DMVPN Phase 3 Basic Configuration

(Rene Molenaar) #5

Hi Davis,

The main advantage is that you have smaller routing tables. In phase 2, each spoke router requires specific entries for networks it wants to reach behind other spoke routers. With phase 3, a summary route is all you need.

Rene

(Davis W) #6

Hi Rene,

ok. Thanks

Davis

(Valeriya S) #7

Hello,

Should router do icmp redirection to his neighbors when they are in one subnet? This feature of IP protocol doesn’t work in this case, does it?
I see that you disable icmp redirects by issuing “no ip redirects” command on Tunnel interface.

(Andrew P) #8

Valeriya,
It is common practice to disable ICMP redirects independently of DMVPN. These are generally considered troublesome from a security perspective, so most people turn off ICMP redirects.

In the case of DMVPN, a completely separate protocol, the NHRP Redirect, is responsible for telling a spoke about a direct path to another spoke, rather than sending all traffic through the hub (which is what happens in DMVPN Phase 1).

(Andrew P) #9

Point of clarification: I meant to say “IP Redirects” not “ICMP Redirects” because that is the technically accurate term, even though IP redirection is accomplished via ICMP Type 5 messages (redirects) :slight_smile:

(Deep) #10

Hi Rene, may be a trivial question but I have not played with GNS3 much. How do you simulate cloud like in this topology?

1 Like
(Andrew P) #11

Parajuli,
The most important part of GNS3 is ensuring you have an IOS that supports the features you want. I have done many simulations of DMVPN (all three phases) in GNS3. The IOS image I found that works best is c7200-adventerprisek9-mz.152-4.M6. To answer your next question, the only legal way for you to obtain a GNS3 IOS image is via your Cisco account. :slight_smile:

There is nothing special about a “cloud” setup. You could simulate the same thing by just hooking your GNS3 routers together via Ethernet.

(Deep) #12

Thanks Andrew. I have that image in production. Will set up lab.

(Vanessa) #13

Hello Rene,
First, thanks for your great job! it’s really simple to understand

I have a problem with the configuration of the phase 3 DMVPN in GNS3. Since i type the 'ip nhrp redirect’command, i have te following error message ‘% NHRP-WARNING: ‘ip nhrp redirect’ failed to initialise’
Could you please tell me why? I use the 7200 ios version 15.2.

Thanks for your reply

(Andrew P) #14

Vanessa,
I ran into this issue with GNS3 as well. I recommend you try to use the following IOS image to solve this problem:

c7200-adventerprisek9-mz.152-4.M6

Unfortunately, we will not be able to provide you assistance in actually getting this image, as legally, you must obtain this via your Cisco account.

(Vanessa) #15

No matter Andrew, i’ll try it then. Many thanks!

(Dan B) #16

Hi Renee!
Great lesson as always

I was just wondering what about the “ip nhrp server-only” what is the purpose of the command??

-Dan

(Andrew P) #17

Dan,
That command would be useful only in an environment where you want to force spoke to spoke traffic to flow through the hub–for example in an WAN environment where there is NOT a full mesh between the spokes. In this type of environment it is not possible to have direct spoke to spoke traffic, so you would not want the spokes to ask for NHRP shortcut information (since they couldn’t use it anyway).

The server-only option prevents the NHRP router from sending out resolution requests as part of the attempt to establish a shortcut.

(Dan B) #18

That make sense now
Thanks for the good explanation Andrew!

-Dan

(Jigar S) #19

'Hi Rene,

In this phase, if local ISP of Hub and both spokes are different then its required all the local ISP to know about public IP’s of each other. Right ?

E.g, Local ISP of spoke 2 should know about Public IP of both Hub and spoke 1, Right ? If not, then how the traffic from Spoke 1 goes directly to Spoke 2 ? How Spoke 1 is reachable to public IP of Spoke 2 ?’

(Andrew P) #20

Jigar,
You are correct. This is why public IPs are used as part of the NHRP registration–the assumption is that any site can reach any other site directly. If, for some reason, that is not the case, then at a minimum the hub must be reachable to and from all spoke locations. In this case, you would essentially be running like you were in Phase 1, where the hub would reside in the data plane of all traffic, and the spokes would only be able to communicate with other spokes through the hub.

(Vitaly K) #22

Hello Rene,
I run 15.2(4)S5 on 7200. Is it possible to implement P3 if ip nhrp redirect failed ?

% NHRP-WARNING: 'ip nhrp redirect' failed to initialise

I looked up IOS features and Phase 3 seems supported.

thanks

(Lazaros Agapides) #23

Hello Vitaly

I was looking at the Cisco Feature Navigator and I was unable to find the 15.2(4)S5 IOS software release you mention:


Can you verify the release? Also, once that’s verified, you can use the Cisco Feature Navigator to verify that Phase 3 is supported. Let us know what you find!

Looking further into it I see that others are having similar problems when attempting to implement a similar lab using GNS3. It can be buggy, so it may be due to GNS3 and not the IOS version itself. Can you attempt it on another platform to verify?

I hope this has been helpful!

Laz

(Vitaly K) #24

Thanks

I use real routers not GNS3, 7200, 2811,1841, 2921
c7200-advipservicesk9-mz.152-4.S5.bin
P3 DMVPN cant be established. I will try 2921 as a hub.

The P2 config for IPSEC DMVPN (the lessons) does kill my tunnel comms. As soon as I remove IPSEC config statement from the tunnel interface it could have been reestablished with the two spokes I have.
the IPSEC wrapper breaks the membership

(Rene Molenaar) #25

Hi Vitaly,

Searching for this error message, it seems it’s related to the IOS version of the 7200 router. Did you have more luck with a more recent IOS version on your 2921?

Rene