Phase 1
With Phase 1 we use NHRP so that spokes can register themselves with the hub. The hub is the only router using a multipoint GRE interface; all spokes use regular point-to-point GRE tunnel interfaces. This means there is no direct spoke-to-spoke communication: all traffic has to go through the hub!
Since our traffic has to go through the hub, our routing configuration is quite simple. Spoke routers only need a summary or default route pointing to the hub to reach the other spokes.
Phase 2
The disadvantage of Phase 1 is that there are no direct spoke-to-spoke tunnels. In Phase 2, all spoke routers use multipoint GRE tunnels, so we do get direct spoke-to-spoke tunneling. When a spoke router wants to reach another spoke, it sends an NHRP resolution request to the hub to find the NBMA IP address of the other spoke.
There are two requirements to make spoke-to-spoke tunnels work:
- Spoke routers need to have a route for the network that they are trying to reach.
- The next hop IP address of the route has to be the remote spoke.
We are using a hub and spoke topology, so only the hub exchanges routing information with the spokes. Depending on the routing protocol, it’s possible that the hub changes the next hop IP address of the routes it advertises to the spokes. When it does, a spoke will use the hub as the destination when trying to reach a remote spoke, and no direct tunnel is built. I’ll show you how to deal with this when we look at the configuration.
Summarization on the hub is not possible since the spoke routers require specific routes.
Phase 3
The final phase of DMVPN changes the way NHRP operates. The spoke routers no longer need specific routes to reach remote spokes, and it doesn’t matter what the next hop IP address is. When a spoke router wants to reach a remote spoke, it forwards its traffic to the hub. When the hub receives the traffic, it realizes that another spoke is the destination and sends an NHRP redirect to both spokes.
When the spokes receive the NHRP redirect, they both send an NHRP resolution request to figure out each other’s NBMA IP addresses. The spoke routers then install a new entry in the routing table so that they can reach each other directly.
Configuration Differences : Phase 2
RIP
Nothing complicated here except the command no ip split-horizon on the tunnel interface of the hub, otherwise the hub will not re-advertise one spoke’s prefixes to the other spokes.
EIGRP ( Best with DMVPN )
On hub : no ip split-horizon eigrp as#, no ip next-hop-self eigrp as# (both on the tunnel interface; the second keeps the remote spoke as next hop so that spoke-to-spoke tunnels are built).
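As an added example (not from the page or from Network Lessons), here is the hub tunnel interface for Phase 2 with EIGRP; the AS number 1, the 172.16.123.0/24 tunnel subnet, NHRP network-id 1 and the GigabitEthernet0/0 source interface are assumed values:

```cisco
! Hub mGRE tunnel for DMVPN Phase 2 with EIGRP AS 1 (assumed values)
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 ! Without this, split horizon stops the hub from re-advertising
 ! Spoke1's prefixes back out of the same tunnel towards Spoke2.
 no ip split-horizon eigrp 1
 ! Without this, the hub rewrites the next hop to itself (172.16.123.1),
 ! so spokes send spoke-to-spoke traffic via the hub and no direct
 ! tunnel is ever triggered. The spoke's tunnel IP must stay as next hop.
 no ip next-hop-self eigrp 1
 ip nhrp network-id 1
 ! Replicate EIGRP hellos to every spoke that registers (Phase 2 and 3).
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router eigrp 1
 network 172.16.123.0 0.0.0.255
 network 1.1.1.1 0.0.0.0
! Check: on a spoke, "show ip route eigrp" should list the other spoke's
! prefix with that spoke's tunnel IP as next hop, not the hub's.
```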
OSPF
Broadcast : set all spokes to ip ospf priority 0 so that only the hub can become DR (no DR/BDR on the spokes) and set the OSPF network type to broadcast on the tunnel interface.
Non Broadcast : set the OSPF network type to non-broadcast on the tunnel interface and don’t forget to use the neighbor command under the router ospf configuration (non-broadcast networks have no automatic neighbor discovery).
Point to Multipoint : set the OSPF network type with ip ospf network point-to-multipoint on the interface.
Point-to-multipoint non-broadcast : set the OSPF network type with ip ospf network point-to-multipoint non-broadcast on the interface and don’t forget to use the neighbor command under the router ospf configuration (non-broadcast).
BGP
EBGP : Traditional configuration, nothing special.
IBGP : Use dynamic peers 🙂 see the link from Network Lessons :
https://networklessons.com/cisco/ccie-routing-switching/dmvpn-phase-2-bgp-routing
Let’s try something else now, we’ll go for internal BGP. The advantage of iBGP is that we can use dynamic peers. We need to make sure that prefixes from one spoke router will be advertised to another spoke router. To accomplish this, we’ll configure the hub router as a route reflector:
Hub(config)#router bgp 65123
Hub(config-router)#bgp listen range 172.16.123.0/24 peer-group DMVPN_SPOKES
Hub(config-router)#neighbor DMVPN_SPOKES peer-group
Hub(config-router)#neighbor DMVPN_SPOKES remote-as 65123
Hub(config-router)#neighbor DMVPN_SPOKES route-reflector-client
Hub(config-router)#network 1.1.1.1 mask 255.255.255.255
In the example above I used dynamic neighbors so that the hub accepts any BGP neighbor in the 172.16.123.0/24 range. Let’s configure the spoke routers:
Spoke1(config)#router bgp 65123
Spoke1(config-router)#neighbor 172.16.123.1 remote-as 65123
Spoke1(config-router)#network 2.2.2.2 mask 255.255.255.255
Spoke2(config)#router bgp 65123
Spoke2(config-router)#neighbor 172.16.123.1 remote-as 65123
Spoke2(config-router)#network 3.3.3.3 mask 255.255.255.255
Configuration Differences : Phase 3
RIP
We need to advertise a default route from the hub with the command default-information originate.
Use a prefix list (applied with a distribute-list out the tunnel interface) so that only the default route is advertised to the spokes.
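An added example (not from the page) of the RIP hub configuration described above; the prefix-list name, RIP network statement and Tunnel0 interface name are assumed:

```cisco
! Hub, DMVPN Phase 3 with RIPv2 (assumed names and addressing)
! Only 0.0.0.0/0 matches; every other prefix is filtered out towards the spokes.
ip prefix-list DEFAULT_ONLY seq 5 permit 0.0.0.0/0
!
router rip
 version 2
 no auto-summary
 network 172.16.0.0
 ! Originate the default route; spokes then reach every remote network
 ! via the hub until NHRP redirect/shortcut installs a direct entry.
 default-information originate
 ! Keep specific routes off the spokes, as Phase 3 no longer needs them.
 distribute-list prefix DEFAULT_ONLY out Tunnel0
! Check: "show ip route rip" on a spoke should show only 0.0.0.0/0 via the hub.
```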
EIGRP ( Best with DMVPN )
On hub : advertise a default route on the tunnel interface with the interface command ip summary-address eigrp as# 0.0.0.0 0.0.0.0 (this summary suppresses the specific prefixes towards the spokes).
OSPF
We can’t use any summarization so the spoke routers will always have specific entries for the networks behind other spoke routers. If you use OSPF, it’s best to go for point-to-multipoint as it has automatic neighbor discovery and you don’t have to worry about the DR/BDR election.
BGP
EBGP : Traditional configuration, nothing special.
IBGP : Use dynamic peers 🙂 see the link from Network Lessons :
1. Cisco recommends that EIGRP be deployed for DMVPN networks; deploying EIGRP is more straightforward than the other options.
2. The default OSPF network type for tunnel interfaces is point-to-point and won’t work with DMVPN.
3. Difference between the Phase 1, 2 and 3 basic configuration modes:
DMVPN Phase 1 : you need to set the tunnel destination on the spokes (point-to-point GRE).
DMVPN Phase 2 : you need to set tunnel mode gre multipoint on the spokes and remove the tunnel destination command.
DMVPN Phase 3 : you need to add the command ip nhrp redirect on the hub and ip nhrp shortcut on the spokes.
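The three spoke tunnel variants side by side, as an added example that is not part of the original notes; the hub NBMA address 192.0.2.1, tunnel addressing 172.16.123.0/24, NHRP network-id 1 and the GigabitEthernet0/0 source interface are assumed values:

```cisco
! --- Phase 1: spoke uses a point-to-point GRE tunnel to the hub ---
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 ip nhrp network-id 1
 ! Static NHRP mapping of the hub's tunnel IP to its NBMA (public) IP
 ip nhrp map 172.16.123.1 192.0.2.1
 ip nhrp nhs 172.16.123.1
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
!
! --- Phase 2: mGRE on the spoke; the fixed destination is removed ---
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map 172.16.123.1 192.0.2.1
 ! Send routing-protocol multicast (EIGRP/OSPF hellos) to the hub only
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 172.16.123.1
 tunnel source GigabitEthernet0/0
 no tunnel destination
 tunnel mode gre multipoint
!
! --- Phase 3: Phase 2 config plus NHRP redirect (hub) / shortcut (spoke) ---
! Hub side:
interface Tunnel0
 ip nhrp redirect
! Spoke side:
interface Tunnel0
 ip nhrp shortcut
! Check: "show ip nhrp" on a Phase 3 spoke should show the remote spoke's
! NBMA address after the first spoke-to-spoke packet crosses the hub.
```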
And finally, IPsec Phase 1 and 2
FROM : https://networklessons.com/cisco/ccie-routing-switching/dmvpn-over-ipsec
Phase 1
Hub, Spokes
(config)#crypto isakmp policy 10
(config-isakmp)#authentication pre-share
(config-isakmp)#encryption aes 128
(config-isakmp)#group 5
(config-isakmp)#hash sha256
Hub, Spokes
(config)#crypto isakmp key DMVPN_KEY address 0.0.0.0
Phase 2
Hub, Spokes
(config)#crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
(cfg-crypto-trans)#mode transport
Hub, Spokes
(config)#crypto ipsec profile DMVPN_PROFILE
(ipsec-profile)#set transform-set DMVPN_TRANSFORM
Hub, Spokes
(config)#interface Tunnel 0
(config-if)#tunnel protection ipsec profile DMVPN_PROFILE