DMVPN Phase 2 and Phase 3 are identical; however, in Phase 3 there is no need for the command "no ip next-hop-self eigrp 10".
Here are a few good links about DMVPN:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html
http://blog.ine.com/2008/08/02/dmvpn-explained/
To implement Phase 3, we have to configure one additional command, "ip nhrp redirect", on the hub and one additional command, "ip nhrp shortcut", on the spokes.
The idea here is that when a spoke tries to send packets to another spoke, the initial packet is forwarded to the hub. Upon receiving the packet on its mGRE interface, the hub replies with an "NHRP Redirect" packet, which indicates that the spoke is not using an optimal path and should look for an alternate path by using NHRP resolution.
The spoke then sends an NHRP request directly to the destination spoke address (not the hub). The destination spoke replies with the IP routing prefix. When the source spoke receives this reply, it knows the NBMA IP address of the destination.
In Phase 3, the hub will not be the only source of NHRP information. The spokes will also participate in this.
Let's see this in action.
We will first remove "no ip next-hop-self eigrp 10" from R1 (hub) and configure "ip nhrp redirect".
Now we will configure "ip nhrp shortcut" on R2 and R3.
If we check the routing table of R2, we can see that it has learned R3's loopback with the next hop being R1's tunnel IP.
Let's try and ping R3's loopback with the source of R2's loopback.
The ping works. Let's check the traceroute now.
We can see that even though the next hop is set to 10.1.1.1 in the routing table, the traffic for the destination 192.168.3.1 goes to R3's tunnel IP directly. This is because the "ip nhrp shortcut" command overrides the routing table if the spoke has received an "NHRP redirect" message from the hub.
If we check the routing table again on R2, we can see a "%" sign on the EIGRP route for the prefix 192.168.3.0/24. The % means that this router is not using the next hop specified in the routing table.
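The redirect and shortcut behaviour walked through above, as a simplified Python model (an added example, not from the original post and not a real NHRP implementation). R1's tunnel IP and the 192.168.3.0/24 prefix come from the post; the spoke tunnel IPs, the NBMA addresses and R2's 192.168.2.0/24 prefix are assumed sample values.

```python
from dataclasses import dataclass, field

HUB = "R1"
HUB_TUNNEL_IP = "10.1.1.1"   # R1's tunnel IP, as in the post

@dataclass
class Spoke:
    name: str
    lan: str                  # prefix behind this spoke
    tunnel_ip: str            # assumed sample value
    nbma_ip: str              # assumed sample value (documentation range)
    shortcut: bool = True     # models "ip nhrp shortcut"
    routes: dict = field(default_factory=dict)      # prefix -> next hop (EIGRP)
    nhrp_cache: dict = field(default_factory=dict)  # prefix -> resolved spoke info

    def resolution_reply(self):
        """What the destination spoke returns: its prefix plus tunnel/NBMA addresses."""
        return {"router": self.name, "prefix": self.lan,
                "tunnel_ip": self.tunnel_ip, "nbma_ip": self.nbma_ip}

def build_lab(hub_redirect=True, shortcut=True):
    r2 = Spoke("R2", "192.168.2.0/24", "10.1.1.2", "198.51.100.2", shortcut)
    r3 = Spoke("R3", "192.168.3.0/24", "10.1.1.3", "198.51.100.3", shortcut)
    # Hub advertises each spoke LAN with itself as next hop (next-hop-self left on).
    r2.routes[r3.lan] = HUB_TUNNEL_IP
    r3.routes[r2.lan] = HUB_TUNNEL_IP
    return {"redirect": hub_redirect, "spokes": {"R2": r2, "R3": r3}}

def send(lab, src_name, prefix):
    """Forward one packet; return the list of routers it traverses."""
    src = lab["spokes"][src_name]
    if prefix in src.nhrp_cache:               # shortcut overrides the routing table
        return [src.name, src.nhrp_cache[prefix]["router"]]
    dst = next(s for s in lab["spokes"].values() if s.lan == prefix)
    path = [src.name, HUB, dst.name]           # routing table: next hop is the hub
    # Hub forwarded the packet back out the mGRE interface it arrived on,
    # so (with "ip nhrp redirect") it sends an NHRP Redirect to the source spoke.
    if lab["redirect"] and src.shortcut:
        # Spoke resolves the destination via NHRP and caches the reply.
        src.nhrp_cache[prefix] = dst.resolution_reply()
    return path

def overridden(lab, src_name, prefix):
    """True when the route would show '%': the table next hop is not the one in use."""
    return prefix in lab["spokes"][src_name].nhrp_cache

if __name__ == "__main__":
    lab = build_lab()
    print(send(lab, "R2", "192.168.3.0/24"))   # first packet
    print(send(lab, "R2", "192.168.3.0/24"))   # after the redirect
```

Calling build_lab(hub_redirect=False) or build_lab(shortcut=False) shows that traffic keeps flowing through the hub when either command is missing.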
Excellent. All Phase 1, 2 and 3 cleared DMVPN.
Jigar, thank you for the post. Keep sharing your knowledge with everyone. We appreciate your time and effort. So we can use stub at spokes for Phase 3 because we are overriding the next hop using NHRP. In Phase 2 we can't make stub because we need routing entries from other spokes.