DMVPN - Phase 2 vs. 3

Hate to bring up old topics, but they are so cluttered. . .

Could someone verify this for me? I've labbed up both Phases, read most of the posts on this, and here's my summary:

Phase 1: Allows dynamic spoke-to-Hub VPN.
Phase 2: Allows dynamic spoke-to-Hub VPN + spoke-to-spoke VPN via [Spoke-triggered] NHRP Requests.
Phase 3: Enhances Phase 2 by A) Stopping process-switching on the 1st packet and B) Scaling the RIB with summary/default routes on Spokes.

To elaborate on Phase 3:

A) In Phase 2, the first packet is always process-switched to the HUB, even though the next-hop is the 2nd Spoke in the RIB. The CEF entry is [invalid] to Spoke-2. In Phase 3, the CEF entry is always valid because it points to the hub, thus eliminating process-switching.

B) Since all routes point to the HUB now, it is the HUB that triggers NHRP-Redirects, then Spoke-1 doing NHRP-Request by order of the Hub. This means that you can effectively just send a default route to spokes, and still have spoke-to-spoke connectivity via NHRP redirect. Great for scalability.

**OSPF NOTE**

However, OSPF can only take advantage of enhancement *A above. This is due to single-area OSPF on an interface. I suppose you might get around it by filtering Type-1 Router LSA's on the spokes, except for the HUB's Type-1 LSA, then doing [no-summary] on the Hub. But we all know filtering LSA's out of the LSDB doesn't end well for anyone ;)

Which leaves EIGRP the only IGP that can take advantage of BOTH enhancements.

----- Now, with that said. . . . . ---------

Phase 3 OSPF . . . should the network type be [broadcast] or [point-to-multipoint]?

Short Answer: [point-to-multipoint]

Debatable 2nd Answer: both

So let's just forget about enhancement *B for OSPF (RIB entry conservation). Not gonna happen in OSPF.

However, enhancement *A (getting rid of proc-switching) can still be accomplished if the Spokes receive full RIBs (or rather, full-visibility about other spokes' routes). The [point-to-multipoint] network type will cause the CEF entries to be 100% valid, at the very least -- so OSPF is still "okay" to use for this reason.

Using [broadcast] in Phase 3 simply doesn't make sense.

It WILL STILL WORK, but it's really no different from Phase 2. Using [broadcast] network type, you effectively LOSE BOTH ENHANCEMENTS that Phase 3 provides! The only thing that changes (by using redirect/shortcut cmds) is how NHRP works. However, CEF is in no way enhanced, as it's still process switching due to "invalid" spoke adjacencies (due to the Type-2 LSA with spoke neighbors directly connected), and as mentioned - no summarization of spokes' routes is possible.

If this is all correct, then I can't help but wonder. . .

In the CCIE Lab Exam, if you are asked to configure a Phase 3 DMVPN using OSPF [broadcast] network type. . .what do you do? I couldn't imagine them asking something like that. I suppose I would configure [ip nhrp redirect] on the Hub and [ip nhrp shortcut] on the Spokes, effectively changing NHRP behavior. But, since CEF behavior remains the same as Phase 2, I don't see the point.

Comments

  • JoeMJoeM ✭✭✭

    In the CCIE Lab Exam, if you are asked to configure a Phase 3 DMVPN using OSPF [broadcast] network type. . .what do you do? I couldn't imagine them asking something like that.

    Hi Zehel, You are certainly doing your homework.  Good job!  Your post forces me to brush-up on my DMVPN knowledge.  ;-)

    You will NOT be asked to do something that is clearly against the Cisco instructions.  Don't create monsters-under-the-bed (MUB) where they don't exist.

    phase 3 = ospf point-to-multipoint.   Don't be confused about this.  As a matter of fact, OSPF hub-n-spoke always screams point-to-multipoint for me. It is remembering that DMVPN phase 2 is broadcast (not p2mp).  ;-)

    Here are a couple of CiscoDocs:

    Shortcut Switching Enhancements for NHRP in DMVPN Networks

     

    Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3

    "....the removal of some of the restrictions on the routing protocols
    required by Phase 2 (OSPF broadcast mode, non-split-tunneling)."

    "Following is the list of configuration changes that need to be done for
    both hubs and spokes, and for the two main routing protocols: Enhanced
    Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First
    (OSPF), which will have to be applied in any of the migration
    approaches...


    To enable NHRP shortcut switching:

    • All spokes need to have the commands ip nhrp shortcut and the ip nhrp redirect added to their tunnel interfaces. For the hubs use only ip nhrp redirect.

    • For EIGRP, in the hub side only:

    – Remove: no ip next-hop-self eigrp <as> from the hub tunnel configuration

    – Leave: no ip split-horizon eigrp <as> in the hub tunnel configuration

    – Add as needed: ip summary-address eigrp <as> <summary-of-spokes-subnets> 5

    • For OSPF, for all hubs and spokes:

    – Change from ip ospf network broadcast to ip ospf network point-multipoint.
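
A way to check a tunnel interface against the migration checklist quoted in the comment above, as an added example that is not part of the thread or of Cisco's documentation. The sample configurations and AS number are constructed, `tunnel_lines` and `audit_phase3` are hypothetical helper names, and the OSPF finding uses the IOS keyword `point-to-multipoint`.

```python
import re

# Constructed sample: a spoke tunnel still carrying Phase 2 settings.
SPOKE_PHASE2 = """\
interface Tunnel0
 ip nhrp network-id 1
 ip ospf network broadcast
 tunnel mode gre multipoint
!
"""

# Constructed sample: a hub tunnel after the migration steps quoted above.
HUB_PHASE3 = """\
interface Tunnel0
 ip nhrp network-id 1
 ip nhrp redirect
 no ip split-horizon eigrp 100
 ip summary-address eigrp 100 192.168.0.0 255.255.0.0 5
 tunnel mode gre multipoint
!
"""

def tunnel_lines(config):
    """Return the sub-commands of the first 'interface Tunnel' block."""
    lines, inside = [], False
    for raw in config.splitlines():
        if re.match(r"interface Tunnel\d+", raw):
            inside = True
        elif inside and not raw.startswith(" "):
            break  # a non-indented line ends the interface block
        elif inside:
            lines.append(raw.strip())
    return lines

def audit_phase3(config, role):
    """List deviations from the quoted checklist; role is 'hub' or 'spoke'."""
    cmds = tunnel_lines(config)
    findings = []
    if "ip nhrp redirect" not in cmds:
        findings.append("missing: ip nhrp redirect")
    if role == "spoke" and "ip nhrp shortcut" not in cmds:
        findings.append("missing: ip nhrp shortcut")
    if "ip ospf network broadcast" in cmds:
        findings.append("change: ip ospf network broadcast -> point-to-multipoint")
    if role == "hub" and any(
            re.fullmatch(r"no ip next-hop-self eigrp \d+", c) for c in cmds):
        findings.append("remove: no ip next-hop-self eigrp")
    return findings
```
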

  • JoeMJoeM ✭✭✭

    I sent a response, but it is held-up in moderation AGAIN.   Why me?   lol

    Short answer to your question: they are not going to give you a configuration like that in the lab, because that is completely against the instructions they give for OSPF and phase-2/phase-3.  They are fairly explicit about the adjustments to make for both EIGRP and OSPF.  

    Remember the rules, and do not try to reinvent the wheel, just because "it works". The reason there are more phases is because Cisco made "improvements" to the earlier phases.  

    It will probably take a couple of days to get my post moderated, so I'll post the CiscoDoc again here. ;-)

    Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3

     

     

  • Hey Joe,

    Thanks for the reply. Yes, I think I may be overthinking this. I was trying to come up with all possibilities for a DMVPN scenario and maybe dug too deep, hah.

    I read that link before, and that is what I will depend on going into the Lab Exam -- using [point-to-multipoint] OSPF network type.
