DMVPN Deployment Configuration ( BGP + VRF )


Sep 25, 2011 9:56 AM

Introduction

In this blog my aim is to discuss deployment of DMVPN with VRF and BGP (iBGP and eBGP) as the routing protocol over the tunnel, with EIGRP running on the control plane (core) in a different VRF. The intent is to establish direct spoke-to-spoke communication (IKE and IPsec/GRE) and pass traffic.


In DMVPN, both spokes keep a GRE/IPsec tunnel to the hub up all the time and register themselves with the NHRP server, which is the hub. This registration is an IP-to-IP mapping, i.e. the tunnel IP mapped to the NBMA IP. When spoke 1 wants to send a packet to a LAN subnet on spoke 2, it queries the hub (NHRP database) for the real outside (NBMA) address of the destination spoke. Once spoke 1 has the NBMA address of spoke 2, it can initiate a GRE/IPsec tunnel to spoke 2. The dynamic spoke-to-spoke tunnel is built over the mGRE interface, and when the traffic ceases the spoke-to-spoke tunnel is removed. We can also configure ISAKMP keepalives (dead peer detection packets) to kill the tunnel. Hence the two main components in DMVPN are NHRP and the mGRE interface.

iBGP configuration with DMVPN :-

-----------------------------------------------------

HUB Configuration (HUB-iBGP.rtf) :- The hub acts as route reflector for spoke 1 and spoke 2. Use the same BGP AS on spoke 1, spoke 2 and the HUB router. On the HUB router the internet traffic is routed via EIGRP in the global VRF, and tunnel traffic is via iBGP over VRF HOPA. Attached are the configuration and the show commands for IKE, IPsec, NHRP, sockets and routes. In phase 2, look for the SA protected in VRF HOPA; the BGP routes are also in VRF HOPA.

Spoke configuration (spoke1-iBGP.rtf, spoke2-iBGP.rtf) :- The spokes are in the same BGP AS and are configured as route-reflector clients. The spokes have internet traffic via EIGRP in VRF DSL#1 and tunnel traffic via iBGP in the global VRF. Attached are the config and show commands. In the IKE/IPsec SAs we see a direct spoke-to-spoke tunnel once we initiate traffic between 11.11.11.11 and 22.22.22.22 (simulated as LAN subnets).
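The hub side of the iBGP design described above, as an added example (it is not the author's attached HUB-iBGP.rtf). Only the VRF name HOPA comes from the post; the addresses, BGP AS 65000, EIGRP AS 100, interface names, crypto profile names and the key placeholders are assumptions.

```cisco
! Added example; every value except the VRF name HOPA is an assumption.
ip vrf HOPA
 rd 65000:1
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard key: any peer holding it is accepted; per-peer keys or
! certificates narrow this. <PRE-SHARED-KEY> is a placeholder.
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
! DPD (on-demand by default): 10 s threshold, 3 s between retries
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface GigabitEthernet0/0
 description NBMA side, global table (EIGRP)
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 description mGRE overlay, inside VRF HOPA
 ip vrf forwarding HOPA
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication <NHRPKEY>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 192.0.2.0 0.0.0.255
!
router bgp 65000
 address-family ipv4 vrf HOPA
  neighbor 10.0.0.11 remote-as 65000
  neighbor 10.0.0.11 route-reflector-client
  neighbor 10.0.0.11 activate
  neighbor 10.0.0.12 remote-as 65000
  neighbor 10.0.0.12 route-reflector-client
  neighbor 10.0.0.12 activate
 exit-address-family
```

Because the route reflector leaves the iBGP next hop untouched, each spoke learns the other spoke's tunnel address as next hop, which is what triggers the NHRP lookup and the direct spoke-to-spoke tunnel.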

eBGP configuration with DMVPN :-

-------------------------------------------------------

HUB Configuration (hub-eBGP.rtf) :- The HUB is in AS 1 and the spokes are in a different AS. On the HUB router the internet traffic is routed via EIGRP in the global VRF, and tunnel traffic is via iBGP over VRF HOPA. Within address-family vrf HOPA we need to define the remote AS, peer group and next-hop-unchanged, configure the spokes as neighbors, and advertise the networks.

Spoke configuration (sp1-sp2-eBGP.rtf) :- The spokes are in AS 2 and for the HUB the local-as is defined as 21719. The spokes have internet traffic via EIGRP in VRF DSL#1 and tunnel traffic via iBGP in the global VRF. Also configure "allowas-in" under the BGP configuration to allow prefixes on each spoke to be re-advertised even with a duplicate AS number.


Comments

ctrujillo@magenta.cl Wed, 06/26/2013 - 21:47 (reply to jportugu)

Hi,

Just want to know if, in the examples presented, H.A. was also tested (dual hub/dual DMVPN), and fast convergence?

I have a similar setup to the one presented, with eBGP between hub and spokes. I want to test fast convergence once the main hub is down, but have still not found any valid solution. I copy the link of the other thread that describes my problem.

https://supportforums.cisco.com/message/3975776#3975776

Thanks,

Carlos Trujillo.
