Saturday, February 22, 2020

DMVPN Phase 1 BGP Routing

In the first DMVPN lesson I explained some of its basics, and in the second lesson I explained how to create a basic DMVPN phase 1 configuration. We also did a configuration for each of the IGPs.
This time, we’ll take a look at BGP. Here’s the topology we will use:
DMVPN Example Topology with hub, two spokes and loopback interfaces.

Configuration


Tunnel Interfaces

Here’s a basic DMVPN phase 1 configuration. Keep in mind that the ip nhrp authentication string travels in cleartext inside the NHRP packets: it only keeps a misconfigured router out of the cloud and is no substitute for IPsec tunnel protection, which is left out here so we can focus on routing:
Hub(config)#interface Tunnel0
Hub(config-if)#ip address 172.16.123.1 255.255.255.0
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint
Spoke1(config)#interface Tunnel0
Spoke1(config-if)#ip address 172.16.123.2 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke1(config-if)#ip nhrp map multicast 192.168.123.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.123.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel destination 192.168.123.1
Spoke2(config)#interface Tunnel0
Spoke2(config-if)#ip address 172.16.123.3 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke2(config-if)#ip nhrp map multicast 192.168.123.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.123.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel destination 192.168.123.1
Let’s verify that the tunnels are working. Both spokes should show up on the hub as dynamically registered (D) NHRP peers:
Hub#show dmvpn | begin 192.168.123.
     1 192.168.123.2      172.16.123.2    UP 00:22:37     D
     1 192.168.123.3      172.16.123.3    UP 00:00:32     D
And do a quick ping:
Hub#ping 172.16.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/8 ms
Hub#ping 172.16.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/9 ms
Everything seems to be working, time to configure BGP.

eBGP with different AS on the spokes

There are a number of variations we can choose from:
  • eBGP with a different AS number on each spoke.
  • eBGP with the same AS number on each spoke.
  • iBGP
We’ll take a look at all of these options, starting with eBGP and a different AS number on each spoke:
Hub(config)#router bgp 65001
Hub(config-router)#neighbor 172.16.123.2 remote-as 65002
Hub(config-router)#neighbor 172.16.123.3 remote-as 65003
Hub(config-router)#network 1.1.1.1 mask 255.255.255.255
Spoke1(config)#router bgp 65002
Spoke1(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke1(config-router)#network 2.2.2.2 mask 255.255.255.255
Spoke2(config)#router bgp 65003
Spoke2(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke2(config-router)#network 3.3.3.3 mask 255.255.255.255
Above we configured a different AS number on each router and advertised the loopback interfaces in BGP. Let’s see if our hub router has two neighbors:
Hub#show ip bgp summary | begin Neighbor
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.123.2    4        65002      47      48        4    0    0 00:38:49        1
172.16.123.3    4        65003      46      47        4    0    0 00:38:05        1
This is looking good: we have two neighbors, and each has sent us one prefix. Let’s take a look at the routing tables:
Hub#show ip route bgp 

      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 172.16.123.2, 00:37:59
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [20/0] via 172.16.123.3, 00:37:59
Spoke1#show ip route bgp

      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.1 [20/0] via 172.16.123.1, 00:38:16
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [20/0] via 172.16.123.3, 00:37:46
Spoke2#show ip route bgp 

      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.1 [20/0] via 172.16.123.1, 00:38:34
      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 172.16.123.2, 00:38:34
All routers have learned the different networks. Let’s see if spoke1 can reach spoke2:
Spoke1#ping 3.3.3.3 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/10 ms
Great, no issues there. In phase 1 all spoke-to-spoke traffic goes through the hub anyway, so the spokes don’t need to know the specific networks behind the other spokes. eBGP has no split horizon, so the hub happily re-advertises one spoke’s prefixes to the other unless we stop it.
Let’s configure the hub so that it only advertises a default route to the spokes. I’ll use a route-map for this:
Hub(config)#ip route 0.0.0.0 0.0.0.0 null0

Hub(config)#ip prefix-list DEFAULT_ROUTE permit 0.0.0.0/0

Hub(config)#route-map SPOKE_ROUTERS permit 10
Hub(config-route-map)#match ip address prefix-list DEFAULT_ROUTE

Hub(config)#router bgp 65001
Hub(config-router)#network 0.0.0.0 mask 0.0.0.0
Hub(config-router)#neighbor 172.16.123.2 route-map SPOKE_ROUTERS out
Hub(config-router)#neighbor 172.16.123.3 route-map SPOKE_ROUTERS out

Hub#clear ip bgp *
A hard reset like this drops every BGP session on the hub; on a production hub, clear ip bgp * soft out pushes the new outbound policy without tearing the sessions down. Our hub router should still have all networks, while the spoke routers should only have a default route. Let’s take a look:
Hub#show ip route bgp 

      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 172.16.123.2, 00:00:52
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [20/0] via 172.16.123.3, 00:00:52
Spoke1#show ip route bgp

B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:00:44
Spoke2#show ip route bgp

B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:00:48
That’s looking good. Let’s verify connectivity:
Spoke1#ping 3.3.3.3 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/9 ms
It’s still working, excellent!
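The filtering above is easy to eyeball with three routers, but on a hub with dozens of spokes you want a check you can rerun after every policy change. The following Python script is an added example and not part of the original lesson: it parses Cisco IOS show ip route bgp output (both the "is subnetted" parent/child layout and the B* default-route line), then verifies the policy this section set up, i.e. a spoke must hold nothing but a default route pointing at the hub’s tunnel address, and the hub must hold exactly one /32 per spoke loopback. The embedded sample output is copied from this page; the "before" table is spoke1’s routing table from earlier in this section, prior to the route-map, which the check correctly flags as a leak.

```python
"""Check 'show ip route bgp' output from a DMVPN phase 1 hub and its spokes.

Added example (not from the original lesson): parses the Cisco IOS routing
table output shown on this page and verifies the intended policy, i.e. each
spoke holds nothing but a default route via the hub, and the hub holds one /32
per spoke loopback.  A specific prefix on a spoke means the hub filter leaked.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_network

# "      2.0.0.0/32 is subnetted, 1 subnets" - the child lines below it omit the mask
_PARENT = re.compile(r"^\s+\S+/(\d+) is (?:variably )?subnetted")
# "B        2.2.2.2 [20/0] via 172.16.123.2, 00:37:59"
# "B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:00:44"   (* = candidate default)
_ROUTE = re.compile(
    r"^B(?P<cand>\*)?\s+(?P<dest>[\d.]+(?:/\d+)?)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+)"
)

DEFAULT = "0.0.0.0/0"


@dataclass(frozen=True)
class BgpRoute:
    prefix: str          # CIDR, e.g. "2.2.2.2/32"
    ad: int              # administrative distance: 20 = eBGP, 200 = iBGP
    metric: int
    next_hop: str
    candidate_default: bool


def parse_show_ip_route_bgp(text: str) -> list:
    routes, parent_len = [], None
    for line in text.splitlines():
        m = _PARENT.match(line)
        if m:
            parent_len = int(m.group(1))   # mask for the child lines that follow
            continue
        m = _ROUTE.match(line)
        if not m:
            continue
        dest = m.group("dest")
        if "/" not in dest:
            if parent_len is None:
                raise ValueError(f"route without a mask and no parent line: {line!r}")
            dest = f"{dest}/{parent_len}"
        routes.append(BgpRoute(str(ip_network(dest, strict=False)), int(m.group("ad")),
                               int(m.group("metric")), m.group("nh"),
                               m.group("cand") is not None))
    return routes


def check_spoke(routes: list, hub_tunnel_ip: str) -> list:
    """Policy for a spoke: exactly a default route, and it must point at the hub."""
    problems = []
    defaults = [r for r in routes if r.prefix == DEFAULT]
    if not defaults:
        problems.append("no default route learned from the hub")
    for r in defaults:
        if r.next_hop != hub_tunnel_ip:
            problems.append(f"default route via {r.next_hop}, expected hub {hub_tunnel_ip}")
    for r in routes:
        if r.prefix != DEFAULT:
            problems.append(f"specific prefix {r.prefix} via {r.next_hop} leaked past the hub filter")
    return problems


def check_hub(routes: list, expected: dict) -> list:
    """Policy for the hub: one route per spoke loopback, via that spoke's tunnel address."""
    seen = {r.prefix: r for r in routes}
    problems = [f"missing spoke prefix {p}" for p in expected if p not in seen]
    problems += [f"{p} via {seen[p].next_hop}, expected {nh}"
                 for p, nh in expected.items() if p in seen and seen[p].next_hop != nh]
    problems += [f"unexpected prefix {p} on the hub" for p in seen if p not in expected]
    return problems


# Output copied from this page: hub and spoke1 after the route-map was applied.
HUB_AFTER = """\
      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 172.16.123.2, 00:00:52
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [20/0] via 172.16.123.3, 00:00:52
"""
SPOKE1_AFTER = "B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:00:44\n"
# Spoke1 before the route-map (also from this page): two leaked /32s and no default.
SPOKE1_BEFORE = """\
      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.1 [20/0] via 172.16.123.1, 00:38:16
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [20/0] via 172.16.123.3, 00:37:46
"""
EXPECTED_ON_HUB = {"2.2.2.2/32": "172.16.123.2", "3.3.3.3/32": "172.16.123.3"}

if __name__ == "__main__":
    print("hub   :", check_hub(parse_show_ip_route_bgp(HUB_AFTER), EXPECTED_ON_HUB) or "OK")
    print("spoke1:", check_spoke(parse_show_ip_route_bgp(SPOKE1_AFTER), "172.16.123.1") or "OK")
    print("before:", check_spoke(parse_show_ip_route_bgp(SPOKE1_BEFORE), "172.16.123.1"))
```

The same parser works unchanged for the iBGP variant later on this page, where the administrative distance shows up as 200 instead of 20; the checks only care about prefixes and next hops, so they catch a leak regardless of which BGP flavour caused it.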

eBGP with same AS on the spokes

Another option with eBGP is to use the same AS number on all spoke routers. The advantage is that we don’t have to filter anything on the hub: BGP’s loop prevention makes a router reject any route whose AS path already contains its own AS number, so a spoke drops the prefixes of the other spokes by itself. Let’s clean up first:
Hub(config)#router bgp 65001
Hub(config-router)#no neighbor 172.16.123.2
Hub(config-router)#no neighbor 172.16.123.3
Spoke1(config)#no router bgp 65002
Spoke2(config)#no router bgp 65003
Now we’ll configure the spoke routers to use AS 65023:
Hub(config)#router bgp 65001
Hub(config-router)#neighbor 172.16.123.2 remote-as 65023 
Hub(config-router)#neighbor 172.16.123.3 remote-as 65023
Spoke1(config)#router bgp 65023
Spoke1(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke1(config-router)#network 2.2.2.2 mask 255.255.255.255
Spoke2(config)#router bgp 65023 
Spoke2(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke2(config-router)#network 3.3.3.3 mask 255.255.255.255
Our hub router still advertises a default route, but we don’t need the route-map anymore. Let’s take a closer look:
Hub#show ip route bgp 

      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 172.16.123.2, 00:00:56
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [20/0] via 172.16.123.3, 00:00:20
The hub still has the networks from the spoke routers in its routing table. Let’s see what it is advertising to the spoke routers:
Hub#show ip bgp neighbors 172.16.123.2 advertised-routes 
BGP table version is 9, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  1.1.1.1/32       0.0.0.0                  0         32768 i
 *>  2.2.2.2/32       172.16.123.2             0             0 65023 i
 *>  3.3.3.3/32       172.16.123.3             0             0 65023 i
Hub#show ip bgp neighbors 172.16.123.3 advertised-routes 
BGP table version is 9, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  1.1.1.1/32       0.0.0.0                  0         32768 i
 *>  2.2.2.2/32       172.16.123.2             0             0 65023 i
 *>  3.3.3.3/32       172.16.123.3             0             0 65023 i
Above you can see that the hub advertises all four prefixes to both spokes, including 3.3.3.3/32 to spoke1, 2.2.2.2/32 to spoke2 and even each spoke’s own loopback back to it. The hub prepends its own AS on the way out, so these arrive with AS path 65001 65023. What did the spokes install?
Spoke1#show ip route bgp

B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:04:05
      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.1 [20/0] via 172.16.123.1, 00:04:05
Spoke2#show ip route bgp 

B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:02:19
      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.1 [20/0] via 172.16.123.1, 00:02:19
Spoke1 doesn’t accept 3.3.3.3/32 (or its own 2.2.2.2/32) since AS 65023 is in the AS path. The same applies to spoke2, which rejects 2.2.2.2/32 for the same reason. The default route is installed, and we also see 1.1.1.1/32. It would be best to remove the network 1.1.1.1 mask 255.255.255.255 command on the hub, since we don’t need this entry.
Let’s see if the spokes can still reach each other:
Spoke1#ping 3.3.3.3 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/9 ms
Spoke1 can still reach spoke2. No problems here!

iBGP with dynamic peers

The two previous eBGP examples work well, but both share one “issue”: we configured each neighbor manually on the hub. That works, but it defeats the purpose of having spoke routers that join the DMVPN cloud dynamically.
BGP supports “dynamic peers”: the hub accepts a BGP neighbor adjacency from any router whose address falls in a configured range. This works for both eBGP and iBGP, but there is one catch: every router matched by a listen range has to use the AS number configured on the peer-group.
I’ll show you how to do this with iBGP:
Hub(config)#router bgp 65001
Hub(config-router)#bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
Hub(config-router)#neighbor DMVPN_SPOKES peer-group
Hub(config-router)#neighbor DMVPN_SPOKES remote-as 65001
Hub(config-router)#network 0.0.0.0 mask 0.0.0.0
Above we used the listen range command to accept a BGP neighbor adjacency from any device in the 172.16.123.0/24 range. The peer-group sets the remote AS to 65001, so these are iBGP neighbors, and the default route is advertised. Because anything that can get a packet onto the tunnel subnet can now attempt a session, a production hub should at least require a BGP password on the peer-group and cap the number of dynamic neighbors with bgp listen limit, on top of the IPsec protection the tunnel should have anyway. Let’s configure the spoke routers:
Spoke1(config)#router bgp 65001
Spoke1(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke1(config-router)#network 2.2.2.2 mask 255.255.255.255
Spoke2(config)#router bgp 65001
Spoke2(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke2(config-router)#network 3.3.3.3 mask 255.255.255.255
Let’s check the routing tables:
Hub#show ip route bgp 

      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [200/0] via 172.16.123.2, 00:02:23
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [200/0] via 172.16.123.3, 00:02:23
Spoke1#show ip route bgp

B*    0.0.0.0/0 [200/0] via 172.16.123.1, 00:01:26
Spoke2#show ip route bgp 

B*    0.0.0.0/0 [200/0] via 172.16.123.1, 00:01:08
The hub router sees both spoke networks; each spoke only sees the default route.
The advantage of iBGP in combination with DMVPN phase 1 is that you don’t have to filter anything on the hub router. Because of iBGP split horizon, a route learned from one iBGP neighbor is never advertised to another iBGP neighbor, so the hub (which is not a route reflector) won’t advertise any networks from spoke1 to spoke2 (or vice versa).
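Why each of the three designs ends with the spokes holding only a default route comes down to three BGP rules: the outbound route-map on the hub (first design), AS path loop detection on the receiving router (second design) and iBGP split horizon (this one). The Python model below is an added example, not part of the original lesson and not Cisco code: it applies exactly those three rules to the page’s topology (same AS numbers and tunnel addresses) and reproduces the routing tables shown in each section. It also runs the first design without the route-map to show the leak the filter prevents. Next-hop handling and best-path selection are deliberately left out, since they don’t change which prefixes get accepted here.

```python
"""Model of the three BGP designs on this page (DMVPN phase 1 hub, two spokes).

Added example, not Cisco code: a small simulation of the three rules that decide
what a spoke learns (hub outbound prefix filter, AS_PATH loop detection on receipt,
iBGP split horizon).  Next hops and best-path selection are ignored on purpose.
"""
from __future__ import annotations
from dataclasses import dataclass, field, replace

HUB, SPOKE1, SPOKE2 = "172.16.123.1", "172.16.123.2", "172.16.123.3"
DEFAULT = "0.0.0.0/0"


@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: tuple             # AS numbers traversed, most recent first
    from_ibgp: bool = False    # learned from an iBGP peer (drives split horizon)


@dataclass
class Router:
    name: str
    asn: int
    ip: str
    originated: tuple                               # prefixes injected with 'network'
    neighbors: dict = field(default_factory=dict)   # peer ip -> peer ASN
    allow_out: frozenset | None = None              # outbound prefix filter; None = none
    table: dict = field(default_factory=dict)       # learned prefix -> Path

    def advertise(self, peer_ip: str) -> list[Path]:
        ibgp = self.neighbors[peer_ip] == self.asn
        out = []
        for path in [Path(p, ()) for p in self.originated] + list(self.table.values()):
            if ibgp and path.from_ibgp:
                continue   # iBGP split horizon: never reflect between iBGP peers
            if self.allow_out is not None and path.prefix not in self.allow_out:
                continue   # the hub's outbound route-map / prefix-list
            # eBGP prepends our own AS; iBGP leaves the AS_PATH untouched
            out.append(Path(path.prefix, path.as_path if ibgp else (self.asn,) + path.as_path))
        return out

    def receive(self, peer_ip: str, paths: list[Path]) -> bool:
        ibgp = self.neighbors[peer_ip] == self.asn
        changed = False
        for p in paths:
            if self.asn in p.as_path:
                continue   # AS_PATH loop detection: our own AS is already in the path
            new = replace(p, from_ibgp=ibgp)
            if self.table.get(p.prefix) != new:
                self.table[p.prefix] = new
                changed = True
        return changed


def peer(a: Router, b: Router) -> None:
    a.neighbors[b.ip] = b.asn
    b.neighbors[a.ip] = a.asn


def converge(routers: list[Router], max_rounds: int = 10) -> dict[str, list[str]]:
    """Exchange updates until nothing changes; return the learned prefixes per router."""
    by_ip = {r.ip: r for r in routers}
    for _ in range(max_rounds):
        updates = [(r.ip, nbr, r.advertise(nbr)) for r in routers for nbr in r.neighbors]
        delivered = [by_ip[dst].receive(src, paths) for src, dst, paths in updates]
        if not any(delivered):
            break
    return {r.name: sorted(r.table) for r in routers}


def build(design: str) -> list[Router]:
    """The page's three designs plus the unfiltered first one, which shows the leak."""
    s1, s2 = ("2.2.2.2/32",), ("3.3.3.3/32",)
    if design == "ebgp_different_as_unfiltered":   # first design before the route-map
        hub, spoke_as = Router("Hub", 65001, HUB, ("1.1.1.1/32",)), (65002, 65003)
    elif design == "ebgp_different_as":            # ... with the route-map applied
        hub = Router("Hub", 65001, HUB, (DEFAULT, "1.1.1.1/32"), allow_out=frozenset({DEFAULT}))
        spoke_as = (65002, 65003)
    elif design == "ebgp_same_as":                 # spokes share AS 65023, no filter
        hub, spoke_as = Router("Hub", 65001, HUB, (DEFAULT, "1.1.1.1/32")), (65023, 65023)
    elif design == "ibgp":                         # one AS, hub is not a route reflector
        hub, spoke_as = Router("Hub", 65001, HUB, (DEFAULT,)), (65001, 65001)
    else:
        raise ValueError(f"unknown design {design!r}")
    spokes = [Router("Spoke1", spoke_as[0], SPOKE1, s1), Router("Spoke2", spoke_as[1], SPOKE2, s2)]
    for s in spokes:
        peer(hub, s)     # phase 1: spokes peer with the hub only
    return [hub, *spokes]


def learned_routes(design: str) -> dict[str, list[str]]:
    return converge(build(design))


if __name__ == "__main__":
    for d in ("ebgp_different_as_unfiltered", "ebgp_different_as", "ebgp_same_as", "ibgp"):
        print(f"{d:28} {learned_routes(d)}")
```

Running it prints the same tables as the show ip route bgp outputs on this page: the unfiltered eBGP design leaks 3.3.3.3/32 to spoke1 and 2.2.2.2/32 to spoke2, the route-map leaves only 0.0.0.0/0, the same-AS design keeps 1.1.1.1/32 alongside the default (loop detection only removes the 65023 prefixes), and iBGP leaves the default alone without any filter at all.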
Configurations

Here are the final configurations. First eBGP with the same AS on the spokes:

hostname Hub
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65001
 bgp log-neighbor-changes
 network 0.0.0.0
 network 1.1.1.1 mask 255.255.255.255
 neighbor 172.16.123.2 remote-as 65023
 neighbor 172.16.123.3 remote-as 65023
!
ip route 0.0.0.0 0.0.0.0 Null0
!
ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
!
route-map SPOKE_ROUTERS permit 10
 match ip address prefix-list DEFAULT_ROUTE
!
end
hostname Spoke1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.123.1
!
interface GigabitEthernet0/1
 ip address 192.168.123.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65023
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65001
!
end
hostname Spoke2
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.3 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.123.1
!
interface GigabitEthernet0/1
 ip address 192.168.123.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65023
 bgp log-neighbor-changes
 network 3.3.3.3 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65001
!
end
And iBGP with dynamic peers:

hostname Hub
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65001
 bgp log-neighbor-changes
 bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
 network 0.0.0.0
 neighbor DMVPN_SPOKES peer-group
 neighbor DMVPN_SPOKES remote-as 65001
 neighbor DMVPN_SPOKES route-map DMVPN_SPOKES out
!
ip route 0.0.0.0 0.0.0.0 Null0
!
ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
!
route-map DMVPN_SPOKES permit 10
 match ip address prefix-list DEFAULT_ROUTE
!
end
hostname Spoke1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.123.1
!
interface GigabitEthernet0/1
 ip address 192.168.123.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65001
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65001
!   
end
hostname Spoke2
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.3 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.123.1
!
interface GigabitEthernet0/1
 ip address 192.168.123.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65001
 bgp log-neighbor-changes
 network 3.3.3.3 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65001
!
end

Conclusion

You have now seen how to configure eBGP and iBGP for DMVPN phase 1. BGP is a good choice for DMVPN; this example was straightforward since the spoke routers only required a default route. In large DMVPN setups BGP is especially useful, since it’s easy to advertise, summarize and filter networks.
I hope you enjoyed this lesson, if you have any questions feel free to leave a comment!
