DMVPN Phases explained with BGP
The previous post was an introduction to, and overview of, the features involved in DMVPN. In this post, I will explain some of the NHRP parameters needed to create the overlay, and then walk through each design using my favorite routing protocol, BGP.
The following network topology will be used to explain the three different design models:
As we know, DMVPN creates a Non-Broadcast Multi-Access (NBMA) network. An NBMA network does not support multicast traffic, yet multicast traffic is required to enable dynamic routing protocols.
With this premise, there are three commands that will be used with the design models:
- ip nhrp network-id <ID>: Defines the NHRP domain for an NHRP interface and differentiates between multiple NHRP domains (networks) when two or more NHRP domains (tunnel interfaces configured as mGRE) are present on the same NHRP router. The ID keeps two NHRP networks separate from each other when both are configured on the same router.
- ip nhrp map multicast dynamic: Used under the hub router's tunnel interface to enable support for multicast traffic. It allows each spoke to register as a receiver of multicast traffic, causing the hub to replicate and forward multicast traffic to the spoke routers.
- ip nhrp map multicast <Hub IP Address>: Used under the spoke routers' tunnel interface. Multicast traffic is sent only from the spokes to the hub, not from spoke to spoke.
DMVPN Phase 1
Phase 1 provides hub-to-spoke communication. This means that there is no spoke-to-spoke tunnel: traffic from one spoke site to another spoke site always passes through the hub.
- The hub router will be configured as BGP RR (Route-Reflector) Server.
- The spoke routers will be configured as BGP RR (Route-Reflector) Client.
- The tunnel interface on the hub will be mGRE.
- The tunnel interface on each spoke will be P2P GRE.
- The hub router will advertise a summary route to spoke routers.
Configuration
!
hostname Hub
!
crypto ikev2 proposal AES/GCM/256
encryption aes-gcm-256
prf sha512
group 19
!
crypto ikev2 policy AES/GCM/256
proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
description PSK Profile
match identity remote address 0.0.0.0
identity local address 192.168.255.1
authentication local pre-share
authentication remote pre-share
keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
mode transport
!
crypto ipsec profile PROTECT-TUN100
set transform-set AES256/GCM/TRANSFORM
set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication F4RM4NH@
ip nhrp network-id 100
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile PROTECT-TUN100
!
router bgp 65033
bgp router-id 192.168.255.1
bgp log-neighbor-changes
bgp listen range 192.168.100.0/24 peer-group SPOKES
no bgp default ipv4-unicast
neighbor SPOKES peer-group
neighbor SPOKES remote-as 65033
!
address-family ipv4
network 10.172.16.0 mask 255.255.255.0
aggregate-address 10.172.0.0 255.255.0.0 summary-only
neighbor SPOKES activate
neighbor SPOKES route-reflector-client
exit-address-family
!
!
hostname Spoke1
!
crypto ikev2 proposal AES/GCM/256
encryption aes-gcm-256
prf sha512
group 19
!
crypto ikev2 policy AES/GCM/256
proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
description PSK Profile
match identity remote address 0.0.0.0
identity local address 192.168.255.2
authentication local pre-share
authentication remote pre-share
keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
mode transport
!
crypto ipsec profile PROTECT-TUN100
set transform-set AES256/GCM/TRANSFORM
set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
ip address 192.168.100.2 255.255.255.0
ip mtu 1400
ip nhrp authentication F4RM4NH@
ip nhrp map 192.168.100.1 200.44.0.2
ip nhrp network-id 100
ip nhrp nhs 192.168.100.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 200.44.0.2
tunnel protection ipsec profile PROTECT-TUN100
!
router bgp 65033
bgp router-id 192.168.255.2
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.100.1 remote-as 65033
!
address-family ipv4
network 10.172.17.0 mask 255.255.255.0
neighbor 192.168.100.1 activate
exit-address-family
!
!
hostname Spoke2
!
crypto ikev2 proposal AES/GCM/256
encryption aes-gcm-256
prf sha512
group 19
!
crypto ikev2 policy AES/GCM/256
proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
description PSK Profile
match identity remote address 0.0.0.0
identity local address 192.168.255.3
authentication local pre-share
authentication remote pre-share
keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
mode transport
!
crypto ipsec profile PROTECT-TUN100
set transform-set AES256/GCM/TRANSFORM
set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
ip address 192.168.100.3 255.255.255.0
ip mtu 1400
ip nhrp authentication F4RM4NH@
ip nhrp map 192.168.100.1 200.44.0.2
ip nhrp network-id 100
ip nhrp nhs 192.168.100.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 200.44.0.2
tunnel protection ipsec profile PROTECT-TUN100
!
router bgp 65033
bgp router-id 192.168.255.3
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.100.1 remote-as 65033
!
address-family ipv4
network 10.172.18.0 mask 255.255.255.0
neighbor 192.168.100.1 activate
exit-address-family
!
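All three routers share one IKEv2 pre-shared key through a wildcard keyring peer, and the hub accepts iBGP sessions from the whole tunnel subnet. The audit below is an added example, not part of the original post: it flags those settings in a configuration written in the flattened form used here. The function names, finding texts, the `SPOKE1` and `SPOKE-LANS` names and the 203.0.113.10 address are assumptions of this sketch.

```python
import re

# Constructed excerpt of the hub configuration above, flattened as on this page;
# the pre-shared key is replaced by a placeholder.
WEAK = """\
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key <placeholder>
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
match identity remote address 0.0.0.0
keyring local DMVPN-KEYRING
!
router bgp 65033
bgp listen range 192.168.100.0/24 peer-group SPOKES
neighbor SPOKES peer-group
neighbor SPOKES remote-as 65033
!
address-family ipv4
neighbor SPOKES activate
neighbor SPOKES route-reflector-client
exit-address-family
!
"""

# Constructed counterpart: key scoped to one peer address, pinned identity and
# an inbound prefix filter. SPOKE1, SPOKE-LANS and 203.0.113.10 are hypothetical.
TIGHT = (WEAK
         .replace("peer ANY", "peer SPOKE1")
         .replace("address 0.0.0.0 0.0.0.0", "address 203.0.113.10")
         .replace("remote address 0.0.0.0",
                  "remote address 203.0.113.10 255.255.255.255")
         .replace("neighbor SPOKES activate",
                  "neighbor SPOKES activate\nneighbor SPOKES prefix-list SPOKE-LANS in"))

def stanzas(config):
    """Split a config on '!' separator lines; leading indentation is ignored."""
    parts = re.split(r"^[ \t]*![ \t]*$", config, flags=re.M)
    return [[l.strip() for l in p.splitlines() if l.strip()] for p in parts if p.strip()]

def audit(config):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    blocks = stanzas(config)
    for s in blocks:
        head = s[0]
        if head.startswith("crypto ikev2 keyring "):
            peers, cur = {}, None
            for line in s[1:]:
                if line.startswith("peer "):
                    cur = peers.setdefault(line.split()[1], set())
                elif cur is not None and line == "address 0.0.0.0 0.0.0.0":
                    cur.add("any-address")
                elif cur is not None and line.startswith("pre-shared-key"):
                    cur.add("psk")
            for name, attrs in peers.items():
                if attrs == {"any-address", "psk"}:
                    findings.append(f"keyring peer {name}: one pre-shared key for any address")
        elif head.startswith("crypto ikev2 profile "):
            if "match identity remote address 0.0.0.0" in s:
                findings.append(f"ikev2 profile {head.split()[-1]}: matches any remote address")
    lines = [l for s in blocks for l in s]
    for line in lines:
        m = re.match(r"bgp listen range (\S+) peer-group (\S+)$", line)
        if not m:
            continue
        group = m.group(2)
        filt = re.compile(rf"neighbor {re.escape(group)} (prefix-list|route-map) \S+ in$")
        if not any(filt.match(l) for l in lines):
            findings.append(f"bgp peer-group {group}: listen range {m.group(1)} "
                            "has no inbound prefix-list or route-map")
    return findings

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("TIGHT", TIGHT)):
        print(label, audit(cfg) or "no findings")
```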
Verification
Hub# show ip bgp summary
BGP router identifier 192.168.255.1, local AS number 65033
BGP table version is 14, main routing table version 14
4 network entries using 576 bytes of memory
4 path entries using 320 bytes of memory
3/3 BGP path/bestpath attribute entries using 456 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1352 total bytes of memory
BGP activity 6/2 prefixes, 6/2 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
*192.168.100.2 4 65033 17 19 14 0 0 00:11:35 1
*192.168.100.3 4 65033 17 21 14 0 0 00:11:34 1
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1
BGP peergroup SPOKES listen range group members:
192.168.100.0/24
Total dynamically created neighbors: 2/(33 max), Subnet ranges: 1
Hub# show ip bgp
BGP table version is 14, local router ID is 192.168.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.172.0.0/16 0.0.0.0 32768 i
s> 10.172.16.0/24 0.0.0.0 0 32768 i
s>i 10.172.17.0/24 192.168.100.2 0 100 0 i
s>i 10.172.18.0/24 192.168.100.3 0 100 0 i
Spoke2# show ip bgp summary
BGP router identifier 192.168.255.3, local AS number 65033
BGP table version is 8, main routing table version 8
2 network entries using 288 bytes of memory
2 path entries using 160 bytes of memory
2/2 BGP path/bestpath attribute entries using 304 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 752 total bytes of memory
BGP activity 4/2 prefixes, 4/2 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.100.1 4 65033 30 26 8 0 0 00:18:18 1
Spoke2# show ip bgp
BGP table version is 8, local router ID is 192.168.255.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*>i 10.172.0.0/16 192.168.100.1 0 100 0 i
*> 10.172.18.0/24 0.0.0.0 0 32768 i
Spoke2# traceroute 10.172.17.1 source 10.172.18.1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.20.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.100.1 3 msec 3 msec 3 msec
2 192.168.100.2 4 msec 5 msec *
DMVPN Phase 2
Phase 2 introduces dynamic spoke-to-spoke tunnels, so traffic between spokes does not have to go through the hub. Each spoke is allowed to build a spoke-to-spoke tunnel on demand.
- The hub router will be configured as BGP RR (Route-Reflector) Server.
- The spoke routers will be configured as BGP RR (Route-Reflector) Client.
- The tunnel interfaces on the hub and spokes will be mGRE.
Configuration
!
hostname Hub
!
crypto ikev2 proposal AES/GCM/256
encryption aes-gcm-256
prf sha512
group 19
!
crypto ikev2 policy AES/GCM/256
proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
description PSK Profile
match identity remote address 0.0.0.0
identity local address 192.168.255.1
authentication local pre-share
authentication remote pre-share
keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
mode transport
!
crypto ipsec profile PROTECT-TUN100
set transform-set AES256/GCM/TRANSFORM
set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
bandwidth 10240
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication F4RM4NH@
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile PROTECT-TUN100
!
router bgp 65033
bgp router-id 192.168.255.1
bgp log-neighbor-changes
bgp listen range 192.168.100.0/24 peer-group SPOKES
no bgp default ipv4-unicast
neighbor SPOKES peer-group
neighbor SPOKES remote-as 65033
!
address-family ipv4
network 10.172.16.0 mask 255.255.255.0
neighbor SPOKES activate
neighbor SPOKES route-reflector-client
exit-address-family
!
!
hostname Spoke1
!
crypto ikev2 proposal AES/GCM/256
encryption aes-gcm-256
prf sha512
group 19
!
crypto ikev2 policy AES/GCM/256
proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
description PSK Profile
match identity remote address 0.0.0.0
identity local address 192.168.255.2
authentication local pre-share
authentication remote pre-share
keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
mode transport
!
crypto ipsec profile PROTECT-TUN100
set transform-set AES256/GCM/TRANSFORM
set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
ip address 192.168.100.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication F4RM4NH@
ip nhrp map 192.168.100.1 200.44.0.2
ip nhrp map multicast 200.44.0.2
ip nhrp network-id 100
ip nhrp nhs 192.168.100.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile PROTECT-TUN100
!
router bgp 65033
bgp router-id 192.168.255.2
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.100.1 remote-as 65033
!
address-family ipv4
network 10.172.17.0 mask 255.255.255.0
neighbor 192.168.100.1 activate
exit-address-family
!
!
hostname Spoke2
!
crypto ikev2 proposal AES/GCM/256
encryption aes-gcm-256
prf sha512
group 19
!
crypto ikev2 policy AES/GCM/256
proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
description PSK Profile
match identity remote address 0.0.0.0
identity local address 192.168.255.3
authentication local pre-share
authentication remote pre-share
keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
mode transport
!
crypto ipsec profile PROTECT-TUN100
set transform-set AES256/GCM/TRANSFORM
set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
ip address 192.168.100.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication F4RM4NH@
ip nhrp map 192.168.100.1 200.44.0.2
ip nhrp map multicast 200.44.0.2
ip nhrp network-id 100
ip nhrp nhs 192.168.100.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile PROTECT-TUN100
!
router bgp 65033
bgp router-id 192.168.255.3
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.100.1 remote-as 65033
!
address-family ipv4
network 10.172.18.0 mask 255.255.255.0
neighbor 192.168.100.1 activate
exit-address-family
!
Verification
Hub# show ip bgp summary
BGP router identifier 192.168.255.1, local AS number 65033
BGP table version is 4, main routing table version 4
3 network entries using 432 bytes of memory
3 path entries using 240 bytes of memory
2/2 BGP path/bestpath attribute entries using 304 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 976 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
*192.168.100.2 4 65033 14 14 4 0 0 00:08:09 1
*192.168.100.3 4 65033 13 18 4 0 0 00:08:06 1
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1
BGP peergroup SPOKES listen range group members:
192.168.100.0/24
Total dynamically created neighbors: 2/(33 max), Subnet ranges: 1
Hub# show ip bgp
BGP table version is 4, local router ID is 192.168.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.172.16.0/24 0.0.0.0 0 32768 i
*>i 10.172.17.0/24 192.168.100.2 0 100 0 i
*>i 10.172.18.0/24 192.168.100.3 0 100 0 i
Spoke2# show ip bgp summary
BGP router identifier 192.168.255.3, local AS number 65033
BGP table version is 4, main routing table version 4
3 network entries using 432 bytes of memory
3 path entries using 240 bytes of memory
2/2 BGP path/bestpath attribute entries using 304 bytes of memory
1 BGP rrinfo entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1000 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.100.1 4 65033 20 15 4 0 0 00:09:53 2
Spoke2# show ip bgp
BGP table version is 4, local router ID is 192.168.255.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*>i 10.172.16.0/24 192.168.100.1 0 100 0 i
*>i 10.172.17.0/24 192.168.100.2 0 100 0 i
*> 10.172.18.0/24 0.0.0.0 0 32768 i
Spoke2# traceroute 10.172.17.1 source 10.172.18.1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.20.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.100.2 3 msec * 3 msec
DMVPN Phase 3
Phase 3 introduces Shortcut Switching, which discovers a shorter path to a destination network after an NHRP redirect message is received from the hub. This allows the routers to communicate directly with each other without the need for an intermediate hop.
- The hub router will be configured as BGP RR (Route-Reflector) Server.
- The spoke routers will be configured as BGP RR (Route-Reflector) Client.
- The tunnel interfaces on the hub and spokes will be mGRE.
- The tunnel interface on the hub will be configured with the parameter NHRP Redirect.
- The tunnel interface on the spokes will be configured with the parameter NHRP Shortcut.
- The hub router will advertise a summary route to spoke routers.
Configuration
!
hostname Hub
!
crypto ikev2 proposal AES/GCM/256
encryption aes-gcm-256
prf sha512
group 19
!
crypto ikev2 policy AES/GCM/256
proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
description PSK Profile
match identity remote address 0.0.0.0
identity local address 192.168.255.1
authentication local pre-share
authentication remote pre-share
keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
mode transport
!
crypto ipsec profile PROTECT-TUN100
set transform-set AES256/GCM/TRANSFORM
set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
bandwidth 10240
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication F4RM4NH@
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile PROTECT-TUN100
!
router bgp 65033
bgp router-id 192.168.255.1
bgp log-neighbor-changes
bgp listen range 192.168.100.0/24 peer-group SPOKES
no bgp default ipv4-unicast
neighbor SPOKES peer-group
neighbor SPOKES remote-as 65033
!
address-family ipv4
network 10.172.16.0 mask 255.255.255.0
aggregate-address 10.172.0.0 255.255.0.0 summary-only
neighbor SPOKES activate
neighbor SPOKES route-reflector-client
exit-address-family
!
!
hostname Spoke1
!
crypto ikev2 proposal AES/GCM/256
encryption aes-gcm-256
prf sha512
group 19
!
crypto ikev2 policy AES/GCM/256
proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
description PSK Profile
match identity remote address 0.0.0.0
identity local address 192.168.255.2
authentication local pre-share
authentication remote pre-share
keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
mode transport
!
crypto ipsec profile PROTECT-TUN100
set transform-set AES256/GCM/TRANSFORM
set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
ip address 192.168.100.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication F4RM4NH@
ip nhrp map 192.168.100.1 200.44.0.2
ip nhrp map multicast 200.44.0.2
ip nhrp network-id 100
ip nhrp nhs 192.168.100.1
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile PROTECT-TUN100
!
router bgp 65033
bgp router-id 192.168.255.2
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.100.1 remote-as 65033
!
address-family ipv4
network 10.172.17.0 mask 255.255.255.0
neighbor 192.168.100.1 activate
exit-address-family
!
!
hostname Spoke2
!
crypto ikev2 proposal AES/GCM/256
encryption aes-gcm-256
prf sha512
group 19
!
crypto ikev2 policy AES/GCM/256
proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
description PSK Profile
match identity remote address 0.0.0.0
identity local address 192.168.255.3
authentication local pre-share
authentication remote pre-share
keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
mode transport
!
crypto ipsec profile PROTECT-TUN100
set transform-set AES256/GCM/TRANSFORM
set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
ip address 192.168.100.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication F4RM4NH@
ip nhrp map 192.168.100.1 200.44.0.2
ip nhrp map multicast 200.44.0.2
ip nhrp network-id 100
ip nhrp nhs 192.168.100.1
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile PROTECT-TUN100
!
router bgp 65033
bgp router-id 192.168.255.3
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.100.1 remote-as 65033
!
address-family ipv4
network 10.172.18.0 mask 255.255.255.0
neighbor 192.168.100.1 activate
exit-address-family
!
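The tunnel-interface differences between the three phases can be checked mechanically. The following is an added example, not part of the original post: it classifies a hub and its spokes as Phase 1, 2 or 3 from their Tunnel100 stanzas and reports spokes whose NHRP authentication string or GRE tunnel key differs from the hub's. The function names are assumptions, and the classification relies on `ip nhrp redirect` and `ip nhrp shortcut` appearing as explicit lines, as they do in the configurations here.

```python
def tunnel_stanza(config, ifname="Tunnel100"):
    """Lines of one interface stanza; works with or without indentation."""
    lines = [l.strip() for l in config.splitlines()]
    header = f"interface {ifname}"
    if header not in lines:
        return []
    body = []
    for line in lines[lines.index(header) + 1:]:
        if line == "!" or line.startswith("interface "):
            break
        body.append(line)
    return body

def summarize(config):
    s = tunnel_stanza(config)
    def value(prefix):
        return next((l[len(prefix):] for l in s if l.startswith(prefix)), None)
    return {
        "mgre": "tunnel mode gre multipoint" in s,
        "destination": value("tunnel destination "),
        "redirect": "ip nhrp redirect" in s,
        "shortcut": "ip nhrp shortcut" in s,
        "nhrp authentication": value("ip nhrp authentication "),
        "tunnel key": value("tunnel key "),
    }

def classify(hub_cfg, spoke_cfgs):
    """Return 'phase1', 'phase2', 'phase3', 'mixed' or 'invalid'."""
    hub = summarize(hub_cfg)
    spokes = [summarize(c) for c in spoke_cfgs]
    if not hub["mgre"] or not spokes:
        return "invalid"                      # the hub is mGRE in every phase
    if all(not s["mgre"] and s["destination"] for s in spokes):
        return "phase1"                       # spokes are P2P GRE towards the hub
    if not all(s["mgre"] for s in spokes):
        return "mixed"                        # some spokes P2P GRE, some mGRE
    if hub["redirect"] and all(s["shortcut"] for s in spokes):
        return "phase3"
    if not hub["redirect"] and not any(s["shortcut"] for s in spokes):
        return "phase2"
    return "mixed"                            # redirect/shortcut set on one side only

def mismatches(hub_cfg, spokes):
    """spokes: {hostname: config}. Settings that must equal the hub's but do not."""
    hub = summarize(hub_cfg)
    out = []
    for name, cfg in spokes.items():
        s = summarize(cfg)
        for param in ("nhrp authentication", "tunnel key"):
            if s[param] != hub[param]:
                out.append((name, param, hub[param], s[param]))
    return out

# Constructed Tunnel100 stanzas, condensed from the configurations on this page
# and kept in the same flattened (unindented) form.
def stanza(*lines):
    return "\n".join(["interface Tunnel100", "ip nhrp authentication F4RM4NH@",
                      "ip nhrp network-id 100", *lines, "!"])

MGRE = ("tunnel mode gre multipoint", "tunnel key 100")
P1_HUB = stanza("tunnel mode gre multipoint")
P1_SPOKE = stanza("ip nhrp nhs 192.168.100.1", "tunnel destination 200.44.0.2")
P2_HUB = stanza("ip nhrp map multicast dynamic", *MGRE)
P2_SPOKE = stanza("ip nhrp nhs 192.168.100.1", *MGRE)
P3_HUB = stanza("ip nhrp map multicast dynamic", "ip nhrp redirect", *MGRE)
P3_SPOKE = stanza("ip nhrp nhs 192.168.100.1", "ip nhrp shortcut", *MGRE)
# Constructed fault: a spoke with a mistyped GRE key.
BAD_SPOKE = stanza("ip nhrp nhs 192.168.100.1", "ip nhrp shortcut",
                   "tunnel mode gre multipoint", "tunnel key 101")

if __name__ == "__main__":
    print(classify(P3_HUB, [P3_SPOKE, P3_SPOKE]))
    print(mismatches(P3_HUB, {"Spoke1": P3_SPOKE, "Spoke2": BAD_SPOKE}))
```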
Verification
Hub# show ip bgp summary
BGP router identifier 192.168.255.1, local AS number 65033
BGP table version is 8, main routing table version 8
4 network entries using 576 bytes of memory
4 path entries using 320 bytes of memory
3/3 BGP path/bestpath attribute entries using 456 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1352 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
*192.168.100.2 4 65033 11 12 8 0 0 00:05:44 1
*192.168.100.3 4 65033 11 14 8 0 0 00:05:44 1
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1
BGP peergroup SPOKES listen range group members:
192.168.100.0/24
Total dynamically created neighbors: 2/(33 max), Subnet ranges: 1
Hub# show ip bgp
BGP table version is 8, local router ID is 192.168.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.172.0.0/16 0.0.0.0 32768 i
s> 10.172.16.0/24 0.0.0.0 0 32768 i
s>i 10.172.17.0/24 192.168.100.2 0 100 0 i
s>i 10.172.18.0/24 192.168.100.3 0 100 0 i
Hub# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel100, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 201.248.192.2 192.168.100.2 UP 00:09:16 D
1 190.75.192.2 192.168.100.3 UP 00:09:01 D
Hub# show ip nhrp
192.168.100.2/32 via 192.168.100.2
Tunnel100 created 00:12:13, expire 01:47:46
Type: dynamic, Flags: unique registered used nhop
NBMA address: 201.248.192.2
192.168.100.3/32 via 192.168.100.3
Tunnel100 created 00:12:02, expire 01:48:01
Type: dynamic, Flags: unique registered used nhop
NBMA address: 190.75.192.2
Spoke2# show ip bgp summary
BGP router identifier 192.168.255.3, local AS number 65033
BGP table version is 3, main routing table version 3
2 network entries using 288 bytes of memory
2 path entries using 160 bytes of memory
2/2 BGP path/bestpath attribute entries using 304 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 752 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.100.1 4 65033 22 20 3 0 0 00:13:39 1
Spoke2# show ip bgp
BGP table version is 3, local router ID is 192.168.255.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*>i 10.172.0.0/16 192.168.100.1 0 100 0 i
*> 10.172.18.0/24 0.0.0.0 0 32768 i
Spoke2# traceroute 10.172.17.1 source 10.172.18.1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.20.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.100.2 3 msec * 2 msec
Spoke2# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel100, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 201.248.192.2 192.168.100.2 UP 00:08:28 DT1
192.168.100.2 UP 00:08:28 DT1
1 200.44.0.2 192.168.100.1 UP 00:17:00 S
Spoke2# show ip nhrp
10.172.17.0/24 via 192.168.100.2
Tunnel100 created 00:10:01, expire 01:49:58
Type: dynamic, Flags: router used rib
NBMA address: 201.248.192.2
10.172.18.0/24 via 192.168.100.3
Tunnel100 created 00:10:01, expire 01:49:58
Type: dynamic, Flags: router unique local
NBMA address: 190.75.192.2
(no-socket)
192.168.100.1/32 via 192.168.100.1
Tunnel100 created 00:25:31, never expire
Type: static, Flags: used
NBMA address: 200.44.0.2
192.168.100.2/32 via 192.168.100.2
Tunnel100 created 00:10:01, expire 01:49:58
Type: dynamic, Flags: router nhop rib
NBMA address: 201.248.192.2
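The `show ip nhrp` output above can be checked against an inventory, since the hub learns every spoke mapping dynamically. The following is an added example, not part of the original post: it parses the flattened output, reports registrations whose NBMA address is unexpected or whose tunnel address is unknown, and lists the shortcut routes a spoke has installed. The function names and the inventory are assumptions, as is the premise that spokes keep fixed NBMA addresses as in this lab.

```python
import re

# Constructed hub output in the flattened form shown above. The first entry is
# the one from this page; the other two are constructed (documentation-range
# NBMA addresses) to exercise the checks.
HUB_NHRP = """\
192.168.100.2/32 via 192.168.100.2
Tunnel100 created 00:12:13, expire 01:47:46
Type: dynamic, Flags: unique registered used nhop
NBMA address: 201.248.192.2
192.168.100.3/32 via 192.168.100.3
Tunnel100 created 00:00:41, expire 01:59:18
Type: dynamic, Flags: unique registered used nhop
NBMA address: 203.0.113.50
192.168.100.9/32 via 192.168.100.9
Tunnel100 created 00:00:12, expire 01:59:47
Type: dynamic, Flags: unique registered nhop
NBMA address: 198.51.100.7
"""

# Excerpt of the Spoke2 output above (Phase 3, after the shortcut was built).
SPOKE_NHRP = """\
10.172.17.0/24 via 192.168.100.2
Tunnel100 created 00:10:01, expire 01:49:58
Type: dynamic, Flags: router used rib
NBMA address: 201.248.192.2
10.172.18.0/24 via 192.168.100.3
Tunnel100 created 00:10:01, expire 01:49:58
Type: dynamic, Flags: router unique local
NBMA address: 190.75.192.2
(no-socket)
192.168.100.1/32 via 192.168.100.1
Tunnel100 created 00:25:31, never expire
Type: static, Flags: used
NBMA address: 200.44.0.2
"""

# Assumed inventory: tunnel address -> expected NBMA address (values from this page).
INVENTORY = {"192.168.100.2": "201.248.192.2", "192.168.100.3": "190.75.192.2"}

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+) via (\S+)$")
TYPE = re.compile(r"^Type: (\w+), Flags:\s*(.*)$")

def parse_nhrp(text):
    """Parse 'show ip nhrp' text into one dict per cache entry."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        head, kind = ENTRY.match(line), TYPE.match(line)
        if head:
            entries.append({"prefix": head[1], "via": head[2], "type": None,
                            "flags": [], "nbma": None})
        elif entries and kind:
            entries[-1]["type"], entries[-1]["flags"] = kind[1], kind[2].split()
        elif entries and line.startswith("NBMA address:"):
            entries[-1]["nbma"] = line.split(":", 1)[1].strip()
    return entries

def audit_registrations(entries, inventory):
    """Dynamic registrations that do not match the inventory."""
    findings = []
    for e in entries:
        if e["type"] != "dynamic" or "registered" not in e["flags"]:
            continue
        expected = inventory.get(e["via"])
        if expected is None:
            findings.append((e["via"], e["nbma"], "tunnel address not in inventory"))
        elif e["nbma"] != expected:
            findings.append((e["via"], e["nbma"], f"expected NBMA {expected}"))
    return findings

def shortcut_routes(entries):
    """Remote networks NHRP installed in the routing table (flag 'rib')."""
    return [(e["prefix"], e["via"], e["nbma"]) for e in entries
            if "rib" in e["flags"] and not e["prefix"].endswith("/32")]

if __name__ == "__main__":
    print(audit_registrations(parse_nhrp(HUB_NHRP), INVENTORY))
    print(shortcut_routes(parse_nhrp(SPOKE_NHRP)))
```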