GRE Tunnel using NHRP

DKempeneers Banned Posts: 36
Hello guys,

I have a little problem with my topology. I made a connection between one hub & two spokes.

My problem is that I can't dynamically resolve my second spoke via my NHS (the hub).

Here you can see my topology & tunnel config:



R1#
interface Tunnel1
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip nhrp authentication denis
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 1234
end

R1#sh ip nhrp
192.168.0.2/32 via 192.168.0.2
Tunnel1 created 00:23:00, expire 01:36:59
Type: dynamic, Flags: unique registered used
NBMA address: 51.10.2.2
192.168.0.3/32 via 192.168.0.3
Tunnel1 created 00:09:22, expire 01:51:32
Type: dynamic, Flags: unique registered used
NBMA address: 51.10.3.3






R2#
interface Tunnel1
ip address 192.168.0.2 255.255.255.0
no ip redirects
ip nhrp authentication denis
ip nhrp map multicast dynamic
ip nhrp map 192.168.0.1 51.10.1.2
ip nhrp map multicast 51.10.1.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 1234
end


R2#sh ip nhrp
192.168.0.1/32 via 192.168.0.1
Tunnel1 created 00:21:38, never expire
Type: static, Flags: used
NBMA address: 51.10.1.2
192.168.0.3/32 via 192.168.0.3
Tunnel1 created 00:00:14, expire 00:02:50
Type: dynamic, Flags: used temporary
NBMA address: 51.10.1.2



R3#
interface Tunnel1
ip address 192.168.0.3 255.255.255.0
no ip redirects
ip nhrp authentication denis
ip nhrp map multicast dynamic
ip nhrp map 192.168.0.1 51.10.1.2
ip nhrp map multicast 51.10.1.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 1234
end


R3#sh ip nhrp
192.168.0.1/32 via 192.168.0.1
Tunnel1 created 00:19:41, never expire
Type: static, Flags: used
NBMA address: 51.10.1.2
192.168.0.2/32 via 192.168.0.2
Tunnel1 created 00:08:08, expire 01:59:38
Type: dynamic, Flags: router implicit used
NBMA address: 51.10.2.2
192.168.0.3/32 via 192.168.0.3
Tunnel1 created 00:00:48, expire 01:59:38
Type: dynamic, Flags: router unique local
NBMA address: 51.10.3.3
(no-socket)





Can you tell me what's wrong?

Thank you a lot,
Denis.

Comments

  • Dieg0M Member Posts: 861
    Could you please post full config? First step, you should try and see if you can ping 51.10.1.2 sourcing from Serial1/0 of each spoke.
    Follow my CCDE journey at www.routingnull0.com
  • siggnation Member Posts: 182
    I don't think the ip nhrp map multicast dynamic is a necessary command for the spokes. Try removing these and see if it resolves afterwards (#show dmvpn).
    Currently Reading:

    CCIE Routing and Switching Written Exam v. 5.1
    CCIE Routing and Switching 5.0 OCG, Vol. I
    Cisco Lan Switching
  • DKempeneers Banned Posts: 36
    Dieg0M wrote: »
    see if you can ping 51.10.1.2 sourcing from Serial1/0 of each spoke.

    Yes it is, but only when I created a route on R3 so that it knows R2's network.
    When the route to R2's network is established, I can ping my R2's tunnel IP (192.168.0.2) from R3 (192.168.0.3).


    Here you can see that I obtain the same result for R3's NHRP status:
    R3#sh ip nhrp
    192.168.0.1/32 via 192.168.0.1
    Tunnel1 created 00:11:53, never expire
    Type: static, Flags: used
    NBMA address: 51.10.1.2
    192.168.0.2/32 via 192.168.0.2
    Tunnel1 created 00:10:14, expire 01:49:45
    Type: dynamic, Flags: router implicit used
    NBMA address: 51.10.2.2
    192.168.0.3/32 via 192.168.0.3
    Tunnel1 created 00:10:14, expire 01:49:45
    Type: dynamic, Flags: router unique local
    NBMA address: 51.10.3.2
    (no-socket)


    When I delete the route from R2 to R3, I can't reach my R2's tunnel IP.

    But, correct me if I'm wrong, the principle of NHRP is that I don't need to know the R2 network to reach its tunnel, right?

    R1 is a hub, R2 & R3 are spokes. The goal of NHRP is that R2 reaches R3's tunnel through the R1 hub, right?

    Here is my full config:

    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    no aaa new-model
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    no ip domain lookup
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    ip tcp synwait-time 5
    ip ssh version 1
    !
    !
    !
    !
    interface Tunnel1
    ip address 192.168.0.1 255.255.255.0
    no ip redirects
    ip nhrp authentication denis
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    tunnel source Serial1/0
    tunnel mode gre multipoint
    tunnel key 1234
    !
    interface FastEthernet0/0
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    interface Serial1/0
    ip address 51.10.1.2 255.255.255.0
    serial restart-delay 0
    !
    interface Serial1/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/2
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/3
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface FastEthernet2/0
    no ip address
    shutdown
    duplex full
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    ip route 51.10.2.0 255.255.255.0 Serial1/0
    ip route 51.10.3.0 255.255.255.0 Serial1/0
    !
    !
    !
    !
    control-plane
    !
    alias exec sri show run | inc
    alias exec srs show run | sec
    alias exec ns no sh
    alias exec c conf t
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    !
    !
    end






    hostname R2
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    no aaa new-model
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    !
    !
    no ip domain lookup
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    ip tcp synwait-time 5
    ip ssh version 1
    !
    !
    !
    interface Tunnel1
    ip address 192.168.0.2 255.255.255.0
    no ip redirects
    ip nhrp authentication denis
    ip nhrp map 192.168.0.1 51.10.1.2
    ip nhrp map multicast 51.10.1.2
    ip nhrp network-id 1
    ip nhrp nhs 192.168.0.1
    tunnel source Serial1/0
    tunnel mode gre multipoint
    tunnel key 1234
    !
    interface FastEthernet0/0
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    interface Serial1/0
    ip address 51.10.2.2 255.255.255.0
    serial restart-delay 0
    !
    interface Serial1/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/2
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/3
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface FastEthernet2/0
    no ip address
    shutdown
    duplex full
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    ip route 51.10.1.0 255.255.255.0 Serial1/0
    ip route 51.10.3.0 255.255.255.0 Serial1/0
    !
    !
    !
    !
    control-plane
    !
    alias exec sri show run | inc
    alias exec srs show run | sec
    alias exec ns no sh
    alias exec c conf t
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    !
    !
    end






    hostname R3
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    no aaa new-model
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    !
    !
    no ip domain lookup
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip tcp synwait-time 5
    ip ssh version 1
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface Tunnel1
    ip address 192.168.0.3 255.255.255.0
    no ip redirects
    ip nhrp authentication denis
    ip nhrp map 192.168.0.1 51.10.1.2
    ip nhrp map multicast 51.10.1.2
    ip nhrp network-id 1
    ip nhrp nhs 192.168.0.1
    tunnel source Serial1/0
    tunnel mode gre multipoint
    tunnel key 1234
    !
    interface FastEthernet0/0
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    interface Serial1/0
    ip address 51.10.3.2 255.255.255.0
    serial restart-delay 0
    !
    interface Serial1/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/2
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/3
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface FastEthernet2/0
    no ip address
    shutdown
    duplex full
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    ip route 51.10.1.0 255.255.255.0 Serial1/0
    !
    !
    !
    !
    control-plane
    !
    alias exec sri show run | inc
    alias exec srs show run | sec
    alias exec ns no sh
    alias exec c conf t
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    !
    !
    end
  • fredrikjj Member Posts: 879
    NHRP seems (I haven't tried your configs in the lab) to be working fine to me, but you are confused about what NHRP is for and what should and shouldn't work with regards to the underlay addresses. NHRP's purpose is to map between tunnel addresses and physical addresses (your 51.x addresses). Packets will then be encapsulated with these addresses and forwarded, which requires spoke to spoke reachability.
    DKempeneers wrote: »
    When I delete the route from R2 to R3, I can't reach my R2's tunnel IP

    Because you need to be able to send packets encapsulated with 51.x.x.x between the spokes.

    DKempeneers wrote: »
    But, correct me if I'm wrong, the principle of NHRP is that I don't need to know the R2 network to reach its tunnel, right?

    No, that's not correct. The principle is that you don't need to manually create a tunnel between the spokes because NHRP resolves this automatically through the hub where you do have a static tunnel.

    DKempeneers wrote: »
    R1 is a hub, R2 & R3 are spokes. The goal of NHRP is that R2 reaches R3's tunnel through the R1 hub, right?

    No, it's the exact opposite. NHRP is so that you can have spoke to spoke communication without going through the hub, except for the NHRP resolution.
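
The two conditions discussed above can be checked mechanically. This is an added example, not code from any poster in this thread: it parses the `sh ip nhrp` excerpts posted for R3 and R2 and reports, per peer, whether the entry still points at the hub's NBMA address or whether the spoke has no underlay route to the peer's NBMA address. The function names and the list of underlay prefixes passed in (the Serial1/0 subnet plus the `ip route` lines from each posted config) are assumptions of this sketch.

```python
import ipaddress
import re

# Excerpts of "sh ip nhrp" copied from the R3 and R2 listings in this thread.
R3_NHRP = """192.168.0.1/32 via 192.168.0.1
Tunnel1 created 00:19:41, never expire
Type: static, Flags: used
NBMA address: 51.10.1.2
192.168.0.2/32 via 192.168.0.2
Tunnel1 created 00:08:08, expire 01:59:38
Type: dynamic, Flags: router implicit used
NBMA address: 51.10.2.2"""
R2_NHRP = """192.168.0.1/32 via 192.168.0.1
Tunnel1 created 00:21:38, never expire
Type: static, Flags: used
NBMA address: 51.10.1.2
192.168.0.3/32 via 192.168.0.3
Tunnel1 created 00:00:14, expire 00:02:50
Type: dynamic, Flags: used temporary
NBMA address: 51.10.1.2"""

def parse_nhrp(text):  # hypothetical helper: one dict per NHRP cache entry
    entries = []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(\d+\.\d+\.\d+\.\d+)/\d+ via ", line):
            entries.append({"tunnel": m.group(1), "flags": set(), "nbma": None})
        elif entries and (m := re.match(r"Type: \w+, Flags: (.*)", line)):
            entries[-1]["flags"] = set(m.group(1).split())
        elif entries and (m := re.match(r"NBMA address: (\S+)", line)):
            entries[-1]["nbma"] = m.group(1)
    return entries

def check_spoke(nhrp_text, hub_tunnel, hub_nbma, underlay_prefixes):
    """Map each peer tunnel IP to the reason spoke-to-spoke traffic fails."""
    nets = [ipaddress.ip_network(p) for p in underlay_prefixes]
    problems = {}
    for e in parse_nhrp(nhrp_text):
        if e["tunnel"] == hub_tunnel or "local" in e["flags"] or not e["nbma"]:
            continue  # the hub mapping and the router's own entry are not peers
        if e["nbma"] == hub_nbma:
            problems[e["tunnel"]] = "still mapped to the hub NBMA"
        elif not any(ipaddress.ip_address(e["nbma"]) in n for n in nets):
            problems[e["tunnel"]] = "no underlay route to NBMA " + e["nbma"]
    return problems

if __name__ == "__main__":
    hub = ("192.168.0.1", "51.10.1.2")  # R1 tunnel IP and NBMA address
    # Assumed input: each spoke's Serial1/0 subnet plus its "ip route" lines.
    print(check_spoke(R3_NHRP, *hub, ["51.10.3.0/24", "51.10.1.0/24"]))
    print(check_spoke(R2_NHRP, *hub, ["51.10.2.0/24", "51.10.1.0/24", "51.10.3.0/24"]))
```

With R3's posted routes, the entry for 192.168.0.2 is flagged because nothing covers 51.10.2.2; R2's entry for 192.168.0.3 is flagged because its NBMA address is the hub's.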
  • DKempeneers Banned Posts: 36
    Oh ok, so it's normal that I need to reach the other spoke's public address.

    I see clearly now, thanks man
  • fredrikjj Member Posts: 879
    DKempeneers wrote: »
    Oh ok, so it's normal that I need to reach the other spoke's public address.

    I see clearly now, thanks man

    Yes that's normal. If you want to use DMVPN purely as a hub and spoke you could configure the spokes as point to point GRE tunnels while still keeping the hub as mGRE.

    In your case this would look something like this:

    R1:
    !
    int Tunnel0
    ip address 192.168.0.1 255.255.255.0
    tunnel source 51.10.1.2
    tunnel mode gre multipoint
    ip nhrp network-id 1
    !


    R2:
    !
    interface Tunnel0
    ip address 192.168.0.2 255.255.255.0
    ip nhrp network-id 1
    ip nhrp nhs 192.168.0.1
    tunnel source 51.10.2.2
    tunnel destination 51.10.1.2
    !

    Note here how the spoke (R2) will always encapsulate with 51.10.1.2 and therefore doesn't need to know how to reach R3. The hub will get the spoke's mapping through NHRP.

    (config isn't tested, just written).
  • Hondabuff Member Posts: 667
    Under your tunnel interfaces you also have to change the "ip mtu 1400" size and add "ip tcp adjust-mss 1360" since you're adding a GRE header to the packet. You risk fragmenting the packets if you don't. In all honesty, I would learn DVTI with static VTIs on the spokes. It's more scalable and easier to apply your IPsec encapsulation to. The best part is once you get the concept down you can then learn Flex VPN with minimum effort.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • DKempeneers Banned Posts: 36
    Thank you Fredrikjj, I understand ;)

    Hondabuff, I don't know DVTI yet but it looks good. I'll learn about this soon.
  • Hondabuff Member Posts: 667
    Since you learned the commands for GRE you will love DVTI. If you find the SIMOS CBT Nuggets videos by looking around, they have a few videos on it. You will not even need GRE anymore and the config is much easier.
  • whatislife Registered Users Posts: 1
    Hi

    I have the same problem now. I am studying for CCNP Route Exam No.300-101. I am using CBT Nuggets as one of few sources to study. Can you please help me how you were able to configure the GRE and DMVPN part of the third video in the CCNP Route series? The one that includes 3 routers and another which is an ISP