Simplified Networking

DMVPN - Phase 3 with IPsec Profile and EIGRP
This example is DMVPN Phase 3 with an IPsec profile and EIGRP. Phase 3 leverages an NHRP optimization that changes the overlay next hop from the hub to the spoke that actually advertised the route. In the RIB you will still see the hub as the router the route was learned from, and the hub remains the EIGRP next hop. NHRP redirect on the hub and NHRP shortcut on the spokes let a spoke ask the hub what the real tunnel IP of the remote spoke behind that route is.

The hub receives this request and queries the remote spoke, which responds with an NHRP resolution that is forwarded back to the hub and then to the originating spoke. This NHRP resolution updates the FIB (the CEF table) so that the forwarding engine sends traffic to the remote spoke's tunnel IP rather than to the hub.




R3
interface Tunnel1
 ip nhrp redirect

CSR8, CSR9 and CSR10
int tunnel1
 ip nhrp shortcut 



First traceroute from CSR10, before an NHRP shortcut has been installed: spoke-to-spoke traffic still transits the hub (10.1.1.3).

CSR10#traceroute 88.88.88.88 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 88.88.88.88
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.3 31 msec 31 msec 25 msec
  2 10.1.1.8 66 msec *  6 msec



Second traceroute, after the redirect and resolution exchange: the path now goes directly to CSR8 (10.1.1.8).

CSR10#traceroute 88.88.88.88 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 88.88.88.88
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.8 11 msec *  10 msec
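The redirect/shortcut exchange explained above, as an added model (not code from the original page): a hub with `ip nhrp redirect`, spokes with `ip nhrp shortcut`, and a forwarding lookup in which the NHRP override beats the RIB, reproducing the two traceroute paths. Tunnel IPs are the page's values, except CSR10's 10.1.1.10, which is an assumption.

```python
from dataclasses import dataclass, field

PREFIX = "88.88.88.88/32"   # CSR8's loopback, the destination in the outputs on this page
@dataclass
class Router:
    name: str
    tunnel_ip: str
    rib: dict = field(default_factory=dict)  # prefix -> EIGRP next hop (the hub, on a spoke)
    nho: dict = field(default_factory=dict)  # prefix -> NHRP next-hop override used by CEF
    redirect: bool = False                   # 'ip nhrp redirect' (hub)
    shortcut: bool = False                   # 'ip nhrp shortcut' (spokes)

    def cef_next_hop(self, prefix):
        # CEF prefers the NHRP override; the RIB keeps showing the hub (the '%' route)
        return self.nho.get(prefix, self.rib[prefix])

    def route_flag(self, prefix):
        return "%" if prefix in self.nho else " "

def resolve(spoke, prefix, hub, net):
    """The hub relays the spoke's resolution request to the spoke that advertised
    the prefix; the reply returns through the hub and installs the override."""
    remote = net[hub.rib[prefix]]
    spoke.nho[prefix] = remote.tunnel_ip

def forward(src, prefix, net):
    """Forward one packet from src; returns the overlay hops it took (cf. the traceroutes)."""
    hops, cur = [], src
    while True:
        nh = cur.cef_next_hop(prefix)
        hops.append(nh)
        nxt = net[nh]
        if nxt.rib[prefix] == nxt.tunnel_ip:  # nxt owns the prefix: delivered
            return hops
        # The hub got this packet on Tunnel1 and forwards it back out Tunnel1; with
        # 'ip nhrp redirect' it signals the source, which acts only if it has 'ip nhrp shortcut'.
        if nxt.redirect and src.shortcut:
            resolve(src, prefix, nxt, net)
        cur = nxt

def build_lab():
    """Hub R3 and spokes CSR8/CSR10 with the tunnel IPs from this page; 10.1.1.10 for CSR10 is assumed."""
    hub = Router("R3", "10.1.1.3", redirect=True)
    csr8 = Router("CSR8", "10.1.1.8", shortcut=True)
    csr10 = Router("CSR10", "10.1.1.10", shortcut=True)
    csr8.rib[PREFIX] = csr8.tunnel_ip   # connected loopback
    hub.rib[PREFIX] = csr8.tunnel_ip    # learned from CSR8 over EIGRP
    csr10.rib[PREFIX] = hub.tunnel_ip   # EIGRP next hop on a spoke is the hub
    return {r.tunnel_ip: r for r in (hub, csr8, csr10)}, csr10
```

The first packet takes the hub path and triggers the resolution; the second already follows the override, while the spoke's RIB entry is unchanged.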



CSR10#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
108.0.0.8       110.0.0.10      QM_IDLE           1017 ACTIVE
103.0.0.3       110.0.0.10      QM_IDLE           1015 ACTIVE
110.0.0.10      108.0.0.8       QM_IDLE           1016 ACTIVE

IPv6 Crypto ISAKMP SA



CSR10#show crypto ipsec sa 

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 110.0.0.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (110.0.0.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (108.0.0.8/255.255.255.255/47/0)
   current_peer 108.0.0.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 110.0.0.10, remote crypto endpt.: 108.0.0.8
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x25715391(628183953)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x805C956D(2153551213)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2063, flow_id: CSR:63, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3564)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x5909F4FC(1493824764)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2065, flow_id: CSR:65, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3564)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x68FE023B(1761477179)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2067, flow_id: CSR:67, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4607999/3564)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD2FDE8C3(3539855555)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2064, flow_id: CSR:64, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3564)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x7C1B706A(2082173034)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2066, flow_id: CSR:66, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3564)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x25715391(628183953)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2068, flow_id: CSR:68, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4607999/3564)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (110.0.0.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (103.0.0.3/255.255.255.255/47/0)
   current_peer 103.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 844, #pkts encrypt: 844, #pkts digest: 844
    #pkts decaps: 746, #pkts decrypt: 746, #pkts verify: 746
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 110.0.0.10, remote crypto endpt.: 103.0.0.3
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x9B246468(2602853480)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x99A0FE63(2577464931)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2061, flow_id: CSR:61, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4607996/3435)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9B246468(2602853480)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2062, flow_id: CSR:62, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4607997/3435)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
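An added check over output of this shape (example code, not from the original page): it parses `show crypto ipsec sa` per peer and flags the legacy esp-3des/esp-md5-hmac transform seen above, PFS being off, and a peer with packets in only one direction. The sample is constructed from the output above, with the second peer changed to a modern suite and zero decaps so both outcomes appear.

```python
import re

# Constructed sample trimmed from the 'show crypto ipsec sa' output above; the second
# peer's transform, PFS and decaps counter were altered so that both outcomes appear.
SAMPLE = """\
   current_peer 108.0.0.8 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
     PFS (Y/N): N, DH group: none
        transform: esp-3des esp-md5-hmac ,
   current_peer 103.0.0.3 port 500
    #pkts encaps: 844, #pkts encrypt: 844, #pkts digest: 844
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     PFS (Y/N): Y, DH group: group14
        transform: esp-aes 256 esp-sha256-hmac ,
"""

LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_ipsec_sa(text):
    """One record per current_peer: packet counters, PFS flag and the transforms of its SAs."""
    peers, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("current_peer"):
            cur = {"peer": s.split()[1], "encaps": 0, "decaps": 0, "pfs": None, "transforms": set()}
            peers.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.match(r"PFS \(Y/N\): ([YN])", s):
            cur["pfs"] = m.group(1) == "Y"
        elif s.startswith("transform:"):
            cur["transforms"].update(s[len("transform:"):].strip(" ,").split())
    return peers

def audit(peers):
    """Findings per peer: legacy transforms, PFS off, or traffic flowing in only one direction."""
    report = {}
    for p in peers:
        f = ["legacy transform: " + t for t in sorted(p["transforms"] & LEGACY)]
        if p["pfs"] is False:
            f.append("PFS disabled")
        if p["encaps"] == 0 or p["decaps"] == 0:
            f.append("no traffic in one direction")
        report[p["peer"]] = f
    return report
```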



CSR10#show ip route 88.88.88.88                        
Routing entry for 88.88.88.88/32
  Known via "eigrp 10", distance 90, metric 28288000, type internal
  Redistributing via eigrp 10
  Last update from 10.1.1.3 on Tunnel1, 00:30:15 ago
  Routing Descriptor Blocks:
  * 10.1.1.3, from 10.1.1.3, 00:30:15 ago, via Tunnel1
      Route metric is 28288000, traffic share count is 1
      Total delay is 105000 microseconds, minimum bandwidth is 100 Kbit
      Reliability 255/255, minimum MTU 1472 bytes
      Loading 1/255, Hops 2



CSR10#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 110.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
D        10.1.0.0/16 [90/26880256] via 10.1.1.3, 01:01:06, Tunnel1
D        10.2.9.0/24 [90/28160256] via 10.1.1.3, 00:34:08, Tunnel1
      88.0.0.0/32 is subnetted, 1 subnets
D   %    88.88.88.88 [90/28288000] via 10.1.1.3, 00:34:08, Tunnel1

The % flag indicates that an NHRP Next Hop Override (NHO) is in play for that route: the CEF next hop toward the destination is overridden, while the RIB entry still lists the hub.

CSR10#show ip cef 88.88.88.88
88.88.88.88/32
  nexthop 10.1.1.8 Tunnel1

The RIB points to 10.1.1.3 (the hub) as the next hop, but the NHRP NHO changes the CEF next hop to CSR8's tunnel IP address, 10.1.1.8.