 10.0.0.0 0.0.0.255 area 0
R2(config-router)# network 192.168.2.0 0.0.0.255 area 0
R2(config-router)# exit

R3(config)# router ospf 1
R3(config-router)# network 10.0.0.0 0.0.0.255 area 0
R3(config-router)# network 192.168.3.0 0.0.0.255 area 0
R3(config-router)# exit

R4(config)# router ospf 1
R4(config-router)# network 10.0.0.0 0.0.0.255 area 0
R4(config-router)# network 192.168.4.0 0.0.0.255 area 0
R4(config-router)# exit

R4#sh run int tunnel 0
Building configuration...

Current configuration : 221 bytes
!
interface Tunnel0
 ip address 10.0.0.4 255.255.255.0
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp map multicast 15.0.0.1
 ip nhrp network-id 4
 ip nhrp nhs 10.0.0.1
 tunnel source Serial1/0
 tunnel destination 15.0.0.1
end

R1#sh run int tunnel 0
Building configuration...

Current configuration : 258 bytes
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial1/0
 tunnel mode gre multipoint
end

• The "ip nhrp map multicast" commands were already configured in the previous lab; they are what allow the OSPF hello messages (multicast 224.0.0.5) to be replicated over the tunnel.
• By default OSPF treats the tunnel interface as point-to-point (even when it is configured as multipoint GRE).
• A point-to-point interface can have only one neighbor, so the hub resets its adjacency every time a hello from another spoke arrives; hence you will see many console messages on the routers saying the neighborship is established and then goes down, repeatedly.

R1#sh ip ospf int tunnel 0
Tunnel0 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 1000
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1000      no          no            Base
  Transmit Delay is 1 sec
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

• To fix this, change the network type on all routers to OSPF point-to-multipoint. The OSPF neighbors will not come up until the network type matches on both ends (technically the spoke side is a real point-to-point GRE tunnel, but using point-to-multipoint on every router keeps the hub's single mGRE interface and the spokes consistent).

On all routers
Rx(config)# interface tunnel 0
Rx(config-if)# ip ospf network point-to-multipoint
Rx(config-if)# end

R1#clear ip ospf process
Reset ALL OSPF processes?
[no]: yes

R1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:01:52    10.0.0.2        Tunnel0
3.3.3.3           0   FULL/  -        00:01:58    10.0.0.3        Tunnel0
4.4.4.4           0   FULL/  -        00:01:58    10.0.0.4        Tunnel0

R1#sh ip route ospf
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.0.0.2/32 [110/1000] via 10.0.0.2, 00:00:07, Tunnel0
O        10.0.0.3/32 [110/1000] via 10.0.0.3, 00:00:07, Tunnel0
O        10.0.0.4/32 [110/1000] via 10.0.0.4, 00:00:17, Tunnel0

R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:01:34    10.0.0.1        Tunnel0

R2#sh ip route ospf
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.0.0.1/32 [110/1000] via 10.0.0.1, 00:00:34, Tunnel0
O        10.0.0.3/32 [110/2000] via 10.0.0.1, 00:00:34, Tunnel0
O        10.0.0.4/32 [110/2000] via 10.0.0.1, 00:00:34, Tunnel0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:00:34, Tunnel0
O     192.168.3.0/24 [110/2001] via 10.0.0.1, 00:00:34, Tunnel0
O     192.168.4.0/24 [110/2001] via 10.0.0.1, 00:00:34, Tunnel0

» Point-to-multipoint advertises a /32 host route for every tunnel endpoint, and every route a spoke learns points to the hub (10.0.0.1): in Phase 1 all traffic goes through the hub, with no DR/BDR election (State FULL/ -).

R2#ping 192.168.3.3 source 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/168/184 ms

R2#ping 192.168.4.4 source 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/160/184 ms

R2#traceroute 192.168.4.4 source f0/0
Type escape sequence to abort.
Tracing the route to 192.168.4.4
VRF info: (vrf in name/id, vrf out name/id)

DMVPN - PHASE 2

DMVPN - CONFIGURATION EXAMPLE - PHASE 2

HUB ROUTER (R1)
R1(config)# interface tunnel 1234
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# tunnel source s0/0
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# ip nhrp network-id 1
R1(config-if)# ip nhrp map multicast dynamic

ON SPOKES (R2/R3/R4)
Rx(config)# interface tunnel 1234
Rx(config-if)# ip address 10.0.0.X 255.255.255.0
Rx(config-if)# tunnel source s0/0
Rx(config-if)# tunnel mode gre multipoint
Rx(config-if)# ip nhrp network-id 2
Rx(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
Rx(config-if)# ip nhrp nhs 10.0.0.1
Rx(config-if)# ip nhrp map multicast 15.0.0.1

» The difference from Phase 1 is on the spokes: "tunnel mode gre multipoint" replaces the fixed "tunnel destination", so a spoke can build a GRE tunnel directly to another spoke once NHRP has resolved that spoke's NBMA (public) address through the hub.
» OSPF and EIGRP over Phase 2 behave as described in the Phase 2 OSPF and EIGRP routing slides earlier: OSPF needs the broadcast network type with the hub as DR (priority 255) and the spokes as DROTHER (priority 0), and the EIGRP hub needs "no ip split-horizon eigrp 100" and "no ip next-hop-self eigrp 100" so that the spokes learn each other's prefixes with the remote spoke as next hop.
LAB: DMVPN PHASE 2 - WITH OSPF ROUTING

Topology (same as the previous labs): R1 is the hub with 15.0.0.1/24 towards the Internet cloud and 192.168.1.0/24 on f0/0; R2, R3 and R4 are spokes with 25.0.0.2/24, 35.0.0.3/24 and 45.0.0.4/24 towards the Internet and 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 on f0/0. Loopback0 on each router is x.x.x.x/32 (1.1.1.1 to 4.4.4.4) and the tunnel network is 10.0.0.0/24.

TASK:
• Configure hub-and-spoke GRE tunnels between R1, R2, R3 and R4 where R1 is acting as the hub. Traffic originated from every spoke's f0/0 interface should be transmitted directly to the other spokes.
• Use OSPF as the dynamic routing protocol to let the other spokes know about the protected networks.
• Use IP addressing 10.0.0.x/24 on the tunnel and ensure that all tunnel end points are able to reach each other.

» Before building the tunnels, verify that the hub can reach every spoke's NBMA (public) address over the underlay:

R1#ping 25.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/37/88 ms

R1#ping 35.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 35.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/36/76 ms

R1#ping 45.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

HUB ROUTER (R1)
R1(config)# interface tunnel 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# tunnel source s2/0
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# ip nhrp network-id 1
R1(config-if)# exit

SPOKE R2
R2(config)# interface tunnel 0
R2(config-if)# ip address 10.0.0.2 255.255.255.0
R2(config-if)# tunnel source s2/0
R2(config-if)# tunnel mode gre multipoint
R2(config-if)# ip nhrp network-id 2
R2(config-if)# ip nhrp nhs 10.0.0.1
R2(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
R2(config-if)# exit

SPOKE R3
R3(config)# interface tunnel 0
R3(config-if)# ip address 10.0.0.3 255.255.255.0
R3(config-if)# tunnel source s2/0
R3(config-if)# tunnel mode gre multipoint
R3(config-if)# ip nhrp network-id 3
R3(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
R3(config-if)# ip nhrp nhs 10.0.0.1
R3(config-if)# exit

SPOKE R4
R4(config)# interface tunnel 0
R4(config-if)# ip address 10.0.0.4 255.255.255.0
R4(config-if)# tunnel source s2/0
R4(config-if)# tunnel mode gre multipoint
R4(config-if)# ip nhrp network-id 4
R4(config-if)# ip nhrp map 10.0.0.1 15.0.0.1
R4(config-if)# ip nhrp nhs 10.0.0.1
R4(config-if)# exit

» The spokes are mGRE too ("tunnel mode gre multipoint", no "tunnel destination"); the static NHRP map and the NHS statement are what tell a spoke where the hub is, everything else is learned dynamically.
R4#sh ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:00:12, never expire
  Type: static, Flags: used
  NBMA address: 15.0.0.1

R1#show ip nhrp
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:14:28, expire 01:48:46
  Type: dynamic, Flags: unique registered
  NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:11:42, expire 01:48:17
  Type: dynamic, Flags: unique registered
  NBMA address: 35.0.0.3
10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:10:47, expire 01:49:12
  Type: dynamic, Flags: unique registered
  NBMA address: 45.0.0.4

» On the spoke, the hub is a static NHRP mapping that never expires. On the hub, each spoke appears as a dynamic entry created by the spoke's NHRP registration, with the "unique" flag (the spoke asked that its tunnel address may not be registered from a different NBMA address) and a holdtime after which the entry expires unless the spoke re-registers. The unique flag matters when a spoke's public address changes: the new registration is refused until the old entry times out.

R1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/114/212 ms

R1#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/136/316 ms

R1#ping 10.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/140/268 ms

R4#traceroute 10.0.0.2
Type escape sequence to abort.
Tracing the route to 10.0.0.2

R4#traceroute 10.0.0.3
Type escape sequence to abort.
Tracing the route to 10.0.0.3
  1 10.0.0.3 168 msec * 140 msec

R4#show ip nhrp detail
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:02:37, never expire
  Type: static, Flags: used
  NBMA address: 15.0.0.1
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:00:35, expire 01:59:24
  Type: dynamic, Flags: router used
  NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:00:18, expire 01:59:41
  Type: dynamic, Flags: router used
  NBMA address: 35.0.0.3

» The traceroutes triggered NHRP resolution requests through the hub; R4 now holds dynamic entries for R2 and R3 with their NBMA addresses and forwards to them directly over the mGRE interface.

R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1        15.0.0.1        10.0.0.1    UP 00:02:46     S
     1        25.0.0.2        10.0.0.2    UP    never     D
     1        35.0.0.3        10.0.0.3    UP    never     D

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1        25.0.0.2        10.0.0.2    UP              D
     1        35.0.0.3        10.0.0.3    UP              D
     1        45.0.0.4        10.0.0.4    UP              D

R1(config)# router ospf 1
R1(config-router)# network 10.0.0.0 0.0.0.255 area 0
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# exit

R2(config)# router ospf 1
R2(config-router)# network 10.0.0.0 0.0.0.255 area 0
R2(config-router)# network 192.168.2.0 0.0.0.255 area 0
R2(config-router)# exit

R3(config)# router ospf 1
R3(config-router)# network 10.0.0.0 0.0.0.255 area 0
R3(config-router)# network 192.168.3.0 0.0.0.255 area 0
R3(config-router)# exit

R4(config)# router ospf 1
R4(config-router)# network 10.0.0.0 0.0.0.255 area 0
R4(config-router)# network 192.168.4.0 0.0.0.255 area 0
R4(config-router)# exit

» OSPF hellos are sent to 224.0.0.5, and an mGRE interface does not know where to replicate multicast unless NHRP is told:

On the hub (R1)
R1(config)# interface tunnel 0
R1(config-if)# ip nhrp map multicast dynamic
R1(config-if)# exit

On the spokes (R2/R3/R4)
Rx(config)# interface tunnel 0
Rx(config-if)# ip nhrp map multicast 15.0.0.1
Rx(config-if)# exit

• By default OSPF treats the tunnel interface as point-to-point (even when it is configured as multipoint GRE).
• Hence you will see many console messages on the routers saying the neighborship is established and then goes down, repeatedly: a point-to-point interface allows a single neighbor, and the hub has three spokes on Tunnel0.

R4#sh ip ospf int tunnel 0
Tunnel0 is up, line protocol is up
  Internet Address 10.0.0.4/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 4.4.4.4, Network Type POINT_TO_POINT, Cost: 1000
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1000      no          no            Base
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

• To fix this, change the network type on all routers to OSPF broadcast. Point-to-multipoint would also stop the flapping, but it makes the hub the next hop for every route and sends spoke-to-spoke traffic through the hub, which defeats the purpose of Phase 2.
• Also ensure that R1 (hub) becomes the DR and R2/R3/R4 (spokes) are DROTHER.

On the HUB router
R1(config)# interface tunnel 0
R1(config-if)# shutdown
R1(config-if)# ip ospf priority 255
R1(config-if)# ip ospf network broadcast
R1(config-if)# no shutdown
R1(config-if)# end

On the SPOKES (R2, R3, R4)
Rx(config)# interface tunnel 0
Rx(config-if)# shutdown
Rx(config-if)# ip ospf priority 0
Rx(config-if)# ip ospf network broadcast
Rx(config-if)# no shutdown
Rx(config-if)# end

• The spokes get the broadcast OSPF network type and a priority of 0. Priority 0 removes a router from the DR/BDR election, so only the hub can become DR; bouncing the tunnel interface makes the new network type take effect cleanly.
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.2.2       0   FULL/DROTHER    00:00:38    10.0.0.2        Tunnel0
192.168.3.3       0   FULL/DROTHER    00:00:38    10.0.0.3        Tunnel0
192.168.4.4       0   FULL/DROTHER    00:00:38    10.0.0.4        Tunnel0

R1#sh ip route ospf
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
O     192.168.2.0/24 [110/1001] via 10.0.0.2, 00:01:27, Tunnel0
O     192.168.3.0/24 [110/1001] via 10.0.0.3, 00:01:27, Tunnel0
O     192.168.4.0/24 [110/1001] via 10.0.0.4, 00:01:27, Tunnel0

R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1     255   FULL/DR         00:00:31    10.0.0.1        Tunnel0

R2#show ip route ospf
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:00:38, Tunnel0
O     192.168.3.0/24 [110/1001] via 10.0.0.3, 00:00:28, Tunnel0
O     192.168.4.0/24 [110/1001] via 10.0.0.4, 00:00:18, Tunnel0

R2#traceroute 192.168.4.4 source 192.168.2.2
Type escape sequence to abort.
Tracing the route to 192.168.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.4 20 msec 20 msec 18 msec

R3#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1     255   FULL/DR         00:00:39    10.0.0.1        Tunnel0

R3#show ip route ospf
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:01:41, Tunnel0
O     192.168.2.0/24 [110/1001] via 10.0.0.2, 00:01:31, Tunnel0
O     192.168.4.0/24 [110/1001] via 10.0.0.4, 00:00:30, Tunnel0

» Each spoke has exactly one neighbor, the hub as DR, yet learns the other spokes' LANs with the other spoke (10.0.0.x) as next hop: the DR floods the LSAs, and on a broadcast network the advertising router stays the next hop.

R3#traceroute 192.168.4.4
Type escape sequence to abort.
Tracing the route to 192.168.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.4 19 msec 22 msec 20 msec

• OSPF does not change the next hop when it operates on a "broadcast" network type. On broadcast networks like Ethernet, OSPF elects a DR/BDR; every router forms an adjacency with the DR/BDR, which then floods the routing information to the other routers.
• Since all routers on a broadcast network are assumed to share the same media and to have direct access to each other, there is no reason to change the next hop in the advertisements. This protocol behaviour suits the Phase 2 situation perfectly: a spoke learns the other spokes' LANs with the other spoke's tunnel address as next hop, and NHRP resolves that address to the spoke's NBMA address.
• Another thing is that the physical topology is still hub-and-spoke. Since OSPF must elect a DR/BDR and all routers must have an adjacency with the DR/BDR, we need to ensure that this role is taken by the hub.
• We use OSPF priorities to do that. Priority 255 is the highest and 0 is the lowest; practically, a priority of 0 removes the router from the election process. Thus we set 255 on the hub and 0 on the spokes.
• Caveat: the broadcast type relies on the NHRP multicast mappings ("ip nhrp map multicast 15.0.0.1" on the spokes, "ip nhrp map multicast dynamic" on the hub). Without them the hellos are never replicated over the mGRE interface and the adjacency never forms.

DMVPN PHASE-2 - EIGRP ROUTING

Topology (same as the previous labs): R1 is the hub with 15.0.0.1/24 towards the Internet and 192.168.1.0/24 on f0/0; R2, R3 and R4 are spokes with 25.0.0.2/24, 35.0.0.3/24 and 45.0.0.4/24 towards the Internet and 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 on f0/0. Loopback0 on each router is x.x.x.x/32 (1.1.1.1 to 4.4.4.4) and the tunnel network is 10.0.0.0/24.

TASK:
• Continue with the same DMVPN configuration.
• Remove OSPF routing and reconfigure with the EIGRP routing protocol.
On all routers
Rx(config)# no router ospf 1
Rx(config)# interface tunnel 0
Rx(config-if)# no ip ospf network
Rx(config-if)# no ip ospf priority

R4#sh run int tu 0
Building configuration...

Current configuration : 236 bytes
!
interface Tunnel0
 ip address 10.0.0.4 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp map multicast 15.0.0.1
 ip nhrp network-id 4
 ip nhrp nhs 10.0.0.1
 tunnel source Serial1/0
 tunnel mode gre multipoint
end

R1#sh run int tu 0
Building configuration...

Current configuration : 248 bytes
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial1/0
 tunnel mode gre multipoint
end

R1(config)# router eigrp 100
R1(config-router)# no auto-summary
R1(config-router)# network 10.0.0.0
R1(config-router)# network 192.168.1.0
R1(config-router)# end

R2(config)# router eigrp 100
R2(config-router)# no auto-summary
R2(config-router)# network 10.0.0.0
R2(config-router)# network 192.168.2.0
R2(config-router)# end

R3(config)# router eigrp 100
R3(config-router)# no auto-summary
R3(config-router)# network 10.0.0.0
R3(config-router)# network 192.168.3.0
R3(config-router)# end

R4(config)# router eigrp 100
R4(config-router)# no auto-summary
R4(config-router)# network 10.0.0.0
R4(config-router)# network 192.168.4.0
R4(config-router)# end

R4#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.0.0.1                Tu0                      14 00:00:11   24  1470  0  8

R4#show ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D     192.168.1.0/24 [90/26905600] via 10.0.0.1, 00:00:10, Tunnel0

R1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
2   10.0.0.4                Tu0                      12 00:00:21  153  1434  0  12
1   10.0.0.3                Tu0                      14 00:00:26   25  1434  0  13
0   10.0.0.2                Tu0                      12 00:00:26  206  1434  0  6

R1#sh ip route eigrp
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D     192.168.2.0/24 [90/26905600] via 10.0.0.2, 00:00:27, Tunnel0
D     192.168.3.0/24 [90/26905600] via 10.0.0.3, 00:00:25, Tunnel0
D     192.168.4.0/24 [90/26905600] via 10.0.0.4, 00:00:22, Tunnel0
• R2 advertises its routes to R1, but R1 does not advertise them back out of the same interface to R3/R4 because of the split-horizon rule: split horizon prohibits a router from advertising a route through the interface on which it learned that route. On an mGRE hub every spoke sits behind the same Tunnel0, so as long as split horizon is on, a spoke only ever learns the hub's own LAN (192.168.1.0/24 above) while the hub itself sees all three spoke LANs.
• To disable the split-horizon behaviour, use the "no ip split-horizon eigrp as-number" interface command on the hub's tunnel interface.

Some important points to remember about EIGRP split horizon:
• Split-horizon behaviour is turned on by default.
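To complete the passage above, here is an added example (not a configuration from this workbook) of the Phase 2 hub tunnel interface with both EIGRP behaviours that keep spoke prefixes away from the other spokes turned off, with the spoke-side checks as comments. It assumes the lab addressing (10.0.0.0/24 tunnel, hub NBMA 15.0.0.1, Serial2/0) and AS 100; the EIGRP metrics quoted in the comments are the ones seen in the labs.

```cisco
! ===== HUB (R1) - DMVPN Phase 2 with EIGRP 100 (added example) =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 !
 ! Default (split horizon ON): a spoke learns ONLY 192.168.1.0/24.
 ! Step 1 - re-advertise what was learned on Tunnel0 back out of Tunnel0:
 no ip split-horizon eigrp 100
 ! With step 1 alone the spokes learn every LAN, but with next hop 10.0.0.1,
 ! so spoke-to-spoke traffic still transits the hub (traceroute: 10.0.0.1, then spoke).
 ! Step 2 - keep the original next hop (the advertising spoke) in the update:
 no ip next-hop-self eigrp 100
 ! Do NOT add "ip summary-address eigrp 100 ..." here in Phase 2: a summary is
 ! originated by the hub, so its next hop is the hub and spoke-to-spoke traffic
 ! goes back through it. Summarization at the hub needs Phase 3 (NHRP redirect/shortcut).
 tunnel source Serial2/0
 tunnel mode gre multipoint
!
! ===== Spoke-side verification (R2) =====
! show ip route eigrp
!   D 192.168.3.0/24 [90/28185600] via 10.0.0.3, ..., Tunnel0   <- remote spoke as next hop
! show ip nhrp 10.0.0.3
!   -> no entry until the first packet towards 192.168.3.0/24 triggers an NHRP
!      resolution request (relayed via the hub, answered by R3); afterwards:
!   10.0.0.3/32 via 10.0.0.3, Tunnel0 ... Type: dynamic ... NBMA address: 35.0.0.3
! show dmvpn
!   -> D (dynamic) entry for 35.0.0.3 / 10.0.0.3, State UP  <- direct spoke-to-spoke tunnel
! traceroute 192.168.3.3 source 192.168.2.2
!   -> 1 10.0.0.3  (single hop once the entry above exists)
```

The two "no" commands are the whole difference between a hub that hides spoke prefixes, a hub that relays everything, and a hub that only bootstraps the direct path; checking "show ip n hrp" on the spoke before and after the first packet is the quickest way to see NHRP resolution do its work.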
