This example is DMVPN Phase 3 with an IPsec profile and EIGRP, where we leverage an NHRP optimization that changes the overlay next hop for a prefix from the hub to the spoke behind which the destination actually sits. In the RIB you will still see the hub as the EIGRP next hop, because the hub is the router that advertised the route to the spokes. With ip nhrp redirect on the hub and ip nhrp shortcut on the spokes, the hub, when it forwards a packet back out the same tunnel interface it arrived on, sends the source spoke an NHRP traffic indication (the redirect); the spoke then sends an NHRP resolution request asking which spoke's tunnel and NBMA addresses are the real next hop for that destination.
The hub forwards that resolution request toward the remote spoke that owns the destination. The remote spoke answers with an NHRP resolution reply sent directly to the originating spoke, which is what triggers IKE and brings up the spoke-to-spoke IPsec SA. The reply installs an NHRP next-hop override (NHO) in CEF, so the forwarding engine sends traffic for that prefix to the remote spoke's tunnel IP instead of the hub's, while the RIB entry itself is unchanged.
R3 (hub)
interface Tunnel1
 ip nhrp redirect

CSR8, CSR9 and CSR10 (spokes)
interface Tunnel1
 ip nhrp shortcut
The first traceroute goes through the hub (10.1.1.3) and is what triggers the redirect; by the second traceroute the shortcut is installed and the first hop is CSR8's tunnel address (10.1.1.8):
CSR10#traceroute 88.88.88.88 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 88.88.88.88
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.3 31 msec 31 msec 25 msec
2 10.1.1.8 66 msec * 6 msec
CSR10#traceroute 88.88.88.88 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 88.88.88.88
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.8 11 msec * 10 msec
The shortcut also brought up IPsec directly between CSR10 (110.0.0.10) and CSR8 (108.0.0.8). Besides the existing SA to the hub (103.0.0.3, conn-id 1015), there are two ISAKMP SAs with CSR8: conn-id 1017 was initiated by CSR10 and conn-id 1016 by CSR8 (see the src column), so both spokes initiated toward each other:
CSR10#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
108.0.0.8 110.0.0.10 QM_IDLE 1017 ACTIVE
103.0.0.3 110.0.0.10 QM_IDLE 1015 ACTIVE
110.0.0.10 108.0.0.8 QM_IDLE 1016 ACTIVE
IPv6 Crypto ISAKMP SA
CSR10#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 110.0.0.10
protected vrf: (none)
local ident (addr/mask/prot/port): (110.0.0.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (108.0.0.8/255.255.255.255/47/0)
current_peer 108.0.0.8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 110.0.0.10, remote crypto endpt.: 108.0.0.8
plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x25715391(628183953)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x805C956D(2153551213)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2063, flow_id: CSR:63, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3564)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x5909F4FC(1493824764)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2065, flow_id: CSR:65, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3564)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x68FE023B(1761477179)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2067, flow_id: CSR:67, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607999/3564)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD2FDE8C3(3539855555)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2064, flow_id: CSR:64, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3564)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7C1B706A(2082173034)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2066, flow_id: CSR:66, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3564)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x25715391(628183953)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2068, flow_id: CSR:68, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607999/3564)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (110.0.0.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (103.0.0.3/255.255.255.255/47/0)
current_peer 103.0.0.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 844, #pkts encrypt: 844, #pkts digest: 844
#pkts decaps: 746, #pkts decrypt: 746, #pkts verify: 746
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 110.0.0.10, remote crypto endpt.: 103.0.0.3
plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x9B246468(2602853480)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x99A0FE63(2577464931)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2061, flow_id: CSR:61, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607996/3435)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9B246468(2602853480)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2062, flow_id: CSR:62, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607997/3435)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
CSR10#show ip route 88.88.88.88
Routing entry for 88.88.88.88/32
Known via "eigrp 10", distance 90, metric 28288000, type internal
Redistributing via eigrp 10
Last update from 10.1.1.3 on Tunnel1, 00:30:15 ago
Routing Descriptor Blocks:
* 10.1.1.3, from 10.1.1.3, 00:30:15 ago, via Tunnel1
Route metric is 28288000, traffic share count is 1
Total delay is 105000 microseconds, minimum bandwidth is 100 Kbit
Reliability 255/255, minimum MTU 1472 bytes
Loading 1/255, Hops 2
CSR10#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 110.0.0.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
D 10.1.0.0/16 [90/26880256] via 10.1.1.3, 01:01:06, Tunnel1
D 10.2.9.0/24 [90/28160256] via 10.1.1.3, 00:34:08, Tunnel1
88.0.0.0/32 is subnetted, 1 subnets
D % 88.88.88.88 [90/28288000] via 10.1.1.3, 00:34:08, Tunnel1
The % flag marks a route whose next hop has been overridden by NHRP: the RIB still lists the hub as the next hop, but CEF forwards that prefix to the next hop NHRP resolved for it.
CSR10#show ip cef 88.88.88.88
88.88.88.88/32
nexthop 10.1.1.8 Tunnel1
The RIB points to 10.1.1.3 (the hub) as the next hop, but the NHRP next-hop override changes the CEF next hop to CSR8's tunnel IP address, 10.1.1.8.
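The checks above are the ones worth scripting when you verify a Phase 3 deployment: confirm that a % route really has a different CEF next hop than its RIB next hop, that an IKE SA exists to the NBMA address of that next hop, and what the spoke-to-spoke SA actually negotiated. The IPsec output on this page shows esp-3des esp-md5-hmac with PFS off; 3DES and HMAC-MD5 are legacy algorithms that current IPsec guidance (RFC 8221) steers away from, and without PFS the child SA keys derive from the IKE SA's key material alone. The following is an added example written for this page, not code from the original post or from Cisco. It parses trimmed copies of the CSR10 captures above (embedded as constructed sample input) and makes one assumption the page does not show: the tunnel-to-NBMA map, which on a real box would come from show ip nhrp.

```python
"""Added example: verify a DMVPN Phase 3 shortcut from a spoke's 'show' output."""
import re
from collections import Counter

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

# Trimmed copies of the CSR10 output shown above (constructed sample input).
RIB_88 = """Routing entry for 88.88.88.88/32
  Known via "eigrp 10", distance 90, metric 28288000, type internal
  Routing Descriptor Blocks:
  * 10.1.1.3, from 10.1.1.3, 00:30:15 ago, via Tunnel1
"""
RIB_EIGRP = """D 10.1.0.0/16 [90/26880256] via 10.1.1.3, 01:01:06, Tunnel1
D 10.2.9.0/24 [90/28160256] via 10.1.1.3, 00:34:08, Tunnel1
D % 88.88.88.88 [90/28288000] via 10.1.1.3, 00:34:08, Tunnel1
"""
CEF_88 = """88.88.88.88/32
  nexthop 10.1.1.8 Tunnel1
"""
ISAKMP = """dst src state conn-id status
108.0.0.8 110.0.0.10 QM_IDLE 1017 ACTIVE
103.0.0.3 110.0.0.10 QM_IDLE 1015 ACTIVE
110.0.0.10 108.0.0.8 QM_IDLE 1016 ACTIVE
"""
IPSEC = """current_peer 108.0.0.8 port 500
PFS (Y/N): N, DH group: none
transform: esp-3des esp-md5-hmac ,
current_peer 103.0.0.3 port 500
PFS (Y/N): N, DH group: none
transform: esp-3des esp-md5-hmac ,
"""
# ASSUMPTION: NHRP cache (tunnel IP -> NBMA IP). The page does not include
# 'show ip nhrp'; on a real spoke, build this map from that command.
TUNNEL_TO_NBMA = {"10.1.1.3": "103.0.0.3", "10.1.1.8": "108.0.0.8"}
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}


def rib_next_hop(text):
    """(next hop, interface) of the selected RIB descriptor block ('*' line)."""
    m = re.search(r"^\s*\*\s+" + IPV4 + r",\s+from\s+\S+,.*?via\s+(\S+)", text, re.M)
    return (m.group(1), m.group(2)) if m else None


def cef_next_hop(text):
    """(next hop, interface) that CEF actually forwards with."""
    m = re.search(r"^\s*nexthop\s+" + IPV4 + r"\s+(\S+)", text, re.M)
    return (m.group(1), m.group(2)) if m else None


def nho_routes(text):
    """Prefixes carrying the '%' next-hop-override flag in 'show ip route'."""
    return re.findall(r"^\s*\S+(?:\s+EX)?\s+%\s+(\S+)\s+\[", text, re.M)


def isakmp_peers(text, local):
    """Count established ISAKMP SAs per remote NBMA address (2 = both sides initiated)."""
    peers = Counter()
    pattern = r"^" + IPV4 + r"\s+" + IPV4 + r"\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
    for dst, src, state, _conn, status in re.findall(pattern, text, re.M):
        if status == "ACTIVE" and state == "QM_IDLE":
            peers[dst if src == local else src] += 1
    return peers


def crypto_findings(text):
    """Per IPsec peer: legacy transforms and PFS state from 'show crypto ipsec sa'."""
    out = {}
    for m in re.finditer(r"current_peer (\S+) port \d+(.*?)(?=current_peer|\Z)", text, re.S):
        peer, body = m.group(1), m.group(2)
        findings = []
        for t in set(re.findall(r"transform:\s+([^,\n]+)", body)):
            findings += sorted(f"legacy transform {tok}" for tok in t.split() if tok in WEAK)
        pfs = re.search(r"PFS \(Y/N\):\s+(\w)", body)
        if pfs and pfs.group(1) == "N":
            findings.append("PFS disabled")
        out[peer] = findings
    return out


def verify_shortcut(prefix, rib, cef, eigrp, isakmp, local, nhrp=TUNNEL_TO_NBMA):
    """Is traffic to prefix really going spoke-to-spoke, and is there an IKE SA for it?"""
    rib_nh, rib_if = rib_next_hop(rib)
    cef_nh, cef_if = cef_next_hop(cef)
    overridden = prefix in nho_routes(eigrp)
    spoke_nbma = nhrp.get(cef_nh)
    sas = isakmp_peers(isakmp, local)
    return {
        "rib_next_hop": rib_nh,
        "cef_next_hop": cef_nh,
        "overridden": overridden,
        # A '%' route whose CEF next hop still equals the RIB next hop means
        # the resolution never completed; the override must stay on the tunnel.
        "shortcut_active": overridden and cef_nh != rib_nh and cef_if == rib_if,
        "spoke_nbma": spoke_nbma,
        "isakmp_sas_to_spoke": sas.get(spoke_nbma, 0),
    }


if __name__ == "__main__":
    print(verify_shortcut("88.88.88.88", RIB_88, CEF_88, RIB_EIGRP, ISAKMP, "110.0.0.10"))
    for peer, findings in crypto_findings(IPSEC).items():
        print(peer, findings or ["ok"])
```

On the page's captures this reports the 88.88.88.88/32 shortcut as active (RIB next hop 10.1.1.3, CEF next hop 10.1.1.8, two ISAKMP SAs to 108.0.0.8) and flags esp-3des, esp-md5-hmac and PFS disabled for both peers. Feed it the full command output rather than the trimmed samples; the regexes key on the same fields IOS prints.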