04-08-2011 06:47 AM - edited 03-04-2019 12:01 PM
Hello, we have a DMVPN network and it is working well, but we are not able to route the traffic between two spokes directly (without going to the hub). When we generate traffic between two spokes we can see the NHRP table as follows:
spoke3#sh ip nhrp brie
Target Via NBMA Mode Intfc Claimed
10.200.251.1/32 10.200.251.1 <hub_public_ip> static Tu0 < >
10.200.251.4/32 10.200.251.4 <hub_public_ip> dynamic Tu0 < >
10.200.251.6/32 10.200.251.6 <hub_public_ip> dynamic Tu0 < >
hub#sh ip nhrp bri
Target Via NBMA Mode Intfc Claimed
10.200.251.4/32 10.200.251.4 <spoke1_public_ip> dynamic Tu0 < >
10.200.251.6/32 10.200.251.6 <spoke2_public_ip> dynamic Tu0 < >
10.200.251.10/32 10.200.251.10 <spoke3_public_ip> dynamic Tu0 < >
The hub tunnel interface IP address is 10.200.251.1. I think that in the NHRP table on spoke 3 we should see the public IP of the other spokes, not the hub one.
The int tu0 in spoke3:
interface Tunnel0
bandwidth 1000
ip address 10.200.251.10 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication ********
ip nhrp map multicast <hub_public_ip>
ip nhrp map 10.200.251.1 <hub_public_ip>
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.200.251.1
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 10
delay 1000
tunnel source Vlan2
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile VPN_sec
end
And the int tu0 in hub:
interface Tunnel0
bandwidth 1000
ip address 10.200.251.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 10
ip nhrp authentication ********
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon eigrp 10
delay 1000
qos pre-classify
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile VPN_sec
Any idea? I have exactly the same configuration in other DMVPN network and it is working well. Thanks in advance.
Best regards.
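Added example (not part of the original post): a Python check for the symptom described above, where a spoke's NHRP cache maps other spokes' tunnel addresses to the hub's NBMA address. The sample table is constructed in the "show ip nhrp brief" layout from the post; the 203.0.113.1 address and the function names are assumptions.

```python
import ipaddress

# Constructed sample in the "show ip nhrp brief" layout from the post; the
# public (NBMA) address is a placeholder from the documentation range.
SPOKE3_NHRP_BRIEF = """\
   Target             Via            NBMA           Mode   Intfc   Claimed
10.200.251.1/32   10.200.251.1   203.0.113.1     static   Tu0     <   >
10.200.251.4/32   10.200.251.4   203.0.113.1     dynamic  Tu0     <   >
10.200.251.6/32   10.200.251.6   203.0.113.1     dynamic  Tu0     <   >
"""


def parse_nhrp_brief(text):
    """Return one dict per NHRP cache row, skipping headers and prompts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # prompt line, or a row with a missing column
        try:
            target = ipaddress.ip_network(fields[0], strict=False)
            via = ipaddress.ip_address(fields[1])
            nbma = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # header line or a row whose NBMA column is not an address
        rows.append({"target": target, "via": via, "nbma": nbma,
                     "mode": fields[3], "intf": fields[4]})
    return rows


def hairpinned_targets(rows, nhs_tunnel_ip):
    """List targets other than the NHS that resolve to the NHS's NBMA address."""
    nhs = ipaddress.ip_address(nhs_tunnel_ip)
    # The static map for the NHS tells us which NBMA address belongs to the hub.
    hub_nbma = {r["nbma"] for r in rows
                if r["via"] == nhs and r["mode"] == "static"}
    return [str(r["target"]) for r in rows
            if r["via"] != nhs and r["nbma"] in hub_nbma]


if __name__ == "__main__":
    rows = parse_nhrp_brief(SPOKE3_NHRP_BRIEF)
    for target in hairpinned_targets(rows, "10.200.251.1"):
        print(f"{target}: mapped to the hub NBMA, traffic will transit the hub")
```

An empty result means every non-hub entry already points at its own NBMA address, which is what a direct spoke-to-spoke tunnel requires.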
04-08-2011 07:08 AM
Hi,
The language is not clear; please post the config detail in English...
When you are in a DMVPN mesh, the communication between spoke and spoke will happen automatically without coming to the hub; that is what DMVPN is for and its major advantage.
NOTE: In a DMVPN mesh, spoke sites can initiate a dynamic GRE tunnel to another spoke site based on user traffic, and the spoke-to-spoke tunnel is built over the mGRE interface.
Please rate the helpful posts.
Regards,
Naidu.
04-08-2011 08:29 AM
Hello, the problem is that the traffic between spokes is routed through the hub, and what I need is that this traffic is routed directly from one spoke to the other one.
I have checked it with a traceroute:
hub: 10.200.251.1
spoke2: 10.200.251.6
spoke3: 10.200.251.10
spoke3#traceroute
Protocol [ip]:
Target IP address: 10.200.251.6
Source address: 10.200.251.10
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.200.251.6
1 10.200.251.1 12 msec 16 msec 24 msec
2 10.200.251.6 36 msec 32 msec 32 msec
I think the traceroute should return only one hop, directly to 10.200.251.6.
Regards.
04-11-2011 01:21 AM
Hi,
As I said in my previous post... the config output details are not in English, hence we can't understand them properly.
So please post the config in clear English format.
Please rate all the helpful posts.
Regards,
Naidu.
04-11-2011 01:27 AM
Sorry, the config detail in plain text:
spoke3#sh ip nhrp brie
Target Via NBMA Mode Intfc Claimed
10.200.251.1/32 10.200.251.1
10.200.251.4/32 10.200.251.4
10.200.251.6/32 10.200.251.6
hub#sh ip nhrp bri
Target Via NBMA Mode Intfc Claimed
10.200.251.4/32 10.200.251.4
10.200.251.6/32 10.200.251.6
10.200.251.10/32 10.200.251.10
The int tu0 in spoke3:
interface Tunnel0
bandwidth 1000
ip address 10.200.251.10 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication ********
ip nhrp map multicast
ip nhrp map 10.200.251.1
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.200.251.1
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 10
delay 1000
tunnel source Vlan2
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile VPN_sec
end
And the int tu0 in hub:
interface Tunnel0
bandwidth 1000
ip address 10.200.251.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 10
ip nhrp authentication ********
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon eigrp 10
delay 1000
qos pre-classify
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile VPN_sec
hub: 10.200.251.1
spoke2: 10.200.251.6
spoke3: 10.200.251.10
spoke3#traceroute
Protocol [ip]:
Target IP address: 10.200.251.6
Source address: 10.200.251.10
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.200.251.6
1 10.200.251.1 12 msec 16 msec 24 msec
2 10.200.251.6 36 msec 32 msec 32 msec
Regards
04-11-2011 03:12 AM
Hi,
First of all, don't try traceroute from the router itself as it may go to the hub... Try from the PC behind the router and you will get the right results.
And your configuration seems somewhat different from best practices.
Add below commands in spoke tunnel:
ip nbar protocol-discovery
ip nhrp map multicast dynamic
tunnel protection ipsec profile dmvpn-profile shared
If the issue is still not fixed, then remove the below additional commands in the spoke tunnel if possible and see...
ip nhrp holdtime 360
ip nhrp redirect
tunnel protection ipsec profile VPN_sec
However, please find below the config at hub and spoke as per the best practices. This is the config I have in my environment and have also suggested to other customers, and it has been stable for years.
Spoke:
interface Tunnel10
bandwidth 10000
ip address 192.168.xxx.xxx 255.255.255.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip nhrp authentication ***********
ip nhrp map multicast dynamic
ip nhrp map multicast 206.206.206.5
ip nhrp map 192.168.xxx.xxx 206.206.206.5
ip nhrp network-id 2
ip nhrp nhs 192.168.xxx.xx
ip tcp adjust-mss 1360
no ip split-horizon eigrp ******
delay 55000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key ************
tunnel protection ipsec profile dmvpn-profile shared
Hub:
interface Tunnel10
bandwidth 10000
ip address 192.168.xxx.xx 255.255.255.0
ip helper-address 10.10.10.10
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
no ip next-hop-self eigrp *******
ip nhrp authentication *****************
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp ******
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key ************************************
tunnel protection ipsec profile dmvpn-profile
Please rate all the helpful posts.
Regards,
Naidu.
04-12-2011 07:55 AM
Hello, I have changed the command you suggested without success. In a spoke, the output of "show dmvpn" is as follows:
spoke2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2
10.200.251.10 UP 00:00:41 D
I think the output should be:
spoke2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1
1
But I cannot see the mistake. Any idea?
Regards.
04-12-2011 08:39 AM
The output of the "show ip nhrp" command:
spoke2#sh ip nhrp detail
10.200.251.1/32 via 10.200.251.1
Tunnel0 created 1d17h, never expire
Type: static, Flags: used
NBMA address:
10.200.251.10/32 via 10.200.251.10
Tunnel0 created 00:00:07, expire 00:02:57
Type: dynamic, Flags: used temporary
NBMA address:
It seems like NHRP is not able to notify the spoke of the NBMA address (public IP address) of the other spoke instead of the hub one.
Regards.