Get Full Access to our 722 Cisco Lessons Now Start $1 Trial
You are here: Home » Security

DMVPN Phase 3 BGP Routing

In our first DMVPN lesson we explained the basics and the differences of the three phases. We also looked at an example for a basic DMVPN phase 3 configuration and how to configure RIP, EIGRP and OSPF on top of it.

This time, we are going to look at BGP. Here is the topology we shall use:

DMVPN Example Topology with hub, two spokes and loopback interfaces.

There is one hub router and two spoke routers. Let’s configure this!

Configuration










Tunnel Interfaces

Let’s start with a basic DMVPN phase 3 configuration:

Hub(config)#interface Tunnel0
Hub(config-if)#ip address 172.16.123.1 255.255.255.0
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#ip nhrp redirect
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint
Hub(config-if)#end
Spoke1(config)#interface Tunnel0
Spoke1(config-if)#ip address 172.16.123.2 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke1(config-if)#ip nhrp map multicast 192.168.123.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.123.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint
Spoke1(config-if)#ip nhrp shortcut
Spoke2(config)#interface Tunnel0
Spoke2(config-if)#ip address 172.16.123.3 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke2(config-if)#ip nhrp map multicast 192.168.123.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.123.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint
Spoke2(config-if)#ip nhrp shortcut

Let’s make sure the spokes have registered themselves with the hub:

Hub#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.2      172.16.123.2    UP 00:00:04     D
     1 192.168.123.3      172.16.123.3    UP 00:00:03     D

And let’s check if we can ping the spoke routers:

Hub#ping 172.16.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/10 ms
Hub#ping 172.16.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/8 ms

So far so good, time to configure BGP.

EBGP with same AS number on spokes

This configuration will be similar to what we used for BGP on DMVPN phase 2. Our spoke routers don’t need to know any specific routes so we can use a default route. We’ll use dynamic BGP peers so that we don’t have to configure static neighbors. Let’s start with the default route:

Hub(config)#ip route 0.0.0.0 0.0.0.0 Null0

Hub(config)#ip prefix-list DEFAULT_ROUTE permit 0.0.0.0/0

Hub(config)#route-map SPOKE_ROUTERS permit 10
Hub(config-route-map)#match ip address prefix-list DEFAULT_ROUTE

This route-map will be attached to the spoke routers. Let’s configure the hub:

Hub(config)#router bgp 65001
Hub(config-router)#bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
Hub(config-router)#neighbor DMVPN_SPOKES peer-group   
Hub(config-router)#neighbor DMVPN_SPOKES remote-as 65023
Hub(config-router)#neighbor DMVPN_SPOKES route-map SPOKE_ROUTERS out
Hub(config-router)#network 0.0.0.0 mask 0.0.0.0

Our hub router uses a peer group for the spoke routers and we only advertise the default route. Let’s configure the spoke routers:

Spoke1(config)#router bgp 65023
Spoke1(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke1(config-router)#network 2.2.2.2 mask 255.255.255.255
Spoke2(config)#router bgp 65023
Spoke2(config-router)#neighbor 172.16.123.1 remote-as 65001
Spoke2(config-router)#network 3.3.3.3 mask 255.255.255.255

Now let’s check the routing tables:

Hub#show ip route bgp 

      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 172.16.123.2, 00:06:32
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [20/0] via 172.16.123.3, 00:06:02
Spoke1#show ip route bgp 

B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:07:05
Spoke2#show ip route bgp 

B*    0.0.0.0/0 [20/0] via 172.16.123.1, 00:09:04

The hub sees two specific entries and the spoke routers see the default route. Let’s send some traffic from spoke1 to spoke2:

Spoke1#traceroute 3.3.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.3 [AS 65001] 7 msec 7 msec *

This is looking good, traffic goes directly from spoke1 to spoke2. This is all thanks to NHRP which installed some entries in the routing tables:

Spoke1#show ip route | include 3.3.3.3
H        3.3.3.3 [250/255] via 172.16.123.3, 00:02:48, Tunnel0
Spoke2#show ip route | include 2.2.2.2
H        2.2.2.2 [250/255] via 172.16.123.2, 00:02:44, Tunnel0

We can also check the NHRP cache of the spoke routers:

Spoke1#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 192.168.123.3      172.16.123.3    UP 00:02:12   DT1
                          172.16.123.3    UP 00:02:12   DT1
     1 192.168.123.1      172.16.123.1    UP 00:35:27     S
Spoke2#show dmvpn | begin Peer
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 192.168.123.2      172.16.123.2    UP 00:02:17   DT1
                          172.16.123.2    UP 00:02:17   DT1
     1 192.168.123.1      172.16.123.1    UP 00:35:35     S

Above we can see that the spoke routers know about each others NBMA addresses.

Configurations

Want to take a look for yourself? Here you will find the eBGP configuration of each device.

Hub

hostname Hub
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router bgp 65001
 bgp log-neighbor-changes
 bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
 network 0.0.0.0
 neighbor DMVPN_SPOKES peer-group
 neighbor DMVPN_SPOKES remote-as 65023
 neighbor DMVPN_SPOKES route-map SPOKE_ROUTERS out
!
ip route 0.0.0.0 0.0.0.0 Null0
!
ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
!
route-map SPOKE_ROUTERS permit 10
 match ip address prefix-list DEFAULT_ROUTE
!
end

Spoke1

hostname Spoke1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!         
router bgp 65023
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65001
!
end

Spoke2

hostname Spoke2
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.3 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.123.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!         
router bgp 65023
 bgp log-neighbor-changes
 network 3.3.3.3 mask 255.255.255.255
 neighbor 172.16.123.1 remote-as 65001
!
end

IBGP

Instead of eBGP we can also use iBGP. The configuration will be very similar to what we just did. Let’s create a default route on the hub:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 722 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
Give Membership a try - it's just $1 ►

521 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Hi Andrew,

    Thanks.

    Do we have any examples on Dual HUB along with links to two service providers from each HUB. Same thing from spoke router as well.

  2. Hello Ulrich,

    Connections are initiated from the spoke routers to the hub, and the hub doesn’t know beforehand what the IP addresses of the spoke routers are.

    Theip nhrp map multicast dynamic command tells NHRP to automatically add routers to the multicast NHRP mappings.

    You can see in the configuration of the spoke routers that we have a static multicast entry with the IP address of the hub router on them.

    Rene

  3. Hello Chris,

    Good question. If you use eBGP and the same AS number on the spoke routers then the route-map isn’t really needed since the spoke routers will deny prefixes with their own AS number. On the other hand, the hub will advertise those prefixes so a route-map isn’t a bad idea…it ensures that we really only advertise the default route.

    If you use eBGP and different AS numbers on the spoke routers, the route-map is a good idea.

    With iBGP, it’s also not really needed since because of split horizon, the hub won’t advertise a prefix from one spoke to another

    ... Continue reading in our forum

  4. im having trouble seeing my spoke network. for example on spoke 1 i can see spoke two network in my routing table but from spoke 2 im unable to see my spoke 1 network

    configuration lab from gns3:

    hostname MIAMI hub
!
int tun0
Des Miami HUB
 ip address 10.100.252.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 no ip split-horizon 
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 exit
!
interface Loopback0
 ip address 10.100.0.4 255.255.25
    ... Continue reading in our forum

  5. Rene I have both neighbor 10.100.252.114 remote-as 65114 and neighbor 10.100.252.6 remote-as 65020 on the miami hub i didn’t realize i uploaded the wrong configs for the hub but this is my most recent configs sorry about that

    Miami#sh running-config
Building configuration...

Current configuration : 2377 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Miami
!
ip cef
!
no ip domain lookup
!
interface Loopback0
 ip address 10.100.0.4 255.255.255.255
!
interface Loopback1
    ... Continue reading in our forum

23 more replies! Ask a question or join the discussion by visiting our Community Forum

We use cookies to give you the best personal experience on our website. By using our website, you agree to our use of cookies Read more.