Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1574
Views
0
Helpful
2
Replies

DMVPN Phases

Go to solution
dmitri_vilesov
Level 1
Level 1

‎04-13-2007 03:51 AM - edited ‎02-21-2020 02:58 PM

I'm a bit confused now, because i have realized that i can't understand DMVPN phases.

Can somebody explain me - what is the difference between Hub-and-Spoke Network and Full-Meshed Network.

1) Hub-and-Spoke Network - all DMVPN traffic goes through HUB. isn't it? and the difference between dynamic and static VPN, is that IPSec tunnels are created only when needed?

2) Full-Meshed Network - spokes ask hub for the NHRP table and establish direct tunnels (traffic goes from spoke to spoke diectly)?

If this information is correct, then where i can find a guide for configuring DMVPN in full-meshed network?

I have only found this guide http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801982ae.shtml , but it seems to me, that it is Hub-and-Spoke example!

Thank you very much in advance!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ggilbert
Cisco Employee
Cisco Employee

‎04-14-2007 08:43 AM

Hi Dmitri,

Question 1:

All traffic goes through HUB - correct

Tunnels are created only when needed between spokes - correct

Question 2:

Correct

http://cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

Please take a look at the link given above.

Snippet from the above link

"NHRP provides the capability for the spoke routers to dynamically learn the exterior physical interface address of the other spoke routers in the VPN network. This means that a spoke router will have enough information to dynamically build an IPsec+mGRE tunnel directly to other spoke routers.

The dynamic IP routing protocol running on the hub router can be configured to reflect the routes learned from one spoke back out the same interface to all of the other spokes, but the IP next-hop on these routes will usually be the hub router, not the spoke router from which the hub learned this route.

The dynamic routing protocols (RIP, OSPF and EIGRP) need to be configured on the hub router to advertise the routes back out the mGRE tunnel interface and to set the IP next-hop to the originating spoke router for routes learned from one spoke when the route is advertised back out to the other spokes.

The following are requirements for the routing protocol configurations.

RIP

You need to turn off split horizon on the mGRE tunnel interface on the hub, otherwise RIP will not advertise routes learned via the mGRE interface back out that same interface.

no ip split-horizon

No other changes are necessary. RIP will automatically use the original IP next-hop on routes that it advertises back out the same interface where it learned these routes.

EIGRP

You need to turn off split horizon on the mGRE tunnel interface on the hub, otherwise EIGRP will not advertise routes learned via the mGRE interface back out that same interface.

no ip split-horizon eigrp

EIGRP will, by default, set the IP next-hop to be the hub router for routes that it is advertising, even when advertising those routes back out the same interface where it learned them. So in this case, you need the following configuration command to instruct EIGRP to use the original IP next-hop when advertising these routes.

no ip next-hop-self eigrp

Note: The no ip next-hop-self eigrp command will be available starting in Cisco IOS release 12.3(2). For Cisco IOS releases between 12.2(13)T and 12.3(2) you must do the following:

* If spoke-to-spoke dynamic tunnels are not wanted, then the above command is not needed.

* If spoke-to-spoke dynamic tunnels are wanted, then you must use process switching on the tunnel interface on the spoke routers.

* Otherwise, you will need to use a different routing protocol over the DMVPN.

OSPF

Since OSPF is a link-state routing protocol, there are not any split horizon issues. Normally for multipoint interfaces you configure the OSPF network type to be point-to-multipoint, but this would cause OSPF to add host routes to the routing table on the spoke routers. These hosts routes would cause packets destined to networks behind other spoke routers to be forwarded via the hub, rather then forwarded directly to the other spoke. To get around this problem, configure the OSPF network type to be broadcast using the command.

ip ospf network broadcast

You also need to make sure that the hub router will be the Designated Router (DR) for the IPsec+mGRE network. This is done by setting the OSPF priority to be greater than 1 on the hub and 0 on the spokes.

* Hub: ip ospf priority 2

* Spoke: ip ospf priority 0

**SNIPPET END ***

Hope this explains.

Rate this post, if it helps.

Gilbert

View solution in original post

0 Helpful
2 Replies 2

Go to solution
ggilbert
Cisco Employee
Cisco Employee

‎04-14-2007 08:43 AM

Hi Dmitri,

Question 1:

All traffic goes through HUB - correct

Tunnels are created only when needed between spokes - correct

Question 2:

Correct

http://cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

Please take a look at the link given above.

Snippet from the above link

"NHRP provides the capability for the spoke routers to dynamically learn the exterior physical interface address of the other spoke routers in the VPN network. This means that a spoke router will have enough information to dynamically build an IPsec+mGRE tunnel directly to other spoke routers.

The dynamic IP routing protocol running on the hub router can be configured to reflect the routes learned from one spoke back out the same interface to all of the other spokes, but the IP next-hop on these routes will usually be the hub router, not the spoke router from which the hub learned this route.

The dynamic routing protocols (RIP, OSPF and EIGRP) need to be configured on the hub router to advertise the routes back out the mGRE tunnel interface and to set the IP next-hop to the originating spoke router for routes learned from one spoke when the route is advertised back out to the other spokes.

The following are requirements for the routing protocol configurations.

RIP

You need to turn off split horizon on the mGRE tunnel interface on the hub, otherwise RIP will not advertise routes learned via the mGRE interface back out that same interface.

no ip split-horizon

No other changes are necessary. RIP will automatically use the original IP next-hop on routes that it advertises back out the same interface where it learned these routes.

EIGRP

You need to turn off split horizon on the mGRE tunnel interface on the hub, otherwise EIGRP will not advertise routes learned via the mGRE interface back out that same interface.

no ip split-horizon eigrp

EIGRP will, by default, set the IP next-hop to be the hub router for routes that it is advertising, even when advertising those routes back out the same interface where it learned them. So in this case, you need the following configuration command to instruct EIGRP to use the original IP next-hop when advertising these routes.

no ip next-hop-self eigrp

Note: The no ip next-hop-self eigrp command will be available starting in Cisco IOS release 12.3(2). For Cisco IOS releases between 12.2(13)T and 12.3(2) you must do the following:

* If spoke-to-spoke dynamic tunnels are not wanted, then the above command is not needed.

* If spoke-to-spoke dynamic tunnels are wanted, then you must use process switching on the tunnel interface on the spoke routers.

* Otherwise, you will need to use a different routing protocol over the DMVPN.

OSPF

Since OSPF is a link-state routing protocol, there are not any split horizon issues. Normally for multipoint interfaces you configure the OSPF network type to be point-to-multipoint, but this would cause OSPF to add host routes to the routing table on the spoke routers. These hosts routes would cause packets destined to networks behind other spoke routers to be forwarded via the hub, rather then forwarded directly to the other spoke. To get around this problem, configure the OSPF network type to be broadcast using the command.

ip ospf network broadcast

You also need to make sure that the hub router will be the Designated Router (DR) for the IPsec+mGRE network. This is done by setting the OSPF priority to be greater than 1 on the hub and 0 on the spokes.

* Hub: ip ospf priority 2

* Spoke: ip ospf priority 0

**SNIPPET END ***

Hope this explains.

Rate this post, if it helps.

Gilbert

0 Helpful

Go to solution
zeeahmed123
Level 1
Level 1
In response to ggilbert

‎02-24-2011 06:22 AM

excellent post.....just what i was looking for. thx

0 Helpful
Customers Also Viewed These Support Documents