DMVPN Phase 3 BGP Routing

Lesson Contents

In our first DMVPN lesson we explained the basics and the differences of the three phases. We also looked at an example for a basic DMVPN phase 3 configuration and how to configure RIP, EIGRP and OSPF on top of it.

This time, we are going to look at BGP. Here is the topology we shall use:

There is one hub router and two spoke routers. Let’s configure this!

Configuration

Tunnel Interfaces

Let’s start with a basic DMVPN phase 3 configuration:

Hub(config)#interface Tunnel0
Hub(config-if)#ip address 172.16.123.1 255.255.255.0
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#ip nhrp redirect
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint
Hub(config-if)#end

Spoke1(config)#interface Tunnel0
Spoke1(config-if)#ip address 172.16.123.2 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke1(config-if)#ip nhrp map multicast 192.168.123.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.123.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint
Spoke1(config-if)#ip nhrp shortcut

Spoke2(config)#interface Tunnel0
Spoke2(config-if)#ip address 172.16.123.3 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke2(config-if)#ip nhrp map multicast 192.168.123.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.123.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint
Spoke2(config-if)#ip nhrp shortcut

Let’s make sure the spokes have registered themselves with the hub:

Hub#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.2      172.16.123.2    UP 00:00:04     D
     1 192.168.123.3      172.16.123.3    UP 00:00:03     D

And let’s check if we can ping the spoke routers:

Hub#ping 172.16.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/10 ms

Hub#ping 172.16.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/8 ms

So far so good, time to configure BGP.

EBGP with same AS number on spokes

This configuration will be similar to what we used for BGP on DMVPN phase 2. Our spoke routers don’t need to know any specific routes so we can use a default route. We’ll use dynamic BGP peers so that we don’t have to configure static neighbors. Let’s start with the default route:

Hub(config)#ip route 0.0.0.0 0.0.0.0 Null0

Hub(config)#ip prefix-list DEFAULT_ROUTE permit 0.0.0.0/0

Hub(config)#route-map SPOKE_ROUTERS permit 10
Hub(config-route-map)#match ip address prefix-list DEFAULT_ROUTE

This route-map will be attached to the spoke routers. Let’s configure the hub:

Hub(config)#router bgp 65001
Hub(config-router)#bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
Hub(config-router)#neighbor DMVPN_SPOKES peer-group   
Hub(config-router)#neighbor DMVPN_SPOKES remote-as 65023
Hub(config-router)#neighbor DMVPN_SPOKES route-map SPOKE_ROUTERS out
Hub(config-router)#network 0.0.0.0 mask 0.0.0.0

Our hub router uses a peer group for the spoke routers and we only advertise the default route. Let’s configure the spoke routers:

Spoke1(config)#router bgp 65023
Spoke1(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke1(config-router)#network 2.2.2.2 mask 255.255.255.255

Spoke2(config)#router bgp 65023
Spoke2(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke2(config-router)#network 3.3.3.3 mask 255.255.255.255

Now let’s check the routing tables:

Hub#show ip route bgp 

      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 172.16.123.2, 00:06:32
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [20/0] via 172.16.123.3, 00:06:02

Spoke1#show ip route bgp 

B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:07:05

Spoke2#show ip route bgp 

B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:09:04

The hub sees two specific entries and the spoke routers see the default route. Let’s send some traffic from spoke1 to spoke2:

Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.3 [AS 65001] 7 msec 7 msec *

This is looking good, traffic goes directly from spoke1 to spoke2. This is all thanks to NHRP which installed some entries in the routing tables:

Spoke1#show ip route | include 3.3.3.3
H        3.3.3.3 [250/255] via 172.16.123.3, 00:02:48, Tunnel0

Spoke2#show ip route | include 2.2.2.2
H        2.2.2.2 [250/255] via 172.16.123.2, 00:02:44, Tunnel0

We can also check the NHRP cache of the spoke routers:

Spoke1#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 192.168.123.3      172.16.123.3    UP 00:02:12   DT1
                          172.16.123.3    UP 00:02:12   DT1
     1 192.168.123.1      172.16.123.1    UP 00:35:27     S

Spoke2#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 192.168.123.2      172.16.123.2    UP 00:02:17   DT1
                          172.16.123.2    UP 00:02:17   DT1
     1 192.168.123.1      172.16.123.1    UP 00:35:35     S

Above we can see that the spoke routers know about each others NBMA addresses.

Configurations

Want to take a look for yourself? Here you will find the eBGP configuration of each device.

Hub

hostname Hub
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router bgp 65001
 bgp log-neighbor-changes
 bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
 network 0.0.0.0
 neighbor DMVPN_SPOKES peer-group
 neighbor DMVPN_SPOKES remote-as 65023
 neighbor DMVPN_SPOKES route-map SPOKE_ROUTERS out
!
ip route 0.0.0.0 0.0.0.0 Null0
!
ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
!
route-map SPOKE_ROUTERS permit 10
 match ip address prefix-list DEFAULT_ROUTE
!
end

Spoke1

hostname Spoke1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!         
router bgp 65023
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65001
!
end

Spoke2

hostname Spoke2
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.3 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!         
router bgp 65023
 bgp log-neighbor-changes
 network 3.3.3.3 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65001
!
end

IBGP

Instead of eBGP we can also use iBGP. The configuration will be very similar to what we just did. Let’s create a default route on the hub:

Forum Replies

ranjannag says:

I noticed nhrp redirect is missing on the Hub DVMP configuration. Is this optional for DMVPN phase 3?
andrew says:

Hi Nagi,
Good call! You are 100% correct. DMVPN phase 3 requires “ip nhrp redirect” to be on the hub–in fact the presence of “ip nhrp redirect” on the hub and “ip nhrp shortcut” on the spokes are the key differences in configuration between phase 3 and other phases.

I suspect Rene just left that out by accident in the main body of the article. You will notice, however, at the bottom in the “tabbed” configuration section for the Hub, it is there.
ReneMolenaar says:

It has been fixed now, thanks for sharing!
gopalb85 says:

Hi,

Do we have this kind of tutorial with VRF ; customer vrf and transport vrf ?

Thanks,
Gk
ReneMolenaar says:

Hi GK,

Not for DMVPN but there’s a separate VRF lite tutorial:

VRF Lite

Rene

23 more replies! Ask a question or join the discussion by visiting our Community Forum

Configuration

Tunnel Interfaces

EBGP with same AS number on spokes

IBGP

We're Sorry, Full Content Access is for Members Only...

Forum Replies