Friday, 20 March 2026

DMVPN Phase 2 Dynamic Mapping

 DMVPN (Dynamic Multipoint VPN), introduced by Cisco in late 2000, is a routing technology you can use to build a VPN network with multiple sites (spokes) without having to statically configure all devices. It’s a “hub and spoke” network, where the spokes can communicate with each other directly without having to go through the hub. Encryption is supported through IPsec, which makes DMVPN a popular choice for connecting different sites using regular Internet connections. It’s a great backup or alternative to private networks like MPLS VPN.

  • In DMVPN Phase 2, the hub and the spokes are all configured as multipoint GRE, and spoke-to-spoke tunnels are created. NHRP is required for spokes to register with the hub, and it is also required for spoke-to-spoke resolution.
  • Phase 2: Spoke-to-Spoke tunnels allowed. Branches can talk directly, offloading the Hub. However, routing can become asymmetrical (traffic takes one path there and a different path back), which can cause issues with firewalls.

NHRP (Next Hop Resolution Protocol)

  • Think of NHRP as the "DNS for DMVPN."
  • When a Spoke boots up, it registers its real public IP address with the Hub using NHRP.
  • When Spoke A wants to talk to Spoke B, it asks the Hub, "Who is Spoke B?"
  • The Hub responds with Spoke B’s real public IP.
  • Spoke A then builds a direct IPsec tunnel to Spoke B.

 The Next Hop Server is a router (typically the Hub) that maintains the authoritative NHRP database for the entire DMVPN cloud. Every spoke registers its real (public) IP address and its tunnel (private) IP address with the NHS.

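Topology: R1 is the hub and R2, R3 and R4 are the spokes. Each router's FastEthernet0/0 connects to a routed port on switch-1 (192.168.x.8), which provides the underlay between the sites.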


R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.8
R1(config)#end
 
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.8
R2(config)#exit
 
 
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.8
R3(config)#end
 
 
 
R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.4.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.8
 
switch-1(config)#interface range ethernet0/0-3
switch-1(config-if-range)#no switchport
switch-1(config-if-range)#shutdown
switch-1(config-if-range)#exit

switch-1(config)#interface Ethernet0/0
switch-1(config-if)#no shutdown
switch-1(config-if)# ip address 192.168.1.8 255.255.255.0
switch-1(config-if)#exit
switch-1(config)#interface Ethernet0/1
switch-1(config-if)#no shutdown
switch-1(config-if)# ip address 192.168.2.8 255.255.255.0
switch-1(config-if)#exit
switch-1(config)#interface Ethernet0/2
switch-1(config-if)# no switchport
switch-1(config-if)# ip address 192.168.3.8 255.255.255.0
switch-1(config-if)#exit
switch-1(config)#interface Ethernet0/3
switch-1(config-if)# no switchport
switch-1(config-if)# ip address 192.168.4.8 255.255.255.0
switch-1(config-if)#exit

switch-1(config)#interface range ethernet0/0-3
switch-1(config-if-range)#no switchport
switch-1(config-if-range)#no shutdown
switch-1(config-if-range)#exit
 
switch-1(config)#ip routing
 
 
 
 
R1(config)#interface tunnel 1
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#tunnel source 192.168.1.1
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#ip nhrp network-id 111
R1(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     192.168.2.1        10.1.1.2    UP 00:00:27     D
     1     192.168.3.1        10.1.1.3    UP 00:00:27     D
     1     192.168.4.1        10.1.1.4    UP 00:00:28     D

 
R2(config)#interface tunnel 1
R2(config-if)#ip address 10.1.1.2 255.255.255.0
R2(config-if)#tunnel source 192.168.2.1
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#ip nhrp network-id 222
R2(config-if)#ip nhrp nhs 10.1.1.1
R2(config-if)#ip nhrp map 10.1.1.1 192.168.1.1
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up


R2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Intferface Tunnel1 is up/up, Addr. is 10.1.1.2, VRF ""
   Tunnel Src./Dest. addr: 192.168.2.1/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect ""

IPv4 NHS: 10.1.1.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1    192.168.1.1        10.1.1.1    UP 00:01:06    S        10.1.1.1/32



R3(config)#interface tunnel 1
R3(config-if)#ip address 10.1.1.3 255.255.255.0
R3(config-if)#tunnel source 192.168.3.1
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#ip nhrp network-id 333
R3(config-if)#ip nhrp nhs 10.1.1.1
R3(config-if)#ip nhrp map 10.1.1.1 192.168.1.1
R3(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up


R4(config)#interface tunnel 1
R4(config-if)#ip address 10.1.1.4 255.255.255.0
R4(config-if)#tunnel source 192.168.4.1
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#ip nhrp network-id 444
R4(config-if)#ip nhrp nhs 10.1.1.1
R4(config-if)#ip nhrp map 10.1.1.1 192.168.1.1
R4(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up

R1#show ip nhrp
10.1.1.2/32 via 10.1.1.2
   Tunnel1 created 00:03:23, expire 01:56:36
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.2.1
10.1.1.3/32 via 10.1.1.3
   Tunnel1 created 00:03:23, expire 01:56:36
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.3.1
10.1.1.4/32 via 10.1.1.4
   Tunnel1 created 00:03:24, expire 01:56:35
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.4.1
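
The tunnel configurations above carry no NHRP authentication or IPsec protection, so the hub's dynamic NHRP cache is worth comparing against the list of spokes that were actually provisioned. The Python sketch below is an added example, not part of the original post; it parses `show ip nhrp` output and reports unknown, mismatched and missing registrations. The EXPECTED inventory, the function names and the 10.1.1.5 entry are assumptions made for illustration.

```python
import re

# First two entries are R1's "show ip nhrp" output from above. R4's entry is
# left out and the 10.1.1.5 entry is constructed, to exercise the audit.
SHOW_IP_NHRP = """\
10.1.1.2/32 via 10.1.1.2
   Tunnel1 created 00:03:23, expire 01:56:36
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.2.1
10.1.1.3/32 via 10.1.1.3
   Tunnel1 created 00:03:23, expire 01:56:36
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.3.1
10.1.1.5/32 via 10.1.1.5
   Tunnel1 created 00:00:05, expire 01:59:54
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.4.77
"""

# Assumed inventory (tunnel IP -> NBMA IP), taken from the spoke configs above.
EXPECTED = {"10.1.1.2": "192.168.2.1", "10.1.1.3": "192.168.3.1",
            "10.1.1.4": "192.168.4.1"}

def parse_nhrp(text):
    """Return {tunnel_ip: nbma_ip or None} for every /32 entry in the cache."""
    cache, current = {}, None
    for line in text.splitlines():
        head = re.match(r"(\d+(?:\.\d+){3})/32 via ", line)
        nbma = re.match(r"\s+NBMA address: (\d+(?:\.\d+){3})", line)
        if head:
            current = head.group(1)
            cache[current] = None  # stays None for entries without an NBMA line
        elif nbma and current:
            cache[current] = nbma.group(1)
    return cache

def audit(text, expected):
    """Compare the hub's NHRP cache with the inventory; return sorted findings."""
    cache, findings = parse_nhrp(text), []
    for tunnel, nbma in cache.items():
        if tunnel not in expected:
            findings.append(f"UNKNOWN {tunnel} registered from {nbma}")
        elif expected[tunnel] != nbma:
            findings.append(f"MISMATCH {tunnel}: {nbma}, expected {expected[tunnel]}")
    findings += [f"MISSING {t}" for t in expected if t not in cache]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SHOW_IP_NHRP, EXPECTED)))
```
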

R1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/44 ms

R1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/36/48 ms

R1#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/36/48 ms

R1#traceroute 10.1.1.2
Type escape sequence to abort.
Tracing the route to 10.1.1.2
  1 10.1.1.2 20 msec 32 msec 28 msec

R1#traceroute 10.1.1.2
Type escape sequence to abort.
Tracing the route to 10.1.1.2
  1 10.1.1.2 40 msec 28 msec 28 msec

R1#traceroute 10.1.1.3
Type escape sequence to abort.
Tracing the route to 10.1.1.3
  1 10.1.1.3 44 msec 32 msec 28 msec

R1#traceroute 10.1.1.4
Type escape sequence to abort.
Tracing the route to 10.1.1.4
  1 10.1.1.4 56 msec 28 msec 28 msec
