
DMVPN Phase 3 Single Hub Dual Cloud - NHRP Redirect problem

noc0000041
Level 1

According to the documentation...

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/12-4/nhrp-12-4-book/config-nhrp.html

...The hub receives the data packet and checks its routing table. Because this data packet is destined for a network behind another spoke, it is forwarded back out the NHRP interface to the next hop toward that spoke. At this point the hub detects that the packet arrived and was sent back out the NHRP interface. This behavior means that the data packet is taking at least two hops within the NHRP network and therefore this path via the hub is not the optimal one-hop path. The hub therefore sends an NHRP redirect message to the spoke...

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/15-mt/nhrp-15-mt-book/nhrp-switch-enhancemts-dmvpn.html

... 4. H1 follows Steps 2 and 3 and forwards the data packet to Spoke B. NHRP in the output feature path also determines that the inbound (such as Tunnel0) and the outbound (Tunnel0) interface is part of the same DMVPN network and sends an NHRP redirect traffic indication to the tunnel (Spoke A) on which the data packet was received. The NHRP redirect message includes the original IP address and first eight bytes of the data packet...

 

 

Current topology...

DMVPN Phase3.jpg

 

 

Spoke1 sometimes does not build a straight tunnel to Spoke2 because the NHRP condition (see above) may not be met, because the HUB has 2 next-hop interfaces to Spoke2. If an NHRP request from Spoke1 arrives at the HUB (Tunnel1), then there are two variants of events:

- option 1: if the HUB randomly chooses the same next-hop interface to Spoke2 (Tunnel1) (packet arrived and was sent back out the NHRP interface - condition is True), then the Spoke-to-Spoke tunnel is built.
- option 2: if the HUB selects another next-hop interface to Spoke2 (Tunnel2) (packet arrived and was sent back out the NHRP interface - condition is False), then the tunnel is not built.

How can I make the Spoke-to-Spoke tunnel always get built? After all, the Spokes are in the same DMVPN cloud.

 

 

HUB:

interface Tunnel1
 description *** DMVPN over ISP1 ***
 ip address 172.16.1.254 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 10
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output
 ip nhrp authentication sEcReT
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp redirect
 ip summary-address eigrp 10 0.0.0.0 0.0.0.0
 ip tcp adjust-mss 1432
 qos pre-classify
 tunnel source 192.168.255.1
 tunnel mode gre multipoint
 tunnel key 1
!
interface Tunnel2
 description *** DMVPN over ISP2 ***
 ip address 172.16.2.254 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 10
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output
 ip nhrp authentication sEcReT
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp redirect
 ip summary-address eigrp 10 0.0.0.0 0.0.0.0
 ip tcp adjust-mss 1432
 qos pre-classify
 tunnel source 192.168.255.2
 tunnel mode gre multipoint
 tunnel key 2


Spoke1:

interface Tunnel1
 description *** ISP1 ***
 bandwidth 20480
 ip address 172.16.1.7 255.255.255.0
 no ip redirects
 ip flow ingress
 ip flow egress
 ip nhrp authentication sEcReT
 ip nhrp group speed-20M
 ip nhrp map 172.16.1.254 192.168.255.1
 ip nhrp map multicast 192.168.255.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp attribute set group speed-20M
 ip nhrp nhs 172.16.1.254
 ip nhrp shortcut
 ip summary-address eigrp 10 192.168.8.0 255.255.255.0
 ip tcp adjust-mss 1432
 qos pre-classify
 tunnel source 192.168.255.62
 tunnel mode gre multipoint
 tunnel key 1

 

Spoke2:

interface Tunnel1
 description *** ISP1 ***
 bandwidth 20480
 ip address 172.16.1.18 255.255.255.0
 no ip redirects
 ip flow ingress
 ip flow egress
 ip nhrp authentication sEcReT
 ip nhrp group speed-20M
 ip nhrp map 172.16.1.254 192.168.255.1
 ip nhrp map multicast 192.168.255.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp attribute set group speed-20M
 ip nhrp nhs 172.16.1.254
 ip nhrp shortcut
 ip summary-address eigrp 10 192.168.19.0 255.255.255.0
 ip tcp adjust-mss 1432
 qos pre-classify
 tunnel source 10.255.249.1
 tunnel mode gre multipoint
 tunnel key 1
!
interface Tunnel2
 description *** ISP2 ***
 bandwidth 20480
 ip address 172.16.2.18 255.255.255.0
 no ip redirects
 ip flow ingress
 ip flow egress
 ip nhrp authentication sEcReT
 ip nhrp group speed-20M
 ip nhrp map 172.16.2.254 192.168.255.2
 ip nhrp map multicast 192.168.255.2
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp attribute set group speed-20M
 ip nhrp nhs 172.16.2.254
 ip nhrp shortcut
 ip summary-address eigrp 10 192.168.19.0 255.255.255.0
 ip tcp adjust-mss 1432
 qos pre-classify
 tunnel source 10.255.251.194
 tunnel mode gre multipoint
 tunnel key 2



 


In DMVPN, Spoke-to-Spoke tunnels come up as needed.

You have to adjust routing on the HUB so that the Spoke 1 LAN subnet and the Spoke 2 LAN subnet are reachable through Tunnel 1.

 

Spooster IT Services Team

Thank you,

 

But I need a solution without adjusting routing on the HUB, because Spoke 2 needs to have two load-balanced channels for in/out traffic. Are there any such solutions? Maybe in NHRP?
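The hub behaviour described in the question, and the effect of the single-path routing suggested in the first reply, modelled as an added example that is not part of the original thread or of Cisco's code. The hub routing table, the sample flows and the per-flow hash are assumptions; only the network-id values and LAN prefixes come from the posted configs.

```python
import ipaddress

# NHRP network-id per hub tunnel interface, taken from the HUB config in the post.
NETWORK_ID = {"Tunnel1": 1, "Tunnel2": 2}

# Assumed hub routing table: Spoke2 advertises 192.168.19.0/24 over both
# clouds, so the hub holds two equal-cost next-hop interfaces for it.
ROUTES = {
    ipaddress.ip_network("192.168.8.0/24"): ["Tunnel1"],              # Spoke1 LAN
    ipaddress.ip_network("192.168.19.0/24"): ["Tunnel1", "Tunnel2"],  # Spoke2 LAN
}

def egress_interface(src, dst, routes=ROUTES):
    """Pick the outbound tunnel for a flow using longest-prefix match."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [net for net in routes if dst_ip in net]
    if not matches:
        return None
    paths = routes[max(matches, key=lambda net: net.prefixlen)]
    # Toy per-flow hash (assumption; the router's real load-sharing hash differs).
    return paths[(int(ipaddress.ip_address(src)) + int(dst_ip)) % len(paths)]

def sends_redirect(ingress, egress):
    """The hub redirects only when the packet leaves on the same NHRP network."""
    return egress is not None and NETWORK_ID[ingress] == NETWORK_ID[egress]

def simulate(flows, ingress="Tunnel1", routes=ROUTES):
    """Return {(src, dst): (egress, redirect_sent)} for packets arriving on ingress."""
    result = {}
    for src, dst in flows:
        out = egress_interface(src, dst, routes)
        result[(src, dst)] = (out, sends_redirect(ingress, out))
    return result

# Constructed sample flows from Spoke1's LAN to Spoke2's LAN.
FLOWS = [("192.168.8.10", "192.168.19.20"), ("192.168.8.10", "192.168.19.21"),
         ("192.168.8.11", "192.168.19.20"), ("192.168.8.11", "192.168.19.21")]

if __name__ == "__main__":
    for flow, (out, redirect) in simulate(FLOWS).items():
        print(flow, "->", out, "redirect" if redirect else "no redirect, stays on hub path")
```

Passing a `routes` table with only `Tunnel1` for 192.168.19.0/24 makes every flow trigger a redirect, at the cost of the load balancing the original poster wants to keep.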
