Networking with FISH

Fun in the Lab: Sniffer Tracing a DMVPN Tunnel Startup
Posted on May 21, 2015 by Denise "Fish" Fishburne. 1 Comment

DMVPN's per-tunnel QoS is really cool. Is this post about per-tunnel QoS? Actually... no. This is the post PRIOR to that post. This is the post that will familiarize you with the environment we will be doing the per-tunnel QoS in. This is the post where you get to download the sniffer trace of a DMVPN tunnel coming up in a nice clean lab environment and see what the NHRP looks like prior to us putting per-tunnel QoS on.

Why a sniffer trace? 'Cause I'm a sniffer trace kinda girl. It's how I learn and how I "see" the underlying flow, which helps me put the puzzle pieces together. Documentation and show commands help me... but everything seems to "sink in deeper" if I can sniff the wire. So for those of you who learn like I do.... let's go play in the lab!

First... you may want to grab the actual pcap file we are going to be looking at together: dmvpn_tunnel_startup.pcap <- it is on my public dropbox and I plan to keep it there for a few years.

Ready?

[Lab topology diagram: hub router Foxtrot14 and the branch routers connected through the "INET" cloud, with a Wireshark logo marking the sniffer position between Foxtrot14 and the INET cloud]

Welcome to our little lab environment. Again... this will be the environment we will also be using for the DMVPN per-tunnel QoS post, which (in theory) is next.

Quick summary of what we are looking at here:
+ INET side of my larger IWAN play environment
+ No "DIA" (direct internet access) for the branches, to keep things "simpler" for now
+ No encryption enabled, so we can sniff and see everything

We are going to start with the "WAN" facing interfaces administratively shut down so we can capture the DMVPN coming up and then the EIGRP over it. See the little "wireshark" logo up between Foxtrot14 and the INET cloud? This is where we are going to put our sniffer.
Quick Side Note: Completely new to DMVPN? I'm not sure if looking at this sniffer trace is going to clear that up for you. I will suggest you read a little first on DMVPN and understand a little more about mGRE as well as NHRP. mGRE and NHRP are key to the "magic" that is behind DMVPN. I would also suggest, if you are going to be running DMVPN in your environment, that you utilize CiscoLive's "On Demand Library". There are recordings of every breakout session from every CiscoLive around the world for the past few years. And it is .... get this.... free.

Frames 1 thru 10 (below) are just some ARP, STP, and CDP. Feel free to look at them... but we aren't going to go into more detail on any of those here.

[Wireshark frame list, frames 1 thru 10: an STP configuration BPDU, a gratuitous ARP for 21.21.1.2, an ARP "Who has 21.21.1.1? Tell 21.21.1.2" and its reply, and CDP advertisements from echo12 (Device ID: echo12) and foxtrot14 (Port ID: GigabitEthernet0/0/1)]

"Who is echo12?" you might ask. Foxtrot14 actually connects to a layer 2 switch named "echo12" via vlan 214. It's that layer 2 switch that connects to the sole "INET" core router. I do this for ease of sniffing.

Onto the first "DMVPN" magic. We will find this on the wire with frame 11 (NHRP registration request) and frame 12 (NHRP registration reply).

+ Frame 11 is the NHRP registration request from Echo3's NBMA IP address 21.21.102.6 TO Foxtrot14's NBMA IP address 21.21.1.2.
+ Frame 12 is the NHRP registration reply from Foxtrot14's NBMA IP address 21.21.1.2 to Echo3's NBMA IP address 21.21.102.6.

So what does this look like on the wire?

    No.  Source        Destination   Protocol  Length  Info
    11   21.21.102.6   21.21.1.2     NHRP      151     NHRP Registration Request, ID=4452
    12   21.21.1.2     21.21.102.6   NHRP      171     NHRP Registration Reply, ID=4452, Code=Success

    Frame 11: 151 bytes on wire (1208 bits), 151 bytes captured (1208 bits)
    Ethernet II, Src: Cisco_58:ec:80 (f0:17:55:58:ec:80), Dst: Cisco_7e:3e:01 (88:43:e1:...)
    Internet Protocol Version 4, Src: 21.21.102.6 (21.21.102.6), Dst: 21.21.1.2 (21.21.1.2)
    Generic Routing Encapsulation (NHRP)
    Next Hop Resolution Protocol (NHRP Registration Request)
        NHRP Fixed Header
            Address Family Number: IPv4 (0x0001)
            Protocol Type (short form): IP (0x0800)
            Protocol Type (long form): 0000000000
            Hop Count: 255
            Packet Length: 105
            NHRP Packet Checksum: 0x2083 [correct]
            Extension Offset: 52
            Source SubAddress Type/Len: NSAP format/0
        Source Protocol Len: 4
        Destination Protocol Len: 4
        Flags: 0x0082, Cisco NAT Supported
        Request ID: 0x00001164 (4452)
        Source NBMA Address: 21.21.102.6 (21.21.102.6)
        Source Protocol Address: 10.99.2.102 (10.99.2.102)
        Destination Protocol Address: 10.99.2.1 (10.99.2.1)
        Client Information Entry
        Responder Address Extension
        Forward Transit NHS Record Extension
        Reverse Transit NHS Record Extension
        NHRP Authentication Extension
        Cisco NAT Address Extension
        End of Extension

What is RFC2332? It is the RFC for NHRP. Again, NHRP is one of the key pieces of magic that DMVPN utilizes. DMVPN is based on NHRP version 1, but Cisco has made (and continues to make) really great extensions to the protocol that we can use between Cisco devices.

How did Echo3 know where to go to? The configs for the tunnel interface on Echo3.
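As an added example (not from the original post, and not the bytes of the capture), here is a small Python builder and parser for the RFC 2332 fixed header, mandatory part and extension list of a registration request, filled with the field values decoded above. The packet is constructed, so only the End of Extensions is present and its length and checksum differ from the capture's 105 bytes and 0x2083; the CIE prefix length of 32 and the holding time of 600 (from Echo3's `ip nhrp holdtime 600`) are assumptions.

```python
import struct
from ipaddress import IPv4Address
OP_REGISTRATION_REQUEST = 3                  # ar$op.type for a Registration Request
FIXED_HDR = struct.Struct("!HH5sBHHHBBBB")   # RFC 2332 fixed header, 20 bytes
COMMON = struct.Struct("!BBHI")              # src/dst proto len, flags, request ID
CIE = struct.Struct("!BBHHHBBBB")            # client information entry, 12 bytes

def ip_checksum(data: bytes) -> int:
    # Standard one's-complement checksum; ar$chksum covers the whole NHRP packet.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_registration_request() -> bytes:
    # Constructed packet using the values decoded in frame 11; not the capture itself.
    body = COMMON.pack(4, 4, 0x0082, 0x1164)           # flags 0x0082, request ID 4452
    body += IPv4Address("21.21.102.6").packed          # source NBMA address (Echo3)
    body += IPv4Address("10.99.2.102").packed          # source protocol address
    body += IPv4Address("10.99.2.1").packed            # destination protocol address (NHS)
    body += CIE.pack(0, 32, 0, 0, 600, 0, 0, 0, 0)     # holdtime 600, zero-length client addrs
    ext = struct.pack("!HH", 0, 0)                     # End of Extensions only
    ext_off = FIXED_HDR.size + len(body)               # 20 + 32 = 52, as in the trace
    hdr = FIXED_HDR.pack(1, 0x0800, b"\0" * 5, 255, ext_off + len(ext), 0, ext_off,
                         1, OP_REGISTRATION_REQUEST, 4, 0)   # IPv4, IP, hops 255, version 1
    pkt = hdr + body + ext
    return pkt[:12] + struct.pack("!H", ip_checksum(pkt)) + pkt[14:]   # fill ar$chksum

def parse_registration_request(pkt: bytes) -> dict:
    afn, proto, _snap, hops, size, _chk, extoff, _ver, op, shtl, sstl = FIXED_HDR.unpack_from(pkt)
    if op != OP_REGISTRATION_REQUEST or size != len(pkt):
        raise ValueError("not a complete NHRP registration request")
    spl, dpl, flags, req_id = COMMON.unpack_from(pkt, FIXED_HDR.size)
    off = FIXED_HDR.size + COMMON.size
    nbma_len = shtl & 0x3F                             # low 6 bits of the type/len byte
    src_nbma = IPv4Address(pkt[off:off + nbma_len]); off += nbma_len + (sstl & 0x3F)
    src_proto = IPv4Address(pkt[off:off + spl]); off += spl
    dst_proto = IPv4Address(pkt[off:off + dpl]); off += dpl
    _code, _plen, _unused, _mtu, hold, *_ = CIE.unpack_from(pkt, off)
    exts, pos = [], extoff
    while pos and pos + 4 <= len(pkt):                 # walk the extension list
        etype, elen = struct.unpack_from("!HH", pkt, pos)
        exts.append(etype & 0x3FFF)                    # drop the compulsory (C) bit
        if etype & 0x3FFF == 0:                        # End of Extensions
            break
        pos += 4 + elen
    return {"afn": afn, "proto_type": proto, "hop_count": hops, "packet_length": size,
            "extension_offset": extoff, "flags": flags, "request_id": req_id,
            "src_nbma": str(src_nbma), "src_proto": str(src_proto), "dst_proto": str(dst_proto),
            "holding_time": hold, "extensions": exts, "checksum_ok": ip_checksum(pkt) == 0}
```

Feeding a capture's NHRP payload (the bytes after the GRE header) to `parse_registration_request` gives the same fields Wireshark shows, and `checksum_ok` corresponds to its "[correct]" marker.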
Let's look at them.

    ! interface number inferred from the hub's Tunnel2 and the shared tunnel key / network-id 2
    interface Tunnel2
     description WAN ECHO3
     ip address 10.99.2.102 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication cisco
     ip nhrp map 10.99.2.1 21.21.1.2
     ip nhrp map multicast 21.21.1.2
     ip nhrp network-id 2
     ip nhrp holdtime 600
     ip nhrp nhs 10.99.2.1
     ip nhrp registration no-unique
     ip nhrp shortcut
     ip tcp adjust-mss 1360
     load-interval 30
     delay 20000
     if-state nhrp
     tunnel source GigabitEthernet0/0/2
     tunnel mode gre multipoint
     tunnel key 2
     tunnel vrf Internet

See how Echo3 is statically configured to know the destination physical IP address it is trying to get to is 21.21.1.2?

"What happened to the dynamic part of this?" you ask. Well, obviously while the hub can be dynamic and just sit there and listen... someone has to start the call.

"Wow, that is a lot of configuration, do I have to do all of that?" you ask. No. But everything I put in there has a reason for being in there. Once you know what your branch DMVPN design is... you can pretty much be "cookie cutter" with the branch tunnel configs, changing really only two things at each branch:
1) 4th octet: 10.99.2.x
2) Tunnel source interface, if your branches vary here

Note: While I have not played with it myself, it is my understanding that you can also use DNS to look up the hub.

If you continue on in the sniffer trace you will see Echo3 and Foxtrot14 exchanging NHRP registration request/reply, followed by EIGRP neighboring up over the mGRE tunnel (10.99.2.1 with 10.99.2.102), and then the NHRP exchange between Branch1-R2 and Foxtrot14, followed by EIGRP neighboring up over the mGRE tunnel (10.99.2.1 with 10.99.2.101).

What does all this look like via the CLI and show commands?
    foxtrot14#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            T1 - Route Installed, T2 - Nexthop-override
            C - CTS Capable
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel

    Interface: Tunnel2, IPv4 NHRP Details
    Type:Hub, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
           21.21.101.6         10.99.2.101    UP 07:42:11
           21.21.102.6         10.99.2.102    UP 07:42:16

(The "# Ent" and "Attrb" cells are not legible in the scan and are left blank.)

    foxtrot14#show interface tunnel2
    Tunnel2 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 10.99.2.1/24
      MTU ... bytes, BW 1000 Kbit/sec, DLY 10050 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Tunnel linestate evaluation up
      Tunnel source 21.21.1.2
      Tunnel protocol/transport multi-GRE/IP
        Key 0x2, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled

And then, of course, finally our EIGRP neighbor.

    foxtrot14#show ip eigrp neighbors

[show ip eigrp neighbors output: EIGRP-IPv4 address-family neighbor table with the columns H, Address, Interface, Hold, Uptime, SRTT, RTO, Q Cnt and Seq Num; the two tunnel neighbors 10.99.2.101 and 10.99.2.102 are listed over Tunnel2; the remaining values are not legible in the scan]

Eh... Voila... our DMVPN is up along with our EIGRP neighbors.

Filed Under: DMVPN, Fun in the Lab, Wireshark

Comment

Tim Martin: kewl stuff here Fish, thanks for sharing
