GRE Tunnel using NHRP
DKempeneers
Banned Posts: 36 ■■□□□□□□□□
in CCNP
Hello guys,
I've a little problem with my topology. I made a connection between one hub & two spokes.
My problem is that I can't dynamically resolve my second spoke via my nhs (the hub)
Here you can see my topology & tunnel config:
R1#
interface Tunnel1
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip nhrp authentication denis
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 1234
end
R1#sh ip nhrp
192.168.0.2/32 via 192.168.0.2
Tunnel1 created 00:23:00, expire 01:36:59
Type: dynamic, Flags: unique registered used
NBMA address: 51.10.2.2
192.168.0.3/32 via 192.168.0.3
Tunnel1 created 00:09:22, expire 01:51:32
Type: dynamic, Flags: unique registered used
NBMA address: 51.10.3.3
R2#
interface Tunnel1
ip address 192.168.0.2 255.255.255.0
no ip redirects
ip nhrp authentication denis
ip nhrp map multicast dynamic
ip nhrp map 192.168.0.1 51.10.1.2
ip nhrp map multicast 51.10.1.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 1234
end
R2#sh ip nhrp
192.168.0.1/32 via 192.168.0.1
Tunnel1 created 00:21:38, never expire
Type: static, Flags: used
NBMA address: 51.10.1.2
192.168.0.3/32 via 192.168.0.3
Tunnel1 created 00:00:14, expire 00:02:50
Type: dynamic, Flags: used temporary
NBMA address: 51.10.1.2
R3#
interface Tunnel1
ip address 192.168.0.3 255.255.255.0
no ip redirects
ip nhrp authentication denis
ip nhrp map multicast dynamic
ip nhrp map 192.168.0.1 51.10.1.2
ip nhrp map multicast 51.10.1.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 1234
end
R3#sh ip nhrp
192.168.0.1/32 via 192.168.0.1
Tunnel1 created 00:19:41, never expire
Type: static, Flags: used
NBMA address: 51.10.1.2
192.168.0.2/32 via 192.168.0.2
Tunnel1 created 00:08:08, expire 01:59:38
Type: dynamic, Flags: router implicit used
NBMA address: 51.10.2.2
192.168.0.3/32 via 192.168.0.3
Tunnel1 created 00:00:48, expire 01:59:38
Type: dynamic, Flags: router unique local
NBMA address: 51.10.3.3
(no-socket)
Can you tell me what's wrong ?
Thank you a lot,
Denis.
Comments
-
Dieg0M Member Posts: 861
Could you please post full config? First step, you should try and see if you can ping 51.10.1.2 sourcing from Serial1/0 of each spoke.
Follow my CCDE journey at www.routingnull0.com
-
siggnation Member Posts: 182
I don't think the ip nhrp map multicast dynamic is a necessary command for the spokes. Try removing these and see if it resolves afterwards (#show dmvpn).
Currently Reading:
CCIE Routing and Switching Written Exam v. 5.1
CCIE Routing and Switching 5.0 OCG, Vol. I
Cisco Lan Switching
-
DKempeneers Banned Posts: 36 ■■□□□□□□□□
Dieg0M wrote: »see if you can ping 51.10.1.2 sourcing from Serial1/0 of each spoke.
Yes it is but only when I created a route from R3 to knowing R2's network.
When the route to R2's network is established, I can ping my R2's tunnel ip (192.168.0.2) from R3 (192.168.0.3)
Here you can see that I obtain the same result of R3 nhrp status :
R3#sh ip nhrp
192.168.0.1/32 via 192.168.0.1
Tunnel1 created 00:11:53, never expire
Type: static, Flags: used
NBMA address: 51.10.1.2
192.168.0.2/32 via 192.168.0.2
Tunnel1 created 00:10:14, expire 01:49:45
Type: dynamic, Flags: router implicit used
NBMA address: 51.10.2.2
192.168.0.3/32 via 192.168.0.3
Tunnel1 created 00:10:14, expire 01:49:45
Type: dynamic, Flags: router unique local
NBMA address: 51.10.3.2
(no-socket)
When I delete the route from R2 to R3, I can't reach my R2's tunnel ip
But, correct me if I'm wrong but the principle of nhrp is that I don't need to know the R2 network to reach his tunnel right ?
R1 is a hub, R2 & R3 are spokes. The goal of nhrp is that R2 reaches R3 tunnel through R1 hub right ?
Here is my full config :
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface Tunnel1
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip nhrp authentication denis
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 1234
!
interface FastEthernet0/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface Serial1/0
ip address 51.10.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex full
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 51.10.2.0 255.255.255.0 Serial1/0
ip route 51.10.3.0 255.255.255.0 Serial1/0
!
!
!
!
control-plane
!
alias exec sri show run | inc
alias exec srs show run | sec
alias exec ns no sh
alias exec c conf t
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
interface Tunnel1
ip address 192.168.0.2 255.255.255.0
no ip redirects
ip nhrp authentication denis
ip nhrp map 192.168.0.1 51.10.1.2
ip nhrp map multicast 51.10.1.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 1234
!
interface FastEthernet0/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface Serial1/0
ip address 51.10.2.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex full
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 51.10.1.0 255.255.255.0 Serial1/0
ip route 51.10.3.0 255.255.255.0 Serial1/0
!
!
!
!
control-plane
!
alias exec sri show run | inc
alias exec srs show run | sec
alias exec ns no sh
alias exec c conf t
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel1
ip address 192.168.0.3 255.255.255.0
no ip redirects
ip nhrp authentication denis
ip nhrp map 192.168.0.1 51.10.1.2
ip nhrp map multicast 51.10.1.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 1234
!
interface FastEthernet0/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface Serial1/0
ip address 51.10.3.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex full
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 51.10.1.0 255.255.255.0 Serial1/0
!
!
!
!
control-plane
!
alias exec sri show run | inc
alias exec srs show run | sec
alias exec ns no sh
alias exec c conf t
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
-
fredrikjj Member Posts: 879
NHRP seems (I haven't tried your configs in the lab) to be working fine to me, but you are confused about what NHRP is for and what should and shouldn't work with regards to the underlay addresses. NHRP's purpose is to map between tunnel addresses and physical addresses (your 51.x addresses). Packets will then be encapsulated with these addresses and forwarded, which requires spoke to spoke reachability.
DKempeneers wrote: »When I delete the route from R2 to R3, I can't reach my R2's tunnel ip
But, correct me if I'm wrong but the principle of nhrp is that I don't need to know the R2 network to reach his tunnel right ?
R1 is a hub, R2 & R3 are spokes. The goal of nhrp is that R2 reaches R3 tunnel through R1 hub right ?
No, it's the exact opposite. NHRP is so that you can have spoke to spoke communication without going through the hub, except for the NHRP resolution.
-
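Added example, not written by any poster in this thread: a Python parser for the `sh ip nhrp` output format posted above that extracts each tunnel-to-NBMA mapping and lists peers whose entry is flagged temporary or whose NBMA address is the hub's. Reading those two conditions as "spoke-to-spoke resolution has not completed" is this example's assumption; the sample is R2's output from the first post, with indentation added.

```python
import re

# R2's "sh ip nhrp" output as posted in this thread (indentation added).
R2_SH_IP_NHRP = """\
192.168.0.1/32 via 192.168.0.1
   Tunnel1 created 00:21:38, never expire
   Type: static, Flags: used
   NBMA address: 51.10.1.2
192.168.0.3/32 via 192.168.0.3
   Tunnel1 created 00:00:14, expire 00:02:50
   Type: dynamic, Flags: used temporary
   NBMA address: 51.10.1.2
"""

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via \S+")

def parse_nhrp(text):
    """Return one dict per NHRP cache entry: tunnel_ip, type, flags, nbma."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            entries.append({"tunnel_ip": m.group(1), "type": None,
                            "flags": set(), "nbma": None})
        elif not entries:
            continue  # ignore anything before the first entry header
        elif line.startswith("Type:"):
            typ, _, flags = line.partition(", Flags:")
            entries[-1]["type"] = typ.split(":", 1)[1].strip()
            entries[-1]["flags"] = set(flags.split())
        elif line.startswith("NBMA address:"):
            entries[-1]["nbma"] = line.split(":", 1)[1].strip()
    return entries

def unresolved_peers(entries):
    """Assumed heuristic: a dynamic, non-local entry is unresolved if it is
    'temporary' or its NBMA address equals that of a static (hub) mapping."""
    hub_nbma = {e["nbma"] for e in entries if e["type"] == "static"}
    return [e["tunnel_ip"] for e in entries
            if e["type"] == "dynamic" and "local" not in e["flags"]
            and ("temporary" in e["flags"] or e["nbma"] in hub_nbma)]

if __name__ == "__main__":
    print(unresolved_peers(parse_nhrp(R2_SH_IP_NHRP)))
```

On R2's output this reports 192.168.0.3, the entry that still carries the hub's NBMA address 51.10.1.2 instead of R3's own underlay address.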
DKempeneers Banned Posts: 36 ■■□□□□□□□□
Oh ok, so it's normal that I need to reach the other spoke public address.
I see clearly now, thanks man
-
fredrikjj Member Posts: 879
DKempeneers wrote: »Oh ok, so it's normal that I need to reach the other spoke public address.
I see clearly now, thanks man
Yes that's normal. If you want to use DMVPN purely as a hub and spoke you could configure the spokes as point to point GRE tunnels while still keeping the hub as mGRE.
In your case this would look something like this:
R1:
!
int Tunnel0
ip address 192.168.0.1 255.255.255.0
tunnel source 51.10.1.2
tunnel mode gre multipoint
ip nhrp network-id 1
!
R2:
!
interface Tunnel0
ip address 192.168.0.2 255.255.255.0
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source 51.10.2.2
tunnel destination 51.10.1.2
!
Note here how the spoke (R2) will always encapsulate with 51.10.1.2 and therefore doesn't need to know how to reach R3. The hub will get the spoke's mapping through NHRP.
(config isn't tested, just written).
-
Hondabuff Member Posts: 667 ■■■□□□□□□□
Under your tunnel interfaces you also have to change the "ip mtu 1400" size and add "ip tcp adjust-mss 1360" since you're adding a GRE header to the packet. You risk fragmenting the packets if you don't. In all honesty I would learn DVTI with static VTIs on the spokes. It's more scalable and easier to apply your IPsec encapsulation to. The best part is once you get the concept down you can then learn Flex VPN with minimum effort.
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
-
DKempeneers Banned Posts: 36 ■■□□□□□□□□
Thank you Fredrikjj, I understand
Hondabuff, I don't know DVTI yet but it looks good. I'll learn about this soon
-
Hondabuff Member Posts: 667 ■■■□□□□□□□
Since you learned the commands for GRE you will love DVTI. If you find the SIMOS CBT Nuggets videos by looking around, they have a few videos on it. You will not even need GRE anymore and the config is much easier.
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
-
whatislife Registered Users Posts: 1 ■□□□□□□□□□
Hi
I have the same problem now. I am studying for CCNP Route Exam No.300-101. I am using CBT Nuggets as one of few sources to study. Can you please help me how you were able to configure the GRE and DMVPN part of the third video in the CCNP Route series? The one that includes 3 routers and another which is an ISP