Blue_Bird

DMVPN Phase 3 Implementation

Introduction

Lab topology

Phase 3 Tunnel Configuration

Routing Protocol (EIGRP) Configuration

Verification

Conclusion

Introduction

The final phase of DMVPN changes the way NHRP operates. The spoke routers no longer need specific routes to reach remote spokes and it doesn't matter what the next hop IP address is.

When a spoke router wants to reach a remote spoke, it forwards its traffic to the hub. When the hub receives the traffic, it realizes that another spoke is the destination and sends an NHRP redirect to both spokes.

When the spokes receive the NHRP redirect, they both send an NHRP resolution to figure out each other's NBMA IP addresses. The spoke routers then install a new entry in the routing table so that they can reach each other directly.

Lab Topology

Blue_Bird_0-1750942460872.png

Phase 3 Tunnel Configuration

This assumes that the underlay configuration is already in place on all routers. Here are the steps for the overlay configuration:

R1 Configuration

R1(config)# interface Tunnel 0

R1(config-if)# ip address 192.168.1.1 255.255.255.0

R1(config-if)# tunnel mode gre multipoint

R1(config-if)# tunnel source Ethernet0/0

R1(config-if)# ip nhrp authentication vpn

R1(config-if)# ip nhrp map multicast dynamic

R1(config-if)# ip nhrp network-id 1

R1(config-if)# exit

R2 Configuration

R2(config)# interface tunnel 0

R2(config-if)# ip address 192.168.1.2 255.255.255.0

R2(config-if)# ip nhrp authentication vpn

R2(config-if)# ip nhrp map 192.168.1.1 1.1.1.1

R2(config-if)# ip nhrp map multicast 1.1.1.1

R2(config-if)# ip nhrp network-id 1

R2(config-if)# ip nhrp nhs 192.168.1.1

R2(config-if)# tunnel source Ethernet0/0

R2(config-if)# tunnel mode gre multipoint

R2(config-if)# exit

R3 Configuration

R3(config)# interface tunnel 0

R3(config-if)# ip address 192.168.1.3 255.255.255.0

R3(config-if)# ip nhrp authentication vpn

R3(config-if)# ip nhrp map 192.168.1.1 1.1.1.1

R3(config-if)# ip nhrp map multicast 1.1.1.1

R3(config-if)# ip nhrp network-id 1

R3(config-if)# ip nhrp nhs 192.168.1.1

R3(config-if)# tunnel source Ethernet0/0

R3(config-if)# tunnel mode gre multipoint

R3(config-if)# exit

Routing Protocol (EIGRP) Configuration

R1(config)# router eigrp 1

R1(config-router)# network 10.10.1.0 0.0.0.255

R1(config-router)# network 192.168.1.0

R1(config-router)# no auto-summary

R1(config-router)# exit

R1(config)# int tunnel 0

R1(config-if)# no ip split-horizon eigrp 1

 

R2(config)# router eigrp 1

R2(config-router)# network 10.10.2.0 0.0.0.255

R2(config-router)# network 192.168.1.0

R2(config-router)# no auto-summary

R2(config-router)# exit

 

R3(config)# router eigrp 1

R3(config-router)# network 10.10.3.0 0.0.0.255

R3(config-router)# network 192.168.1.0

R3(config-router)# no auto-summary

R3(config-router)# exit

To migrate from DMVPN Phase 2 to Phase 3, only two commands are needed: "ip nhrp redirect" on the hub and "ip nhrp shortcut" on each spoke router.

R1(config)# interface Tunnel 0

R1(config-if)# ip nhrp redirect

 

R2(config)# interface Tunnel 0

R2(config-if)# ip nhrp shortcut

R3(config)# interface Tunnel 0

R3(config-if)# ip nhrp shortcut

Verification

Blue_Bird_1-1750942836354.png

Blue_Bird_2-1750942870165.png

Notice that the spoke routers R2 and R3 have only a default route, and its next-hop IP address is still the R1 router. When you ping and traceroute, you can see that the traffic goes directly from one spoke router to the other.

Blue_Bird_3-1750942914653.png

Blue_Bird_5-1750942950588.png

Blue_Bird_7-1750942982381.png

You can also see that the spoke routers R2 and R3 learned a few routes dynamically through NHRP.

Blue_Bird_8-1750943046385.png

Blue_Bird_10-1750943090037.png

Blue_Bird_12-1750943113651.png

Conclusion

The drawbacks of DMVPN Phase 2 are overcome by the DMVPN Phase 3 implementation. DMVPN tunnels don't offer any encryption, so the traffic passing through them is not secure. You can implement IPsec over DMVPN tunnels to encrypt the traffic and make it secure. We will discuss how to implement IPsec over DMVPN tunnels in another article.
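An added example, not part of the original article: a Python check that reads saved tunnel configuration and flags mGRE tunnels that are missing the Phase 3 command for their role or that carry no IPsec protection, the gap noted above. It assumes a spoke is any mGRE tunnel with "ip nhrp nhs" and a hub is any mGRE tunnel without it; the function name and the sample text are constructed here, and "tunnel protection ipsec" is the IOS interface command the check looks for.

```python
import re

# Constructed sample: the R1 (hub) and R2 (spoke) tunnel settings from this
# article, written the way they would appear in a saved configuration.
SAMPLE = {
    "R1": """interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication vpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!""",
    "R2": """interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication vpn
 ip nhrp map 192.168.1.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!""",
}

def audit_tunnels(config):
    """Return a list of (interface, finding) for each mGRE tunnel in config."""
    findings = []
    # One match per tunnel stanza: the header line plus its indented commands.
    pattern = r"^interface (Tunnel ?\d+)\n((?:[ \t].*\n?)*)"
    for m in re.finditer(pattern, config, re.M | re.I):
        name = m.group(1)
        cmds = [line.strip() for line in m.group(2).splitlines()]
        if "tunnel mode gre multipoint" not in cmds:
            continue  # not a DMVPN (mGRE) tunnel
        # Assumption: a tunnel that points at an NHS is a spoke, otherwise a hub.
        is_spoke = any(c.startswith("ip nhrp nhs ") for c in cmds)
        needed = "ip nhrp shortcut" if is_spoke else "ip nhrp redirect"
        if needed not in cmds:
            findings.append((name, f"missing '{needed}' (Phase 3)"))
        if not any(c.startswith("tunnel protection ipsec ") for c in cmds):
            findings.append((name, "no 'tunnel protection ipsec': traffic is unencrypted"))
    return findings

if __name__ == "__main__":
    for host, cfg in SAMPLE.items():
        for intf, finding in audit_tunnels(cfg):
            print(f"{host} {intf}: {finding}")
```

Run against the configuration in this article, every tunnel is reported as unencrypted.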

Thank you very much!

 

 

 

 
