Simplified Networking

DMVPN - Phase 2 with IPsec Profile and EIGRP

This example covers DMVPN Phase 2 with an IPsec profile and EIGRP, where spoke-to-spoke communication is needed but traffic still traverses the hub location. Phase 2 is a routing-protocol modification in which split horizon is disabled on the hub's tunnel interface. This allows routes advertised by one spoke to be sent to the hub and then re-advertised to the other spokes.

No additional IKE or IPsec SAs are created.


R3
int tun1
 no ip split-horizon eigrp 10 

%DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.1.8 (Tunnel1) is resync: split horizon changed
%DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.1.10 (Tunnel1) is resync: split horizon changed
%DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.1.9 (Tunnel1) is resync: split horizon changed

CSR8, CSR9 and CSR10
%DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.1.3 (Tunnel1) is resync: peer graceful-restart

CSR8#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 108.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
D        10.1.0.0/16 [90/26880256] via 10.1.1.3, 00:40:01, Tunnel1
D        10.2.9.0/24 [90/28160256] via 10.1.1.3, 00:13:03, Tunnel1
      101.0.0.0/32 is subnetted, 1 subnets
D        101.101.101.101 [90/28288000] via 10.1.1.3, 00:13:03, Tunnel1



CSR9#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 109.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
D        10.1.0.0/16 [90/26880256] via 10.1.1.3, 00:40:32, Tunnel1
      88.0.0.0/32 is subnetted, 1 subnets
D        88.88.88.88 [90/28288000] via 10.1.1.3, 00:13:35, Tunnel1
      101.0.0.0/32 is subnetted, 1 subnets
D        101.101.101.101 [90/28288000] via 10.1.1.3, 00:13:35, Tunnel1



CSR10#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 110.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
D        10.1.0.0/16 [90/26880256] via 10.1.1.3, 00:40:58, Tunnel1
D        10.2.9.0/24 [90/28160256] via 10.1.1.3, 00:14:00, Tunnel1
      88.0.0.0/32 is subnetted, 1 subnets
D        88.88.88.88 [90/28288000] via 10.1.1.3, 00:14:00, Tunnel1



CSR10#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
103.0.0.3       110.0.0.10      QM_IDLE           1015 ACTIVE

IPv6 Crypto ISAKMP SA



CSR10#show ip eigrp nei
EIGRP-IPv4 Neighbors for AS(10)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.1.1.3                Tu1                      11 00:51:11   98  1470  0  80



CSR10#traceroute 88.88.88.88 source loopback 0 numeric 
Type escape sequence to abort.
Tracing the route to 88.88.88.88
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.3 36 msec 40 msec 29 msec
  2 10.1.1.8 60 msec *  52 msec

Even with Phase 2 enabled and spoke-to-spoke communication enabled, traffic still must traverse the hub to reach a remote spoke: the traceroute above shows the first hop as the hub tunnel address (10.1.1.3) and the second as the remote spoke (10.1.1.8), and the only ISAKMP SA on CSR10 is the one to the hub.
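A way to check this state automatically, as an added example that is not part of the original page: the script below parses "show ip route eigrp" and "show crypto isakmp sa" output (constructed samples modelled on the CSR10 captures above) and reports whether spoke-learned prefixes still point at the hub and whether the hub is the only IKE peer. The hub tunnel address 10.1.1.3 and hub public address 103.0.0.3 are taken from the page; the function names are this example's own.

```python
import re

# Constructed sample text modelled on the page's CSR10 "show ip route eigrp" output.
ROUTE_OUTPUT = """\
Gateway of last resort is 110.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
D        10.1.0.0/16 [90/26880256] via 10.1.1.3, 00:40:58, Tunnel1
D        10.2.9.0/24 [90/28160256] via 10.1.1.3, 00:14:00, Tunnel1
      88.0.0.0/32 is subnetted, 1 subnets
D        88.88.88.88 [90/28288000] via 10.1.1.3, 00:14:00, Tunnel1
"""
# Constructed sample text modelled on the page's CSR10 "show crypto isakmp sa" output.
ISAKMP_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
103.0.0.3       110.0.0.10      QM_IDLE           1015 ACTIVE
"""

HUB_TUNNEL_IP = "10.1.1.3"    # hub's Tunnel1 address (from the page)
HUB_PUBLIC_IP = "103.0.0.3"   # hub's NBMA/public address (from the page)

# "D  <prefix> [AD/metric] via <next-hop>, <uptime>, <interface>"
ROUTE_RE = re.compile(r"^D\s+(\S+)\s+\[\d+/\d+\] via (\S+),\s+\S+,\s+(\S+)", re.M)
# "<dst> <src> <state> <conn-id> <status>" rows of the ISAKMP SA table
SA_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+(\S+)", re.M)


def eigrp_routes(text):
    """Return {prefix: (next_hop, interface)} for every EIGRP route in the output."""
    return {prefix: (nh, intf) for prefix, nh, intf in ROUTE_RE.findall(text)}


def isakmp_peers(text):
    """Return the set of peer (dst) addresses with an ACTIVE ISAKMP SA."""
    return {dst for dst, _src, _state, status in SA_RE.findall(text) if status == "ACTIVE"}


def routes_via_hub(text, hub_ip=HUB_TUNNEL_IP):
    """Prefixes whose next hop is still the hub, i.e. traffic to them hairpins through the hub."""
    return sorted(p for p, (nh, _) in eigrp_routes(text).items() if nh == hub_ip)


def hub_only_encryption(sa_text, hub_public_ip=HUB_PUBLIC_IP):
    """True when the hub is the only IKE peer, i.e. no spoke-to-spoke SA has been built."""
    return isakmp_peers(sa_text) == {hub_public_ip}
```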