Introduction Of MPLS

MPLS defines protocols that create a different paradigm for how routers forward packets. Rather than forwarding packets based on the packet's destination IP address, MPLS defines how routers can forward packets based on an MPLS label.

What Is OSPF Sham Links? How To Configure OSPF Sham Links?

An OSPF sham link is a logical inter-area link carried by the super backbone. A sham link is required only between two VPN sites that belong to the same area and have a backdoor link for backup purposes. An OSPF adjacency is established across the sham link.

How To Configure MPLS L3 With BGP AS OVERRIDE?

BGP has a simple loop prevention mechanism for external BGP. When you see your own autonomous system number in the AS path, you do not accept the prefix. This mechanism is fine for Internet routing, but there are some other scenarios where it might be an issue.

What Is MPLS L3 VPN ? How To Configure?

In MPLS Layer 3, the service provider participates in routing with the customers. The customers run static routing, OSPF, EIGRP, BGP or any other routing protocol with the service provider; these routes can be shared with the customers' other sites. In the VPN, routing information from one customer is completely separated from other customers and tunneled over the service provider's MPLS network.

Latest Posts

What is IKE (Internet Key Exchange)? How to configure IPSec site-to-site?

Internetworks

IKE (Internet Key Exchange) Phase 1

The main purpose of IKE phase 1 is to establish a secure tunnel for IKE phase 2, or IPsec. Let's understand phase 1 in steps.

  • The first step is Negotiation between future neighbors or peers have traffic to be 

Step 1: Negotiation

The peer that has traffic to protect initiates the IKE phase 1 negotiation. The peers negotiate the following:

  • Hashing: peers use a hashing algorithm, MD5 or SHA, to verify integrity.
  • Authentication: each peer has to prove its identity. Peers use shared keys or digital certificates.
  • DH (Diffie-Hellman) group: the DH group determines how strong the key is, and it is used in the key exchange process. A higher group number means more security, but it takes longer to compute.
  • Lifetime: how long the IKE phase 1 tunnel stays up. A shorter lifetime is more secure, because rebuilding the tunnel means new keying material is used. Each vendor uses a different lifetime; a default value is 86400 seconds (1 day).
  • Encryption: the algorithm used for encryption: DES, 3DES, or AES.


Step 2: DH Key Exchange

After the negotiation completes, both peers know which policy to use. They now use the negotiated DH group to exchange keying material, and as a result both peers end up with a shared key.

Step 3: Authentication

In the last step, both peers authenticate each other using the authentication method they agreed on during negotiation. Once authentication succeeds, both peers can send and receive on this tunnel (the tunnel is complete).
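The three steps above, modelled end to end as an added example (not code from the original post or from any IKE implementation). The 127-bit toy DH group, the SHA-256 keyed hash and the rule that the shorter lifetime wins are simplifying assumptions; the policy values are the ones configured later on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group (assumption, illustration only): a 127-bit
# Mersenne prime. Real IKE groups use primes of 768 bits and far more.
TOY_P = 2**127 - 1
TOY_G = 3


@dataclass(frozen=True)
class Policy:
    priority: int
    encryption: str
    hash_alg: str
    auth: str
    dh_group: int
    lifetime: int  # seconds


# Constructed sample input: the policy both routers configure on this page.
R1_POLICIES = [Policy(10, "aes 256", "sha", "pre-share", 3, 3600)]
R3_POLICIES = [Policy(10, "aes 256", "sha", "pre-share", 3, 3600)]


def negotiate(initiator, responder):
    """Step 1: return (chosen_policy, agreed_lifetime) or None.

    Offers are tried in priority order. Encryption, hash, authentication
    method and DH group must be identical on both sides; using the shorter
    of the two lifetimes is a modelling assumption.
    """
    for offer in sorted(initiator, key=lambda p: p.priority):
        for local in sorted(responder, key=lambda p: p.priority):
            if (offer.encryption, offer.hash_alg, offer.auth, offer.dh_group) == (
                    local.encryption, local.hash_alg, local.auth, local.dh_group):
                return offer, min(offer.lifetime, local.lifetime)
    return None


def dh_keypair():
    """Step 2: random private exponent x and public value g^x mod p."""
    private = secrets.randbelow(TOY_P - 3) + 2
    return private, pow(TOY_G, private, TOY_P)


def dh_shared(private, peer_public):
    """Step 2: both sides compute the same (g^x)^y mod p."""
    return pow(peer_public, private, TOY_P)


def to_bytes(n):
    return n.to_bytes(16, "big")


def auth_hash(psk, nonce_i, nonce_r, pub_i, pub_r, shared, identity):
    """Step 3: keyed hash that only a holder of the pre-shared key can build.

    Simplified: the PSK and both nonces seed a key, the DH secret is mixed
    in, and the result authenticates the DH public values and the identity.
    """
    seed = hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()
    key = hmac.new(seed, to_bytes(shared), hashlib.sha256).digest()
    data = to_bytes(pub_i) + to_bytes(pub_r) + identity
    return hmac.new(key, data, hashlib.sha256).digest()


def run_phase1(init_policies, resp_policies, psk_i, psk_r):
    """Run negotiation, DH exchange and authentication; return the outcome."""
    agreed = negotiate(init_policies, resp_policies)
    if agreed is None:
        return {"ok": False, "reason": "no matching policy"}
    x_i, pub_i = dh_keypair()
    x_r, pub_r = dh_keypair()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    secret_i, secret_r = dh_shared(x_i, pub_r), dh_shared(x_r, pub_i)
    # The initiator sends its hash; the responder recomputes it with its PSK.
    sent = auth_hash(psk_i, nonce_i, nonce_r, pub_i, pub_r, secret_i, b"R1")
    expected = auth_hash(psk_r, nonce_i, nonce_r, pub_i, pub_r, secret_r, b"R1")
    if not hmac.compare_digest(sent, expected):
        return {"ok": False, "reason": "authentication failed"}
    return {"ok": True, "policy": agreed[0], "lifetime": agreed[1],
            "keys_match": secret_i == secret_r}


if __name__ == "__main__":
    print(run_phase1(R1_POLICIES, R3_POLICIES, b"cisco123", b"cisco123"))
    print(run_phase1(R1_POLICIES, R3_POLICIES, b"cisco123", b"cisco124"))
```

A mismatch in any negotiated attribute stops the exchange at step 1, while a mismatched pre-shared key only shows up at step 3, after the DH exchange has already run.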

The three steps above can be completed using two different modes:

  • Main mode
  • Aggressive mode 


IKE Phase 2

The IKE phase 2 tunnel, or IPsec tunnel, is used to protect user data. There is only one mode for building the IKE phase 2 tunnel, called Quick mode.

Just as they negotiate in IKE phase 1, the peers negotiate the following for IKE phase 2 (IPsec):

  • IPsec protocol: AH or ESP.
  • Encapsulation mode: transport or tunnel mode.
  • Encryption: which encryption algorithm to use: DES, 3DES, or AES.
  • Authentication: which authentication algorithm to use: MD5 or SHA.
  • Lifetime: how long the IKE phase 2 tunnel is valid. When the tunnel is about to expire, the keying material is refreshed.

(Optional) DH exchange: used for PFS (Perfect Forward Secrecy).

IPsec Protocols

AH and ESP are the two protocols that we use to protect user data. Both of them can be used in transport or tunnel mode. Let's look at all the possible options.

Authentication Header Protocol     

AH offers authentication and integrity, which is good, but it doesn't provide any encryption. AH protects the IP packet by calculating a hash value over almost all fields in the IP header. The fields it excludes are the ones that can change in transit (TTL and header checksum).
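To illustrate why the mutable fields are left out of the hash, the following added example (not from the original post) computes a simplified AH integrity value over a constructed IPv4 packet. It zeroes TTL and header checksum plus the other mutable fields RFC 4302 lists (ToS/DSCP, flags, fragment offset); covering only the IP header and payload, without the AH header itself, is a simplification, and all names, keys and addresses are constructed.

```python
import hashlib
import hmac
import socket
import struct

IP_FORMAT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def checksum(header):
    """Standard one's-complement checksum over the 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def refresh_checksum(h):
    """Recompute the header checksum in place after a field changed."""
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h)


def ipv4_header(src, dst, ttl, payload_len):
    """Build a header with protocol 51 (AH); length ignores the AH header."""
    raw = struct.pack(IP_FORMAT, 0x45, 0, 20 + payload_len, 0x1234, 0, ttl,
                      51, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return refresh_checksum(bytearray(raw))


def zero_mutable(header):
    """Zero the fields routers may legitimately change in transit."""
    h = bytearray(header)
    h[1] = 0                  # ToS / DSCP
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(key, header, payload):
    """HMAC-SHA1 truncated to 96 bits over immutable fields and payload."""
    data = zero_mutable(header) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def verify(key, header, payload, icv):
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def forward(header):
    """What every router on the path does: decrement TTL, fix checksum."""
    h = bytearray(header)
    h[8] -= 1
    return refresh_checksum(h)


def nat(header, new_src):
    """What a NAT device does: rewrite the source address, fix checksum."""
    h = bytearray(header)
    h[12:16] = socket.inet_aton(new_src)
    return refresh_checksum(h)


def demo():
    """Return (after_router_hop, after_nat, after_payload_tamper)."""
    key, payload = b"constructed-key", b"constructed TCP segment"
    hdr = ipv4_header("192.168.10.1", "192.168.30.1", 64, len(payload))
    icv = ah_icv(key, hdr, payload)
    return (verify(key, forward(hdr), payload, icv),
            verify(key, nat(hdr, "1.1.1.1"), payload, icv),
            verify(key, hdr, payload[:-1] + b"X", icv))


if __name__ == "__main__":
    print(demo())
```

A router hop that only decrements the TTL leaves the integrity value valid, while a rewritten source address or a modified payload invalidates it, which is also why AH does not survive NAT.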

Transport Mode

Transport mode is very simple, it just adds an AH header just after the IP header. Here’s an example of an IP packet that carries some TCP traffic:



Tunnel Mode

In tunnel mode, we add a new IP header on top of the original IP packet. This can be useful when you are using private IP addresses and need to tunnel your traffic over the Internet. We can use AH for this, but it doesn't provide encryption.


In simple words, IPsec uses three main protocols to create a security framework:

  • ESP (Encapsulating Security Payload) provides encryption, authentication, and sharing data.
  • AH (Authentication Header) provides a framework for authentication and sharing data.
  • IKE (Internet Key Exchange) offers a framework for negotiating security parameters and establishing authenticated keys.







Let's take a look at our topology: 

Goal:
  • Configure a site-to-site VPN.
  • Configure IPsec VPN on router 1 and router 2.
  • Enable the IKE policy on both routers.
  • Verify the site-to-site IPsec VPN.
  • Test the IPsec VPN.
  • Configure pre-shared keys as the authentication type.
  • Use AES 256 encryption, the SHA hash algorithm, and DH group 3 key exchange.
  • Configure a lifetime of one hour.



    R1(config)#interface serial 4/0

    R1(config-if)#ip address 1.1.1.1 255.0.0.0

    R1(config-if)#no shutdown

    R1(config-if)#interface fastethernet 0/0

    R1(config-if)#ip address 10.1.1.1 255.0.0.0

    R1(config-if)#no shutdown

    R1(config-if)#no keepalive

    R1(config-if)#exit

    R1(config)#interface loopback 0

    R1(config-if)#ip address 192.168.10.1 255.255.255.0

    R1(config-if)#no shutdown

    R1(config-if)#exit


    R2(config-if)#interface serial 4/1

    R2(config-if)#ip address 3.3.3.1 255.0.0.0

    R2(config-if)#no shutdown


    R2(config-if)#interface serial 4/2

    R2(config-if)#ip address 4.4.4.1 255.0.0.0

    R2(config-if)#no shutdown


    R3(config)#interface serial 4/1
    R3(config-if)#ip address 3.3.3.2 255.0.0.0
    R3(config-if)#no shutdown

    R3(config-if)#interface fastethernet 0/0
    R3(config-if)#ip address 30.1.1.1 255.0.0.0
    R3(config-if)#no shutdown
    R3(config-if)#no keepalive
    R3(config-if)#exit
    R1(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0
    R1(config)#exit


    R2(config)#ip route 1.0.0.0 255.0.0.0 serial 4/0
    R2(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0
    R2(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1
    R2(config)#ip route 3.0.0.0 255.0.0.0 serial 4/1
    R2(config)#ip route 4.0.0.0 255.0.0.0 serial 4/2
    R2(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2
    R2(config)#exit


    R3(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
    R3(config)#exit

    R1#ping 30.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 72/92/156 ms

    R3#ping 10.0.0.0

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.0.0.0, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/60 ms

    R1(config)#access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

    R1(config)#access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255


    R1(config)#crypto isakmp enable

    R2(config)#crypto isakmp enable

    R1(config)#crypto isakmp policy 10

    R1(config-isakmp)#authentication pre-share

    R1(config-isakmp)#encryption aes 256

    R1(config-isakmp)#hash sha

    R1(config-isakmp)# group 3

    R1(config-isakmp)#lifetime 3600

    R1(config-isakmp)#end


    R3(config)#crypto isakmp enable

    R3(config)#crypto isakmp policy 10

    R3(config-isakmp)#authentication pre-share

    R3(config-isakmp)#encryption aes ?

      128  128 bit keys.

      192  192 bit keys.

      256  256 bit keys.

      <cr>

     

    R3(config-isakmp)#encryption aes 256

    R3(config-isakmp)#hash sha?

    sha  sha256  sha384  sha512

     

    R3(config-isakmp)#hash sha

    R3(config-isakmp)#group 3

    R3(config-isakmp)#lifetime 3600


    R3(config-isakmp)#do show crypto isakmp policy

     

    Global IKE policy

    Protection suite of priority 10

            encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).

            hash algorithm:         Secure Hash Standard

            authentication method:  Pre-Shared Key

            Diffie-Hellman group:   #3 (1536 bit)

            lifetime:               3600 seconds, no volume limit


    R1(config)#crypto isakmp key 0 cisco123 address 2.2.2.2


    R3(config-isakmp)#crypto isakmp key 0 cisco123 address 1.1.1.1

    R1(config)#crypto ipsec transform-set ip_set esp-aes 256 esp-sha-hmac

    R3(config)#crypto ipsec transform-set ip_set esp-aes 256 esp-sha-hmac

    R3(cfg-crypto-trans)#exit

    R1(config)#crypto map CRMAP 10 ipsec-isakmp

    % NOTE: This new crypto map will remain disabled until a peer

            and a valid access list have been configured.

    R1(config-crypto-map)#match address 100

    R1(config-crypto-map)#set peer 2.2.2.2

    R1(config-crypto-map)#set transform-set ip_set

    R1(config-crypto-map)#exit


    R1(config)#interface serial 4/0

    R1(config-if)#crypto map CRMAP

    *Jul 30 14:16:13.923: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

    R1(config-if)#END

    R3(config)#crypto map CRMAP 10 ipsec-isakmp

    % NOTE: This new crypto map will remain disabled until a peer

            and a valid access list have been configured.

    R3(config-crypto-map)#match address 100

    R3(config-crypto-map)#set peer 1.1.1.1

    R3(config-crypto-map)#set transform-set ip_set

    R3(config-crypto-map)#end

    R3(config)#interface serial 4/1

    R3(config-if)#crypto map CRMAP


    R1#show crypto ipsec transform-set

    Transform set default: { esp-aes esp-sha-hmac  }

       will negotiate = { Transport,  },

     

    Transform set ip_set: { esp-256-aes esp-sha-hmac  }

       will negotiate = { Tunnel,  },


    R3(config)#do show crypto ipsec transform-set

    Transform set default: { esp-aes esp-sha-hmac  }

       will negotiate = { Transport,  },

     

    Transform set ip_set: { esp-256-aes esp-sha-hmac  }

       will negotiate = { Tunnel,  },

     

    R1#show crypto map

    Crypto Map IPv4 "CRMAP" 10 ipsec-isakmp

            Peer = 2.2.2.2

            Extended IP access list 100

                access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

            Current peer: 2.2.2.2

            Security association lifetime: 4608000 kilobytes/3600 seconds

            Responder-Only (Y/N): N

            PFS (Y/N): N

            Transform sets={

                    ip_set:  { esp-256-aes esp-sha-hmac  } ,

            }

            Interfaces using crypto map CRMAP:

                    Serial4/0

     R1#ping 2.2.2.2 source 10.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

    Packet sent with a source address of 10.1.1.1

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/109/208 ms

    R1#ping 192.168.30.1 so

    R1#ping 192.168.30.1 source 1.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:

    Packet sent with a source address of 1.1.1.1

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 52/68/88 ms

What is IPSec (Internet protocol security)? What is Internet Key Exchange IKE? How to configure IPSec tunnel?

Internetworks

IPsec (Internet Protocol Security) is a set of protocols developed by the Internet Engineering Task Force (IETF). It is a framework that helps us protect IP traffic at the network layer. Why? Because the IP protocol itself doesn't have any security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session.




IPsec can protect our traffic with the following features:

  • Confidentiality: the data is encrypted, so nobody except the sender and the receiver can read it. The contents are not visible to third parties.
  • Integrity: we want to make sure that no one can change the data in our packets. By calculating a hash value, the sender and receiver can check whether the packet has been changed.
  • Authentication: the sender and receiver authenticate each other to make sure that we are really talking with the device we intend to.
  • Anti-replay: even if a packet is encrypted and authenticated, an attacker could capture it and send it again. By using sequence numbers, IPsec will not transmit any duplicate packets, and the receiver can reject old or duplicate packets in order to defeat replay attacks.
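A sketch of the receiver-side check behind the anti-replay feature above, added here as an example and not taken from the original post. It follows the sliding-window scheme used for IPsec sequence numbers; the class and method names, the 64-packet window and the arrival sequence are assumptions.

```python
class ReplayWindow:
    """Sliding-window replay check for one inbound security association."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (top - i) was received

    def check(self, seq):
        """Verdict for seq without changing state (cheap pre-check)."""
        if seq == 0:
            return "reject: sequence 0 is never valid"
        if seq > self.top:
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "reject: older than window"
        if (self.bitmap >> offset) & 1:
            return "reject: duplicate"
        return "accept"

    def update(self, seq):
        """Record seq. Call only after the integrity check has passed."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok=True):
        """Full receive path: window check, integrity check, then update."""
        verdict = self.check(seq)
        if verdict != "accept":
            return verdict
        if not icv_ok:
            # A forged packet with a huge sequence number must not move the
            # window, otherwise it would lock out all legitimate traffic.
            return "reject: integrity check failed"
        self.update(seq)
        return "accept"


def replay_demo():
    """Run a constructed arrival sequence: (sequence number, ICV valid?)."""
    arrivals = [(1, True), (2, True), (2, True), (4, True), (3, True),
                (500, False), (5, True), (1, True)]
    window = ReplayWindow(size=64)
    return [window.receive(seq, ok) for seq, ok in arrivals]


if __name__ == "__main__":
    for verdict in replay_demo():
        print(verdict)
```

Out-of-order packets inside the window (sequence 3 arriving after 4) are still accepted, while the captured copies of 2 and 1 are dropped as duplicates.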




We can use IPsec on many different devices: routers, firewalls, hosts, and servers. IPsec is a bit complex, and there are a lot of different ways to implement it.

Before we can protect any IP packets, we need to build the IPsec tunnel. To establish an IPsec tunnel we use a protocol called Internet Key Exchange (IKE).

There are two phases for building an IPsec tunnel:

1. Internet Key Exchange (IKE) phase 1
2. Internet Key Exchange (IKE) phase 2

In IKE phase 1, the two peers negotiate the encryption, authentication, hashing values and other protocol parameters that are required. In other words, it provides a framework for the negotiation of security parameters and the establishment of authenticated keys.

In this phase, an Internet Security Association and Key Management Protocol (ISAKMP) session is established. This is also called the ISAKMP tunnel or IKE phase 1 tunnel. The collection of parameters that the two devices will use is called an SA (Security Association).

The IKE phase 1 tunnel is used for management traffic; it is a secure way to establish the second tunnel, the IKE phase 2 tunnel, in other words the IPsec tunnel.

Now we have the IPsec tunnel and can send data through it, but IKE doesn't authenticate or encrypt our user data, so we use other protocols to do that:

  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)

Both protocols give us authentication and integrity, but ESP is today's protocol because it supports encryption. AH and ESP each offer two different modes:

  • Transport mode: in this mode we use the original IP header.
  • Tunnel mode: in this mode we use a new IP header.

The five steps of IPsec are as follows:

Initiation: we need something to start our tunnel. Take the example of a router: when we configure IPsec, the router uses an access list to decide which data must be protected, and when the router receives something that matches the access list, it starts the IKE process. We can also initiate the tunnel manually.

IKE phase 1: first we negotiate a security association to build the IKE phase 1 tunnel (ISAKMP tunnel).

IKE phase 2: second, within the IKE phase 1 tunnel, we build the IKE phase 2 tunnel, or IPsec tunnel.

Data transfer: we use the IKE phase 2 tunnel, or IPsec tunnel, to send our user data.

Termination: the IPsec tunnel terminates when there is no user data to protect.

(In the next section we take a closer look at all the components.)

     

     

     




How to configure External BGP and EIGRP on DMVPN Phase 2?

Internetworks

The first DMVPN lesson explained the basics, and I explained how to configure a basic DMVPN phase 2 network. I also explained how to configure the EIGRP phase 1 network and the OSPF phase 1 network.

In this lesson, we'll take a look at how we can use external BGP and EIGRP on DMVPN phase 2 networks. Here is the topology we will use:




    R1(config)#interface serial 4/0

    R1(config-if)#ip address 1.1.1.1 255.0.0.0

    R1(config-if)#no shutdown


    R1(config-if)#interface fastethernet 0/0

    R1(config-if)#ip address 10.1.1.1 255.0.0.0

    R1(config-if)#no shutdown

    R1(config-if)#exit



    R2(config)#interface serial 4/0

    R2(config-if)#ip address 1.1.1.2 255.0.0.0

    R2(config-if)#no shutdown


    R2(config-if)#interface serial 4/1

    R2(config-if)#ip address 3.3.3.1 255.0.0.0

    R2(config-if)#no shutdown


    R2(config-if)#interface serial 4/2

    R2(config-if)#ip address 4.4.4.1 255.0.0.0

    R2(config-if)#no shutdown


    R2(config-if)#interface fastethernet 0/0

    R2(config-if)#ip address 20.1.1.1 255.0.0.0

    R2(config-if)#no shutdown

    R2(config-if)#no keepalive

    R2(config-if)#exit



    R3(config)#interface serial 4/1

    R3(config-if)#ip address 3.3.3.2 255.0.0.0

    R3(config-if)#no shutdown


    R3(config-if)#interface fastethernet 0/0

    R3(config-if)#ip address 30.1.1.1 255.0.0.0

    R3(config-if)#no shutdown

    R3(config-if)#exit


    R4(config)#interface serial 4/2

    R4(config-if)#ip address 4.4.4.2 255.0.0.0

    R4(config-if)#no shutdown


    R4(config-if)#interface fastethernet 0/0

    R4(config-if)#ip address 40.1.1.1 255.0.0.0

    R4(config-if)#no shutdown

    R4(config-if)#exit


    R1(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0

    R1(config)#exit


    R2(config)#ip route 1.0.0.0 255.0.0.0 serial 4/0

    R2(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0

    R2(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1

    R2(config)#ip route 3.0.0.0 255.0.0.0 serial 4/1

    R2(config)#ip route 4.0.0.0 255.0.0.0 serial 4/2

    R2(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2


    R3(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1

    R3(config)#exit


    R4(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2

    R4(config)#exit



    R1#ping 40.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 40.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 24/45/88 ms

    R1#ping 30.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/40 ms

    R1#ping 20.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/36 ms


    R1(config)#interface tunnel 4321

    R1(config-if)#ip address 192.168.1.1 255.255.255.0

    R1(config-if)#tunnel source 1.1.1.1

    R1(config-if)#tunnel mode gre multipoint

    *May 27 12:15:21.279: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up

     R1(config-if)#ip nhrp network-id 1

    R1(config-if)#exit


    R3(config)#interface tunnel 4321

    R3(config-if)#ip address 192.168.1.2 255.255.255.0

    R3(config-if)#tunnel source 3.3.3.2

    R3(config-if)#tunnel mode gre multipoint

    *May 27 12:19:21.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up

    R3(config-if)#ip nhrp network-id 3

    R3(config-if)# ip nhrp map 192.168.1.1 1.1.1.1

    R3(config-if)#ip nhrp nhs 192.168.1.1

    R3(config)#end


    R4(config)#interface tunnel 4321

    R4(config-if)#ip address 192.168.1.3 255.255.255.0

    R4(config-if)#tunnel source 4.4.4.2

    R4(config-if)#tunnel mode gre multipoint

    *May 27 12:27:05.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up

    R4(config-if)#ip nhrp network-id 4

    R4(config-if)#ip nhrp map 192.168.1.1 1.1.1.1

    R4(config-if)#ip nhrp nhs 192.168.1.1

    R4(config-if)#exit

    R4(config)#end


    R1(config)#router eigrp 4321

    R1(config-router)#network 192.168.1.0

    R1(config-router)#network 10.0.0.0

    R1(config-router)#no auto-summary

    R1(config-router)#exit


    R3(config)#router eigrp 4321

    R3(config-router)#network 192.168.1.0

    R3(config-router)#network 30.0.0.0

    R3(config-router)#no auto-summary

    R3(config-router)#exit


    R4(config)#router eigrp 4321

    R4(config-router)#network 192.168.1.0

    R4(config-router)#network 40.0.0.0

    R4(config-router)#no auto-summary

    R4(config-router)#exit


    R1(config)#interface tunnel 4321

    R1(config-if)#ip nhrp map multicast dynamic

    R1(config-if)#exit


    R1(config)#interface tunnel 4321

    R1(config-if)#no ip split-horizon eigrp 4321

    R1(config-if)#exit


    R1(config)#interface tunnel 4321

    R1(config-if)#no ip next-hop-self eigrp 4321


    *May 27 12:51:44.351: %DUAL-5-NBRCHANGE: EIGRP-IPv4 4321: Neighbor 192.168.1.2 (Tunnel4321) is up: new adjacency

    *May 27 12:52:53.611: %DUAL-5-NBRCHANGE: EIGRP-IPv4 4321: Neighbor 192.168.1.3 (Tunnel4321) is up: new adjacency

    R1(config-if)#end


    R3(config)#interface tunnel 4321

    R3(config-if)#ip nhrp map multicast 1.1.1.1

    R3(config-if)#ip nhrp map multicast 4.4.4.2

    *May 27 12:52:05.019: %DUAL-5-NBRCHANGE: EIGRP-IPv4 4321: Neighbor 192.168.1.3 (Tunnel4321) is up: new adjacency

    R3(config-if)#end


    R4(config)#interface tunnel 4321

    R4(config-if)#ip nhrp map multicast 3.3.3.2

    R4(config-if)#ip nhrp map multicast 1.1.1.1

    R4(config-if)#exit

(If you get any error messages, shut down the physical interfaces and the tunnel interface and bring them back up, using the shutdown and no shutdown commands.)


    R4#show DMVPN

    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

            N - NATed, L - Local, X - No Socket

            # Ent --> Number of NHRP entries with same NBMA peer

            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

            UpDn Time --> Up or Down Time for a Tunnel

    ==========================================================================

     

    Interface: Tunnel4321, IPv4 NHRP Details

    Type:Spoke, NHRP Peers:2,

     

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

     ----- --------------- --------------- ----- -------- -----

         1 1.1.1.1             192.168.1.1    UP 00:15:50     S

         1 3.3.3.2             192.168.1.2    UP 00:15:30     D

     

    R4#show IP NHRP

    192.168.1.1/32 via 192.168.1.1

       Tunnel4321 created 00:16:09, never expire

       Type: static, Flags: used

       NBMA address: 1.1.1.1

    192.168.1.2/32 via 192.168.1.2

       Tunnel4321 created 00:15:41, expire 01:44:18

       Type: dynamic, Flags: router used

       NBMA address: 3.3.3.2

    192.168.1.3/32 via 192.168.1.3

       Tunnel4321 created 00:15:41, expire 01:44:18

       Type: dynamic, Flags: router unique local

       NBMA address: 4.4.4.2

        (no-socket)


    R4(config-if)#do show ip route eigrp 

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     

    D     10.0.0.0/8 [90/26882560] via 192.168.1.1, 00:00:54, Tunnel4321

    D     30.0.0.0/8 [90/26882560] via 192.168.1.2, 00:00:32, Tunnel4321

    R4(config-if)#end



    R4#ping 10.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/44 ms

    R4#ping 30.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/21/40 ms


     

    R4#traceroute 10.1.1.1

    Type escape sequence to abort.

    Tracing the route to 10.1.1.1

    VRF info: (vrf in name/id, vrf out name/id)

      1 192.168.1.1 56 msec 64 msec 20 msec


    R4#traceroute 30.1.1.1

    Type escape sequence to abort.

    Tracing the route to 30.1.1.1

    VRF info: (vrf in name/id, vrf out name/id)

      1 192.168.1.2 20 msec 36 msec 32 msec


    R1#traceroute 30.1.1.1

    Type escape sequence to abort.

    Tracing the route to 30.1.1.1

    VRF info: (vrf in name/id, vrf out name/id)

      1 192.168.1.2 20 msec 48 msec 28 msec

    R1#traceroute 40.1.1.1

    Type escape sequence to abort.

    Tracing the route to 40.1.1.1

    VRF info: (vrf in name/id, vrf out name/id)

      1 192.168.1.3 20 msec 24 msec 44 msec


    R3#show dmvpn

    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

            N - NATed, L - Local, X - No Socket

            # Ent --> Number of NHRP entries with same NBMA peer

            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

            UpDn Time --> Up or Down Time for a Tunnel

    ==========================================================================

     

    Interface: Tunnel4321, IPv4 NHRP Details

    Type:Spoke, NHRP Peers:2,

     

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

     ----- --------------- --------------- ----- -------- -----

         1 1.1.1.1             192.168.1.1    UP 00:09:29     S

         1 4.4.4.2             192.168.1.3    UP 00:00:58     D


     

     R3#traceroute 10.1.1.1

    Type escape sequence to abort.

    Tracing the route to 10.1.1.1

    VRF info: (vrf in name/id, vrf out name/id)

      1 192.168.1.1 16 msec 36 msec 16 msec


    R3#traceroute 40.1.1.1

    Type escape sequence to abort.

    Tracing the route to 40.1.1.1

    VRF info: (vrf in name/id, vrf out name/id)

      1 192.168.1.3 12 msec 48 msec 40 msec


How to configure EIGRP and OSPF over DMVPN Phase 1 & 2?

Internetworks

As we already discussed, phase 1 is not used nowadays. In phase 1 we use NHRP so that spokes can register themselves with the hub. The hub is the only router that uses a multipoint GRE (mGRE) interface; all spokes use regular point-to-point GRE tunnel interfaces. It is a hub-and-spoke topology in which dynamic IP addresses may be used on the spokes. There is no direct spoke-to-spoke communication; all traffic has to go through the hub.

Before we start configuring EIGRP and OSPF over DMVPN, we need to understand a few things about EIGRP and OSPF.

The ip nhrp map multicast dynamic command enables the forwarding of multicast traffic across the tunnel to dynamic spokes. This is usually required by routing protocols such as OSPF and EIGRP. In most cases, DMVPN is accompanied by a routing protocol to send and receive dynamic updates about the private networks. The ip nhrp map multicast dynamic command is not required if we are using static NHRP mappings.

EIGRP routers do not advertise a route back out of the interface it was learned on because of the split-horizon rule: split horizon prohibits a router from advertising a route through an interface that the router itself uses to reach the destination. To disable the split-horizon behavior, use the no ip split-horizon eigrp AS-number interface command. Split horizon is turned on by default. When you change the EIGRP split-horizon setting on an interface, all adjacencies with EIGRP neighbors reachable over that interface are reset. Split horizon should only be disabled on the hub site in a hub-and-spoke network.

Disabling split horizon on the spokes radically increases EIGRP memory consumption on the hub router and the amount of traffic generated on the spoke routers.

By default, OSPF treats a tunnel interface as a point-to-point interface, even if you configure multipoint GRE, and we will repeatedly get messages that the neighborship went down. To overcome this issue, we need to change the default setting, as we will see in this OSPF lab.

Let's see the configuration:

Topology:



What is DMVPN (Dynamic Multipoint VPN) Phase 2? How to configure DMVPN phase 2 Dynamic and Static Mapping?

Internetworks

DMVPN (Dynamic Multipoint VPN), introduced by Cisco in late 2000, is a routing technology you can use to build a VPN network with multiple sites (spokes) without having to statically configure all devices. It's a "hub and spoke" network in which the spokes can communicate with each other directly without having to go through the hub. Encryption is supported through IPsec, which makes DMVPN a popular choice for connecting different sites using regular Internet connections. It's a great backup or alternative to private networks like MPLS VPN.

As we already discussed, phase 1 is not used nowadays. In phase 1 we use NHRP so that spokes can register themselves with the hub. The hub is the only router that uses a multipoint GRE (mGRE) interface; all spokes use regular point-to-point GRE tunnel interfaces. It is a hub-and-spoke topology in which dynamic IP addresses may be used on the spokes. There is no direct spoke-to-spoke communication; all traffic has to go through the hub.

Because all traffic has to go through the hub, the routing configuration is quite simple. Spoke routers only need a summary or default route to the hub to reach other spoke routers.

In DMVPN phase 2, the hub and the spokes are configured as multipoint GRE and spoke-to-spoke tunnels are created. NHRP is required for spokes to register with the hub and also for spoke-to-spoke resolution.

Let's see the configuration:

Topology:





Goal:

  • Configure the topology as per the diagram.
  • Assign the IP addresses to the ports as per the topology.
  • Configure static routing on router 2.
  • Configure default routing on routers 1, 3 and 4.
  • Configure DMVPN phase 2 on routers 1, 3 and 4.
  • Configure router 1 as the hub; routers 3 and 4 should be spoke routers.
  • Configure the tunnel interfaces in 192.168.10.0/24.
  • Configure NHRP using static mapping.

     

    R1(config)#interface serial 4/0

    R1(config-if)#ip address 1.1.1.1 255.0.0.0

    R1(config-if)#no shutdown

    R1(config-if)#interface fastethernet 0/0

    R1(config-if)#ip address 10.1.1.1 255.0.0.0

    R1(config-if)#no shutdown

    R1(config-if)#no keepalive

    R1(config-if)#exit

     

    R2(config)#interface serial 4/0

    R2(config-if)#ip address 1.1.1.2 255.0.0.0

    R2(config-if)#no shutdown

    R2(config-if)#interface serial 4/1

    R2(config-if)#ip address 3.3.3.1 255.0.0.0

    R2(config-if)#no shutdown

    R2(config-if)#interface serial 4/2

    R2(config-if)#ip address 4.4.4.1 255.0.0.0

    R2(config-if)#no shutdown

    R2(config-if)#interface fastethernet 0/0

    R2(config-if)#ip address 20.1.1.1 255.0.0.0

    R2(config-if)#no shutdown

    R2(config-if)#no keepalive

    R2(config-if)#exit

     

    R3(config)#interface serial 4/1

    R3(config-if)#ip address 3.3.3.2 255.0.0.0

    R3(config-if)#no shutdown

    R3(config-if)#interface fastethernet 0/0

    R3(config-if)#ip address 30.1.1.1 255.0.0.0

    R3(config-if)#no shutdown

    R3(config-if)#no keepalive

    R3(config-if)#exit

     

     

    R4(config)#interface serial 4/2

    R4(config-if)#ip address 4.4.4.2 255.0.0.0

    R4(config-if)#no shutdown

    R4(config-if)#interface fastethernet 0/0

    R4(config-if)#ip address 40.1.1.1 255.0.0.0

    R4(config-if)#no shutdown

    R4(config-if)#no keepalive

    R4(config-if)#exit

     



    R1#show ip interface brief

    Interface              IP-Address      OK? Method Status                Protocol

    FastEthernet0/0        10.1.1.1        YES manual up                    up

    Serial4/0              1.1.1.1         YES manual up                    up

     

    R2#show ip interface brief

    Interface              IP-Address      OK? Method Status                Protocol

    FastEthernet0/0        20.1.1.1        YES manual up                    up

    Serial4/0              1.1.1.2         YES manual up                    up

    Serial4/1              3.3.3.1         YES manual up                    up

    Serial4/2              4.4.4.1         YES manual up                    up

     

    R3#show ip interface brief

    Interface              IP-Address      OK? Method Status                Protocol

    FastEthernet0/0        30.1.1.1        YES manual up                    up

    Serial4/1              3.3.3.2         YES manual up                    up

     

    R4#show ip interface brief

    Interface              IP-Address      OK? Method Status                Protocol

    FastEthernet0/0        40.1.1.1        YES manual up                    up

    Serial4/2              4.4.4.2         YES manual up                    up



     

    R1(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0

    R1(config)#exit

    R2(config)#ip route 1.0.0.0 255.0.0.0 serial 4/0

    R2(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0

    R2(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1

    R2(config)#ip route 3.0.0.0 255.0.0.0 serial 4/1

    R2(config)#ip route 4.0.0.0 255.0.0.0 serial 4/2

    R2(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2

    R2(config)#exit

     

    R3(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1

    R3(config)#exit

     

    R4(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2

    R4(config)#exit

     

     

    R1#show ip route static

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    S*    0.0.0.0/0 is directly connected, Serial4/0

    R2#show ip route static

    Gateway of last resort is not set

     

    S     10.0.0.0/8 is directly connected, Serial4/0

    S     30.0.0.0/8 is directly connected, Serial4/1

    S     40.0.0.0/8 is directly connected, Serial4/2



     

    R3#show ip route static

     

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     

    S*    0.0.0.0/0 is directly connected, Serial4/1

     

     

    R4#show ip route static

     

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     

    S*    0.0.0.0/0 is directly connected, Serial4/2

     

    R1(config)#interface tunnel 1023

    R1(config-if)#ip address 192.168.10.1 255.255.255.0

    R1(config-if)#tunnel source 1.1.1.1

    R1(config-if)#tunnel mode gre multipoint

    R1(config-if)#IP NHRP network-id 1

    R1(config-if)#IP NHRP map 192.168.10.2 3.3.3.2

    R1(config-if)#IP NHRP map 192.168.10.3 4.4.4.2

    R1(config-if)#exit



    R3(config)#interface tunnel 1023

    R3(config-if)#ip address 192.168.10.2 255.255.255.0

    R3(config-if)#tunnel source 3.3.3.2

    R3(config-if)#tunnel mode gre multipoint

    R3(config-if)#IP NHRP network-id 3

    R3(config-if)#IP NHRP map 192.168.10.1 1.1.1.1

    R3(config-if)#IP NHRP map 192.168.10.3 4.4.4.2

    R3(config-if)#exit



    R4(config)#interface tunnel 1023

    R4(config-if)#ip address 192.168.10.3 255.255.255.0

    R4(config-if)#tunnel source 4.4.4.2

    R4(config-if)#tunnel mode gre multipoint

    R4(config-if)#IP NHRP network-id 3

    R4(config-if)#IP NHRP map 192.168.10.1 1.1.1.1

    R4(config-if)#IP NHRP map 192.168.10.2 3.3.3.2

    R4(config-if)#exit

    R1#show ip interface brief tunnel 1023

    Interface              IP-Address      OK? Method Status                Protocol

    Tunnel1023             192.168.10.1    YES manual up                    up




    R1#show ip nhrp

    192.168.10.2/32 via 192.168.10.2

       Tunnel1023 created 00:40:57, never expire

       Type: static, Flags: used

       NBMA address: 3.3.3.2

    192.168.10.3/32 via 192.168.10.3

       Tunnel1023 created 00:40:38, never expire

       Type: static, Flags:

       NBMA address: 4.4.4.2

    R1#show dmvpn

    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

            N - NATed, L - Local, X - No Socket

            # Ent --> Number of NHRP entries with same NBMA peer

            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

            UpDn Time --> Up or Down Time for a Tunnel

    ==========================================================================


    Interface: Tunnel1023, IPv4 NHRP Details

    Type:Spoke, NHRP Peers:2,


     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

     ----- --------------- --------------- ----- -------- -----

         1 3.3.3.2            192.168.10.2  NHRP    never     S

         1 4.4.4.2            192.168.10.3  NHRP    never     S



    R3#show ip interface brief tunnel 1023
    Interface              IP-Address      OK? Method Status                Protocol
    Tunnel1023             192.168.10.2    YES manual up                    up
    R3#show ip nhrp
    192.168.10.1/32 via 192.168.10.1
       Tunnel1023 created 00:39:56, never expire
       Type: static, Flags: used
       NBMA address: 1.1.1.1
    192.168.10.3/32 via 192.168.10.3
       Tunnel1023 created 00:39:25, never expire
       Type: static, Flags: used
       NBMA address: 4.4.4.2
    R3#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface: Tunnel1023, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:2,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 1.1.1.1            192.168.10.1  NHRP    never     S
         1 4.4.4.2            192.168.10.3  NHRP    never     S



    R4#show ip interface brief tunnel 1023
    Interface              IP-Address      OK? Method Status                Protocol
    Tunnel1023             192.168.10.3    YES manual up                    up
    R4#show ip nhrp
    192.168.10.1/32 via 192.168.10.1
       Tunnel1023 created 00:36:25, never expire
       Type: static, Flags: used
       NBMA address: 1.1.1.1
    192.168.10.2/32 via 192.168.10.2
       Tunnel1023 created 00:36:16, never expire
       Type: static, Flags: used
       NBMA address: 3.3.3.2
    R4#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel1023, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 1.1.1.1            192.168.10.1  NHRP    never     S
         1 3.3.3.2            192.168.10.2  NHRP    never     S


    (Let's see whether the spoke routers can reach each other without using the hub.)


    R1#ping 192.168.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/71/256 ms

    R1#ping 192.168.10.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/43/116 ms

     
    R1#traceroute 30.1.1.1
    Type escape sequence to abort.
    Tracing the route to 30.1.1.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 1.1.1.2 236 msec 28 msec 16 msec
      2 3.3.3.2 112 msec 16 msec 16 msec

    R1#traceroute 192.168.10.2
    Type escape sequence to abort.
    Tracing the route to 192.168.10.2
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.10.2 32 msec 28 msec 28 msec

    R1#traceroute 192.168.10.3
    Type escape sequence to abort.
    Tracing the route to 192.168.10.3
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.10.3 20 msec 40 msec 36 msec

    R3#ping 192.168.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 60/83/100 ms
    R3#ping 192.168.10.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/32 ms

    R3#traceroute 40.1.1.1
    Type escape sequence to abort.
    Tracing the route to 40.1.1.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 3.3.3.1 64 msec 24 msec 8 msec
      2 4.4.4.2 12 msec 28 msec 16 msec

    R3#traceroute 192.168.10.1
    Type escape sequence to abort.
    Tracing the route to 192.168.10.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.10.1 64 msec 20 msec 28 msec


    (Here is the screenshot from the previous lab, DMVPN Phase 1.)





    R3#traceroute 192.168.10.3
    Type escape sequence to abort.
    Tracing the route to 192.168.10.3
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.10.3 12 msec 52 msec 44 msec

    R3#traceroute 40.1.1.1
    Type escape sequence to abort.
    Tracing the route to 40.1.1.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 3.3.3.1 4 msec 28 msec 20 msec
      2 4.4.4.2 8 msec 32 msec 16 msec

    R4#ping 10.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/40/84 ms

    R4#ping 192.168.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/32 ms

    R4#ping 192.168.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/29/48 ms

    R4#traceroute 192.168.10.1
    Type escape sequence to abort.
    Tracing the route to 192.168.10.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.10.1 60 msec 40 msec 24 msec

    R4#traceroute 192.168.10.2
    Type escape sequence to abort.
    Tracing the route to 192.168.10.2
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.10.2 12 msec 48 msec 44 msec

    R4#traceroute 10.1.1.1
    Type escape sequence to abort.
    Tracing the route to 10.1.1.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 4.4.4.1 16 msec 16 msec 8 msec
      2 1.1.1.1 16 msec 32 msec 20 msec

    (Let's see how to configure dynamic mappings.)


    We are converting our previous static lab to dynamic mappings, so we are going to reconfigure our tunnel 1023 and DMVPN.




    R1(config)# NO INTERFACE TUNNEL 1023

    R1(config)#interface tunnel 400
    R1(config-if)#ip address 192.168.100.1 255.255.255.0
    R1(config-if)#tunnel source 1.1.1.1
    R1(config-if)#tunnel mode gre multipoint
    R1(config-if)#ip nhrp network-id 10
    R1(config-if)#exit


    R3(config)#NO INTERFACE TUNNEL 1023
    R3(config)#interface tunnel 400
    R3(config-if)#ip address 192.168.100.2 255.255.255.0
    R3(config-if)#tunnel source 3.3.3.2
    R3(config-if)#tunnel mode gre multipoint
    R3(config-if)#ip nhrp network-id 20
    R3(config-if)#ip nhrp map 192.168.100.1 1.1.1.1
    R3(config-if)#ip nhrp nhs 192.168.100.1
    R3(config-if)#exit

    R4(config)#NO INTERFACE TUNNEL 1023
    R4(config)#interface tunnel 400
    R4(config-if)#ip address 192.168.100.3 255.255.255.0
    R4(config-if)#tunnel source 4.4.4.2
    R4(config-if)#tunnel mode gre multipoint
    R4(config-if)#ip nhrp network-id 30
    R4(config-if)# ip nhrp map 192.168.100.1 1.1.1.1
    R4(config-if)#ip nhrp nhs 192.168.100.1
    R4(config-if)#exit

    R1#show ip nhrp
    192.168.100.2/32 via 192.168.100.2
       Tunnel400 created 00:05:28, expire 01:54:31
       Type: dynamic, Flags: unique registered used
       NBMA address: 3.3.3.2
    192.168.100.3/32 via 192.168.100.3
       Tunnel400 created 00:01:14, expire 01:58:45
       Type: dynamic, Flags: unique registered used
       NBMA address: 4.4.4.2

    R1#show DMVPN
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel400, IPv4 NHRP Details
    Type:Hub, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 3.3.3.2           192.168.100.2    UP 00:17:10     D
         1 4.4.4.2           192.168.100.3    UP 00:12:56     D


    R1#traceroute 192.168.100.2
    Type escape sequence to abort.
    Tracing the route to 192.168.100.2
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.100.2 48 msec 48 msec 24 msec

    R1#traceroute 192.168.100.3
    Type escape sequence to abort.
    Tracing the route to 192.168.100.3
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.100.3 72 msec 28 msec 40 msec

    R3#show ip nhrp
    192.168.100.1/32 via 192.168.100.1
       Tunnel400 created 00:06:05, never expire
       Type: static, Flags: used
       NBMA address: 1.1.1.1
    R3#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel400, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 1.1.1.1           192.168.100.1    UP 00:06:15     S

    R3#traceroute 192.168.100.1
    Type escape sequence to abort.
    Tracing the route to 192.168.100.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.100.1 80 msec 36 msec 32 msec

    R3#traceroute 192.168.100.3
    Type escape sequence to abort.
    Tracing the route to 192.168.100.3
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.100.1 80 msec 52 msec 16 msec
      2 192.168.100.3 120 msec 20 msec 40 msec

    R3#traceroute 192.168.100.3
    Type escape sequence to abort.
    Tracing the route to 192.168.100.3
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.100.3 64 msec 88 msec 28 msec

    R3#traceroute 192.168.100.3
    Type escape sequence to abort.
    Tracing the route to 192.168.100.3
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.100.3 28 msec 16 msec 40 msec



    R4#show ip nhrp
    192.168.100.1/32 via 192.168.100.1
       Tunnel400 created 00:01:37, never expire
       Type: static, Flags: used
       NBMA address: 1.1.1.1

    R4#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel400, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 1.1.1.1           192.168.100.1    UP 00:02:08     S


     
    R4#traceroute 192.168.100.1
    Type escape sequence to abort.
    Tracing the route to 192.168.100.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.100.1 24 msec 48 msec 44 msec

    R4#traceroute 192.168.100.2
    Type escape sequence to abort.
    Tracing the route to 192.168.100.2
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.100.2 28 msec 32 msec 36 msec
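
With dynamic mappings the hub learns each spoke's tunnel-to-NBMA binding from the spoke's own NHRP registration, so the hub's cache is worth comparing against the addresses the topology expects. The added example below (not part of the original lab) parses `show ip nhrp` output in the layout shown above and reports bindings that differ; the function names, the `EXPECTED` table and the third sample entry are assumptions made for the illustration.

```python
import re
from typing import NamedTuple

class NhrpEntry(NamedTuple):
    tunnel_ip: str
    kind: str        # "static" or "dynamic"
    flags: tuple     # may be empty, as in "Type: static, Flags:"
    nbma: str

# Constructed sample in the hub's `show ip nhrp` layout; the third entry
# (192.168.100.9 / 203.0.113.50) is invented so the audit has something to flag.
SAMPLE = """\
192.168.100.2/32 via 192.168.100.2
   Tunnel400 created 00:05:28, expire 01:54:31
   Type: dynamic, Flags: unique registered used
   NBMA address: 3.3.3.2
192.168.100.3/32 via 192.168.100.3
   Tunnel400 created 00:01:14, expire 01:58:45
   Type: dynamic, Flags: unique registered used
   NBMA address: 4.4.4.2
192.168.100.9/32 via 192.168.100.9
   Tunnel400 created 00:00:07, expire 01:59:52
   Type: dynamic, Flags: unique registered
   NBMA address: 203.0.113.50
"""

# Assumed allowlist: the spoke tunnel-IP -> NBMA bindings from the lab topology.
EXPECTED = {"192.168.100.2": "3.3.3.2", "192.168.100.3": "4.4.4.2"}

HEAD = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/\d+ via \S+")
TYPE = re.compile(r"^Type: (\w+), Flags:\s*(.*)$")
NBMA = re.compile(r"^NBMA address: (\S+)")

# One NhrpEntry per cache entry; prompt lines and indentation are ignored.
def parse_show_ip_nhrp(text):
    rows, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEAD.match(line):
            cur = dict(tunnel_ip=m.group(1), kind="", flags=(), nbma="")
            rows.append(cur)
        elif cur is None:
            continue
        elif m := TYPE.match(line):
            cur["kind"], cur["flags"] = m.group(1), tuple(m.group(2).split())
        elif m := NBMA.match(line):
            cur["nbma"] = m.group(1)
    return [NhrpEntry(**r) for r in rows]

# Compare the cache with the expected bindings and list every difference.
def audit(entries, expected):
    findings = []
    for e in entries:
        want = expected.get(e.tunnel_ip)
        if want is None:
            findings.append(("unknown-peer", e.tunnel_ip, e.nbma))
        elif want != e.nbma:
            findings.append(("nbma-mismatch", e.tunnel_ip, e.nbma))
    missing = sorted(set(expected) - {e.tunnel_ip for e in entries})
    return findings + [("missing-peer", ip, expected[ip]) for ip in missing]
```

Run against the hub, `audit(parse_show_ip_nhrp(output), EXPECTED)` returns an empty list when every registered spoke matches the table.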



