Saturday, February 22, 2020

DMVPN Phase 3 OSPF Routing

In this lesson we’ll take a look how to configure OSPF on a DMVPN phase 3 network. Here’s the topology we will use:
DMVPN Example Topology with hub, two spokes and loopback interfaces.
There is one hub router and two spoke routers.

Configuration


Tunnel Interfaces

Let’s start with a basic DMVPN phase 3 configuration:
Hub(config)#interface Tunnel0
Hub(config-if)#ip address 172.16.123.1 255.255.255.0
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint
Hub(config-if)#ip nhrp redirect

Spoke1(config)#interface Tunnel0
Spoke1(config-if)#ip address 172.16.123.2 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke1(config-if)#ip nhrp map multicast 192.168.123.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.123.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint
Spoke1(config-if)#ip nhrp shortcut
Spoke2(config)#interface Tunnel0
Spoke2(config-if)#ip address 172.16.123.3 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke2(config-if)#ip nhrp map multicast 192.168.123.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.123.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint
Spoke2(config-if)#ip nhrp shortcut
Let’s make sure the tunnels are working:
Hub#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.2      172.16.123.2    UP 00:00:04     D
     1 192.168.123.3      172.16.123.3    UP 00:00:03     D
We see two NHRP registrations. Let’s do a quick ping from the hub:
Hub#ping 172.16.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/10 ms
Hub#ping 172.16.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/8 ms
The tunnels are up and running, time to mess around with OSPF.

OSPF

Point-to-point

The first OSPF network type, point-to-point we can forget about. I’ve showed this in the OSPF configuration for phase 1 and 2 before. We can’t use this since we use GRE multipoint interfaces.

Broadcast

The broadcast network type will work. Let’s enable it on all tunnel interfaces:
Hub, Spoke1 & Spoke2
(config)#interface Tunnel 0
(config-if)#ip ospf network broadcast
We need to make sure that the spoke router will never be elected as DR or BDR:
Spoke1 & Spoke2
(config)#interface Tunnel 0
(config-if)#ip ospf priority 0
Now we can configure some network commands. I’ll turn the loopback interface of the hub into area 0 and the DMVPN network will use area 1:
Hub(config)#router ospf 1
Hub(config-router)#network 1.1.1.1 0.0.0.0 area 0
Hub(config-router)#network 172.16.123.0 0.0.0.255 area 1
Spoke1(config)#router ospf 1
Spoke1(config-router)#network 172.16.123.0 0.0.0.255 area 1
Spoke1(config-router)#network 2.2.2.2 0.0.0.0 area 1
Spoke2(config)#router ospf 1
Spoke2(config-router)#network 172.16.123.0 0.0.0.255 area 1
Spoke2(config-router)#network 3.3.3.3 0.0.0.0 area 1
Let’s see what we find in the routing tables:
Hub#show ip route ospf

      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/1001] via 172.16.123.2, 00:00:38, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/1001] via 172.16.123.3, 00:00:01, Tunnel0
Spoke1#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/1001] via 172.16.123.1, 00:00:23, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/1001] via 172.16.123.3, 00:00:13, Tunnel0
Spoke2#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/1001] via 172.16.123.1, 00:02:07, Tunnel0
      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/1001] via 172.16.123.2, 00:02:07, Tunnel0
Each spoke router still has the routes for the other spoke router. Because we use a single area for DMVPN network there’s no way to get around this. Let’s see if spoke1 can reach spoke2 directly:
Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.3 9 msec 6 msec *
No problem at all! The spoke routers will install the NBMA addresses in their NHRP cache:
Spoke1#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.1      172.16.123.1    UP 00:14:26     S
     1 192.168.123.3      172.16.123.3    UP 00:03:38   DT1
Spoke2#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.1      172.16.123.1    UP 00:15:04     S
     1 192.168.123.2      172.16.123.2    UP 00:04:08   DT1
Nothing will change in the routing tables since we already had specific entries and the next hop addresses are correct:
Spoke1#show ip route ospf | include 3.3.3.3
O        3.3.3.3 [110/1001] via 172.16.123.3, 00:11:26, Tunnel0
Spoke2#show ip route ospf | include 2.2.2.2
O        2.2.2.2 [110/1001] via 172.16.123.2, 00:11:39, Tunnel0
Let’s try the next network type.

Non-broadcast

This will be exactly the same as the previous example with the exception that we have to configure static neighbors. Let’s change the tunnel interfaces:
Hub,Spoke1 & Spoke2
(config)#interface Tunnel 0
(config-if)#ip ospf network non-broadcast
Let’s add static neighbors on the hub:
Hub(config)#router ospf 1
Hub(config-router)#neighbor 172.16.123.2
Hub(config-router)#neighbor 172.16.123.3
Everything else will remain the same. Spoke routers are still able to reach each other directly:
Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.3 9 msec 6 msec *
The information in the NHRP cache will also remain the same:
Spoke1#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.1      172.16.123.1    UP 00:14:26     S
     1 192.168.123.3      172.16.123.3    UP 00:03:38   DT1
Spoke2#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.1      172.16.123.1    UP 00:15:04     S
     1 192.168.123.2      172.16.123.2    UP 00:04:08   DT1
Same thing for the routing tables:
Spoke1#show ip route ospf | include 3.3.3.3
O        3.3.3.3 [110/1001] via 172.16.123.3, 00:11:26, Tunnel0
Spoke2#show ip route ospf | include 2.2.2.2
O        2.2.2.2 [110/1001] via 172.16.123.2, 00:11:39, Tunnel0
Let’s move on to the next network type…

Point-to-multipoint

Time for something different. In DMVPN phase 2, we couldn’t really use this OSPF network type since it changes the next hop. Will it work better for DMVPN phase 3? Let’s find out!
First I will remove the static neighbors:
Hub(config)#router ospf 1
Hub(config-router)#no neighbor 172.16.123.2
Hub(config-router)#no neighbor 172.16.123.3
Let’s change the network type on the tunnel interfaces:
Hub, Spoke1 & Spoke2
(config)#interface Tunnel 0
(config-if)#ip ospf network point-to-multipoint
Let’s make sure we have neighbors:
Hub#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:01:50    172.16.123.2    Tunnel0
3.3.3.3           0   FULL/  -        00:01:58    172.16.123.3    Tunnel0
We do and the advantage of point-to-multipoint is that you don’t have to worry about a DR/BDR election. Let’s check the routing tables:
Hub#show ip route ospf

      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/1001] via 172.16.123.2, 00:01:37, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/1001] via 172.16.123.3, 00:01:37, Tunnel0
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O        172.16.123.2/32 [110/1000] via 172.16.123.2, 00:01:37, Tunnel0
O        172.16.123.3/32 [110/1000] via 172.16.123.3, 00:01:37, Tunnel0
Spoke1#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/1001] via 172.16.123.1, 00:01:41, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/2001] via 172.16.123.1, 00:01:41, Tunnel0
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O        172.16.123.1/32 [110/1000] via 172.16.123.1, 00:01:41, Tunnel0
O   %    172.16.123.3/32 [110/2000] via 172.16.123.1, 00:01:41, Tunnel0
Spoke2#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/1001] via 172.16.123.1, 00:01:47, Tunnel0
      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/2001] via 172.16.123.1, 00:01:47, Tunnel0
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O        172.16.123.1/32 [110/1000] via 172.16.123.1, 00:01:47, Tunnel0
O   %    172.16.123.2/32 [110/2000] via 172.16.123.1, 00:01:47, Tunnel0
Above you can see that the spoke routers learned each others loopback interfaces. Take a close look at the next hop, that’s the IP address of the hub. You can also see a strange % symbol which I’ll explain in a minute. First let’s try a traceroute from spoke1 to spoke2:
Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.1 9 msec 7 msec 7 msec
  2 172.16.123.3 9 msec 8 msec *
The first time I do this, we can see that our traffic goes through the hub. When I try it a second time, something else happens:
Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.3 5 msec 5 msec *
This time, traffic from spoke1 goes directly to spoke2. How is this possible? Take another look at the routing table:
Spoke1#show ip route ospf | include 3.3.3.3
O   %    3.3.3.3 [110/2001] via 172.16.123.1, 00:06:07, Tunnel0
Spoke2#show ip route ospf | include 2.2.2.2
O   %    2.2.2.2 [110/2001] via 172.16.123.1, 00:06:19, Tunnel0
Both entries still have the hub as the next hop but there’s this % symbol again. This means that the next hop is overwritten because of NHRP. Take a look at the CEF table:
Spoke1#show ip cef 3.3.3.3
3.3.3.3/32
  nexthop 172.16.123.3 Tunnel0
Spoke2#show ip cef 2.2.2.2
2.2.2.2/32
  nexthop 172.16.123.2 Tunnel0
Above you can see that the next hop address has been overwritten in the CEF table. This allows the spoke routers to reach each other directly. We can also verify this in the NHRP cache:
Spoke1#show dmvpn             
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 192.168.123.3      172.16.123.3    UP 00:19:50   DT2
                          172.16.123.3    UP 00:19:50   DT2
     1 192.168.123.1      172.16.123.1    UP 00:30:39     S
Spoke2#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 192.168.123.2      172.16.123.2    UP 00:20:03   DT2
                          172.16.123.2    UP 00:20:03   DT2
     1 192.168.123.1      172.16.123.1    UP 00:30:59     S
Above you can see the DT2 attribute which means that it’s dynamic and that the next hop has been overwritten. Pretty cool right?

Point-to-multipoint non-broadcast

Let’s try the next OSPF network type. This example is exactly the same as the previous one with the exception that we have to configure static neighbors. Let’s do it:
Hub, Spoke1 & Spoke2
(config)#interface Tunnel 0
(config-if)#ip ospf network point-to-multipoint non-broadcast
Hub(config)#router ospf 1
Hub(config-router)#neighbor 172.16.123.2
Hub(config-router)#neighbor 172.16.123.3
Everything else will remain the same:
Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.3 5 msec 5 msec *
Our traceroute is working and the output in the routing table is the same:
Spoke1#show ip route ospf | include 3.3.3.3
O   %    3.3.3.3 [110/2001] via 172.16.123.1, 00:06:07, Tunnel0
Spoke2#show ip route ospf | include 2.2.2.2
O   %    2.2.2.2 [110/2001] via 172.16.123.1, 00:06:19, Tunnel0
Above we see the hub as the next hop IP address. Here’s the CEF tables:
Spoke1#show ip cef 3.3.3.3
3.3.3.3/32
  nexthop 172.16.123.3 Tunnel0
Spoke2#show ip cef 2.2.2.2
2.2.2.2/32
  nexthop 172.16.123.2 Tunnel0
That’s all there is to it!
hostname Hub
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 172.16.123.0 0.0.0.255 area 1
!
end
 hostname Spoke1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 1
 network 172.16.123.0 0.0.0.255 area 1
!
end

hostname Spoke2
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.3 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router ospf 1
 network 3.3.3.3 0.0.0.0 area 1
 network 172.16.123.0 0.0.0.255 area 1
!
end

Conclusion

OSPF for DMVPN phase 3 works but it’s not the best choice. We can’t use any summarization so the spoke routers will always have specific entries for the networks behind other spoke routers. If you use OSPF, it’s best to go for point-to-multipoint as it has automatic neighbor discovery and you don’t have to worry about the DR/BDR election.
I hope you enjoyed this lesson, if you have any questions feel free to leave a comment!
at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)