Ankur Bajaj
Cisco Employee

Introduction

In this blog my aim is to discuss the deployment of DMVPN with VRFs, using BGP (iBGP and eBGP) as the routing protocol over the tunnels and EIGRP running on the control plane (core) in a different VRF. The intent is to establish direct spoke-to-spoke communication (IKE and IPsec/GRE) and pass traffic over it.


In DMVPN both spokes keep a permanent GRE/IPsec tunnel to the hub and register themselves with the NHRP server, which is the hub. This registration is an IP-to-IP mapping, i.e. the tunnel IP mapped to the NBMA IP. When spoke 1 wants to send a packet to a LAN subnet behind spoke 2, it queries the hub (the NHRP database) for the real outside (NBMA) address of the destination spoke. Once spoke 1 has this information it can initiate a GRE/IPsec tunnel directly to spoke 2, since it now knows spoke 2's NBMA address. The dynamic spoke-to-spoke tunnel is built over the mGRE interface, and when the traffic ceases the spoke-to-spoke tunnel is removed; ISAKMP keepalives (dead peer detection packets) can be configured to tear the tunnel down. Hence the two main components of DMVPN are NHRP and the mGRE interface.

iBGP configuration with DMVPN :-

-----------------------------------------------------

HUB Configuration ( HUB-iBGP.rtf ) :- The hub acts as route reflector for spoke 1 and spoke 2. Use the same BGP AS on spoke 1, spoke 2 and the hub router. On the hub router the internet traffic is routed via EIGRP in the global VRF, and tunnel traffic is carried via iBGP over VRF HOPA. Attached are the configuration and the show commands for IKE, IPsec, NHRP, sockets and routes. In the phase 2 output, note that the SA is protected in VRF HOPA, and that the BGP routes are in VRF HOPA as well.

Spoke configuration (spoke1-iBGP.rtf, spoke2-iBGP.rtf ) :- The spokes are in the same BGP AS and are configured as route-reflector clients. The spokes have internet traffic via EIGRP in VRF DSL#1 and tunnel traffic via iBGP in the global VRF. Attached are the configuration and show commands; in the IKE/IPsec SA output we see a direct spoke-to-spoke tunnel once we initiate traffic between 11.11.11.11 and 22.22.22.22 (simulated LAN subnets).

eBGP configuration with DMVPN :-

-------------------------------------------------------

HUB Configuration (hub-eBGP.rtf ) :- The hub is in AS 1 and the spokes are in a different AS. On the hub router the internet traffic is routed via EIGRP in the global VRF, and tunnel traffic is via iBGP over VRF HOPA. Within address-family vrf HOPA we need to define the remote AS, the peer group and next-hop-unchanged, configure the spokes as neighbors, and advertise the networks.

Spoke configuration (sp1-sp2-eBGP.rtf ) :- The spokes are in AS 2, and for the hub neighbor the local-as is defined as 21719. The spokes have internet traffic via EIGRP in VRF DSL#1 and tunnel traffic via iBGP in the global VRF. Also configure "allowas-in" under the BGP configuration so that prefixes can be re-advertised to each spoke even though they carry a duplicate AS number.
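The attached .rtf files are not reproduced here, so the following is an added hub-side example (not the author's configuration) that illustrates both the iBGP section and the eBGP variant above: the overlay in VRF HOPA, the tunnel sourced from the global VRF where EIGRP provides reachability, DPD to tear down stale tunnels, and the BGP next-hop handling that makes spoke-to-spoke tunnels possible. Tunnel addressing (10.0.0.0/24), the pre-shared key, NHRP key, crypto parameters and interface name are assumptions.

```ios
! Hub: VRF HOPA carries the overlay; the tunnel source stays in the global VRF,
! where EIGRP provides Internet reachability (no "tunnel vrf" needed on the hub).
ip vrf HOPA
 rd 1:1
!
! IKE/IPsec. Key values, crypto parameters and addresses below are assumed.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0
! DPD so that dead spokes and idle spoke-to-spoke tunnels are torn down
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! mGRE interface acting as the NHRP server, placed in VRF HOPA
interface Tunnel0
 ip vrf forwarding HOPA
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <NHRP-KEY-PLACEHOLDER>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! iBGP route reflector under the VRF address family. A route reflector leaves
! NEXT_HOP untouched, so a prefix learned from spoke 2 reaches spoke 1 with
! spoke 2's tunnel address as next hop; that is what triggers the NHRP
! resolution and the direct spoke-to-spoke tunnel.
router bgp 1
 address-family ipv4 vrf HOPA
  neighbor SPOKES peer-group
  neighbor SPOKES remote-as 1
  neighbor SPOKES route-reflector-client
  neighbor 10.0.0.2 peer-group SPOKES
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.3 peer-group SPOKES
  neighbor 10.0.0.3 activate
 exit-address-family
!
! eBGP variant of the same peer group (spokes in AS 2): eBGP rewrites NEXT_HOP
! to the hub by default, so next-hop-unchanged is required to keep spoke-to-spoke
! traffic off the hub. Replace the remote-as and route-reflector-client lines with:
!  neighbor SPOKES remote-as 2
!  neighbor SPOKES next-hop-unchanged
```

A quick check after bringing this up is that the BGP next hop for a remote spoke's LAN prefix in VRF HOPA is the other spoke's tunnel address, not the hub's; if it is the hub's, traffic will hairpin through the hub instead of building the direct tunnel.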
