
DMVPN Phase 3 - Spoke to Spoke not working?
Hello everyone,
I have been trying to get my Phase 3 DMVPN working on the racks with my own config, built with the help of only the Cisco documentation. However, I can't get the spoke-to-spoke NHRP traffic to work. Any ideas, folks? I am drawing a blank. R5 is the hub and R1 and R2 are spokes, and I am trying to get R1 to ping R2's Loopback.
Many thanks
****R5 - HUB*****
interface Loopback0
ip address 150.1.5.5 255.255.255.255
ipv6 address 2001:150:5:5::5/128
!
interface Tunnel0
bandwidth 1000
ip address 155.1.0.5 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 1
ip nhrp authentication donttell
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 100000
!
interface GigabitEthernet1.100
encapsulation dot1Q 100
ip address 169.254.100.5 255.255.255.0
ipv6 address 2001:169:254:100::5/64
!
router eigrp A
!
address-family ipv4 unicast autonomous-system 1
!
topology base
exit-af-topology
network 0.0.0.0
network 150.1.0.0
network 155.1.0.0
eigrp router-id 5.5.5.5
exit-address-family
**** R1 Spoke ****
interface Loopback0
ip address 150.1.1.1 255.255.255.255
ipv6 address 2001:150:1:1::1/128
!
interface Tunnel0
bandwidth 1000
ip address 155.1.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication donttell
ip nhrp map multicast dynamic
ip nhrp map 155.1.0.5 169.254.100.5
ip nhrp map multicast 169.254.100.5
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 155.1.0.5
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 100000
!
interface GigabitEthernet1.100
encapsulation dot1Q 100
ip address 169.254.100.1 255.255.255.0
ipv6 address 2001:169:254:100::1/64
!
router eigrp A
!
address-family ipv4 unicast autonomous-system 1
!
topology base
exit-af-topology
network 150.1.0.0
network 155.1.0.0
eigrp router-id 1.1.1.1
exit-address-family
*** R2 Spoke ****
interface Loopback0
ip address 150.1.2.2 255.255.255.255
ipv6 address 2001:150:2:2::2/128
!
interface Tunnel0
bandwidth 1000
ip address 155.1.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication donttell
ip nhrp map multicast dynamic
ip nhrp map 155.1.0.5 169.254.100.5
ip nhrp map multicast 169.254.100.5
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 155.1.0.5
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 100000
!
interface GigabitEthernet1.100
encapsulation dot1Q 100
ip address 169.254.100.2 255.255.255.0
ipv6 address 2001:169:254:100::2/64
!
router eigrp A
!
address-family ipv4 unicast autonomous-system 1
!
topology base
exit-af-topology
network 150.1.0.0
network 155.1.0.0
eigrp router-id 2.2.2.2
exit-address-family
Comments
INE - The Industry Leader in CCIE Preparation
http://www.INE.com
Subscription information may be found at:
http://www.ieoc.com/forums/ForumSubscriptions.aspx
This.
router eigrp A
address-family ipv4 auton 1
af-interface tun0
no split-horizon
no next-hop-self
Added the following, and I can also ping all the VPN addresses:
router eigrp A
!
address-family ipv4 unicast autonomous-system 1
!
af-interface Tunnel0
no next-hop-self
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
network 150.1.0.0
network 155.1.0.0
eigrp router-id 5.5.5.5
exit-address-family
Also the debug seems fine?
NHRP: Receive Registration Request via Tunnel0 vrf 0, packet size: 108
(F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 108 extoff: 52
(M) flags: "unique nat ", reqid: 57
src NBMA: 169.254.100.2
src protocol: 155.1.0.2, dst protocol: 155.1.0.5
(C-1) code: no error(0)
prefix: 32, mtu: 9972, hd_time: 300
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Responder Address Extension(3):
Forward Transit NHS Record Extension(4):
Reverse Transit NHS Record Extension(5):
Authentication Extension(7):
type:Cleartext(1), data:donttell
NAT address Extension(9):
(C-1) code: no error(0)
prefix: 32, mtu: 9972, hd_time: 0
addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
client NBMA: 169.254.100.5
client protocol: 155.1.0.5
NHRP: netid_in = 99, to_us = 1
NHRP: No NHRP subblock found in packet
NHRP: Tunnels gave us pak src: 169.254.100.2
NHRP: nhrp_ifcache: Avl Root:7F1142857F50
NHRP: if_in: Tunnel0, nhrp_cache_pak.
NHRP-CTS: CTS capability negotiation negative
NHRP: nhrp_ifcache: Avl Root:7F1142857F50
NHRP: nhrp_ifcache: Avl Root:7F1142857F50
NHRP: swidb Tunnel0, nhrp_cache_update
NHRP-MPLS: tableid: 0 vrf:
NHRP: nhrp_ifcache: Avl Root:7F1142857F50
NHRP: Tunnel0: Cache update for target 155.1.0.2/32 next-hop 155.1.0.2
169.254.100.2
NHRP: Adding Tunnel Endpoints (VPN: 155.1.0.2, NBMA: 169.254.100.2)
NHRP: NHRP subblock already exists for Tunnel Endpoints (VPN: 155.1.0.2, NBMA: 169.254.100.2)
NHRP: Peer capability:0
NHRP: Cache already has a subblock node attached for Tunnel Endpoints (VPN: 155.1.0.2, NBMA: 169.254.100.2)
NHRP: swidb Tunnel0, nhrp_cache_update
NHRP-MPLS: tableid: 0 vrf:
NHRP: nhrp_ifcache: Avl Root:7F1142857F50
NHRP: Tunnel0: Cache update for target 155.1.0.2/32 next-hop 155.1.0.2
169.254.100.2
NHRP: Adding Tunnel Endpoints (VPN: 155.1.0.2, NBMA: 169.254.100.2)
NHRP: NHRP subblock already exists for Tunnel Endpoints (VPN: 155.1.0.2, NBMA: 169.254.100.2)
NHRP: Peer capability:0
NHRP: Cache already has a subblock node attached for Tunnel Endpoints (VPN: 155.1.0.2, NBMA: 169.254.100.2)
NHRP: nhrp_ifcache: Avl Root:7F1142857F50
NHRP: nhrp_subblock_check_for_map() - Map Already Exists
NHRP: Updating our cache with NBMA: 169.254.100.5, NBMA_ALT: 169.254.100.5
NHRP: New mandatory length: 32
NHRP: Attempting to send packet through interface Tunnel0 via DEST dst 155.1.0.2
NHRP: Send Registration Reply via Tunnel0 vrf 0, packet size: 128
src: 155.1.0.5, dst: 155.1.0.2
(F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 128 extoff: 52
(M) flags: "unique nat ", reqid: 57
src NBMA: 169.254.100.2
src protocol: 155.1.0.2, dst protocol: 155.1.0.5
(C-1) code: no error(0)
prefix: 32, mtu: 9972, hd_time: 300
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Responder Address Extension(3):
(C) code: no error(0)
prefix: 32, mtu: 9972, hd_time: 300
addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
client NBMA: 169.254.100.5
client protocol: 155.1.0.5
Forward Transit NHS Record Extension(4):
Reverse Transit NHS Record Extension(5):
Authentication Extension(7):
type:Cleartext(1), data:donttell
NAT address Extension(9):
(C-1) code: no error(0)
prefix: 32, mtu: 9972, hd_time: 0
addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
client NBMA: 169.254.100.5
client protocol: 155.1.0.5
NHRP: No NHRP subblock found in packet
NHRP: nhrp_ifcache: Avl Root:7F1142857F50
NHRP: Setting 'used' flag on cache entry with nhop: 155.1.0.2
NHRP: NHRP successfully mapped '155.1.0.2' to NBMA 169.254.100.2
NHRP: Encapsulation succeeded. Sending NHRP Control Packet NBMA Address: 169.254.100.2
NHRP: 156 bytes out Tunnel0
Thanks for your help so far :-)
Technically you just need ip nhrp redirect on the hub and ip nhrp shortcut on the spokes.
Excellent. This solved a problem for me. I was never able to see the % sign.
To make sure I get this correct, we only use the no next-hop-self for the 2nd phase. Correct?
Thanks.
Correct. For Phase 2, you don't want the hub to change the next hop to itself; you want the next hop to be the spoke's next hop to trigger NHRP. For Phase 3, NHRP redirects and shortcut will take care of forcing traffic from spoke to spoke.
HTH
For IPsec, it seems to be easier with the IPsec profile rather than using crypto maps. That's just me though.
Just a quick update on what I did: I fired up GNS3 with c7200-adventerprisek9-mz.152-4.M6 and re-looked at my code, and I had this working for Phase 3 DMVPN with named EIGRP. In case this helps anyone:
***HUB***
interface Loopback0
ip address 150.1.5.5 255.255.255.255
!
interface Tunnel0
bandwidth 1000
ip address 155.1.0.5 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication donttell
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
!
interface FastEthernet0/0
ip address 169.254.100.5 255.255.255.0
!
router eigrp A
!
address-family ipv4 unicast autonomous-system 1
!
af-interface Tunnel0
summary-address 0.0.0.0 0.0.0.0
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
network 150.1.0.0
network 155.1.0.0
eigrp router-id 5.5.5.5
exit-address-family
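
An added example, not part of the thread and not Cisco tooling: a small Python check for the two settings the replies single out for Phase 3 (ip nhrp redirect on the hub, ip nhrp shortcut on the spokes), plus two protection points visible on this page (the debug shows the NHRP authentication string as Cleartext, and none of the posted tunnels is bound to an IPsec profile). The sample configs are constructed from the thread's Tunnel0 stanzas; the function names and the role argument are assumptions made for the example.

```python
# Constructed samples, trimmed from the thread's Tunnel0 stanzas.
HUB = """interface Tunnel0
 ip nhrp authentication donttell
 ip nhrp network-id 99
 ip nhrp redirect
 tunnel mode gre multipoint
!
"""
SPOKE = """interface Tunnel0
 ip nhrp authentication donttell
 ip nhrp network-id 99
 ip nhrp nhs 155.1.0.5
 tunnel mode gre multipoint
!
"""

def tunnel_lines(config, ifname="Tunnel0"):
    """Return the commands under one interface (indented or flat input)."""
    lines, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            inside = line.split(None, 1)[1].lower() == ifname.lower()
        elif line == "!" or line.startswith("router "):
            inside = False
        elif inside and line:
            lines.append(line)
    return lines

def audit(config, role):
    """role is 'hub' or 'spoke' (hypothetical argument for this example)."""
    cmds = tunnel_lines(config)

    def has(prefix):
        return any(c.startswith(prefix) for c in cmds)

    findings = []
    if role == "hub" and not has("ip nhrp redirect"):
        findings.append("hub: missing 'ip nhrp redirect'")
    if role == "spoke" and not has("ip nhrp shortcut"):
        findings.append("spoke: missing 'ip nhrp shortcut'")
    if role == "spoke" and not has("ip nhrp nhs"):
        findings.append("spoke: missing 'ip nhrp nhs'")
    if has("ip nhrp authentication"):
        findings.append("NHRP authentication string is carried in cleartext")
    if not has("tunnel protection ipsec profile"):
        findings.append("no 'tunnel protection ipsec profile' on the tunnel")
    return findings
```

Calling audit(SPOKE, "spoke") on the constructed spoke reports the missing shortcut first; the parser strips leading whitespace, so the flat, unindented configs as pasted in this thread are read the same way.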