In our first DMVPN lesson we explained the basics and the differences of the three phases. We also looked at an example for a basic DMVPN phase 3 configuration and how to configure RIP, EIGRP and OSPF on top of it.
This time, we are going to look at BGP. Here is the topology we shall use:
There is one hub router and two spoke routers. Let’s configure this!
Configuration
Tunnel Interfaces
Let’s start with a basic DMVPN phase 3 configuration:
Hub(config)#interface Tunnel0
Hub(config-if)#ip address 172.16.123.1 255.255.255.0
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#ip nhrp redirect
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint
Hub(config-if)#end
Spoke1(config)#interface Tunnel0
Spoke1(config-if)#ip address 172.16.123.2 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke1(config-if)#ip nhrp map multicast 192.168.123.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.123.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint
Spoke1(config-if)#ip nhrp shortcut
Spoke2(config)#interface Tunnel0
Spoke2(config-if)#ip address 172.16.123.3 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke2(config-if)#ip nhrp map multicast 192.168.123.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.123.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint
Spoke2(config-if)#ip nhrp shortcut
Let’s make sure the spokes have registered themselves with the hub:
Hub#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.123.2 172.16.123.2 UP 00:00:04 D
1 192.168.123.3 172.16.123.3 UP 00:00:03 D
And let’s check if we can ping the spoke routers:
Hub#ping 172.16.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/10 ms
Hub#ping 172.16.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/8 ms
So far so good, time to configure BGP.
EBGP with same AS number on spokes
This configuration will be similar to what we used for BGP on DMVPN phase 2. Our spoke routers don’t need to know any specific routes so we can use a default route. We’ll use dynamic BGP peers so that we don’t have to configure static neighbors. Let’s start with the default route:
Hub(config)#ip route 0.0.0.0 0.0.0.0 Null0
Hub(config)#ip prefix-list DEFAULT_ROUTE permit 0.0.0.0/0
Hub(config)#route-map SPOKE_ROUTERS permit 10
Hub(config-route-map)#match ip address prefix-list DEFAULT_ROUTE
This route-map will be attached to the spoke routers. Let’s configure the hub:
Hub(config)#router bgp 65001
Hub(config-router)#bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
Hub(config-router)#neighbor DMVPN_SPOKES peer-group
Hub(config-router)#neighbor DMVPN_SPOKES remote-as 65023
Hub(config-router)#neighbor DMVPN_SPOKES route-map SPOKE_ROUTERS out
Hub(config-router)#network 0.0.0.0 mask 0.0.0.0
Our hub router uses a peer group for the spoke routers and we only advertise the default route. Let’s configure the spoke routers:
Spoke1(config)#router bgp 65023
Spoke1(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke1(config-router)#network 2.2.2.2 mask 255.255.255.255
Spoke2(config)#router bgp 65023
Spoke2(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke2(config-router)#network 3.3.3.3 mask 255.255.255.255
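The hub's outbound policy can be checked offline. The following added example (not part of the original lesson) models IOS prefix-list matching in Python to show that `permit 0.0.0.0/0` matches only the default route. The `le 32` entry is a constructed contrast, and the model covers only the route-map filter, not BGP's own advertisement rules.

```python
# Added example: models IOS prefix-list matching plus the implicit deny at the
# end of a prefix-list / route-map. Not taken from the original lesson.
import ipaddress

def parse_entry(line):
    """Parse 'permit|deny A.B.C.D/len [ge N] [le N]' (text after the list name/seq)."""
    tok = line.split()
    action, net = tok[0], ipaddress.ip_network(tok[1])
    opts = dict(zip(tok[2::2], map(int, tok[3::2])))
    ge, le = opts.get("ge"), opts.get("le")
    if ge is None and le is None:
        lo = hi = net.prefixlen              # no ge/le: exact prefix length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32
    return action, net, lo, hi

def prefix_list_permits(entries, route):
    """First matching entry wins; no match means implicit deny."""
    route = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

# Hub BGP table as shown in the lesson: its own default route plus the spoke loopbacks.
HUB_BGP_TABLE = ["0.0.0.0/0", "2.2.2.2/32", "3.3.3.3/32"]

PAGE_LIST = ["permit 0.0.0.0/0"]            # DEFAULT_ROUTE from the lesson
LOOSE_LIST = ["permit 0.0.0.0/0 le 32"]     # constructed contrast: matches any prefix

def advertised(prefix_list_lines, table=HUB_BGP_TABLE):
    """Routes that pass 'route-map SPOKE_ROUTERS permit 10' matching this prefix-list."""
    entries = [parse_entry(l) for l in prefix_list_lines]
    return [r for r in table if prefix_list_permits(entries, r)]

if __name__ == "__main__":
    print("lesson policy :", advertised(PAGE_LIST))
    print("with 'le 32'  :", advertised(LOOSE_LIST))
```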
Now let’s check the routing tables:
Hub#show ip route bgp
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [20/0] via 172.16.123.2, 00:06:32
3.0.0.0/32 is subnetted, 1 subnets
B 3.3.3.3 [20/0] via 172.16.123.3, 00:06:02
Spoke1#show ip route bgp
B* 0.0.0.0/0 [20/0] via 172.16.123.1, 00:07:05
Spoke2#show ip route bgp
B* 0.0.0.0/0 [20/0] via 172.16.123.1, 00:09:04
The hub sees two specific entries and the spoke routers see the default route. Let’s send some traffic from spoke1 to spoke2:
Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.123.3 [AS 65001] 7 msec 7 msec *
This is looking good: traffic goes directly from spoke1 to spoke2. This is all thanks to NHRP, which installed some entries in the routing tables:
Spoke1#show ip route | include 3.3.3.3
H 3.3.3.3 [250/255] via 172.16.123.3, 00:02:48, Tunnel0
Spoke2#show ip route | include 2.2.2.2
H 2.2.2.2 [250/255] via 172.16.123.2, 00:02:44, Tunnel0
We can also check the NHRP cache of the spoke routers:
Spoke1#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.168.123.3 172.16.123.3 UP 00:02:12 DT1
172.16.123.3 UP 00:02:12 DT1
1 192.168.123.1 172.16.123.1 UP 00:35:27 S
Spoke2#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.168.123.2 172.16.123.2 UP 00:02:17 DT1
172.16.123.2 UP 00:02:17 DT1
1 192.168.123.1 172.16.123.1 UP 00:35:35 S
Above we can see that the spoke routers know about each other’s NBMA addresses.
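The registration check on the hub and the NHRP cache check on the spokes can be automated. This added example (not part of the original lesson) parses the `show dmvpn` peer rows shown above, including the continuation row that omits the NBMA column; the function names are assumptions made for illustration.

```python
# Added example (not from the original lesson): parse "show dmvpn" peer rows.
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# A row is "<ent> <nbma> <tunnel> <state> <updn> <attrb>"; a continuation row
# for the same NBMA peer omits the first two columns.
ROW = re.compile(rf"^\s*(?:(\d+)\s+({IP})\s+)?({IP})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Sample input copied from the outputs shown in this lesson.
HUB_OUTPUT = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.123.2 172.16.123.2 UP 00:00:04 D
1 192.168.123.3 172.16.123.3 UP 00:00:03 D
"""
SPOKE1_OUTPUT = """\
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.168.123.3 172.16.123.3 UP 00:02:12 DT1
172.16.123.3 UP 00:02:12 DT1
1 192.168.123.1 172.16.123.1 UP 00:35:27 S
"""

def parse_show_dmvpn(text):
    """Return one dict per peer row, carrying the NBMA address forward."""
    peers, nbma = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # legend, header and separator lines
        nbma = m.group(2) or nbma
        peers.append({"nbma": nbma, "tunnel": m.group(3), "state": m.group(4),
                      "uptime": m.group(5), "attrb": m.group(6)})
    return peers

def missing_spokes(text, expected_tunnel_ips):
    """Expected spoke tunnel addresses that have no UP entry on the hub."""
    up = {p["tunnel"] for p in parse_show_dmvpn(text) if p["state"] == "UP"}
    return sorted(set(expected_tunnel_ips) - up)

def dynamic_peers(text):
    """(NBMA, tunnel) pairs learned dynamically through NHRP (attribute D)."""
    return sorted({(p["nbma"], p["tunnel"]) for p in parse_show_dmvpn(text)
                   if p["attrb"].startswith("D")})

if __name__ == "__main__":
    print(missing_spokes(HUB_OUTPUT, ["172.16.123.2", "172.16.123.3"]))
    print(dynamic_peers(SPOKE1_OUTPUT))
```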
IBGP
Instead of eBGP we can also use iBGP. The configuration will be very similar to what we just did. Let’s create a default route on the hub:
Hub(config)#ip route 0.0.0.0 0.0.0.0 Null0
Hub(config)#ip prefix-list DEFAULT_ROUTE permit 0.0.0.0/0
Hub(config)#route-map SPOKE_ROUTERS permit 10
Hub(config-route-map)#match ip address prefix-list DEFAULT_ROUTE
And configure iBGP with dynamic peers:
Hub(config)#router bgp 65123
Hub(config-router)#bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
Hub(config-router)#neighbor DMVPN_SPOKES peer-group
Hub(config-router)#neighbor DMVPN_SPOKES remote-as 65123
Hub(config-router)#neighbor DMVPN_SPOKES route-map SPOKE_ROUTERS out
Hub(config-router)#network 0.0.0.0 mask 0.0.0.0
Let’s change the spoke routers:
Spoke1 & Spoke2
(config)#no router bgp 65023
And configure them to use the new AS number:
Spoke1(config)#router bgp 65123
Spoke1(config-router)#neighbor 172.16.123.1 remote-as 65123
Spoke1(config-router)#network 2.2.2.2 mask 255.255.255.255
Spoke2(config)#router bgp 65123
Spoke2(config-router)#neighbor 172.16.123.1 remote-as 65123
Spoke2(config-router)#network 3.3.3.3 mask 255.255.255.255
Let’s see what we now find in the routing tables:
Hub#show ip route bgp
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [200/0] via 172.16.123.2, 00:04:21
3.0.0.0/32 is subnetted, 1 subnets
B 3.3.3.3 [200/0] via 172.16.123.3, 00:03:06
Spoke1#show ip route bgp
B* 0.0.0.0/0 [200/0] via 172.16.123.1, 00:04:39
Spoke2#show ip route bgp
B* 0.0.0.0/0 [200/0] via 172.16.123.1, 00:03:37
Let’s send some traffic from spoke1 to spoke2:
Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.123.3 [AS 65001] 7 msec 7 msec *
Now take a look at the routing tables:
Spoke1#show ip route | include 3.3.3.3
H 3.3.3.3 [250/255] via 172.16.123.3, 00:00:23, Tunnel0
Spoke2#show ip route | include 2.2.2.2
H 2.2.2.2 [250/255] via 172.16.123.2, 00:00:34, Tunnel0
The spoke routers installed two new NHRP entries. They also installed the NBMA addresses in the NHRP cache:
Spoke1#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.168.123.3 172.16.123.3 UP 00:48:51 DT1
172.16.123.3 UP 00:48:51 DT1
1 192.168.123.1 172.16.123.1 UP 01:22:05 S
Spoke2#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.168.123.2 172.16.123.2 UP 00:48:53 DT1
172.16.123.2 UP 00:48:53 DT1
1 192.168.123.1 172.16.123.1 UP 01:22:11 S
That’s all there is to it!
hostname Hub
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router bgp 65123
 bgp log-neighbor-changes
 bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
 network 0.0.0.0
 neighbor DMVPN_SPOKES peer-group
 neighbor DMVPN_SPOKES remote-as 65123
 neighbor DMVPN_SPOKES route-map SPOKE_ROUTERS out
!
ip route 0.0.0.0 0.0.0.0 Null0
!
ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
!
route-map SPOKE_ROUTERS permit 10
 match ip address prefix-list DEFAULT_ROUTE
!
end
hostname Spoke1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router bgp 65123
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65123
!
end
hostname Spoke2
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.3 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router bgp 65123
 bgp log-neighbor-changes
 network 3.3.3.3 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65123
!
end
Conclusion
That’s it. This is the final lesson, so we have now covered RIP, EIGRP, OSPF and BGP on DMVPN phase 1, 2 and 3. BGP works very well on DMVPN: it’s scalable, and with dynamic peers we don’t have to configure static neighbors anymore.
I hope you enjoyed this lesson. If you have any questions, feel free to leave a comment!