in

IEOC - Internetwork Expert's Online Community

Welcome to Internetwork Expert's Online Community - IEOC - a place for CCIE and CCENT candidates to connect, share, and learn. Our Online Community features CCIE forums and discussions for all tracks including Routing & Switching, Voice, Security, Service Provider, and Storage. Through these online communities you can discuss your questions with thousands of your peers, hundreds of CCIE's and Internetwork Expert's own team of world renowned CCIE instructors and authors, Brian Dennis - Quintuple CCIE #2210, Scott Morris - Quad CCIE #4713, Brian McGahan – Triple CCIE #8593, Petr Lapukhov - Quad CCIE #16379, Anthony Sequeira - CCIE #15626, Keith Barker - Dual CCIE #6783, and Marvin Greenlee - Triple CCIE #12237.
Forums » CCIE Forums » CCIE Security Technical » Huge DMVPN confusion - INE blog post inconsistent with LAB3 VOL2 results
Latest post 01-13-2010 11:03 AM by Paul Alexander. 3 replies.
Page 1 of 1 (4 items)
Sort Posts: Previous Next

  • 01-11-2010 3:25 PM

    Huge DMVPN confusion - INE blog post inconsistent with LAB3 VOL2 results

    Reply Contact

     

     

    Ok, have spent a fair ammount of time on this now and its all stemmed from doing INE Volume II LAB 3 (DMVPN tasks). I've come to a point where I cant solve this myself because my lab testing exhibits different behavior to whats published on the INE blog and VolII workbook (LAB3). Any help with clarification would be most appreciated! :)

    In LAB 3 it asks you to configure DMVPN between 3 devices and it asks you to use OSPF for for the routing protocol. Fine, no problems there. The next task however, asked you to "configure R1, R4 and R5 so that that DMVPN spoke nodes do not need to query the hub's NHRP mapping table in order to discover the NBMA IP address of another spoke".

    So immediately I thought PHASE 3 DMVPN by configuring point-to-multipoint for OSPF and using NHRP REDIRECT and NHRP SHORTCUT.  The lab solution uses broadcast mode OSPF with REDIRECT/SHORCUT.

    My further testing of broadcast mode with redirect and shortcut shows the following when pinging from spoke to spoke:

    Topology is  R1 (hub) R2 (spoke) R3 (spoke)

     

    SPOKE

    Rack1R3#ping 150.1.2.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:

    *Mar  1 01:35:12.635: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 123
    *Mar  1 01:35:12.639: NHRP: Checking for delayed event 0.0.0.0/10.0.0.2 on list (Tunnel0).
    *Mar  1 01:35:12.643: NHRP: No node found.
    *Mar  1 01:35:12.647: NHRP: Sending packet to NHS 10.0.0.1 on Tunnel0
    *Mar  1 01:35:12.663: NHRP: Checking for delayed event 0.0.0.0/10.0.0.2 on list (Tunnel0).
    *Mar  1 01:35:12.667: NHRP: No node found.
    *Mar  1 01:35:12.671: NHRP: Attempting to send packet via DEST 10.0.0.2
    *Mar  1 01:35:12.675: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 83
    *Mar  1 01:35:12.675:  src: 10.0.0.3, dst: 10.0.0.2
    *Mar  1 01:35:12.679:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
    *Mar  1 01:35:12.683:      shtl: 4(NSAP), sstl: 0(NSAP)
    *Mar  1 01:35:12.683:  (M) flags: "router auth src-stable nat ", reqid: 30
    *Mar  1 01:35:12.687:      src NBMA: 136.1.0.3
    *Mar  1 01:35:12.687:      src protocol: 10.0.0.3, dst protocol: 10.0.0.2
    *Mar  1 01:35:12.691!!:  (C-1) code: no error(0)
    *Mar  1 01:35:12.691:        prefix: 0, mtu: 1514, hd_time: 7200
    *Mar  1 01:35:12.695:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    *Mar  1 01:35:12.699: NHRP: Encapsulation failed for destination 10.0.0.2 out Tunnel0
    *Mar  1 01:35:12.699: NHRP: Attempting to send packet via NHS 10.0.0.1
    *Mar  1 01:35:12.703: NHRP: Encapsulation succeeded.  Tunnel IP addr 136.1.0.1
    *Mar  1 01:35:12.707: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 83
    *Mar  1 01:35:12.711:  src: 10.0.0.3, dst: 10.0.0.1
    *Mar  1 01:35:12.715:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
    *Mar  1 01:35:12.715:      shtl: 4(NSAP), sstl: 0(NSAP)
    *Mar  1 01:35:12.719:  (M) flags: "router auth src-stable nat ", reqid: 30
    *Mar  1 01:35:12.719:      src NBMA: 136.1.0.3
    *Mar  1 01:35:12.719:      src protocol: 10.0.0.3, dst protocol: 10.0.0.2
    *Mar  1 01:35:12.723:  (C-1) code: no error(0)
    *Mar  1 01:35:12.727:        prefix: 0, mtu: 1514, hd!!_time: 7200
    *Mar  1 01:35:12.727:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0


    ON THE HUB

    Rack1R1#
    *Mar  1 01:35:13.475: NHRP: inserting (136.1.0.3/150.1.2.2) in redirect table
    *Mar  1 01:35:13.491: NHRP: Attempting to send packet via DEST 10.0.0.3
    *Mar  1 01:35:13.495: NHRP: Encapsulation succeeded.  Tunnel IP addr 136.1.0.3
    *Mar  1 01:35:13.499: NHRP: Send Traffic Indication via Tunnel0 vrf 0, packet size: 95
    *Mar  1 01:35:13.499:  src: 10.0.0.1, dst: 10.0.0.3
    *Mar  1 01:35:13.503:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
    *Mar  1 01:35:13.507:      shtl: 4(NSAP), sstl: 0(NSAP)
    *Mar  1 01:35:13.507:  (M) traffic code: redirect(0)
    *Mar  1 01:35:13.511:      src NBMA: 136.1.0.1
    *Mar  1 01:35:13.511:      src protocol: 10.0.0.1, dst protocol: 10.0.0.3
    *Mar  1 01:35:13.515:      Contents of nhrp traffic indication packet:
    *Mar  1 01:35:13.519:         45 00 00 64 00 2D 00 00 FD 01 1B 66 0A 00 00 03
    *Mar  1 01:35:13.519:         96 01 02 02 08 00 52 EE 00 09 00
    *Mar  1 01:35:13.523: NHRP: 95 bytes out Tunnel0
    *Mar  1 01:35:13.547: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 83
    *Mar  1 01:35:13.551:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
    *Mar  1 01:35:13.555:      shtl: 4(NSAP), sstl: 0(NSAP)
    *Mar  1 01:35:13.555:  (M) flags: "router auth src-stable nat ", reqid: 30
    *Mar  1 01:35:13.559:      src NBMA: 136.1.0.3
    *Mar  1 01:35:13.559:      src protocol: 10.0.0.3, dst protocol: 10.0.0.2
    *Mar  1 01:35:13.563:  (C-1) code: no error(0)
    *Mar  1 01:35:13.567:        prefix: 0, mtu: 1514, hd_time: 7200
    *Mar  1 01:35:13.567:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    *Mar  1 01:35:13.571: NHRP: netid_in = 123, to_us = 0
    *Mar  1 01:35:13.571: NHRP: nhrp_rtlookup yielded Tunnel0
    *Mar  1 01:35:13.575: NHRP: netid_out 123, netid_in 123
    *Mar  1 01:35:13.579: NHRP: nhrp_cache_lookup_comp returned 0x66C9D184
    *Mar  1 01:35:13.579: NHRP: Forwarding request due to authoritative request.
    *Mar  1 01:35:13.583: NHRP: Attempting to send packet via DEST 10.0.0.2

     

     

    Am I reading this wrong??? To me it seems that the spoke is still querying the NHS for a resolution request. I believe that point-to-point is the right answer but the workbook doesnt go into any detail why broadcast is the correct choice.

     

     

    Thanks in advance!

     

    Paul

     

     

     

     

    CCIE # 22671 (R&S)

    Studying for CCIE Security

    http://cciejournal.wordpress.com
    • Post Points: 35

  • 01-11-2010 9:30 PM In reply to

    Re: Huge DMVPN confusion - INE blog post inconsistent with LAB3 VOL2 results

    Reply Contact

    If the question says that the spoke's traffic should go only through the hub, then we need to use hub & spoke topology where we would have "tunnel destination" and that is phase 1.

    In phase 2, the spokes queries the hub for all the destinations.

    If the spoke's should query the hub, then we need to use DMVPN phase 3 with shortcut and redirect configured.

    For the redirect, the spoke should send all the traffic to the hub after which the hub will send a redirect message to the spoke.

    For the spoke to send all the traffic to hub, the network type should be "point to multipoint".

    In the case of DMVPN phase 3, the spoke will send a resolution request to the destination spoke's NBMA IP address that was sent in the redirect message.

    For phase 2, the network type should be broadcast and for phase 3 it should be point to multipoint.

    When point to mutlipoint is configured, the hub will send replicated copies of the OSPF updates to all the spokes present in the hub. Broadcast should also work for Phase 3 for Ethernet but if it is a Frame-relay network then I think we need point to multipoint.

     

    I am just posting whatever I have understood from various site's and blog's reading and my practical experience.

     

    With regards

    Kings
    • Post Points: 5

  • 01-13-2010 8:34 AM In reply to

    Re: Huge DMVPN confusion - INE blog post inconsistent with LAB3 VOL2 results

    Reply Contact

    There is a slight difference between "query the hub's NHRP mapping table" and "send a resolution request to the hub and have the hub forward the request"


    Per the blog post, the request "traverses hop by hop" to the final spoke, and is still forwarded to the hub, with the difference being that the request gets forwarded since the hub is not the final destination.

    Your output cuts off, but the next to last line on the hub says "forwarding request".  Did you have any debug turned on at the other spoke?  Also, do you have the rest of the debug from the first spoke?  Who is it receiving the resolution reply from?

    I don't have the section in front of me at the moment, but I don't recall anything in the section that would prohibit a different network type, as long as you are still able to successfully create a spoke to spoke tunnel, shouldn't cause any problems.

     

    Another possibility if not prohibited would be to add additional static NHRP mappings on each spoke, for the remote spokes.

     
    • Post Points: 20

  • 01-13-2010 11:03 AM In reply to

    Re: Huge DMVPN confusion - INE blog post inconsistent with LAB3 VOL2 results - SOLVED

    Reply Contact

    Thanks Marvin, yep I labbed it agian and R1 (the hub) does indeed forward it on to R2.

    For everyone elses benefit heres the output:

     

    HUB

    *Mar  2 21:11:42.812: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 83
    *Mar  2 21:11:42.816:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
    *Mar  2 21:11:42.816:      shtl: 4(NSAP), sstl: 0(NSAP)
    *Mar  2 21:11:42.820:  (M) flag
    Rack1R1#s: "router auth src-stable nat ", reqid: 98
    *Mar  2 21:11:42.820:      src NBMA: 136.1.0.3
    *Mar  2 21:11:42.824:      src protocol: 10.0.0.3, dst protocol: 150.1.2.2
    *Mar  2 21:11:42.828:  (C-1) code: no error(0)
    *Mar  2 21:11:42.828:        prefix: 0, mtu: 1514, hd_time: 7200
    *Mar  2 21:11:42.832:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    *Mar  2 21:11:42.832: NHRP: netid_in = 123, to_us = 0
    *Mar  2 21:11:42.836: NHRP: nhrp_rtlookup yielded Tunnel0
    *Mar  2 21:11:42.836: NHRP: netid_out 123, netid_in 123
    *Mar  2 21:11:42.840: NHRP: nhrp_cache_lookup_comp returned 0x0
    *Mar  2 21:11:42.844: NHRP: Attempting to send packet via DEST 150.1.2.2
    *Mar  2 21:11:42.848: NHRP: Encapsulation succeeded.  Tunnel IP addr 136.1.0.2
    *Mar  2 21:11:42.848: NHRP: Forwarding Resolution Request via Tunnel0 vrf 0, packet size: 103
    *Mar  2 21:11:42.852:  src: 10.0.0.1, dst: 150.1.2.2
    *Mar  2 21:11:42.856:  (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
    *Mar  2 2
    Rack1R1#1:11:42.860:      shtl: 4(NSAP), sstl: 0(NSAP)
    *Mar  2 21:11:42.860:  (M) flags: "router auth src-stable nat ", reqid: 98
    *Mar  2 21:11:42.864:      src NBMA: 136.1.0.3
    *Mar  2 21:11:42.864:      src protocol: 10.0.0.3, dst protocol: 150.1.2.2
    *Mar  2 21:11:42.864:  (C-1) code: no error(0)
    *Mar  2 21:11:42.864:        prefix: 0, mtu: 1514, hd_time: 7200
    *Mar  2 21:11:42.864:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    *Mar  2 21:11:42.864: NHRP: 103 bytes out Tunnel0


    Receiving spoke (R2)

    *Mar  2 21:11:42.776: NHRP: Receive Resolution Request via Tunnel0 vrf
    Rack1R2# 0, packet size: 103
    *Mar  2 21:11:42.780:  (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
    *Mar  2 21:11:42.784:      shtl: 4(NSAP), sstl: 0(NSAP)
    *Mar  2 21:11:42.784:  (M) flags: "router auth src-stable nat ", reqid: 98
    *Mar  2 21:11:42.788:      src NBMA: 136.1.0.3
    *Mar  2 21:11:42.788:      src protocol: 10.0.0.3, dst protocol: 150.1.2.2
    *Mar  2 21:11:42.792:  (C-1) code: no error(0)
    *Mar  2 21:11:42.792:        prefix: 0, mtu: 1514, hd_time: 7200
    *Mar  2 21:11:42.796:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    *Mar  2 21:11:42.796: NHRP: netid_in = 123, to_us = 0
    *Mar  2 21:11:42.800: NHRP: nhrp_rtlookup yielded Loopback0
    *Mar  2 21:11:42.804: NHRP: netid_out 0, netid_in 123
    *Mar  2 21:11:42.804: NHRP: We are egress router for target 150.1.2.2, recevied via Tunnel0

     

    Regards,

     

     

    CCIE # 22671 (R&S)

    Studying for CCIE Security

    http://cciejournal.wordpress.com
    • Post Points: 5
Page 1 of 1 (4 items)
IEOC CCIE Forums Internetwork Expert CCIE Training
About IEOC | Terms of Use | RSS | Privacy Policy
© 2010 Internetwork Expert, Inc. All Rights Reserved