Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls
5. DMVPN Phase 3
Let me go ahead and bring up my GNS3, and I’m going to start with the configuration of the hub. Okay, let’s go ahead and do config t. So what happens? We went over Phase 1, Phase 2 and Phase 3. In Phase 1 you saw that there was no spoke-to-spoke communication; it was only spoke-to-hub communication. In Phase 2 you saw that the spokes were able to communicate with each other, so spoke-to-spoke tunnels were created, and there was also spoke-to-hub communication. But it is not as good as Phase 3. Phase 3 actually does a better job, because in Phase 2 the hub just forwards the traffic to get the spoke-to-spoke tunnel created, but in Phase 3 it’s just a lot better, a lot smoother. So in Phase 3 the NHRP requests are no longer triggered by invalid CEF entries. This means that routing information can be effectively summarized.
So before, in Phase 2, we were not able to do that. Also, in Phase 3 the hub is no longer used as the only source of NHRP information. Instead, all spokes participate in the NHRP information exchange. In Phase 2 you saw that the hub took care of that NHRP information for us, but now in Phase 3 every single router is going to take part in that NHRP information exchange. This model is less server based, in the sense that if the hub goes down we are still going to be able to communicate spoke to spoke, and NHRP replies contain whole routing prefixes instead of just next-hop information. Another piece of good news is that the initial spoke-to-spoke packet is now switched using CEF; it is not process switched like it was before. With NHRP Phase 2 the initial packet has to be switched via the process path, as the CEF adjacency is not valid yet. But in NHRP Phase 3 we are using CEF all the time.
So that’s something in which DMVPN Phase 3 is better; it’s just better overall. Okay, so let’s go ahead and start with the configuration, and we are going to start with the hub like always. If I do show ip interface brief you can see what I have configured. I have configured my NBMA address, which is what we are specifying as the tunnel’s NBMA address, and we also have a loopback address. This is just simulating that I have a network right here, and that is my network. You can see those addresses that I have configured. So now let’s go ahead and configure interface tunnel 0. From here we’re going to specify an IP address of 1924. Now what we need to do over here is no ip split-horizon again. I’m not going to talk about what split horizon does; I’m not going to go into those details. If you want to know what it does, you can just go ahead and Google it or go and watch my other videos where I talk about it. After that we need to do ip nhrp map multicast, and it is going to be dynamic.
Let’s go ahead and do dynamic. Then we do ip nhrp network-id; we are going to say network-id 10. Tunnel source: the source is going to be this interface, which is just over here. Then we do tunnel mode gre multipoint, and this is what creates the mGRE. Okay? After that has been configured we can go ahead and do ip nhrp redirect. What this tells the router is that we are going to redirect the traffic to the spokes so they are able to participate in the NHRP requests. Then we’re going to do ip nhrp shortcut. It is responsible for rewriting the CEF entry after getting the redirect message from the hub. I’m doing it from here just to be safe. It is in the Cisco documentation that you should do it on the hub as well as on the spokes, and that’s why I’m putting it there. But the hub does need to have ip nhrp redirect, otherwise it won’t work. There we go. So we are done with that configuration. As you can see, for DMVPN Phase 3 we have two new commands, which are ip nhrp redirect and ip nhrp shortcut. Okay? So let’s go ahead and start configuring spoke 3. Let’s go to config t on spoke 3. What we need to do is go in and open Leafpad, and let’s configure over here. For this one we are going to create interface tunnel 0 and we are going to need that IP address 324. Then we need to do ip nhrp map. With the map we are going to tell it that one one goes to… because I’m trying to map to the hub. So I’m telling it that if you want to reach the hub, which is this tunnel IP address, I want you to send it to what? The NBMA address. Good.
So after we create the map, we are going to tell it ip nhrp map multicast with the multicast address. So if we get any multicast packets, I want you to send them to this NBMA IP address, which is this one right here of the hub. Then we do ip nhrp network-id, and we’re going to say network-id 10. We can do the tunnel source, which is GigabitEthernet, this one of spoke 3, right? After we do the source, we’re going to do ip nhrp shortcut. Like I said before, it is responsible for rewriting the CEF entry after getting the redirect message from the hub. So after the hub sends that redirect message to the spoke, the spoke is going to apply this ip nhrp shortcut, which means it is going to rewrite the CEF entry. Okay, so that’s done. After that is done, we need to do tunnel mode gre multipoint. Done. And after that has been configured, I forgot to do router eigrp; the one we’re using is 1, no auto-summary.
The networks that we need to add: I need to add my three network, which is the loopback address, and then the other network that I need to add is the one and two. That one is eight 10, which is the IP address of my tunnel. I forgot to do that on my hub, so let’s go ahead and do that: router eigrp 1, I believe. The one that I didn’t do was split horizon. Good. No auto-summary, network one one, which is the loopback address, and then network zero and then two five five. Good. So it looks like we are good. Let me verify that. So we configured the IP address, we did the mapping for the hub, after that we did the multicast, then we did the network ID, then the tunnel source, then ip nhrp shortcut, then tunnel mode gre multipoint, and then we configured the router.
Yes, EIGRP 1. That looks good. So let’s just copy this and paste it into spoke 3. All done. We should be able to form an adjacency with EIGRP. You can see it right here. This spoke didn’t show yet, which is weird. But if we go over here and do show ip nhrp, you can see that it’s incomplete. So it has not formed an adjacency yet; or rather, it has not formed NHRP, they have not formed a tunnel yet. You can see it is incomplete if we go right here. So show ip nhrp: you can see that we have a static entry, but for the hub it’s still incomplete and the flags are negative on the spoke.
It looks like it is working. So now let’s go ahead and configure spoke 2, but we are going to just copy and paste the configuration from over here because it’s going to be the same. We just need to change this network and we also need to change the IP address of this tunnel, and the rest should be the same. Let me verify: one and two, one, multicast good, shortcut. So all that is good; copy. It is saying that the retry limit was exceeded. Interesting. We can go ahead and take a look at that in a second. Let’s go into config t and paste that configuration. So this is done. You can see that it has formed a new neighbor adjacency; if we do show ip eigrp neighbors we have two neighbors, so that’s good. And I want to do something on the hub. Let’s do show ip nhrp: both of them are still incomplete, as you can see. Let’s do config t, actually end. Let’s do show dmvpn: both peer NBMA addresses are unknown, but we can see the tunnels.
So all of that is good. We are still getting this “retry limit exceeded” and then it’s just forming back again. Let’s go into config. Let’s do show run; we’re going to look at the section that we want to see. I want to see the section for the tunnel. Maybe now let’s just do show run. You’re going to see the tunnel right here. So why is it saying no ip redirects right here and then it says redirect? Interesting. Let’s go ahead and just copy all of this.
Let’s go ahead and copy all of this. Instead of pasting, let’s paste it right here. Let’s remove this one, let’s remove this one, and let’s try to delete that tunnel and create it again: no interface tunnel 0, then interface tunnel 0, and then let’s paste that and see what happens. Show ip nhrp: still showing as incomplete. So show ip nhrp again, still showing as incomplete. Show run. Did I do the incorrect command? So ip nhrp redirect, gre multipoint, network-id is 10. Let me do show run.
So we are troubleshooting right now. We have shortcut, network-id 10, multicast is good, because the multicast, if I’m not mistaken, yeah, the multicast is the NBMA address. So that is configured; good. GRE multipoint, did we configure GRE multipoint? Yes, we did. And the hub is still saying that the EIGRP neighbor is retrying. Let’s go ahead and look at this, and let’s go to Google and see what we can find. Let’s see somebody.
“The ip nhrp map multicast command should point to the NBMA address of the hub, and in your configuration the command points to the tunnel IP.” So let’s go ahead and try and use this version. “The ip nhrp map multicast command should point to the NBMA address.” Let’s see if we can just fix it from here. So what we’re going to do is this: multicast is the NBMA address. Let’s do it the way he’s doing it: ip nhrp nhs 192 one, and then we are going to do… so x refers to the overlay, or the tunnel. So x is the tunnel, one, nbma 182101 multicast, interface tunnel 0. Let’s see what’s wrong with our tunnels and try to fix it. Let’s do no ip nhrp… I should do ip nhrp. The one that we configured was… let’s see, do show run.
Let’s try to delete this map right here. No. So we have removed that, and let’s go ahead and add this one. It is saying that it’s already mapped. Let’s go and remove that map. There we go. You can see now it looks like it is working. Let’s go ahead and go to the hub. Show ip nhrp: you can see that now it is working. So the configuration goes like that. Now, as you can see, we still get an error, and that’s because now we are getting the error from this tunnel, which is spoke 2, because we only fixed it on spoke 3.
So let’s go ahead and fix it on spoke 2. We need to delete the map, so go into the interface, delete the map, and then we have to delete this one right here as well, and add this one right here. There we go. Now we are back, as you can see right here. Now spoke 2 is showing it, and if we go to the hub and do show ip nhrp, you can see we now have two dynamic entries. If we do show dmvpn, we can see that the DMVPN now has the two tunnels right here, and those are the NBMA addresses. So it looks like it is working.
So, like you guys saw, I needed to change my configuration: I needed to remove the map and remove the multicast, and I just need to do it like this, ip nhrp nhs, telling it to go to this tunnel address, which is the logical interface, and then to the NBMA address, which is 1921, and it is multicast. And now it is working. If we go to spoke 2, which is over here, I want to ping this loopback address of spoke 3. Let’s just ping spoke 3, one nine 2131, and then do a traceroute to one nine 2131. As you can see, it went through the tunnel first, right? So it went out via the NBMA address and then it ended up on the spoke. Let’s see if we ping this one right here; as you can see, this one is going to the tunnel, which is the one and two. So it went to the hub and then it went to the spoke. But now, since we have established a spoke-to-spoke tunnel, it goes straight to one and two, and from one to three, because we have the spoke-to-spoke tunnel. Before the first ping it went through the hub, but after we learned where it is and the spoke-to-spoke tunnel was built, now it goes straight to the spoke. We could also do the same traceroute from spoke 3. So if we ping 2.2.2.2, you can see it went to the tunnel first, and on the second one it is going to build that dynamic tunnel.
That is the spoke-to-spoke tunnel. And if we ping 192-6812, you can see right here it went straight to one nine two and it did not use that tunnel. What if we ping that 121? If we ping that, it’s just going to go through the ISP, okay, because it is not being encrypted. So it is working, as you can see right now. I just needed to make a simple change right here, and it is working the way I wanted it to. This is DMVPN Phase 3. As you can see, on the first try over here, when we did the traceroute, it went to the hub. But after the first ping went through the hub, they built a spoke-to-spoke tunnel, and now it doesn’t go spoke to hub anymore.
So now we have connectivity spoke to spoke, between the spoke and the spoke. We’re not using the hub, so if the hub goes down we’re still going to have connectivity. Let’s see if that is the case. What if this goes down? What is going to happen? There we go. As you can see, the hub went down, and even though the hub went down, we still have connectivity. Okay, so the hub went down and we still have connectivity, right? So that is why Phase 3 is better than Phase 1. Phase 2 would do the same, but in Phase 3 we are actually using ip nhrp redirect and also ip nhrp shortcut on the spokes. So that’s it for this one.
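The full Phase 3 configuration walked through above, with the spoke mapping mistake beside the form that fixed it, as an added example; this is not the instructor’s lab config. All addresses are constructed (documentation ranges): hub NBMA 203.0.113.1, spoke NBMA 198.51.100.x, overlay 192.168.1.0/24, loopbacks 1.1.1.0/24, 2.2.2.0/24 and 3.3.3.0/24. The NHRP authentication string, the EIGRP summary line and the IPsec section are additions that the lab does not configure; the interface names are assumed.

```cisco
! Added example, not the lab's own config. Addresses are constructed (see lead-in).
!
! ===== HUB =====
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ! "no ip redirects" is ICMP redirects on the interface; it is a different thing
 ! from "ip nhrp redirect" below, which is what Phase 3 needs.
 no ip redirects
 ! the hub must re-advertise spoke routes out the same mGRE interface
 no ip split-horizon eigrp 1
 ! shared NHRP authentication string, must match on every peer (added, not in the lab)
 ip nhrp authentication DMVPNKEY
 ! replicate EIGRP multicast to every spoke that has registered
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ! Phase 3: tell the source spoke there is a better, spoke-to-spoke path
 ip nhrp redirect
 ! Cisco docs list shortcut on the hub too; it is the spokes that actually use it
 ip nhrp shortcut
 ! Phase 3 allows summarization: advertise only a default to the spokes (added, optional)
 ! ip summary-address eigrp 1 0.0.0.0 0.0.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router eigrp 1
 no auto-summary
 network 1.1.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
! ===== SPOKE 3 (spoke 2 is identical except for its own addresses) =====
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 10
 ! rewrite the CEF/NHRP entry for the spoke-to-spoke path after a redirect from the hub
 ip nhrp shortcut
 !
 ! --- original, non-registering form, as read out in the lab ---
 ! ip nhrp map 192.168.1.1 203.0.113.1
 ! ip nhrp map multicast 203.0.113.1
 ! Nothing here declares a next-hop server, so the spoke never sends an NHRP
 ! registration: the hub's entry stays "incomplete" and EIGRP hits "retry limit exceeded".
 !
 ! --- working form: NHS, NBMA mapping and multicast replication in one statement ---
 ip nhrp nhs 192.168.1.1 nbma 203.0.113.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router eigrp 1
 no auto-summary
 network 3.3.3.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
! ===== optional but recommended: encrypt the mGRE tunnel (the lab leaves it cleartext) =====
! The lab ships GRE in the clear, so anyone on the underlay path can read the overlay
! traffic. Apply the profile on every Tunnel0 with "tunnel protection ipsec profile".
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! wildcard pre-shared key shown only for brevity; prefer per-peer keys or certificates
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
! interface Tunnel0
!  tunnel protection ipsec profile DMVPN-PROF
!
! ===== verification =====
! hub:     show ip nhrp            -> one dynamic entry per spoke, no longer "incomplete"
! hub:     show dmvpn              -> peer NBMA addresses known, tunnels UP
! hub:     show ip eigrp neighbors -> one neighbour per spoke on Tunnel0
! spoke 2: traceroute 3.3.3.3      -> first packet via 192.168.1.1, later ones straight to 192.168.1.3
! spoke 2: show ip nhrp            -> NHRP shortcut entry for spoke 3 learned after the redirect
```

The point the troubleshooting passage turns on is visible in the two commented spoke forms: `ip nhrp map` and `ip nhrp map multicast` only build static mappings, while `ip nhrp nhs … nbma … multicast` also names the hub as next-hop server, which is what triggers NHRP registration. Replacing the two map lines with that single statement is exactly the change made on both spokes.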