Saturday, February 22, 2020

DMVPN Phase 1 RIP Routing

In the first DMVPN lesson I explained some of its basics, and in the second lesson I explained how to create a basic DMVPN phase 1 configuration. In this lesson, we’ll take a look at how RIP behaves on DMVPN phase 1.
Here’s the topology we will use:
[Figure: DMVPN example topology with loopbacks]
Above we have two spoke routers and one hub. Our underlay network uses 192.168.123.0/24 and the overlay network uses 172.16.123.0/24. Each router has a loopback interface with a network that we can advertise in RIP.

Configuration


Tunnel Interfaces

Here is the configuration of the tunnel interfaces on the hub and spoke routers. I explained these commands in the DMVPN phase 1 basic configuration lesson so I’m not going to discuss them again:
Hub(config)#interface Tunnel0
Hub(config-if)#ip address 172.16.123.1 255.255.255.0
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint
Spoke1(config)#interface Tunnel0
Spoke1(config-if)#ip address 172.16.123.2 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke1(config-if)#ip nhrp map multicast 192.168.123.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.123.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel destination 192.168.123.1
Spoke2(config)#interface Tunnel0
Spoke2(config-if)#ip address 172.16.123.3 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke2(config-if)#ip nhrp map multicast 192.168.123.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.123.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel destination 192.168.123.1
Let’s do two quick checks. We want to make sure that both spokes are registered to the hub:
Hub#show dmvpn | begin 192.168.123.
     1 192.168.123.2      172.16.123.2    UP 00:22:37     D
     1 192.168.123.3      172.16.123.3    UP 00:00:32     D
And we want to make sure that we can ping all tunnel IP addresses:
Hub#ping 172.16.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/8 ms
Hub#ping 172.16.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/9 ms
Now we can focus on the RIP configuration…

RIP

Let’s enable RIP on all routers:
Hub(config)#router rip
Hub(config-router)#version 2
Hub(config-router)#network 1.0.0.0
Hub(config-router)#network 172.16.0.0
Hub(config-router)#no auto-summary
Spoke1(config)#router rip
Spoke1(config-router)#version 2
Spoke1(config-router)#network 2.0.0.0 
Spoke1(config-router)#network 172.16.0.0
Spoke1(config-router)#no auto-summary
Spoke2(config)#router rip
Spoke2(config-router)#version 2
Spoke2(config-router)#network 3.0.0.0
Spoke2(config-router)#network 172.16.0.0 
Spoke2(config-router)#no auto-summary 
Now let’s see what we have…
Hub#show ip route rip 

      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/1] via 172.16.123.2, 00:00:07, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
R        3.3.3.3 [120/1] via 172.16.123.3, 00:00:06, Tunnel0
Our hub router has learned both networks on the loopback interfaces. Take a good look at the next hop IP addresses that we have here; these are the tunnel addresses. When the hub wants to reach these networks, it will have to check NHRP to find the NBMA addresses:
Hub#show dmvpn | begin Hub
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.2      172.16.123.2    UP 00:29:29     D
     1 192.168.123.3      172.16.123.3    UP 00:07:24     D
When we want to reach 2.2.2.2/32 we will use 172.16.123.2 as the next hop. In our NHRP cache we see that we need to use NBMA address 192.168.123.2 to get there.
What about the spoke routers, did they learn anything?
Spoke1#show ip route rip 

      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:17, Tunnel0
Spoke2#show ip route rip 

      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:08, Tunnel0
Our spoke routers only have one entry, the network on the loopback interface of the hub router. What went wrong here?
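Keep in mind that RIP is a distance vector routing protocol, so we have to deal with split horizon: the hub learned both spoke networks on Tunnel0 and will not advertise them back out of that same interface. We can disable this on the hub router: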
Hub(config)#interface Tunnel 0
Hub(config-if)#no ip split-horizon 
This should allow the spoke routers to learn each other’s networks:
Spoke1#show ip route rip 

      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:10, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
R        3.3.3.3 [120/2] via 172.16.123.3, 00:00:10, Tunnel0
Spoke2#show ip route rip 

      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:01, Tunnel0
      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/2] via 172.16.123.2, 00:00:01, Tunnel0
Great…so can we ping between spoke1 and spoke2?
Spoke1#ping 3.3.3.3 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/8 ms
What does the traffic pattern look like?
Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.1 6 msec 7 msec 7 msec
  2 172.16.123.3 7 msec 8 msec *
Keep in mind that with DMVPN phase 1 there is no direct communication between the two spoke routers. Everything goes through the hub, which we can see in the traceroute above.
Since all traffic goes through the hub, we might as well just advertise a default route to our spoke routers. There’s no need for our spoke routers to learn all specific prefixes. Let’s advertise a default route on the hub router:
Hub(config)#interface Tunnel 0
Hub(config-if)#no ip split-horizon
Hub(config-if)#ip summary-address rip 0.0.0.0 0.0.0.0
When we advertise a default route from the hub, we don’t have to worry about split horizon anymore since no networks have to be advertised between spoke routers. We can enable it again. Let’s verify our work:
Spoke1#show ip route rip 

R*    0.0.0.0/0 [120/1] via 172.16.123.1, 00:00:07, Tunnel0
Spoke2#show ip route rip

R*    0.0.0.0/0 [120/1] via 172.16.123.1, 00:00:06, Tunnel0
This is looking good, let’s try a quick ping:
Spoke1#ping 3.3.3.3 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/9/12 ms
There we go, we can still ping from spoke1 to spoke2!
In my example I was able to advertise a default route on the hub since my underlay network is directly connected. In a real-world scenario, you are probably already using a default route for your Internet connection. In this case, you should use a summary that matches the networks behind your spoke routers instead of a default route.
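The split horizon and summary behaviour described above, modelled as a small Python simulation of the hub's RIP updates on Tunnel0. This is an added example, not part of the original lesson and not Cisco code; the function names are hypothetical, and the metric and next-hop rules are a simplified model chosen to reproduce the show output in this lesson.

```python
import ipaddress

# Constructed from the lesson's topology and show output (not a device dump).
HUB_TUNNEL_IP = "172.16.123.1"
HUB_NBMA = "192.168.123.1"
# Hub RIB: prefix -> (metric, next hop, interface the route was learned on)
HUB_RIB = {
    "1.1.1.1/32": (0, None, "Loopback0"),           # connected
    "2.2.2.2/32": (1, "172.16.123.2", "Tunnel0"),   # from Spoke1
    "3.3.3.3/32": (1, "172.16.123.3", "Tunnel0"),   # from Spoke2
}
# Hub NHRP cache as shown by "show dmvpn": tunnel address -> NBMA address
HUB_NHRP = {"172.16.123.2": "192.168.123.2", "172.16.123.3": "192.168.123.3"}

def hub_update(out_if, split_horizon, summary=None):
    """RIP entries the hub sends out out_if: prefix -> (metric, next hop)."""
    adv, covered = {}, []
    net = ipaddress.ip_network(summary) if summary else None
    for prefix, (metric, nh, in_if) in HUB_RIB.items():
        if split_horizon and in_if == out_if:
            continue  # never advertise a route back out the interface it came in on
        if net and ipaddress.ip_network(prefix).subnet_of(net):
            covered.append(metric)  # specifics inside the summary are suppressed
            continue
        # Assumption (model): a route learned on the same multipoint interface
        # keeps the originating spoke as next hop, as in the lesson's output.
        adv[prefix] = (metric + 1, nh if in_if == out_if else HUB_TUNNEL_IP)
    if covered:
        # Assumption (model): the summary carries the best child metric.
        adv[summary] = (min(covered) + 1, HUB_TUNNEL_IP)
    return adv

def spoke_routes(own_prefix, update):
    """What a spoke installs: everything in the update except its own prefix."""
    return {p: v for p, v in update.items() if p != own_prefix}

def nbma_target(router, next_hop):
    """Underlay address the GRE packet is sent to for an overlay next hop."""
    if router == "hub":
        return HUB_NHRP[next_hop]  # mGRE: resolve per next hop through NHRP
    return HUB_NBMA                # phase 1 spoke: fixed "tunnel destination"

if __name__ == "__main__":
    for label, sh, summ in [("split horizon on", True, None),
                            ("split horizon off", False, None),
                            ("default summary", False, "0.0.0.0/0")]:
        print(label, spoke_routes("2.2.2.2/32", hub_update("Tunnel0", sh, summ)))
```

Even when Spoke1 installs 3.3.3.3 with next hop 172.16.123.3, nbma_target returns the hub's NBMA address for a spoke, which is why the traceroute shows the hub as the first hop.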
Here’s what this ping looks like in Wireshark. This is the ICMP echo request:
[Figure: DMVPN Phase 1 ICMP request]
Above you can see the NBMA addresses and the tunnel addresses. Here’s the ICMP echo reply:
[Figure: DMVPN Phase 1 ICMP reply]
If you want to take a look for yourself, here’s the Wireshark capture file:
    hostname Hub
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Tunnel0
     ip address 172.16.123.1 255.255.255.0
     no ip redirects
     ip nhrp authentication DMVPN
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     no ip split-horizon
     ip summary-address rip 0.0.0.0 0.0.0.0
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
    !
    interface GigabitEthernet0/1
     ip address 192.168.123.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
     no cdp enable
    !         
    router rip
     version 2
     network 1.0.0.0
     network 172.16.0.0
     no auto-summary
    !
    end

    hostname Spoke1
    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.255
    !
    interface Tunnel0
     ip address 172.16.123.2 255.255.255.0
     ip nhrp authentication DMVPN
     ip nhrp map 172.16.123.1 192.168.123.1
     ip nhrp map multicast 192.168.123.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.123.1
     tunnel source GigabitEthernet0/1
     tunnel destination 192.168.123.1
    !
    interface GigabitEthernet0/1
     ip address 192.168.123.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
     no cdp enable
    !
    router rip
     version 2
     network 2.0.0.0
     network 172.16.0.0
     no auto-summary
    !
    end

    hostname Spoke2
    !
    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
    !
    interface Tunnel0
     ip address 172.16.123.3 255.255.255.0
     ip nhrp authentication DMVPN
     ip nhrp map 172.16.123.1 192.168.123.1
     ip nhrp map multicast 192.168.123.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.123.1
     tunnel source GigabitEthernet0/1
     tunnel destination 192.168.123.1
    !
    interface GigabitEthernet0/1
     ip address 192.168.123.3 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
     no cdp enable
    !
    router rip
     version 2
     network 3.0.0.0
     network 172.16.0.0
     no auto-summary
    !
    end

Conclusion

You have now learned how to configure RIP on top of DMVPN phase 1. If you think about it, this is kinda pointless. All traffic between spokes goes through the hub, which has to encapsulate and decapsulate all packets. With a lot of spoke routers and IPsec, this will put a big burden on the hub router.
In the next lessons we’ll see how EIGRP, OSPF and BGP behave!
  • DMVPN Phase 1 EIGRP Routing
  • DMVPN Phase 1 OSPF Routing
  • DMVPN Phase 1 BGP Routing
I hope you enjoyed this lesson, if you have any questions feel free to ask.
