
DMVPN with EIGRP

Posted by MSSK , 08 December 2013 · 17,925 views

DMVPN with EIGRP Elements

We are going to configure DMVPN with EIGRP as the routing protocol between the hub and the spokes.
Our hub will be R1 and the spokes will be R2 and R3.

Configuration

R1
interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
ip address 212.118.14.1 255.255.255.0
speed 100
full-duplex

ip route 0.0.0.0 0.0.0.0 212.118.14.4

IKE Phase I
crypto isakmp policy 10
encr aes
authentication pre-share
group 2

Authentication-key configuration
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

IKE Phase II
crypto ipsec transform-set SET esp-aes esp-sha-hmac

Attaching the transform-set to IPSEC profile
crypto ipsec profile PROFILE
set transform-set SET

Tunnel Interface
interface Tunnel0
! so as not to overwhelm EIGRP bandwidth
bandwidth 1000
ip address 10.1.123.1 255.255.255.0
no ip redirects
! a lower MTU is better because of the IPsec and GRE headers
ip mtu 1400
! the hub keeps the originating spoke as next hop, so the spokes can communicate directly
no ip next-hop-self eigrp 1
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 5
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile PROFILE

Routing
router eigrp 1
network 10.1.123.1 0.0.0.0
network 192.168.1.1 0.0.0.0
no auto-summary


R2
interface Loopback0
ip address 192.168.2.1 255.255.255.0

interface FastEthernet0/0
ip address 62.215.1.2 255.255.255.0
speed 100
full-duplex

ip route 0.0.0.0 0.0.0.0 62.215.1.4

IKE Phase I
crypto isakmp policy 10
encr aes
authentication pre-share
group 2

Authentication-key configuration
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

IKE Phase II
crypto ipsec transform-set SET esp-aes esp-sha-hmac

Attaching the transform-set to IPSEC profile
crypto ipsec profile PROFILE
set transform-set SET

Tunnel Interface
interface Tunnel0
bandwidth 1000
ip address 10.1.123.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast 212.118.14.1
ip nhrp map 10.1.123.1 212.118.14.1
ip nhrp network-id 5
ip nhrp nhs 10.1.123.1
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile PROFILE

Routing
router eigrp 1
network 10.0.0.0
network 192.168.2.1 0.0.0.0
no auto-summary

R3
interface Loopback0
ip address 192.168.3.1 255.255.255.0

interface FastEthernet0/0
ip address 62.215.1.3 255.255.255.0
speed 100
full-duplex

ip route 0.0.0.0 0.0.0.0 62.215.1.4

IKE Phase I
crypto isakmp policy 10
encr aes
authentication pre-share
group 2

Authentication-key configuration
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

IKE Phase II
crypto ipsec transform-set SET esp-aes esp-sha-hmac

Attaching the transform-set to IPSEC profile
crypto ipsec profile PROFILE
set transform-set SET

Tunnel Interface
interface Tunnel0
bandwidth 1000
ip address 10.1.123.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast 212.118.14.1
ip nhrp map 10.1.123.1 212.118.14.1
ip nhrp network-id 5
ip nhrp nhs 10.1.123.1
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile PROFILE

Routing
router eigrp 1
network 10.1.123.3 0.0.0.0
network 192.168.3.1 0.0.0.0
no auto-summary

R4
interface FastEthernet0/0
ip address 62.215.1.4 255.255.255.0
speed 100
full-duplex

interface FastEthernet0/1
ip address 212.118.14.4 255.255.255.0
speed 100
full-duplex
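
An added example, not part of the original post: a small Python check that flags the settings in the configurations above that a reviewer would question before production use (wildcard pre-shared key, DH group 2, default IKE hash, the NHRP string reusing the pre-shared key, EIGRP without authentication). The finding names and the 16-character key minimum are assumptions of this example.

```python
import re

# Constructed input: the crypto, NHRP and EIGRP lines of R1 as shown on this page.
R1_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set SET esp-aes esp-sha-hmac
interface Tunnel0
 ip nhrp authentication cisco
 no ip split-horizon eigrp 1
 tunnel protection ipsec profile PROFILE
router eigrp 1
 network 10.1.123.1 0.0.0.0
"""

POLICY = re.compile(
    r"^crypto isakmp policy \d+\n((?:(?!crypto |interface |router ).*\n)*)", re.M)

def audit(config):
    """Return sorted finding IDs (names are this example's own, not Cisco's)."""
    found = set()
    psks = re.findall(r"^crypto isakmp key (\S+) address (\S+)", config, re.M)
    for key, addr in psks:
        if addr == "0.0.0.0":
            found.add("WILDCARD_PSK")       # key is accepted from any peer address
        if len(key) < 16:
            found.add("SHORT_PSK")          # 16 is an assumed local minimum
    for body in POLICY.findall(config):
        group = re.search(r"^\s*group (\d+)", body, re.M)
        if group and int(group.group(1)) < 14:
            found.add("WEAK_DH_GROUP")      # groups 1, 2, 5: MODP below 2048 bits
        if not re.search(r"^\s*hash sha(256|384|512)", body, re.M):
            found.add("SHA1_OR_MD5_IKE_HASH")  # IOS defaults to SHA-1 when unset
    nhrp = re.findall(r"^\s*ip nhrp authentication (\S+)", config, re.M)
    if {k for k, _ in psks} & set(nhrp):
        found.add("NHRP_STRING_REUSES_PSK")
    if re.search(r"^router eigrp \d+", config, re.M) and not re.search(
            r"^\s*ip authentication mode eigrp \d+ md5", config, re.M):
        found.add("EIGRP_UNAUTHENTICATED")  # classic-mode check only
    return sorted(found)

if __name__ == "__main__":
    for finding in audit(R1_CONFIG):
        print(finding)
```

The same function can be run over the R2 and R3 configurations, which share the crypto and NHRP settings of R1.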

Verification

R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address      Interface  Hold   Uptime    SRTT  RTO  Q    Seq
                            (sec)            (ms)       Cnt  Num
1   10.1.123.3   Tu0        14     00:30:16  9     200  0    3
0   10.1.123.2   Tu0        11     00:32:27  12    200  0    3

R1#sh ip eigrp topology
IP-EIGRP Topology Table for AS(1)/ID(192.168.1.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
   r - reply Status, s - sia Status

P 192.168.1.0/24, 1 successors, FD is 128256
    via Connected, Loopback0
P 192.168.2.0/24, 1 successors, FD is 15488000
    via 10.1.123.2 (15488000/128256), Tunnel0
P 192.168.3.0/24, 1 successors, FD is 15488000
    via 10.1.123.3 (15488000/128256), Tunnel0
P 10.1.123.0/24, 1 successors, FD is 15360000
    via Connected, Tunnel0

R1#sh ip route eigrp
D    192.168.2.0/24 [90/15488000] via 10.1.123.2, 00:32:54, Tunnel0
D    192.168.3.0/24 [90/15488000] via 10.1.123.3, 00:30:43, Tunnel0

R1#ping 192.168.3.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

R2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address      Interface  Hold   Uptime    SRTT  RTO  Q    Seq
                            (sec)            (ms)       Cnt  Num
0   10.1.123.1   Tu0        12     00:35:51  9     300  0    7

R2#sh ip eigrp topology
IP-EIGRP Topology Table for AS(1)/ID(192.168.2.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
   r - reply Status, s - sia Status

P 192.168.1.0/24, 1 successors, FD is 15488000
    via 10.1.123.1 (15488000/128256), Tunnel0
P 192.168.2.0/24, 1 successors, FD is 128256
    via Connected, Loopback0
P 192.168.3.0/24, 1 successors, FD is 28288000
   10.1.123.3 via 10.1.123.1 (28288000/15488000), Tunnel0
P 10.1.123.0/24, 1 successors, FD is 15360000
    via Connected, Tunnel0

R2#sh ip route eigrp
D    192.168.1.0/24 [90/15488000] via 10.1.123.1, 00:35:57, Tunnel0
D    192.168.3.0/24 [90/28288000] via 10.1.123.3, 00:33:46, Tunnel0

R2#ping 192.168.1.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

R2#ping 192.168.3.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R3#sh ip eigrp topology
IP-EIGRP Topology Table for AS(1)/ID(192.168.3.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
   r - reply Status, s - sia Status

P 192.168.1.0/24, 1 successors, FD is 15488000
    via 10.1.123.1 (15488000/128256), Tunnel0
P 192.168.2.0/24, 1 successors, FD is 28288000
   10.1.123.2 via 10.1.123.1 (28288000/15488000), Tunnel0
P 192.168.3.0/24, 1 successors, FD is 128256
    via Connected, Loopback0
P 10.1.123.0/24, 1 successors, FD is 15360000
    via Connected, Tunnel0

R3#sh ip route eigrp
D    192.168.1.0/24 [90/15488000] via 10.1.123.1, 00:34:11, Tunnel0
D    192.168.2.0/24 [90/28288000] via 10.1.123.2, 00:34:11, Tunnel0

R3#ping 192.168.1.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

R3#ping 192.168.2.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id  slot  status
212.118.14.1    62.215.1.3      QM_IDLE    1002     0     ACTIVE
212.118.14.1    62.215.1.2      QM_IDLE    1001     0     ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id  slot  status
62.215.1.3      62.215.1.2      QM_IDLE    1003     0     ACTIVE
212.118.14.1    62.215.1.2      QM_IDLE    1001     0     ACTIVE
62.215.1.2      62.215.1.3      QM_IDLE    1002     0     ACTIVE

IPv6 Crypto ISAKMP SA

R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id  slot  status
62.215.1.2      62.215.1.3      QM_IDLE    1003     0     ACTIVE
62.215.1.3      62.215.1.2      QM_IDLE    1002     0     ACTIVE
212.118.14.1    62.215.1.3      QM_IDLE    1001     0     ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh ip nhrp detail
10.1.123.2/32 via 10.1.123.2, Tunnel0 created 00:37:38, expire 01:22:21
  Type: dynamic, Flags: unique registered
  NBMA address: 62.215.1.2
10.1.123.3/32 via 10.1.123.3, Tunnel0 created 00:35:16, expire 01:24:43
  Type: dynamic, Flags: unique registered
  NBMA address: 62.215.1.3

R2#sh ip nhrp detail
10.1.123.1/32 via 10.1.123.1, Tunnel0 created 00:37:52, never expire
  Type: static, Flags: used
  NBMA address: 212.118.14.1
10.1.123.2/32 via 10.1.123.2, Tunnel0 created 00:34:49, expire 01:25:10
  Type: dynamic, Flags: router unique local
  NBMA address: 62.215.1.2
(no-socket)
  Requester: 10.1.123.3 Request ID: 3
10.1.123.3/32 via 10.1.123.3, Tunnel0 created 00:34:49, expire 01:25:12
  Type: dynamic, Flags: router
  NBMA address: 62.215.1.3

R3#sh ip nhrp detail
10.1.123.1/32 via 10.1.123.1, Tunnel0 created 00:35:33, never expire
  Type: static, Flags: used
  NBMA address: 212.118.14.1
10.1.123.2/32 via 10.1.123.2, Tunnel0 created 00:34:58, expire 01:25:01
  Type: dynamic, Flags: router
  NBMA address: 62.215.1.2
10.1.123.3/32 via 10.1.123.3, Tunnel0 created 00:34:58, expire 01:25:03
  Type: dynamic, Flags: router unique local
  NBMA address: 62.215.1.3
(no-socket)
  Requester: 10.1.123.2 Request ID: 2

R3#ping 192.168.2.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/24/36 ms

R3#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 62.215.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (62.215.1.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (212.118.14.1/255.255.255.255/47/0)
   current_peer 212.118.14.1 port 500
PERMIT, flags={origin_is_acl,}
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

local crypto endpt.: 62.215.1.3, remote crypto endpt.: 212.118.14.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8FBF604E(2411683918)

inbound esp sas:
  spi: 0x8FD1F0B9(2412900537)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 7, flow_id: SW:7, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4573644/3532)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
  spi: 0x8FBF604E(2411683918)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 8, flow_id: SW:8, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4573644/3532)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

outbound ah sas:

outbound pcp sas:

If we ping again, the traffic goes to R2 directly, because the spokes have already resolved each other's NBMA addresses using R1 as the NHRP server.

R3#ping 192.168.2.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms

R3#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 62.215.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (62.215.1.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (62.215.1.2/255.255.255.255/47/0)
   current_peer 62.215.1.2 port 500
PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

local crypto endpt.: 62.215.1.3, remote crypto endpt.: 62.215.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x94A5F278(2493903480)

inbound esp sas:
  spi: 0xE6A6B2B8(3869684408)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 11, flow_id: SW:11, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4607889/3535)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
  spi: 0x94A5F278(2493903480)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 12, flow_id: SW:12, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4607889/3535)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

outbound ah sas:

outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (62.215.1.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (212.118.14.1/255.255.255.255/47/0)
   current_peer 212.118.14.1 port 500
PERMIT, flags={origin_is_acl,}
    #pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52
    #pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

local crypto endpt.: 62.215.1.3, remote crypto endpt.: 212.118.14.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8FBF604E(2411683918)

inbound esp sas:
  spi: 0x8FD1F0B9(2412900537)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 7, flow_id: SW:7, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4573638/3397)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
  spi: 0x8FBF604E(2411683918)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 8, flow_id: SW:8, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4573639/3397)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

outbound ah sas:

outbound pcp sas:




In the above topology, R1 is the hub and the other two are spokes. So if I shut down R1's f0/0, will both spokes be able to communicate or not?
