DMVPN in Private Network

amsriv00081
Level 1

Hi All,

We have our own p2p network over OFC and Microwave RF from 1 Hub location and multiple Branch locations. We have successfully established secured IPSEC GRE P2P tunnels between HUB and Branch (Spoke to Hub scenario), and we have multiple tunnel interfaces in the Hub router. We want to implement DMVPN and want to have Spoke to Spoke dynamic tunnels, but we have multiple source interfaces at the Hub router.

While surfing the internet I found only example scenarios over an ISP cloud, which has only one outgoing interface to the internet.

How can we achieve this?

Our example scenario is attached for your reference. We use static IP addresses all over the network and use EIGRP.

Thank you.

6 Replies

balaji.bandi
Hall of Fame

If this is a totally private network, there is no Internet involved. GetVPN is the right candidate, personally I feel (if you have not already deployed DMVPN).

With DMVPN Phase 3 you can do the same. You may have many interfaces, but you can create a tunnel between Hub and spoke using IP.

If I have not understood the question, please explain more.
BB


Hi BB,

We already deployed P2P GRE tunnels from HUB to Spokes. Here we configured one tunnel interface in the hub for one spoke; likewise, we configured a number of tunnel interfaces in the HUB with the respective physical interface as the tunnel source, which creates P2P only; any communication from spoke to spoke always happens through the HUB. I think it is DMVPN phase 1.

I tried with DMVPN Phase 3 but was not able to establish a spoke to spoke dynamic tunnel. It might be that we have multiple tunnel interfaces in the HUB router for its respective spokes.

I would be more interested to see your configuration and what kind of error you encountered when you deployed DMVPN, so we can learn better and suggest better.

What kind of links are these?

BB


Hello @amsriv00081 ,

>> we configured a number of tunnel interfaces in HUB with the respective physical interface as the tunnel source which creates P2P only any communication from spoke to spoke is always happening through HUB. I think it is DMVPN phase 1.

No, what you have is a collection of p2p WAN links and you run p2p GRE tunnels protected by IPsec.

If your WAN topology is this, all you can achieve with DMVPN is a reduction in complexity in the HUB router configuration.

Your DMVPN "physical" interface on HUB could be a loopback interface advertised over the WAN links using a routing protocol.

However, if your WAN topology really is a collection of p2p links rooted at the HUB router, all the traffic would still pass via the HUB router even after implementing DMVPN phase 2 or phase 3.

Your direct Spoke to Spoke dynamic tunnel could not be offloaded from the HUB router in the forwarding plane.

Hope to help

Giuseppe

Hello

Can you elaborate on your current network? Is this internet based connectivity or, as stated by @balaji.bandi, mpls based? The reason is DMVPN is designed for internet based connectivity, but also don't rule out FlexVPN as an additional option. I would definitely suggest reviewing this technology also; it's lighter than DMVPN, and not as complex to set up.

Also, what routing protocols are you running between the hub and spoke sites, and do you have any IP security applied?

Lastly, can you post the current DMVPN configuration of the Hub router that you said didn't work for spoke to spoke connectivity?



Kind Regards
Paul

amsriv00081
Level 1

Hi All,

Please look into the configuration and some debug.

Unable to establish communication between spokes.

HUB
##################################################################
*Sep 16 20:59:23.839: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 72
*Sep 16 20:59:23.843: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Sep 16 20:59:23.843: shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 16 20:59:23.843: pktsz: 72 extoff: 52
*Sep 16 20:59:23.843: (M) flags: "router auth src-stable nat ", reqid: 5
*Sep 16 20:59:23.847: src NBMA: 12.0.0.1
*Sep 16 20:59:23.847: src protocol: 10.1.1.3, dst protocol: 10.1.1.2
*Sep 16 20:59:23.851: (C-1) code: no error(0)
*Sep 16 20:59:23.855: prefix: 32, mtu: 17912, hd_time: 7200
*Sep 16 20:59:23.855: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Sep 16 20:59:23.859: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 92
*Sep 16 20:59:23.863: src: 10.1.1.1, dst: 10.1.1.2
*Sep 16 20:59:23.867: (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Sep 16 20:59:23.867: shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 16 20:59:23.867: pktsz: 92 ex
HUB(config-if)#toff: 52
*Sep 16 20:59:23.871: (M) flags: "router auth src-stable nat ", reqid: 5
*Sep 16 20:59:23.871: src NBMA: 12.0.0.1
*Sep 16 20:59:23.871: src protocol: 10.1.1.3, dst protocol: 10.1.1.2
*Sep 16 20:59:23.879: (C-1) code: no error(0)
*Sep 16 20:59:23.879: prefix: 32, mtu: 17912, hd_time: 7200
*Sep 16 20:59:23.879: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Sep 16 20:59:25.403: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 72
*Sep 16 20:59:25.407: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Sep 16 20:59:25.411: shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 16 20:59:25.411: pktsz: 72 extoff: 52
*Sep 16 20:59:25.411: (M) flags: "router auth src-stable nat ", reqid: 5
*Sep 16 20:59:25.415: src NBMA: 12.0.0.1
*Sep 16 20:59:25.415: src protocol: 10.1.1.3, dst protocol: 10.1.1.2
*Sep 16 20:59:25.419: (C-1) code: no error(0)
*Sep 16 20:59:25.419: prefix: 32, mtu: 17912, hd_time: 72
HUB(config-if)#00
*Sep 16 20:59:25.423: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Sep 16 20:59:25.427: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 92
*Sep 16 20:59:25.431: src: 10.1.1.1, dst: 10.1.1.2
*Sep 16 20:59:25.431: (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Sep 16 20:59:25.435: shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 16 20:59:25.435: pktsz: 92 extoff: 52
*Sep 16 20:59:25.435: (M) flags: "router auth src-stable nat ", reqid: 5
*Sep 16 20:59:25.439: src NBMA: 12.0.0.1
*Sep 16 20:59:25.439: src protocol: 10.1.1.3, dst protocol: 10.1.1.2
*Sep 16 20:59:25.443: (C-1) code: no error(0)
*Sep 16 20:59:25.443: prefix: 32, mtu: 17912, hd_time: 7200
*Sep 16 20:59:25.447: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
HUB(config-if)#
*Sep 16 20:59:28.743: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 72
*Sep 16 20:59:28.743: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Sep 16 20:59:28.747: shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 16 20:59:28.747: pktsz: 72 extoff: 52
*Sep 16 20:59:28.747: (M) flags: "router auth src-stable nat ", reqid: 5
*Sep 16 20:59:28.751: src NBMA: 12.0.0.1
*Sep 16 20:59:28.751: src protocol: 10.1.1.3, dst protocol: 10.1.1.2
*Sep 16 20:59:28.755: (C-1) code: no error(0)
*Sep 16 20:59:28.755: prefix: 32, mtu: 17912, hd_time: 7200
*Sep 16 20:59:28.759: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Sep 16 20:59:28.763: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 92
*Sep 16 20:59:28.767: src: 10.1.1.1, dst: 10.1.1.2
*Sep 16 20:59:28.771: (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Sep 16 20:59:28.771: shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 16 20:59:28.771: pktsz: 92 ex
HUB(config-if)#toff: 52
*Sep 16 20:59:28.775: (M) flags: "router auth src-stable nat ", reqid: 5
*Sep 16 20:59:28.775: src NBMA: 12.0.0.1
*Sep 16 20:59:28.775: src protocol: 10.1.1.3, dst protocol: 10.1.1.2
*Sep 16 20:59:28.779: (C-1) code: no error(0)
*Sep 16 20:59:28.783: prefix: 32, mtu: 17912, hd_time: 7200
*Sep 16 20:59:28.783: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
HUB(config-if)#
*Sep 16 20:59:35.283: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 72
*Sep 16 20:59:35.287: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Sep 16 20:59:35.287: shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 16 20:59:35.287: pktsz: 72 extoff: 52
*Sep 16 20:59:35.287: (M) flags: "router auth src-stable nat ", reqid: 5
*Sep 16 20:59:35.291: src NBMA: 12.0.0.1
*Sep 16 20:59:35.291: src protocol: 10.1.1.3, dst protocol: 10.1.1.2
*Sep 16 20:59:35.295: (C-1) code: no error(0)
*Sep 16 20:59:35.299: prefix: 32, mtu: 17912, hd_time: 7200
*Sep 16 20:59:35.299: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Sep 16 20:59:35.303: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 92
*Sep 16 20:59:35.307: src: 10.1.1.1, dst: 10.1.1.2
*Sep 16 20:59:35.311: (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
*Sep 16 20:59:35.311: shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 16 20:59:35.311: pktsz: 92 ex
HUB(config-if)#toff: 52
*Sep 16 20:59:35.315: (M) flags: "router auth src-stable nat ", reqid: 5
*Sep 16 20:59:35.315: src NBMA: 12.0.0.1
*Sep 16 20:59:35.315: src protocol: 10.1.1.3, dst protocol: 10.1.1.2
*Sep 16 20:59:35.319: (C-1) code: no error(0)
*Sep 16 20:59:35.323: prefix: 32, mtu: 17912, hd_time: 7200
*Sep 16 20:59:35.323: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
HUB(config-if)#
HUB(config-if)#do sh ip nhrp
10.1.1.2/32 via 10.1.1.2
Tunnel0 created 00:03:41, expire 01:56:43
Type: dynamic, Flags: unique registered used
NBMA address: 11.0.0.1
10.1.1.3/32 via 10.1.1.3
Tunnel0 created 00:03:41, expire 01:56:46
Type: dynamic, Flags: unique registered used
NBMA address: 12.0.0.1

HUB#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 10.1.1.1, VRF ""
Tunnel Src./Dest. addr: 10.0.0.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect ""
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 11.0.0.1 10.1.1.2 UP 00:17:38 D 10.1.1.2/32
1 12.0.0.1 10.1.1.3 UP 00:17:35 D 10.1.1.3/32


Crypto Session Details:
--------------------------------------------------------------------------------

Pending DMVPN Sessions:


interface GigabitEthernet0/0/0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0/1
ip address 2.2.2.1 255.255.255.0
!
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 10.1.1.0 0.0.0.255
network 192.168.1.0
!
ip route 11.0.0.0 255.255.255.0 1.1.1.2
ip route 12.0.0.0 255.255.255.0 2.2.2.2

#############################################################################################
Spoke-1
#############################################################################################
Spoke-1(config-router)#
*Sep 16 21:15:57.923: NHRP-ATTR: ext_type: 32771, ext_len : 0

*Sep 16 21:15:57.923: NHRP-ATTR: ext_type: 32772, ext_len : 20

*Sep 16 21:15:57.927: NHRP-ATTR: ext_type: 32773, ext_len : 0

*Sep 16 21:15:57.927: NHRP-ATTR: ext_type: 9, ext_len : 0

*Sep 16 21:15:57.931: NHRP-ATTR: ext_type: 32768, ext_len : 0

*Sep 16 21:15:57.935: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 92
*Sep 16 21:15:57.939: NHRP: netid_in = 1, to_us = 1
*Sep 16 21:15:57.939: NHRP: nhrp_rtlookup for destination on 10.1.1.2 yielded interface Tunnel0, prefixlen 24
*Sep 16 21:15:57.943: NHRP-ATTR: smart spoke feature and attributes are not configured,

*Sep 16 21:15:57.947: NHRP-ATTR: In nhrp_process_recv_resolution_request eem_decision : TRUE, time : 0, LINE: 7007

*Sep 16 21:15:57.951: NHRP: This is a forwarded packet
*Sep 16 21:15:57.951: NHRP: nhrp_rtlookup on 10.1.1.2 yielded interface Tunnel0, prefixlen 24
*Sep 16 21:15:57.955: NHRP: Request was to us, responding with ouraddress
*Sep 16 21:15:57.959: NHRP: Checking for delayed event 10.1.1.3/10.1.1.2 on list (Tunnel0).
*Sep 16 21:15:57.959: NHRP: No node found.
*Sep 16 21:15:57.963: NHRP: No need to delay processing of resolution event nbma src:11.0.0.1 nbma dst:12.0.0.1
*Sep 16 21:15:57.967: NHRP-ATTR: In nhrp_cache_pak LINE: 1422

*Sep 16 21:15:57.971: NHRP: Adding Tunnel Endpoints (VPN: 10.1.1.3, NBMA: 12.0.0.1)
*Sep 16 21:15:57.971: NHRP: NHRP subblock already exists for Tunnel Endpoints (VPN: 10.1.1.3, NBMA: 12.0.0.1)
*Sep 16 21:15:57.975: NHRP: Cache already has a subblock node attached for Tunnel Endpoints (VPN: 10.1.1.3, NBMA: 12.0.0.1)
*Sep 16 21:15:57.979: NHRP: Attempting to send packet via DEST 10.1.1.3
*Sep 16 21:15:57.983: NHRP: Encapsulation succeeded. Sending NHRP Control Packet NBMA Address: 12.0.0.1
*Sep 16 21:15:57.987: NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 120
*Sep 16 21:15:57.991: src: 10.1.1.2, dst: 10.1.1.3
*Sep 16 21:15:57.995: NHRP: 148 bytes out Tunnel0

Spoke-1(config-router)#


Spoke-1(config-if)#do sh ip nhrp
10.1.1.1/32 via 10.1.1.1
Tunnel0 created 00:02:10, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
10.1.1.2/32 via 10.1.1.2
Tunnel0 created 00:01:03, expire 01:59:48
Type: dynamic, Flags: router unique local
NBMA address: 11.0.0.1
(no-socket)
10.1.1.3/32 via 10.1.1.3
Tunnel0 created 00:01:03, expire 01:59:48
Type: dynamic, Flags: router implicit used
NBMA address: 12.0.0.1
Spoke-1(config-if)#

Spoke-1(config-router)#do sh dmvpn det
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 10.1.1.2, VRF ""
Tunnel Src./Dest. addr: 11.0.0.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect ""
Interface State Control: Disabled
nhrp event-publisher : Disabled

IPv4 NHS:
10.1.1.1 RE priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 3

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 10.0.0.1 10.1.1.1 UP 00:18:56 S 10.1.1.1/32
1 11.0.0.1 10.1.1.2 UP 00:17:50 DLX 10.1.1.2/32
1 12.0.0.1 10.1.1.3 UP 00:17:50 D 10.1.1.3/32


Crypto Session Details:
--------------------------------------------------------------------------------

Pending DMVPN Sessions:


interface Loopback0
ip address 11.0.0.1 255.255.255.0
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
ip nhrp map 10.1.1.1 10.0.0.1
ip nhrp map multicast 10.0.0.1
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.0
!
router eigrp 1
network 10.1.1.0 0.0.0.255
network 11.0.0.0 0.0.0.255
network 192.168.2.0
!
ip route 10.0.0.0 255.255.255.0 1.1.1.1

#############################################################################################
Spoke-2
#############################################################################################
Spoke-2(config-if)#do sh ip nhrp
10.1.1.1/32 via 10.1.1.1
Tunnel0 created 00:02:34, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
10.1.1.2/32 via 10.1.1.2
Tunnel0 created 00:01:29, expire 00:01:35
Type: dynamic, Flags: used temporary
NBMA address: 10.0.0.1
Spoke-2(config-if)#

Spoke-2(config-router)#do sh dmvpn det
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 10.1.1.3, VRF ""
Tunnel Src./Dest. addr: 12.0.0.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect ""
Interface State Control: Disabled
nhrp event-publisher : Disabled

IPv4 NHS:
10.1.1.1 RE priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 1

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
2 10.0.0.1 10.1.1.1 UP 00:19:03 S 10.1.1.1/32
   10.0.0.1 10.1.1.2 UP 00:00:17 D 10.1.1.2/32


Crypto Session Details:
--------------------------------------------------------------------------------

Pending DMVPN Sessions:


interface Loopback0
ip address 12.0.0.1 255.255.255.0
!
interface Loopback1
ip address 192.168.3.1 255.255.255.0
!
interface Tunnel0
ip address 10.1.1.3 255.255.255.0
ip nhrp map 10.1.1.1 10.0.0.1
ip nhrp map multicast 10.0.0.1
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
interface GigabitEthernet0/0/0
ip address 2.2.2.2 255.255.255.0
!
router eigrp 1
network 10.1.1.0 0.0.0.255
network 12.0.0.0 0.0.0.255
network 192.168.3.0
!
ip route 10.0.0.0 255.255.255.0 2.2.2.1

===============================================================================================
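
Added example, not part of any post in this thread: a Python check over the hub and Spoke-1 `Tunnel0` stanzas posted above that reports which of `tunnel protection ipsec profile`, `ip nhrp authentication`, and the Phase 3 `ip nhrp redirect` (hub) or `ip nhrp shortcut` (spoke) commands are absent from each mGRE interface, which is what the empty `Protect ""` field in the `sh dmvpn detail` output reflects. The function names, and the rule that an interface carrying `ip nhrp nhs` is treated as a spoke, are assumptions made for this example.

```python
import re

# Tunnel0 stanzas as posted in the thread (hub and Spoke-1), unindented as on the page.
HUB_CFG = """\
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
"""
SPOKE_CFG = """\
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
ip nhrp map 10.1.1.1 10.0.0.1
ip nhrp map multicast 10.0.0.1
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
"""

def interface_stanzas(config):
    """Split an IOS-style config into {interface: [lines]}; '!' ends a stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return stanzas

def audit_mgre(config):
    """Return {tunnel: [missing command prefixes]} for each mGRE interface."""
    report = {}
    for name, lines in interface_stanzas(config).items():
        if "tunnel mode gre multipoint" not in lines:
            continue
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        # Assumption: a spoke names its next-hop server, a hub does not.
        wanted = ["tunnel protection ipsec profile", "ip nhrp authentication",
                  "ip nhrp redirect" if not has("ip nhrp nhs") else "ip nhrp shortcut"]
        report[name] = [w for w in wanted if not has(w)]
    return report
```

An empty list for a tunnel means all three commands are present on it; the check says nothing about underlay reachability between spoke NBMA addresses, which has to be verified separately.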
