DMVPN with EIGRP in Cisco Router

Dynamic Multipoint VPN [EIGRP]

  • DMVPN lets users scale both large and small IPSec VPNs by combining mGRE, IPSec and NHRP; the crypto settings are applied once through an IPSec profile on the tunnel instead of a crypto map per peer
  • The HUB router has a permanent tunnel to every SPOKE router, but a SPOKE router does not keep permanent tunnels to the other SPOKE routers
  • It has 3 phases:
    • Phase 1:
      • All traffic flows through the HUB (each SPOKE has a point-to-point GRE tunnel to the HUB only)
    • Phase 2:
      • When a SPOKE wants to communicate with another SPOKE, a dynamic SPOKE to SPOKE tunnel is created
      • The CEF entry on SPOKE1 for the SPOKE2 route has SPOKE2's tunnel IP as next hop, and SPOKE1 cannot yet map that tunnel IP to a physical (NBMA) address, so the adjacency is incomplete/invalid
      • Therefore SPOKE1 sends an NHRP resolution request to the HUB; when the reply arrives with SPOKE2's NBMA address, the SPOKE2 route becomes valid in CEF
      • Until the resolution reply arrives, CEF is not used: the packets are process-switched using the routing table
      • The NHRP cache and the CEF adjacency are updated on SPOKE1 and SPOKE2
      • The temporary/dynamic tunnel entry is valid for 2 hours (NHRP holdtime 7200 seconds) by default
    • Phase 3:
      • Advantage: summarization can be done at the HUB; in Phase 2 the original next hop must be preserved (the SPOKE needs the other SPOKE's tunnel IP as next hop), so summarization is not possible
      • Problems in Phase 1:
        • No dynamic SPOKE to SPOKE tunnel
        • High CPU utilization on the HUB, since all SPOKE to SPOKE traffic is decrypted and re-encrypted there
      • Problems in Phase 2:
        • No summarization possible
        • Until the resolution reply arrives, process switching is used instead of CEF
      • Therefore in Phase 3 we combine summarization with dynamic SPOKE to SPOKE tunnels and avoid process switching: the HUB sends an NHRP redirect when traffic enters and leaves the same tunnel interface, and the SPOKE installs an NHRP shortcut after resolving the other SPOKE
      • The CEF entry is valid before and after resolution, because the next hop is always the HUB
Configuration for Phase 1:
  • Step 1: ISAKMP Policy
  • Step 2: ISAKMP Key (a wildcard peer address, so every SPOKE shares one configuration; note that any host that knows the key can then negotiate IKE with the HUB)
    • (config)# crypto isakmp key 0 <key> address 0.0.0.0 0.0.0.0
  • Step 3: Transform Set
  • Step 4: IPSec Profile that calls the Transform Set
  • Step 5: Create the Tunnel Interface and protect it with the IPSec Profile
    • In the Tunnel Interface of the HUB, use the mGRE HUB commands
    • In the Tunnel Interface of the SPOKE, use the mGRE SPOKE commands
Configuration for Phase 2:
  • At Step 5, add the following command on the HUB tunnel interface:
    • (config-if)# no ip next-hop-self eigrp <#>
Configuration for Phase 3:
  • At Step 5, remove the Phase 2 command and add the following commands on the tunnel interfaces:
    • HUB ——->   (config-if)# ip nhrp redirect
    • SPOKE —–>   (config-if)# ip nhrp shortcut
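The steps above decide the DMVPN phase purely from which commands sit on the tunnel interface, so a reviewer can recover the phase from a running configuration and, at the same time, flag the settings a security review would raise. The following Python audit is an added example and not part of the original page: it classifies a tunnel interface as HUB or SPOKE in Phase 1, 2 or 3 and reports a wildcard pre-shared key, 3DES and a weak DH group. The sample configurations embedded in it are constructed from the page's R1 (HUB) and R4 (SPOKE) configurations; the function names are this example's own.

```python
"""Classify the DMVPN phase of a Cisco IOS tunnel interface from its running
configuration and list the weak settings a reviewer would raise.
Added example, not part of the original page; samples are constructed from the
page's R1 (HUB) and R4 (SPOKE) configurations."""
import re

# Constructed sample: the HUB config in its Phase 3 form.
HUB_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set TSET
interface Tunnel0
 ip address 172.16.145.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 ip nhrp redirect
 no ip split-horizon eigrp 145
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
"""

# Constructed samples: R4's tunnel interface in its Phase 1 and Phase 2 forms
# (the crypto section is identical to the HUB's and is omitted here).
SPOKE_PHASE1 = """\
interface Tunnel0
 ip address 172.16.145.4 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp map 172.16.145.1 10.1.12.1
 ip nhrp network-id 12345
 ip nhrp nhs 172.16.145.1
 tunnel source Serial0/0.42
 tunnel destination 10.1.12.1
 tunnel protection ipsec profile DMVPN
"""
SPOKE_PHASE2 = SPOKE_PHASE1.replace(
    " tunnel destination 10.1.12.1\n",
    " ip nhrp map multicast 10.1.12.1\n tunnel mode gre multipoint\n")


def interface_block(config, name="Tunnel0"):
    """Return the (dedented) lines that belong to 'interface <name>'."""
    lines, inside = [], False
    for raw in config.splitlines():
        if raw.startswith("interface "):
            inside = raw.split(None, 1)[1].strip() == name
        elif inside and raw.startswith(" "):
            lines.append(raw.strip())
        else:
            inside = False
    return lines


def _has(lines, prefix):
    return any(line.startswith(prefix) for line in lines)


def classify(config, name="Tunnel0"):
    """Return (role, phase) for the named DMVPN tunnel interface."""
    lines = interface_block(config, name)
    if not _has(lines, "ip nhrp network-id"):
        raise ValueError(f"{name}: no 'ip nhrp network-id', not a DMVPN tunnel")
    mgre = _has(lines, "tunnel mode gre multipoint")
    if _has(lines, "ip nhrp nhs"):          # only a SPOKE points at a next-hop server
        if not mgre:
            return "spoke", 1               # point-to-point GRE to the HUB only
        return "spoke", 3 if _has(lines, "ip nhrp shortcut") else 2
    if not mgre:
        raise ValueError(f"{name}: a HUB must use 'tunnel mode gre multipoint'")
    if _has(lines, "ip nhrp redirect"):
        return "hub", 3
    if _has(lines, "no ip next-hop-self eigrp"):
        return "hub", 2
    return "hub", 1


def audit(config, name="Tunnel0"):
    """Findings (strings) on the crypto and NHRP settings of a DMVPN config."""
    lines = interface_block(config, name)
    findings = []
    if not _has(lines, "tunnel protection ipsec profile"):
        findings.append("no 'tunnel protection': GRE traffic is sent in cleartext")
    if not _has(lines, "ip nhrp authentication"):
        findings.append("no 'ip nhrp authentication' string on the tunnel")
    if re.search(r"^crypto isakmp key (?:\d\s+)?\S+ address 0\.0\.0\.0 0\.0\.0\.0$",
                 config, re.M):
        findings.append("wildcard pre-shared key: any peer that knows the key can "
                        "negotiate IKE with this router")
    if re.search(r"^\s*encr 3des$|esp-3des", config, re.M):
        findings.append("3DES in use for IKE or IPsec; prefer AES")
    if re.search(r"^\s*group (?:1|2|5)$", config, re.M):
        findings.append("IKE DH group 1/2/5 in use; prefer group 14 or higher")
    return findings


if __name__ == "__main__":
    for label, cfg in (("HUB", HUB_CONFIG), ("R4 phase 1", SPOKE_PHASE1),
                       ("R4 phase 2", SPOKE_PHASE2)):
        print(label, classify(cfg), audit(cfg))
```

The classifier keys on exactly the commands the three procedures add or remove: `tunnel destination` versus `tunnel mode gre multipoint` on a SPOKE, `no ip next-hop-self eigrp` versus `ip nhrp redirect` on the HUB, and `ip nhrp shortcut` on a Phase 3 SPOKE. The audit only reads text, so it can be run over backed-up configurations without touching the routers.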
PHASE 1: 
  • Do the initial configuration according to the topology
  • R1, R4 and R5 all have a default route to R2, the transit router between the HUB and the SPOKES
Configuration on R1 (HUB)
  • R1(config)# crypto isakmp policy 10
    • encr 3des
    • authentication pre-share
    • group 2
  • R1(config)# crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 // 0.0.0.0 0.0.0.0 is a wildcard address/mask: the same key is accepted from any peer address
  • R1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R1(config)# crypto ipsec profile DMVPN
    • set transform-set TSET
  • R1(config)#  interface Tunnel0
    • ip address 172.16.145.1 255.255.255.0
    • ip mtu 1400  // Reduce the tunnel MTU so that the GRE plus IPSec overhead does not push packets over the MTU of the physical interface
    • ip nhrp authentication cisco123
    • ip nhrp map multicast dynamic
    • ip nhrp network-id 12345
    • no ip split-horizon eigrp 145 // Required at the HUB for routing updates from R4 to go to R5 and vice versa
    • tunnel source FastEthernet0/0
    • tunnel mode gre multipoint // In Phase 1 only the HUB is GRE multipoint; the SPOKES use point-to-point GRE
    • tunnel key 12345 // It is an identifier and not an encryption/decryption key. Not mandatory for IOS versions above 12.3(11)T3. It is commented here for explanation and kept without comment in the later configurations.
    • tunnel protection ipsec profile DMVPN
  • R1(config)# router eigrp 145
    • network 172.16.145.0 0.0.0.255 // Tunnel IP
    • network 192.168.1.0 // Loopback IP
    • no auto-summary
Configurations on R4:
  • R4(config)# crypto isakmp policy 10
    • encr 3des
    • authentication pre-share
    • group 2
  • R4(config)#  crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
  • R4(config)#  crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R4(config)#  crypto ipsec profile DMVPN
    • set transform-set TSET
  • R4(config)#  interface Tunnel0
    • ip address 172.16.145.4 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map 172.16.145.1 10.1.12.1 // Static mapping of the HUB's tunnel IP to its physical (NBMA) IP; the SPOKE must know the HUB before it can register with it
    • ip nhrp network-id 12345
    • ip nhrp holdtime 360 // Hold time in seconds advertised in this SPOKE's NHRP registration (default 7200)
    • ip nhrp nhs 172.16.145.1
    • tunnel source Serial0/0.42
    • tunnel destination 10.1.12.1 // We need this in Phase 1 SPOKES since it is a point to point connection between spoke and hub
    • tunnel key 12345 // It is an identifier and not an encryption/decryption key. Not mandatory for IOS versions above 12.3(11)T3. It is commented here for explanation and kept without comment in the later configurations.
    • tunnel protection ipsec profile DMVPN
  • R4(config)#  router eigrp 145
    • network 172.16.145.0 0.0.0.255
    • network 192.168.4.0
    • no auto-summary
R4#sh ip route
************Irrelevant Output Removed**************
Gateway of last resort is 10.1.24.2 to network 0.0.0.0

172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/310172416] via 172.16.145.1, 00:39:49, Tunnel0 // R5’s loopback can be reached via R1 (HUB)
10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, Serial0/0.42
D    192.168.1.0/24 [90/297372416] via 172.16.145.1, 00:39:49, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.24.2
Configurations on R5:
  • R5(config)# crypto isakmp policy 10
    • encr 3des
    • authentication pre-share
    • group 2
  • R5(config)#  crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
  • R5(config)#  crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R5(config)#  crypto ipsec profile DMVPN
    • set transform-set TSET
  • R5(config)#  interface Tunnel0
    • ip address 172.16.145.5 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map 172.16.145.1 10.1.12.1
    • ip nhrp network-id 12345
    • ip nhrp holdtime 360
    • ip nhrp nhs 172.16.145.1
    • tunnel source Serial0/0.52
    • tunnel destination 10.1.12.1 // We need this in Phase 1 SPOKES since it is a point to point connection between spoke and hub
    • tunnel key 12345 // It is an identifier and not an encryption/decryption key. Not mandatory for IOS versions above 12.3(11)T3. It is commented here for explanation and kept without comment in the later configurations.
    • tunnel protection ipsec profile DMVPN
  • R5(config)#  router eigrp 145
    • network 172.16.145.0 0.0.0.255
    • network 192.168.5.0
    • no auto-summary
R5#sh ip route

************Irrelevant Output Removed**************

Gateway of last resort is 10.1.25.2 to network 0.0.0.0

172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/310172416] via 172.16.145.1, 00:42:29, Tunnel0 // R4’s loopback can be reached via R1 (HUB)
C    192.168.5.0/24 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C       10.1.25.0 is directly connected, Serial0/0.52
D    192.168.1.0/24 [90/297372416] via 172.16.145.1, 00:52:08, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.25.2

Note: The critical point in Phase 1 of DMVPN is that everything carried in the tunnel, including the traffic between the loopbacks and the EIGRP updates themselves, is encrypted. The beauty of this technology is that all the SPOKES are configured with exactly the same commands: nowhere do we refer to a SPOKE's physical IP. The HUB learns each SPOKE's physical (NBMA) address from its NHRP registration, so if a SPOKE's address is allocated dynamically and changes, the VPN keeps working once the SPOKE re-registers. The flip side of the wildcard pre-shared key is that the HUB accepts IKE from any address, so possession of the key is what admits a SPOKE to the VPN.
Verification Commands:
 
R1#sh ip nhrp // On the HUB
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:28:44, expire 00:04:59 // Because HUB to Spoke mapping is dynamic
  Type: dynamic, Flags: unique registered
NBMA address: 10.1.24.4 // It has learnt the Physical IP
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:28:33, expire 00:04:55
Type: dynamic, Flags: unique registered
NBMA address: 10.1.25.5 // It has learnt the Physical IP
R4#sh ip nhrp // On the Spoke (applicable to both)
172.16.145.1/32 via 172.16.145.1, Tunnel0 created 00:42:52, never expire // Because Spoke to HUB mapping is static
Type: static, Flags:
NBMA address: 10.1.12.1

R1#sh crypto ips sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.12.1

protected vrf: (none)
local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
current_peer 10.1.24.4 port 500
PERMIT, flags={origin_is_acl,}
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27

    // We see many encapsulations and decapsulations before we have sent any interesting traffic: these are the EIGRP hello and update packets being encrypted and decrypted.
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
************Irrelevant Output Removed**************
R4#sh ip cef 192.168.5.0
192.168.5.0/24, version 35, epoch 0
0 packets, 0 bytes
via 172.16.145.1, Tunnel0, 0 dependencies
next hop 172.16.145.1, Tunnel0
valid adjacency
// We see that the next hop is using the HUB and this applies for both SPOKES
PHASE 2:
Configuration on R1 (HUB)
  • R1(config)# crypto isakmp policy 10
    • encr 3des
    • authentication pre-share
    • group 2
  • R1(config)# crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
  • R1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R1(config)# crypto ipsec profile DMVPN
    • set transform-set TSET
  • R1(config)#  interface Tunnel0
    • ip address 172.16.145.1 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map multicast dynamic
    • ip nhrp network-id 12345
    • no ip split-horizon eigrp 145
    • no ip next-hop-self eigrp 145 // The only extra command for Phase 2. Without it EIGRP on the HUB sets itself as the next hop of the routes it re-advertises to the other SPOKES; with it the HUB preserves the originating SPOKE's tunnel IP as the next hop, which is what lets a SPOKE resolve the other SPOKE directly.
    • tunnel source FastEthernet0/0
    • tunnel mode gre multipoint
    • tunnel key 12345
    • tunnel protection ipsec profile DMVPN
  • R1(config)# router eigrp 145
    • network 172.16.145.0 0.0.0.255
    • network 192.168.1.0
    • no auto-summary
Configurations on R4:
  • R4(config)# crypto isakmp policy 10
    • encr 3des
    • authentication pre-share
    • group 2
  • R4(config)#  crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
  • R4(config)#  crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R4(config)#  crypto ipsec profile DMVPN
    • set transform-set TSET
  • R4(config)#  interface Tunnel0
    • ip address 172.16.145.4 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map 172.16.145.1 10.1.12.1
    • ip nhrp map multicast 10.1.12.1 // The extra command on the SPOKES
    • ip nhrp network-id 12345
    • ip nhrp holdtime 360
    • ip nhrp nhs 172.16.145.1
    • tunnel source Serial0/0.42
    • tunnel mode gre multipoint // In Phase 2 ‘tunnel destination’ is replaced with ‘tunnel mode gre multipoint’ in the SPOKES
    • tunnel key 12345
    • tunnel protection ipsec profile DMVPN
  • R4(config)#  router eigrp 145
    • network 172.16.145.0 0.0.0.255
    • network 192.168.4.0
    • no auto-summary
Configurations on R5:
  • R5(config)# crypto isakmp policy 10
    • encr 3des
    • authentication pre-share
    • group 2
  • R5(config)#  crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
  • R5(config)#  crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R5(config)#  crypto ipsec profile DMVPN
    • set transform-set TSET
  • R5(config)#  interface Tunnel0
    • ip address 172.16.145.5 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map 172.16.145.1 10.1.12.1
    • ip nhrp map multicast 10.1.12.1 // The extra command on the SPOKES
    • ip nhrp network-id 12345
    • ip nhrp holdtime 360
    • ip nhrp nhs 172.16.145.1
    • tunnel source Serial0/0.52
    • tunnel mode gre multipoint // In Phase 2 ‘tunnel destination’ is replaced with ‘tunnel mode gre multipoint’ in the SPOKES
    • tunnel key 12345
    • tunnel protection ipsec profile DMVPN
  • R5(config)#  router eigrp 145
    • network 172.16.145.0 0.0.0.255
    • network 192.168.5.0
    • no auto-summary
These commands change the R4 and R5 routing tables as shown below: the next hop for the other SPOKE's loopback is now that SPOKE's tunnel IP instead of the HUB.
R4#sh ip route   

************Irrelevant Output Removed**************

D    192.168.5.0/24 [90/310172416] via 172.16.145.5, 00:01:26, Tunnel0 // R5’s loopback can be reached via R5

R5#sh ip route
************Irrelevant Output Removed**************

D    192.168.4.0/24 [90/310172416] via 172.16.145.4, 00:04:13, Tunnel0 // R4’s loopback can be reached via R4

Verification Commands:
R4#sh ip cef 192.168.5.5
192.168.5.0/24, version 45, epoch 0
0 packets, 0 bytes
via 172.16.145.5, Tunnel0, 0 dependencies
next hop 172.16.145.5, Tunnel0
invalid adjacency // Invalid adjacency because the router does not yet know the physical (NBMA) address behind the next hop 172.16.145.5. The first packet towards this destination triggers an NHRP resolution request to the HUB, and is process-switched until the reply arrives.
 
R5#sh ip cef 192.168.4.4
192.168.4.0/24, version 45, epoch 0
0 packets, 0 bytes
via 172.16.145.4, Tunnel0, 0 dependencies
next hop 172.16.145.4, Tunnel0
  invalid adjacency // Invalid adjacency because the router does not yet know the physical (NBMA) address behind the next hop 172.16.145.4. The first packet towards this destination triggers an NHRP resolution request to the HUB, and is process-switched until the reply arrives.
Ping from R4 to the Loopback of R5 or vice-versa!
 
R4#sh ip cef 192.168.5.5
192.168.5.0/24, version 45, epoch 0
0 packets, 0 bytes
via 172.16.145.5, Tunnel0, 0 dependencies
next hop 172.16.145.5, Tunnel0
valid adjacency // Valid adjacency because of new temporary NHRP Tunnels as verified below
R5#sh ip cef 192.168.4.4
192.168.4.0/24, version 46, epoch 0
0 packets, 0 bytes
via 172.16.145.4, Tunnel0, 0 dependencies
next hop 172.16.145.4, Tunnel0
    valid adjacency // Valid adjacency because of new temporary NHRP Tunnels as verified below
 
R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel0 created 00:47:50, never expire
Type: static, Flags: used
NBMA address: 10.1.12.1
// Permanent tunnel between SPOKE and HUB
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:00:29, expire 00:05:33
Type: dynamic, Flags: router
NBMA address: 10.1.24.4
// Temporary tunnel to R4, learnt through the NHRP resolution reply

172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:00:26, expire 00:05:37
  Type: dynamic, Flags: router unique local
NBMA address: 10.1.25.5
// R5's own tunnel address, the local end of the temporary tunnel to R4

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel0 created 00:48:54, never expire
Type: static, Flags: used
NBMA address: 10.1.12.1
// Permanent tunnel between SPOKE and HUB

172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:01:05, expire 00:04:54
Type: dynamic, Flags: router unique local
NBMA address: 10.1.24.4
// R4's own tunnel address, the local end of the temporary tunnel to R5

172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:01:07, expire 00:04:58
Type: dynamic, Flags: router
NBMA address: 10.1.25.5
// Temporary tunnel to R5, learnt through the NHRP resolution reply
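The `sh ip nhrp` outputs above (the HUB's in Phase 1 and the SPOKES' in Phase 2) carry everything needed to tell a static next-hop-server mapping, the router's own local entry, a registered SPOKE and a resolved SPOKE to SPOKE entry apart. Because the HUB accepts registrations from any peer that holds the wildcard pre-shared key, a practitioner will also want to check the NBMA addresses that actually registered against the SPOKES that are supposed to exist. The Python parser below is an added example, not code from the original page: it turns `show ip nhrp` text into records, classifies each entry the way the comments above do, and reports registrations from unexpected NBMA addresses. The embedded samples are constructed from the page's R4 and R1 outputs; the third HUB entry (172.16.145.9 from 10.9.9.9) is invented for this example to exercise the check, and the function names are this example's own.

```python
"""Parse Cisco IOS 'show ip nhrp' output and flag unexpected spoke registrations.
Added example, not part of the original page; the sample outputs below are
constructed from the page's R4 (Phase 2) and R1 (Phase 1) outputs, plus one
invented registration on the HUB to exercise the check."""
import re

# Constructed sample: R4's cache after the spoke-to-spoke tunnel to R5 came up.
NHRP_R4 = """\
172.16.145.1/32 via 172.16.145.1, Tunnel0 created 00:48:54, never expire
   Type: static, Flags: used
   NBMA address: 10.1.12.1
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:01:05, expire 00:04:54
   Type: dynamic, Flags: router unique local
   NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:01:07, expire 00:04:58
   Type: dynamic, Flags: router
   NBMA address: 10.1.25.5
"""

# Constructed sample: R1's cache with the page's two spokes plus an invented
# registration from 10.9.9.9 that should not be there.
NHRP_HUB = """\
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:28:44, expire 00:04:59
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:28:33, expire 00:04:55
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.25.5
172.16.145.9/32 via 172.16.145.9, Tunnel0 created 00:00:12, expire 00:05:48
   Type: dynamic, Flags: unique registered
   NBMA address: 10.9.9.9
"""

HEADER = re.compile(
    r"^(?P<prefix>\S+) via (?P<via>\S+), (?P<iface>\S+) created (?P<created>\S+), "
    r"(?:never expire|expire (?P<expire>\d\d:\d\d:\d\d))$")
TYPE = re.compile(r"^Type: (?P<type>\w+), Flags:(?P<flags>.*)$")
NBMA = re.compile(r"^NBMA address: (?P<nbma>\S+)$")


def hms_to_seconds(text):
    """'00:04:58' -> 298."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_ip_nhrp(output):
    """Return one dict per NHRP cache entry (prefix, via, iface, expire, type, flags, nbma)."""
    entries, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"prefix": m["prefix"], "via": m["via"], "iface": m["iface"],
                   "expire": hms_to_seconds(m["expire"]) if m["expire"] else None,
                   "type": None, "flags": set(), "nbma": None}
            entries.append(cur)
        elif cur is not None and (m := TYPE.match(line)):
            cur["type"] = m["type"]
            cur["flags"] = set(m["flags"].split())
        elif cur is not None and (m := NBMA.match(line)):
            cur["nbma"] = m["nbma"]
    return entries


def role_of(entry):
    """Interpret an entry the way the page's comments do."""
    if entry["type"] == "static":
        return "nhs"                    # SPOKE's static mapping to the HUB
    if "local" in entry["flags"]:
        return "local"                  # this router's own tunnel address
    if "registered" in entry["flags"]:
        return "registered-spoke"       # HUB side: a SPOKE that registered
    return "spoke-to-spoke"             # dynamic entry learnt by resolution


def unexpected_registrations(entries, allowed_nbma):
    """Registered SPOKES whose physical address is not in the allow-list."""
    return [e for e in entries
            if role_of(e) == "registered-spoke" and e["nbma"] not in allowed_nbma]


if __name__ == "__main__":
    for e in parse_show_ip_nhrp(NHRP_R4):
        print(f"{role_of(e):16} {e['prefix']:18} -> {e['nbma']}  expire={e['expire']}")
    known_spokes = {"10.1.24.4", "10.1.25.5"}
    for e in unexpected_registrations(parse_show_ip_nhrp(NHRP_HUB), known_spokes):
        print(f"ALERT: unexpected registration {e['prefix']} from NBMA {e['nbma']}")
```

Run it against `show ip nhrp` collected from the HUB on a schedule and alert on any registration whose NBMA address is not a known SPOKE; with a wildcard pre-shared key this is the cheapest way to notice a peer that should not have been able to join.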
R4#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst                src                 state                conn-id slot  status
10.1.25.5       10.1.24.4       QM_IDLE           1010    0     ACTIVE // Two new ISAKMP SAs between R4 and R5 for the temporary tunnel (dst/src are swapped, so each SPOKE initiated IKE towards the other); the third SA is the existing one to the HUB
10.1.24.4       10.1.25.5       QM_IDLE           1009    0     ACTIVE
10.1.12.1       10.1.24.4       QM_IDLE           1006    0     ACTIVE
R5#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst                src                 state                conn-id slot  status
10.1.25.5       10.1.24.4       QM_IDLE           1010    0     ACTIVE // The same two new ISAKMP SAs seen from R5, plus its existing SA to the HUB
10.1.24.4       10.1.25.5       QM_IDLE           1009    0     ACTIVE
10.1.12.1       10.1.25.5       QM_IDLE           1006    0     ACTIVE
 
PHASE 3:
Configuration on R1 (HUB)
  • R1(config)# crypto isakmp policy 10
    • encr 3des
    • authentication pre-share
    • group 2
  • R1(config)# crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
  • R1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R1(config)# crypto ipsec profile DMVPN
    • set transform-set TSET
  • R1(config)#  interface Tunnel0
    • ip address 172.16.145.1 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map multicast dynamic
    • ip nhrp network-id 12345
    • ip nhrp redirect // This is the extra command in Phase 3 for HUB
    • no ip split-horizon eigrp 145
    • // Please note: the Phase 2 command 'no ip next-hop-self eigrp 145' is not present in Phase 3, so the HUB advertises itself as the next hop again (and could summarize the SPOKE routes)
    • tunnel source FastEthernet0/0
    • tunnel mode gre multipoint
    • tunnel key 12345
    • tunnel protection ipsec profile DMVPN
  • R1(config)# router eigrp 145
    • network 172.16.145.0 0.0.0.255
    • network 192.168.1.0
    • no auto-summary
Configurations on R4:
  • R4(config)# crypto isakmp policy 10
    • encr 3des
    • authentication pre-share
    • group 2
  • R4(config)#  crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
  • R4(config)#  crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R4(config)#  crypto ipsec profile DMVPN
    • set transform-set TSET
  • R4(config)#  interface Tunnel0
    • ip address 172.16.145.4 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map 172.16.145.1 10.1.12.1
    • ip nhrp map multicast 10.1.12.1
    • ip nhrp network-id 12345
    • ip nhrp holdtime 360
    • ip nhrp nhs 172.16.145.1
    • ip nhrp shortcut // The new command in Phase 3 for SPOKES
    • tunnel source Serial0/0.42
    • tunnel mode gre multipoint
    • tunnel key 12345
    • tunnel protection ipsec profile DMVPN
  • R4(config)#  router eigrp 145
    • network 172.16.145.0 0.0.0.255
    • network 192.168.4.0
    • no auto-summary
Configurations on R5:
  • R5(config)# crypto isakmp policy 10
    • encr 3des
    • authentication pre-share
    • group 2
  • R5(config)#  crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
  • R5(config)#  crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R5(config)#  crypto ipsec profile DMVPN
    • set transform-set TSET
  • R5(config)#  interface Tunnel0
    • ip address 172.16.145.5 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map 172.16.145.1 10.1.12.1
    • ip nhrp map multicast 10.1.12.1
    • ip nhrp network-id 12345
    • ip nhrp holdtime 360
    • ip nhrp nhs 172.16.145.1
    • ip nhrp shortcut // The new command in Phase 3 for SPOKES
    • tunnel source Serial0/0.52
    • tunnel mode gre multipoint
    • tunnel key 12345
    • tunnel protection ipsec profile DMVPN
  • R5(config)#  router eigrp 145
    • network 172.16.145.0 0.0.0.255
    • network 192.168.5.0
    • no auto-summary
Verification Commands:
R4#sh ip route   

************Irrelevant Output Removed**************

D    192.168.5.0/24 [90/310172416] via 172.16.145.1, 00:01:26, Tunnel0 // R5's loopback is reached via the HUB again, since the HUB sets itself as next hop in Phase 3

R5#sh ip route
************Irrelevant Output Removed**************

D    192.168.4.0/24 [90/310172416] via 172.16.145.1, 00:04:13, Tunnel0 // R4's loopback is reached via the HUB again, since the HUB sets itself as next hop in Phase 3

R4#sh ip cef 192.168.5.5
192.168.5.0/24, version 54, epoch 0
0 packets, 0 bytes
via 172.16.145.1, Tunnel0, 0 dependencies
next hop 172.16.145.1, Tunnel0
 valid adjacency // Valid adjacency: the next hop is the HUB, whose NBMA address is statically mapped, so a Phase 3 SPOKE never starts with an invalid adjacency. The SPOKE to SPOKE path is added later as an NHRP shortcut after the HUB's redirect and the resolution.
 
R5#sh ip cef 192.168.4.4
192.168.4.0/24, version 68, epoch 0
0 packets, 0 bytes
via 172.16.145.1, Tunnel0, 0 dependencies
next hop 172.16.145.1, Tunnel0
  valid adjacency // Valid adjacency: the next hop is the HUB, whose NBMA address is statically mapped, so a Phase 3 SPOKE never starts with an invalid adjacency. The SPOKE to SPOKE path is added later as an NHRP shortcut after the HUB's redirect and the resolution.
Ping from R4 to the Loopback of R5 or vice-versa!
R4#sh crypto ips sa

************Irrelevant Output Removed**************

protected vrf: (none)
local  ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
current_peer 10.1.25.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1 // In this run only 1 of the 5 ping packets went over the temporary SPOKE to SPOKE tunnel; the others were forwarded via the HUB while the NHRP redirect, the resolution and the IKE/IPSec negotiation between the SPOKES completed.
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1

************Irrelevant Output Removed**************
