Each spoke has a permanent IPSec tunnel to the hub but not to the other spokes within the network.
Each spoke registers as a client of the NHRP server. The Hub router undertakes the role of the NHRP
server.
When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the
NHRP server for the real (outside) address of the destination (target) spoke.
After the originating spoke learns the peer address of the target spoke, it can initiate a dynamic IPSec
tunnel to the target spoke.
The spoke-to-spoke tunnel is built over the multipoint GRE (mGRE) interface.
The spoke-to-spoke links are established on demand whenever there is traffic between the spokes.
Thereafter, packets are able to bypass the hub and use the spoke-to-spoke tunnel.
All data traversing the GRE tunnel is encrypted using IPSec (optional).
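The registration, resolution and on-demand tunnel behaviour listed above, as an added example that is not code from the original article: a small Python model in which the hub holds the NHRP database, spokes register with it, and the first packet to a new peer transits the hub while the resolved spoke-to-spoke tunnel is cached for everything after it. The addresses come from the article's topology; the class and method names are assumptions made for this model.

```python
# Added example, not code from the original article: a minimal model of the
# DMVPN control flow described above. The hub holds the NHRP database
# (tunnel IP -> NBMA/public IP); spokes register with it, resolve a peer on
# demand, and then cache a direct spoke-to-spoke tunnel so later packets
# bypass the hub. Addresses are taken from the article's topology; the
# class and method names are assumptions for this model.


class NhrpServer:
    """Hub role: NHRP server keyed by tunnel (inside) address."""

    def __init__(self, nbma_ip, network_id, auth):
        self.nbma_ip = nbma_ip
        self.network_id = network_id
        self.auth = auth
        self.db = {}  # tunnel IP -> NBMA IP

    def _accept(self, network_id, auth):
        # Mirrors "ip nhrp network-id" and "ip nhrp authentication": packets
        # for another cloud or carrying the wrong string are ignored.
        return network_id == self.network_id and auth == self.auth

    def register(self, network_id, auth, tunnel_ip, nbma_ip):
        if not self._accept(network_id, auth):
            return False
        self.db[tunnel_ip] = nbma_ip
        return True

    def resolve(self, network_id, auth, tunnel_ip):
        if not self._accept(network_id, auth):
            return None
        return self.db.get(tunnel_ip)


class Spoke:
    """Spoke role: permanent tunnel to the hub, dynamic tunnels to peers."""

    def __init__(self, name, tunnel_ip, nbma_ip, hub, network_id=1, auth="firewall"):
        self.name = name
        self.tunnel_ip = tunnel_ip
        self.nbma_ip = nbma_ip
        self.hub = hub
        self.network_id = network_id
        self.auth = auth
        self.tunnels = {}  # peer tunnel IP -> peer NBMA IP (built on demand)
        self.registered = hub.register(network_id, auth, tunnel_ip, nbma_ip)

    def next_hop(self, dest_tunnel_ip):
        """Return the outside address a packet for dest_tunnel_ip is sent to."""
        if dest_tunnel_ip in self.tunnels:
            return self.tunnels[dest_tunnel_ip]  # direct spoke-to-spoke path
        peer_nbma = self.hub.resolve(self.network_id, self.auth, dest_tunnel_ip)
        if peer_nbma is not None:
            # Resolution succeeded: the dynamic tunnel is cached for later
            # packets, while this first packet still transits the hub.
            self.tunnels[dest_tunnel_ip] = peer_nbma
        return self.hub.nbma_ip


if __name__ == "__main__":
    hub = NhrpServer("1.1.1.10", network_id=1, auth="firewall")
    r2 = Spoke("R2", "172.16.0.2", "2.2.2.10", hub)
    r3 = Spoke("R3", "172.16.0.3", "3.3.3.10", hub)
    for _ in range(3):
        print("R2 -> 172.16.0.3 via", r2.next_hop("172.16.0.3"))
```

Running it prints the hub's address once and R3's public address twice: the spoke-to-spoke tunnel exists only after traffic has asked for it, and a spoke configured with the wrong network-id or authentication string never gets into the hub's database at all.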
Configure Routing Between DMVPN mGRE Tunnels (static routing or routing protocol)
description WAN-Network
ip address 1.1.1.10 255.255.255.0
duplex auto
speed auto
Next, we configure the Tunnel0 interface. Notice that this is an almost typical tunnel interface configuration with
a few minor but important changes, which are discussed below:
interface Tunnel0
description mGRE - DMVPN Tunnel
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip nhrp authentication firewall
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 1.1.1.10
tunnel mode gre multipoint
Engineers familiar with GRE tunnels will immediately notice the absence of the tunnel
destination command. It has been replaced with the tunnel mode gre multipoint command, which
designates this tunnel as a multipoint GRE tunnel.
The ip nhrp map multicast dynamic command enables the forwarding of multicast traffic across the tunnel
to dynamic spokes. This is usually required by routing protocols such as OSPF and EIGRP. In most cases,
DMVPN is accompanied by a routing protocol to send and receive dynamic updates about the private
networks.
The ip nhrp network-id 1 command is used to identify this DMVPN cloud. All routers participating in this
DMVPN cloud must have the same network-id configured in order for tunnels to form between them.
The ip nhrp authentication command allows only authenticated updates and queries to reach the NHRP
database, ensuring unwanted queries are not provided with any information about the DMVPN network.
Bear in mind that the authentication string travels in cleartext inside the NHRP packets, so it keeps
misconfigured or stray peers out of the cloud rather than defeating someone capturing the traffic;
confidentiality for the tunnel itself comes from IPSec.
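The settings explained above (multipoint GRE mode, no fixed tunnel destination, a network-id and authentication string that must agree across the cloud, multicast mapping for the routing protocol) are easy to check mechanically. What follows is an added example, not the article's or Cisco's code: a Python auditor that parses Tunnel interface stanzas from running-config text and reports what is missing or inconsistent. The hub stanza is the article's own Tunnel0 configuration; the spoke stanza is a constructed counterpart that deliberately uses a different network-id and omits authentication. The check for `tunnel protection ipsec profile` refers to the standard IOS command for applying IPSec to a tunnel, which the article's configuration does not include.

```python
# Added example, not code from the original article: a configuration auditor
# for the mGRE/NHRP settings discussed above. HUB_CONFIG is the article's own
# Tunnel0 stanza; SPOKE_CONFIG is a constructed spoke with two deliberate
# mistakes (network-id 2 instead of 1, no ip nhrp authentication).
import re

HUB_CONFIG = """
interface Tunnel0
 description mGRE - DMVPN Tunnel
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 1.1.1.10
 tunnel mode gre multipoint
!
interface FastEthernet0/1
 description WAN-Network
 ip address 1.1.1.10 255.255.255.0
"""

# Constructed spoke stanza (assumed, not from the article); the nhs/map lines
# point the spoke at the hub's tunnel and public addresses.
SPOKE_CONFIG = """
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp map 172.16.0.1 1.1.1.10
 ip nhrp map multicast 1.1.1.10
 ip nhrp nhs 172.16.0.1
 ip nhrp network-id 2
 tunnel source 2.2.2.10
 tunnel mode gre multipoint
"""

# Command prefix that must appear in every DMVPN tunnel stanza -> finding text.
REQUIRED = {
    "tunnel mode gre multipoint": "tunnel is not in multipoint GRE mode",
    "ip nhrp network-id": "ip nhrp network-id missing (tunnels will not form)",
    "ip nhrp authentication": "ip nhrp authentication missing (any registration or query is accepted)",
    "ip nhrp map multicast": "no multicast mapping (OSPF/EIGRP hellos will not cross the tunnel)",
}


def parse_tunnels(config):
    """Return {tunnel_name: [stripped config lines]} for each Tunnel stanza."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m:
            current = m.group(1)
            tunnels[current] = []
        elif line.startswith("interface ") or line == "!":
            current = None  # left the tunnel stanza
        elif current and line:
            tunnels[current].append(line)
    return tunnels


def audit_tunnel(lines):
    """Findings for a single tunnel stanza, independent of other routers."""
    findings = [msg for prefix, msg in REQUIRED.items()
                if not any(l.startswith(prefix) for l in lines)]
    if any(l.startswith("tunnel destination") for l in lines):
        findings.append("tunnel destination set: point-to-point GRE, not mGRE")
    if not any(l.startswith("tunnel protection ipsec profile") for l in lines):
        findings.append("no IPsec tunnel protection: unless a crypto map on the WAN "
                        "interface covers it, GRE traffic crosses the WAN unencrypted")
    return findings


def nhrp_params(lines):
    """(network-id, authentication string) from a tunnel stanza, None if absent."""
    nid = auth = None
    for l in lines:
        if l.startswith("ip nhrp network-id "):
            nid = l.split()[-1]
        elif l.startswith("ip nhrp authentication "):
            auth = l.split()[-1]
    return nid, auth


def audit_cloud(configs):
    """configs: {router: config text}. Returns {router: {tunnel: [findings]}}.
    network-id and authentication are compared against the first router seen."""
    report, seen = {}, {}
    for router, cfg in configs.items():
        report[router] = {}
        for tname, lines in parse_tunnels(cfg).items():
            findings = audit_tunnel(lines)
            for key, value in zip(("network-id", "authentication"), nhrp_params(lines)):
                if value is None:
                    continue
                first = seen.setdefault(key, (router, value))
                if first[1] != value:
                    findings.append(f"{key} {value} differs from {first[0]} ({first[1]})")
            report[router][tname] = findings
    return report


if __name__ == "__main__":
    for router, tunnels in audit_cloud({"R1": HUB_CONFIG, "R2": SPOKE_CONFIG}).items():
        for tname, findings in tunnels.items():
            print(f"{router} {tname}: {findings or 'OK'}")
```

The hub's only finding is the absence of IPSec protection, which matches the article's note that encryption is optional; the constructed spoke is additionally flagged for the missing authentication string and for a network-id that does not match the hub, both of which would stop its tunnel from forming.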
speed auto
!
interface FastEthernet0/1
description WAN-Network
ip address 2.2.2.10 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/0
description LAN-Network
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN-Network
ip address 3.3.3.10 255.255.255.0
duplex auto
speed auto
The output of our command provides us with some valuable information. To start with, the router
provides an explanation for each column presented (right under the show command) but we are still going
to cover them so that we are not left with any unanswered questions.
The first column, #Ent, shows the number of entries that exist in the NHRP database for the same spoke.
Usually, we wouldn't expect to see more than one for each spoke.
The second column, Peer NBMA Addr, presents the spoke's public IP address, while the third column, Peer
Tunnel Add, shows each spoke's local Tunnel IP address.
Next, the State column shows the current state the tunnel is in. In our case, both tunnels are UP. Right next
to the State is the UpDN Tm, which is the Up or Down Time of the current State. This is a very important
bit of information, as you can clearly see how long your tunnel has been in its current state.
For our example, both spokes have been up for almost 5 minutes.
Lastly, the Attrib column shows the type of tunnels established by the spokes. D stands for Dynamic, S for
Static and I for Incomplete. Usually dynamic spokes will create D type tunnels. Tunnels established from
the spokes to the Hub router are expected to be S type, since the Hub remains static.
As expected, R2's output shows one entry only. When traffic needs to be directed to R3, a second GRE
tunnel will come up. We'll try this soon. For now, let's check our third remote site, the R3 spoke router.
Using the same show dmvpn command we obtain the following similar output:
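Reading the #Ent, Peer NBMA Addr, Peer Tunnel Add, State, UpDn Tm and Attrb columns by eye is fine for three routers; for a larger cloud it is worth parsing them. The following is an added example, not the article's code: a Python parser for output laid out like the show dmvpn listing discussed above, plus a check that flags peers that are not UP, incomplete entries, unexpected attributes, duplicate NHRP entries and very recent state changes. The sample output is constructed to resemble the hub's view (two dynamic spokes with roughly the article's uptimes, and a third, constructed entry still resolving); it was not captured from a device, and the function names are this example's own.

```python
# Added example, not code from the original article: parse "show dmvpn" style
# output and flag peers worth a second look. SAMPLE_OUTPUT is constructed to
# match the column layout the article walks through; it is not device output.
import re

SAMPLE_OUTPUT = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 2.2.2.10         172.16.0.2    UP 00:04:52     D
     1 3.3.3.10         172.16.0.3    UP 00:04:41     D
     1 4.4.4.10         172.16.0.4  NHRP 00:00:03     I
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ENTRY_RE = re.compile(rf"^\s*(\d+)\s+({IPV4})\s+({IPV4})\s+(\S+)\s+(\S+)\s+([A-Z]+)\s*$")
IFACE_RE = re.compile(r"^Interface: (\S+?),")


def parse_updn(text):
    """Convert an hh:mm:ss UpDn time to seconds; other forms (e.g. 1d02h) give None."""
    m = re.fullmatch(r"(\d+):(\d\d):(\d\d)", text)
    if not m:
        return None
    h, mi, s = map(int, m.groups())
    return h * 3600 + mi * 60 + s


def parse_show_dmvpn(output):
    """Return one dict per peer line, tagged with the tunnel interface it sits under."""
    entries, iface = [], None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            ent, nbma, tun, state, updn, attrb = m.groups()
            entries.append({"interface": iface, "entries": int(ent), "nbma": nbma,
                            "tunnel": tun, "state": state,
                            "updn_s": parse_updn(updn), "attrb": attrb})
    return entries


def check_peers(entries, expect_attrb="D", min_up_s=300):
    """List of (peer tunnel IP, reason). On a hub expect D from spokes; on a
    spoke expect S for the hub entry. Peers up for less than min_up_s are
    reported so recent flaps stand out."""
    issues = []
    for e in entries:
        if e["state"] != "UP":
            issues.append((e["tunnel"], f"state {e['state']}"))
        if "I" in e["attrb"]:
            issues.append((e["tunnel"], "incomplete NHRP entry"))
        elif expect_attrb not in e["attrb"]:
            issues.append((e["tunnel"], f"attrb {e['attrb']}, expected {expect_attrb}"))
        if e["state"] == "UP" and e["updn_s"] is not None and e["updn_s"] < min_up_s:
            issues.append((e["tunnel"], f"up for only {e['updn_s']}s (recent change)"))
        if e["entries"] > 1:
            issues.append((e["tunnel"], f"{e['entries']} NHRP entries for one peer"))
    return issues


if __name__ == "__main__":
    peers = parse_show_dmvpn(SAMPLE_OUTPUT)
    for p in peers:
        print(p)
    for tunnel_ip, reason in check_peers(peers, min_up_s=60):
        print(f"{tunnel_ip}: {reason}")
```

With the sample above, the two established spokes come back clean and the third entry is reported twice, once for its NHRP state and once for the I attribute, which is exactly the pair of symptoms you would expect from a spoke whose registration has not completed.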
consideration that their public IP address is dynamic it is imperative to use 0.0.0.0 0.0.0.0 for the remote
peer.
255.255.255.0 172.16.0.2
ip route 192.168.1.0
ip route 192.168.3.0 255.255.255.0 172.16.0.3
255.255.255.0 172.16.0.1
255.255.255.0 172.16.0.1