
Advanced Concepts of Dynamic Multipoint VPN (DMVPN)

BRKSEC-4052

Agenda
- DMVPN Overview
- NHRP Details
- Use Case: iBGP over DMVPN
- Recent and New Features


2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

DMVPN Overview

What is Dynamic Multipoint VPN?
- DMVPN is a Cisco IOS software solution for building IPsec+GRE VPNs in an easy, dynamic and scalable manner
- Relies on two proven technologies:
  - Next Hop Resolution Protocol (NHRP)
    - Creates a distributed mapping database of VPN (tunnel interface) to real (public interface) addresses
  - Multipoint GRE Tunnel Interface
    - Single GRE interface to support multiple GRE/IPsec tunnels and endpoints
    - Simplifies size and complexity of configuration
    - Supports dynamic tunnel creation


DMVPN: Major Features
- Configuration reduction and no-touch deployment
- Supports:
  - Passenger protocols: IP(v4/v6) unicast, multicast and dynamic routing protocols
  - Transport protocols (NBMA): IPv4 and IPv6 (new)
  - Remote peers with dynamically assigned transport addresses
  - Spoke routers behind dynamic NAT; hub routers behind static NAT
  - Dynamic spoke-spoke tunnels for partial/full mesh scaling
  - Can be used without IPsec encryption
  - Works with MPLS; GRE tunnels and/or data packets in VRFs and MPLS switching over the tunnels
  - Wide variety of network designs and options


DMVPN: How it works
- Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub).
- When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries the NHRP server for the real (outside) address of the destination spoke.
- Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer address).
- The dynamic spoke-to-spoke tunnel is built over the mGRE interface.
- When traffic ceases, the spoke-to-spoke tunnel is removed.

DMVPN: Example
[Figure: example topology. Hub: physical 172.17.0.1 (static, known IP address), Tunnel0 10.0.0.1, LAN 192.168.0.0/24 (.1). Spoke A: physical dynamic (unknown IP address), Tunnel0 10.0.0.11, LAN 192.168.1.0/24 (.1). Spoke B: physical dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.0/24 (.1). Static spoke-to-hub tunnels and dynamic spoke-to-spoke tunnels; LANs can have private addressing.]

NHRP Main Functionality
- NHRP Registrations
  - Spoke (NHC) dynamically registers its VPN to NBMA address mapping with hub (NHS)
  - Static NHRP mappings on spokes for hub (NHS); needed to start the game
  - Builds hub-and-spoke control plane network
- NHRP Resolutions
  - Dynamically resolve spoke to spoke VPN to NBMA mapping to build spoke-spoke tunnels
  - Single instead of multiple tunnel hops across NBMA network
  - NHRP Resolution requests/replies sent via hub-and-spoke control plane path


DMVPN and IPsec
- IPsec integrated with DMVPN, but not required
- Packets encapsulated in GRE, then encrypted with IPsec
- NHRP controls the tunnels, IPsec does encryption
- Bringing up a tunnel
  - NHRP signals IPsec to set up encryption
  - ISAKMP authenticates peer, generates SAs
  - IPsec responds to NHRP and the tunnel is activated
  - All NHRP and data traffic is encrypted
- Bringing down a tunnel
  - NHRP signals IPsec to tear down tunnel
  - IPsec can signal NHRP if encryption is cleared or lost
- ISAKMP keepalives monitor state of spoke-spoke tunnels


Routing
- Spokes are only routing neighbors with hubs, not with other spokes
  - Spokes advertise local network to hubs
- Hubs are routing neighbors with spokes
  - Collect spoke network routes from spokes
  - Advertise spoke and local networks to all spokes
  - All Phases: turn off split-horizon (EIGRP, RIP); single area and no summarization when using OSPF
  - Phase 1 & 3: hubs cannot preserve original IP next-hop; can summarize
    - EIGRP, iBGP (next-hop-self); RIP, ODR, eBGP (default); OSPF (network point-multipoint); number of hubs not limited
  - Phase 2: hubs must preserve original IP next-hop; cannot summarize
    - EIGRP, eBGP (no ip next-hop-self); iBGP (default); OSPF (network broadcast); only 2 hubs
- Hubs are routing neighbors with other hubs
  - Phase 1 & 3: can use different routing protocol than hub-spoke tunnels
  - Phase 2: must use same routing protocol as hub-spoke tunnels


Redundancy
- Active-active redundancy model: two or more hubs per spoke
  - All configured hubs are active and are routing neighbors with spoke
  - Routing protocol routes are used to determine traffic forwarding
    - Single route: one tunnel (hub) at a time, primary/backup mode
    - Multiple routes: both tunnels (hubs), load-balancing mode
- ISAKMP/IPsec
  - Cannot use IPsec stateful failover (NHRP isn't supported)
  - ISAKMP invalid SPI recovery is not useful with DMVPN
  - ISAKMP keepalives on spokes for timely hub recovery
    crypto isakmp keepalives <initial> <retry>
- Can use single or multiple DMVPNs for redundancy
  - Each mGRE interface is a separate DMVPN network, using different tunnel key, NHRP network-id and IP subnet
  - Can glue mGRE interfaces into same DMVPN network(*): same tunnel source, NHRP network-id and authentication; no tunnel key and different IP subnet (Phase 3 only)
  - If using same tunnel source (must use tunnel key):
    tunnel protection ipsec profile <name> shared

Redundancy (cont)
- Spokes: at least two hubs (NHSs)
  - Phase 1 (hub-and-spoke): p-pGRE interfaces, two DMVPN networks, one hub on each
  - Phase 1, 2 or 3 (hub-and-spoke or dynamic mesh): mGRE interface, one DMVPN network, two hubs
- Hubs: interconnect and routing
  - Phase 1 (hub and spoke only): interconnect hubs directly over physical link, p-pGRE or mGRE; hubs can exchange routing through any of these paths
  - Phase 2 (dynamic mesh): interconnect hubs over same mGRE, daisy-chain as NHSs; hubs must exchange routing over DMVPN network
  - Phase 3 (dynamic mesh): interconnect hubs over same or different mGRE (same DMVPN); hubs must exchange routing over DMVPN network


Network Designs
- Hub-and-spoke: Order(n)
  - Spoke-to-spoke traffic via hub
  - Phase 1: hub bandwidth and CPU limit
  - VPN SLB: many identical hubs increase CPU limit
- Spoke-to-spoke: Order(n) to Order(n^2)
  - Control traffic: hub and spoke; hub to hub
    - Phase 2: single; Phase 3: hierarchical
  - Unicast data traffic: dynamic mesh
  - Spoke routers support spoke-hub and spoke-spoke tunnels currently in use
  - Hub supports spoke-hub traffic and overflow from spoke-spoke traffic
- Network Virtualization
  - VRF-lite: multiple DMVPNs
  - MPLS over DMVPN (2547oDMVPN): single DMVPN

Network Designs
[Figure: design diagrams showing spoke-to-hub tunnels, spoke-to-spoke tunnels and 2547oDMVPN tunnels for: hub and spoke (Phase 1), spoke-to-spoke (Phase 2), hierarchical (Phase 3), VRF-lite, server load balancing, and 2547oDMVPN.]

Hub-and-Spoke
Functionality
- GRE, NHRP and IPsec configuration
  - p-pGRE or mGRE on spokes; mGRE on hubs
  - ISAKMP authentication: certificate, (pairwise/wildcard) pre-shared key
- NHRP registration
  - Static NHRP mapping for hub on spoke
  - Dynamically learn NHRP mapping for spoke on hub
  - Dynamically addressed spokes (DHCP, NAT, ...)
  - NAT detection support


Dynamic Mesh (Spoke-Spoke Tunnels)
Functionality
- mGRE/NHRP+IPsec configuration
  - On both hub and spokes
  - ISAKMP authentication information: certificates, wildcard pre-shared keys
- Spoke-spoke data traffic direct
  - Reduced load on hub
  - Reduced latency
  - Single IPsec encrypt/decrypt
- NAT support
- NHRP Resolutions (Phase 2)
  - Double forwarding lookup
- NHRP Redirect and Resolutions (Phase 3)
  - Modify routing table (ASR now; ISR 15.2(1)T)


Dynamic Mesh (Spoke-Spoke Tunnels)
Considerations
- Resiliency
  - No monitoring of spoke-spoke tunnel (use ISAKMP keepalives)
    crypto isakmp keepalives <initial> <retry>
- Path selection
  - NHRP will always build spoke-spoke tunnel
  - No latency or performance measurement of spoke-spoke vs spoke-hub-spoke paths
- Overloading spoke routers
  - CPU or memory: IKE Call Admission Control (CAC)
    crypto call admission limit ike {sa | in-negotiation} <max-SAs>
    call admission limit <percent>
    show crypto call admission statistics
  - Bandwidth: design for expected traffic
    - Hub-spoke versus spoke-spoke
    - Spoke-spoke availability is best effort

Network Virtualization
Separate DMVPNs: VRF-lite
- Separate DMVPN mGRE tunnel per VRF
- Hub routers handle all DMVPNs
  - Multiple hub routers for redundancy and load
- IGP used for routing protocol outside of and over DMVPNs on spokes and hubs
  - Address family per VRF
  - Routing neighbor per spoke per VRF
- BGP used only on the hub
  - Redistribute between IGP and BGP for import/export of routes between VRFs
  - Internet VRF for Internet access and routing between VRFs
- Global routing table for routing DMVPN tunnel packets


Network Virtualization
MPLS over DMVPN: 2547oDMVPN
- Single DMVPN (hub-and-spoke only)
  - MPLS VPN over DMVPN
  - Single mGRE tunnel on all routers
- MPLS configuration
  - Hub and spoke routers are MPLS PEs
  - Multiple hub routers for redundancy and load
- IGP is used for routing outside of DMVPN network
- BGP used for routing protocol over DMVPN
  - Redistribute between IGP and BGP for transport over DMVPN
  - Import/export of routes between VRFs and Internet VRF
  - Internet VRF for Internet access and routing between VRFs
  - Routing neighbor per spoke
- Global routing table for routing DMVPN tunnel packets



NHRP Details

Agenda
- DMVPN Overview
- NHRP Details
  - NHRP Overview
  - NHRP Registrations
  - NHRP Resolutions/Redirects
    - Phase 2
    - Phase 3
- Use Case: iBGP over DMVPN
- Recent and New Features


NHRP Message Types
- Registration
  - Build base hub-and-spoke network for control traffic (single layer Phase 1&2, hierarchical Phase 3)
  - Also used for data traffic
- Resolution
  - Get mapping to build dynamic spoke-spoke tunnels
- Traffic Indication (Redirect), Phase 3
  - Trigger resolution requests at previous GRE tunnel hop
- Purge
  - Clear out stale dynamic NHRP mappings
- Error
  - Signal error conditions


NHRP Message Extension Types
- Responder Address Extension: address mapping for responding node (reply messages)
- Forward Transit NHS Record Extension: list of NHSs that NHRP request message traversed; copied to reply message
- Reverse Transit NHS Record Extension: list of NHSs that NHRP reply message traversed
- Authentication Extension: NHRP authentication
- NAT Address Extension (12.4(6)T):
  - Address mapping for peer (registration message)
  - Address mapping for self (resolution request/reply)


NHRP Mapping Entries
- Static
  - Both host (/32) and network (/<x>) mappings
- Dynamic
  - Registered (/32): from NHRP Registration; NAT record both inside and outside NAT address
  - Learned (/32 or /<x>): from NHRP Resolution; NAT record both inside and outside NAT address
  - Incomplete (/32) (also see Temporary)
    - Rate-limit sending of NHRP Resolution Requests
    - Process-switching of data packet while building spoke-spoke tunnels
  - Local (/32 or /<x>)
    - Mapping for local network sent in an NHRP Resolution Reply
    - Record which nodes were sent this mapping
  - Temporary (/32) (12.4(22)T, Phase 2 only)
    - Same as Incomplete mapping except that NBMA is set to hub
    - CEF-switching of data packets while building spoke-spoke tunnels
- (no socket)
  - Not used to forward data packets
  - Do not trigger IPsec encryption


NHRP Mapping Entries

Spoke to hub, Registered:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:20:10, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.9
10.0.0.19/32 via 10.0.0.19, Tunnel0 created 01:20:08, expire 00:05:51
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.16.3.1

NAT:
10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:16:09, expire 00:05:50
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.18.0.2
   (Claimed NBMA address: 172.16.2.1)
10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:09:04, expire 00:00:22
  Type: dynamic, Flags: router implicit
  NBMA address: 172.18.0.2
   (Claimed NBMA address: 172.16.2.1)

Resolution:
192.168.23.0/24 via 10.0.0.19, Tunnel0 created 00:00:11, expire 00:05:48
  Type: dynamic, Flags: router used
  NBMA address: 172.16.3.1

Incomplete:
10.0.0.45/32, Tunnel0 created 00:00:21, expire 00:02:43
  Type: incomplete, Flags: negative
  Cache hits: 2

Temporary:
10.0.0.17/32 via 10.0.2.17, Tunnel0 created 00:00:09, expire 00:02:55
  Type: dynamic, Flags: used temporary
  NBMA address: 172.17.0.9

Local, (no-socket):
192.168.15.0/24 via 10.0.0.11, Tunnel0 created 00:05:39, expire 00:05:50
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.1.1
  (no-socket)
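As an added example (not from the slides or from Cisco), the following Python parses this kind of "show ip nhrp" output into entries and classifies them the way the slide does, flagging peers that registered from behind NAT; the function names are this example's own and the sample text is constructed from the entries above.

```python
"""Parse 'show ip nhrp' output into mapping entries and classify them.

Added example, not from the BRKSEC-4052 slides or from Cisco IOS. The sample
output is constructed from the entries shown on the slide; the names
(parse_nhrp, classify, expire_seconds, behind_nat) are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEAD_RE = re.compile(
    r"^(?P<prefix>[\d./]+)(?: via (?P<nexthop>[\d.]+))?, (?P<iface>\S+) "
    r"created (?P<created>\S+), (?:expire (?P<expire>\S+)|never expire)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+), Flags:(?P<flags>.*)$")
NBMA_RE = re.compile(r"^NBMA address: (?P<nbma>[\d.]+)$")
CLAIM_RE = re.compile(r"^\(Claimed NBMA address: (?P<claimed>[\d.]+)\)$")

@dataclass
class NhrpEntry:
    prefix: str
    nexthop: Optional[str]
    iface: str
    expire: Optional[str]               # None means 'never expire' (static mapping)
    type: str = ""
    flags: List[str] = field(default_factory=list)
    nbma: Optional[str] = None          # outer (post-NAT) transport address
    claimed_nbma: Optional[str] = None  # address the peer put in the NHRP packet
    no_socket: bool = False

def parse_nhrp(text: str) -> List[NhrpEntry]:
    """A line matching HEAD_RE opens an entry; the indented lines after it
    fill in its type, flags, NBMA address and socket state."""
    entries: List[NhrpEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEAD_RE.match(line)
        if m:
            entries.append(NhrpEntry(m["prefix"], m["nexthop"], m["iface"], m["expire"]))
            continue
        if not entries:
            continue                    # label or banner line before the first entry
        cur = entries[-1]
        if (m := TYPE_RE.match(line)):
            cur.type, cur.flags = m["type"], m["flags"].split()
        elif (m := NBMA_RE.match(line)):
            cur.nbma = m["nbma"]
        elif (m := CLAIM_RE.match(line)):
            cur.claimed_nbma = m["claimed"]
        elif line == "(no-socket)":
            cur.no_socket = True
    return entries

def classify(e: NhrpEntry) -> str:
    """Map an entry onto the categories of the 'NHRP Mapping Entries' slide."""
    if e.type in ("static", "incomplete"):
        return e.type
    for kind in ("temporary", "local", "registered"):
        if kind in e.flags:
            return kind
    return "learned"                    # from a resolution or from packet source info

def expire_seconds(e: NhrpEntry) -> Optional[int]:
    """Remaining lifetime in seconds; None for static entries."""
    if e.expire is None:
        return None
    h, m, s = (int(x) for x in e.expire.split(":"))
    return h * 3600 + m * 60 + s

def behind_nat(e: NhrpEntry) -> bool:
    """True when the claimed NBMA differs from the outer source address: the peer
    sits behind NAT and the hub keeps both addresses (NAT extension)."""
    return e.claimed_nbma is not None and e.claimed_nbma != e.nbma

# Constructed from the entries on the slide (hub's 'show ip nhrp').
SAMPLE = """\
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:20:10, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.9
10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:16:09, expire 00:05:50
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.18.0.2
   (Claimed NBMA address: 172.16.2.1)
10.0.0.18/32 via 10.0.0.18, Tunnel0 created 00:09:04, expire 00:00:22
  Type: dynamic, Flags: router implicit
  NBMA address: 172.18.0.2
   (Claimed NBMA address: 172.16.2.1)
192.168.23.0/24 via 10.0.0.19, Tunnel0 created 00:00:11, expire 00:05:48
  Type: dynamic, Flags: router used
  NBMA address: 172.16.3.1
10.0.0.45/32, Tunnel0 created 00:00:21, expire 00:02:43
  Type: incomplete, Flags: negative
  Cache hits: 2
10.0.0.17/32 via 10.0.2.17, Tunnel0 created 00:00:09, expire 00:02:55
  Type: dynamic, Flags: used temporary
  NBMA address: 172.17.0.9
192.168.15.0/24 via 10.0.0.11, Tunnel0 created 00:05:39, expire 00:05:50
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.1.1
  (no-socket)
"""
```

Entries for which behind_nat() is true are the first thing to look at when a spoke-spoke tunnel to that peer does not come up.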


NHRP Mapping flags
- unique: mapping entry is unique, don't allow overwrite with new NBMA
- registered: mapping entry from an NHRP registration
- authoritative (added 12.4(6)T, removed 12.4(15)T): mapping entry can be used to answer NHRP resolution requests
- used: mapping entry was used in last 60 seconds to forward data traffic
- router: mapping entry for remote router
- implicit: mapping entry from source information in NHRP packet
- local: mapping entry for a local network, record remote requester
- nat: remote peer supports the NHRP NAT extension
- rib (12.2(33)XNE ASR1k): routing table entry created
- nho (12.2(33)XNE ASR1k): next-hop-override routing table entry created


NHRP Purge Messages
- Used to clear invalid NHRP mapping information from the network
- NHRP local mapping entries
  - Created when sending an NHRP resolution reply
  - Copy of mapping information sent in reply
  - Entry tied to corresponding entry in routing table
  - Keeps list of nodes where resolution reply was sent
  - To see, use show ip nhrp detail
- If routing table changes so that local mapping entry is no longer valid
  - Purge message is sent to each NHRP node in list
  - NHRP nodes clear that mapping from their table
  - Purge messages forwarded over direct tunnel if available, otherwise sent via routed path


NHRP Registration
- Builds base hub-and-spoke network
  - Hub-and-spoke data traffic
  - Control traffic: NHRP, routing protocol, IP multicast
  - Phase 2: single level hub-and-spoke
  - Phase 3: hierarchical hub-and-spoke (tree)
- Next Hop Client (NHC) has static mapping for Next Hop Servers (NHSs)
- NHC dynamically registers own mapping with NHS
  - Supports spokes with dynamic NBMA addresses or NAT
  - Supplies outside NAT address of hub
  - NHRP-group for per-tunnel QoS (12.4(22)T)
- NHS registration reply gives liveliness of NHS
  - Supplies outside NAT address of spoke


NHRP Registration
Building Spoke-Hub Tunnels
[Figure: sequence diagram with Host1, Spoke1, Hub, Spoke2, Host2. Each spoke runs IKE initialization with the hub until IKE/IPsec is established, then sends an NHRP Registration Request and receives an NHRP Registration Reply; the NHRP exchange is encrypted.]

NHRP Registration
Building Spoke-Hub Tunnels
[Figure: tables after registration. Hub (physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24): NHRP mapping 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1; routing table 192.168.0.0/24 connected. Spoke A (physical 172.16.1.1 dynamic, Tunnel0 10.0.0.11, LAN 192.168.1.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1; routing table 192.168.1.0/24 connected. Spoke B (physical 172.16.2.1 dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1; routing table 192.168.2.0/24 connected. The spoke-hub links are dynamic permanent IPsec tunnels.]


NHRP Registration Request
- Spoke to hub
  - Every ip nhrp holdtime or ip nhrp registration timeout
  - If no reply, retransmit after 1, 2, 4, 8, 16, 32, 64, 64, ... sec.; mark hub down after 3rd retransmit
- Contains spoke's VPN to NBMA mapping
- Extension headers: Responder Address, Forward and Reverse Transit NHS, Authentication, NAT

NHRP: Send Registration Request via Tunnel0 vrf 0, src: 10.0.0.11, dst: 10.0.0.1
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "unique nat", src NBMA: 172.16.1.1
         src protocol: 10.0.0.11, dst protocol: 10.0.0.1
     (C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
   Responder Address Extension(3):
   Forward Transit NHS Record Extension(4):
   Reverse Transit NHS Record Extension(5):
   Authentication Extension(7): type:Cleartext(1), data:test
   NAT Address Extension(9):
     (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1


NHRP Registration Reply
- Hub to spoke
  - Liveliness of hub
- Contains
  - Spoke's VPN to NBMA mapping
  - Hub's VPN to NBMA mapping as responder
  - Extension headers: Responder Address, Forward and Reverse Transit NHS, Authentication, NAT

NHRP: Send Registration Reply via Tunnel0 vrf 0, src: 10.0.0.1, dst: 10.0.0.11
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "unique nat", src NBMA: 172.16.1.1
         src protocol: 10.0.0.11, dst protocol: 10.0.0.1
     (C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
   Responder Address Extension(3):
     (C) prefix: 0, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
   Forward Transit NHS Record Extension(4):
   Reverse Transit NHS Record Extension(5):
   Authentication Extension(7): type:Cleartext(1), data:test
   NAT Address Extension(9):
     (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
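The following Python is an added example, not code from the slides or from Cisco: it parses "debug nhrp packet" messages like the registration request and reply above (and the received resolution request from the Phase 2 section) into the fixed header, the mandatory part and the extensions, so the transit NHS path, the NAT extension mapping and the cleartext authentication string can be checked; the function names are this example's own.

```python
"""Parse Cisco IOS 'debug nhrp packet' messages into structured records.

Added example, not from the BRKSEC-4052 slides or from Cisco IOS. The sample
messages are constructed from the debug output on the slides; the names
(parse_nhrp_debug, transit_path, auth_is_cleartext, nat_mapping) are this
example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Extension names as IOS prints them; a fixed list keeps free text such as the
# authentication string from being mistaken for an extension header.
EXT_RE = re.compile(
    r"(Responder Address|Forward Transit NHS Record|Reverse Transit NHS Record|"
    r"Authentication|NAT [Aa]ddress) Extension\((\d+)\):")
RECORD_RE = re.compile(r"client NBMA: ([\d.]+), client protocol: ([\d.]+)")
AUTH_RE = re.compile(r"type:(\w+)\((\d+)\), data:(\S+)")

def _field(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_nhrp_debug(text: str) -> Dict:
    """Flatten the message, split it at the extension headers, and pull out the
    fixed header, the mandatory part and each extension's (NBMA, protocol) records."""
    flat = " ".join(line.strip() for line in text.strip().splitlines())
    head = re.match(r"NHRP: (Send|Receive) ([A-Za-z]+ [A-Za-z]+) via (\S+)", flat)
    if head is None:
        raise ValueError("not an NHRP debug message")
    parts = EXT_RE.split(flat)        # [mandatory, name, id, body, name, id, body, ...]
    mandatory = parts[0]
    msg: Dict = {
        "direction": head.group(1), "type": head.group(2), "interface": head.group(3),
        "src": _field(r"\bsrc: ([\d.]+)", mandatory),
        "dst": _field(r"\bdst: ([\d.]+)", mandatory),
        "hop": int(_field(r"hop: (\d+)", mandatory) or 0),
        "flags": (_field(r'flags: "([^"]*)"', mandatory) or "").split(),
        "reqid": int(_field(r"reqid: (\d+)", mandatory) or 0),
        "src_nbma": _field(r"src NBMA: ([\d.]+)", mandatory),
        "src_protocol": _field(r"src protocol: ([\d.]+)", mandatory),
        "dst_protocol": _field(r"dst protocol: ([\d.]+)", mandatory),
        "prefix": int(_field(r"prefix: (\d+)", mandatory) or 0),
        "hd_time": int(_field(r"hd_time: (\d+)", mandatory) or 0),
        "extensions": {},
    }
    for i in range(1, len(parts), 3):
        name, ext_id, body = parts[i], int(parts[i + 1]), parts[i + 2]
        ext = {"name": name, "records": RECORD_RE.findall(body)}
        auth = AUTH_RE.search(body)
        if auth:
            ext["auth"] = {"type": auth.group(1), "data": auth.group(3)}
        msg["extensions"][ext_id] = ext
    return msg

def transit_path(msg: Dict) -> List[Tuple[str, str]]:
    """NHSs the request passed through (Forward Transit NHS Record Extension, 4)."""
    return msg["extensions"].get(4, {}).get("records", [])

def auth_is_cleartext(msg: Dict) -> bool:
    """True when the Authentication Extension (7) carries a Cleartext string. NHRP
    authentication only guards against mismatched DMVPN clouds; peer authentication
    and confidentiality come from the IPsec tunnel protection, not from this field."""
    auth = msg["extensions"].get(7, {}).get("auth")
    return bool(auth and auth["type"] == "Cleartext")

def nat_mapping(msg: Dict) -> Optional[Tuple[str, str]]:
    """(NBMA, protocol) pair in the NAT Address Extension (9): in a registration it
    is the peer's (hub's) address as the sender sees it through any NAT."""
    records = msg["extensions"].get(9, {}).get("records", [])
    return records[0] if records else None

# Constructed from the debug output on the slides (line breaks do not matter).
REG_REQUEST = """\
NHRP: Send Registration Request via Tunnel0 vrf 0, src: 10.0.0.11, dst: 10.0.0.1
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "unique nat", src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.1
 (C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
 Responder Address Extension(3): Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5): Authentication Extension(7): type:Cleartext(1), data:test
 NAT Address Extension(9): (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
"""
REG_REPLY = """\
NHRP: Send Registration Reply via Tunnel0 vrf 0, src: 10.0.0.1, dst: 10.0.0.11
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "unique nat", src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.1
 (C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
 Responder Address Extension(3): (C) prefix: 0, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Forward Transit NHS Record Extension(4): Reverse Transit NHS Record Extension(5):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT Address Extension(9): (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
"""
RES_REQUEST_RCVD = """\
NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104
 (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 164
     src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.12
 (C-1) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4): client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5): Authentication Extension(7): type:Cleartext(1), data:test
 NAT address Extension(9):
"""
```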


NHRP Mapping Tables
After Registration

Hub:
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:11:03, expire 00:04:52
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.1.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 01:03:31, expire 00:05:46
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.2.1
...

Spoke A:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:03:37, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1

Spoke B:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:02:21, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1


NHRP Registration (cont)
Routing Adjacency
[Figure: sequence diagram with Host1, Spoke1, Hub, Spoke2, Host2. After IKE initialization, IKE/IPsec establishment and the NHRP Registration Request/Reply for each spoke, the spokes form routing adjacencies with the hub and exchange routing updates; all of it is encrypted.]

NHRP Registration (cont)
Routing Adjacency
[Figure: tables after the routing exchange. Hub (physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24): NHRP mapping 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1; routing table 192.168.0.0/24 connected, 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 via 10.0.0.12, 192.168.0.0/16 summary. Spoke A (physical 172.16.1.1, Tunnel0 10.0.0.11, LAN 192.168.1.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1; routing table 192.168.0.0/16 via 10.0.0.1, 192.168.1.0/24 connected. Spoke B (physical 172.16.2.1, Tunnel0 10.0.0.12, LAN 192.168.2.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1; routing table 192.168.0.0/16 via 10.0.0.1, 192.168.2.0/24 connected. Routing packets travel over the dynamic permanent IPsec tunnels.]


Hub-and-Spoke
Data Packet Forwarding
- Process-switching
  - Routing table selects outgoing interface and IP next-hop
  - NHRP looks up packet IP destination to select IP next-hop, overriding IP next-hop from routing table
    - Could attempt to trigger spoke-spoke tunnel
    - tunnel destination: can only send to hub
    - ip nhrp server-only: don't send NHRP resolution request
  - If no matching NHRP mapping then send to NHS (hub)
- CEF switching
  - IP next-hop from FIB table (routing table)
  - IP next-hop is the hub: data packets sent to hub
  - Adjacency will be complete, so CEF switches packet to hub
  - NHRP not involved


Phase 2: Process switching
Triggering NHRP Resolutions
- IP data packet is forwarded out tunnel interface to IP next-hop from routing table
- NHRP looks in mapping table for IP destination
  - If (socket) entry found
    - Forward to NBMA from mapping table, overriding IP next-hop
  - If (no socket) entry found
    - If arriving interface is not tunnel interface: convert entry to (socket); trigger IPsec to bring up crypto socket
    - Forward to IP next-hop (if in NHRP table) otherwise to NHS
  - If no entry found
    - Forward to IP next-hop (if in NHRP table) otherwise to NHS
    - If arriving interface was not tunnel interface: initiate NHRP Resolution Request for IP destination


Phase 2: CEF-switching
Triggering NHRP Resolutions
- CEF FIB table has IP next-hop of tunnel IP address of remote spoke for network behind remote spoke
- Triggered by IP next-hop from FIB pointing to glean or incomplete adjacency entry (no valid adjacency entry)
- Send resolution request for IP next-hop (tunnel IP address) of remote spoke
- Resolution request forwarded via NHS path
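As an added example (not from the slides or from Cisco IOS), this Python encodes the process-switching and CEF-switching rules of the two slides above as a small model of a Phase 2 spoke, with constructed tables matching the slide topology (hub 10.0.0.1, Spoke A 10.0.0.11, Spoke B 10.0.0.12); the class and function names are this example's own.

```python
"""Model of the Phase 2 forwarding decision on a DMVPN spoke.

Added example, not from the BRKSEC-4052 slides or from Cisco IOS: it encodes
the process-switching and CEF-switching rules from the slides as a small
state machine. Tables are constructed to match the slide topology; the names
(Mapping, Decision, lpm, Phase2Spoke, spoke_a) are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Mapping:
    nbma: str
    socket: bool = True   # a (no-socket) entry never forwards data or triggers IPsec

@dataclass
class Decision:
    nbma: str                                  # transport address the GRE packet goes to
    actions: List[str] = field(default_factory=list)

def lpm(table: Dict[str, object], addr: str) -> Tuple[Optional[str], object]:
    """Longest-prefix match of addr against a prefix-keyed table."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[int, str, object]] = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prefix, value)
    return (best[1], best[2]) if best else (None, None)

class Phase2Spoke:
    def __init__(self, tunnel_iface: str, nhs: str, rib: Dict[str, str],
                 nhrp: Dict[str, Mapping], server_only: bool = False):
        self.tunnel_iface = tunnel_iface
        self.nhs = nhs                   # hub tunnel address; its static mapping is in nhrp
        self.rib = rib                   # prefix -> IP next-hop (tunnel address of a peer)
        self.nhrp = nhrp                 # prefix -> Mapping (the NHRP mapping table)
        self.server_only = server_only   # 'ip nhrp server-only': never send resolutions

    def _via_next_hop_or_nhs(self, next_hop: str, d: Decision) -> Decision:
        """'Forward to IP next-hop (if in NHRP table) otherwise to NHS'."""
        _, m = lpm(self.nhrp, next_hop)
        if isinstance(m, Mapping) and m.socket:
            d.nbma = m.nbma
        else:
            d.nbma = self.nhrp[self.nhs + "/32"].nbma
            d.actions.append("forward via NHS")
        return d

    def process_switch(self, dst: str, arriving_iface: str) -> Decision:
        """Process-switching rules: NHRP looks up the packet's IP destination."""
        _, next_hop = lpm(self.rib, dst)
        if next_hop is None:
            raise LookupError("no route to " + dst)
        d = Decision(nbma="")
        from_lan = arriving_iface != self.tunnel_iface
        _, entry = lpm(self.nhrp, dst)
        if isinstance(entry, Mapping) and entry.socket:
            return Decision(nbma=entry.nbma, actions=["direct spoke-spoke"])
        if isinstance(entry, Mapping):                 # (no-socket) entry found
            if from_lan:
                entry.socket = True                    # convert to (socket), start IPsec
                d.actions.append("trigger IPsec to " + entry.nbma)
            return self._via_next_hop_or_nhs(str(next_hop), d)
        if from_lan and not self.server_only:          # no entry: resolve the destination
            d.actions.append("send NHRP Resolution Request for " + dst)
        return self._via_next_hop_or_nhs(str(next_hop), d)

    def cef_switch(self, dst: str, arriving_iface: str) -> Decision:
        """CEF rules: the adjacency for the FIB next-hop is valid only when a (socket)
        mapping for that tunnel address exists; glean/incomplete punts the packet."""
        _, next_hop = lpm(self.rib, dst)
        if next_hop is None:
            raise LookupError("no route to " + dst)
        _, m = lpm(self.nhrp, str(next_hop))
        if isinstance(m, Mapping) and m.socket:
            return Decision(nbma=m.nbma, actions=["CEF switched"])
        d = Decision(nbma="", actions=["punt to process switching"])
        if arriving_iface != self.tunnel_iface:
            d.actions.append("send NHRP Resolution Request for " + str(next_hop))
        return self._via_next_hop_or_nhs(str(next_hop), d)

def spoke_a() -> Phase2Spoke:
    """Spoke A right after registration, before any spoke-spoke resolution
    (constructed; the Phase 2 hub preserves Spoke B as next-hop for 192.168.2.0/24)."""
    return Phase2Spoke(
        tunnel_iface="Tunnel0", nhs="10.0.0.1",
        rib={"192.168.0.0/24": "10.0.0.1", "192.168.2.0/24": "10.0.0.12"},
        nhrp={"10.0.0.1/32": Mapping("172.17.0.1")})
```

Note how a packet that arrived over the tunnel interface (transit traffic) never triggers a resolution, and how a (no-socket) entry only turns into a (socket) one when LAN-originated traffic uses it.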


Phase 2
NHRP Resolution process changes
- When: 12.4(6)T, 12.4(7), 12.2(33)XNE and later (not on 6500/7600 yet)
- Why: to support spoke-spoke tunnels when spokes are behind NAT
- How: registered NHRP mappings on hub are not marked authoritative
- Effect:
  - Resolution request will be forwarded via NHS path all the way to the remote spoke
  - Resolution request is answered by the remote spoke
  - Spoke-spoke tunnel is built
  - Resolution reply forwarded back via spoke-spoke tunnel


Phase 2
NHRP Resolution Request
[Figure: sequence diagram with Host1, Spoke1, Hubs, Spoke2, Host2. The NHRP Resolution Request travels from Spoke1 through the hub(s) to Spoke2; both spokes then start IKE initialization toward each other.]


Phase 2
NHRP Resolution Request
[Figure: tables while the resolution request is in flight. Hub (physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24): NHRP mapping 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1; CEF FIB 192.168.0.0/24 connected, 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 via 10.0.0.12; CEF adjacency 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1. Spoke A (physical 172.16.1.1 dynamic, Tunnel0 10.0.0.11, LAN 192.168.1.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1 and (*) 10.0.0.12 -> ??? (resolution outstanding); FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 connected, 192.168.2.0/24 via 10.0.0.12; adjacency 10.0.0.1 -> 172.17.0.1, 10.0.0.12 incomplete. Spoke B (physical 172.16.2.1 dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1 and (*) 10.0.0.11 -> 172.16.1.1 (learned from the request); FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 connected; adjacency 10.0.0.1 -> 172.17.0.1, 10.0.0.11 incomplete. The data packet keeps going via the hub while the NHRP resolution proceeds.]

Phase 2
NHRP Resolution Request Message

As sent:
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84, src: 10.0.0.11, dst: 10.0.0.1
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "router auth src-stable nat ", reqid: 164
         src NBMA: 172.16.1.1
         src protocol: 10.0.0.11, dst protocol: 10.0.0.12
     (C-1) code: no error(0)
           prefix: 0, mtu: 1514, hd_time: 360
   Responder Address Extension(3):
   Forward Transit NHS Record Extension(4):
   Reverse Transit NHS Record Extension(5):
   Authentication Extension(7): type:Cleartext(1), data:test
   NAT address Extension(9):

As received:
NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104
     (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "router auth src-stable nat ", reqid: 164
         src NBMA: 172.16.1.1
         src protocol: 10.0.0.11, dst protocol: 10.0.0.12
     (C-1) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
   Responder Address Extension(3):
   Forward Transit NHS Record Extension(4):
     client NBMA: 172.17.0.1, client protocol: 10.0.0.1
   Reverse Transit NHS Record Extension(5):
   Authentication Extension(7): type:Cleartext(1), data:test
   NAT address Extension(9):

Phase 2
NHRP Resolution Reply
[Figure: sequence diagram with Host1, Spoke1, Hubs, Spoke2, Host2. The NHRP Resolution Request is forwarded hop by hop through the hubs to Spoke2, IKE initialization runs between the spokes, IKE/IPsec is established, and the NHRP Resolution Response returns to Spoke1 encrypted over the new spoke-spoke tunnel.]

Phase 2
NHRP Resolution Reply
[Figure: tables after the resolution reply. Hub unchanged (NHRP mapping 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1). Spoke A (Tunnel0 10.0.0.11): NHRP mapping 10.0.0.1 -> 172.17.0.1 and (*) 10.0.0.12 -> 172.16.2.1 (was ???); FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 connected, 192.168.2.0/24 via 10.0.0.12; adjacency 10.0.0.1 -> 172.17.0.1, 10.0.0.12 -> 172.16.2.1 (was incomplete). Spoke B (Tunnel0 10.0.0.12): NHRP mapping 10.0.0.1 -> 172.17.0.1, (*) 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1 (l, local); FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 connected; adjacency 10.0.0.1 -> 172.17.0.1, 10.0.0.11 -> 172.16.1.1 (was incomplete). Data packets now take the direct spoke-spoke tunnel.]

Phase 2
NHRP Resolution Reply Message
- Lookup protocol destination in routing table: directly connected
- Create NHRP local mapping entry for protocol destination address with mask-length of 32 to NBMA address
- Create NHRP Resolution Response with protocol destination, NBMA address and mask-length of 32
- Delay resolution response to send via direct spoke-spoke tunnel

NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 152, src: 10.0.0.12, dst: 10.0.0.11
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 164
         src NBMA: 172.16.1.1
         src protocol: 10.0.0.11, dst protocol: 10.0.0.12
     (C-1) code: no error(0), prefix: 32, mtu: 1514, hd_time: 360
           client NBMA: 172.16.2.1, client protocol: 10.0.0.12
   Responder Address Extension(3):
     (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
         client NBMA: 172.16.2.1, client protocol: 10.0.0.12
   Forward Transit NHS Record Extension(4):
     client NBMA: 172.17.0.1, client protocol: 10.0.0.1
   Reverse Transit NHS Record Extension(5):
   Authentication Extension(7): type:Cleartext(1), data:test
   NAT address Extension(9):

Phase 2
NHRP Resolution Response Processing
- Receive NHRP Resolution Reply
- If using IPsec (tunnel protection ...) then
  - Trigger IPsec to set up ISAKMP and IPsec SAs for tunnel
  - Data packets still forwarded via spoke-hub-hub-spoke path
  - IPsec triggers back to NHRP when done
- Install new mapping in NHRP mapping table
- Send trigger to CEF to complete corresponding CEF adjacency
- Data packets now forwarded via direct spoke-spoke tunnel by CEF; NHRP no longer involved


Phase 2
NHRP Mapping Tables

Hub1:
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 01:03:38, expire 00:04:18
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.1.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 01:02:15, expire 00:05:44
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.2.1

Spoke A:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:53:25, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:10, expire 00:05:50
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.1.1
  (no-socket)
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:10, expire 00:05:49
  Type: dynamic, Flags: router used
  NBMA address: 172.16.2.1

Spoke B:
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:56:12, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:11, expire 00:05:49
  Type: dynamic, Flags: router used
  NBMA address: 172.16.1.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:11, expire 00:05:48
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.2.1
  (no-socket)


Phase 2: Dynamic mappings
Refresh or Remove
- Dynamic NHRP mapping entries have finite lifetime
  - Controlled by ip nhrp holdtime on source of mapping (spoke)
- Background process checks mapping entry every 60 seconds
  - Process-switching: used flag set each time mapping entry is used; if used flag is set and expire time < 120 seconds, then refresh entry, otherwise clear used flag
  - CEF-switching: if expire time < 120 seconds, CEF adjacency entry marked stale; if CEF adjacency entry is used, signal to NHRP to refresh entry
- Another resolution request is sent to refresh entry
  - Resolution request via NHS path; reply via direct tunnel
- If entry expires it is removed
  - If using IPsec, trigger IPsec to remove IPsec/ISAKMP SAs
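An added example, not from the slides or from Cisco IOS: this Python steps a dynamic mapping through the refresh-or-remove rules above, showing when traffic keeps a spoke-spoke entry alive and when it expires and tears down its SAs; the names are this example's own and the 360 s holdtime is the hd_time seen in the slides' debug output.

```python
"""Step a Phase 2 dynamic NHRP mapping through the refresh-or-remove rules.

Added example, not from the BRKSEC-4052 slides or from Cisco IOS: it encodes
the slide's rules (60-second background check, 'used' flag, refresh when the
remaining lifetime is under 120 s, SA teardown on expiry). Names are this
example's own; the refresh is modelled as immediate, whereas on a router the
resolution reply is what resets the lifetime.
"""
from dataclasses import dataclass, field
from typing import List

CHECK_INTERVAL = 60      # background process period, seconds
REFRESH_WINDOW = 120     # refresh once fewer seconds than this remain

@dataclass
class DynamicMapping:
    prefix: str
    nbma: str
    holdtime: int = 360          # 'ip nhrp holdtime' on the source of the mapping
    expire: int = 360            # remaining lifetime in seconds
    used: bool = False           # set whenever the entry forwards a packet
    cef_stale: bool = False      # CEF adjacency marked stale near expiry
    ipsec: bool = True           # IPsec SAs exist for the spoke-spoke tunnel
    log: List[str] = field(default_factory=list)

    def forward(self, cef: bool = False) -> None:
        """A data packet used this mapping (process path) or its adjacency (CEF).
        A stale CEF adjacency that is used signals NHRP to refresh at once."""
        self.used = True
        if cef and self.cef_stale:
            self._refresh()

    def _refresh(self) -> None:
        self.log.append("refresh: resolution request via NHS, reply via direct tunnel")
        self.expire = self.holdtime
        self.cef_stale = False

def background_check(m: DynamicMapping, cef: bool = False) -> bool:
    """One run of the 60-second check. Returns False once the entry is removed."""
    m.expire -= CHECK_INTERVAL
    if m.expire <= 0:
        m.log.append("expired: entry removed")
        if m.ipsec:
            m.log.append("trigger IPsec to remove IPsec/ISAKMP SAs")
            m.ipsec = False
        return False
    if cef:
        if m.expire < REFRESH_WINDOW:
            m.cef_stale = True       # the next packet through the adjacency refreshes
    elif m.used and m.expire < REFRESH_WINDOW:
        m._refresh()
    else:
        m.used = False               # not refreshing: clear the used flag
    return True

def simulate(m: DynamicMapping, traffic_before_check: List[int], checks: int,
             cef: bool = False) -> int:
    """Run 'checks' background checks; a packet arrives just before each check
    number listed (1-based). Returns how many checks the entry survived."""
    for n in range(1, checks + 1):
        if n in traffic_before_check:
            m.forward(cef)
        if not background_check(m, cef):
            return n - 1
    return checks
```

With a 360 s holdtime an idle entry is gone at the sixth check, and only traffic seen in the last check interval before the lifetime drops under 120 s triggers the refresh.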

Phase 2: CEF Switching
Data Packet Forwarding
- IP data packet is forwarded out tunnel interface to IP next-hop from CEF FIB table
- If adjacency is of type Valid
  - Packet is encapsulated and forwarded by CEF out tunnel interface
  - NHRP is not involved
- If adjacency is of type Glean or Incomplete
  - Punt packet to process switching
  - If original arriving interface was not this tunnel interface
    - Initiate NHRP Resolution Request for IP next-hop
    - Resolution reply is used to create NHRP mapping and to complete the adjacency


Phase 3
Building Spoke-spoke Tunnels
- Originating spoke
  - IP data packet is forwarded out tunnel interface to destination via hub (NHS)
- Hub (NHS)
  - Receives and forwards data packet on tunnel interfaces with same NHRP network-id
  - Sends NHRP Redirect message to originating spoke
- Originating spoke
  - Receives NHRP Redirect message
  - Sends NHRP Resolution Request for data IP packet destination via NHS
- Destination spoke
  - Receives NHRP Resolution Request
  - Builds spoke-spoke tunnel
  - Sends NHRP Resolution Reply over spoke-spoke tunnel
BRKSEC-4052 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

54

Phase 3: NHRP Redirects

[Sequence diagram: Host1, Spoke1, Hubs, Spoke2, Host2. The data packet from Host1 travels Spoke1 -> Hub -> Spoke2 -> Host2 and the hub returns an NHRP Redirect to Spoke1; the return traffic from Host2 takes the reverse path and the hub sends an NHRP Redirect to Spoke2.]

Phase 3: NHRP Redirects

[Figure: the data packet from Spoke A to 192.168.2.1 follows the routed path via the hub, which returns an NHRP Redirect. Legend: data packet, NHRP Redirect, NHRP Resolution, NHRP mapping, CEF FIB table, CEF adjacency. Tables recoverable from the figure:]

Hub: Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24
  NHRP mapping: 10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
  CEF FIB: 192.168.0.0/24 Conn.; 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12

Spoke A: Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24
  NHRP mapping: 10.0.0.1 -> 172.17.0.1
  CEF FIB: 192.168.1.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  CEF adjacency: 10.0.0.1 -> 172.17.0.1
  Data packet to 192.168.2.1: no entry of its own ("???"), so it follows 192.168.0.0/16 to the hub

Spoke B: Physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12, LAN 192.168.2.1/24
  NHRP mapping: 10.0.0.1 -> 172.17.0.1
  CEF FIB: 192.168.2.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  CEF adjacency: 10.0.0.1 -> 172.17.0.1

Phase 3: NHRP Redirect Message

Hub debug output when it sends the redirect to Spoke A:

    NHRP: inserting (172.16.1.1/192.168.2.1) in redirect table
    NHRP: Attempting to send packet via DEST 192.168.1.1
    NHRP: Encapsulation succeeded.  Tunnel IP addr 172.16.1.1
    NHRP: Send Traffic Indication via Tunnel0 vrf 0, packet size: 96
     src: 10.0.0.1, dst: 192.168.1.1
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) traffic code: redirect(0)
         src NBMA: 172.17.0.1
         src protocol: 10.0.0.1, dst protocol: 192.168.1.1
     Contents of nhrp traffic indication packet:
         45 00 00 64 00 19 00 00 FD 01 25 2D C0 A8 01 01
         C0 A8 02 01 08 00 A8 E3 0B 78 0C
     Forward Transit NHS Record Extension(4):
     Reverse Transit NHS Record Extension(5):
     Authentication Extension(7):
         type:Cleartext(1), data:test
     NAT Address Extension(9):

The redirect table key is (NBMA source of the GRE packet, data packet destination); the redirect itself is addressed to the data packet's source (192.168.1.1) and carries the start of the offending IP packet (192.168.1.1 -> 192.168.2.1, ICMP).

Phase 3: NHRP Redirect Processing

Sender (the hub that forwarded the packet in and out of the same NHRP network-id)
- Inserts (GRE/IP header source, data packet destination IP address) in the NHRP redirect table; the table is used to rate-limit NHRP redirect messages.
- Sends the NHRP redirect to the GRE/IP header source.
- Times out the rate-limit entries from the NHRP redirect table.

Receiver
- Checks the data IP source address taken from the data IP header carried in the redirect.
- If routing to that IP source is out a GRE tunnel interface with the same NHRP network-id: drop the redirect (this router is transit, not the originating spoke).
- If routing to that IP source is out another interface, the IP destination is permitted by ip nhrp interest <ACL>, and ip nhrp shortcut is configured: trigger an NHRP resolution request for the IP destination.
- Otherwise: drop the redirect.
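An added example (not code from the deck or from Cisco IOS) of the two halves of the redirect described above: parsing the IPv4 header the hub echoes back in the Traffic Indication, and the receiver's decision to resolve or drop. The hex dump is the one printed on the redirect-message slide; the Spoke A routing table, the network-id value, the shortcut flag and the interest callback are assumptions modelled on the Spoke A / Spoke B example. One check it adds: the header checksum recomputed from the slide's bytes (0x392D) does not match the 0x252D printed in the dump, so the dump on the slide is illustrative rather than a byte-faithful capture; the same routine can sanity-check your own debug nhrp packet output.

```python
# Added example (not Cisco code): parse the data-packet header carried in an NHRP
# Traffic Indication (redirect) and apply the receiver-side checks from the slide.
# The routing tables, network-id and interest callback are assumptions.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Bytes printed on the "NHRP Redirect Message" slide under
# "Contents of nhrp traffic indication packet" (the slide truncates after the ICMP header).
SLIDE_DUMP = ("45 00 00 64 00 19 00 00 FD 01 25 2D C0 A8 01 01 "
              "C0 A8 02 01 08 00 A8 E3 0B 78 0C")


@dataclass
class EmbeddedHeader:
    total_length: int
    ttl: int
    protocol: int
    checksum: int                  # checksum field as carried in the dump
    computed_checksum: int         # what the header bytes actually sum to
    src: str
    dst: str
    l4_first_byte: Optional[int]   # ICMP type for protocol 1, if the dump reaches it


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header with the checksum field zeroed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack(f"!{len(h) // 2}H", bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_traffic_indication_payload(hexdump: str) -> EmbeddedHeader:
    """Decode the IPv4 header of the data packet echoed back inside the redirect."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("payload does not start with an IPv4 header")
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        raise ValueError("truncated IPv4 header")
    total_length, = struct.unpack("!H", data[2:4])
    carried_csum, = struct.unpack("!H", data[10:12])
    return EmbeddedHeader(
        total_length=total_length,
        ttl=data[8],
        protocol=data[9],
        checksum=carried_csum,
        computed_checksum=ipv4_header_checksum(data[:ihl]),
        src=str(ipaddress.IPv4Address(data[12:16])),
        dst=str(ipaddress.IPv4Address(data[16:20])),
        l4_first_byte=data[ihl] if len(data) > ihl else None,
    )


# Receiver side.  Constructed routing tables: (prefix, interface, NHRP network-id of
# that interface, or None for an interface that is not part of the DMVPN cloud).
TUNNEL_NETWORK_ID = 100000
SPOKE_A_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "Ethernet0/0", None),
    (ipaddress.ip_network("192.168.0.0/16"), "Tunnel0", TUNNEL_NETWORK_ID),
]
# A transit router (e.g. a regional hub) reaches the data source through the same cloud.
TRANSIT_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "Tunnel0", TUNNEL_NETWORK_ID)]


def longest_match(routes, addr: str):
    a = ipaddress.ip_address(addr)
    hits = [r for r in routes if a in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def redirect_action(hdr: EmbeddedHeader, routes=SPOKE_A_ROUTES,
                    shortcut_enabled: bool = True, interest=lambda dst: True) -> str:
    """'resolve' -> send an NHRP Resolution Request for hdr.dst; 'drop' otherwise."""
    route = longest_match(routes, hdr.src)
    if route is None:
        return "drop"
    _, _, netid = route
    if netid == TUNNEL_NETWORK_ID:
        return "drop"        # source sits behind the same NHRP cloud: we are transit
    if shortcut_enabled and interest(hdr.dst):
        return "resolve"     # ip nhrp shortcut configured and ip nhrp interest permits
    return "drop"


if __name__ == "__main__":
    h = parse_traffic_indication_payload(SLIDE_DUMP)
    print(f"{h.src} -> {h.dst} ttl={h.ttl} proto={h.protocol} "
          f"csum=0x{h.checksum:04X} computed=0x{h.computed_checksum:04X}")
    print("Spoke A action:", redirect_action(h))
```

The interest callback stands in for the ip nhrp interest ACL; in practice it is where you keep NHRP from building spoke-spoke tunnels for traffic that should stay on the hub path (management, or flows you want inspected centrally).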

Phase 3: NHRP Resolution Request

[Sequence diagram: Host1, Spoke1, Hubs, Spoke2, Host2. After the NHRP Redirect, Spoke1 sends an NHRP Resolution Request to the hub, which forwards it to Spoke2; symmetrically, Spoke2 sends its own request via the hub to Spoke1. Each spoke then starts IKE initialization toward the other spoke's NBMA address.]

Phase 3: NHRP Resolution Request

[Figure: the NHRP Resolution Request from Spoke A travels via the hub to Spoke B. Legend: data packet, NHRP Redirect, NHRP Resolution, NHRP mapping, CEF FIB table, CEF adjacency. Tables recoverable from the figure:]

Hub: Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24
  NHRP mapping: 10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
  CEF FIB: 192.168.0.0/24 Conn.; 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12

Spoke A: Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24
  NHRP mapping: 10.0.0.1 -> 172.17.0.1
  CEF FIB: 192.168.1.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  CEF adjacency: 10.0.0.1 -> 172.17.0.1
  Data packet to 192.168.2.1: still no entry of its own ("???")

Spoke B: Physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12, LAN 192.168.2.1/24
  NHRP mapping: 10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1 (learned from the request's source NBMA/protocol addresses)
  CEF FIB: 192.168.2.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  CEF adjacency: 10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1

Phase 3: NHRP Resolution Request Message

As sent by Spoke A:

    NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
     src: 10.0.0.11, dst: 192.168.2.1
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "router auth src-stable nat ", reqid: 10599
         src NBMA: 172.16.1.1
         src protocol: 10.0.0.11, dst protocol: 192.168.2.1
     (C-1) code: no error(0)
           prefix: 0, mtu: 1514, hd_time: 360
     Responder Address Extension(3):
     Forward Transit NHS Record Extension(4):
     Reverse Transit NHS Record Extension(5):
     Authentication Extension(7):
         type:Cleartext(1), data:test
     NAT address Extension(9):

As received by Spoke B, after transiting the hub:

    NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104
     (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "router auth src-stable nat ", reqid: 10599
         src NBMA: 172.16.1.1
         src protocol: 10.0.0.11, dst protocol: 192.168.2.1
     (C-1) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
     Responder Address Extension(3):
     Forward Transit NHS Record Extension(4):
         client NBMA: 172.17.0.1, client protocol: 10.0.0.1
     Reverse Transit NHS Record Extension(5):
     Authentication Extension(7):
         type:Cleartext(1), data:test
     NAT address Extension(9):

Two things changed in transit: the hop count was decremented to 254, and the hub appended its own NBMA and protocol addresses to the Forward Transit NHS Record Extension, growing the packet from 84 to 104 bytes.

Phase 3: NHRP Resolution Processing
- The spoke (NHC) routing table has the hub (NHS) as IP next-hop for the networks behind the remote spoke. (If the routing table instead has the remote spoke as IP next-hop, the processing is as in Phase 2.)
- Data packets are forwarded (CEF-switched) via the routed path.
- The redirect message is sent by the next tunnel hop on the routed path; a redirect for a data packet triggers a resolution request.
- The resolution request is sent for the IP destination taken from the data packet header carried in the redirect message. Resolution requests are forwarded via the routed path; resolution replies are forwarded over the direct tunnel.
- The direct tunnel is initiated from the remote spoke (the one answering the request), rather than from the local spoke as in Phase 2.
- NHRP forwards data packets over the direct tunnel once the resolution reply is received.

Phase 3: NHRP Resolution Reply

[Sequence diagram: Host1, Spoke1, Hubs, Spoke2, Host2. NHRP Redirect, then NHRP Resolution Request relayed by the hub in each direction, then IKE initialization between the spokes. Once IKE/IPsec is established, each spoke sends its NHRP Resolution Reply directly to the other spoke, encrypted inside the new tunnel.]

Phase 3: NHRP Resolution Reply

[Figure: the NHRP Resolution Reply from Spoke B reaches Spoke A over the direct tunnel. Legend: data packet, NHRP Redirect, NHRP Resolution, NHRP mapping, CEF FIB table, CEF adjacency. Tables recoverable from the figure:]

Hub: Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24
  NHRP mapping: 10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1
  CEF FIB: 192.168.0.0/24 Conn.; 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12

Spoke A: Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24
  NHRP mapping: 10.0.0.1 -> 172.17.0.1; 192.168.2.0/24 -> 172.16.2.1 (from the reply)
  CEF FIB: 192.168.1.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1 (unchanged)
  CEF adjacency: 10.0.0.1 -> 172.17.0.1; 172.16.2.1 (new, for Spoke B)
  Data packet to 192.168.2.1: now matches the 192.168.2.0/24 mapping and goes direct to 172.16.2.1

Spoke B: Physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12, LAN 192.168.2.1/24
  NHRP mapping: 10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1
  CEF FIB: 192.168.2.0/24 Conn.; 192.168.0.0/16 via 10.0.0.1
  CEF adjacency: 10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1

Phase 3: NHRP Resolution Reply Message

Building the reply on the destination spoke:
- Look up the protocol destination in the routing table for the matching network, subnet mask and IP next-hop.
- Create a local NHRP mapping entry for the protocol destination network, with its mask length, to the NBMA address.
- Create the NHRP Resolution Reply with the protocol destination, NBMA address and mask length.
- Delay sending the reply until it can go over the direct spoke-spoke tunnel.

    NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 132
     src: 10.0.0.12, dst: 10.0.0.11
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 10599
         src NBMA: 172.16.1.1
         src protocol: 10.0.0.11, dst protocol: 192.168.2.1
     (C-1) code: no error(0), prefix: 24, mtu: 1514, hd_time: 360
           client NBMA: 172.16.2.1, client protocol: 10.0.0.12
     Responder Address Extension(3):
       (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
           client NBMA: 172.16.2.1, client protocol: 10.0.0.12
     Forward Transit NHS Record Extension(4):
         client NBMA: 172.17.0.1, client protocol: 10.0.0.1
     Reverse Transit NHS Record Extension(5):
     Authentication Extension(7):
         type:Cleartext(1), data:test
     NAT address Extension(9):

The reply keeps the requester's source fields and reqid, and answers with a /24 (prefix: 24) rather than a host: Spoke A learns the whole 192.168.2.0/24 behind Spoke B from one exchange.

Phase 3: NHRP Mapping Tables

Spoke A

    10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:03:37, never expire
      Type: static, Flags: used
      NBMA address: 172.17.0.1
    10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:06, expire 00:05:54
      Type: dynamic, Flags: router implicit used
      NBMA address: 172.16.2.1
    192.168.1.0/24 via 10.0.0.11, Tunnel0 created 00:00:06, expire 00:05:54
      Type: dynamic, Flags: router unique local
      NBMA address: 172.16.1.1
      (no-socket)
    192.168.2.0/24 via 10.0.0.12, Tunnel0 created 00:00:06, expire 00:05:53
      Type: dynamic, Flags: router
      NBMA address: 172.16.2.1

Spoke B

    10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:04:46, never expire
      Type: static, Flags: used
      NBMA address: 172.17.0.1
    10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:13, expire 00:05:46
      Type: dynamic, Flags: router implicit used
      NBMA address: 172.16.1.1
    192.168.1.0/24 via 10.0.0.11, Tunnel0 created 00:00:11, expire 00:05:48
      Type: dynamic, Flags: router
      NBMA address: 172.16.1.1
    192.168.2.0/24 via 10.0.0.12, Tunnel0 created 00:00:13, expire 00:05:46
      Type: dynamic, Flags: router unique local
      NBMA address: 172.16.2.1
      (no-socket)

Each spoke holds a "local (no-socket)" entry for the network it answered about itself, an "implicit" entry for the other spoke's tunnel address (learned from the source fields of the NHRP packet rather than from an explicit reply), and the network entry for the other spoke's LAN learned from the reply.

Phase 3: CEF Switching

Data Packet Forwarding (current ISR, 7200)

The IP data packet is forwarded out the tunnel interface:
1. The IP next-hop from the CEF FIB is mapped to an adjacency. If the adjacency is Glean or Incomplete, the packet is punted to process switching; if it is Valid, that adjacency is selected for the packet.
2. NHRP in the CEF feature path looks up the packet's IP destination in the NHRP mapping table. Matching entry: reselect the adjacency and use the direct spoke-spoke tunnel. No matching entry: leave the CEF adjacency as is; the packet goes to the hub.
3. If the packet arrived on, and is forwarded out, the same tunnel interface: forward the data packet and, if ip nhrp redirect is configured on the inbound tunnel, send an NHRP redirect.
4. The packet is encapsulated, encrypted and forwarded.

Phase 3: NHRP and Routing Table

Data Packet Forwarding (ASR1k; 15.2(1)T ISR, 7200)

When an NHRP resolution reply is received:
- The mapping information is inserted in the mapping table, replacing the Incomplete/Temporary mapping.
- An NHRP routing entry is inserted in the routing table (RT). What gets inserted depends on how the NHRP network/mask compares with the RT entry that covers it:
  - NHRP net/mask is more specific than the RT net/mask: add a new route owned by NHRP (type H). The parent route is monitored; if the parent route changes outbound interface, the NHRP route is removed.
  - NHRP net/mask is equal to the RT net/mask: add an override alternate next-hop (% flag). The route is still owned by its original owner.
  - NHRP net/mask is less specific than the RT net/mask: reduce the NHRP mask to equal the RT mask, then add an override alternate next-hop (% flag).
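An added example, not Cisco code, of the three merge rules listed above: a small routing-table model with longest-prefix lookup and an install_nhrp() that creates an H route for a more specific NHRP prefix, attaches a % next-hop override for an equal one, reduces a less specific one to the RT mask before attaching the override, and removes dependent H routes when their parent route moves to another interface. Route fields, the distance of 250 and the starting table (an EIGRP summary plus the 192.168.128.0/24 route from the show output that follows) are assumptions shaped after the deck.

```python
# Added example (not Cisco code): model of how a received NHRP resolution is merged
# into the routing table (H route vs. % next-hop override).  Route fields, distances
# and the sample table are assumptions shaped after the deck's "show ip route" output.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NHRP_DISTANCE = 250   # "Known via nhrp, distance 250, metric 1" on the slide


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    owner: str                          # "eigrp 1", "connected", "nhrp", ...
    distance: int
    metric: int
    nho_next_hop: Optional[str] = None  # '%' flag: override alternate next-hop
    parent: Optional["Route"] = None    # set on H routes: the covering route they depend on

    def code(self) -> str:
        if self.owner == "nhrp":
            return "H"
        base = {"eigrp 1": "D", "connected": "C"}.get(self.owner, "?")
        return base + " %" if self.nho_next_hop else base


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> Route:
        self.routes.append(route)
        return route

    def lookup(self, addr: str) -> Optional[Route]:
        a = ipaddress.ip_address(addr)
        hits = [r for r in self.routes if a in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

    def install_nhrp(self, nhrp_prefix: str, tunnel_next_hop: str, interface: str) -> Route:
        """Apply the (prefix, next-hop) from a resolution reply to the table."""
        net = ipaddress.ip_network(nhrp_prefix)
        # assumption: the "RT net/mask" the slide compares against is the longest match
        parent = self.lookup(str(net.network_address))
        if parent is None:
            raise LookupError("no route covers the resolved prefix")
        if net.prefixlen > parent.prefix.prefixlen:
            # more specific: new route owned by NHRP, tied to its parent
            return self.add(Route(net, tunnel_next_hop, interface, "nhrp",
                                  NHRP_DISTANCE, 1, parent=parent))
        # equal mask, or less specific (mask reduced to the RT mask): keep the
        # original owner and attach an override next-hop
        parent.nho_next_hop = tunnel_next_hop
        return parent

    def forwarding_next_hop(self, addr: str) -> Optional[str]:
        r = self.lookup(addr)
        if r is None:
            return None
        return r.nho_next_hop or r.next_hop

    def parent_interface_changed(self, parent: Route, new_interface: str) -> int:
        """Parent route moved to another outbound interface: drop dependent H routes."""
        parent.interface = new_interface
        before = len(self.routes)
        self.routes = [r for r in self.routes if r.parent is not parent]
        return before - len(self.routes)

    def show(self) -> List[str]:
        lines = []
        for r in self.routes:
            lines.append(f"{r.code():<4}{r.prefix} [{r.distance}/{r.metric}] "
                         f"via {r.next_hop}, {r.interface}")
            if r.nho_next_hop:
                lines.append(f"    [NHO][{r.distance}/1] via {r.nho_next_hop}, {r.interface}")
        return lines


def build_slide_table() -> RoutingTable:
    """Constructed starting point: a summary and a /24, both learned by EIGRP over Tunnel0."""
    rt = RoutingTable()
    rt.add(Route(ipaddress.ip_network("192.168.0.0/16"), "10.0.0.1", "Tunnel0", "eigrp 1", 90, 3200000))
    rt.add(Route(ipaddress.ip_network("192.168.128.0/24"), "10.0.2.16", "Tunnel0", "eigrp 1", 90, 3200000))
    return rt


if __name__ == "__main__":
    rt = build_slide_table()
    rt.install_nhrp("192.168.11.0/24", "10.0.1.11", "Tunnel0")   # more specific -> H route
    rt.install_nhrp("192.168.128.0/24", "10.0.0.1", "Tunnel0")   # equal mask -> % override
    print("\n".join(rt.show()))
```

The point of the parent tracking is operational: an H route is only as trustworthy as the summary it was carved out of, so when the summary moves to another interface the shortcut is withdrawn instead of silently black-holing traffic.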

Phase 3: NHRP and RT (ASR1k; 15.2(1)T ISR, 7200)

Routing Table

    #show ip route
    H     192.168.11.0/24 [250/1] via 10.0.1.11, 00:01:02
    D %   192.168.128.0/24 [90/3200000] via 10.0.2.16, 00:50:56, Tunnel0

NHRP routes (H) and next-hop-override entries (%)

    #show ip route next-hop-override | section H|%
    H     192.168.11.0/24 [250/1] via 10.0.1.11, 00:01:02
    D %   192.168.128.0/24 [90/3200000] via 10.0.2.16, 00:50:56, Tunnel0
          [NHO][90/1] via 10.0.0.1, 00:00:40, Tunnel0

NHRP route detail

    Routing entry for 192.168.11.0/24
      Known via "nhrp", distance 250, metric 1
      Last update from 10.0.1.11 00:05:29 ago
      Routing Descriptor Blocks:
      * 10.0.1.11, from 10.0.1.11, 00:05:29 ago
          Route metric is 1, traffic share count is 1

EIGRP route with a next-hop-override entry

    Routing entry for 192.168.128.0/24
      Known via "eigrp 1", distance 90, metric 3200000, type internal
      Redistributing via eigrp 1
      Last update from 10.0.2.16 on Tunnel0, 00:43:44 ago
      Routing Descriptor Blocks:
      * 10.0.2.16, from 10.0.2.16, 00:43:44 ago, via Tunnel0
          Route metric is 3200000, traffic share count is 1
        [NHO]10.0.0.1, from 10.0.0.1, 00:05:57 ago, via Tunnel0
          Route metric is 1, traffic share count is 1

Phase 3: Dynamic Mappings

Refresh or Remove
- Dynamic NHRP mapping entries have a finite lifetime, controlled by ip nhrp holdtime on the source of the mapping (the spoke).
- There are two types of mapping entries:
  - Master entry: the remote spoke's tunnel IP address.
  - Child entries: the remote network address(es) behind that spoke.
- A background process checks the mapping entries every 60 seconds.
  - Child entry: if marked used and timing out, refresh the child entry.
  - Master entry: if timing out, mark the CEF adjacency stale; if the stale CEF adjacency is then used, refresh the master entry.
- Refreshing an entry sends another resolution request and reply; in Phase 3 both are sent over the direct tunnel.
- If an entry expires it is removed. If IPsec is in use and this was the last entry using that NBMA address, NHRP triggers IPsec to remove the IPsec and ISAKMP SAs.
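An added example, not Cisco code, that simulates the refresh-or-remove behaviour from this slide and from the Phase 2 "Dynamic Mappings" slide earlier in this section: a 60-second background pass, refresh of a child entry that is used inside its last 120 seconds, a master entry that is refreshed through a stale CEF adjacency, and IPsec/ISAKMP teardown once the last entry for an NBMA address expires. The timer values come from the deck's configuration (holdtime 360); the data structures, the assumption that the used flag is cleared on every pass, and the traffic pattern in simulate() are mine.

```python
# Added example (not Cisco code): simulation of the refresh-or-remove logic for dynamic
# NHRP mappings.  Timer values are from the deck; data structures and traffic pattern
# are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOLDTIME = 360          # ip nhrp holdtime 360 (from the deck's configs)
CHECK_INTERVAL = 60     # background process period
REFRESH_WINDOW = 120    # refresh only when the expire time is < 120 s


@dataclass
class Mapping:
    key: str                    # master: remote tunnel address; child: remote network prefix
    nbma: str
    kind: str                   # "master" or "child"
    expires_at: int
    via: Optional[str] = None   # child -> tunnel address of its master entry
    used: bool = False
    adjacency_stale: bool = False


class NhrpCache:
    def __init__(self) -> None:
        self.now = 0
        self.entries: Dict[str, Mapping] = {}
        self.events: List[Tuple[str, str]] = []

    def learn(self, key: str, nbma: str, kind: str, via: Optional[str] = None) -> None:
        self.entries[key] = Mapping(key, nbma, kind, self.now + HOLDTIME, via)

    def forward(self, prefix: str) -> Optional[str]:
        """Data plane: a packet for `prefix` is sent over the direct tunnel."""
        child = self.entries.get(prefix)
        if child is None:
            return None
        child.used = True
        master = self.entries.get(child.via or "")
        if master is not None and master.adjacency_stale:
            self._refresh(master)      # CEF used a stale adjacency -> signal NHRP
        return child.nbma

    def tick(self) -> None:
        """One pass of the 60-second background process."""
        self.now += CHECK_INTERVAL
        for entry in list(self.entries.values()):
            remaining = entry.expires_at - self.now
            if remaining <= 0:
                self._remove(entry)
                continue
            if remaining < REFRESH_WINDOW:
                if entry.kind == "child" and entry.used:
                    self._refresh(entry)
                elif entry.kind == "master":
                    entry.adjacency_stale = True
            entry.used = False             # assumption: used flag is re-armed each pass

    def _refresh(self, entry: Mapping) -> None:
        # Phase 3: resolution request and reply both travel over the direct tunnel
        entry.expires_at = self.now + HOLDTIME
        entry.adjacency_stale = False
        self.events.append(("refresh", entry.key))

    def _remove(self, entry: Mapping) -> None:
        del self.entries[entry.key]
        self.events.append(("expire", entry.key))
        if not any(e.nbma == entry.nbma for e in self.entries.values()):
            self.events.append(("ipsec-teardown", entry.nbma))   # last entry for that peer


def simulate(traffic_until: int, limit: int = 3600) -> Tuple[List[Tuple[str, str]], int]:
    """Spoke A's view of Spoke B: traffic flows while now < traffic_until, then stops."""
    cache = NhrpCache()
    cache.learn("10.0.0.12", "172.16.2.1", "master")
    cache.learn("192.168.2.0/24", "172.16.2.1", "child", via="10.0.0.12")
    while cache.entries and cache.now < limit:
        if cache.now < traffic_until:
            cache.forward("192.168.2.0/24")
        cache.tick()
    return cache.events, cache.now


if __name__ == "__main__":
    for event in simulate(traffic_until=301)[0]:
        print(*event)
```

With traffic running past the 240-second mark, the child entry is refreshed at the first pass inside its last 120 seconds and the master entry is refreshed the next time a packet hits its stale adjacency; five minutes of silence later both expire together and the IPsec SAs to 172.16.2.1 are torn down exactly once.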

Use Case: iBGP over DMVPN

Agenda
- DMVPN Overview
- NHRP Details
- Use Case: iBGP over DMVPN
  - Load-balancing Hubs
- Recent and New Features

iBGP over DMVPN

Base Physical Topology

[Topology diagram; addressing recoverable from it:]
- Internet router (BGP AS 2) with a serial link to every hub and spoke; it carries no internal routes.
- Hub1: Serial2/0 172.17.0.1/30 (ISP side .2), Ethernet0/0 192.168.0.1/24.
- Hub2: Serial2/0 172.17.0.5/30 (ISP side .6), Ethernet0/0 192.168.0.2/24.
- R2: 192.168.0.3 on the hub LAN, with 192.168.10.0/24 (.1) behind it.
- Spoke1: Serial1/0 172.16.1.1/30 (ISP side .2), LAN 192.168.1.0/24 (.1); RS1 (.2) behind it with 192.168.11.0/24.
- Spoke2: Serial1/0 172.16.2.1/30 (ISP side .2), LAN 192.168.2.0/24 (.1); RS2 (.2) with 192.168.12.0/24.
- Spoke3: Serial1/0 172.16.3.1/30 (ISP side .2), LAN 192.168.3.0/24 (.1); RS3 with 192.168.13.0/24.
- Spoke4: Serial1/0 172.16.4.1/30 (ISP side .2), LAN 192.168.4.0/24 (.1); RS4 (.2) with 192.168.14.0/24.

iBGP over DMVPN

Base Logical Topology

[Topology diagram; contents recoverable from it:]
- DMVPN cloud 10.0.0.0/24: Hub1 10.0.0.1, Hub2 10.0.0.2, Spoke1 10.0.0.11, Spoke2 10.0.0.12, Spoke3 10.0.0.13, Spoke4 10.0.0.14. Hubs, spokes and R2 all run BGP AS 1 (iBGP); the Internet runs BGP AS 2.
- Behind the hubs: R2 (BGP 1) with 192.168.10.0/24.
- Behind the spokes: RS1 (EIGRP 1) with 192.168.11.0/24, RS2 (BGP 1) with 192.168.12.0/24, RS3 (OSPF 1) with 192.168.13.0/24, RS4 (EIGRP 1) with 192.168.14.0/24.

iBGP over DMVPN

Base Interface configurations

Hubs (Hub1: (w)=1, (x)=2, (y)=5, (z)=1; Hub2: (w)=2, (x)=1, (y)=1, (z)=5):

    interface Tunnel0
     bandwidth 1000
     ip address 10.0.0.(w) 255.255.255.0
     ip mtu 1400
     ip nhrp authentication test
     ip nhrp map multicast dynamic
     ip nhrp map 10.0.0.(x) 172.17.0.(y)
     ip nhrp map multicast 172.17.0.(y)
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip nhrp redirect
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source Serial2/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile vpnprof
    !
    interface Ethernet0/0
     ip address 192.168.0.(w) 255.255.255.0
    !
    interface Serial2/0
     ip address 172.17.0.(z) 255.255.255.252

Spokes (Spoke1..4: (x)=11..14, (y)=1..4):

    interface Tunnel0
     bandwidth 1000
     ip address 10.0.0.(x) 255.255.255.0
     ip mtu 1400
     ip nhrp authentication test
     ip nhrp map 10.0.0.2 172.17.0.5
     ip nhrp map multicast 172.17.0.5
     ip nhrp map 10.0.0.1 172.17.0.1
     ip nhrp map multicast 172.17.0.1
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip nhrp nhs 10.0.0.1
     ip nhrp nhs 10.0.0.2
     ip nhrp shortcut
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source Serial1/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile vpnprof
    !
    interface Ethernet0/0
     ip address 192.168.(y).1 255.255.255.0
    !
    interface Serial1/0
     ip address 172.16.(y).1 255.255.255.252

Hubs carry ip nhrp redirect, spokes carry ip nhrp shortcut: that pair is what makes this a Phase 3 design. Note that ip nhrp authentication is a cleartext string (it appears as "Authentication Extension(7): type:Cleartext(1), data:test" in the NHRP debugs earlier in this section) and only keeps mis-configured peers out of the NHRP domain; peer authentication and confidentiality come from tunnel protection ipsec profile vpnprof, which has to be present on every mGRE interface.

iBGP over DMVPN

Dynamic Neighbors, Route Reflection

Hubs:
- Dynamic neighbors (15.1(2)T): a bgp listen range covers the tunnel subnet, so spokes need not be configured individually.
- Route-reflector for the spokes (the spokes are clients).
- Regular iBGP neighbor between the two hubs.
- Add to the MED when advertising between hubs.

Spokes:
- Route-reflector-client.

Both:
- Set the next-hop to self/peer, as DMVPN Phase 3 expects: spokes route via the hub and NHRP installs the shortcut.
- Use the same BGP AS over DMVPN on all nodes.

Route Filtering
- Block ISP routes from being advertised over DMVPN and the LAN: mark them with community 1:10 on the way in and match on it on the way out.
- Accept only local LAN routes from the LAN: routes that reached the LAN router over DMVPN carry community 1:20 (BGP) or route-tag 225 (IGP), and are rejected when they come back from the LAN.

iBGP over DMVPN

Hub Routing Configuration (Hub1 uses the first value in each (a,b) pair, Hub2 the second)

    router bgp 1
     bgp log-neighbor-changes
     ! dynamic neighbors
     bgp listen range 10.0.0.0/24 peer-group spokes
     network 192.168.0.0
     timers bgp 10 30
     neighbor spokes peer-group
     neighbor spokes remote-as 1
     neighbor spokes route-reflector-client
     neighbor spokes route-map DMVPN-OUT out
     neighbor 10.0.0.(2,1) remote-as 1
     ! change MED on routes from the other hub
     neighbor 10.0.0.(2,1) route-map H2H-IN in
     neighbor 10.0.0.(2,1) route-map DMVPN-OUT out
     neighbor 172.17.0.(2,6) remote-as 2
     neighbor 172.17.0.(2,6) route-map ISP-IN in
     neighbor 172.17.0.(2,6) route-map ISP-OUT out
     neighbor 192.168.0.3 remote-as 1
     neighbor 192.168.0.3 route-map LAN-IN in
     neighbor 192.168.0.3 route-map LAN-OUT out
     maximum-paths ibgp 4
     distance bgp 20 160 160
    !
    ip bgp-community new-format
    ip community-list 10 permit 1:10
    ip community-list 11 deny 1:10
    ip community-list 11 permit
    ip community-list 21 deny 1:20
    ip community-list 21 permit
    !
    ! next-hop setting
    route-map DMVPN-OUT permit 10
     match community 11
     set ip next-hop 10.0.0.(1,2)
    route-map LAN-OUT permit 10
     match community 11
     set ip next-hop 192.168.0.(1,2)
    ! change MED
    route-map H2H-IN permit 10
     set metric +10000
    ! route filtering
    route-map ISP-IN permit 10
     set community 1:10
    route-map ISP-OUT permit 10
     match community 10
    route-map LAN-IN permit 10
     match community 21

The bgp listen range accepts a BGP session from any address in 10.0.0.0/24. That subnet exists only on the mGRE interface, so a peer can reach it only after IKE/IPsec authentication (tunnel protection); the IPsec peer identity is therefore what gates who may peer, and the tunnel must never be brought up without it. A neighbor spokes password adds an independent check on the BGP session itself.

iBGP over DMVPN

Spoke1 Routing (IGP) Configuration (Spokes 3 and 4 are similar)

    router eigrp 1
     default-metric 1000 0 255 100 1500
     network 192.168.1.0
     ! BGP -> IGP
     redistribute bgp 1 route-map BGP2IGP
    !
    router bgp 1
     bgp log-neighbor-changes
     bgp redistribute-internal
     timers bgp 10 30
     ! IGP -> BGP
     redistribute eigrp 1 route-map IGP2BGP
     ! neighbors
     neighbor hubs peer-group
     neighbor hubs remote-as 1
     ! next-hop setting
     neighbor hubs next-hop-self
     neighbor hubs route-map DMVPN-OUT out
     neighbor 10.0.0.1 peer-group hubs
     neighbor 10.0.0.2 peer-group hubs
     neighbor 172.16.1.2 remote-as 2
     neighbor 172.16.1.2 route-map ISP-IN in
     neighbor 172.16.1.2 route-map ISP-OUT out
     maximum-paths ibgp 4
     distance bgp 20 160 160
    !
    ip bgp-community new-format
    ip community-list 10 permit 1:10
    ip community-list 11 deny 1:10
    ip community-list 11 permit
    !
    ! route filtering
    route-map ISP-IN permit 10
     set community 1:10
    route-map ISP-OUT permit 10
     match community 10
    route-map DMVPN-OUT permit 10
     match community 11
    route-map BGP2IGP permit 10
     match community 11
     set tag 225
    route-map IGP2BGP deny 10
     match tag 225
    route-map IGP2BGP permit 20

iBGP over DMVPN

Spoke2 Routing (iBGP) Configuration

    router bgp 1
     bgp log-neighbor-changes
     timers bgp 10 30
     ! neighbors
     neighbor hubs peer-group
     neighbor hubs remote-as 1
     neighbor hubs route-map DMVPN-OUT out
     neighbor 10.0.0.1 peer-group hubs
     neighbor 10.0.0.2 peer-group hubs
     neighbor 172.16.2.2 remote-as 2
     neighbor 172.16.2.2 route-map ISP-IN in
     neighbor 172.16.2.2 route-map ISP-OUT out
     neighbor 192.168.2.2 remote-as 1
     neighbor 192.168.2.2 route-reflector-client
     neighbor 192.168.2.2 route-map LAN-IN in
     neighbor 192.168.2.2 route-map LAN-OUT out
     maximum-paths ibgp 4
     distance bgp 20 160 160
    !
    ip bgp-community new-format
    ip community-list 10 permit 1:10
    ip community-list 11 deny 1:10
    ip community-list 11 permit
    ip community-list 21 deny 1:20
    ip community-list 21 permit
    !
    ! next-hop setting
    route-map DMVPN-OUT permit 10
     match community 11
     set ip next-hop 10.0.0.12
    route-map LAN-OUT permit 10
     match community 11
     set ip next-hop 192.168.2.1
    ! route filtering
    route-map ISP-IN permit 10
     set community 1:10
    route-map ISP-OUT permit 10
     match community 10
    route-map LAN-IN permit 10
     match community 21

Spoke2's ISP neighbor is 172.16.2.2, the far end of its own 172.16.2.0/30 link (the original slide repeats Spoke1's 172.16.1.2 here). Because RS2 speaks iBGP rather than an IGP, Spoke2 acts as route-reflector for it and filters with communities on the LAN side instead of with route tags.

iBGP over DMVPN

R2, RS2 Routing (iBGP) Configuration (RS1, RS3 and RS4 use a standard IGP configuration)

R2 (behind the hubs):

    router bgp 1
     network 192.168.0.0
     network 192.168.10.0
     neighbor hubs peer-group
     neighbor hubs remote-as 1
     neighbor hubs route-reflector-client
     ! next-hop setting
     neighbor hubs next-hop-self
     neighbor hubs send-community
     ! route filtering
     neighbor hubs route-map FROM-DMVPN in
     neighbor 192.168.0.1 peer-group hubs
     neighbor 192.168.0.2 peer-group hubs
     maximum-paths ibgp 4
    !
    ip bgp-community new-format
    route-map FROM-DMVPN permit 10
     set community 1:20

RS2 (behind Spoke2):

    router bgp 1
     network 192.168.2.0
     network 192.168.12.0
     neighbor 192.168.2.1 remote-as 1
     ! next-hop setting
     neighbor 192.168.2.1 next-hop-self
     neighbor 192.168.2.1 send-community
     ! route filtering
     neighbor 192.168.2.1 route-map FROM-DMVPN in
     maximum-paths ibgp 4
    !
    ip bgp-community new-format
    route-map FROM-DMVPN permit 10
     set community 1:20

Both LAN routers tag everything they learn from the DMVPN side with community 1:20 on the way in (the slide's second column prints "neighbor hubs send-community" for RS2, where no hubs peer-group exists; the command applies to the 192.168.2.1 neighbor). The hubs' and Spoke2's LAN-IN route-map matches community-list 21, which denies 1:20, so a route that came in over the DMVPN is never accepted back from the LAN.

iBGP over DMVPN

ISP Routes

Internet Router (NO INTERNAL ROUTES!)

    C  172.17.0.4 is directly connected, Serial2/0
    C  172.17.0.0 is directly connected, Serial1/0
    C  172.16.4.0 is directly connected, Serial6/0
    C  172.16.1.0 is directly connected, Serial3/0
    C  172.16.2.0 is directly connected, Serial4/0
    C  172.16.3.0 is directly connected, Serial5/0

Spoke1 (Spokes 3 and 4 are similar)

    ...
    C  172.16.1.0/30 is directly connected, Serial1/0
    L  172.16.1.1/32 is directly connected, Serial1/0
    B  172.16.2.0/30 [20/0] via 172.16.1.2
    ...
    B  172.16.3.0/30 [20/0] via 172.16.1.2
    B  172.16.4.0/30 [20/0] via 172.16.1.2
    B  172.17.0.0 [20/0] via 172.16.1.2
    B  172.17.0.4 [20/0] via 172.16.1.2
    ...

Spoke2

    ...
    B  172.16.1.0/30 [20/0] via 172.16.2.2
    C  172.16.2.0/30 is directly connected, Serial1/0
    L  172.16.2.1/32 is directly connected, Serial1/0
    ...
    B  172.16.3.0/30 [20/0] via 172.16.2.2
    B  172.16.4.0/30 [20/0] via 172.16.2.2
    B  172.17.0.0 [20/0] via 172.16.2.2
    B  172.17.0.4 [20/0] via 172.16.2.2
    ...

Hub1

    ...
    B  172.16.1.0 [20/0] via 172.17.0.2
    B  172.16.2.0 [20/0] via 172.17.0.2
    B  172.16.3.0 [20/0] via 172.17.0.2
    B  172.16.4.0 [20/0] via 172.17.0.2
    ...
    C  172.17.0.0/30 is directly connected, Serial2/0
    L  172.17.0.1/32 is directly connected, Serial2/0
    B  172.17.0.4/30 [20/0] via 172.17.0.2
    ...

Hub2

    ...
    B  172.16.1.0 [20/0] via 172.17.0.6
    B  172.16.2.0 [20/0] via 172.17.0.6
    B  172.16.3.0 [20/0] via 172.17.0.6
    B  172.16.4.0 [20/0] via 172.17.0.6
    ...
    B  172.17.0.0/30 [20/0] via 172.17.0.6
    C  172.17.0.4/30 is directly connected, Serial2/0
    L  172.17.0.5/32 is directly connected, Serial2/0
    ...

RS(x), R2

    ... (NO ISP ROUTES!) ...

iBGP over DMVPN

Hub internal routes (192.168.1x.0/24)

Hub1

    #show ip route
    B    192.168.10.0/24 [160/0] via 192.168.0.3
    B    192.168.11.0/24 [160/307200] via 10.0.0.11
                         [160/307200] via 10.0.0.2
    B    192.168.12.0/24 [160/0] via 10.0.0.12
                         [160/0] via 10.0.0.2
    B    192.168.13.0/24 [160/20] via 10.0.0.13
                         [160/20] via 10.0.0.2
    B    192.168.14.0/24 [160/307200] via 10.0.0.14
                         [160/307200] via 10.0.0.2

    # show ip bgp
         Network          Next Hop    Metric           LocPrf Weight Path
    *>i  192.168.10.0     192.168.0.3      0            100      0 i
    *m i 192.168.11.0     10.0.0.2    317200 (307200)   100      0 ?
    *>i                   10.0.0.11   307200            100      0 ?
    *>i  192.168.12.0     10.0.0.12        0            100      0 i
    *m i                  10.0.0.2     10000 (0)        100      0 i
    *m i 192.168.13.0     10.0.0.2     10020 (20)       100      0 ?
    *>i                   10.0.0.13       20            100      0 ?
    *>i  192.168.14.0     10.0.0.14   307200            100      0 ?
    *m i                  10.0.0.2    317200 (307200)   100      0 ?

Hub2

    #show ip route
    B    192.168.10.0/24 [160/0] via 192.168.0.3
    B    192.168.11.0/24 [160/307200] via 10.0.0.11
                         [160/307200] via 10.0.0.1
    B    192.168.12.0/24 [160/0] via 10.0.0.12
                         [160/0] via 10.0.0.1
    B    192.168.13.0/24 [160/20] via 10.0.0.13
                         [160/20] via 10.0.0.1
    B    192.168.14.0/24 [160/307200] via 10.0.0.14
                         [160/307200] via 10.0.0.1

    # show ip bgp
         Network          Next Hop    Metric           LocPrf Weight Path
    *>i  192.168.10.0     192.168.0.3      0            100      0 i
    *>i  192.168.11.0     10.0.0.11   307200            100      0 ?
    *m i                  10.0.0.1    317200 (307200)   100      0 ?
    *m i 192.168.12.0     10.0.0.1     10000 (0)        100      0 i
    *>i                   10.0.0.12        0            100      0 i
    *m i 192.168.13.0     10.0.0.1     10020 (20)       100      0 ?
    *>i                   10.0.0.13       20            100      0 ?
    *m i 192.168.14.0     10.0.0.1    317200 (307200)   100      0 ?
    *>i                   10.0.0.14   307200            100      0 ?

The slide overlays two states for the paths learned from the other hub. The value in parentheses is the MED as the other hub advertised it, when both paths were equal and installed as multipath (the "m" flag and the second next-hop in show ip route). The first value is after route-map H2H-IN adds 10000 on the receiving hub (MED +10000 via other hub), at which point only the path learned directly from the spoke is best. Paths originated by an IGP behind the spoke show origin "?" (incomplete, from redistribution); those from RS2's BGP and from R2 show "i".

iBGP over DMVPN

Spoke1, 2 internal routes (192.168.1x.0/24)

Spoke1 (Spokes 3 and 4 are similar)

    #show ip route
    B    192.168.10.0/24 [160/0] via 10.0.0.2
                         [160/0] via 10.0.0.1
    D    192.168.11.0/24 [90/307200] via 192.168.1.2
    B    192.168.12.0/24 [160/0] via 10.0.0.2
                         [160/0] via 10.0.0.1
    B    192.168.13.0/24 [160/20] via 10.0.0.2
                         [160/20] via 10.0.0.1
    B    192.168.14.0/24 [160/307200] via 10.0.0.2
                         [160/307200] via 10.0.0.1

    # show ip bgp
         Network          Next Hop    Metric LocPrf Weight Path
    *m i 192.168.10.0     10.0.0.2         0    100      0 i
    *>i                   10.0.0.1         0    100      0 i
    *>   192.168.11.0     192.168.1.2 307200        32768 ?
    *m i 192.168.12.0     10.0.0.2         0    100      0 i
    *>i                   10.0.0.1         0    100      0 i
    *m i 192.168.13.0     10.0.0.2        20    100      0 ?
    *>i                   10.0.0.1        20    100      0 ?
    *m i 192.168.14.0     10.0.0.2    307200    100      0 ?
    *>i                   10.0.0.1    307200    100      0 ?

Spoke2

    #show ip route
    B    192.168.10.0/24 [160/0] via 10.0.0.2
                         [160/0] via 10.0.0.1
    B    192.168.11.0/24 [160/307200] via 10.0.0.2
                         [160/307200] via 10.0.0.1
    B    192.168.12.0/24 [160/0] via 192.168.2.2
    B    192.168.13.0/24 [160/20] via 10.0.0.2
                         [160/20] via 10.0.0.1
    B    192.168.14.0/24 [160/307200] via 10.0.0.2
                         [160/307200] via 10.0.0.1

    # show ip bgp
         Network          Next Hop    Metric LocPrf Weight Path
    *>i  192.168.10.0     10.0.0.1         0    100      0 i
    *m i                  10.0.0.2         0    100      0 i
    *m i 192.168.11.0     10.0.0.2    307200    100      0 ?
    *>i                   10.0.0.1    307200    100      0 ?
    *>i  192.168.12.0     192.168.2.2      0    100      0 i
    *>i  192.168.13.0     10.0.0.1    307200    100      0 ?
    *m i                  10.0.0.2    307200    100      0 ?
    *>i  192.168.14.0     10.0.0.1        20    100      0 ?
    *m i                  10.0.0.2        20    100      0 ?

Every spoke sees every other spoke's prefix from both hubs with the same MED and installs both as iBGP multipath (maximum-paths ibgp 4). In Spoke2's show ip bgp as printed on the slide, the metrics of 192.168.13.0 (OSPF cost 20) and 192.168.14.0 (EIGRP metric 307200) are swapped relative to Spoke2's own routing table and to every other router in the deck.

iBGP over DMVPN

R2, RS(x) internal routes (192.168.1x.0/24)

R2

    #show ip route
    C    192.168.10.0/24 is directly connected, Ethernet1/0
    B    192.168.11.0/24 [200/307200] via 192.168.0.1
                         [200/307200] via 192.168.0.2
    B    192.168.12.0/24 [200/0] via 192.168.0.2
                         [200/0] via 192.168.0.1
    B    192.168.13.0/24 [200/20] via 192.168.0.1
                         [200/20] via 192.168.0.2
    B    192.168.14.0/24 [200/307200] via 192.168.0.2
                         [200/307200] via 192.168.0.1

    # show ip bgp
         Network          Next Hop    Metric LocPrf Cmnty
    *>   192.168.10.0     0.0.0.0          0
    *m i 192.168.11.0     192.168.0.2 307200    100 1:20
    *>i                   192.168.0.1 307200    100 1:20
    *>i  192.168.12.0     192.168.0.1      0    100 1:20
    *m i                  192.168.0.2      0    100 1:20
    *m i 192.168.13.0     192.168.0.2     20    100 1:20
    *>i                   192.168.0.1     20    100 1:20
    *>i  192.168.14.0     192.168.0.1 307200    100 1:20
    *m i                  192.168.0.2 307200    100 1:20

RS1 (RS3 and RS4 are similar)

    #show ip route
    D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1
    C    192.168.11.0/24 is directly connected, Ethernet1/0
    D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1
    D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1
    D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1

RS2

    #show ip route
    B    192.168.10.0/24 [200/0] via 192.168.2.1
    B    192.168.11.0/24 [200/307200] via 192.168.2.1
    C    192.168.12.0/24 is directly connected, Ethernet1/0
    B    192.168.13.0/24 [200/307200] via 192.168.2.1
    B    192.168.14.0/24 [200/20] via 192.168.2.1

    # show ip bgp
         Network          Next Hop    Metric LocPrf Cmnty
    *>i  192.168.10.0     192.168.2.1      0    100 1:20
    *>i  192.168.11.0     192.168.2.1 307200    100 1:20
    *>   192.168.12.0     0.0.0.0          0
    *>i  192.168.13.0     192.168.2.1     20    100 1:20
    *>i  192.168.14.0     192.168.2.1 307200    100 1:20

On the LAN routers every DMVPN-learned prefix carries community 1:20 (set by FROM-DMVPN), which is what keeps it from being re-imported at the hubs and at Spoke2. RS2's routing table as printed on the slide swaps the metrics of 192.168.13.0 and 192.168.14.0 relative to its own BGP table.

iBGP over DMVPN: Load balancing Hubs

Hubs:
- Use communities to add to the MED when learning routes from the spokes.
  - Hub1: community 1:1 (+0), community 1:2 (+5000), other (+7500)
  - Hub2: community 1:2 (+0), community 1:1 (+5000), other (+7500)
- The +5000 added for the other hub's community is still less than the +10000 added to routes learned via the other hub, so each hub keeps preferring the path it learned directly from the spoke and only the spokes' choice of hub changes.

Spokes:
- Multiple spokes at one spoke site can use communities to add to the IGP metric when advertising to the LAN, and to add to the MED when learning from the hubs.

Both:
- Set the community when learning routes from the LAN: odd spokes and Hub1 use community 1:1, even spokes and Hub2 use community 1:2.

iBGP over DMVPN: Load balancing Hubs

Hub Routing Configuration changes (Hub1: (x)=2, (y)=1; Hub2: (x)=1, (y)=2)

    router bgp 1
     ! send communities to DMVPN neighbors
     neighbor spokes send-community
     neighbor spokes route-map CMNTY in
     neighbor 10.0.0.(x) send-community
    !
    ip bgp-community new-format
    ip community-list 1 permit 1:1
    ip community-list 2 permit 1:2
    !
    ! routes with the same community as this hub
    route-map CMNTY permit 10
     match community (y)
    ! routes with the other hub's community
    route-map CMNTY permit 20
     match community (x)
     set metric +5000
    ! other routes
    route-map CMNTY permit 30
     set metric +7500
    ! set community on inbound from LAN
    route-map LAN-IN permit 10
     match community 21
     set community 1:(y)

iBGP over DMVPN: Load balancing Hubs

Spoke Routing Configuration changes

Spoke1 (Spoke 3 is similar): send communities to the DMVPN neighbors and set the community when redistributing the LAN IGP into BGP

    router bgp 1
     neighbor hubs peer-group
     neighbor hubs send-community
     neighbor 10.0.0.1 peer-group hubs
     neighbor 10.0.0.2 peer-group hubs
    !
    ip bgp-community new-format
    route-map IGP2BGP deny 10
     match tag 225
    route-map IGP2BGP permit 20
     set community 1:1

Spoke2 (Spoke 4 is similar): send communities to the DMVPN neighbors and set the community on inbound from the LAN

    router bgp 1
     neighbor hubs peer-group
     neighbor hubs send-community
     neighbor 10.0.0.1 peer-group hubs
     neighbor 10.0.0.2 peer-group hubs
    !
    ip bgp-community new-format
    route-map LAN-IN permit 10
     match community 21
     set community 1:2
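An added example, not Cisco code, that reproduces the MED arithmetic of the hub and spoke changes above and shows why it balances spokes across the two hubs: cmnty_increment() is route-map CMNTY (+0 for the hub's own community, +5000 for the other hub's, +7500 otherwise), H2H_PENALTY is route-map H2H-IN (+10000), hub_paths() gives the two MEDs a hub sees for a spoke prefix, and spoke_view() gives the hub a spoke will prefer. Only MED is compared, which is valid here because all paths are iBGP with equal weight, local preference and AS path. The function names are assumptions; the prefixes, communities and metrics are those in the deck's show output on the following slides.

```python
# Added example (not Cisco code): the MED arithmetic of the load-balancing design
# (route-map CMNTY on the hubs, route-map H2H-IN between hubs) and the resulting best
# path on hubs and spokes.  Function names are assumptions; values are from the deck.
from typing import Dict, List, Tuple

HUB_COMMUNITY = {"Hub1": "1:1", "Hub2": "1:2"}   # community each hub treats as its own
SAME_COMMUNITY = 0            # route-map CMNTY permit 10
OTHER_HUB_COMMUNITY = 5000    # route-map CMNTY permit 20: set metric +5000
NO_KNOWN_COMMUNITY = 7500     # route-map CMNTY permit 30: set metric +7500
H2H_PENALTY = 10000           # route-map H2H-IN: set metric +10000


def cmnty_increment(hub: str, community: str) -> int:
    """MED added by `hub` when it learns a route with `community` from a spoke."""
    if community == HUB_COMMUNITY[hub]:
        return SAME_COMMUNITY
    if community in HUB_COMMUNITY.values():
        return OTHER_HUB_COMMUNITY
    return NO_KNOWN_COMMUNITY


def other_hub(hub: str) -> str:
    return next(h for h in HUB_COMMUNITY if h != hub)


def hub_paths(hub: str, community: str, spoke_med: int) -> Dict[str, int]:
    """MED of a spoke prefix in `hub`'s table: direct from the spoke vs relayed by the other hub."""
    other = other_hub(hub)
    return {
        "direct": spoke_med + cmnty_increment(hub, community),
        "via " + other: spoke_med + cmnty_increment(other, community) + H2H_PENALTY,
    }


def hub_best(hub: str, community: str, spoke_med: int) -> str:
    paths = hub_paths(hub, community, spoke_med)
    return min(paths, key=paths.get)


def spoke_view(community: str, spoke_med: int) -> Tuple[List[str], Dict[str, int]]:
    """MED a spoke receives from each hub (each hub re-advertises its own best path)
    and the hub(s) the spoke prefers."""
    meds = {h: spoke_med + cmnty_increment(h, community) for h in HUB_COMMUNITY}
    best = min(meds.values())
    return sorted(h for h, m in meds.items() if m == best), meds


def design_invariant_holds() -> bool:
    """A hub must always prefer the route it learned directly from the spoke:
    the worst direct increment has to stay below the best relayed one."""
    increments = (SAME_COMMUNITY, OTHER_HUB_COMMUNITY, NO_KNOWN_COMMUNITY)
    return max(increments) < min(increments) + H2H_PENALTY


# Constructed from the deck: (prefix, community set by the originating spoke, MED as sent)
SPOKE_PREFIXES = [
    ("192.168.11.0/24", "1:1", 307200),   # Spoke1, EIGRP metric from RS1
    ("192.168.12.0/24", "1:2", 0),        # Spoke2, iBGP from RS2
    ("192.168.13.0/24", "1:1", 20),       # Spoke3, OSPF cost from RS3
    ("192.168.14.0/24", "1:2", 307200),   # Spoke4, EIGRP metric from RS4
]

if __name__ == "__main__":
    for prefix, community, med in SPOKE_PREFIXES:
        for hub in HUB_COMMUNITY:
            print(hub, prefix, hub_paths(hub, community, med), "->", hub_best(hub, community, med))
        print("  spokes prefer", spoke_view(community, med)[0])
```

The invariant check is the one worth keeping in a change review: if someone later raises the "other hub" increment above 10000, hubs start preferring relayed paths and spoke-to-spoke traffic hairpins through both hubs.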

iBGP over DMVPN: Load balancing Hubs

Hub internal routes (192.168.1x.0/24)

Hub1 (Cmnty 1:1)

    #show ip route
    B    192.168.10.0/24 [160/0] via 192.168.0.3
    B    192.168.11.0/24 [160/307200] via 10.0.0.11
    B    192.168.12.0/24 [160/5000] via 10.0.0.12       (was [160/0])
    B    192.168.13.0/24 [160/20] via 10.0.0.13
    B    192.168.14.0/24 [160/312200] via 10.0.0.14     (was [160/307200])

    # show ip bgp
         Network          Next Hop    Metric           LocPrf Cmnty
    *>i  192.168.10.0     192.168.0.3      0            100 1:1
    * i  192.168.11.0     10.0.0.2    322200 (317200)   100 1:1
    *>i                   10.0.0.11   307200            100 1:1
    *>i  192.168.12.0     10.0.0.12     5000 (0)        100 1:2
    * i                   10.0.0.2     10000            100 1:2
    * i  192.168.13.0     10.0.0.2     15020 (10020)    100 1:1
    *>i                   10.0.0.13       20            100 1:1
    *>i  192.168.14.0     10.0.0.14   312200 (307200)   100 1:2
    * i                   10.0.0.2    317200            100 1:2

Hub2 (Cmnty 1:2)

    #show ip route
    B    192.168.10.0/24 [160/0] via 192.168.0.3
    B    192.168.11.0/24 [160/312200] via 10.0.0.11     (was [160/307200])
    B    192.168.12.0/24 [160/0] via 10.0.0.12
    B    192.168.13.0/24 [160/5020] via 10.0.0.13       (was [160/20])
    B    192.168.14.0/24 [160/307200] via 10.0.0.14

    # show ip bgp
         Network          Next Hop    Metric           LocPrf Cmnty
    *>i  192.168.10.0     192.168.0.3      0            100 1:2
    *>i  192.168.11.0     10.0.0.11   312200 (307200)   100 1:1
    * i                   10.0.0.1    317200            100 1:1
    * i  192.168.12.0     10.0.0.1     15000 (10000)    100 1:2
    *>i                   10.0.0.12        0            100 1:2
    * i  192.168.13.0     10.0.0.1     10020            100 1:1
    *>i                   10.0.0.13     5020 (20)       100 1:1
    * i  192.168.14.0     10.0.0.1    322200 (317200)   100 1:2
    *>i                   10.0.0.14   307200            100 1:2

Values in parentheses are the ones from the previous, non-balanced configuration, which the slide overlays. Each hub now adds 5000 to the prefixes carrying the other hub's community (Hub1 to 192.168.12.0 and 192.168.14.0, Hub2 to 192.168.11.0 and 192.168.13.0); the relayed copies from the other hub carry that increment plus the 10000 from H2H-IN, so the direct path from the spoke remains best on both hubs.

iBGP over DMVPN Load balancing Hubs


Spoke1,2 internal routes (192.168.1x.0/24)
Spoke1 (Cmnty 1:1)
#show ip route
B D B B B B 192.168.10.0/24 [160/0] [160/0] 192.168.11.0/24 [90/307200] 192.168.12.0/24 [160/0] [160/0] 192.168.13.0/24 [160/20] 192.168.13.0/24 [160/20] 192.168.14.0/24 [160/307200] [160/307200] Spoke 3 is similar via 10.0.0.2, via 10.0.0.1, via 192.168.1.2, via 10.0.0.2, via 10.0.0.1, via 10.0.0.2, via 10.0.0.1, via 10.0.0.2, via 10.0.0.1,

Spoke2 (Cmnty 1:2)


#show ip route
B B B B B B B 192.168.10.0/24 [160/0] [160/0] 192.168.11.0/24 [160/307200] 192.168.11.0/24 [160/307200] 192.168.12.0/24 [160/0] 192.168.13.0/24 [160/20] 192.168.13.0/24 [160/20] 192.168.14.0/24 [160/307200] [160/307200]

Spoke 4 is similar via 10.0.0.2, via 10.0.0.1, via 10.0.0.2, via 10.0.0.1, via 192.168.2.2, via 10.0.0.2, via 10.0.0.1, via 10.0.0.2, via 10.0.0.1,

# show ip bgp
*m i *> i *> *> *m i * *> i * *m i *> i *> *m i * *> i Network Next Hop Metric LocPrf Cmnty 192.168.10.0 10.0.0.2 0 100 1:2 10.0.0.1 0 100 1:1 192.168.11.0 192.168.1.2 307200 1:1 192.168.12.0 10.0.0.2 0 100 1:2 10.0.0.1 5000 100 0 1:2 192.168.13.0 10.0.0.2 5020 100 20 1:1 10.0.0.1 20 100 1:1 192.168.14.0 10.0.0.2 307200 100 1:2 10.0.0.1 312200 307200 100 1:2

# show ip bgp
*> i *m i * *m i *> i *> i *> i * *m i * *> i *> *m i Network Next Hop 192.168.10.0 10.0.0.1 10.0.0.2 192.168.11.0 10.0.0.2 10.0.0.1 192.168.12.0 192.168.2.2 192.168.13.0 10.0.0.1 10.0.0.2 192.168.14.0 10.0.0.1 10.0.0.2 Metric LocPrf Cmnty 0 100 1:1 0 100 1:2 312200 307200 100 1:1 307200 100 1:1 0 100 1:2 307200 100 20 1:1 307200 100 5020 1:1 312200 100 20 1:2 307200 100 20 1:2


iBGP over DMVPN Load balancing Hubs


R2, RS(x) internal routes (192.168.1x.0/24)
R2
#show ip route
C    192.168.10.0/24 is directly connected, Ethernet1/0
B    192.168.11.0/24 [200/307200] via 192.168.0.1,
                     [200/307200] via 192.168.0.2,
B    192.168.12.0/24 [200/0] via 192.168.0.2,
                     [200/0] via 192.168.0.1,
B    192.168.13.0/24 [200/20] via 192.168.0.1,
                     [200/20] via 192.168.0.2,
B    192.168.14.0/24 [200/307200] via 192.168.0.2,
                     [200/307200] via 192.168.0.1,

RS1 (no change); RS(3,4) are similar

#show ip route
D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1,
C    192.168.11.0/24 is directly connected, Ethernet1/0
D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1,

RS2 (no change)

#show ip route
B    192.168.10.0/24 [200/0] via 192.168.2.1,
B    192.168.11.0/24 [200/307200] via 192.168.2.1,
C    192.168.12.0/24 is directly connected, Ethernet1/0
B    192.168.13.0/24 [200/307200] via 192.168.2.1,
B    192.168.14.0/24 [200/20] via 192.168.2.1,

# show ip bgp
Network Next Hop *> 192.168.10.0 0.0.0.0 *m * i 192.168.11.0 192.168.0.2 *> i 192.168.0.1 * *> i 192.168.12.0 192.168.0.1 *> *m i 192.168.0.2 * *m i 192.168.13.0 192.168.0.2 *> i 192.168.0.1 * *> i 192.168.14.0 192.168.0.1 *> *m i 192.168.0.2 Metric LocPrf Cmnty 0 312200 307200 100 1:20 307200 100 1:20 5000 0 100 1:20 0 100 1:20 5020 20 100 1:20 20 100 1:20 312200 307200 100 1:20 307200 100 1:20

# show ip bgp
     Network          Next Hop      Metric  LocPrf  Cmnty
*>i  192.168.10.0     192.168.2.1        0     100  100 1:20
*>i  192.168.11.0     192.168.2.1   307200     100  100 1:20
*>   192.168.12.0     0.0.0.0            0
*>i  192.168.13.0     192.168.2.1       20     100  100 1:20
*>i  192.168.14.0     192.168.2.1   307200     100  100 1:20


Recent and New Features

Agenda
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Recent and New Features
  IKEv2 with DMVPN
  Tunnel Health Monitoring
  Backup and FQDN NHS
  DHCP over DMVPN
  DMVPN IPv6 Transport


IKEv2 with DMVPN

DMVPN can work with ISAKMP (IKEv1) and/or IKEv2
  Transparent to DMVPN
  Node can be responder for both ISAKMP and IKEv2
    Both ISAKMP and IKEv2 are configured.
  Node can be initiator for either ISAKMP or IKEv2, not both
  Configured under the crypto ipsec profile ...

crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ikev2 keyring DMVPN
 peer DMVPN
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
crypto ikev2 profile DMVPN
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring DMVPN
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
 mode transport [require]
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set ikev2-profile DMVPN
!
interface Tunnel0
 ...
 tunnel protection ipsec profile DMVPN


Tunnel Health Monitoring

Interface State 15.0(1)M
Issue
  mGRE tunnel interface is always up
  Can't use standard backup/recovery mechanisms
    backup interface, static interface routes, ...

Solution
  New command: if-state nhrp
  Monitor NHRP registration replies
    If all NHSs are down then set tunnel interface up/down
      Continue to send NHRP registration requests
    If a single NHS is up then set tunnel interface up/up

interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 if-state nhrp


Tunnel Health Monitoring

Interface State (cont)

#show ip nhrp nhs detail
10.0.0.1  RE  req-sent 100  req-failed 0  repl-recv 90 (00:01:38 ago)
10.0.0.2  RE  req-sent 125  req-failed 0  repl-recv 79 (00:01:38 ago)
#show interface tunnel0
Tunnel0 is up, line protocol is up

*Apr 19 21:32:52 NHRP: NHS-DOWN: 10.0.0.1
*Apr 19 21:32:52 NHRP: NHS 10.0.0.1 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'E' from 'RE'
*Apr 19 21:32:53 NHRP: NHS-DOWN: 10.0.0.2
*Apr 19 21:32:53 NHRP: NHS 10.0.0.2 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'E' from 'RE'
*Apr 19 21:33:02 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Apr 19 21:33:02 NHRP: if_down: Tunnel0 proto IPv4

#show ip nhrp nhs detail
10.0.0.1  E   req-sent 105  req-failed 0  repl-recv 90 (00:02:12 ago)
10.0.0.2  E   req-sent 130  req-failed 0  repl-recv 79 (00:02:12 ago)
#show interface tunnel0
Tunnel0 is up, line protocol is down

*Apr 19 21:33:12 NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 92
*Apr 19 21:33:13 NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 92
*Apr 19 21:34:36 NHRP: NHS 10.0.0.1 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'RE' from 'E'
*Apr 19 21:34:36 NHRP: NHS-UP: 10.0.0.1
*Apr 19 21:34:42 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 19 21:34:42 NHRP: if_up: Tunnel0 proto 0

#show ip nhrp nhs detail
10.0.0.1  RE  req-sent 110  req-failed 0  repl-recv 96 (00:00:19 ago)
10.0.0.2  E   req-sent 135  req-failed 0  repl-recv 79 (00:04:09 ago)
#show interface tunnel0
Tunnel0 is up, line protocol is up


Backup and FQDN NHS 15.1(2)T

Issue
  Backup NHSs are only needed when the primary NHSs are down
  Backup NHSs can be over-subscribed

Solution
  Set NHS max-connections
  Can set NHS priority (default=0 (best))
    Can have multiple hubs at the same priority
  Can group NHSs into clusters (default=0)
    Separate max-connections value per cluster
  Configuration reduction
    Single-line NHS configuration and FQDN NHS

Functionality
  NHSs are brought up in priority order, until the cluster max-connections is reached
  A down NHS at the same priority is probed if the cluster is not at max-connections
  A down NHS with a lower (better) priority value than an active NHS is probed even when max-connections is reached
  FQDN is resolved when bringing up the NHS


Backup and FQDN NHS (cont)

interface Tunnel0
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.3 172.17.0.9
 ip nhrp map multicast 172.17.0.9
 ip nhrp map 10.0.0.4 172.17.0.13
 ip nhrp map multicast 172.17.0.13
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp nhs 10.0.0.3
 ip nhrp nhs 10.0.0.4
 ip nhrp nhs cluster 0 max-connections 2

#show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 Type: static, Flags: used
   NBMA address: 172.17.0.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 Type: static, Flags: used
   NBMA address: 172.17.0.5
10.0.0.3/32 via 10.0.0.3
   Tunnel0 Type: static, Flags: used
   NBMA address: 172.17.0.9 (no-socket)
10.0.0.4/32 via 10.0.0.4
   Tunnel0 Type: static, Flags: used
   NBMA address: 172.17.0.13 (no-socket)

#show ip nhrp nhs
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.0.0.1  RE  priority = 0 cluster = 0
10.0.0.2  RE  priority = 0 cluster = 0
10.0.0.3  W   priority = 0 cluster = 0
10.0.0.4  W   priority = 0 cluster = 0

interface Tunnel0
 ip nhrp nhs 10.0.0.1 nbma Hub1.cisco.com multicast priority 10 cluster 1
 ip nhrp nhs 10.0.0.2 nbma 172.17.0.5 multicast priority 20 cluster 1
 ip nhrp nhs 10.0.0.3 nbma 172.17.0.9 multicast priority 10 cluster 2
 ip nhrp nhs 10.0.0.4 nbma 172.17.0.13 multicast priority 10 cluster 2
 ip nhrp nhs cluster 1 max-connections 1
 ip nhrp nhs cluster 2 max-connections 1

#show ip nhrp nhs
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.0.0.1  RE  NBMA Address: 172.17.0.1 (Hub1.Cisco.com) priority = 10 cluster = 1
10.0.0.2  W   NBMA Address: 172.17.0.5 priority = 20 cluster = 1
10.0.0.3  RE  NBMA Address: 172.17.0.9 priority = 10 cluster = 2
10.0.0.4  W   NBMA Address: 172.17.0.13 priority = 10 cluster = 2
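The NHS selection rules listed on the previous slide (priority order, per-cluster max-connections, which down NHSs keep being probed) together with the if-state nhrp rule from the Tunnel Health Monitoring slides, as an added Python model; this is not Cisco code. The Nhs class, its reachable flag and the treatment of a cluster without a max-connections value as unlimited are this model's own assumptions. slide_examples() reproduces the two "show ip nhrp nhs" outputs above, failover_example() shows the better-priority hub still being probed ('E') while the backup holds the single connection, and replay() runs NHS-UP/NHS-DOWN syslog lines (constructed in the format the slides show) through the same rule to derive the tunnel line-protocol state.

```python
"""Model of DMVPN NHS selection (priority / cluster / max-connections) and of the
'if-state nhrp' line-protocol rule.  Added example, not Cisco code."""
import re
from dataclasses import dataclass


@dataclass
class Nhs:
    addr: str
    priority: int = 0        # lower value is better; IOS default is 0
    cluster: int = 0         # IOS default cluster is 0
    reachable: bool = True   # constructed: does this hub answer registration requests?
    state: str = "W"         # RE = responding, E = expecting replies, W = waiting


def evaluate(nhss, max_conn):
    """Assign RE/E/W per cluster.  max_conn maps cluster -> max-connections; a
    cluster with no entry is treated as unlimited (assumption of this model)."""
    for cluster in {n.cluster for n in nhss}:
        members = sorted((n for n in nhss if n.cluster == cluster),
                         key=lambda n: (n.priority, n.addr))
        limit = max_conn.get(cluster)
        active = 0
        for n in members:
            if limit is not None and active >= limit:
                n.state = "W"          # not probed: cluster already at max-connections
                continue
            # Probed.  A down NHS reached here has a priority at least as good as any
            # NHS activated after it, so it keeps being probed ('E') even once the
            # cluster reaches max-connections through the lower-priority hubs.
            n.state = "RE" if n.reachable else "E"
            active += n.state == "RE"
    return {n.addr: n.state for n in nhss}


def line_protocol(nhss):
    """'if-state nhrp': line protocol is up only while at least one NHS responds."""
    return "up" if any(n.state == "RE" for n in nhss) else "down"


NHS_EVENT = re.compile(r"NHRP: NHS-(UP|DOWN): (\S+)")


def replay(nhss, max_conn, log_lines):
    """Apply NHS-UP/NHS-DOWN syslog events and return the line-protocol state
    after each one."""
    by_addr = {n.addr: n for n in nhss}
    states = []
    for line in log_lines:
        m = NHS_EVENT.search(line)
        if not m:
            continue
        by_addr[m.group(2)].reachable = (m.group(1) == "UP")
        evaluate(nhss, max_conn)
        states.append(line_protocol(nhss))
    return states


def slide_examples():
    """The two configurations from the Backup and FQDN NHS slide, all hubs up."""
    one_cluster = [Nhs(f"10.0.0.{i}") for i in (1, 2, 3, 4)]
    two_clusters = [Nhs("10.0.0.1", 10, 1), Nhs("10.0.0.2", 20, 1),
                    Nhs("10.0.0.3", 10, 2), Nhs("10.0.0.4", 10, 2)]
    return evaluate(one_cluster, {0: 2}), evaluate(two_clusters, {1: 1, 2: 1})


def failover_example():
    """Cluster 1 with the priority-10 hub down: the priority-20 hub takes the
    single connection while the better hub keeps being probed."""
    nhss = [Nhs("10.0.0.1", 10, 1, reachable=False), Nhs("10.0.0.2", 20, 1)]
    return evaluate(nhss, {1: 1})


# Constructed log lines, in the NHRP syslog format shown on the slides.
SAMPLE_LOG = [
    "*Apr 19 21:32:52 NHRP: NHS-DOWN: 10.0.0.1",
    "*Apr 19 21:32:53 NHRP: NHS-DOWN: 10.0.0.2",
    "*Apr 19 21:34:36 NHRP: NHS-UP: 10.0.0.1",
]


def if_state_example():
    """Two NHSs, no max-connections: up -> down after both fail -> up again."""
    nhss = [Nhs("10.0.0.1"), Nhs("10.0.0.2")]
    evaluate(nhss, {})
    return replay(nhss, {}, SAMPLE_LOG)


if __name__ == "__main__":
    print(slide_examples())
    print(failover_example())
    print(if_state_example())
```

Because the members of a cluster are walked in priority order, the "probed even at max-connections" case needs no special branch: a down hub with a better priority is visited before the connection slots fill, so it stays in 'E' while a worse hub takes the slot.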


DHCP over DMVPN 15.1(3)T

Issue
  Must pre-configure the tunnel interface IP address and subnet on spokes

Solution
  Use DHCP to allocate the spoke's tunnel IP address/subnet
    ip address dhcp
    ip dhcp client broadcast-flag clear
  Hub is the DHCP relay agent
    Global:
      ip dhcp support tunnel unicast
    Tunnel interface:
      ip helper-address <ip-dhcp-server>

Functionality
  DHCP request is broadcast to all NHSs; replies are unicast back to the spoke
  Sticky until the tunnel interface goes down


DHCP and FQDN NHS

Example:
Spoke:
interface Tunnel0
 ip dhcp client broadcast-flag clear
 ip address dhcp
 ip nhrp network-id 100000
 ip nhrp nhs dynamic nbma Hub1-NBMA multicast
 ip nhrp shortcut
 tunnel source Serial1/0
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

Hub:
ip dhcp support tunnel unicast
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip helper-address 192.168.0.3
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp redirect
 tunnel source Serial2/0
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

DHCP:
22:52:32.658: DHCP: Starting DHCP discover on Tunnel0
22:52:32.658: DHCP: SDiscover attempt # 1 for entry:
22:52:32.658:    Hostname: Spoke1, B'cast on Tunnel0 interface from 0.0.0.0

22:52:32.738: DHCP: Offer Message, Offered Address: 10.0.0.13
22:52:32.738: DHCP: Lease secs: 86400, Renewal secs: 43200, Rebind secs: 75600
22:52:32.738: DHCP: SRequest attempt # 1 for entry:
22:52:32.738:    Temp IP addr: 10.0.0.13 for peer on Interface: Tunnel0
22:52:32.738:    Temp sub net mask: 255.255.255.0
22:52:32.738:    Hostname: Spoke1, B'cast on Tunnel0 interface from 0.0.0.0

22:52:32.818: DHCP: Ack Message Offered Address: 10.0.0.13
22:52:32.818: DHCP: Lease secs: 86400, Renewal secs: 43200, Rebind secs: 75600
22:52:32.818: DHCP: Host Name Option: Spoke1.cisco-test.com

DHCP and FQDN NHS

Example: (cont)
NHRP:
22:52:32.242: NHRP: Resolved FQDN Hub1-NBMA to 172.17.0.1
22:52:32.242: NHRP: Supressing registration requests (Tunnel0) has invalid address
...
22:52:32.818: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 104
22:52:32.818:  src NBMA: 172.16.1.1, src proto: 10.0.0.13, dst proto: 10.0.0.13
22:52:32.818:  NAT address Extension(9): client NBMA: 172.17.0.1, client protocol: 10.0.0.13
...
22:52:32.870: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 124
22:52:32.870:  src NBMA: 172.16.1.1, src proto: 10.0.0.13, dst proto: 10.0.0.1
22:52:32.870:  Responder Address Extension(3): client NBMA: 172.17.0.1, client protocol: 10.0.0.1
22:52:32.870:  NAT address Extension(9): client NBMA: 172.17.0.1, client protocol: 10.0.0.1
22:52:32.870: NHRP: Tu0: Creating nhs mapping for 10.0.0.1/32 NBMA: 172.17.0.1
22:52:32.870: NHRP: Tunnel0: Cache add for target 10.0.0.1/32 next-hop 10.0.0.1, 172.17.0.1
22:52:32.870: NHRP: Adding Tunnel Endpoints (VPN: 10.0.0.1, NBMA: 172.17.0.1)

Tunnel:
22:52:29.618: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
22:52:29.622: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
...
22:52:32.870: Tunnel0: Linking endpoint 10.0.0.1/172.17.0.1
22:52:32.870: FIBtunnel: Tu0:TED: Adding adj for 10.0.0.1, conn_id 0
22:52:32.870: FIBtunnel: Tu0: stacking IP 10.0.0.1 to Default:172.17.0.1
...
22:52:32.902: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.1 (Tunnel0) is up: new adjacency
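The DHCP exchange in the debug above, with the BROADCAST flag that "ip dhcp client broadcast-flag clear" turns off, as an added example that is not code from the deck: a minimal RFC 2131 message builder and parser, plus the relay-side steps (set giaddr, increment hops) and the rule a relay uses to decide whether the OFFER/ACK goes back as a unicast to the offered address or as a broadcast. The exact IOS behaviour behind "ip dhcp support tunnel unicast" is not modelled; the client MAC address and transaction id are constructed, while the hostname, offered address, relay address and lease timers are the ones in the debug output.

```python
"""Minimal DHCP (RFC 2131) builder/parser focused on the BROADCAST flag.
Added example, not Cisco code."""
import struct
from ipaddress import IPv4Address

HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"
BROADCAST = 0x8000                           # bit 15 of the 'flags' field
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types


def u32(n):
    return struct.pack("!I", n)


def build(msg_type, xid, chaddr, broadcast=False, yiaddr="0.0.0.0",
          giaddr="0.0.0.0", options=()):
    """Return a DHCP message; options is an iterable of (code, value_bytes)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2       # BOOTREQUEST / BOOTREPLY
    header = struct.pack(HDR, op, 1, 6, 0, xid, 0,
                         BROADCAST if broadcast else 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4,
                         IPv4Address(giaddr).packed, chaddr.ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC + body + b"\xff"


def parse(pkt):
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                      # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length

    def num(code):
        return int.from_bytes(opts[code], "big") if code in opts else None

    return {"op": f[0], "hops": f[3], "xid": f[4],
            "broadcast": bool(f[6] & BROADCAST),
            "yiaddr": str(IPv4Address(f[8])), "giaddr": str(IPv4Address(f[10])),
            "chaddr": f[11][:f[2]], "msg_type": opts[53][0],
            "hostname": opts.get(12, b"").decode(),
            "lease": num(51), "renewal": num(58), "rebind": num(59)}


def relay_in(pkt, relay_ip):
    """Relay agent handling of a client message: set giaddr to the relay's own
    address if it is still zero and increment hops (RFC 2131 section 4.3.1)."""
    gi = pkt[24:28] if pkt[24:28] != b"\0" * 4 else IPv4Address(relay_ip).packed
    return pkt[:3]	+ bytes([pkt[3] + 1]) + pkt[4:24] + gi + pkt[28:]


def relay_delivery(reply):
    """Where the relay sends a parsed OFFER/ACK back toward the client: unicast
    to yiaddr (over the tunnel, for DMVPN) unless the client set BROADCAST."""
    if reply["broadcast"]:
        return ("broadcast", "255.255.255.255")
    return ("unicast", reply["yiaddr"])


def slide_exchange(broadcast_flag=False):
    """DISCOVER from Spoke1, relayed by hub 10.0.0.1, answered with the OFFER
    values from the debug output (10.0.0.13, lease 86400/43200/75600)."""
    mac = bytes.fromhex("aabbccddeeff")      # constructed client hardware address
    discover = relay_in(build(DISCOVER, 0x1234, mac, broadcast=broadcast_flag,
                              options=[(12, b"Spoke1")]), "10.0.0.1")
    seen = parse(discover)
    offer = build(OFFER, seen["xid"], mac, broadcast=seen["broadcast"],
                  yiaddr="10.0.0.13", giaddr=seen["giaddr"],
                  options=[(51, u32(86400)), (58, u32(43200)), (59, u32(75600))])
    return seen, parse(offer)
```

With the flag clear the relay delivers the offer as a unicast to 10.0.0.13, which is what lets the hub send it down the spoke's tunnel; with the flag set the same exchange would require a broadcast that an mGRE interface cannot deliver to one spoke.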


DMVPN over IPv6 Transport

15.2(1)T (August 2011)
IPv6 and IPv4 packets over DMVPN IPv6 tunnels
  Introduced in IOS release 15.2(1)T
  IPv6 infrastructure network
  IPv6 and/or IPv4 data packets over the same IPv6 GRE tunnel
  NHRP modifies the routing table, as on ASR1k routers

Can run both DMVPN IPv4 and DMVPN IPv6
  Separate DMVPNs (mGRE tunnel interfaces)
  Between DMVPN IPv4 and DMVPN IPv6, spoke to spoke goes via the hub

Configuration
  Standard IPv6 configuration on the outside (WAN) interface
  Small change on the mGRE tunnel interface
  Must use IKEv2 to set up IPsec encryption

Split-tunneling
  Enterprise versus ISP-assigned IPv6 addresses at the spoke
  No NAT66

DMVPN over IPv6 Transport

Configuration

Hub
crypto ikev2 keyring DMVPN
 peer DMVPNv6
  address ::/0
  pre-shared-key cisco123v6
crypto ikev2 profile DMVPN
 match identity remote address ::/0
 authentication local pre-share
 authentication remote pre-share
 keyring DMVPN
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set ikev2-profile DMVPN
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ...
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ...
 ipv6 address 2001:DB8:0:100::1/64
 ...
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ...
 tunnel source Serial2/0
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
 ipv6 address 2001:DB8:0:FFFF:1::1/126
!
ipv6 route ::/0 Serial2/0

Spoke
crypto ikev2 keyring DMVPN
 peer DMVPNv6
  address ::/0
  pre-shared-key cisco123v6
crypto ikev2 profile DMVPN
 match identity remote address ::/0
 authentication local pre-share
 authentication remote pre-share
 keyring DMVPN
 dpd keepalive 30 5 on-demand
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set ikev2-profile DMVPN
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1 nbma 2001:DB8:0:FFFF:1::1 multicast
 ...
 ipv6 address 2001:DB8:0:100::B/64
 ...
 ipv6 nhrp network-id 100006
 ipv6 nhrp nhs 2001:DB8:0:100::1 nbma 2001:DB8:0:FFFF:1::1 multicast
 ...
 tunnel source Serial1/0
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
 ipv6 address 2001:DB8:0:FFFF:0:1:0:1/126
!
ipv6 route ::/0 Serial1/0


DMVPN over IPv6 Transport

Data Structures
Hub1#show ip nhrp
10.0.0.11/32 via 10.0.0.11
   Tunnel0 created 22:26:55, expire 00:03:37
   Type: dynamic, Flags: unique registered used
   NBMA address: 2001:DB8:0:FFFF:0:1:0:1
Hub1#show ipv6 nhrp
2001:DB8:0:100::B/128 via 2001:DB8:0:100::B
   Tunnel0 created 22:27:52, expire 00:03:39
   Type: dynamic, Flags: unique registered
   NBMA address: 2001:DB8:0:FFFF:0:1:0:1
FE80::A8BB:CCFF:FE00:C800/128 via 2001:DB8:0:100::B
   Tunnel0 created 22:27:52, expire 00:03:39
   Type: dynamic, Flags: unique registered
   NBMA address: 2001:DB8:0:FFFF:0:1:0:1
Hub1#show crypto session
Interface: Tunnel0; Session status: UP-ACTIVE
Peer: 2001:DB8:0:FFFF:0:1:0:1 port 500
  IKEv2 SA: local 2001:DB8:0:FFFF:1::1/500 remote 2001:DB8:0:FFFF:0:1:0:1/500 Active
  IPSEC FLOW: permit 47 host 2001:DB8:0:FFFF:1::1 host 2001:DB8:0:FFFF:0:1:0:1
        Active SAs: 2, origin: crypto map


DMVPN Futures

Q4 CY2011
  iBGP local-as
  Routing Protocol Scalability/Convergence
  EEM with DMVPN integration
  Smart Spoke
  DHCP over DMVPN IPv4
    Retrieve LAN IP subnet for the spoke to serve addresses to hosts

Q1 CY2012
  DHCP over DMVPN IPv6
  Per-tunnel QoS on ASR

Future
  DMVPN native multicast
  GRE per-tunnel keepalives
  Per-tunnel QoS IPv6 over DMVPN on Hub


Q&A

Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press.
Check the Recommended Reading flyer for suggested books.

Available onsite at the Cisco Company Store (SM)

Complete Your Online Session Evaluation

Receive 25 Cisco Preferred Access points for each session evaluation you complete. Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be announced by email after July 22nd. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Visit the Cisco Store for Related Titles http://theciscostores.com


Thank you.


Appendix

Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features

Dynamic Multipoint VPN: Example

Figure: three-router topology used in the following steps. Hub: Physical 172.17.0.1 (static, known IP address), Tunnel0 10.0.0.1, LAN 192.168.0.0/24 (.1). Spoke A: Physical dynamic, Tunnel0 10.0.0.11, LAN 192.168.1.0/24 (.1). Spoke B: Physical dynamic, Tunnel0 10.0.0.12, LAN 192.168.2.0/24 (.1). Spoke physical addresses are dynamic, unknown IP addresses; LANs can have private addressing.

Dynamic Multipoint VPN: Example (Step 1)
Static Spoke-to-hub tunnels

Figure: Build Spoke-Hub Tunnels. Same topology (Hub 172.17.0.1 / Tunnel0 10.0.0.1, LAN 192.168.0.0/24; Spoke A dynamic / Tunnel0 10.0.0.11, LAN 192.168.1.0/24; Spoke B dynamic / Tunnel0 10.0.0.12, LAN 192.168.2.0/24); each spoke builds a tunnel to the hub.

Dynamic Multipoint VPN: Example (Step 2)
Static Spoke-to-hub tunnels
Dynamic Spoke-to-spoke tunnels

Figure: Build Dynamic Spoke-spoke Tunnel between Spoke A (Tunnel0 10.0.0.11) and Spoke B (Tunnel0 10.0.0.12), in addition to the static spoke-to-hub tunnels to the Hub (172.17.0.1 / 10.0.0.1).

Dynamic Multipoint VPN: Example (Step 3)
Static Spoke-to-hub tunnels
Dynamic Spoke-to-spoke tunnels

Figure: Remove Dynamic Spoke-spoke Tunnel between Spoke A (Tunnel0 10.0.0.11) and Spoke B (Tunnel0 10.0.0.12); the static spoke-to-hub tunnels to the Hub (172.17.0.1 / 10.0.0.1) remain.

Appendix
DMVPN Overview
NHRP Details
  NHRP Overview
  NHRP Registrations
  NHRP Resolutions/Redirects
    Phase 2
    Phase 3
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features

NHRP Registration
Building Hub-and-Spoke Tunnels

Figure: message sequence diagram between Host1, Spoke1, Hub, Spoke2 and Host2, filled in over the next three steps.

NHRP Registration
Building Hub-and-Spoke Tunnels (Step 1)

Figure: IKE Initialization, then IKE/IPsec Established, between Spoke1 and Hub and between Spoke2 and Hub; both spoke-to-hub paths are now marked Encrypted.

NHRP Registration
Building Hub-and-Spoke Tunnels (Step 2)

Figure: over the encrypted tunnels, Spoke1 sends an NHRP Registration Request to the Hub and receives an NHRP Registration Reply; Spoke2 does the same.

NHRP Registration
Routing Adjacency (Step 3)

Figure: a Routing Adjacency forms between Spoke1 and Hub and between Spoke2 and Hub; Routing Updates are exchanged in both directions over the encrypted tunnels.

NHRP Registration
Building Hub-and-Spoke Tunnels

Figure: tables before registration. Hub (Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24): NHRP mapping empty; Routing Table 192.168.0.0/24 Conn. Spoke A (Physical (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24): Routing Table 192.168.1.0/24 Conn. Spoke B (Physical (dynamic), Tunnel0 10.0.0.12, LAN 192.168.2.1/24): Routing Table 192.168.2.0/24 Conn. Legend: solid lines = Dynamic permanent IPsec tunnels; arrow = NHRP Registration.

NHRP Registration
Building Hub-and-Spoke Tunnels (Step 1&2)

Figure: Spoke A (Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11) registers with the Hub. Hub NHRP mapping: 10.0.0.11 -> 172.16.1.1; Hub Routing Table: 192.168.0.0/24 Conn. Spoke A NHRP mapping: 10.0.0.1 -> 172.17.0.1; Routing Table: 192.168.1.0/24 Conn. Spoke B (Physical (dynamic), Tunnel0 10.0.0.12) has not registered yet; Routing Table: 192.168.2.0/24 Conn. Legend: = Dynamic permanent IPsec tunnels.

NHRP Registration
Building Hub-and-Spoke Tunnels (Step 1&2)

Figure: Spoke B (Physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12) registers as well. Hub NHRP mapping: 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1; Hub Routing Table: 192.168.0.0/24 Conn. Spoke A NHRP mapping: 10.0.0.1 -> 172.17.0.1; Routing Table: 192.168.1.0/24 Conn. Spoke B NHRP mapping: 10.0.0.1 -> 172.17.0.1; Routing Table: 192.168.2.0/24 Conn. Legend: = Dynamic permanent IPsec tunnels.

NHRP Registration
Routing Adjacency (Step 3a)

Figure: routing packets flow between the spokes and the Hub over the permanent tunnels. Hub NHRP mapping: 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1. Hub Routing Table: 192.168.0.0/24 Conn., 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 via 10.0.0.12, 192.168.0.0/16 Summ. Spoke A: NHRP mapping 10.0.0.1 -> 172.17.0.1; Routing Table 192.168.1.0/24 Conn. Spoke B: NHRP mapping 10.0.0.1 -> 172.17.0.1; Routing Table 192.168.2.0/24 Conn. Legend: = Dynamic permanent IPsec tunnels.

NHRP Registration
Routing Adjacency (Step 3b)

Figure: the Hub advertises its summary to the spokes. Hub tables unchanged (NHRP mapping 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1; Routing Table 192.168.0.0/24 Conn., 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 via 10.0.0.12, 192.168.0.0/16 Summ.). Spoke A Routing Table: 192.168.0.0/16 via 10.0.0.1, 192.168.1.0/24 Conn. Spoke B Routing Table: 192.168.0.0/16 via 10.0.0.1, 192.168.2.0/24 Conn. Legend: = Dynamic permanent IPsec tunnels.


Phase 2
NHRP Resolution Request (Step 1)

Figure: Spoke1 sends an NHRP Resolution Request to the Hubs, which forward it to Spoke2.

Phase 2
NHRP Resolution Reply (Step 2)

Figure: IKE Initialization and IKE/IPsec Established directly between Spoke2 and Spoke1; the NHRP Resolution Response then goes directly from Spoke2 to Spoke1 over the now Encrypted spoke-to-spoke path.

Phase 2
NHRP Resolution Request

Figure: starting state (legend: Data packet, NHRP Resolution, NHRP mapping, CEF FIB Table, CEF Adjacency). Hub (Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24): NHRP mapping 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1; FIB 192.168.0.0/24 Conn., 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 via 10.0.0.12; Adjacency 10.0.0.11 172.16.1.1, 10.0.0.12 172.16.2.1. Spoke A (Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1 (*); FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 Conn., 192.168.2.0/24 via 10.0.0.12; Adjacency 10.0.0.1 172.17.0.1, 10.0.0.12 incomplete. Spoke B (Physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12, LAN 192.168.2.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1 (*); FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 Conn.; Adjacency 10.0.0.1 172.17.0.1, 10.0.0.11 incomplete.

Phase 2
NHRP Resolution Request (Step 1a)

Figure: a data packet from Spoke A for 192.168.2.0/24 hits the FIB next hop 10.0.0.12, whose adjacency is incomplete; Spoke A adds NHRP mapping 10.0.0.12 -> ??? and sends an NHRP Resolution Request to the Hub, which forwards it to Spoke B (step markers 1 to 7 in the figure). Hub and Spoke B tables are as in the starting state.
Phase 2
NHRP Resolution Request (Step 1b)

Figure: Spoke B receives the forwarded Resolution Request and learns the requester's mapping: Spoke B NHRP mapping is now 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.11 -> 172.16.1.1, while its adjacency for 10.0.0.11 is still incomplete. Spoke A still has 10.0.0.12 -> ??? and adjacency 10.0.0.12 incomplete. Hub tables unchanged.

Phase 2
NHRP Resolution Reply (Step 2a)

Figure: Spoke B builds IPsec to Spoke A: its adjacency for 10.0.0.11 changes from incomplete to 172.16.1.1 (Spoke B NHRP mapping 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.11 -> 172.16.1.1; FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 Conn.). Spoke A still has 10.0.0.12 -> ??? and adjacency 10.0.0.12 incomplete. Hub tables unchanged.

Phase 2
NHRP Resolution Reply (Step 2b)

Figure: Spoke B sends the NHRP Resolution Reply directly to Spoke A. Spoke A NHRP mapping: 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.12 -> 172.16.2.1; FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 Conn., 192.168.2.0/24 via 10.0.0.12; Adjacency 10.0.0.1 172.17.0.1, 10.0.0.12 172.16.2.1. Spoke B NHRP mapping: 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1 (l); FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 Conn.; Adjacency 10.0.0.1 172.17.0.1, 10.0.0.11 172.16.1.1. Hub tables unchanged.

Phase 2
NHRP Resolution Reply (Step 2c)

Figure: data packets now go directly from Spoke A to Spoke B over the spoke-to-spoke tunnel. Final tables: Spoke A NHRP mapping 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.12 -> 172.16.2.1; FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 Conn., 192.168.2.0/24 via 10.0.0.12; Adjacency 10.0.0.1 172.17.0.1, 10.0.0.12 172.16.2.1. Spoke B NHRP mapping 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1 (l); FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 Conn.; Adjacency 10.0.0.1 172.17.0.1, 10.0.0.11 172.16.1.1. Hub tables unchanged.


Phase 3
NHRP Redirect (Step 1)

Figure: the Hubs send an NHRP Redirect to Spoke1.

Phase 3
NHRP Resolution Request (Step 2)

Figure: Spoke1 sends an NHRP Resolution Request to the Hubs, which forward it to Spoke2.

Phase 3
NHRP Resolution Reply (Step 3)

Figure: IKE Initialization and IKE/IPsec Established directly between Spoke2 and Spoke1; the NHRP Resolution Response then goes directly from Spoke2 to Spoke1 over the now Encrypted spoke-to-spoke path.

Phase 3
NHRP Resolution Redirect

Figure: starting state (legend: Data packet, NHRP Redirect, NHRP Resolution, NHRP mapping, CEF FIB Table, CEF Adjacency). Hub (Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24): NHRP mapping 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1; FIB 192.168.0.0/24 Conn., 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 via 10.0.0.12; Adjacency 10.0.0.11 172.16.1.1, 10.0.0.12 172.16.2.1. Spoke A (Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1; FIB 192.168.1.0/24 Conn., 192.168.0.0/16 via 10.0.0.1; Adjacency 10.0.0.1 172.17.0.1. Spoke B (Physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12, LAN 192.168.2.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1; FIB 192.168.2.0/24 Conn., 192.168.0.0/16 via 10.0.0.1; Adjacency 10.0.0.1 172.17.0.1.

Phase 3
NHRP Resolution Redirect (Step 1a)

Figure: a data packet from Spoke A follows the 192.168.0.0/16 summary to the Hub, which forwards it on to Spoke B and sends an NHRP Redirect back to Spoke A (step markers 1 to 7 in the figure). All tables are unchanged from the starting state.

Phase 3
NHRP Resolution Redirect (Step 1b)
Data packet NHRP Redirect NHRP Resolution NHRP mapping CEF FIB Table 1
Physical: 172.17.0.1 Tunnel0: 10.0.0.1 192.168.0.1/24

10.0.0.11 10.0.0.12

172.16.1.1 172.16.2.1

192.168.0.0/24 Conn. 192.168.1.0/24 10.0.0.11 192.168.2.0/24 10.0.0.12


10.0.0.11 172.16.1.1 10.0.0.12 172.16.2.1
Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

CEF Adjacency
Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11

192.168.1.1/24

Spoke A

Spoke B

192.168.2.1/24

10.0.0.1 172.17.0.1 192.168.2.1 ??? 192.168.1.0/24 Conn. 192.168.0.0/16 10.0.0.1 10.0.0.1 172.17.0.1

10.0.0.1 172.17.0.1 192.168.2.0/24 Conn. 192.168.0.0/16 10.0.0.1

10.0.0.1 172.17.0.1

BRKSEC-4052

2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

144

Phase 3
NHRP Resolution Request (Step 2)
Data packet NHRP Redirect NHRP Resolution NHRP mapping CEF FIB Table 5
Physical: 172.17.0.1 Tunnel0: 10.0.0.1 192.168.0.1/24

10.0.0.11 10.0.0.12

172.16.1.1 172.16.2.1

192.168.0.0/24 Conn. 192.168.1.0/24 10.0.0.11 192.168.2.0/24 10.0.0.12


10.0.0.11 172.16.1.1 10.0.0.12 172.16.2.1
Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

CEF Adjacency
3
Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11

192.168.1.1/24

Spoke A

Spoke B

192.168.2.1/24

1 2

10.0.0.1 172.17.0.1 192.168.2.1 ??? 192.168.1.0/24 Conn. 192.168.0.0/16 10.0.0.1 10.0.0.1 172.17.0.1

10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1 192.168.2.0/24 Conn. 192.168.0.0/16 10.0.0.1

10.0.0.1 172.17.0.1

BRKSEC-4052

2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

145

Phase 3
NHRP Resolution Reply (Step 3a)
Data packet NHRP Redirect NHRP Resolution NHRP mapping CEF FIB Table
Physical: 172.17.0.1 Tunnel0: 10.0.0.1 192.168.0.1/24

10.0.0.11 10.0.0.12

172.16.1.1 172.16.2.1

192.168.0.0/24 Conn. 192.168.1.0/24 10.0.0.11 192.168.2.0/24 10.0.0.12


10.0.0.11 172.16.1.1 10.0.0.12 172.16.2.1
Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

CEF Adjacency
Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11

3
192.168.1.1/24 Spoke A

Spoke B

192.168.2.1/24

10.0.0.1 172.17.0.1 192.168.2.1 ??? 192.168.1.0/24 Conn. 192.168.0.0/16 10.0.0.1 10.0.0.1 172.17.0.1

10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1 192.168.2.0/24 Conn. 192.168.0.0/16 10.0.0.1

10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1

BRKSEC-4052

2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

146

Phase 3
NHRP Resolution Reply (Step 3b)
Data packet NHRP Redirect NHRP Resolution NHRP mapping CEF FIB Table
Physical: 172.17.0.1 Tunnel0: 10.0.0.1 192.168.0.1/24

10.0.0.11 10.0.0.12

172.16.1.1 172.16.2.1

192.168.0.0/24 Conn. 192.168.1.0/24 10.0.0.11 192.168.2.0/24 10.0.0.12


10.0.0.11 172.16.1.1 10.0.0.12 172.16.2.1 2
Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

CEF Adjacency
Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11

192.168.1.1/24

Spoke A

Spoke B

192.168.2.1/24

10.0.0.1 172.17.0.1 192.168.2.0/24 172.16.2.1 192.168.1.0/24 Conn. 192.168.0.0/16 10.0.0.1

10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1 192.168.2.0/24 Conn. 192.168.0.0/16 10.0.0.1

10.0.0.1 172.17.0.1 172.16.2.1

10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1

BRKSEC-4052

2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

147

Phase 3
NHRP Resolution Reply (Step 3c)
Data packet NHRP Redirect NHRP Resolution NHRP mapping CEF FIB Table
Physical: 172.17.0.1 Tunnel0: 10.0.0.1 192.168.0.1/24

10.0.0.11 10.0.0.12

172.16.1.1 172.16.2.1

192.168.0.0/24 Conn. 192.168.1.0/24 10.0.0.11 192.168.2.0/24 10.0.0.12


10.0.0.11 172.16.1.1 10.0.0.12 172.16.2.1
Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

CEF Adjacency
Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11

192.168.1.1/24

Spoke A

Spoke B

192.168.2.1/24

5
10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1 192.168.2.0/24 Conn. 192.168.0.0/16 10.0.0.1

3 1 2 4

10.0.0.1 172.17.0.1 192.168.2.0/24 172.16.2.1 192.168.1.0/24 Conn. 192.168.0.0/16 10.0.0.1 10.0.0.1 172.17.0.1 172.16.2.1

10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1

BRKSEC-4052

2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

148

Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features

iBGP over DMVPN

Base Logical Topology (figure)
Hub site: 192.168.0.0/24 with Hub1 (.1, BGP 1), Hub2 (.2, BGP 1) and R2 (.3, BGP 1); R2 also connects 192.168.10.0/24 (.1)
Internet: BGP 2, with each hub and spoke connected to it
DMVPN cloud: 10.0.0.0/24 (BGP 1) with Hub1 .1, Hub2 .2, Spoke1 .11, Spoke2 .12, Spoke3 .13, Spoke4 .14
Spoke1 (BGP 1): LAN 192.168.1.0/24 (.1); RS1 (.2, EIGRP 1) connects 192.168.11.0/24 (.1)
Spoke2 (BGP 1): LAN 192.168.2.0/24 (.1); RS2 (.2, BGP 1) connects 192.168.12.0/24 (.1)
Spoke3 (BGP 1): LAN 192.168.3.0/24 (.1); RS3 (.2, OSPF 1) connects 192.168.13.0/24 (.1)
Spoke4 (BGP 1): LAN 192.168.4.0/24 (.1); RS4 (.2, EIGRP 1) connects 192.168.14.0/24 (.1)

iBGP over DMVPN

Hub1 Configuration
version 15.1
!
hostname Hub1
!
ip cef
!
! Demo values: a wildcard pre-shared key and esp-des/esp-md5-hmac are used
! for the lab only; production deployments use per-peer keys or certificates
! and AES/SHA transforms.
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set t3 esp-des esp-md5-hmac
 mode transport require
!
crypto ipsec profile vpnprof
 set transform-set t3
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group spokes
 timers bgp 10 30
 neighbor spokes peer-group
 neighbor spokes remote-as 1
 neighbor spokes route-reflector-client
 neighbor spokes send-community
 neighbor spokes route-map CMNTY in
 neighbor spokes route-map DMVPN-OUT out
 neighbor 10.0.0.2 remote-as 1
 neighbor 10.0.0.2 send-community
 neighbor 10.0.0.2 route-map H2H-IN in
 neighbor 10.0.0.2 route-map DMVPN-OUT out
 neighbor 172.17.0.2 remote-as 2
 neighbor 172.17.0.2 route-map ISP-IN in
 neighbor 172.17.0.2 route-map ISP-OUT out
 neighbor 192.168.0.3 remote-as 1
 neighbor 192.168.0.3 route-map LAN-IN in
 neighbor 192.168.0.3 route-map LAN-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 1 permit 1:1
ip community-list 2 permit 1:2
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
ip community-list 21 deny 1:20
ip community-list 21 permit
!
route-map H2H-IN permit 10
 set metric +10000
!
route-map LAN-OUT permit 10
 match community 11
 set ip next-hop 192.168.0.1
!
route-map DMVPN-OUT permit 10
 match community 11
 set ip next-hop 10.0.0.1
!
route-map ISP-OUT permit 10
 match community 10
!
route-map CMNTY permit 10
 match community 1
!
route-map CMNTY permit 20
 match community 2
 set metric +5000
!
route-map CMNTY permit 30
 set metric +7500
!
route-map ISP-IN permit 10
 set community 1:10
!
route-map LAN-IN permit 10
 match community 21
 set community 1:1
!
control-plane
!
end

iBGP over DMVPN

Hub2 Configuration
version 15.1
!
hostname Hub2
!
ip cef
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set t3 esp-des esp-md5-hmac
 mode transport require
!
crypto ipsec profile vpnprof
 set transform-set t3
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.2 255.255.255.0
!
interface Serial2/0
 ip address 172.17.0.5 255.255.255.252
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group spokes
 timers bgp 10 30
 neighbor spokes peer-group
 neighbor spokes remote-as 1
 neighbor spokes route-reflector-client
 neighbor spokes send-community
 neighbor spokes route-map CMNTY in
 neighbor spokes route-map DMVPN-OUT out
 neighbor 10.0.0.1 remote-as 1
 neighbor 10.0.0.1 send-community
 neighbor 10.0.0.1 route-map H2H-IN in
 neighbor 10.0.0.1 route-map DMVPN-OUT out
 neighbor 172.17.0.6 remote-as 2
 neighbor 172.17.0.6 route-map ISP-IN in
 neighbor 172.17.0.6 route-map ISP-OUT out
 neighbor 192.168.0.3 remote-as 1
 neighbor 192.168.0.3 route-map LAN-IN in
 neighbor 192.168.0.3 route-map LAN-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 1 permit 1:1
ip community-list 2 permit 1:2
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
ip community-list 21 deny 1:20
ip community-list 21 permit
!
route-map H2H-IN permit 10
 set metric +10000
!
route-map LAN-OUT permit 10
 match community 11
 set ip next-hop 192.168.0.2
!
route-map DMVPN-OUT permit 10
 match community 11
 set ip next-hop 10.0.0.2
!
route-map ISP-OUT permit 10
 match community 10
!
route-map CMNTY permit 10
 match community 2
!
route-map CMNTY permit 20
 match community 1
 set metric +5000
!
route-map CMNTY permit 30
 set metric +7500
!
route-map ISP-IN permit 10
 set community 1:10
!
route-map LAN-IN permit 10
 match community 21
 set community 1:2
!
control-plane
!
end

iBGP over DMVPN

Spoke1 Configuration
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke1
!
ip cef
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set t2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set t2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
router eigrp 1
 default-metric 1000 0 255 100 1500
 network 192.168.1.0
 redistribute bgp 1 route-map BGP2IGP
!
router bgp 1
 bgp log-neighbor-changes
 bgp redistribute-internal
 timers bgp 10 30
 redistribute eigrp 1 route-map IGP2BGP
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs next-hop-self
 neighbor hubs send-community
 neighbor hubs route-map DMVPN-OUT out
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
 neighbor 172.16.1.2 remote-as 2
 neighbor 172.16.1.2 route-map ISP-IN in
 neighbor 172.16.1.2 route-map ISP-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
!
route-map DMVPN-OUT permit 10
 match community 11
!
route-map ISP-OUT permit 10
 match community 10
!
route-map IGP2BGP deny 10
 match tag 225
!
route-map IGP2BGP permit 20
 set community 1:1
!
route-map BGP2IGP permit 10
 match community 11
 set tag 225
!
route-map ISP-IN permit 10
 set community 1:10
!
control-plane
!
end

iBGP over DMVPN

Spoke2 Configuration
version 15.1
!
hostname Spoke2
!
ip cef
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set t2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set t2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.12 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.2.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.2.1 255.255.255.252
!
router bgp 1
 bgp log-neighbor-changes
 bgp redistribute-internal
 timers bgp 10 30
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs send-community
 neighbor hubs route-map DMVPN-OUT out
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
 neighbor 172.16.2.2 remote-as 2
 neighbor 172.16.2.2 route-map ISP-IN in
 neighbor 172.16.2.2 route-map ISP-OUT out
 neighbor 192.168.2.2 remote-as 1
 neighbor 192.168.2.2 route-reflector-client
 neighbor 192.168.2.2 route-map LAN-IN in
 neighbor 192.168.2.2 route-map LAN-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
ip community-list 21 deny 1:20
ip community-list 21 permit
!
route-map LAN-OUT permit 10
 match community 11
 set ip next-hop 192.168.2.1
!
route-map DMVPN-OUT permit 10
 match community 11
 set ip next-hop 10.0.0.12
!
route-map ISP-OUT permit 10
 match community 10
!
route-map ISP-IN permit 10
 set community 1:10
!
route-map LAN-IN permit 10
 match community 21
 set community 1:2
!
control-plane
!
end

iBGP over DMVPN

(Spoke3, Spoke4) Configuration
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke(3,4)
!
ip cef
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set t2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set t2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.(13,14) 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.(3,4).1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.(3,4).1 255.255.255.252
!
! Spoke3 runs OSPF 1 toward RS3 (192.168.3.0/24); Spoke4 runs EIGRP 1
! toward RS4 (192.168.4.0/24). Each spoke carries only its own IGP block.
router ospf 1
 redistribute bgp 1 subnets route-map BGP2IGP
 network 192.168.3.0 0.0.0.255 area 1
!
router eigrp 1
 default-metric 1000 0 255 100 1500
 network 192.168.4.0
 redistribute bgp 1 route-map BGP2IGP
!
router bgp 1
 bgp log-neighbor-changes
 bgp redistribute-internal
 timers bgp 10 30
 redistribute ospf 1 route-map IGP2BGP
 redistribute eigrp 1 route-map IGP2BGP
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs next-hop-self
 neighbor hubs send-community
 neighbor hubs route-map DMVPN-OUT out
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
 neighbor 172.16.(3,4).2 remote-as 2
 neighbor 172.16.(3,4).2 route-map ISP-IN in
 neighbor 172.16.(3,4).2 route-map ISP-OUT out
 maximum-paths ibgp 4
 distance bgp 20 160 160
 no auto-summary
!
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
!
route-map DMVPN-OUT permit 10
 match community 11
!
route-map ISP-OUT permit 10
 match community 10
!
route-map IGP2BGP deny 10
 match tag 225
!
route-map IGP2BGP permit 20
 set community 1:1
!
route-map BGP2IGP permit 10
 match community 11
 set tag 225
!
route-map ISP-IN permit 10
 set community 1:10
!
control-plane
!
end

iBGP over DMVPN

Internet Configuration
version 12.3
!
hostname Internet
!
interface Serial1/0
 ip address 172.17.0.2 255.255.255.252
!
interface Serial2/0
 ip address 172.17.0.6 255.255.255.252
!
interface Serial3/0
 ip address 172.16.1.2 255.255.255.252
!
interface Serial4/0
 ip address 172.16.2.2 255.255.255.252
!
interface Serial5/0
 ip address 172.16.3.2 255.255.255.252
!
interface Serial6/0
 ip address 172.16.4.2 255.255.255.252
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 172.16.1.0 mask 255.255.255.252
 network 172.16.2.0 mask 255.255.255.252
 network 172.16.3.0 mask 255.255.255.252
 network 172.16.4.0 mask 255.255.255.252
 network 172.17.0.0 mask 255.255.255.252
 network 172.17.0.4 mask 255.255.255.252
 neighbor 172.16.1.1 remote-as 1
 neighbor 172.16.2.1 remote-as 1
 neighbor 172.16.3.1 remote-as 1
 neighbor 172.16.4.1 remote-as 1
 neighbor 172.17.0.1 remote-as 1
 neighbor 172.17.0.5 remote-as 1
 no auto-summary
!
end

iBGP over DMVPN

R2 (behind hubs), RS2 (behind Spoke2) Configuration

R2
hostname R2
!
interface Loopback0
 ip address 172.20.0.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.0.3 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.10.1 255.255.255.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 172.20.0.0 mask 255.255.255.0
 network 192.168.0.0
 network 192.168.10.0
 neighbor hubs peer-group
 neighbor hubs remote-as 1
 neighbor hubs route-reflector-client
 neighbor hubs next-hop-self
 neighbor hubs send-community
 neighbor hubs route-map FROM-DMVPN in
 neighbor 192.168.0.1 peer-group hubs
 neighbor 192.168.0.2 peer-group hubs
 maximum-paths ibgp 4
 no auto-summary
!
ip bgp-community new-format
!
route-map FROM-DMVPN permit 10
 set community 1:20

RS2
hostname RS2
!
interface Loopback0
 ip address 172.20.2.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.12.1 255.255.255.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 172.20.2.0 mask 255.255.255.0
 network 192.168.2.0
 network 192.168.12.0
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 next-hop-self
 neighbor 192.168.2.1 send-community
 neighbor 192.168.2.1 route-map FROM-DMVPN in
 no auto-summary
!
ip bgp-community new-format
!
route-map FROM-DMVPN permit 10
 set community 1:20

iBGP over DMVPN

(RS1,RS4); RS3 Configuration

RS1,RS4
hostname (RS1,RS4)
!
interface Loopback0
 ip address 172.20.(1,4).1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.(1,4).2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.(11,14).1 255.255.255.0
!
router eigrp 1
 network 172.20.(1,4).0 0.0.0.255
 network 192.168.(1,4).0
 network 192.168.(11,14).0
 no auto-summary
!

RS3
hostname RS3
!
interface Loopback0
 ip address 172.20.3.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.3.2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.13.1 255.255.255.0
!
! The OSPF network statements are abbreviated on the slide; a full
! configuration also needs a wildcard mask and area on each one
! (Spoke3 places 192.168.3.0/24 in area 1).
router ospf 1
 log-adjacency-changes
 network 172.20.3.0 0.0.0.255
 network 192.168.3.0
 network 192.168.13.0
!

Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features

Hierarchical Design
Multiple layers of Hub-and-Spoke control plane
Can use a single mGRE subnet across all nodes; best to use multiple mGRE subnets
Spokes and the central hub have a single mGRE interface; distribution hubs have two mGRE interfaces
Use ip nhrp network-id <id> to glue the mGRE interfaces together into a single DMVPN cloud
Still preserves any-to-any spoke-spoke tunnels
(Figure: Region 1 mGRE subnet, Region 2 mGRE subnet, Region 3 mGRE subnet, Central mGRE subnet)

Hierarchical Design
Multiple Hub routers at each layer for redundancy

Hub routers in a layer/region
  Configured similar to each other
  Interconnected as NHSs to each other
  Interconnected as NHSs to next lower layer hubs

Routing
  Summarize routes toward spokes (leaves)
  No summarization of routes toward root (central hub)
  Routes for other mGRE subnets learned over tunnel interface

IP Multicast
  Multicast source behind hub can use single mGRE subnet
  Multicast source behind spoke must use multiple mGRE subnets/interfaces

DMVPN Hierarchical Hub (Phase 3)
(Figure: three-level hierarchy. Legend: mGRE subnet 10.0.0.0/24 (central hub to regional hubs), mGRE subnet 10.0.1.0/24 (Hub 1 to its spokes), mGRE subnet 10.0.2.0/24 (Hub 2 to its spokes), dynamic spoke-to-spoke tunnels.)
Hub 0 (central): Physical 172.17.0.9, Tunnel0 10.0.0.1; LANs 192.168.128.0/24 (.1) and 192.168.1.0/24 (.1)
Hub 1 (regional): Physical 172.17.0.1, Tunnel0 10.0.0.8; Loopback 172.18.0.1, Tunnel1 10.0.1.8; LAN 192.168.8.0/24 (.1)
Hub 2 (regional): Physical 172.17.0.5, Tunnel0 10.0.0.16; Loopback 172.18.0.5, Tunnel2 10.0.2.16; LAN 192.168.16.0/24 (.1)
Spoke 1: Physical 172.16.1.1, Tunnel1 10.0.1.11; LAN 192.168.11.0/24 (.1)
Spoke 2: Physical 172.16.2.1, Tunnel2 10.0.2.18; LAN 192.168.18.0/24 (.1)
Spoke 3: Physical 172.16.3.1, Tunnel2 10.0.2.19; LAN 192.168.19.0/24 (.1)

DMVPN Hierarchical Hub

Central Hub Configuration
version 12.2
!
hostname Hub0
!
ip cef
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.128.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface Serial1/0
 ip address 172.17.0.9 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 192.168.0.0 255.255.192.0
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0
 network 192.168.100.0
 network 192.168.128.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 172.17.0.10

DMVPN Hierarchical Hub

Regional Hub1 Configuration
version 12.2
!
hostname Hub1
!
ip cef
!
interface Loopback0
 ip address 192.168.101.1 255.255.255.0
!
interface Loopback1
 ip address 172.18.0.1 255.255.255.252
!
interface Ethernet0/0
 ip address 192.168.8.1 255.255.255.0
!
interface Serial1/0
 ip address 172.17.0.1 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.8 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.9
 ip nhrp map 10.0.0.1 172.17.0.9
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip nhrp redirect
 ip summary-address eigrp 1 192.168.8.0 255.255.248.0
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
interface Tunnel1
 bandwidth 1000
 ip address 10.0.1.8 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 192.168.8.0 255.255.248.0
 ip summary-address eigrp 1 192.168.100.0 255.255.252.0
 delay 1000
 tunnel source Loopback1
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 network 192.168.8.0
 network 192.168.101.0
!
ip route 0.0.0.0 0.0.0.0 172.17.0.2

DMVPN Hierarchical Hub

Regional Hub2 Configuration
version 12.2
!
hostname Hub2
!
ip cef
!
interface Loopback0
 ip address 192.168.102.1 255.255.255.0
!
interface Loopback1
 ip address 172.18.0.5 255.255.255.252
!
interface Ethernet0/0
 ip address 192.168.16.1 255.255.255.0
!
interface Serial1/0
 ip address 172.17.0.5 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.16 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.9
 ip nhrp map 10.0.0.1 172.17.0.9
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip nhrp redirect
 ip summary-address eigrp 1 192.168.16.0 255.255.248.0
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
interface Tunnel2
 bandwidth 1000
 ip address 10.0.2.16 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 192.168.16.0 255.255.248.0
 ip summary-address eigrp 1 192.168.100.0 255.255.252.0
 delay 1100
 tunnel source Loopback1
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
 network 192.168.16.0
 network 192.168.102.0
!
ip route 0.0.0.0 0.0.0.0 172.17.0.6

DMVPN Hierarchical Hub

Spoke1 Configuration
version 12.2
!
hostname Spoke1
!
ip cef
!
interface Ethernet0/0
 ip address 192.168.11.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.1.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.1.8 172.18.0.1
 ip nhrp map multicast 172.18.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.1.8
 ip nhrp shortcut
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.1.0 0.0.0.255
 network 192.168.11.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2

DMVPN Hierarchical Hub

Spoke2 Configuration
version 12.2
!
hostname Spoke2
!
ip cef
!
interface Ethernet0/0
 ip address 192.168.18.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.2.1 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.2.18 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.2.16 172.18.0.5
 ip nhrp map multicast 172.18.0.5
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.2.16
 ip nhrp shortcut
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.2.0 0.0.0.255
 network 192.168.18.0
!
ip route 0.0.0.0 0.0.0.0 172.16.2.2

DMVPN Hierarchical Hub

Spoke3 Configuration
version 12.2
!
hostname Spoke3
!
ip cef
!
interface Ethernet0/0
 ip address 192.168.19.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.3.1 255.255.255.252
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.2.19 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.2.16 172.18.0.5
 ip nhrp map multicast 172.18.0.5
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.2.16
 ip nhrp shortcut
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
!
router eigrp 1
 network 10.0.2.0 0.0.0.255
 network 192.168.19.0
!
ip route 0.0.0.0 0.0.0.0 172.16.3.2

DMVPN Hierarchical Hub (12.4T)

Spoke2 Before spoke-spoke tunnels

NHRP
10.0.2.16/32 via 10.0.2.16
   Tunnel0 created 1d01h, never expire
   Type: static, Flags: used
   NBMA address: 172.18.0.5

Routing Table
D    192.168.128.0/24 [90/3200000] via 10.0.2.16, 1d01h, Tunnel0
C    192.168.18.0/24 is directly connected, Ethernet0/0
D    192.168.0.0/18 [90/3968000] via 10.0.2.16, 1d01h, Tunnel0
D    192.168.16.0/21 [90/3456000] via 10.0.2.16, 1d01h, Tunnel0

CEF
Prefix              Next Hop     Interface
192.168.0.0/18      10.0.2.16    Tunnel0
192.168.16.0/21     10.0.2.16    Tunnel0
192.168.18.0/24     attached     Ethernet0/0
192.168.128.0/24    10.0.2.16    Tunnel0

Adjacency
IP  Tunnel0  10.0.2.16(16)

DMVPN Hierarchical Hub (12.4T)

Spoke2 Ping to Spoke1 and Hub0

Spoke2 to Spoke1
#ping 192.168.11.1 source 192.168.18.1
Sending 10, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 16/54/80 ms
#traceroute 192.168.11.1 source 192.168.18.1 numeric
Tracing the route to 192.168.11.1
  1 10.0.1.11 32 msec *  28 msec

Spoke2 to Hub0
#ping 192.168.128.1 source 192.168.18.1 repeat 10
Sending 10, 100-byte ICMP Echos to 192.168.128.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 20/28/48 ms
#traceroute 192.168.128.1 source 192.168.18.1 numeric
Tracing the route to 192.168.128.1
  1 10.0.0.1 24 msec *  28 msec

DMVPN Hierarchical Hub (12.4T)

Spoke2 After spoke-spoke tunnels

NHRP
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:00:25, expire 00:05:34
   Type: dynamic, Flags: router implicit
   NBMA address: 172.17.0.9                <- mappings for tunnel to Hub0
10.0.1.11/32 via 10.0.1.11
   Tunnel0 created 00:00:06, expire 00:05:53
   Type: dynamic, Flags: router implicit
   NBMA address: 172.16.1.1                <- mappings for tunnel to Spoke1
10.0.2.16/32 via 10.0.2.16
   Tunnel0 created 1d01h, never expire
   Type: static, Flags: used
   NBMA address: 172.18.0.5                <- static mapping to NHS (Hub2)
192.168.11.0/24 via 10.0.1.11
   Tunnel0 created 00:00:06, expire 00:05:53
   Type: dynamic, Flags: router used
   NBMA address: 172.16.1.1                <- mappings for tunnel to Spoke1
192.168.18.0/24 via 10.0.2.18
   Tunnel0 created 00:00:25, expire 00:05:53
   Type: dynamic, Flags: router unique local
   NBMA address: 172.16.2.1 (no-socket)    <- local entry
192.168.128.0/24 via 10.0.0.1
   Tunnel0 created 00:00:25, expire 00:05:34
   Type: dynamic, Flags: router
   NBMA address: 172.17.0.9                <- mappings for tunnel to Hub0
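As an added example (my code, not part of the Cisco deck or IOS), a parser for the "show ip nhrp" layout shown above that classifies each cache entry the way the slide's callouts do, plus a check of every tunnel-to-NBMA binding against an inventory; the sample output and the INVENTORY dictionary are constructed from the deck's hierarchical addressing.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: Spoke2's cache from the slide, retyped in the
# "show ip nhrp" layout so the parser can run offline.
SPOKE2_NHRP = """\
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:00:25, expire 00:05:34
   Type: dynamic, Flags: router implicit
   NBMA address: 172.17.0.9
10.0.1.11/32 via 10.0.1.11
   Tunnel0 created 00:00:06, expire 00:05:53
   Type: dynamic, Flags: router implicit
   NBMA address: 172.16.1.1
10.0.2.16/32 via 10.0.2.16
   Tunnel0 created 1d01h, never expire
   Type: static, Flags: used
   NBMA address: 172.18.0.5
192.168.11.0/24 via 10.0.1.11
   Tunnel0 created 00:00:06, expire 00:05:53
   Type: dynamic, Flags: router used
   NBMA address: 172.16.1.1
192.168.18.0/24 via 10.0.2.18
   Tunnel0 created 00:00:25, expire 00:05:53
   Type: dynamic, Flags: router unique local
   NBMA address: 172.16.2.1 (no-socket)
192.168.128.0/24 via 10.0.0.1
   Tunnel0 created 00:00:25, expire 00:05:34
   Type: dynamic, Flags: router
   NBMA address: 172.17.0.9
"""

# Constructed inventory: tunnel address -> NBMA address, taken from the
# deck's hierarchical topology (an operator would build it from the configs).
INVENTORY = {
    "10.0.0.1": "172.17.0.9",    # Hub0
    "10.0.1.11": "172.16.1.1",   # Spoke1
    "10.0.2.16": "172.18.0.5",   # Hub2, Tunnel2 sourced from Loopback1
    "10.0.2.18": "172.16.2.1",   # Spoke2 itself
}

@dataclass
class NhrpEntry:
    prefix: str                   # protocol prefix the entry resolves
    next_hop: str                 # tunnel address it maps to
    interface: str = ""
    expire: str = ""              # "never" for static NHS mappings
    kind: str = ""                # "static" or "dynamic"
    flags: list = field(default_factory=list)
    nbma: str = ""                # transport (outside) address
    no_socket: bool = False       # local entry: no IPsec socket needed

HEADER_RE = re.compile(r"^(\S+/\d+) via (\S+)$")
IFACE_RE = re.compile(r"^(\S+) created (\S+), (?:expire (\S+)|never expire)$")
TYPE_RE = re.compile(r"^Type: (\w+), Flags:\s*(.*)$")
NBMA_RE = re.compile(r"^NBMA address: (\S+)(\s+\(no-socket\))?$")

def parse_show_ip_nhrp(text: str) -> list:
    """Parse 'show ip nhrp' output into one NhrpEntry per cache entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            cur = NhrpEntry(prefix=m.group(1), next_hop=m.group(2))
            entries.append(cur)
        elif cur is None:
            raise ValueError(f"attribute line before any entry: {line!r}")
        elif m := IFACE_RE.match(line):
            cur.interface = m.group(1)
            cur.expire = m.group(3) or "never"
        elif m := TYPE_RE.match(line):
            cur.kind, cur.flags = m.group(1), m.group(2).split()
        elif m := NBMA_RE.match(line):
            cur.nbma, cur.no_socket = m.group(1), m.group(2) is not None
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return entries

def classify(e: NhrpEntry) -> str:
    """Role of an entry in a Phase 3 spoke cache, as in the slide callouts."""
    if e.kind == "static":
        return "nhs"         # static mapping to the next-hop server
    if "local" in e.flags:
        return "local"       # this spoke's own network, answered in replies
    if e.prefix == f"{e.next_hop}/32":
        return "peer"        # a peer's tunnel address learned by resolution
    return "shortcut"        # remote network reached over a spoke-spoke tunnel

def nbma_mismatches(entries: list, inventory: dict) -> list:
    """Entries whose tunnel->NBMA binding is unknown to, or differs from,
    the inventory: the check to spot stale or unexpected mappings."""
    return [e for e in entries if e.nbma and inventory.get(e.next_hop) != e.nbma]

if __name__ == "__main__":
    for e in parse_show_ip_nhrp(SPOKE2_NHRP):
        print(f"{classify(e):9}{e.prefix:18} via {e.next_hop:10} NBMA {e.nbma}")
```

Running the block against the cache above lists two peer entries, one NHS mapping, two shortcuts and the local entry, and reports no inventory mismatches.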


DMVPN Heirarchical Hub (12.4T)

Spoke2 After spoke-spoke tunnels (cont)

Routing Table
(no change)

D C D D

192.168.128.0/24 [90/3200000] via 10.0.2.16, 1d01h, Tunnel0 192.168.18.0/24 is directly connected, Ethernet0/0 192.168.0.0/18 [90/3968000] via 10.0.2.16, 1d01h, Tunnel0 192.168.16.0/21 [90/3456000] via 10.0.2.16, 1d01h, Tunnel0

CEF
(no change)

192.168.0.0/18 192.168.16.0/21 192.168.18.0/24 192.168.128.0/24

10.0.2.16 10.0.2.16 attached 10.0.2.16

Tunnel0 Tunnel0 Ethernet0/0 Tunnel0

Adjacency

IP IP IP

Tunnel0 Tunnel0 Tunnel0

10.0.0.1(5) 10.0.1.11(5) 10.0.2.16(16)

Adjacency for Hub0 Adjacency for Spoke1 Adjacency for Hub2


DMVPN Hierarchical Hub (12.2(33)XNE)


Changes for ASR1K
Routes for other mGRE subnets must be directly connected for CEF switching to work. Currently must use static connected routes.

Hub0:
ip route 10.0.1.0 255.255.255.0 Tunnel0
ip route 10.0.2.0 255.255.255.0 Tunnel0

Spoke1:
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.2.0 255.255.255.0 Tunnel0

Hub1:
ip route 10.0.2.0 255.255.255.0 Tunnel0

Spoke2:
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.1.0 255.255.255.0 Tunnel0

Hub2:
ip route 10.0.1.0 255.255.255.0 Tunnel0

Spoke3:
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.1.0 255.255.255.0 Tunnel0


DMVPN Hierarchical Hub (12.2(33)XNE)


Spoke2 Before spoke-spoke tunnels

NHRP
10.0.2.16/32 via 10.0.2.16 Tunnel0 created 1w0d, never expire
  Type: static, Flags: used
  NBMA address: 172.18.0.5

Routing Table
S    10.0.0.0/24 is directly connected, Tunnel0
S    10.0.1.0/24 is directly connected, Tunnel0
C    10.0.2.0/24 is directly connected, Tunnel0
L    10.0.2.18/32 is directly connected, Tunnel0
D    192.168.0.0/18 [90/3635200] via 10.0.2.16, 5d21h, Tunnel0
D    192.168.16.0/21 [90/3123200] via 10.0.2.16, 5d21h, Tunnel0
C    192.168.18.0/24 is directly connected, Ethernet0/0
L    192.168.18.1/32 is directly connected, Ethernet0/0
D    192.168.128.0/24 [90/3200000] via 10.0.2.16, 1w0d, Tunnel0

CEF
Prefix               Next Hop     Interface
10.0.0.0/24          attached     Tunnel0
10.0.1.0/24          attached     Tunnel0
10.0.2.0/24          attached     Tunnel0
10.0.2.16/32         attached     Tunnel0
10.0.2.18/32         receive      Tunnel0
192.168.0.0/18       10.0.2.16    Tunnel0
192.168.16.0/21      10.0.2.16    Tunnel0
192.168.18.0/24      attached     Ethernet0/0
192.168.18.1/32      receive      Ethernet0/0
192.168.128.0/24     10.0.2.16    Tunnel0

Adjacency
IP   Tunnel0   10.0.2.16(15)


DMVPN Hierarchical Hub (12.2(33)XNE)


Spoke2 Ping to Spoke1 and Hub0

Spoke2 to Spoke1
#ping 192.168.11.1 source 192.168.18.1 repeat 20
Sending 20, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 20/41/85 ms
#traceroute 192.168.11.1 source 192.168.18.1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.11.1
  1 10.0.1.11 24 msec * 28 msec

Spoke2 to Hub0
#ping 192.168.128.1 source 192.168.18.1 repeat 20
Sending 20, 100-byte ICMP Echos to 192.168.128.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 16/25/64 ms
#traceroute 192.168.128.1 source 192.168.18.1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.128.1
  1 10.0.0.1 40 msec * 20 msec


DMVPN Hierarchical Hub (12.2(33)XNE)


Spoke2 After spoke-spoke tunnels

NHRP
10.0.0.1/32 via 10.0.0.1 Tunnel0 created 00:01:17, expire 00:04:42      <-- mapping for tunnel to Hub0
  Type: dynamic, Flags: router implicit
  NBMA address: 172.17.0.9
10.0.1.11/32 via 10.0.1.11 Tunnel0 created 00:00:38, expire 00:05:21    <-- mapping for tunnel to Spoke1
  Type: dynamic, Flags: router implicit used
  NBMA address: 172.16.1.1
10.0.2.16/32 via 10.0.2.16 Tunnel0 created 00:06:24, never expire       <-- static mapping to NHS (Hub2)
  Type: static, Flags: used
  NBMA address: 172.18.0.5
192.168.11.0/24 via 10.0.1.11 Tunnel0 created 00:00:36, expire 00:05:23 <-- mapping for tunnel to Spoke1; "rib" = entered in routing table
  Type: dynamic, Flags: router used rib
  NBMA address: 172.16.1.1
192.168.18.0/24 via 10.0.2.18 Tunnel0 created 00:01:17, expire 00:05:21 <-- local entry
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.2.1 (no-socket)
192.168.128.0/24 via 10.0.0.1 Tunnel0 created 00:01:16, expire 00:04:43 <-- mapping for tunnel to Hub0; "rib nho" = entered in routing table as next-hop override
  Type: dynamic, Flags: router rib nho
  NBMA address: 172.17.0.9
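The flags in these NHRP tables (implicit, rib, nho, local) tell you which cache entries actually carry spoke-spoke traffic. As an added example, not from the deck or from Cisco, this Python parser reads `show ip nhrp` output, classifies each entry by its flags and lists the prefixes a shortcut now sends straight to a remote spoke's NBMA address; the sample is copied from the 12.2(33)XNE slide above with its line layout reconstructed.

```python
import re

# Constructed sample: Spoke2's NHRP cache after the spoke-spoke tunnels came up
# (entries copied from the 12.2(33)XNE slide; line layout reconstructed).
SAMPLE_SHOW_IP_NHRP = """\
10.0.0.1/32 via 10.0.0.1 Tunnel0 created 00:01:17, expire 00:04:42
  Type: dynamic, Flags: router implicit
  NBMA address: 172.17.0.9
10.0.2.16/32 via 10.0.2.16 Tunnel0 created 00:06:24, never expire
  Type: static, Flags: used
  NBMA address: 172.18.0.5
192.168.11.0/24 via 10.0.1.11 Tunnel0 created 00:00:36, expire 00:05:23
  Type: dynamic, Flags: router used rib
  NBMA address: 172.16.1.1
192.168.18.0/24 via 10.0.2.18 Tunnel0 created 00:01:17, expire 00:05:21
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.2.1 (no-socket)
192.168.128.0/24 via 10.0.0.1 Tunnel0 created 00:01:16, expire 00:04:43
  Type: dynamic, Flags: router rib nho
  NBMA address: 172.17.0.9
"""

HEADER_RE = re.compile(r"^(?P<prefix>\S+) via (?P<via>\S+) (?P<intf>\S+) created \S+, "
                       r"(?:expire (?P<expire>\S+)|never expire)$")
TYPE_RE = re.compile(r"^\s*Type: (?P<type>\w+), Flags:(?P<flags>.*)$")
NBMA_RE = re.compile(r"^\s*NBMA address: (?P<nbma>\S+)(?P<nosock> \(no-socket\))?$")

def parse_show_ip_nhrp(text):
    """Turn 'show ip nhrp' output into a list of dicts, one per cache entry."""
    entries = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            # expire is None for "never expire" (the static NHS mapping)
            entries.append({"prefix": m["prefix"], "via": m["via"], "expire": m["expire"],
                            "type": "", "flags": set(), "nbma": "", "no_socket": False})
        elif not entries:
            continue                        # preamble before the first entry
        elif m := TYPE_RE.match(line):
            entries[-1]["type"] = m["type"]
            entries[-1]["flags"] = set(m["flags"].split())
        elif m := NBMA_RE.match(line):
            entries[-1]["nbma"] = m["nbma"]
            entries[-1]["no_socket"] = bool(m["nosock"])   # local entry, no tunnel socket
    return entries

def classify(e):
    """Role of a cache entry, using the flag meanings the slides call out."""
    if e["type"] == "static":
        return "nhs"              # static mapping to the next-hop server
    if "local" in e["flags"]:
        return "local"            # our own subnet, answered to resolvers
    if "registered" in e["flags"]:
        return "registered"       # hub side: a spoke's registration
    if "rib" in e["flags"]:       # shortcut entered in the routing table
        return "shortcut-nho" if "nho" in e["flags"] else "shortcut-rib"
    return "implicit"             # peer learned along the way, no route injected

def shortcut_next_hops(entries):
    """Prefix -> NBMA address that now carries traffic over a spoke-spoke tunnel."""
    return {e["prefix"]: e["nbma"] for e in entries if classify(e).startswith("shortcut")}
```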


DMVPN Hierarchical Hub (12.2(33)XNE)


Spoke2 After spoke-spoke tunnels (cont)

Routing Table
S    10.0.0.0/24 is directly connected, Tunnel0
S    10.0.1.0/24 is directly connected, Tunnel0
C    10.0.2.0/24 is directly connected, Tunnel0
L    10.0.2.18/32 is directly connected, Tunnel0
D    192.168.0.0/18 [90/3635200] via 10.0.2.16, 00:06:28, Tunnel0
H    192.168.11.0/24 [250/1] via 10.0.1.11, 00:00:47                    <-- NHRP route
D    192.168.16.0/21 [90/3123200] via 10.0.2.16, 00:06:28, Tunnel0
C    192.168.18.0/24 is directly connected, Ethernet0/0
L    192.168.18.1/32 is directly connected, Ethernet0/0
D    192.168.128.0/24 [90/3200000] via 10.0.2.16, 00:06:28, Tunnel0
%      [NHO][90/1] via 10.0.0.1, 00:01:27, Tunnel0                       <-- next-hop override

CEF
Prefix               Next Hop     Interface
10.0.0.0/24          attached     Tunnel0
10.0.0.1/32          attached     Tunnel0
10.0.1.0/24          attached     Tunnel0
10.0.1.11/32         attached     Tunnel0
10.0.2.0/24          attached     Tunnel0
10.0.2.16/32         attached     Tunnel0
10.0.2.18/32         receive      Tunnel0
192.168.0.0/18       10.0.2.16    Tunnel0
192.168.11.0/24      10.0.1.11    Tunnel0
192.168.16.0/21      10.0.2.16    Tunnel0
192.168.18.0/24      attached     Ethernet0/0
192.168.18.1/32      receive      Ethernet0/0
192.168.128.0/24     10.0.0.1     Tunnel0

Adjacency
IP   Tunnel0   10.0.0.1(11)
IP   Tunnel0   10.0.1.11(10)
IP   Tunnel0   10.0.2.16(14)


Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
  IPv6 Phase 1, NAT, Per-Tunnel QoS, MIBs


IPv6 Phase 1
IPv6 packets over DMVPN IPv4 tunnels
  Introduced in IOS release 12.4(20)T
  IPv4 infrastructure network
  IPv6 and/or IPv4 data packets over the same IPv4 GRE tunnel

Configure IPv6 just like on other interfaces
  Complete set of NHRP commands
    network-id, holdtime, authentication, map, etc.

NHRP registers two addresses
  Link-local for routing protocol (automatic or manual)
  Unicast global for packet forwarding (mandatory)


IPv6 Phase 1
Configuration

Hub:
ipv6 unicast-routing
ipv6 cef
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 ipv6 address 2001:DB8:0:100::1/64
 ipv6 mtu 1400
 ipv6 eigrp 1
 no ipv6 split-horizon eigrp 1
 ipv6 nhrp authentication testv6
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp redirect
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 ipv6 address 2001:DB8::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

Spoke:
ipv6 unicast-routing
ipv6 cef
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ipv6 address 2001:DB8:0:100::B/64
 ipv6 mtu 1400
 ipv6 eigrp 1
 ipv6 nhrp authentication testv6
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp map 2001:DB8:0:100::1/128 172.17.0.1
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:DB8:0:100::1
 ipv6 nhrp shortcut
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 eigrp 1
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

IPv6 Phase 1

show ipv6 nhrp

Hub:
2001:DB8:0:100::B/128 via 2001:DB8:0:100::B Tunnel0 created 1d16h, expire 00:04:58
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.16.1.1
FE80::A8BB:CCFF:FE00:C800/128 via 2001:DB8:0:100::B Tunnel0 created 1d16h, expire 00:04:58
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.1.1

Spoke:
2001:DB8:0:100::1/128 via 2001:DB8:0:100::1 Tunnel0 created 1d16h, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1
FE80::A8BB:CCFF:FE00:6400/128 via FE80::A8BB:CCFF:FE00:6400 Tunnel0 created 1d16h, expire 00:04:59
  Type: dynamic, Flags:
  NBMA address: 172.17.0.1


DMVPN and NAT-T Spoke-Spoke


Phase 2 & 3 (12.4(6)T)
Spoke-spoke dynamic tunnels are now supported to/from NAT-translated spokes
  Hub reports the spoke's outside NAT IP address back to the spoke in the NHRP registration reply.
  The spoke's outside NAT IP address is passed in NHRP resolution request and reply packets.
  Spokes use the remote spoke's outside NAT IP address to build the spoke-to-spoke tunnel.
Two spokes behind the same NAT node
  Must be NAT-translated to unique outside NAT IP addresses.
  The NAT node must support the spokes using each other's outside NAT IP address (traffic loops through the NAT node).
If the spoke-spoke tunnel will not come up, traffic continues to be forwarded via the hub.

DMVPN and NAT-T


[Figure: Hub with Spoke A and Spoke C; Spoke C sits behind a NAT node]
  Hub:     Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24
  Spoke A: Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24
  Spoke C: Physical 172.16.3.1 (dynamic), Tunnel0 10.0.0.13, LAN 192.168.3.1/24
  NAT:     172.16.3.1 -> 172.18.0.3

NHRP mapping tables (* = outside NAT address learned via NAT-T)
  Hub:     10.0.0.11 -> 172.16.1.1; 10.0.0.13 -> 172.18.0.3* (172.16.3.1)
  Spoke A: 10.0.0.1 -> 172.17.0.1; 10.0.0.13 -> 172.18.0.3* (172.16.3.1) ?
  Spoke C: 10.0.0.1 -> 172.17.0.1; 10.0.0.11 -> 172.16.1.1; 10.0.0.13 -> 172.18.0.3* (172.16.3.1)

Crypto map tables
  Hub:     Peer 172.16.1.1, Peer 172.18.0.3
  Spoke A: Peer 172.17.0.1, Peer 172.18.0.3
  Spoke C: Peer 172.17.0.1, Peer 172.16.1.1


DMVPN and NAT-T


Registrations
NHRP: Send Registration Request via Tunnel0 vrf 0, src: 10.0.0.13, dst: 10.0.0.1
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "unique nat", src NBMA: 172.16.3.1, src protocol: 10.0.0.13, dst protocol: 10.0.0.1
 (C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT Address Extension (9):
  (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
NHRP: Send Registration Reply via Tunnel0 vrf 0, src: 10.0.0.1, dst: 10.0.0.13
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "unique nat", src NBMA: 172.16.3.1, src protocol: 10.0.0.13, dst protocol: 10.0.0.1
 (C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
  (C) prefix: 0, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT Address Extension(9):
  (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
  (C-2) prefix: 32, client NBMA: 172.18.0.3, client protocol: 10.0.0.13


DMVPN and NAT-T

Phase 3 Resolutions
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84, src: 10.0.0.11, dst: 10.0.0.1
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 164
     src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.13
 (C-1) code: no error(0) prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT address Extension(9):
NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 152, src: 10.0.0.13, dst: 10.0.0.11
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1, shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 164
     src NBMA: 172.16.1.1, src protocol: 10.0.0.11, dst protocol: 10.0.0.13
 (C-1) code: no error(0), prefix: 32, mtu: 1514, hd_time: 360
       client NBMA: 172.16.3.1, client protocol: 10.0.0.13
 Responder Address Extension(3):
  (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
      client NBMA: 172.16.3.1, client protocol: 10.0.0.13
 Forward Transit NHS Record Extension(4):
  client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT Address Extension (9):
  (C-1) prefix: 32, client NBMA: 172.18.0.3, client protocol: 10.0.0.13
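To check which peers an NHRP exchange reports as NAT-translated, this added Python example (not from the deck or from Cisco) parses `debug nhrp packet` output and compares, per protocol address, the NBMA address given in the mandatory part with the one in NAT Address Extension (9); a mismatch identifies a peer behind NAT and the outside address a spoke must use for the spoke-to-spoke tunnel. The sample is the registration exchange from the previous slide with its line layout reconstructed; the same comparison applies to the resolution reply above, where the CIE carries 172.16.3.1 and the NAT extension 172.18.0.3 for 10.0.0.13.

```python
import re

# Constructed sample: the NAT-T registration exchange shown on the slide
# (field values copied from the deck, line layout reconstructed).
SAMPLE_DEBUG = """\
NHRP: Send Registration Request via Tunnel0 vrf 0, src: 10.0.0.13, dst: 10.0.0.1
 (M) flags: "unique nat", src NBMA: 172.16.3.1, src protocol: 10.0.0.13, dst protocol: 10.0.0.1
 (C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT Address Extension(9):
 (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
NHRP: Send Registration Reply via Tunnel0 vrf 0, src: 10.0.0.1, dst: 10.0.0.13
 (M) flags: "unique nat", src NBMA: 172.16.3.1, src protocol: 10.0.0.13, dst protocol: 10.0.0.1
 (C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 (C) prefix: 0, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Forward Transit NHS Record Extension(4):
 Authentication Extension(7): type:Cleartext(1), data:test
 NAT Address Extension(9):
 (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 (C-2) prefix: 32, client NBMA: 172.18.0.3, client protocol: 10.0.0.13
"""

PKT_RE = re.compile(r"^NHRP: (?:Send|Receive) (?P<kind>\w+ \w+) via \S+ vrf \d+,"
                    r"(?: packet size: \d+,)? src: (?P<src>[\d.]+), dst: (?P<dst>[\d.]+)$")
EXT_RE = re.compile(r"^\s*(?P<name>[\w ]+?) Extension\s*\(\d+\):")
SRC_RE = re.compile(r"src NBMA: (?P<nbma>[\d.]+), src protocol: (?P<proto>[\d.]+)")
CIE_RE = re.compile(r"client NBMA: (?P<nbma>[\d.]+), client protocol: (?P<proto>[\d.]+)")

def parse_nhrp_debug(text):
    """Split 'debug nhrp packet' output into packets; per packet collect protocol -> NBMA
    from the mandatory part and from NAT Address Extension (9), which differ under NAT."""
    packets, section = [], None
    for line in text.splitlines():
        if m := PKT_RE.match(line):
            packets.append({"kind": m["kind"], "src": m["src"], "dst": m["dst"],
                            "mandatory": {}, "nat_ext": {}})
            section = None                  # mandatory part until the first extension
        elif not packets:
            continue
        elif m := EXT_RE.match(line):
            section = m["name"]             # e.g. "Responder Address", "NAT Address"
        elif m := SRC_RE.search(line):
            packets[-1]["mandatory"][m["proto"]] = m["nbma"]
        elif m := CIE_RE.search(line):
            if section is None:             # CIE in the mandatory part (resolution reply)
                packets[-1]["mandatory"][m["proto"]] = m["nbma"]
            elif section == "NAT Address":
                packets[-1]["nat_ext"][m["proto"]] = m["nbma"]
    return packets

def nat_translated_peers(packets):
    """{protocol: (inside NBMA, outside NBMA)} for peers whose NAT-extension address
    differs from the mandatory-part one; the outside address is the tunnel endpoint."""
    found = {}
    for pkt in packets:
        for proto, outside in pkt["nat_ext"].items():
            inside = pkt["mandatory"].get(proto)
            if inside and inside != outside:
                found[proto] = (inside, outside)
    return found
```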

Per-tunnel QoS 12.4(22)T


QoS per tunnel (spoke) on hub
  Dynamically selected hierarchical (parent/child) QoS policy
  Spoke: configure NHRP group name
  Hub: NHRP group name mapped to QoS template policy
  Multiple spokes with the same NHRP group are mapped to individual instances of the same QoS template policy

QoS policy applied at outbound physical interface
  Classification done before GRE encapsulation by tunnel
    ACL match against the data IP packet; qos pre-classify not configured on the tunnel interface
  Shaping/policing done on the physical interface after IPsec encryption
    Can't have a separate aggregate QoS policy on the physical interface


Per-tunnel QoS
Configurations

Hub:
class-map match-all typeA_voice
 match access-group 100
class-map match-all typeB_voice
 match access-group 100
class-map match-all typeA_Routing
 match ip precedence 6
class-map match-all typeB_Routing
 match ip precedence 6
policy-map typeA
 class typeA_voice
  priority 1000
 class typeA_Routing
  bandwidth percent 20
policy-map typeB
 class typeB_voice
  priority percent 20
 class typeB_Routing
  bandwidth percent 10
policy-map typeA_parent
 class class-default
  shape average 3000000
  service-policy typeA
policy-map typeB_parent
 class class-default
  shape average 2000000
  service-policy typeB

Hub (cont):
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map group typeA service-policy output typeA_parent
 ip nhrp map group typeB service-policy output typeB_parent
 ip nhrp redirect
 no ip split-horizon eigrp 100
 ip summary-address eigrp 100 192.168.0.0 255.255.192.0 5

Spoke1:
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp group typeA
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1

Spoke2:
interface Tunnel0
 ip address 10.0.0.12 255.255.255.0
 ip nhrp group typeB
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1

Spoke3:
interface Tunnel0
 ip address 10.0.0.13 255.255.255.0
 ip nhrp group typeA
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1

Per-tunnel QoS
QoS Output

Hub#show ip nhrp
10.0.0.11/32 via 10.0.0.11 Tunnel0 created 21:24:03, expire 00:04:01
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.1.1
  Group: typeA
10.0.0.12/32 via 10.0.0.12 Tunnel0 created 21:22:33, expire 00:05:30
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.2.1
  Group: typeB
10.0.0.13/32 via 10.0.0.13 Tunnel0 created 00:09:04, expire 00:04:05
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.3.1
  Group: typeA

Hub#show policy-map multipoint tunnel 0 <spoke> output
Interface Tunnel0 172.16.1.1
  Service-policy output: typeA_parent
    Class-map: class-default (match-any)
      19734 packets, 6667163 bytes
      shape (average) cir 3000000, bc 12000, be 12000
      Service-policy : typeA
        Class-map: typeA_voice (match-all)
          3737 packets, 4274636 bytes
        Class-map: typeA_Routing (match-all)
          14424 packets, 1269312 bytes
        Class-map: class-default (match-any)
          1573 packets, 1123215 bytes
Interface Tunnel0 172.16.2.1
  Service-policy output: typeB_parent
    Class-map: class-default (match-any)
      11420 packets, 1076898 bytes
      shape (average) cir 2000000, bc 8000, be 8000
      Service-policy : typeB
        Class-map: typeB_voice (match-all)
          1005 packets, 128640 bytes
        Class-map: typeB_Routing (match-all)
          10001 packets, 880088 bytes
        Class-map: class-default (match-any)
          414 packets, 68170 bytes
Interface Tunnel0 172.16.3.1
  Service-policy output: typeA_parent
    Class-map: class-default (match-any)
      5458 packets, 4783903 bytes
      shape (average) cir 3000000, bc 12000, be 12000
      Service-policy : typeA
        Class-map: typeA_voice (match-all)
          4914 packets, 4734392 bytes
        Class-map: typeA_Routing (match-all)
          523 packets, 46004 bytes
        Class-map: class-default (match-any)
          21 packets, 14995 bytes

Hub#show ip nhrp group-map
Interface: Tunnel0
  NHRP group: typeA
    QoS policy: typeA_parent
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
      10.0.0.11/172.16.1.1
      10.0.0.13/172.16.3.1
  NHRP group: typeB
    QoS policy: typeB_parent
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
      10.0.0.12/172.16.2.1
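A spoke that registers with a group name the hub has no `ip nhrp map group` for gets no per-tunnel policy, and nothing in the configuration flags that. This added Python check (not from the deck or from Cisco) cross-references the hub's `show ip nhrp` against `show ip nhrp group-map` to find such spokes; the samples copy the hub outputs above (indentation reconstructed) plus one constructed spoke, 10.0.0.14 in group typeC, to exercise the failure case.

```python
import re

# Constructed sample: the hub's 'show ip nhrp' from the slide plus one extra,
# constructed spoke (10.0.0.14, group typeC) whose group the hub never mapped.
SHOW_IP_NHRP = """\
10.0.0.11/32 via 10.0.0.11 Tunnel0 created 21:24:03, expire 00:04:01
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.1.1
  Group: typeA
10.0.0.12/32 via 10.0.0.12 Tunnel0 created 21:22:33, expire 00:05:30
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.2.1
  Group: typeB
10.0.0.13/32 via 10.0.0.13 Tunnel0 created 00:09:04, expire 00:04:05
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.3.1
  Group: typeA
10.0.0.14/32 via 10.0.0.14 Tunnel0 created 00:00:40, expire 00:05:20
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.4.1
  Group: typeC
"""
# Constructed sample: 'show ip nhrp group-map' copied from the slide.
SHOW_GROUP_MAP = """\
Interface: Tunnel0
  NHRP group: typeA
    QoS policy: typeA_parent
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
      10.0.0.11/172.16.1.1
      10.0.0.13/172.16.3.1
  NHRP group: typeB
    QoS policy: typeB_parent
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
      10.0.0.12/172.16.2.1
"""

def registered_groups(show_ip_nhrp):
    """{overlay address: group} for every registered spoke that sent a group name."""
    groups, cur = {}, None
    for line in show_ip_nhrp.splitlines():
        if m := re.match(r"^([\d.]+)/32 via ", line):
            cur = m.group(1)                      # start of a new cache entry
        elif cur and (m := re.match(r"^\s*Group: (\S+)$", line)):
            groups[cur] = m.group(1)
    return groups

def policy_tunnels(show_group_map):
    """{overlay address: (group, policy)} for tunnels that received a policy instance."""
    out, group, policy = {}, None, None
    for line in show_group_map.splitlines():
        if m := re.match(r"^\s*NHRP group: (\S+)$", line):
            group = m.group(1)
        elif m := re.match(r"^\s*QoS policy: (\S+)$", line):
            policy = m.group(1)
        elif m := re.match(r"^\s*([\d.]+)/[\d.]+$", line):   # overlay/transport pair
            out[m.group(1)] = (group, policy)
    return out

def spokes_without_policy(show_ip_nhrp, show_group_map):
    """Spokes that registered a group but have no per-tunnel QoS policy on the hub."""
    applied = policy_tunnels(show_group_map)
    return {spoke: grp for spoke, grp in registered_groups(show_ip_nhrp).items()
            if spoke not in applied}
```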

Per-tunnel QoS
Scaling 7200 NPE-G1/VAM2+

Stable
Tunnels/Active        500/150    600/180     700/210
CPU Utilization
  No traffic          9%         12%         14%
  28 Mbps             41%        49%         53%
  38 Mbps             52%        62%         73%
  47.6 Mbps           64%        75%         85%

Unstable
Tunnels/Active        500/150    600/180     700/210        Key: N/A
CPU Utilization
  28 Mbps             43%        51%         53% (99%)
  38 Mbps             52%        68% (99%)   76% (99%)
  47.6 Mbps           64%        78% (99%)   99% (flapping)

1) Tunnels/Active = number of tunnels versus number of active shapers
2) "Unstable" corresponds to detaching and re-attaching the service policy on the tunnels
3) All CPU values are observed steady-state values; (99%) in parentheses means CPU was at 99% for a while before stabilizing
4) Original EC = 700/210 @ 47.6 Mbps <= 80% CPU under unstable conditions (presumably)
5) For 7200 NPE-G2/VSA low scale numbers, CSCsu73714 filed


NHRP MIB and SYSLog Extensions


15.0(1)M

NHRP Extension MIB
  An extension of the NHRP MIB (RFC 2677)
  Defines notifications for critical events in NHRP (RFC 2332)
    NHServer and NHClient (up/down); NHPeer (up/down); RateLimitExceeded; NHRP Errors
  Cisco proprietary enhancements to the protocol
    NHRP Redirect

SYSLog Extension
  NHServer, NHClient, NHPeer (up/down)
  DMVPN Crypto Session (up/down)
  NHRP Resolution (receive/reply/timeout/fail)
  NHRP Max Send
  NHRP Errors (Send, Multicast, Encap)


Thank you.
