DMVPN Phase 3 Basic Configuration

ReneMolenaar · December 29, 2016, 8:28pm

This topic is to discuss the following lesson:

norman · December 27, 2015, 12:09pm

Hi !

I didnt have “ip nhrp redirect” in my IOS (C3745-ADVENTERPRISEK9_SNA-M) ??? that´s the only one i got…

/Oskar

ReneMolenaar · December 27, 2015, 1:45pm

Hi Oskar,

Check the Cisco Feature Navigator to find out which IOS versions support certain commands.

It seems the T11 release for the 3725 should support ip nhrp redirect:

c3725-adventerprisek9_sna-mz.124-6.T11.bin

http://tools.cisco.com/ITDIT/CFN/Dispatch?act=featdesc&task=display&featureId=5963

Rene

wdavis84 · January 9, 2016, 9:26am

Hi Rene,

What is the advantages using the Phase 3 over Phase 2?

Try to minimize the routing entry in the spoke router?

Davis

ReneMolenaar · January 11, 2016, 11:47am

Hi Davis,

The main advantage is that you have smaller routing tables. In phase 2, each spoke router requires specific entries for networks it wants to reach behind other spoke routers. With phase 3, a summary route is all you need.

Rene

wdavis84 · January 12, 2016, 2:11am

Hi Rene,

ok. Thanks

Davis

kxdemonya-ru · February 11, 2016, 12:43pm

Hello,

Should router do icmp redirection to his neighbors when they are in one subnet? This feature of IP protocol doesn’t work in this case, does it?
I see that you disable icmp redirects by issuing “no ip redirects” command on Tunnel interface.

andrew · February 11, 2016, 3:55pm

Valeriya,
It is common practice to disable ICMP redirects independently of DMVPN. These are generally considered troublesome from a security perspective, so most people turn off ICMP redirects.

In the case of DMVPN, a completely separate protocol, the NHRP Redirect, is responsible for telling a spoke about a direct path to another spoke, rather than sending all traffic through the hub (which is what happens in DMVPN Phase 1).

andrew · February 11, 2016, 6:32pm

Point of clarification: I meant to say “IP Redirects” not “ICMP Redirects” because that is the technically accurate term, even though IP redirection is accomplished via ICMP Type 5 messages (redirects)

Deep · June 14, 2016, 9:56pm

Hi Rene, may be a trivial question but I have not played with GNS3 much. How do you simulate cloud like in this topology?

andrew · June 14, 2016, 10:42pm

Parajuli,
The most important part of GNS3 is ensuring you have an IOS that supports the features you want. I have done many simulations of DMVPN (all three phases) in GNS3. The IOS image I found that works best is c7200-adventerprisek9-mz.152-4.M6. To answer your next question, the only legal way for you to obtain a GNS3 IOS image is via your Cisco account.

There is nothing special about a “cloud” setup. You could simulate the same thing by just hooking your GNS3 routers together via Ethernet.

Deep · June 15, 2016, 12:04am

Thanks Andrew. I have that image in production. Will set up lab.

xelegend · July 27, 2016, 9:30am

Hello Rene,
First, thanks for your great job! it’s really simple to understand

I have a problem with the configuration of the phase 3 DMVPN in GNS3. Since i type the 'ip nhrp redirect’command, i have te following error message ‘% NHRP-WARNING: ‘ip nhrp redirect’ failed to initialise’
Could you please tell me why? I use the 7200 ios version 15.2.

Thanks for your reply

andrew · July 27, 2016, 5:31pm

Vanessa,
I ran into this issue with GNS3 as well. I recommend you try to use the following IOS image to solve this problem:

c7200-adventerprisek9-mz.152-4.M6

Unfortunately, we will not be able to provide you assistance in actually getting this image, as legally, you must obtain this via your Cisco account.

xelegend · July 27, 2016, 11:17pm

No matter Andrew, i’ll try it then. Many thanks!

danobustos1 · August 5, 2016, 3:20pm

Hi Renee!
Great lesson as always

I was just wondering what about the “ip nhrp server-only” what is the purpose of the command??

-Dan

andrew · August 5, 2016, 11:35pm

Dan,
That command would be useful only in an environment where you want to force spoke to spoke traffic to flow through the hub–for example in an WAN environment where there is NOT a full mesh between the spokes. In this type of environment it is not possible to have direct spoke to spoke traffic, so you would not want the spokes to ask for NHRP shortcut information (since they couldn’t use it anyway).

The server-only option prevents the NHRP router from sending out resolution requests as part of the attempt to establish a shortcut.

danobustos1 · August 7, 2016, 7:22pm

That make sense now
Thanks for the good explanation Andrew!

-Dan

jigarshah91291 · August 21, 2016, 6:25pm

'Hi Rene,

In this phase, if local ISP of Hub and both spokes are different then its required all the local ISP to know about public IP’s of each other. Right ?

E.g, Local ISP of spoke 2 should know about Public IP of both Hub and spoke 1, Right ? If not, then how the traffic from Spoke 1 goes directly to Spoke 2 ? How Spoke 1 is reachable to public IP of Spoke 2 ?’

andrew · August 23, 2016, 12:36am

Jigar,
You are correct. This is why public IPs are used as part of the NHRP registration–the assumption is that any site can reach any other site directly. If, for some reason, that is not the case, then at a minimum the hub must be reachable to and from all spoke locations. In this case, you would essentially be running like you were in Phase 1, where the hub would reside in the data plane of all traffic, and the spokes would only be able to communicate with other spokes through the hub.