BRKSEC-4052
Agenda
- DMVPN Overview
- NHRP Details
- Use Case: iBGP over DMVPN
- Recent and New Features
DMVPN Overview
- Remote peers with dynamically assigned transport addresses: spoke routers behind dynamic NAT, hub routers behind static NAT.
- Dynamic spoke-spoke tunnels for partial/full mesh scaling.
- Can be used without IPsec encryption.
- Works with MPLS: GRE tunnels and/or data packets in VRFs, and MPLS switching over the tunnels.
- Wide variety of network designs and options.
DMVPN: Example
- Static spoke-to-hub tunnels
- Dynamic spoke-to-spoke tunnels
[Figure: example topology with the hub LAN 192.168.0.0/24 (.1) and Spoke B's LAN 192.168.2.0/24 (.1); further spokes omitted]
NHRP Resolutions
- Dynamically resolve the spoke-to-spoke VPN-to-NBMA mapping to build spoke-spoke tunnels.
- Single tunnel hop across the NBMA network instead of multiple hops.
- NHRP Resolution requests/replies are sent via the hub-and-spoke control-plane path.
Routing
- Spokes are routing neighbors only with hubs, not with other spokes.
- Spokes advertise their local networks to the hubs.
Redundancy
Active-active redundancy model: two or more hubs per spoke.
- All configured hubs are active and are routing neighbors with the spoke.
- Routing protocol routes determine traffic forwarding:
  single route: one tunnel (hub) at a time, primary/backup mode;
  multiple routes: both tunnels (hubs), load-balancing mode.
ISAKMP/IPsec
- Cannot use IPsec stateful failover (NHRP isn't supported).
- ISAKMP invalid-SPI recovery is not useful with DMVPN.
- ISAKMP keepalives on spokes for timely hub recovery:
  crypto isakmp keepalive <initial> <retry>
Redundancy (cont)
- Spokes have at least two hubs (NHSs).
- Phase 1 (hub-and-spoke): p-pGRE interfaces, two DMVPN networks, one hub on each.
Network Designs
Hub-and-spoke: order(n)
- Spoke-to-spoke traffic goes via the hub.
- Phase 1: hub bandwidth and CPU are the limit; VPN SLB with many identical hubs raises the CPU limit.
Network Virtualization
- VRF-lite: multiple DMVPNs
- MPLS over DMVPN (2547oDMVPN): single DMVPN
BRKSEC-4052 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Network Designs
[Figures: spoke-to-spoke (Phase 2), hierarchical (Phase 3), VRF-lite, 2547oDMVPN]
Hub-and-Spoke
Functionality
GRE, NHRP and IPsec configuration
- p-pGRE or mGRE on spokes; mGRE on hubs
- ISAKMP authentication: certificate, or (pairwise/wildcard) pre-shared key
NHRP Registration
- Static NHRP mapping for the hub on the spoke; dynamically learned NHRP mapping for the spoke on the hub
- Dynamically addressed spokes (DHCP, NAT, ...)
NAT support [figure]
Path Selection
- NHRP will always build the spoke-spoke tunnel.
- No latency or performance measurement of spoke-spoke vs. spoke-hub-spoke paths.
Network Virtualization
- IGP used as the routing protocol outside of and over the DMVPNs on spokes and hubs.
- Address family per VRF; routing neighbor per spoke per VRF.
Network Virtualization
MPLS configuration
- Hub and spoke routers are MPLS PEs.
- Multiple hub routers for redundancy and load.
- IGP is used for routing outside the DMVPN network; BGP is the routing protocol over the DMVPN.
- Redistribute between IGP and BGP for transport over the DMVPN.
- Import/export of routes between the VRFs and the Internet VRF; the Internet VRF is used for Internet access and for routing between VRFs.
- Routing neighbor per spoke.
NHRP Details
Agenda
- DMVPN Overview
- NHRP Details
  - NHRP Overview
  - NHRP Registrations
  - NHRP Resolutions/Redirects: Phase 2, Phase 3
Resolution: get the mapping to build dynamic spoke-spoke tunnels
Purge: clear out stale dynamic NHRP mappings
Error: signal error conditions
NHRP Authentication: Authentication Extension
Dynamic entries
- Registered (/32): from NHRP Registration; with NAT, records both the inside and outside NAT address.
- Learned (/32 or /<x>): from NHRP Resolution; with NAT, records both the inside and outside NAT address.
(no-socket) entries
- Not used to forward data packets; do not trigger IPsec encryption.
NHRP mapping table examples (NAT, Resolution, Incomplete, Temporary and Local/no-socket entries):

192.168.23.0/24 via 10.0.0.19, Tunnel0 created 00:00:11, expire 00:05:48
  Type: dynamic, Flags: router used
  NBMA address: 172.16.3.1
10.0.0.45/32, Tunnel0 created 00:00:21, expire 00:02:43
  Type: incomplete, Flags: negative
  Cache hits: 2
10.0.0.17/32 via 10.0.2.17, Tunnel0 created 00:00:09, expire 00:02:55
  Type: dynamic, Flags: used temporary
  NBMA address: 172.17.0.9
192.168.15.0/24 via 10.0.0.11, Tunnel0 created 00:05:39, expire 00:05:50
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.1.1
   (no-socket)
NHRP mapping flags
- registered, authoritative
- used, router, implicit, local, nat
  (added 12.4(6)T, removed 12.4(15)T)
- rib (12.2(33)XNE, ASR1k)
- nho (12.2(33)XNE, ASR1k)
NHRP Registration
Builds the base hub-and-spoke network:
- Hub-and-spoke data traffic
- Control traffic: NHRP, routing protocol, IP multicast
- Phase 2: single-level hub-and-spoke; Phase 3: hierarchical hub-and-spoke (tree)
- The Next Hop Client (NHC) has a static mapping for the Next Hop Servers (NHSs); the NHC dynamically registers its own mapping with the NHS
- Supports spokes with dynamic NBMA addresses or NAT; supplies the outside NAT address of the hub
- NHRP-group for per-tunnel QoS (12.4(22)T)
NHRP Registration: Building Spoke-Hub Tunnels
[Sequence diagram: Host1, Spoke1, Hub, Spoke2, Host2; IKE initialization, then IKE/IPsec established and traffic encrypted on each spoke-hub tunnel]
NHRP Registration: Building Spoke-Hub Tunnels
[Figure: Hub with physical address 172.17.0.1, Tunnel0 10.0.0.1 and LAN 192.168.0.1/24; Spoke A with LAN 192.168.1.1/24; Spoke B with LAN 192.168.2.1/24. Spoke NHRP mapping: 10.0.0.1 -> 172.17.0.1. Spoke B routing table: 192.168.2.0/24 connected. Legend: dynamic permanent IPsec tunnels]
NHRP Registration contains
- The spoke's VPN-to-NBMA mapping; the hub's VPN-to-NBMA mapping as responder
- Extension headers: Responder Address, Forward and Reverse Transit NHS, Authentication, NAT

NHRP: Send Registration Reply via Tunnel0 vrf 0, src: 10.0.0.1, dst: 10.0.0.11
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "unique nat", src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 10.0.0.1
 (C-1) code: no error(0), prefix: 255, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
  (C) prefix: 0, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT Address Extension(9):
  (C-1) prefix: 32, client NBMA: 172.17.0.1, client protocol: 10.0.0.1
Hub
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:11:03, expire 00:04:52
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.1.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 01:03:31, expire 00:05:46
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.2.1
...

Spoke A
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:03:37, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1

Spoke B
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:02:21, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1
[Sequence diagram: after IKE initialization and IKE/IPsec establishment, routing adjacencies form between each spoke and the hub and routing updates are exchanged over the encrypted tunnels]
[Figure: NHRP mapping and routing table state after registration; Hub physical 172.17.0.1 / Tunnel0 10.0.0.1, Spoke A LAN 192.168.1.1/24, Spoke B LAN 192.168.2.1/24]
Hub-and-Spoke
Data Packet Forwarding
Process switching
- The routing table selects the outgoing interface and IP next-hop; NHRP then looks up the packet's IP destination to select the IP next-hop, overriding the next-hop from the routing table.
- Could attempt to trigger a spoke-spoke tunnel:
  tunnel destination: can only send to the hub
  ip nhrp server-only: don't send NHRP resolution requests
CEF switching
- The IP next-hop comes from the FIB table (routing table).
- The IP next-hop is the hub: data packets are sent to the hub.
NHRP Resolutions/Redirects: Phase 2
If no entry is found
- Forward to the IP next-hop (if in the NHRP table), otherwise to the NHS.
- If the arriving interface was not the tunnel interface, initiate an NHRP Resolution Request for the IP destination.
Phase 2 CEF-switching
Triggering NHRP Resolutions
- For the network behind the remote spoke, the CEF FIB table has the tunnel IP address of the remote spoke as IP next-hop.
- Triggered when the IP next-hop from the FIB points to a glean or incomplete adjacency entry (no valid adjacency entry).
- Send a resolution request for the IP next-hop (tunnel IP address) of the remote spoke.
- The resolution request is forwarded via the NHS path.
Phase 2
NHRP Resolution process changes
When: 12.4(6)T, 12.4(7), 12.2(33)XNE and later (not on 6500/7600 yet)
Why: to support spoke-spoke tunnels when spokes are behind NAT
How: registered NHRP mappings on the hub are not marked authoritative
Effect:
- The resolution request is forwarded via the NHS path all the way to the remote spoke.
- The resolution request is answered by the remote spoke.
- The spoke-spoke tunnel is built.
- The resolution reply is forwarded back via the spoke-spoke tunnel.
Phase 2: NHRP Resolution Request
[Sequence diagram: Host1, Spoke1, Hubs, Spoke2, Host2; the data packet and the NHRP Resolution Request are forwarded via the hubs]
[Figure: state before the resolution completes. Hub: physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24. Spoke A (LAN 192.168.1.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.12 -> ???; CEF FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 connected, 192.168.2.0/24 via 10.0.0.12; CEF adjacency 10.0.0.1 -> 172.17.0.1, 10.0.0.12 incomplete. Spoke B (LAN 192.168.2.1/24): NHRP mapping 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.11 -> 172.16.1.1; CEF FIB 192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 via 10.0.0.11, 192.168.2.0/24 connected; CEF adjacency 10.0.0.1 -> 172.17.0.1, 10.0.0.11 incomplete]
Phase 2: NHRP Resolution Request Message

As sent:
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
 src: 10.0.0.11, dst: 10.0.0.1
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 164
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 10.0.0.12
 (C-1) code: no error(0)
       prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT address Extension(9):

As received:
NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104
 (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 164
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 10.0.0.12
 (C-1) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
  client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT address Extension(9):
Phase 2: NHRP Resolution Reply
[Sequence diagram: Host1, Spoke1, Hubs, Spoke2, Host2; the reply is returned over the new, encrypted spoke-spoke tunnel]
[Figure: state after the reply. Spoke A: NHRP mapping 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.12 -> 172.16.2.1 (was ???); CEF FIB unchanged (192.168.0.0/24 via 10.0.0.1, 192.168.1.0/24 connected, 192.168.2.0/24 via 10.0.0.12); CEF adjacency 10.0.0.1 -> 172.17.0.1, 10.0.0.12 -> 172.16.2.1 (was incomplete). Spoke B: NHRP mapping 10.0.0.1 -> 172.17.0.1 (*), 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1 (l); CEF FIB unchanged; CEF adjacency 10.0.0.1 -> 172.17.0.1, 10.0.0.11 -> 172.16.1.1 (was incomplete)]
Phase 2
NHRP Resolution Reply Message
- Look up the protocol destination in the routing table: directly connected.
- Create an NHRP local mapping entry for the protocol destination address, with mask length 32, to the NBMA address.
- Create the NHRP Resolution Response with the protocol destination, the NBMA address and mask length 32.
- Delay the Resolution Response so that it is sent via the direct spoke-spoke tunnel.

NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 152
 src: 10.0.0.12, dst: 10.0.0.11
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 164
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 10.0.0.12
 (C-1) code: no error(0), prefix: 32, mtu: 1514, hd_time: 360
       client NBMA: 172.16.2.1, client protocol: 10.0.0.12
 Responder Address Extension(3):
  (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
      client NBMA: 172.16.2.1, client protocol: 10.0.0.12
 Forward Transit NHS Record Extension(4):
  client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT address Extension(9):
Phase 2
NHRP Resolution Response Processing
Receive the NHRP Resolution Reply.
- If using IPsec (tunnel protection ...):
  trigger IPsec to set up the ISAKMP and IPsec SAs for the tunnel;
  data packets are still forwarded via the spoke-hub-hub-spoke path;
  IPsec triggers back to NHRP when done.
- Install the new mapping in the NHRP mapping table; send a trigger to CEF to complete the corresponding CEF adjacency.
- Data packets are now forwarded via the direct spoke-spoke tunnel by CEF; NHRP is no longer involved.
Phase 2
NHRP Mapping Tables
Hub1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 01:03:38, expire 00:04:18
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.1.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 01:02:15, expire 00:05:44
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.2.1

Spoke A
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:53:25, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:10, expire 00:05:50
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.1.1
   (no-socket)
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:10, expire 00:05:49
  Type: dynamic, Flags: router used
  NBMA address: 172.16.2.1

Spoke B
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:56:12, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:11, expire 00:05:49
  Type: dynamic, Flags: router used
  NBMA address: 172.16.1.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:11, expire 00:05:48
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.2.1
   (no-socket)
CEF-switching
- If the expire time is < 120 seconds, the CEF adjacency entry is marked stale.
- If the CEF adjacency entry is used, signal NHRP to refresh the entry.
Phase 3
Building Spoke-spoke Tunnels
Originating spoke: the IP data packet is forwarded out the tunnel interface to the destination via the hub (NHS).
Hub (NHS): receives and forwards the data packet on tunnel interfaces with the same NHRP network-id; sends an NHRP Redirect message to the originating spoke.
Originating spoke: receives the NHRP Redirect message; sends an NHRP Resolution Request for the data IP packet destination via the NHS.
Destination spoke: receives the NHRP Resolution Request; builds the spoke-spoke tunnel; sends the NHRP Resolution Reply over the spoke-spoke tunnel.
Phase 3: NHRP Redirects
[Sequence diagram: Host1, Spoke1, Hubs, Spoke2, Host2; the hub forwards the data packet and returns an NHRP Redirect to Spoke1]
[Figure: Hub: physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24; hub NHRP mapping 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1. Spoke A: physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24; NHRP mapping 10.0.0.1 -> 172.17.0.1, 192.168.2.1 -> ???; CEF FIB 192.168.1.0/24 connected, 192.168.0.0/16 via 10.0.0.1; CEF adjacency 10.0.0.1 -> 172.17.0.1. Spoke B: LAN 192.168.2.1/24]
Phase 3
NHRP Redirect Message
NHRP: inserting (172.16.1.1/192.168.2.1) in redirect table
NHRP: Attempting to send packet via DEST 192.168.1.1
NHRP: Encapsulation succeeded. Tunnel IP addr 172.16.1.1
NHRP: Send Traffic Indication via Tunnel0 vrf 0, packet size: 96
 src: 10.0.0.1, dst: 192.168.1.1
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) traffic code: redirect(0)
     src NBMA: 172.17.0.1
     src protocol: 10.0.0.1, dst protocol: 192.168.1.1
 Contents of nhrp traffic indication packet:
  45 00 00 64 00 19 00 00 FD 01 25 2D C0 A8 01 01
  C0 A8 02 01 08 00 A8 E3 0B 78 0C
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT Address Extension(9):
Phase 3
NHRP Redirect Processing
Sender (hub)
- Insert (GRE IP header source, packet destination IP address) in the NHRP redirect table, which is used to rate-limit NHRP redirect messages.
- Send the NHRP redirect to the GRE/IP header source.
- Time out rate-limit entries from the NHRP redirect table.
Receiver (spoke)
- Check the data IP source address from the data IP header carried in the redirect.
- If routing to that IP source is out a GRE tunnel interface with the same NHRP network-id: drop the redirect.
- If it is out another interface, the IP destination is permitted by ip nhrp interest <ACL> and ip nhrp shortcut is configured: trigger an NHRP resolution request to the IP destination.
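An added example, not Cisco's implementation: a Python model of the sender and receiver rules above. The sender keeps the (GRE source, data destination) rate-limit table; the receiver pulls the data source and destination out of the IP header that the Traffic Indication carries (the slide's 192.168.1.1 -> 192.168.2.1 dump) and applies the same-network-id, ip nhrp interest and ip nhrp shortcut checks. The rate-limit interval, the route tables, the interface names and the interest ACL are assumptions.

```python
"""Phase 3 NHRP redirect handling as described on these slides, modelled
in Python. Added example, not Cisco's implementation: the redirect
rate-limit interval, the spoke route tables, the interface names and the
interest ACL below are assumptions; the embedded IP header is the one
printed in the slide's Traffic Indication dump."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Data-packet header carried inside the Traffic Indication on the slide
# (192.168.1.1 -> 192.168.2.1, ICMP echo).
TRAFFIC_INDICATION_PAYLOAD = bytes.fromhex(
    "45 00 00 64 00 19 00 00 FD 01 25 2D C0 A8 01 01 "
    "C0 A8 02 01 08 00 A8 E3 0B 78 0C")


def data_addresses(payload: bytes) -> Tuple[str, str]:
    """(source, destination) of the data packet from its IPv4 header."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (str(ipaddress.IPv4Address(payload[12:16])),
            str(ipaddress.IPv4Address(payload[16:20])))


class RedirectSender:
    """Hub side: one redirect per (GRE source, data destination) per
    INTERVAL seconds; entries time out of the table afterwards."""
    INTERVAL = 10.0  # assumed value; the real IOS timer is not on the slides

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str], float] = {}

    def on_forward(self, in_nwid: int, out_nwid: int, gre_src: str,
                   data_dst: str, now: float) -> bool:
        """Called as the hub forwards a data packet between tunnel
        interfaces; returns True when a redirect should be sent."""
        if in_nwid != out_nwid:
            return False            # not hairpinned inside one DMVPN cloud
        self.table = {k: t for k, t in self.table.items()
                      if now - t < self.INTERVAL}   # time out old entries
        key = (gre_src, data_dst)
        if key in self.table:
            return False            # rate-limited: already redirected
        self.table[key] = now
        return True


class RedirectReceiver:
    """Spoke side: decide whether a received redirect triggers a
    resolution request."""

    def __init__(self, routes: List[Tuple[str, str]],
                 interface_nwid: Dict[str, int], tunnel_nwid: int,
                 interest: List[str], shortcut: bool) -> None:
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.interface_nwid = interface_nwid   # tunnel -> nhrp network-id
        self.tunnel_nwid = tunnel_nwid         # network-id of this tunnel
        self.interest = [ipaddress.ip_network(p) for p in interest]
        self.shortcut = shortcut

    def egress(self, addr: str) -> Optional[str]:
        """Longest-prefix match: outgoing interface for addr."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, intf in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, intf)
        return best[1] if best else None

    def on_redirect(self, payload: bytes) -> str:
        src, dst = data_addresses(payload)
        out_if = self.egress(src)
        if out_if is None:
            return "drop: no route to data source"
        if self.interface_nwid.get(out_if) == self.tunnel_nwid:
            return "drop: source reached via a tunnel with the same network-id"
        if not self.shortcut:
            return "ignore: ip nhrp shortcut not configured"
        if not any(ipaddress.ip_address(dst) in n for n in self.interest):
            return "ignore: destination not permitted by ip nhrp interest"
        return "resolve " + dst
```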
Phase 3: NHRP Resolution Request
[Sequence diagram: Host1, Spoke1, Hubs, Spoke2, Host2; Spoke1 sends the NHRP Resolution Request via the hubs]
[Figure: same state as in the redirect figure. Spoke A NHRP mapping 10.0.0.1 -> 172.17.0.1, 192.168.2.1 -> ???; CEF FIB 192.168.1.0/24 connected, 192.168.0.0/16 via 10.0.0.1; CEF adjacency 10.0.0.1 -> 172.17.0.1]
Phase 3
NHRP Resolution Request Message
As sent:
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
 src: 10.0.0.11, dst: 192.168.2.1
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 10599
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 192.168.2.1
 (C-1) code: no error(0)
       prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT address Extension(9):

As received:
NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104
 (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 10599
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 192.168.2.1
 (C-1) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
  client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT address Extension(9):
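An added example, not Cisco code: a small Python parser for the debug nhrp packet format shown in the Phase 2 and Phase 3 request dumps, which compares the as-sent and as-received copies of one request to show what the transit hub changed (hop count, packet size, Forward Transit NHS record) and notes that the Authentication Extension travels in the clear. The two dumps are the Phase 3 request from this slide, re-wrapped one field group per line; the extension names are the ones IOS prints on the slides.

```python
"""Parse IOS 'debug nhrp packet' dumps (the format on these slides) and
compare an NHRP Resolution Request as sent by the spoke with the copy the
far spoke received. Added example, not Cisco code; the dumps are the
Phase 3 request from the slide, re-wrapped one field group per line."""
import re
from typing import Dict

SENT = """\
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
 src: 10.0.0.11, dst: 192.168.2.1
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 10599
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 192.168.2.1
 (C-1) code: no error(0)
       prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT address Extension(9):
"""

RCVD = """\
NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 104
 (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 10599
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 192.168.2.1
 (C-1) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
  client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT address Extension(9):
"""

# Extension names exactly as IOS prints them on the slides.
EXT_NAMES = ("Responder Address", "Forward Transit NHS Record",
             "Reverse Transit NHS Record", "Authentication", "NAT [Aa]ddress")
EXT = re.compile(r"((?:%s) Extension)\((\d+)\):" % "|".join(EXT_NAMES))
RECORD = re.compile(r"client NBMA: (\S+), client protocol: (\S+)")
INT_FIELDS = {"hop": r"hop: (\d+)", "reqid": r"reqid: (\d+)",
              "prefix": r"prefix: (\d+)", "hd_time": r"hd_time: (\d+)"}


def parse_debug(text: str) -> Dict:
    """Header fields, mandatory-part addresses and extensions of one NHRP
    packet dump. Works on the flattened text, so the line wrapping IOS
    (or a slide) uses does not matter."""
    flat = " ".join(text.split())
    head = re.match(
        r"NHRP: (Send|Receive) (.+?) via (\S+) .*?packet size: (\d+)", flat)
    if not head:
        raise ValueError("not an NHRP packet dump")
    pkt: Dict = {"direction": head.group(1), "type": head.group(2),
                 "interface": head.group(3), "size": int(head.group(4))}
    for key, pat in INT_FIELDS.items():
        found = re.search(pat, flat)
        pkt[key] = int(found.group(1)) if found else None
    fl = re.search(r'flags: "([^"]*)"', flat)
    pkt["flags"] = fl.group(1).split() if fl else []
    for key in ("src NBMA", "src protocol", "dst protocol"):
        found = re.search(key + r": (\S+?),?(?: |$)", flat)
        pkt[key] = found.group(1) if found else None
    # Slice the text between consecutive extension headers.
    exts: Dict[str, str] = {}
    hits = list(EXT.finditer(flat))
    for i, em in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        exts[em.group(1)] = flat[em.end():end].strip()
    pkt["transit_nhs"] = RECORD.findall(
        exts.get("Forward Transit NHS Record Extension", ""))
    auth = re.search(r"type:(\w+)", exts.get("Authentication Extension", ""))
    pkt["auth_type"] = auth.group(1) if auth else None
    return pkt


def transit_report(sent: Dict, rcvd: Dict) -> Dict:
    """What changed between the spoke's copy and the far spoke's copy."""
    return {
        "same_request": (sent["reqid"] == rcvd["reqid"]
                         and sent["dst protocol"] == rcvd["dst protocol"]),
        "hops_traversed": sent["hop"] - rcvd["hop"],
        # each transit NHS appends one record (20 bytes on the slide)
        "bytes_added": rcvd["size"] - sent["size"],
        "transit_nhs": rcvd["transit_nhs"],
        # the Authentication Extension is carried in cleartext
        "cleartext_auth": rcvd["auth_type"] == "Cleartext",
    }
```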
Phase 3
NHRP Resolution Processing
- The spoke (NHC) routing table has the hub (NHS) as IP next-hop for the networks behind the remote spoke. (If the routing table has the IP next-hop of the remote spoke instead, process as in Phase 2.)
- Send a resolution request for the IP destination taken from the data packet header in the redirect message.
- Resolution requests are forwarded via the routed path; resolution replies are forwarded over the direct tunnel.
- The direct tunnel is initiated from the remote spoke.
- NHRP forwards data packets over the direct tunnel once the resolution reply is received.
Phase 3: NHRP Resolution Reply
[Sequence diagram: Host1, Spoke1, Hubs, Spoke2, Host2; the reply returns over the direct spoke-spoke tunnel]
[Figure: state after the reply. Spoke A NHRP mapping: 10.0.0.1 -> 172.17.0.1, 192.168.2.0/24 -> 172.16.2.1 (replacing 192.168.2.1 -> ???); CEF FIB 192.168.1.0/24 connected, 192.168.0.0/16 via 10.0.0.1; CEF adjacency 10.0.0.1 -> 172.17.0.1 and 172.16.2.1 added]
Phase 3
NHRP Resolution Reply Message
- Look up the protocol destination in the routing table for the matching network, subnet mask and IP next-hop.
- Create an NHRP local mapping entry for the protocol destination network, with its mask length, to the NBMA address.
- Create the NHRP Resolution Response with the protocol destination, the NBMA address and the mask length.
- Delay the Resolution Response so that it is sent via the direct spoke-spoke tunnel.

NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 132
 src: 10.0.0.12, dst: 10.0.0.11
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 10599
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 192.168.2.1
 (C-1) code: no error(0), prefix: 24, mtu: 1514, hd_time: 360
       client NBMA: 172.16.2.1, client protocol: 10.0.0.12
 Responder Address Extension(3):
  (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
      client NBMA: 172.16.2.1, client protocol: 10.0.0.12
 Forward Transit NHS Record Extension(4):
  client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
  type:Cleartext(1), data:test
 NAT address Extension(9):
Phase 3
NHRP Mapping Tables
Spoke A
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:03:37, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:06, expire 00:05:54
  Type: dynamic, Flags: router implicit used
  NBMA address: 172.16.2.1
192.168.1.0/24 via 10.0.0.11, Tunnel0 created 00:00:06, expire 00:05:54
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.1.1
   (no-socket)
192.168.2.0/24 via 10.0.0.12, Tunnel0 created 00:00:06, expire 00:05:53
  Type: dynamic, Flags: router
  NBMA address: 172.16.2.1

Spoke B
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:04:46, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:13, expire 00:05:46
  Type: dynamic, Flags: router implicit used
  NBMA address: 172.16.1.1
192.168.1.0/24 via 10.0.0.11, Tunnel0 created 00:00:11, expire 00:05:48
  Type: dynamic, Flags: router
  NBMA address: 172.16.1.1
192.168.2.0/24 via 10.0.0.12, Tunnel0 created 00:00:13, expire 00:05:46
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.2.1
   (no-socket)
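An added example, not from the slides or from Cisco: a Python parser for the show ip nhrp mapping-table format used in the tables above, applying two rules the slides state: entries marked (no-socket) are never used to forward data, and an entry whose expire time has dropped under 120 seconds is the one CEF marks stale (the Phase 2 CEF-switching slide). The sample table is constructed from entries that appear on these slides.

```python
"""Parse the 'show ip nhrp' mapping-table format shown on these slides
and apply two of the slides' rules: entries marked (no-socket) are never
used to forward data, and an entry whose expire time is under 120 s is
the one CEF marks stale. Added example, not Cisco code; the sample
table below is constructed from entries that appear on the slides."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

SAMPLE = """\
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:53:25, never expire
  Type: static, Flags: used
  NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 01:03:38, expire 00:04:18
  Type: dynamic, Flags: unique registered
  NBMA address: 172.16.1.1
10.0.0.45/32, Tunnel0 created 00:00:21, expire 00:01:43
  Type: incomplete, Flags: negative
  Cache hits: 2
192.168.2.0/24 via 10.0.0.12, Tunnel0 created 00:00:13, expire 00:05:46
  Type: dynamic, Flags: router unique local
  NBMA address: 172.16.2.1
   (no-socket)
"""

# First line of every entry: prefix [via next-hop], interface, timers.
HEADER = re.compile(
    r"^(?P<prefix>\S+)(?: via (?P<via>\S+))?, (?P<intf>\S+) created "
    r"(?P<created>\S+), (?:expire (?P<expire>\d\d:\d\d:\d\d)|never expire)$")


@dataclass
class NhrpEntry:
    prefix: str
    via: Optional[str]
    interface: str
    expire: Optional[int]            # seconds left; None = never expires
    type: str = ""
    flags: Set[str] = field(default_factory=set)
    nbma: Optional[str] = None
    no_socket: bool = False


def _seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_nhrp(output: str) -> List[NhrpEntry]:
    entries: List[NhrpEntry] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            exp = m.group("expire")
            entries.append(NhrpEntry(m.group("prefix"), m.group("via"),
                                     m.group("intf"),
                                     _seconds(exp) if exp else None))
            continue
        if not entries:
            continue                 # text before the first entry
        cur = entries[-1]
        if line.startswith("Type:"):
            typ, _, flags = line.partition(", Flags:")
            cur.type = typ.split(":", 1)[1].strip()
            cur.flags = set(flags.split())
        elif line.startswith("NBMA address:"):
            cur.nbma = line.split(":", 1)[1].strip()
        elif line == "(no-socket)":
            cur.no_socket = True
    return entries


def data_forwarding(entries: List[NhrpEntry]) -> List[NhrpEntry]:
    """Entries that can carry data: complete, with an NBMA address and a
    socket. Local (no-socket) and incomplete entries are excluded."""
    return [e for e in entries
            if e.type != "incomplete" and e.nbma and not e.no_socket]


def stale_for_cef(entries: List[NhrpEntry], threshold: int = 120) -> List[NhrpEntry]:
    """Entries whose CEF adjacency would be marked stale (expire < 120 s);
    use of such an adjacency makes CEF ask NHRP to refresh the entry."""
    return [e for e in entries
            if e.expire is not None and e.expire < threshold]
```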
CEF-switching
  Glean or incomplete adjacency: punt to process switching.
  Valid adjacency: select the adjacency for the packet.
2. NHRP in the CEF feature path: look up the packet IP destination in the NHRP mapping table.
  Matching entry: reselect the adjacency, use the direct spoke-spoke tunnel.
  No matching entry: leave the CEF adjacency, the packet goes to the hub.
  If the packet arrived on and is forwarded out the same tunnel interface:
    forward the data packet; if ip nhrp redirect is on the inbound tunnel, send an NHRP redirect.
NHRP routes, EIGRP routes and next-hop-override (NHO) entries

Routing entry for 192.168.11.0/24
  Known via "nhrp", distance 250, metric 1
  Last update from 10.0.1.11 00:05:29 ago
  Routing Descriptor Blocks:
  * 10.0.1.11, from 10.0.1.11, 00:05:29 ago
      Route metric is 1, traffic share count is 1

Routing entry for 192.168.128.0/24
  Known via "eigrp 1", distance 90, metric 3200000, type internal
  Redistributing via eigrp 1
  Last update from 10.0.2.16 on Tunnel0, 00:43:44 ago
  Routing Descriptor Blocks:
  * 10.0.2.16, from 10.0.2.16, 00:43:44 ago, via Tunnel0
      Route metric is 3200000, traffic share count is 1
    [NHO]10.0.0.1, from 10.0.0.1, 00:05:57 ago, via Tunnel0
      Route metric is 1, traffic share count is 1
Refreshing entries
- Send another Resolution Request and Reply.
- The Resolution Request/Reply are sent over the direct tunnel.
Use Case: iBGP over DMVPN
[Figure: underlay topology. Internet running BGP 2; hub-side links 172.17.0.0/30 (.1/.2) and 172.17.0.4/30 (.5/.6); Spoke1 on 172.16.1.1/30 with LAN 192.168.1.0/24 and RS1 (192.168.11.0/24) behind it; Spoke2 on 172.16.2.1/30 with LAN 192.168.2.0/24 and RS2 (192.168.12.0/24); Spoke3 on 172.16.3.1/30 with LAN 192.168.3.0/24 and RS3 (192.168.13.0/24); 172.16.4.1/30 and 192.168.14.0/24 for the fourth spoke site]
[Figure: overlay topology. DMVPN 10.0.0.0/24 running BGP 1 on the hubs (.1, .2) and on Spoke1 (.11) through Spoke4 (.14); hub LAN 192.168.10.0/24 toward the Internet (BGP 2); spoke LANs 192.168.1.0/24 to 192.168.4.0/24 with the route-server networks 192.168.11.0/24 to 192.168.14.0/24 behind them]
Hubs (interface Tunnel0, beginning truncated):
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.(x) 172.17.0.(y)
 ip nhrp map multicast 172.17.0.(y)
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.(w) 255.255.255.0
!
interface Serial2/0
 ip address 172.17.0.(z) 255.255.255.252

Spokes:
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.(x) 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.(y).1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.(y).1 255.255.255.252
Spokes: route-reflector clients
Both:
- Set next-hop to self/peer (DMVPN Phase 3).
- Use the same BGP AS over the DMVPN on all nodes.
- Dynamic neighbors, route reflection.
[BGP configuration (figure); annotations: Dynamic Neighbors, Next-hop setting, Change MED, Route Filtering]
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
!
route-map ISP-IN permit 10
 set community 1:10
route-map ISP-OUT permit 10
 match community 10
route-map DMVPN-OUT permit 10
 match community 11
route-map BGP2IGP permit 10
 match community 11
 set tag 225
route-map IGP2BGP deny 10
 match tag 225
route-map IGP2BGP permit 20
[BGP configuration (figures); annotations: Neighbors, Next-hop setting, BGP/IGP, Route Filtering]
Spoke1, 2
 ...
 B  172.16.2.0/30 [20/0] via 172.16.1.2
 B  172.16.1.0/30 [20/0] via 172.16.2.2
 C  172.16.2.0/30 is directly connected, Serial1/0
 L  172.16.2.1/32 is directly connected, Serial1/0
 B  172.16.3.0/30 [20/0] via 172.16.(1,2).2
 B  172.16.4.0/30 [20/0] via 172.16.(1,2).2
 B  172.17.0.0 [20/0] via 172.16.(1,2).2
 B  172.17.0.4 [20/0] via 172.16.(1,2).2
 ...

Hub1, 2
 ...
 B  172.16.1.0 [20/0] via 172.17.0.(2,6)
 B  172.16.2.0 [20/0] via 172.17.0.(2,6)
 B  172.16.3.0 [20/0] via 172.17.0.(2,6)
 B  172.16.4.0 [20/0] via 172.17.0.(2,6)
 C  172.17.0.0/30 is directly connected, Serial2/0
 L  172.17.0.1/32 is directly connected, Serial2/0
 B  172.17.0.4/30 [20/0] via 172.17.0.2
 B  172.17.0.0/30 [20/0] via 172.17.0.6
 C  172.17.0.4/30 is directly connected, Serial2/0
 L  172.17.0.5/32 is directly connected, Serial2/0
 ...

RS(x), R2
 ... (NO ISP ROUTES!) ...
Hub2
#show ip route
 B  192.168.10.0/24 [160/0] via 192.168.0.3
 B  192.168.11.0/24 [160/307200] via 10.0.0.11
                    [160/307200] via 10.0.0.1
 B  192.168.12.0/24 [160/0] via 10.0.0.12
                    [160/0] via 10.0.0.1
 B  192.168.13.0/24 [160/20] via 10.0.0.13
                    [160/20] via 10.0.0.1
 B  192.168.14.0/24 [160/307200] via 10.0.0.14
                    [160/307200] via 10.0.0.1

# show ip bgp
        Network        Next Hop      Metric LocPrf       Weight Path
 *> i   192.168.10.0   192.168.0.3   0 100               0      i
 *m * i 192.168.11.0   10.0.0.2      317200 307200 100   0      ?
 *> i                  10.0.0.11     307200 100          0      ?
 *> i   192.168.12.0   10.0.0.12     0 100               0      i
 * *m i                10.0.0.2      10000 100 0         0      i
 * *m i 192.168.13.0   10.0.0.2      10020 100 20        0      ?
 *> i                  10.0.0.13     20 100              0      ?
 *> i   192.168.14.0   10.0.0.14     307200 100          0      ?
 * *m i                10.0.0.2      317200 307200 100   0      ?

# show ip bgp
        Network        Next Hop      Metric LocPrf       Weight Path
 *> i   192.168.10.0   192.168.0.3   0 100               0      i
 *> i   192.168.11.0   10.0.0.11     307200 100          0      ?
 * *m i                10.0.0.1      317200 307200 100   0      ?
 * *m i 192.168.12.0   10.0.0.1      10000 100 0         0      i
 *> i                  10.0.0.12     0 100               0      i
 * *m i 192.168.13.0   10.0.0.1      10020 100 20        0      ?
 *> i                  10.0.0.13     20 100              0      ?
 * *m i 192.168.14.0   10.0.0.1      317200 307200 100   0      ?
 *> i                  10.0.0.14     307200 100          0      ?
Spoke2
#show ip route
 B  192.168.10.0/24 [160/0] via 10.0.0.2
                    [160/0] via 10.0.0.1
 B  192.168.11.0/24 [160/307200] via 10.0.0.2
                    [160/307200] via 10.0.0.1
 B  192.168.12.0/24 [160/0] via 192.168.2.2
 B  192.168.13.0/24 [160/20] via 10.0.0.2
                    [160/20] via 10.0.0.1
 B  192.168.14.0/24 [160/307200] via 10.0.0.2
                    [160/307200] via 10.0.0.1

# show ip bgp
      Network        Next Hop      Metric   LocPrf  Weight Path
 *m i 192.168.10.0   10.0.0.2      0        100     0      i
 *> i                10.0.0.1      0        100     0      i
 *>   192.168.11.0   192.168.1.2   307200           32768  ?
 *m i 192.168.12.0   10.0.0.2      0        100     0      i
 *> i                10.0.0.1      0        100     0      i
 *m i 192.168.13.0   10.0.0.2      20       100     0      ?
 *> i                10.0.0.1      20       100     0      ?
 *m i 192.168.14.0   10.0.0.2      307200   100     0      ?
 *> i                10.0.0.1      307200   100     0      ?

# show ip bgp
      Network        Next Hop      Metric   LocPrf  Weight Path
 *> i 192.168.10.0   10.0.0.1      0        100     0      i
 *m i                10.0.0.2      0        100     0      i
 *m i 192.168.11.0   10.0.0.2      307200   100     0      ?
 *> i                10.0.0.1      307200   100     0      ?
 *> i 192.168.12.0   192.168.2.2   0        100     0      i
 *> i 192.168.13.0   10.0.0.1      20       100     0      ?
 *m i                10.0.0.2      20       100     0      ?
 *> i 192.168.14.0   10.0.0.1      307200   100     0      ?
 *m i                10.0.0.2      307200   100     0      ?
RS1
#show ip route
 D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1
 C    192.168.11.0/24 is directly connected, Ethernet1/0
 D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1
 D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1
 D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1

RS2
#show ip route
 B  192.168.10.0/24 [200/0] via 192.168.2.1
 B  192.168.11.0/24 [200/307200] via 192.168.2.1
 C  192.168.12.0/24 is directly connected, Ethernet1/0
 B  192.168.13.0/24 [200/20] via 192.168.2.1
 B  192.168.14.0/24 [200/307200] via 192.168.2.1

# show ip bgp
      Network        Next Hop      Metric   LocPrf  Cmnty
 *>   192.168.10.0   0.0.0.0       0
 *m i 192.168.11.0   192.168.0.2   307200   100     1:20
 *> i                192.168.0.1   307200   100     1:20
 *> i 192.168.12.0   192.168.0.1   0        100     1:20
 *m i                192.168.0.2   0        100     1:20
 *m i 192.168.13.0   192.168.0.2   20       100     1:20
 *> i                192.168.0.1   20       100     1:20
 *> i 192.168.14.0   192.168.0.1   307200   100     1:20
 *m i                192.168.0.2   307200   100     1:20

# show ip bgp
      Network        Next Hop      Metric   LocPrf  Cmnty
 *> i 192.168.10.0   192.168.2.1   0        100     1:20
 *> i 192.168.11.0   192.168.2.1   307200   100     1:20
 *>   192.168.12.0   0.0.0.0       0
 *> i 192.168.13.0   192.168.2.1   20       100     1:20
 *> i 192.168.14.0   192.168.2.1   307200   100     1:20
Load-balancing Hubs
Spokes:
- Multiple spokes at a spoke site.
- Can use communities to add to the IGP metric when advertising to the LAN.
- Can use communities to add to the MED when learning from the hubs.
Both:
- Set the community when learning routes from the LAN.
- Odd spokes / Hub1: community 1:1; even spokes / Hub2: community 1:2.
Spoke 2:
router bgp 1
 neighbor hubs peer-group
 neighbor hubs send-community
 neighbor 10.0.0.1 peer-group hubs
 neighbor 10.0.0.2 peer-group hubs
!
ip bgp-community new-format
route-map LAN-IN permit 10
 match community 21
 set community 1:2

Spoke 4 is similar.
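The community-driven hub preference described above, modelled in Python. This is an added example, not Cisco code or a configuration from these slides. Taken from the slides: odd spokes tag their LAN routes 1:1 and even spokes 1:2, both hubs receive every spoke route, and the spoke LAN prefixes with their IGP metrics. The hub-side route-maps are not on the slides, so the hubs' policy used here (add 5000 to the MED of a route that carries the other hub's community) is an assumption read off the hub and spoke tables that follow (0 to 5000, 20 to 5020, 307200 to 312200).

```python
"""Model of the community-based hub load-balancing on the preceding slides.

Added example, not Cisco code or configuration. From the slides: odd
spokes set community 1:1 (prefer Hub1), even spokes 1:2 (prefer Hub2),
and every spoke route reaches both hubs. ASSUMPTION (hub route-maps are
not on the slides): each hub adds 5000 to the MED of a spoke route that
carries the other hub's community, the delta the tables show.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MED_PENALTY = 5000                      # assumed per-hub adjustment
HUBS = {1: "10.0.0.1", 2: "10.0.0.2"}   # hub tunnel addresses from the slides

# Spoke LANs from the slides: prefix -> (originating spoke, IGP metric that
# becomes the MED when the spoke redistributes the LAN into BGP)
SPOKE_LANS = {
    "192.168.11.0/24": (1, 307200),
    "192.168.12.0/24": (2, 0),
    "192.168.13.0/24": (3, 20),
    "192.168.14.0/24": (4, 307200),
}


def spoke_community(spoke: int) -> str:
    """LAN-IN route-map on the spoke: odd spokes set 1:1, even spokes 1:2."""
    return "1:1" if spoke % 2 else "1:2"


def hub_med(hub: int, community: str, received_med: int) -> int:
    """Assumed hub inbound policy: penalise routes tagged for the other hub."""
    return received_med if community == f"1:{hub}" else received_med + MED_PENALTY


@dataclass(frozen=True)
class Path:
    next_hop: str
    med: int
    local_pref: int = 100   # iBGP default, identical on every path here
    weight: int = 0         # none of these paths is locally originated


def bestpaths(paths: List[Path]) -> List[Path]:
    """The slice of BGP best-path selection that decides between two hubs.

    Weight, local preference and the (empty, iBGP) AS path tie on every
    path, so the lowest MED wins; paths with an equal MED are all kept,
    which is what the '*m' (multipath) flag in the spoke tables reports.
    """
    def rank(p: Path) -> Tuple[int, int, int]:
        return (-p.weight, -p.local_pref, p.med)
    best = min(rank(p) for p in paths)
    return [p for p in paths if rank(p) == best]


def hub_tables() -> Dict[int, Dict[str, Tuple[int, str]]]:
    """MED and community each hub holds for every spoke LAN after the
    inbound adjustment on the route received directly from the spoke."""
    tables: Dict[int, Dict[str, Tuple[int, str]]] = {1: {}, 2: {}}
    for prefix, (spoke, igp_metric) in SPOKE_LANS.items():
        cmnty = spoke_community(spoke)
        for hub in HUBS:
            tables[hub][prefix] = (hub_med(hub, cmnty, igp_metric), cmnty)
    return tables


def spoke_view(spoke: int) -> Dict[str, List[str]]:
    """Hub next hops a spoke installs for every other spoke's LAN
    (best path, or both hubs when the MEDs tie); its own LAN is excluded
    because it is learned from the LAN side."""
    tables = hub_tables()
    view: Dict[str, List[str]] = {}
    for prefix, (origin, _) in SPOKE_LANS.items():
        if origin == spoke:
            continue
        paths = [Path(HUBS[h], tables[h][prefix][0]) for h in HUBS]
        view[prefix] = sorted(p.next_hop for p in bestpaths(paths))
    return view


if __name__ == "__main__":
    for hub, table in hub_tables().items():
        print(f"Hub{hub}:", table)
    print("Spoke1 chooses:", spoke_view(1))
```

Running it reproduces the hub-side values on the next slides (Hub1 holds 192.168.12.0/24 at MED 5000 and 192.168.14.0/24 at 312200, Hub2 holds 192.168.11.0/24 at 312200 and 192.168.13.0/24 at 5020) and the resulting spoke choice: 1:2 prefixes best via 10.0.0.2, 1:1 prefixes best via 10.0.0.1.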
Hub1
# show ip bgp
(metric after the hub's community-based MED adjustment; where the hub changed it, the received value is in parentheses)
     Network          Next Hop        Metric            LocPrf Cmnty
*> i 192.168.10.0     192.168.0.3          0               100 1:1
*  i 192.168.11.0     10.0.0.2        322200 (317200)     100 1:1
*> i                  10.0.0.11       307200              100 1:1
*> i 192.168.12.0     10.0.0.12         5000 (0)          100 1:2
*  i                  10.0.0.2         10000              100 1:2
*  i 192.168.13.0     10.0.0.2         15020 (10020)      100 1:1
*> i                  10.0.0.13           20              100 1:1
*> i 192.168.14.0     10.0.0.14       312200 (307200)     100 1:2
*  i                  10.0.0.2        317200              100 1:2
Hub2
# show ip bgp
     Network          Next Hop        Metric            LocPrf Cmnty
*> i 192.168.10.0     192.168.0.3          0               100 1:2
*> i 192.168.11.0     10.0.0.11       312200 (307200)     100 1:1
*  i                  10.0.0.1        317200              100 1:1
*  i 192.168.12.0     10.0.0.1         15000 (10000)      100 1:2
*> i                  10.0.0.12            0              100 1:2
*  i 192.168.13.0     10.0.0.1         10020              100 1:1
*> i                  10.0.0.13         5020 (20)         100 1:1
*  i 192.168.14.0     10.0.0.1        322200 (317200)     100 1:2
*> i                  10.0.0.14       307200              100 1:2
Spoke 4 is similar.
Spoke1
# show ip bgp
(status and metric before the hubs' adjustment in parentheses where they changed)
          Network          Next Hop        Metric            LocPrf Cmnty
*m i      192.168.10.0     10.0.0.2             0              100 1:2
*> i                       10.0.0.1             0              100 1:1
*>        192.168.11.0     192.168.1.2     307200                  1:1
*> (*m) i 192.168.12.0     10.0.0.2             0              100 1:2
*  (*>) i                  10.0.0.1          5000 (0)          100 1:2
*  (*m) i 192.168.13.0     10.0.0.2          5020 (20)         100 1:1
*> i                       10.0.0.1            20              100 1:1
*> (*m) i 192.168.14.0     10.0.0.2        307200              100 1:2
*  (*>) i                  10.0.0.1        312200 (307200)     100 1:2
Spoke2
# show ip bgp
          Network          Next Hop        Metric            LocPrf Cmnty
*> i      192.168.10.0     10.0.0.1             0              100 1:1
*m i                       10.0.0.2             0              100 1:2
*  (*m) i 192.168.11.0     10.0.0.2        312200 (307200)     100 1:1
*> i                       10.0.0.1        307200              100 1:1
*> i      192.168.12.0     192.168.2.2          0              100 1:2
*> i      192.168.13.0     10.0.0.1            20              100 1:1
*  (*m) i                  10.0.0.2          5020 (20)         100 1:1
*  (*>) i 192.168.14.0     10.0.0.1        312200 (307200)     100 1:2
*> (*m) i                  10.0.0.2        307200              100 1:2
RS1
# show ip route
D EX 192.168.10.0/24 [170/2585600] via 192.168.1.1,
C    192.168.11.0/24 is directly connected, Ethernet1/0
D EX 192.168.12.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.13.0/24 [170/2585600] via 192.168.1.1,
D EX 192.168.14.0/24 [170/2585600] via 192.168.1.1,
Hub-site LAN router (192.168.10.0/24 is local)
# show ip bgp
(status and metric before the hubs' adjustment in parentheses where they changed)
          Network          Next Hop        Metric            LocPrf Cmnty
*>        192.168.10.0     0.0.0.0              0
*  (*m) i 192.168.11.0     192.168.0.2     312200 (307200)     100 1:20
*> i                       192.168.0.1     307200              100 1:20
*  (*>) i 192.168.12.0     192.168.0.1       5000 (0)          100 1:20
*> (*m) i                  192.168.0.2          0              100 1:20
*  (*m) i 192.168.13.0     192.168.0.2       5020 (20)         100 1:20
*> i                       192.168.0.1         20              100 1:20
*  (*>) i 192.168.14.0     192.168.0.1     312200 (307200)     100 1:20
*> (*m) i                  192.168.0.2     307200              100 1:20
RS2
# show ip bgp
     Network          Next Hop        Metric LocPrf Cmnty
*> i 192.168.10.0     192.168.2.1          0    100 1:20
*> i 192.168.11.0     192.168.2.1     307200    100 1:20
*>   192.168.12.0     0.0.0.0              0
*> i 192.168.13.0     192.168.2.1         20    100 1:20
*> i 192.168.14.0     192.168.2.1     307200    100 1:20
Agenda
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Recent and New Features
  IKEv2 with DMVPN
  Tunnel Health Monitoring
  Backup and FQDN NHS
  DHCP over DMVPN
  DMVPN IPv6 Transport
Tunnel Health Monitoring

Solution
  New command: if-state nhrp
  Monitor NHRP registration replies
    If all NHSs are down, set the tunnel interface up/down (and continue to send NHRP registration requests)
    If a single NHS is up, set the tunnel interface up/up

interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 if-state nhrp
#show ip nhrp nhs detail
10.0.0.1  E   req-sent 105  req-failed 0  repl-recv 90 (00:02:12 ago)
10.0.0.2  E   req-sent 130  req-failed 0  repl-recv 79 (00:02:12 ago)

#show interface tunnel0
Tunnel0 is up, line protocol is down

*Apr 19 21:33:12 NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 92
*Apr 19 21:33:13 NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 92
*Apr 19 21:34:36 NHRP: NHS 10.0.0.1 Tunnel0 vrf 0 Cluster 0 Priority 0 Transitioned to 'RE' from 'E'
*Apr 19 21:34:36 NHRP: NHS-UP: 10.0.0.1
*Apr 19 21:34:42 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 19 21:34:42 NHRP: if_up: Tunnel0 proto 0

#show ip nhrp nhs detail
10.0.0.1  RE  req-sent 110  req-failed 0  repl-recv 96 (00:00:19 ago)
10.0.0.2  E   req-sent 135  req-failed 0  repl-recv 79 (00:04:09 ago)
Backup and FQDN NHS

Solution
  Set NHS max-connections
  Can set NHS priority (default = 0, the best)
  Can have multiple hubs at the same priority

Configuration reduction
  Single-line NHS configuration and FQDN NHS

Functionality
  NHSs are brought up in priority order, until the cluster reaches max-connections
  A down NHS at the same priority is probed only while the cluster is not at max-connections
  A down NHS with a lower (better) priority value than an active NHS is probed even when max-connections is reached
  The FQDN is resolved when bringing up the NHS
interface Tunnel0
 ip nhrp nhs 10.0.0.1 nbma Hub1.cisco.com multicast priority 10 cluster 1
 ip nhrp nhs 10.0.0.2 nbma 172.17.0.5 multicast priority 20 cluster 1
 ip nhrp nhs 10.0.0.3 nbma 172.17.0.9 multicast priority 10 cluster 2
 ip nhrp nhs 10.0.0.4 nbma 172.17.0.13 multicast priority 10 cluster 2
 ip nhrp nhs cluster 1 max-connections 1
 ip nhrp nhs cluster 2 max-connections 1

#show ip nhrp nhs
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.0.0.1  RE  NBMA Address: 172.17.0.1 (Hub1.Cisco.com)  priority = 10  cluster = 1
10.0.0.2  W   NBMA Address: 172.17.0.5                    priority = 20  cluster = 1
10.0.0.3  RE  NBMA Address: 172.17.0.9                    priority = 10  cluster = 2
10.0.0.4  W   NBMA Address: 172.17.0.13                   priority = 10  cluster = 2
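The NHS selection rules from the previous slide and the if-state nhrp rule from the Tunnel Health Monitoring slides, as an added Python example (not Cisco code or output). The NHS table is the configuration shown above; which hubs are unreachable is a constructed input. The function returns the per-NHS state that show ip nhrp nhs would print (RE, E or W) and the line-protocol state the tunnel interface would take.

```python
"""NHS cluster selection and 'if-state nhrp' line-protocol tracking.

Added example, not Cisco code. It encodes the rules on the preceding
slides: bring NHSs up in priority order until the cluster's
max-connections; keep probing a down NHS at the same priority only while
the cluster is below max-connections; keep probing a down NHS that is
better than an active one even at max-connections; line protocol is up
while any NHS answers. The NHS table is the slide's configuration; the
set of unreachable hubs is a constructed input.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# States as printed by 'show ip nhrp nhs':
#   RE = registration request answered, NHS is up
#   E  = expecting replies: being probed, no answer yet
#   W  = waiting: not probed because its cluster is at max-connections


@dataclass(frozen=True)
class Nhs:
    addr: str
    priority: int   # lower value is better; 0 is the default and best
    cluster: int


SLIDE_NHS = [
    Nhs("10.0.0.1", 10, 1), Nhs("10.0.0.2", 20, 1),
    Nhs("10.0.0.3", 10, 2), Nhs("10.0.0.4", 10, 2),
]
SLIDE_MAX_CONN = {1: 1, 2: 1}


def nhs_states(nhs_list: Iterable[Nhs], max_conn: Dict[int, int],
               down: Set[str]) -> Dict[str, str]:
    """Return {nhs address: state} given the set of unreachable NHS addresses."""
    nhs_list = list(nhs_list)
    states: Dict[str, str] = {}
    for cluster in sorted({n.cluster for n in nhs_list}):
        members = sorted((n for n in nhs_list if n.cluster == cluster),
                         key=lambda n: (n.priority, n.addr))
        # Assumption: a cluster with no max-connections brings up all its NHSs.
        limit = max_conn.get(cluster, len(members))
        active: List[Nhs] = []
        for n in members:                       # best priority first
            if len(active) < limit and n.addr not in down:
                active.append(n)
        at_limit = len(active) >= limit
        for n in members:
            if n in active:
                states[n.addr] = "RE"
            elif n.addr in down and (
                    not at_limit
                    or any(n.priority < a.priority for a in active)):
                states[n.addr] = "E"            # still probed
            else:
                states[n.addr] = "W"            # parked until a slot frees up
    return states


def tunnel_line_protocol(states: Dict[str, str]) -> str:
    """'if-state nhrp': up/up while at least one NHS answers, else up/down."""
    return "up" if "RE" in states.values() else "down"


def scenario(down: Set[str]) -> Dict[str, str]:
    """The slide's NHS configuration with the given hubs unreachable."""
    return nhs_states(SLIDE_NHS, SLIDE_MAX_CONN, down)


if __name__ == "__main__":
    for failed in (set(), {"10.0.0.1"}, {"10.0.0.3"},
                   {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}):
        st = scenario(failed)
        print(sorted(failed) or "all up", st, "line protocol", tunnel_line_protocol(st))
```

With every hub reachable the result is the RE/W/RE/W pattern in the show ip nhrp nhs output above. Taking 10.0.0.1 down moves 10.0.0.2 to RE and leaves 10.0.0.1 in E, because it is better than the now-active hub and must keep being probed; taking 10.0.0.3 down moves 10.0.0.4 to RE and parks 10.0.0.3 in W, since an equal-priority hub is not probed once the cluster is at max-connections. Only when both clusters have no responding hub does the line protocol go down.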
DHCP over DMVPN

Solution
  Use DHCP to allocate the spoke's tunnel IP address/subnet

Spoke tunnel interface
  ip address dhcp
  ip dhcp client broadcast-flag clear

Hub tunnel interface
  ip helper-address <ip-dhcp-server>

Functionality
  The DHCP request is broadcast to all NHSs; replies are unicast back to the spoke
  Sticky until the tunnel interface goes down
Hub:
ip dhcp support tunnel unicast
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip helper-address 192.168.0.3
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp redirect
 tunnel source Serial2/0
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

DHCP (spoke debug):
22:52:32.658: DHCP: Starting DHCP discover on Tunnel0
22:52:32.658: DHCP: SDiscover attempt # 1 for entry:
22:52:32.658:   Hostname: Spoke1, B'cast on Tunnel0 interface from 0.0.0.0
22:52:32.738: DHCP: Offer Message, Offered Address: 10.0.0.13
22:52:32.738: DHCP: Lease secs: 86400, Renewal secs: 43200, Rebind secs: 75600
22:52:32.738: DHCP: SRequest attempt # 1 for entry:
22:52:32.738:   Temp IP addr: 10.0.0.13 for peer on Interface: Tunnel0
22:52:32.738:   Temp sub net mask: 255.255.255.0
22:52:32.738:   Hostname: Spoke1, B'cast on Tunnel0 interface from 0.0.0.0
22:52:32.818: DHCP: Ack Message Offered Address: 10.0.0.13
22:52:32.818: DHCP: Lease secs: 86400, Renewal secs: 43200, Rebind secs: 75600
22:52:32.818: DHCP: Host Name Option: Spoke1.cisco-test.com
BRKSEC-4052 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Tunnel (spoke debug):
22:52:29.618: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
22:52:29.622: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
...
22:52:32.870: Tunnel0: Linking endpoint 10.0.0.1/172.17.0.1
22:52:32.870: FIBtunnel: Tu0:TED: Adding adj for 10.0.0.1, conn_id 0
22:52:32.870: FIBtunnel: Tu0: stacking IP 10.0.0.1 to Default:172.17.0.1
...
22:52:32.902: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.1 (Tunnel0) is up: new adjacency
DMVPN IPv6 Transport

Configuration
  Standard IPv6 configuration on the outside (WAN) interface
  Small change on the mGRE tunnel interface
  Must use IKEv2 to set up IPsec encryption

Split-tunneling
  Enterprise versus ISP-assigned IPv6 addresses at the spoke
  No NAT66
Hub: (configuration not captured)

Spoke:
crypto ikev2 keyring DMVPN
 peer DMVPNv6
  address ::/0
  pre-shared-key cisco123v6
crypto ikev2 profile DMVPN
 match identity remote address ::/0
 authentication local pre-share
 authentication remote pre-share
 keyring DMVPN
 dpd keepalive 30 5 on-demand
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set ikev2-profile DMVPN
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1 nbma 2001:DB8:0:FFFF:1::1 multicast
 ...
 ipv6 address 2001:DB8:0:100::B/64
 ...
 ipv6 nhrp network-id 100006
 ipv6 nhrp nhs 2001:DB8:0:100::1 nbma 2001:DB8:0:FFFF:1::1 multicast
 ...
 tunnel source Serial1/0
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
 ipv6 address 2001:DB8:0:FFFF:0:1:0:1/126
!
ipv6 route ::/0 Serial1/0

The keyring matches any peer (address ::/0) with a single group pre-shared key and the profile accepts any remote identity, so every device that holds cisco123v6 can authenticate as any spoke or as the hub. That is the usual trade-off of pre-shared keys with dynamic spoke-to-spoke tunnels; IKEv2 with certificates avoids the shared secret.
DMVPN Futures

Q4 CY2011
  iBGP local-as
  Routing protocol scalability/convergence
  EEM with DMVPN integration
  Smart Spoke
  DHCP over DMVPN IPv4: retrieve the LAN IP subnet for the spoke to serve addresses to hosts

Q1 CY2012
  DHCP over DMVPN IPv6
  Per-tunnel QoS on ASR

Future
  DMVPN native multicast
  GRE per-tunnel keepalives
  Per-tunnel QoS IPv6 over DMVPN on Hub
Q&A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press Check the Recommended Reading flyer for suggested books
Thank you.
Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
DMVPN: Example (diagram slides; only the labels hub LAN 192.168.0.0/24 .1 and Spoke B LAN 192.168.2.0/24 .1 were recoverable)
Appendix
DMVPN Overview
NHRP Details
  NHRP Overview
  NHRP Registrations
  NHRP Resolutions/Redirects
    Phase 2
    Phase 3
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
NHRP Registration: Building Hub-and-Spoke Tunnels
(sequence diagram, Host1 - Spoke1 - Hub - Spoke2 - Host2)
  Step 1: each spoke runs IKE initialization with the hub; once IKE/IPsec is established the spoke-hub path is encrypted
  Step 2: each spoke sends its NHRP registration to the hub over the encrypted tunnel
  Step 3: each spoke forms a routing adjacency with the hub and routing updates are exchanged
NHRP Registration: Building Hub-and-Spoke Tunnels (detail diagrams; recoverable content)
  Legend: dynamic permanent IPsec tunnels
  Hub:     Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24; routing table 192.168.0.0/24 Conn.
  Spoke A: Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24; routing table 192.168.1.0/24 Conn.
  Spoke B: Physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12, LAN 192.168.2.1/24; routing table 192.168.2.0/24 Conn.
  Steps 1&2 (NHRP Registration): each spoke holds the static NHRP mapping 10.0.0.1 -> 172.17.0.1 for the hub, brings up IKE/IPsec to it and registers; the hub's NHRP mapping table gains an entry from the spoke's tunnel address to its dynamic NBMA (physical) address
  Steps 3a/3b (Routing Adjacency): routing packets flow over the registered tunnels and each side's routing table is populated with the other's networks
Phase 2: NHRP Resolution (sequence and detail diagrams; recoverable content)

Sequence (Host1 - Spoke1 - Hubs - Spoke2 - Host2)
  Step 1: NHRP Resolution Request from Spoke1, sent via the hub
  Step 2: NHRP Resolution Reply from Spoke2 to Spoke1, followed by IKE initialization; the spoke-spoke tunnel is then encrypted

Node addressing
  Hub:     Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24
  Spoke A: Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24
  Spoke B: Physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12, LAN 192.168.2.1/24

Spoke A before the resolution
  NHRP mapping:   10.0.0.1 -> 172.17.0.1 (*)
  CEF FIB:        192.168.0.0/24 -> 10.0.0.1;  192.168.1.0/24 Conn.;  192.168.2.0/24 -> 10.0.0.12
  CEF adjacency:  10.0.0.1 -> 172.17.0.1;  10.0.0.12 incomplete
Spoke B before the resolution
  NHRP mapping:   10.0.0.1 -> 172.17.0.1 (*)
  CEF FIB:        192.168.0.0/24 -> 10.0.0.1;  192.168.1.0/24 -> 10.0.0.11;  192.168.2.0/24 Conn.
  CEF adjacency:  10.0.0.1 -> 172.17.0.1;  10.0.0.11 incomplete

Steps 1a/1b: a data packet for 192.168.2.0/24 hits the incomplete adjacency for next hop 10.0.0.12, so Spoke A sends a Resolution Request for it via the hub (its mapping table shows "10.0.0.12 ???" while the request is pending); when the request reaches Spoke B, Spoke B learns 10.0.0.11 -> 172.16.1.1 from it
Steps 2a/2b/2c: Spoke B replies; Spoke A installs 10.0.0.12 -> 172.16.2.1 in its NHRP mapping and completes the adjacency 10.0.0.12 -> 172.16.2.1; Spoke B's mapping table shows 10.0.0.11 -> 172.16.1.1 and its own 10.0.0.12 -> 172.16.2.1 (l)
Phase 3: NHRP Redirect and Resolution (sequence and detail diagrams; recoverable content)

Sequence (Host1 - Spoke1 - Hubs - Spoke2 - Host2)
  Step 1: Spoke1 forwards the data packet to the hub; the hub forwards it toward Spoke2 and sends an NHRP Redirect back to Spoke1
  Step 2: NHRP Resolution Request from Spoke1, sent via the hub
  Step 3: NHRP Resolution Reply from Spoke2 to Spoke1, followed by IKE initialization

Node addressing
  Hub:     Physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24; NHRP mapping 10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1
  Spoke A: Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24
  Spoke B: Tunnel0 10.0.0.12, LAN 192.168.2.1/24

Spoke A before the redirect
  NHRP mapping:   10.0.0.1 -> 172.17.0.1
  CEF FIB:        192.168.1.0/24 Conn.;  192.168.0.0/16 -> 10.0.0.1 (summary from the hub, so the next hop is the hub)
  CEF adjacency:  10.0.0.1 -> 172.17.0.1
Steps 1a/1b: the data packet is forwarded to the hub; the hub forwards it on and returns an NHRP Redirect; Spoke A's mapping table now shows "192.168.2.1 ???" (resolution of the destination pending)
Step 2: Spoke A sends the Resolution Request for the destination via the hub
Steps 3a/3b/3c: Spoke B replies directly to Spoke A. Spoke A installs 192.168.2.0/24 -> 172.16.2.1 as an NHRP entry and the adjacency 172.16.2.1; its routing table still holds only the summary 192.168.0.0/16 via 10.0.0.1, the NHRP entry overrides the next hop for 192.168.2.0/24. Spoke B's tables: NHRP mapping 10.0.0.1 -> 172.17.0.1, 10.0.0.11 -> 172.16.1.1; CEF FIB 192.168.2.0/24 Conn., 192.168.0.0/16 -> 10.0.0.1
Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
iBGP over DMVPN use case topology (diagram; recoverable labels)
  Hub1 (BGP 1), tunnel .1; Hub2, tunnel .2; hub-site LAN 192.168.10.0/24 (BGP 2)
  Internet; DMVPN tunnel subnet 10.0.0.0/24 (BGP 1)
  Spoke1 (BGP 1) .11, LAN 192.168.11.0/24 .1
  Spoke2 (BGP 1) .12, LAN 192.168.12.0/24 .1
  Spoke3 (BGP 1) .13, LAN 192.168.13.0/24 .1
  Spoke4 (BGP 1) .14, LAN labelled 192.168.4.0/24 on the diagram (192.168.14.0/24 in the tables)
Hub1 (the start of the Tunnel0 interface configuration was not captured):
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group spokes
 timers bgp 10 30
 neighbor spokes peer-group
 neighbor spokes remote-as 1
 neighbor spokes route-reflector-client
 neighbor spokes send-community
 neighbor spokes route-map CMNTY in
 neighbor spokes route-map DMVPN-OUT out
 neighbor 10.0.0.2 remote-as 1
 neighbor 10.0.0.2 send-community
 neighbor 10.0.0.2 route-map H2H-IN in
 neighbor 10.0.0.2 route-map DMVPN-OUT out

bgp listen range 10.0.0.0/24 accepts a BGP session from any source address in the tunnel subnet, and the spokes peer-group carries no password. What bounds that is tunnel protection: only a peer that has completed IKE authentication can deliver packets to the mGRE interface, so the BGP trust boundary is exactly the IPsec trust boundary of the DMVPN cloud.
Hub2 (the start of the Tunnel0 interface configuration was not captured):
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.2 255.255.255.0
!
interface Serial2/0
 ip address 172.17.0.5 255.255.255.252
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group spokes
 timers bgp 10 30
 neighbor spokes peer-group
 neighbor spokes remote-as 1
 neighbor spokes route-reflector-client
 neighbor spokes send-community
 neighbor spokes route-map CMNTY in
 neighbor spokes route-map DMVPN-OUT out
 neighbor 10.0.0.1 remote-as 1
 neighbor 10.0.0.1 send-community
 neighbor 10.0.0.1 route-map H2H-IN in
 neighbor 10.0.0.1 route-map DMVPN-OUT out
Hub community-lists and route-maps:
ip bgp-community new-format
ip community-list 10 permit 1:10
ip community-list 11 deny 1:10
ip community-list 11 permit
!
! DMVPN-OUT: everything except ISP-learned routes (community 1:10) is sent toward the DMVPN neighbours
route-map DMVPN-OUT permit 10
 match community 11
!
route-map ISP-OUT permit 10
 match community 10
!
! IGP2BGP / BGP2IGP: tag 225 marks routes that were redistributed from BGP into
! the IGP, so the mutual redistribution does not feed them back into BGP
route-map IGP2BGP deny 10
 match tag 225
!
route-map IGP2BGP permit 20
 set community 1:1
!
route-map BGP2IGP permit 10
 match community 11
 set tag 225
!
route-map ISP-IN permit 10
 set community 1:10
!
control-plane
!
end
RS2:
hostname RS2
!
interface Loopback0
 ip address 172.20.2.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.12.1 255.255.255.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 172.20.2.0 mask 255.255.255.0
 network 192.168.2.0
 network 192.168.12.0
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 next-hop-self
 neighbor 192.168.2.1 send-community
 neighbor 192.168.2.1 route-map FROM-DMVPN in
 no auto-summary
!
ip bgp-community new-format
!
route-map FROM-DMVPN permit 10
 set community 1:20
RS1, RS4

RS3:
hostname RS3
!
interface Loopback0
 ip address 172.20.3.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.3.2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.13.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 172.20.3.0 0.0.0.255
 network 192.168.3.0
 network 192.168.13.0
!
Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
Hierarchical Design

Multiple layers of hub-and-spoke control plane
  Can use a single mGRE subnet across all nodes; best to use multiple mGRE subnets
  Spokes and the central hub have a single mGRE interface
  Distribution hubs have two mGRE interfaces
  Use nhrp network-id <id> to glue the mGRE interfaces together into a single DMVPN cloud
  Still preserves any-to-any spoke-spoke tunnels

Region 1 mGRE subnet, Region 2 mGRE subnet, Region 3 mGRE subnet, Central mGRE subnet
Hierarchical Design

Multiple hub routers at each layer for redundancy

Hub routers in a layer/region
  Configured similar to each other
  Interconnected as NHSs to each other
  Interconnected as NHSs to the next lower layer's hubs

Routing
  Summarize routes toward the spokes (leaves)
  No summarization of routes toward the root (central hub)
  Routes for other mGRE subnets are learned over the tunnel interface

IP Multicast
  A multicast source behind a hub can use a single mGRE subnet
  A multicast source behind a spoke must use multiple mGRE subnets/interfaces
Hierarchical design example (diagram; recoverable labels)
  Legend: mGRE subnet 10.0.0.0/24; mGRE subnet 10.0.1.0/24; mGRE subnet 10.0.2.0/24; dynamic spoke-to-spoke tunnel
  Hub 1: Loopback 172.18.0.1, Physical 172.17.0.1, Tunnel0 10.0.0.8, Tunnel1 10.0.1.8
  LANs: 192.168.8.0/24 .1, 192.168.16.0/24 .1, 192.168.11.0/24 .1
Spoke2 (LAN 192.168.18.0/24), before the shortcut tunnel

NHRP
10.0.2.16/32 via 10.0.2.16
   Tunnel0 created 1d01h, never expire
   Type: static, Flags: used
   NBMA address: 172.18.0.5

Routing Table
D    192.168.128.0/24 [90/3200000] via 10.0.2.16, 1d01h, Tunnel0
C    192.168.18.0/24 is directly connected, Ethernet0/0
D    192.168.0.0/18 [90/3968000] via 10.0.2.16, 1d01h, Tunnel0
D    192.168.16.0/21 [90/3456000] via 10.0.2.16, 1d01h, Tunnel0

CEF
192.168.0.0/18     10.0.2.16   Tunnel0
192.168.16.0/21    10.0.2.16   Tunnel0
192.168.18.0/24    attached    Ethernet0/0
192.168.128.0/24   10.0.2.16   Tunnel0

Adjacency
10.0.2.16(16)  Tunnel0
Spoke2 to Hub0
#ping 192.168.128.1 source 192.168.18.1 repeat 10
Sending 10, 100-byte ICMP Echos to 192.168.128.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 20/28/48 ms
#traceroute 192.168.128.1 source 192.168.18.1 numeric
Tracing the route to 192.168.128.1
  1 10.0.0.1 24 msec *  28 msec
Local entry

Routing Table (no change)
D    192.168.128.0/24 [90/3200000] via 10.0.2.16, 1d01h, Tunnel0
C    192.168.18.0/24 is directly connected, Ethernet0/0
D    192.168.0.0/18 [90/3968000] via 10.0.2.16, 1d01h, Tunnel0
D    192.168.16.0/21 [90/3456000] via 10.0.2.16, 1d01h, Tunnel0

CEF (no change)

Adjacency
(three IP adjacencies; addresses and interfaces not captured)
Static routes for the other mGRE subnets

Spoke1:
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.2.0 255.255.255.0 Tunnel0

Hub1:
ip route 10.0.2.0 255.255.255.0 Tunnel0

Spoke2:
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.1.0 255.255.255.0 Tunnel0

Hub2:
ip route 10.0.1.0 255.255.255.0 Tunnel0

Spoke3:
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.1.0 255.255.255.0 Tunnel0
CEF (Spoke2, after the static routes; only the prefix column was captured)
  10.0.0.0/24
  10.0.1.0/24
  10.0.2.0/24
  10.0.2.16/32
  10.0.2.18/32
  192.168.0.0/18
  192.168.16.0/21
  192.168.18.0/24
  192.168.18.1/32
  192.168.128.0/24

Adjacency
Spoke2 to Hub0
#ping 192.168.128.1 source 192.168.18.1 repeat 20
Sending 20, 100-byte ICMP Echos to 192.168.128.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.18.1
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 16/25/64 ms
#traceroute 192.168.128.1 source 192.168.18.1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.128.1
  1 10.0.0.1 40 msec *  20 msec
Local entry

NHRP
  Next-hop-override entry

CEF (only the prefix column was captured; the three new entries 10.0.0.1/32, 10.0.1.11/32 and 192.168.11.0/24 are IP adjacencies out Tunnel0)
  10.0.0.0/24
  10.0.0.1/32
  10.0.1.0/24
  10.0.1.11/32
  10.0.2.0/24
  10.0.2.16/32
  10.0.2.18/32
  192.168.0.0/18
  192.168.11.0/24
  192.168.16.0/21
  192.168.18.0/24
  192.168.18.1/32
  192.168.128.0/24

Adjacency
Appendix
DMVPN Overview
NHRP Details
Use Case: iBGP over DMVPN
Phase 3 Hierarchical Design
Interaction with other Features
  IPv6 Phase 1, NAT, Per-Tunnel QoS, MIBs
IPv6 Phase 1
IPv6 packets over DMVPN IPv4 tunnels
  Introduced in IOS release 12.4(20)T
  IPv4 infrastructure network
  IPv6 and/or IPv4 data packets over the same IPv4 GRE tunnel
IPv6 Phase 1
Configuration

Hub:
ipv6 unicast-routing
ipv6 cef
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 ipv6 address 2001:DB8:0:100::1/64
 ipv6 mtu 1400
 ipv6 eigrp 1
 no ipv6 split-horizon eigrp 1
 ipv6 nhrp authentication testv6
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp redirect
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 ipv6 address 2001:DB8::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

Spoke:
ipv6 unicast-routing
ipv6 cef
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ipv6 address 2001:DB8:0:100::B/64
 ipv6 mtu 1400
 ipv6 eigrp 1
 ipv6 nhrp authentication testv6
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp map 2001:DB8:0:100::1/128 172.17.0.1
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:DB8:0:100::1
 ipv6 nhrp shortcut
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 eigrp 1
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown
IPv6 Phase 1

Hub NHRP cache:
2001:DB8:0:100::B/128 via 2001:DB8:0:100::B
   Tunnel0 created 1d16h, expire 00:04:58
   Type: dynamic, Flags: unique registered used
   NBMA address: 172.16.1.1
FE80::A8BB:CCFF:FE00:C800/128 via 2001:DB8:0:100::B
   Tunnel0 created 1d16h, expire 00:04:58
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.1.1

Spoke NHRP cache:
2001:DB8:0:100::1/128 via 2001:DB8:0:100::1
   Tunnel0 created 1d16h, never expire
   Type: static, Flags: used
   NBMA address: 172.17.0.1
FE80::A8BB:CCFF:FE00:6400/128 via FE80::A8BB:CCFF:FE00:6400
   Tunnel0 created 1d16h, expire 00:04:59
   Type: dynamic, Flags:
   NBMA address: 172.17.0.1
NAT

The spoke's outside NAT IP address is passed in NHRP resolution request and reply packets.
Spokes use the remote spoke's outside NAT IP address to build the spoke-to-spoke tunnel.
Two spokes behind the same NAT node:
  Must be translated to unique outside NAT IP addresses
  The NAT node must support the spokes reaching each other via their outside NAT IP addresses; that traffic loops through the NAT node
If the spoke-spoke tunnel will not come up, traffic continues to be forwarded via the hub.
Phase 3 Resolutions
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
 src: 10.0.0.11, dst: 10.0.0.1
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth src-stable nat ", reqid: 164
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 10.0.0.13
 (C-1) code: no error(0)
       prefix: 0, mtu: 1514, hd_time: 360
 Responder Address Extension(3):
 Forward Transit NHS Record Extension(4):
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
   type:Cleartext(1), data:test
 NAT address Extension(9):

NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 152
 src: 10.0.0.13, dst: 10.0.0.11
 (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
 (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 164
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 10.0.0.13
 (C-1) code: no error(0), prefix: 32, mtu: 1514, hd_time: 360
       client NBMA: 172.16.3.1, client protocol: 10.0.0.13
 Responder Address Extension(3):
   (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
       client NBMA: 172.16.3.1, client protocol: 10.0.0.13
 Forward Transit NHS Record Extension(4):
   client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 Reverse Transit NHS Record Extension(5):
 Authentication Extension(7):
   type:Cleartext(1), data:test
 NAT Address Extension (9):
   (C-1) prefix: 32, client NBMA: 172.18.0.3, client protocol: 10.0.0.13
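The reply carries spoke 10.0.0.13's NBMA address twice: 172.16.3.1 in the mandatory part (its pre-NAT address) and 172.18.0.3 in the NAT Address Extension (the address the NAT node presents). The following is an added example, not code from the Cisco deck: it parses the reflowed debug text, picks the address the requesting spoke should build the spoke-to-spoke tunnel to, lists the transit hub, and flags the two-spokes-behind-one-NAT case from the earlier slide; the requester's own outside address passed to same_nat_node is a constructed value the slides do not give.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Resolution Reply from the slide, one field per line.
# Mandatory CIE and NAT Address Extension both name 10.0.0.13, with different NBMAs.
REPLY = """\
NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 152
 src: 10.0.0.13, dst: 10.0.0.11
 (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 164
     src NBMA: 172.16.1.1
     src protocol: 10.0.0.11, dst protocol: 10.0.0.13
 (C-1) code: no error(0), prefix: 32, mtu: 1514, hd_time: 360
       client NBMA: 172.16.3.1, client protocol: 10.0.0.13
 Responder Address Extension(3):
   (C) code: no error(0), prefix: 0, mtu: 1514, hd_time: 360
       client NBMA: 172.16.3.1, client protocol: 10.0.0.13
 Forward Transit NHS Record Extension(4):
   client NBMA: 172.17.0.1, client protocol: 10.0.0.1
 NAT Address Extension (9):
   (C-1) prefix: 32, client NBMA: 172.18.0.3, client protocol: 10.0.0.13
"""

@dataclass
class Resolution:
    target: str                   # dst protocol: the spoke being resolved
    inside_nbma: str              # client NBMA in the mandatory part (pre-NAT)
    outside_nbma: Optional[str]   # client NBMA in the NAT Address Extension
    transit_nhs: list             # NBMA addresses of hubs the request crossed
    nat_flag: bool                # "nat" bit in the mandatory-part flags

    @property
    def tunnel_nbma(self) -> str:
        """Address the requester peers with: the NAT extension wins when present."""
        return self.outside_nbma or self.inside_nbma

def parse_reply(text: str) -> Resolution:
    flags = re.search(r'flags: "([^"]*)"', text).group(1).split()
    target = re.search(r"dst protocol: (\S+)", text).group(1)
    inside = re.search(r"\(C-1\) code:.*?client NBMA: (\S+),", text, re.S).group(1)
    nat = re.search(r"NAT Address Extension ?\(9\):\s*\(C-1\).*?client NBMA: (\S+),",
                    text, re.S | re.I)
    hubs = re.findall(r"Forward Transit NHS Record Extension\(4\):\s*client NBMA: (\S+),", text)
    return Resolution(target, inside, nat.group(1) if nat else None, hubs, "nat" in flags)

def same_nat_node(local_outside_nbma: str, res: Resolution) -> bool:
    """True when both spokes translate to one outside address, i.e. they sit
    behind the same NAT node and spoke-spoke traffic would hairpin through it."""
    return res.outside_nbma is not None and res.outside_nbma == local_outside_nbma
```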
Multiple spokes with the same NHRP group are mapped to individual instances of the same QoS template policy.
Shaping/policing is done on the physical interface after IPsec encryption.
Can't have a separate aggregate QoS policy on the physical interface.
Per-tunnel QoS
Configurations
class-map match-all typeA_voice
 match access-group 100
class-map match-all typeB_voice
 match access-group 100
class-map match-all typeA_Routing
 match ip precedence 6
class-map match-all typeB_Routing
 match ip precedence 6
policy-map typeA
 class typeA_voice
  priority 1000
 class typeA_Routing
  bandwidth percent 20
policy-map typeB
 class typeB_voice
  priority percent 20
 class typeB_Routing
  bandwidth percent 10
policy-map typeA_parent
 class class-default
  shape average 3000000
  service-policy typeA
Hub:
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map group typeA service-policy output typeA_parent
 ip nhrp map group typeB service-policy output typeB_parent
 ip nhrp redirect
 no ip split-horizon eigrp 100
 ip summary-address eigrp 100 192.168.0.0 255.255.192.0 5

Spoke1:
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp group typeA
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1

Spoke2:
interface Tunnel0
 ip address 10.0.0.12 255.255.255.0
 ip nhrp group typeB
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1

Spoke3:
interface Tunnel0
 ip address 10.0.0.13 255.255.255.0
 ip nhrp group typeA
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1
Per-tunnel QoS
QoS Output
Hub#show ip nhrp
10.0.0.11/32 via 10.0.0.11
   Tunnel0 created 21:24:03, expire 00:04:01
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.1.1
   Group: typeA
10.0.0.12/32 via 10.0.0.12
   Tunnel0 created 21:22:33, expire 00:05:30
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.2.1
   Group: typeB
10.0.0.13/32 via 10.0.0.13
   Tunnel0 created 00:09:04, expire 00:04:05
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.3.1
   Group: typeA

Hub#show policy-map multipoint tunnel 0 <spoke> output
 Interface Tunnel0 172.16.1.1
  Service-policy output: typeA_parent
   Class-map: class-default (match-any)
    19734 packets, 6667163 bytes
    shape (average) cir 3000000, bc 12000, be 12000
    Service-policy : typeA
     Class-map: typeA_voice (match-all)
      3737 packets, 4274636 bytes
     Class-map: typeA_Routing (match-all)
      14424 packets, 1269312 bytes
     Class-map: class-default (match-any)
      1573 packets, 1123215 bytes
 Interface Tunnel0 172.16.2.1
  Service-policy output: typeB_parent
   Class-map: class-default (match-any)
    11420 packets, 1076898 bytes
    shape (average) cir 2000000, bc 8000, be 8000
    Service-policy : typeB
     Class-map: typeB_voice (match-all)
      1005 packets, 128640 bytes
     Class-map: typeB_Routing (match-all)
      10001 packets, 880088 bytes
     Class-map: class-default (match-any)
      414 packets, 68170 bytes
 Interface Tunnel0 172.16.3.1
  Service-policy output: typeA_parent
   Class-map: class-default (match-any)
    5458 packets, 4783903 bytes
    shape (average) cir 3000000, bc 12000, be 12000
    Service-policy : typeA
     Class-map: typeA_voice (match-all)
      4914 packets, 4734392 bytes
     Class-map: typeA_Routing (match-all)
      523 packets, 46004 bytes
     Class-map: class-default (match-any)
      21 packets, 14995 bytes
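As an added check (not from the deck), the following joins the two outputs above on the spoke's NBMA address and reports any registered spoke whose instantiated parent policy or shaper rate does not match what its NHRP group should select on the hub; the samples are the slide's output reflowed and trimmed to two spokes. The typeB_parent shaper rate (2 Mbps) is taken from the show output because the deck does not print that policy-map.

```python
import re
# Reflowed from the deck's hub "show ip nhrp" (two of the three spokes), trimmed.
SHOW_IP_NHRP = """\
10.0.0.11/32 via 10.0.0.11
   NBMA address: 172.16.1.1
   Group: typeA
10.0.0.12/32 via 10.0.0.12
   NBMA address: 172.16.2.1
   Group: typeB
"""
# Reflowed from "show policy-map multipoint tunnel 0 <spoke> output".
SHOW_PMAP = """\
 Interface Tunnel0 172.16.1.1
  Service-policy output: typeA_parent
    shape (average) cir 3000000, bc 12000, be 12000
 Interface Tunnel0 172.16.2.1
  Service-policy output: typeB_parent
    shape (average) cir 2000000, bc 8000, be 8000
"""
# The hub's "ip nhrp map group <g> service-policy output <p>" lines and the shaper
# rate each parent policy should apply (typeB_parent's 2 Mbps read from show output).
GROUP_POLICY = {"typeA": "typeA_parent", "typeB": "typeB_parent"}
POLICY_CIR = {"typeA_parent": 3000000, "typeB_parent": 2000000}

def registered_groups(nhrp_out):
    """NBMA address -> NHRP group the spoke signalled when it registered."""
    groups = {}
    for entry in re.split(r"(?m)^(?=\S)", nhrp_out):   # one cache entry each
        nbma = re.search(r"NBMA address: (\S+)", entry)
        grp = re.search(r"Group: (\S+)", entry)
        if nbma:
            groups[nbma.group(1)] = grp.group(1) if grp else None
    return groups

def applied_policies(pmap_out):
    """NBMA address -> (parent policy instantiated for that spoke, CIR in bps)."""
    pat = r"Interface Tunnel\d+ (\S+)\s+Service-policy output: (\S+).*?cir (\d+)"
    return {n: (p, int(c)) for n, p, c in re.findall(pat, pmap_out, re.S)}

def audit(nhrp_out, pmap_out, group_policy=GROUP_POLICY, policy_cir=POLICY_CIR):
    """One (nbma, reason) per registered spoke whose attached policy or shaper
    rate differs from what its NHRP group selects; empty list means all match."""
    findings, applied = [], applied_policies(pmap_out)
    for nbma, grp in registered_groups(nhrp_out).items():
        want, got = group_policy.get(grp), applied.get(nbma)
        if want is None:
            findings.append((nbma, "group %r has no hub mapping" % grp))
        elif got is None:
            findings.append((nbma, "no per-tunnel policy instance attached"))
        elif got != (want, policy_cir[want]):
            findings.append((nbma, "got %s@%d, want %s@%d" % (*got, want, policy_cir[want])))
    return findings
```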
Per-tunnel QoS
Scaling: CPU utilization versus number of tunnels and active shapers

Throughput   Tunnels/Active 500/150   600/180      700/210
28 Mbps      43%                      51%          53% (99%)
38 Mbps      52%                      68% (99%)    76% (99%)
47.6 Mbps    64%                      78% (99%)    99% (flapping)

Key (cell shading on the original slide): Stable / Unstable / N/A

1) Tunnels/Active = number of tunnels versus number of active shapers
2) "Unstable" corresponds to detaching and re-attaching the service policy on the tunnels
3) All CPU values are observed steady-state values; (99%) in parentheses means CPU was at 99% for a while before stabilization
4) Original EC = 700/210 @ 47.6 Mbps <= 80% CPU under unstable conditions (presumably)
5) For 7200 NPE-G2/VSA low scale numbers, CSCsu73714 filed.
SYSLog Extension
NHServer, NHClient, NHPeer (up/down)
DMVPN Crypto Session (up/down)
NHRP Resolution (receive/reply/timeout/fail)
NHRP Max Send
NHRP Errors: (Send, Multicast, Encap)
Thank you.