Showing posts with label Network tunneling. Show all posts

What is IPSec (Internet protocol security)? What is Internet Key Exchange IKE? How to configure IPSec tunnel?

Internetworks

IPsec (Internet Protocol Security) is a set of protocols developed by the Internet Engineering Task Force (IETF). It is a framework that helps us protect IP traffic at the network layer. Why? Because the Internet Protocol (IP) itself doesn’t have any security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session.




IPsec can protect our traffic with the following features:

  • Confidentiality: by encrypting your data, nobody except the sender and the receiver will be able to read it. The contents are not visible to third parties.
  • Integrity: we want to make sure that no one can change the data in our packets. By calculating a hash value (hashing algorithms), the sender and receiver will be able to check whether changes have been made to the packet.
  • Authentication: the sender and receiver will authenticate each other to make sure that we are really talking with the device we intend to.
  • Anti-replay: even if a packet is encrypted and authenticated, an attacker could try to capture these packets and send them again. By using sequence numbers, IPsec ensures that packets are accepted only once: the receiver can reject old or duplicate packets in order to defeat replay attacks.
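
The integrity and anti-replay checks described in the list above, as an added example that is not part of the original post: a simplified ESP-style receiver that verifies a truncated HMAC-SHA256 value and applies a 64-packet sliding window. The packet layout, key, SPI and class names are constructed for illustration, and payload encryption is left out.

```python
import hashlib
import hmac
import struct

WINDOW = 64      # anti-replay window size, in packets
ICV_LEN = 16     # integrity check value: HMAC-SHA256 truncated to 128 bits


def seal(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI | sequence number | payload | ICV."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class Receiver:
    """Receiver side of one security association (hypothetical helper)."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.highest = 0   # highest sequence number that passed the ICV check
        self.bitmap = 0    # bit i set => sequence number (highest - i) was accepted

    def _replay_state(self, seq: int) -> str:
        if seq == 0:
            return "invalid"            # sequence numbers start at 1
        if seq > self.highest:
            return "new"
        offset = self.highest - seq
        if offset >= WINDOW:
            return "too-old"            # fell off the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "duplicate"          # already accepted once
        return "in-window"              # late but not yet seen

    def receive(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "drop:malformed"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "drop:unknown-spi"
        state = self._replay_state(seq)
        if state in ("invalid", "too-old", "duplicate"):
            return "drop:" + state
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "drop:bad-icv"
        # The window moves only after the ICV has been verified, so a forged
        # packet with a large sequence number cannot push valid traffic out.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept"


def demo():
    """Run a constructed packet sequence through the receiver."""
    key, spi = b"constructed-demo-key", 0x1000
    rx = Receiver(key, spi)

    def pkt(n):
        return seal(key, spi, n, f"payload {n}".encode())

    results = [
        rx.receive(pkt(1)),     # first packet
        rx.receive(pkt(3)),     # packet 2 is delayed
        rx.receive(pkt(2)),     # late, but inside the window
        rx.receive(pkt(2)),     # captured and sent again
    ]
    tampered = bytearray(pkt(4))
    tampered[8] ^= 0x01         # one payload bit changed in transit
    results.append(rx.receive(bytes(tampered)))
    results.append(rx.receive(pkt(4)))     # the untouched packet still passes
    results.append(rx.receive(pkt(100)))   # window jumps forward
    results.append(rx.receive(pkt(37)))    # 100 - 37 = 63, last slot in window
    results.append(rx.receive(pkt(36)))    # 100 - 36 = 64, outside the window
    return results, rx.highest


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```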




We can use IPSec on many different devices: routers, firewalls, hosts, and servers. IPSec is a bit complex and there are a lot of different ways to implement it.

We need to understand and build the IPSec tunnel before we protect any IP packets. For establishing an IPSec tunnel we have a protocol called Internet Key Exchange (IKE).

We have two phases for building an IPSec tunnel:

  1. Internet Key Exchange (IKE) phase 1
  2. Internet Key Exchange (IKE) phase 2

In Internet Key Exchange (IKE) phase 1, the two peers negotiate the encryption, authentication, hashing, and other protocol parameters that are required. This phase provides a framework for the negotiation of security parameters and the establishment of authenticated keys.

In this phase, an Internet Security Association and Key Management Protocol (ISAKMP) session is established. This is also called the ISAKMP tunnel or IKE phase 1 tunnel. The set of parameters that the two devices will use is called an SA (Security Association).

The IKE phase 1 tunnel is used only for management traffic; it is the secure channel over which the second tunnel, the IKE phase 2 tunnel or IPsec tunnel, is established.


Now we have an IPsec tunnel and we can send data through the IKE phase 2 tunnel (IPsec tunnel). But IKE doesn't authenticate or encrypt our user data, so we use other protocols that will help us authenticate and encrypt our data:

  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)

Both protocols give us authentication and integrity, but ESP is the protocol used today because it also supports encryption. AH and ESP both offer two different modes:

  • Transport mode: in this mode we use the original IP header.
  • Tunnel mode: in this mode we use a new IP header.


The five steps of IPSec are as follows:

Initiation: we need something to start our tunnel. Take the example of a router: when we configure IPSec, the router uses an access list to define what data must be protected, and when the router receives something that matches the access list, it starts the Internet Key Exchange (IKE) process. We can also initiate the tunnel manually.

IKE phase 1: first we negotiate a security association to build the IKE phase 1 tunnel (ISAKMP tunnel).

IKE phase 2: second, within the IKE phase 1 tunnel, we build the IKE phase 2 tunnel or IPSec tunnel.

Data transfer: we use the IKE phase 2 tunnel or IPSec tunnel for sending our user data.

Termination: the IPSec tunnel will terminate when there is no user data to protect.

(In the next section we take a closer look at all the components.)

 

 

 




How to configure External BGP and EIGRP on DMVPN Phase 2?


 

 

The first DMVPN lesson explained the basics, and I explained how to configure a basic DMVPN phase 2 network. I also explained how to configure the EIGRP phase 1 network and the OSPF phase 1 network.

In this lesson, we’ll take a look at how we can use external BGP on DMVPN phase 2 networks and EIGRP. Here is the topology we will use:




R1(config)#interface serial 4/0

R1(config-if)#ip address 1.1.1.1 255.0.0.0

R1(config-if)#no shutdown


R1(config-if)#interface fastethernet 0/0

R1(config-if)#ip address 10.1.1.1 255.0.0.0

R1(config-if)#no shutdown

R1(config-if)#exit



R2(config)#interface serial 4/0

R2(config-if)#ip address 1.1.1.2 255.0.0.0

R2(config-if)#no shutdown


R2(config-if)#interface serial 4/1

R2(config-if)#ip address 3.3.3.1 255.0.0.0

R2(config-if)#no shutdown


R2(config-if)#interface serial 4/2

R2(config-if)#ip address 4.4.4.1 255.0.0.0

R2(config-if)#no shutdown


R2(config-if)#interface fastethernet 0/0

R2(config-if)#ip address 20.1.1.1 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#no keepalive

R2(config-if)#exit



R3(config)#interface serial 4/1

R3(config-if)#ip address 3.3.3.2 255.0.0.0

R3(config-if)#no shutdown


R3(config-if)#interface fastethernet 0/0

R3(config-if)#ip address 30.1.1.1 255.0.0.0

R3(config-if)#no shutdown

R3(config-if)#exit


R4(config)#interface serial 4/2

R4(config-if)#ip address 4.4.4.2 255.0.0.0

R4(config-if)#no shutdown


R4(config-if)#interface fastethernet 0/0

R4(config-if)#ip address 40.1.1.1 255.0.0.0

R4(config-if)#no shutdown

R4(config-if)#exit


R1(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0

R1(config)#exit


R2(config)#ip route 1.0.0.0 255.0.0.0 serial 4/0

R2(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0

R2(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1

R2(config)#ip route 3.0.0.0 255.0.0.0 serial 4/1

R2(config)#ip route 4.0.0.0 255.0.0.0 serial 4/2

R2(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2


R3(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1

R3(config)#exit


R4(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2

R4(config)#exit



R1#ping 40.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 40.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/45/88 ms

R1#ping 30.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/40 ms

R1#ping 20.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/36 ms


R1(config)#interface tunnel 4321

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#tunnel source 1.1.1.1

R1(config-if)#tunnel mode gre multipoint

*May 27 12:15:21.279: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up

R1(config-if)#ip nhrp network-id 1

R1(config-if)#exit


R3(config)#interface tunnel 4321

R3(config-if)#ip address 192.168.1.2 255.255.255.0

R3(config-if)#tunnel source 3.3.3.2

R3(config-if)#tunnel mode gre multipoint

*May 27 12:19:21.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up

R3(config-if)#ip nhrp network-id 3

R3(config-if)#ip nhrp map 192.168.1.1 1.1.1.1

R3(config-if)#ip nhrp nhs 192.168.1.1

R3(config)#end


R4(config)#interface tunnel 4321

R4(config-if)#ip address 192.168.1.3 255.255.255.0

R4(config-if)#tunnel source 4.4.4.2

R4(config-if)#tunnel mode gre multipoint

*May 27 12:27:05.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up

R4(config-if)#ip nhrp network-id 4

R4(config-if)#ip nhrp map 192.168.1.1 1.1.1.1

R4(config-if)#ip nhrp nhs 192.168.1.1

R4(config-if)#exit

R4(config)#end


R1(config)#router eigrp 4321

R1(config-router)#network 192.168.1.0

R1(config-router)#network 10.0.0.0

R1(config-router)#no auto-summary

R1(config-router)#exit


R3(config)#router eigrp 4321

R3(config-router)#network 192.168.1.0

R3(config-router)#network 30.0.0.0

R3(config-router)#no auto-summary

R3(config-router)#exit


R4(config)#router eigrp 4321

R4(config-router)#network 192.168.1.0

R4(config-router)#network 40.0.0.0

R4(config-router)#no auto-summary

R4(config-router)#exit


R1(config)#interface tunnel 4321

R1(config-if)#ip nhrp map multicast dynamic

R1(config-if)#exit


R1(config)#interface tunnel 4321

R1(config-if)#no ip split-horizon eigrp 4321

R1(config-if)#exit


R1(config)#interface tunnel 4321

R1(config-if)#no ip next-hop-self eigrp 4321


*May 27 12:51:44.351: %DUAL-5-NBRCHANGE: EIGRP-IPv4 4321: Neighbor 192.168.1.2 (Tunnel4321) is up: new adjacency

*May 27 12:52:53.611: %DUAL-5-NBRCHANGE: EIGRP-IPv4 4321: Neighbor 192.168.1.3 (Tunnel4321) is up: new adjacency

R1(config-if)#end


R3(config)#interface tunnel 4321

R3(config-if)#ip nhrp map multicast 1.1.1.1

R3(config-if)#ip nhrp map multicast 4.4.4.2

*May 27 12:52:05.019: %DUAL-5-NBRCHANGE: EIGRP-IPv4 4321: Neighbor 192.168.1.3 (Tunnel4321) is up: new adjacency

R3(config-if)#end


R4(config)#interface tunnel 4321

R4(config-if)#ip nhrp map multicast 3.3.3.2

R4(config-if)#ip nhrp map multicast 1.1.1.1

R4(config-if)#exit

(If you get any error message, shut down the physical interfaces and the tunnel interface and then restart them, using the SHUTDOWN and NO SHUTDOWN commands.)


R4#show DMVPN

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

 

Interface: Tunnel4321, IPv4 NHRP Details

Type:Spoke, NHRP Peers:2,

 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1 1.1.1.1             192.168.1.1    UP 00:15:50     S

     1 3.3.3.2             192.168.1.2    UP 00:15:30     D

 

R4#show IP NHRP

192.168.1.1/32 via 192.168.1.1

   Tunnel4321 created 00:16:09, never expire

   Type: static, Flags: used

   NBMA address: 1.1.1.1

192.168.1.2/32 via 192.168.1.2

   Tunnel4321 created 00:15:41, expire 01:44:18

   Type: dynamic, Flags: router used

   NBMA address: 3.3.3.2

192.168.1.3/32 via 192.168.1.3

   Tunnel4321 created 00:15:41, expire 01:44:18

   Type: dynamic, Flags: router unique local

   NBMA address: 4.4.4.2

    (no-socket)


R4(config-if)#do show ip route eigrp 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

D     10.0.0.0/8 [90/26882560] via 192.168.1.1, 00:00:54, Tunnel4321

D     30.0.0.0/8 [90/26882560] via 192.168.1.2, 00:00:32, Tunnel4321

R4(config-if)#end



R4#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/44 ms

R4#ping 30.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/21/40 ms


 

R4#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.1 56 msec 64 msec 20 msec


R4#traceroute 30.1.1.1

Type escape sequence to abort.

Tracing the route to 30.1.1.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.2 20 msec 36 msec 32 msec


R1#traceroute 30.1.1.1

Type escape sequence to abort.

Tracing the route to 30.1.1.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.2 20 msec 48 msec 28 msec

R1#traceroute 40.1.1.1

Type escape sequence to abort.

Tracing the route to 40.1.1.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.3 20 msec 24 msec 44 msec


R3#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

 

Interface: Tunnel4321, IPv4 NHRP Details

Type:Spoke, NHRP Peers:2,

 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1 1.1.1.1             192.168.1.1    UP 00:09:29     S

     1 4.4.4.2             192.168.1.3    UP 00:00:58     D


 

R3#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.1 16 msec 36 msec 16 msec


R3#traceroute 40.1.1.1

Type escape sequence to abort.

Tracing the route to 40.1.1.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.3 12 msec 48 msec 40 msec


How to configure EIGRP and OSPF over DMVPN Phase 1 & 2?



As we already discussed, Phase 1 is not used nowadays. In phase 1 we use NHRP so that spokes can register themselves with the hub. The hub is the only router that uses a multipoint GRE (mGRE) interface; all spokes use regular point-to-point GRE tunnel interfaces. There are no spoke-to-spoke tunnels: it is a hub-and-spoke topology where dynamic IP addresses may be used on the spokes. This means that there will be no direct spoke-to-spoke communication; all traffic has to go through the hub.

Before we start our configuration of EIGRP and OSPF over DMVPN, we need to understand a few things about EIGRP and OSPF.

The ip nhrp map multicast dynamic command enables the forwarding of multicast traffic across the tunnel to dynamic spokes. This is usually required by routing protocols such as OSPF and EIGRP. In most cases, DMVPN is accompanied by a routing protocol to send and receive dynamic updates about the private networks. The ip nhrp map multicast dynamic command is not required if we are using static NHRP mappings.

EIGRP routers will not advertise a route back out of the interface on which it was learned because of the split-horizon rule: the rule prohibits a router from advertising a route through an interface that the router itself uses to reach the destination. To disable the split-horizon behavior, use the no ip split-horizon eigrp AS-number interface command. Split-horizon behavior is turned on by default. When you change the EIGRP split-horizon setting on an interface, it resets all adjacencies with EIGRP neighbors reachable over that interface. Split horizon should only be disabled on the hub site in a hub-and-spoke network.

Disabling split horizon on the spokes radically increases EIGRP memory consumption on the hub router and the amount of traffic generated on the spoke routers.

By default, OSPF treats a tunnel interface as a point-to-point interface, even if you configure multipoint GRE, and we will repeatedly get neighborship-down messages. To overcome this issue, we need to change the default setting, as we will see in this OSPF lab.


Let's see the configuration:

Topology:-



What is DMVPN (Dynamic Multipoint VPN) Phase 2? How to configure DMVPN phase 2 Dynamic and Static Mapping?



DMVPN (Dynamic Multipoint VPN), introduced by Cisco in late 2000, is a routing technology you can use to build a VPN network with multiple sites (spokes) without having to statically configure all devices. It’s a “hub and spoke” network, where the spokes can communicate with each other directly without having to go through the hub. Encryption is supported through IPsec, which makes DMVPN a popular choice for connecting different sites using regular Internet connections. It’s a great backup or alternative to private networks like MPLS VPN.

As we already discussed, Phase 1 is not used nowadays. Phase 1 uses NHRP so that spokes can register themselves with the hub. The hub is the only router that uses a multipoint GRE (mGRE) interface; all spokes use regular point-to-point GRE tunnel interfaces. There are no spoke-to-spoke tunnels: it is a hub-and-spoke topology where dynamic IP addresses may be used on the spokes. This means that there will be no direct spoke-to-spoke communication; all traffic has to go through the hub.

So, our traffic has to go through the hub, and our routing configuration will be quite simple. Spoke routers only need a summary or default route to the hub to reach other spoke routers.




In DMVPN Phase 2, the hub and the spokes are all configured with multipoint GRE, and spoke-to-spoke tunnels are created. NHRP is required for the spokes to register with the hub, and it is also required for spoke-to-spoke resolution.

Let's see the configuration:

Topology: -





Goal:

  • Configure the topology as per the diagram.
  • Assign the IP addresses to the ports as per the topology.
  • Configure static routing on router 2.
  • Configure default routing on routers 1, 3 and 4.
  • Configure DMVPN Phase 2 on routers 1, 3 and 4.
  • Configure router 1 as the hub; routers 3 and 4 should be spoke routers.
  • Configure the tunnel interfaces in 192.168.10.0/24.
  • Configure NHRP using static mapping.

 

R1(config)#interface serial 4/0

R1(config-if)#ip address 1.1.1.1 255.0.0.0

R1(config-if)#no shutdown

R1(config-if)#interface fastethernet 0/0

R1(config-if)#ip address 10.1.1.1 255.0.0.0

R1(config-if)#no shutdown

R1(config-if)#no keepalive

R1(config-if)#exit

 

R2(config)#interface serial 4/0

R2(config-if)#ip address 1.1.1.2 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#interface serial 4/1

R2(config-if)#ip address 3.3.3.1 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#interface serial 4/2

R2(config-if)#ip address 4.4.4.1 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#interface fastethernet 0/0

R2(config-if)#ip address 20.1.1.1 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#no keepalive

R2(config-if)#exit

 

R3(config)#interface serial 4/1

R3(config-if)#ip address 3.3.3.2 255.0.0.0

R3(config-if)#no shutdown

R3(config-if)#interface fastethernet 0/0

R3(config-if)#ip address 30.1.1.1 255.0.0.0

R3(config-if)#no shutdown

R3(config-if)#no keepalive

R3(config-if)#exit

 

 

R4(config)#interface serial 4/2

R4(config-if)#ip address 4.4.4.2 255.0.0.0

R4(config-if)#no shutdown

R4(config-if)#interface fastethernet 0/0

R4(config-if)#ip address 40.1.1.1 255.0.0.0

R4(config-if)#no shutdown

R4(config-if)#no keepalive

R4(config-if)#exit

 



R1#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        10.1.1.1        YES manual up                    up

Serial4/0                    1.1.1.1         YES manual up                    up

 

R2#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        20.1.1.1        YES manual up                    up

Serial4/0              1.1.1.2         YES manual up                    up

Serial4/1              3.3.3.1         YES manual up                    up

Serial4/2              4.4.4.1         YES manual up                    up

 

R3#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        30.1.1.1        YES manual up                    up

Serial4/1                     3.3.3.2         YES manual up                    up

 

R4#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        40.1.1.1        YES manual up                    up

Serial4/2                    4.4.4.2         YES manual up                    up



 

R1(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0

R1(config)#exit

R2(config)#ip route 1.0.0.0 255.0.0.0 serial 4/0

R2(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0

R2(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1

R2(config)#ip route 3.0.0.0 255.0.0.0 serial 4/1

R2(config)#ip route 4.0.0.0 255.0.0.0 serial 4/2

R2(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2

R2(config)#exit

 

R3(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1

R3(config)#exit

 

R4(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2

R4(config)#exit

 

 

R1#show ip route static

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Serial4/0

R2#show ip route static

Gateway of last resort is not set

 

S     10.0.0.0/8 is directly connected, Serial4/0

S     30.0.0.0/8 is directly connected, Serial4/1

S     40.0.0.0/8 is directly connected, Serial4/2



 

R3#show ip route static

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

S*    0.0.0.0/0 is directly connected, Serial4/1

 

 

R4#show ip route static

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

S*    0.0.0.0/0 is directly connected, Serial4/2

 

R1(config)#interface tunnel 1023

R1(config-if)#ip address 192.168.10.1 255.255.255.0

R1(config-if)#tunnel source 1.1.1.1

R1(config-if)#tunnel mode gre multipoint

R1(config-if)#IP NHRP network-id 1

R1(config-if)#IP NHRP map 192.168.10.2 3.3.3.2

R1(config-if)#IP NHRP map 192.168.10.3 4.4.4.2

R1(config-if)#exit



R3(config)#interface tunnel 1023

R3(config-if)#ip address 192.168.10.2 255.255.255.0

R3(config-if)#tunnel source 3.3.3.2

R3(config-if)#tunnel mode gre multipoint

R3(config-if)#IP NHRP network-id 3

R3(config-if)#IP NHRP map 192.168.10.1 1.1.1.1

R3(config-if)#IP NHRP map 192.168.10.3 4.4.4.2

R3(config-if)#exit



R4(config)#interface tunnel 1023

R4(config-if)#ip address 192.168.10.3 255.255.255.0

R4(config-if)#tunnel source 4.4.4.2

R4(config-if)#tunnel mode gre multipoint

R4(config-if)#IP NHRP network-id 3

R4(config-if)#IP NHRP map 192.168.10.1 1.1.1.1

R4(config-if)#IP NHRP map 192.168.10.2 3.3.3.2

R4(config-if)#exit

R1#show ip interface brief tunnel 1023

Interface              IP-Address      OK? Method Status                Protocol

Tunnel1023             192.168.10.1    YES manual up                    up




R1#show ip nhrp

192.168.10.2/32 via 192.168.10.2

   Tunnel1023 created 00:40:57, never expire

   Type: static, Flags: used

   NBMA address: 3.3.3.2

192.168.10.3/32 via 192.168.10.3

   Tunnel1023 created 00:40:38, never expire

   Type: static, Flags:

   NBMA address: 4.4.4.2

R1#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================


Interface: Tunnel1023, IPv4 NHRP Details

Type:Spoke, NHRP Peers:2,


 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1 3.3.3.2            192.168.10.2  NHRP    never     S

     1 4.4.4.2            192.168.10.3  NHRP    never     S



R3#show ip interface brief tunnel 1023
Interface              IP-Address      OK? Method Status                Protocol
Tunnel1023             192.168.10.2    YES manual up                    up
R3#show ip nhrp
192.168.10.1/32 via 192.168.10.1
   Tunnel1023 created 00:39:56, never expire
   Type: static, Flags: used
   NBMA address: 1.1.1.1
192.168.10.3/32 via 192.168.10.3
   Tunnel1023 created 00:39:25, never expire
   Type: static, Flags: used
   NBMA address: 4.4.4.2
R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1023, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.1            192.168.10.1  NHRP    never     S
     1 4.4.4.2            192.168.10.3  NHRP    never     S



R4#show ip interface brief tunnel 1023
Interface              IP-Address      OK? Method Status                Protocol
Tunnel1023             192.168.10.3    YES manual up                    up
R4#show ip nhrp
192.168.10.1/32 via 192.168.10.1
   Tunnel1023 created 00:36:25, never expire
   Type: static, Flags: used
   NBMA address: 1.1.1.1
192.168.10.2/32 via 192.168.10.2
   Tunnel1023 created 00:36:16, never expire
   Type: static, Flags: used
   NBMA address: 3.3.3.2
R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1023, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.1            192.168.10.1  NHRP    never     S
     1 3.3.3.2            192.168.10.2  NHRP    never     S


(Let's see whether the spoke routers can reach each other without using the hub.)


R1#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/71/256 ms

R1#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/43/116 ms

 
R1#traceroute 30.1.1.1
Type escape sequence to abort.
Tracing the route to 30.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.2 236 msec 28 msec 16 msec
  2 3.3.3.2 112 msec 16 msec 16 msec

R1#traceroute 192.168.10.2
Type escape sequence to abort.
Tracing the route to 192.168.10.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.2 32 msec 28 msec 28 msec

R1#traceroute 192.168.10.3
Type escape sequence to abort.
Tracing the route to 192.168.10.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.3 20 msec 40 msec 36 msec

R3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/83/100 ms
R3#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/32 ms

R3#traceroute 40.1.1.1
Type escape sequence to abort.
Tracing the route to 40.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 3.3.3.1 64 msec 24 msec 8 msec
  2 4.4.4.2 12 msec 28 msec 16 msec

R3#traceroute 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.10.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.1 64 msec 20 msec 28 msec


( here is the screenshot of the previous lab DMVPN PHASE 1)





R3#traceroute 192.168.10.3
Type escape sequence to abort.
Tracing the route to 192.168.10.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.3 12 msec 52 msec 44 msec

R3#traceroute 40.1.1.1
Type escape sequence to abort.
Tracing the route to 40.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 3.3.3.1 4 msec 28 msec 20 msec
  2 4.4.4.2 8 msec 32 msec 16 msec

R4#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/40/84 ms

R4#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/32 ms

R4#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/29/48 ms

R4#traceroute 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.10.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.1 60 msec 40 msec 24 msec

R4#traceroute 192.168.10.2
Type escape sequence to abort.
Tracing the route to 192.168.10.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.2 12 msec 48 msec 44 msec

R4#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 4.4.4.1 16 msec 16 msec 8 msec
  2 1.1.1.1 16 msec 32 msec 20 msec

(Let's see how to configure dynamic mappings.)


We are converting our previous static lab to dynamic mappings, so we are going to reconfigure our tunnel 1023 and the DMVPN.




R1(config)# NO INTERFACE TUNNEL 1023

R1(config)#interface tunnel 400
R1(config-if)#ip address 192.168.100.1 255.255.255.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#ip nhrp network-id 10
R1(config-if)#exit


R3(config)#NO INTERFACE TUNNEL 1023
R3(config)#interface tunnel 400
R3(config-if)#ip address 192.168.100.2 255.255.255.0
R3(config-if)#tunnel source 3.3.3.2
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#ip nhrp network-id 20
R3(config-if)#ip nhrp map 192.168.100.1 1.1.1.1
R3(config-if)#ip nhrp nhs 192.168.100.1
R3(config-if)#exit

R4(config)#NO INTERFACE TUNNEL 1023
R4(config)#interface tunnel 400
R4(config-if)#ip address 192.168.100.3 255.255.255.0
R4(config-if)#tunnel source 4.4.4.2
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#ip nhrp network-id 30
R4(config-if)#ip nhrp map 192.168.100.1 1.1.1.1
R4(config-if)#ip nhrp nhs 192.168.100.1
R4(config-if)#exit

R1#show ip nhrp
192.168.100.2/32 via 192.168.100.2
   Tunnel400 created 00:05:28, expire 01:54:31
   Type: dynamic, Flags: unique registered used
   NBMA address: 3.3.3.2
192.168.100.3/32 via 192.168.100.3
   Tunnel400 created 00:01:14, expire 01:58:45
   Type: dynamic, Flags: unique registered used
   NBMA address: 4.4.4.2
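
The tunnel configuration shown in this lab has no ip nhrp authentication string and no IPsec protection, so the hub's dynamic registrations are worth checking against an inventory of expected spokes. The following is an added example, not part of the original post: it parses show ip nhrp output like the hub output above and reports dynamic entries that do not match the inventory. The third sample entry and the function names are constructed for illustration.

```python
import re

# First two entries are the hub output shown above; the third is constructed.
SAMPLE = """\
R1#show ip nhrp
192.168.100.2/32 via 192.168.100.2
   Tunnel400 created 00:05:28, expire 01:54:31
   Type: dynamic, Flags: unique registered used
   NBMA address: 3.3.3.2
192.168.100.3/32 via 192.168.100.3
   Tunnel400 created 00:01:14, expire 01:58:45
   Type: dynamic, Flags: unique registered used
   NBMA address: 4.4.4.2
192.168.100.4/32 via 192.168.100.4
   Tunnel400 created 00:00:09, expire 01:59:50
   Type: dynamic, Flags: unique registered
   NBMA address: 20.1.1.50
"""

# Expected spokes for this lab: tunnel address -> NBMA (public) address.
INVENTORY = {"192.168.100.2": "3.3.3.2", "192.168.100.3": "4.4.4.2"}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY = re.compile(rf"^({IP})/\d+ via {IP}$")
LIFE = re.compile(r"^(Tunnel\d+) created \S+, (?:never expire|expire (\S+))$")
TYPE = re.compile(r"^Type: (\w+), Flags:\s*(.*)$")
NBMA = re.compile(rf"^NBMA address: ({IP})$")


def parse_show_ip_nhrp(text):
    """Turn 'show ip nhrp' output into a list of dicts, one per cache entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            cur = {"tunnel_ip": m.group(1), "interface": None, "expires": None,
                   "type": None, "flags": [], "nbma": None}
            entries.append(cur)
            continue
        if cur is None:
            continue                      # prompt line or banner before first entry
        m = LIFE.match(line)
        if m:
            cur["interface"] = m.group(1)
            cur["expires"] = m.group(2)   # None means "never expire"
            continue
        m = TYPE.match(line)
        if m:
            cur["type"] = m.group(1)
            cur["flags"] = m.group(2).split()
            continue
        m = NBMA.match(line)
        if m:
            cur["nbma"] = m.group(1)
    return entries


def audit(entries, inventory):
    """Return (tunnel_ip, nbma, reason) for dynamic entries not in the inventory."""
    findings = []
    for e in entries:
        if e["type"] != "dynamic":
            continue                      # static mappings come from local config
        expected = inventory.get(e["tunnel_ip"])
        if expected is None:
            findings.append((e["tunnel_ip"], e["nbma"], "unexpected registration"))
        elif expected != e["nbma"]:
            findings.append((e["tunnel_ip"], e["nbma"],
                             "NBMA address differs from inventory"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_ip_nhrp(SAMPLE), INVENTORY):
        print(finding)
```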

R1#show DMVPN
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel400, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 3.3.3.2           192.168.100.2    UP 00:17:10     D
     1 4.4.4.2           192.168.100.3    UP 00:12:56     D


R1#traceroute 192.168.100.2
Type escape sequence to abort.
Tracing the route to 192.168.100.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.100.2 48 msec 48 msec 24 msec

R1#traceroute 192.168.100.3
Type escape sequence to abort.
Tracing the route to 192.168.100.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.100.3 72 msec 28 msec 40 msec

R3#show ip nhrp
192.168.100.1/32 via 192.168.100.1
   Tunnel400 created 00:06:05, never expire
   Type: static, Flags: used
   NBMA address: 1.1.1.1
R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel400, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.1           192.168.100.1    UP 00:06:15     S

R3#traceroute 192.168.100.1
Type escape sequence to abort.
Tracing the route to 192.168.100.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.100.1 80 msec 36 msec 32 msec

R3#traceroute 192.168.100.3
Type escape sequence to abort.
Tracing the route to 192.168.100.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.100.1 80 msec 52 msec 16 msec
  2 192.168.100.3 120 msec 20 msec 40 msec

R3#traceroute 192.168.100.3
Type escape sequence to abort.
Tracing the route to 192.168.100.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.100.3 64 msec 88 msec 28 msec

R3#traceroute 192.168.100.3
Type escape sequence to abort.
Tracing the route to 192.168.100.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.100.3 28 msec 16 msec 40 msec



R4#show ip nhrp
192.168.100.1/32 via 192.168.100.1
   Tunnel400 created 00:01:37, never expire
   Type: static, Flags: used
   NBMA address: 1.1.1.1

R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel400, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.1           192.168.100.1    UP 00:02:08     S


 
R4#traceroute 192.168.100.1
Type escape sequence to abort.
Tracing the route to 192.168.100.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.100.1 24 msec 48 msec 44 msec

R4#traceroute 192.168.100.2
Type escape sequence to abort.
Tracing the route to 192.168.100.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.100.2 28 msec 32 msec 36 msec




What is DMVPN (Dynamic Multipoint VPN), NHRP, mGRE and How to configure DMVPN Phase 1?

Internetworks

 

DMVPN (Dynamic Multipoint VPN), introduced by Cisco in late 2000, is a routing technology you can use to build a VPN network with multiple sites (spokes) without having to statically configure all devices. It's a "hub and spoke" network where the spokes can communicate with each other directly without having to go through the hub. Encryption is supported through IPsec, which makes DMVPN a popular choice for connecting different sites using regular Internet connections. It's a great backup or alternative to private networks like MPLS VPN.










 

This technology was developed to address the need for automatically created VPN tunnels when dynamic IP addresses are in use on the spokes. It is a pure hub-and-spoke topology where all branches may communicate with each other securely through the hub.

There are four topics you need to know:

  • Multipoint GRE (mGRE)
  • NHRP (Next Hop Resolution Protocol)
  • Routing (RIP, EIGRP, OSPF, BGP, etc.)
  • IPsec (not required but recommended)


 

Multipoint GRE (mGRE)

Regular GRE tunnels are point-to-point and don't scale well: with so many point-to-point tunnels, things become messy quickly. When we use multipoint GRE, there is only one tunnel interface on each router. mGRE interfaces do not have a tunnel destination. This keeps costs low, minimizes configuration complexity, and increases flexibility. Multipoint GRE (mGRE) uses a tunnel source and tunnel mode (mGRE). The tunnel can have many endpoints while using a single tunnel interface. An endpoint can be configured as GRE or mGRE, and the mapping is done by NHRP.


NHRP (Next Hop Resolution Protocol)

We want something that helps our router figure out the public IP address of the other router. We do this with a protocol called NHRP (Next Hop Resolution Protocol). NHRP maps the tunnel IP address to the NBMA address (the public IP address), either statically or dynamically. NHRP provides layer 2 address resolution and caching services similar to ARP and inverse ARP. All it does is build a dynamic database, stored on the hub, with information about the spokes' IP addresses.

How NHRP works:

  • One router will be the NHRP server, the next-hop server (NHS).
  • All other routers will be NHRP clients, the next-hop clients (NHC).
  • NHRP clients register themselves with the NHRP server and report their public IP address. An NHC sends a query to the NHS if it wants to communicate with another NHC.
  • The NHRP server keeps track of all public IP addresses in its cache. The NHS acts as a mapping agent, stores all registered mappings, and replies to queries made by NHCs.
  • When one router wants to tunnel something to another router, it will request the public IP address of the other router from the NHRP server.

 

DMVPN has three different versions, which we call phases:

  • Phase 1
  • Phase 2
  • Phase 3

 

DMVPN Phase 1

Before we start, I want to let you know that Phase 1 is not used nowadays. In Phase 1 we use NHRP so that the spokes can register themselves with the hub. The hub is the only router that uses a multipoint GRE (mGRE) interface; all spokes use regular point-to-point GRE tunnel interfaces. It is a hub-and-spoke topology in which dynamic IP addresses may be used on the spokes. All traffic goes through the hub, so there is no direct spoke-to-spoke communication.

Because our traffic has to go through the hub, our routing configuration will be quite simple. Spoke routers only need a summary or default route to the hub to reach other spoke routers.

We will talk about DMVPN Phase 2 and 3 in the next chapter.

Let's see the configuration:

Topology:




Goal:
  • Configure the topology as per the diagram.
  • Assign the IP addresses to the ports as per the topology.
  • Configure static routing on router 2.
  • Configure default routing on routers 1, 3 and 4.
  • Configure DMVPN Phase 1 on routers 1, 3 and 4.
  • Configure router 1 as the hub; routers 3 and 4 should be spoke routers.
  • Configure the tunnel interfaces in 192.168.1.0/24.
  • Configure NHRP using static mapping.




R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#interface fastethernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit


R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#interface serial 4/1
R2(config-if)#ip address 3.3.3.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#interface serial 4/2
R2(config-if)#ip address 4.4.4.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#interface fastethernet 0/0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit


R3(config)#interface serial 4/1
R3(config-if)#ip address 3.3.3.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#interface fastethernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit


R4(config)#interface serial 4/2
R4(config-if)#ip address 4.4.4.2 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#interface fastethernet 0/0
R4(config-if)#ip address 40.1.1.1 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit


R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.1.1.1        YES manual up                    up
Serial4/0              1.1.1.1         YES manual up                    up

R2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        20.1.1.1        YES manual up                    up
Serial4/0              1.1.1.2         YES manual up                    up
Serial4/1              3.3.3.1         YES manual up                    up
Serial4/2              4.4.4.1         YES manual up                    up

R3#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        30.1.1.1        YES manual up                    up
Serial4/1              3.3.3.2         YES manual up                    up

R4#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        40.1.1.1        YES manual up                    up
Serial4/2              4.4.4.2         YES manual up                    up


R1(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0
R1(config)#exit

R2(config)#ip route 1.0.0.0 255.0.0.0 serial 4/0
R2(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0
R2(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1
R2(config)#ip route 3.0.0.0 255.0.0.0 serial 4/1
R2(config)#ip route 4.0.0.0 255.0.0.0 serial 4/2
R2(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2
R2(config)#exit

R3(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
R3(config)#exit

R4(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2
R4(config)#exit


R1#show ip route static

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Serial4/0

R2#show ip route static
Gateway of last resort is not set

S     10.0.0.0/8 is directly connected, Serial4/0
S     30.0.0.0/8 is directly connected, Serial4/1
S     40.0.0.0/8 is directly connected, Serial4/2

 

R3#show ip route static

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Serial4/1


R4#show ip route static

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Serial4/2

R1(config)#interface tunnel 999
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel mode GRE multipoint

R1(config-if)#ip NHRP network-id 01
R1(config-if)#ip NHRP map 192.168.1.2 3.3.3.2
R1(config-if)#ip NHRP map 192.168.1.3 4.4.4.2
R1(config-if)#exit

R3(config)#interface tunnel 999
R3(config-if)#ip address 192.168.1.2 255.255.255.0
R3(config-if)#tunnel source 3.3.3.2
R3(config-if)#tunnel destination 1.1.1.1

R3(config-if)#ip NHRP network-id 02
R3(config-if)#ip NHRP map 192.168.1.1 1.1.1.1
R3(config-if)#exit


R4(config)#interface tunnel 999
R4(config-if)#ip address 192.168.1.3 255.255.255.0
R4(config-if)#tunnel source 4.4.4.2
R4(config-if)#tunnel destination 1.1.1.1

R4(config-if)#ip NHRP network-id 03
R4(config-if)#ip NHRP map 192.168.1.1 1.1.1.1
R4(config-if)#exit
R4(config)#end

R1#show ip nhrp
192.168.1.2/32 via 192.168.1.2
   Tunnel999 created 00:44:20, never expire
   Type: static, Flags: used
   NBMA address: 3.3.3.2
192.168.1.3/32 via 192.168.1.3
   Tunnel999 created 00:44:04, never expire
   Type: static, Flags: used
   NBMA address: 4.4.4.2

R3#show ip NHRP
192.168.1.1/32 via 192.168.1.1
   Tunnel999 created 00:29:11, never expire
   Type: static, Flags:
   NBMA address: 1.1.1.1


R4#show ip NHRP
192.168.1.1/32 via 192.168.1.1
   Tunnel999 created 00:23:36, never expire
   Type: static, Flags:
   NBMA address: 1.1.1.1
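
A defender-side check on the NHRP mappings shown above, as an added example that is not part of the original post: it parses `show ip nhrp` output and compares each tunnel-IP-to-NBMA mapping with an expected inventory, which also works for dynamically registered entries. The function names, the `EXPECTED` inventory and the finding labels are assumptions made for this illustration; the sample text is R1's output from this page.

```python
import re

# Inventory for this lab's hub: tunnel IP -> expected NBMA address (from the page's topology).
EXPECTED = {"192.168.1.2": "3.3.3.2", "192.168.1.3": "4.4.4.2"}

# R1's `show ip nhrp` output, copied from the page.
PAGE_OUTPUT = """\
192.168.1.2/32 via 192.168.1.2
   Tunnel999 created 00:44:20, never expire
   Type: static, Flags: used
   NBMA address: 3.3.3.2
192.168.1.3/32 via 192.168.1.3
   Tunnel999 created 00:44:04, never expire
   Type: static, Flags: used
   NBMA address: 4.4.4.2
"""

def parse_nhrp(text):
    """Parse `show ip nhrp` text into one dict per cache entry."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"(\d+(?:\.\d+){3})/\d+ via ", line):
            entries.append({"tunnel_ip": m.group(1), "type": None, "flags": [], "nbma": None})
        elif not entries:
            continue  # ignore anything before the first entry header
        elif m := re.match(r"Type:\s*(\w+),\s*Flags:\s*(.*)", line):
            entries[-1]["type"], entries[-1]["flags"] = m.group(1), m.group(2).split()
        elif m := re.match(r"NBMA address:\s*(\S+)", line):
            entries[-1]["nbma"] = m.group(1)
    return entries

def audit(entries, expected=EXPECTED):
    """Return sorted (finding, tunnel_ip, nbma) tuples where the cache differs from the inventory."""
    findings = []
    for e in entries:
        want = expected.get(e["tunnel_ip"])
        if want is None:
            findings.append(("unexpected-peer", e["tunnel_ip"], e["nbma"]))
        elif e["nbma"] != want:
            findings.append(("nbma-mismatch", e["tunnel_ip"], e["nbma"]))
    seen = {e["tunnel_ip"] for e in entries}
    findings += [("missing-peer", ip, expected[ip]) for ip in expected if ip not in seen]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_nhrp(PAGE_OUTPUT)):
        print(finding)
```

An empty result means the hub's cache matches the inventory; any finding is a mapping to review before trusting traffic on that tunnel.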


 
R4#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 1616 msec 92 msec 36 msec

R4#traceroute 192.168.1.2
Type escape sequence to abort.
Tracing the route to 192.168.1.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 12 msec 48 msec 40 msec
  2 192.168.1.2 700 msec 328 msec 84 msec

R3#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 80 msec 72 msec 72 msec


R3#traceroute 192.168.1.3
Type escape sequence to abort.
Tracing the route to 192.168.1.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 72 msec 56 msec 96 msec
  2 192.168.1.3 240 msec 188 msec 188 msec

R1#traceroute 192.168.1.2
Type escape sequence to abort.
Tracing the route to 192.168.1.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.2 8 msec 72 msec 96 msec

R1#traceroute 192.168.1.3
Type escape sequence to abort.
Tracing the route to 192.168.1.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.3 72 msec 100 msec 100 msec