DMVPN Phase 3 Basic Configuration

Hi Vitaly,

Searching for this error message, it seems it’s related to the IOS version of the 7200 router. Did you have more luck with a more recent IOS version on your 2921?

Rene

Hello Rene,Laz,

In DMVPN phase 3, if spoke 1 wants to send traffic to spoke 2, then spoke1 sends NHRP resolution request to hub and hub sends ‘NHRP Traffic indication’ message to the spoke1. But I do not see any information about spoke 2 in the ‘NHRP Traffic indication’ message then what is the significance of ‘NHRP Traffic indication’ packet ?

Thanks,
Sachin

Thanks,
Sachiin

Hello Sachin

The NHRP Traffic Indication message contains information about the original packet including its IP header which includes the original destination IP address. The purpose of this message is to indicate to the sender (Spoke 1) that the original packet was received, and the NHRP registration/encapsulation has succeeded. In other words, the hub is telling Spoke 1, “I’m ready to route your traffic to this destinations successfully, please continue to send your packets”. It doesn’t need to send any other info concerning Spoke 2 other than the original destination IP address.

Once the hub receives additional packets for this destination, it can now route them to the destination of Spoke 2.

I hope this has been helpful!

Laz

Hello NetworkLessons Team. I need an explanation about NHRP below:

  • ip nhrp shortcut
  • ip nhrp network-id
  • ip nhrp map
  • ip nhrp nhs
  • ip nhtp responder

Thanks

Hello Boris

All of these commands are being used in this lesson except for the last one:


I’ll attempt to give you a brief summary of each, but you can also see them in action in the lesson too.

  • ip nhrp shortcut - This command allows the spoke routers to makes changes in the CEF entry when they receive a redirect message from the hub.
  • ip nhrp network-id - This command simply enables NHRP on the interface. All NHRP devices within the logical network must be configured with the same network identifier.
  • ip nhrp map - This command statically configures the IP-toNBMA address mapping of IP destinations connected to an NBMA network. At least one static mapping is necessary to reach the next-hop server.
  • ip nhrp nhs - This command specifies the address of one or more NHRP servers.
  • ip nhrp responder - This command is used to designate the primary IP address of the next hop server that an interface will use in NHRP reply packets when the NHRP requestor uses the responder address option.

You can find out more information about these and other NHRP commands at this Cisco documentation.

I hope this has been helpful!

Laz

2 Likes

Hello Laz.
Thanks a lot.

1 Like

Hi Everyone,

I have a question about topology that will involve DMVPN router sitting behind ASA FW. I’m trying to bring up DMVPN with my friend and my home network is already established with ASA being the first device facing internet with public IP setup on outside interface Gi0. Can some one point me to right direction what needs to be done on my router (spoke) and the ASA to make this work? Maybe some configuration example will be great…

Understand that at minimum I will need to open ports 500 and 4500 with some ACL’s on the ASA but what next?

Hello Roman

Typically, when running DMVPN behind an ASA firewall, there are several options, two of which suit your situation.

The first involves placing the DMVPN router in the DMZ of your ASA, and assigning it a public address, which means you can filter traffic, but you don’t actually have to open specific ports. The other involves having the DMVPN router behind the firewall, in which case you will need to open/forward some ports. From my understanding, it is the second scenario that you require.

For this you must forward ports udp 500 and udp 4500 for nat-t, but also, as per this Cisco documentation, you have the following restrictions:

  • For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set.
  • If one spoke is behind one NAT device and another different spoke is behind another NAT device, and Peer Address Translation (PAT) is the type of NAT used on both NAT devices, then a session initiated between the two spokes cannot be established.
  • For best DMVPN functionality, it is recommended that you run the latest Cisco IOS software Release 12.4 mainline,12.4T, or 12.2(18)SXF.

I hope this has been helpful!

Laz

Laz ,

Thanks for your response. The 2nd scenario is something that I would like to eventually implement in my lab. I will go over the Cisco doc. and play with it. Hopefully I will figured out , it will be great opportunity to learn something new. Thanks again to point me in right direction.

-Roman

1 Like

Hi Laz,

In DMVPN Phase 3 when spokes router receive NHRP redirect message then they send NHRP resolution request message so question is here that to whom they send NHRP Resolution Request message, to each other or Hub router ?

Hello Pradyumna

Take a look at this post:

You should find your answer there.

I hope this has been helpful!

Laz

Hi Laz,

I got it but still have a doubt is that post getting NBMA address of spoke 2 through redirect message then why spoke 1 router still sending a NHRP resolution request through Hub to the spoke 2 as you mentioned?

Hello Pradyumna

Yes, it is interesting that when the originating router (spoke 1) receives the redirect message from the HUB, it then sends an NHRP request to the proper spoke (spoke 2). Notice here that the target of the request is not the hub, but the request does traverse the hub. This is because the resolution request travels via the regular IP routing path, which is via the HUB, because the HUB originated the prefix to spoke 2. It is only when spoke 2 responds to the resolution request that it responds directly (not via the HUB). Once spoke 1 receives this, it can then communicate directly with spoke 2.

I hope this has been helpful!

Laz

Ok got it Laz so we can say it will be send two times by spoke 1, first for getting a nbma address of spoke 2 and second for getting a response directly from spoke 2 so they communicate directly, am i right…

Hello Pradyumna

Yes you got it!! Glad to be of help!

Laz

1 Like

This version dont work either.

HUB(config)#interface tunnel 0
HUB(config-if)#ip nhrp redirect
% NHRP-WARNING: 'ip nhrp redirect' failed to initialise
HUB(config-if)#



HUB(config-if)#do sh ver | i IOS
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S6, RELEASE SOFTWARE (fc1)

NOT WORKING FOR ME.
ANY WORKING IOS CODE PLEASE.

Hello Network J

As Andrew has mentioned in his post, the solution to the problem is to use the M-train image c7200-adventerprisek9-mz.152-4.M6. It seems that you are using the S-train image. Now the S-train image does indeed support this command on real hardware, but for some reason, it doesn’t work on GNS3.

This has also been confirmed at this GNS3 forum post.

I hope this has been helpful!

Laz

Hi,

In the OCG book I found this question.

“Which DMVPN phase introduced hierarchical tunnel structures?”
The answer is phase 3.

Can you explain this question ? What is exactly meaning with “hierarchical tunnel structures”?

Thanks

Hello Giovanni

A hierarchical DMVPN topology is one where you have multiple levels of hubs. In other words, you can have a spoke that plays the role of a hub to multiple sub-spokes. The following Cisco documentation describes this in detail:

https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/211292-Configure-Phase-3-Hierarchical-DMVPN-wit.html

Only Phase 3 DMVPN supports this topology.

I see that this question is specifically in the CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide. Note that this type of DMVPN topology is not explicitly described as being in the list of covered topics, however, it is good to know about it.

I hope this has been helpful!

Laz

Hi
I need help for another question about DMVPN. (Ref. BosonExamSim)

Based on this output.

RouterA#show ip nhrp detail
10.10.10.5/32 via 10.10.10.5, Tunnel0 created 00:05:40, expire 00:00:41
  Type: dynamic, Flags: authoritative unique nat registered used
  NBMA address: 172.16.0.44

Which of the following statements is true?

  • The mapping cannot be overwritten by a different NBMA entry with the same IP address
  • The mapping was obtained from NHRP resolution request or packet
  • something wrong

The first answer is correct (the unique keyword is the key of the question), but why the second one is considered wrong?

Also, why we need a phase 3 DMVPN if phase 2 can provide a direct connectivity between spokes?

Thank you