DMVPN Phase 3 Dual Hub with IPSec Lab

Hi everyone, in this lab I’ll walk you through how to configure a Dual Hub DMVPN Phase 3 topology with IPSec.

The topology is prepared in advance: I’ve already configured the basic interface IP addresses and underlay routing, so I’ll focus only on the parts relevant to this lab.

I’ll start by configuring the Hubs.

Here is the topology:

Topology

HUB-1:

IPSEC:

HUB-1(config)#crypto isakmp policy 10
HUB-1(config-isakmp)#?  
ISAKMP commands:  
 authentication  Set authentication method for protection suite  
 default         Set a command to its defaults  
 encryption      Set encryption algorithm for protection suite  
 exit            Exit from ISAKMP protection suite configuration mode  
 group           Set the Diffie-Hellman group  
 hash            Set hash algorithm for protection suite  
 lifetime        Set lifetime for ISAKMP security association  
 no              Negate a command or set its defaults
 
HUB-1(config-isakmp)#authentication pre-share
HUB-1(config-isakmp)#encryption aes 256
HUB-1(config-isakmp)#group 14
HUB-1(config-isakmp)#hash sha256
HUB-1(config-isakmp)#lifetime 86400
HUB-1(config-isakmp)#exit

HUB-1(config)#crypto isakmp key besiktas address 0.0.0.0 0.0.0.0

HUB-1(config)#crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
HUB-1(cfg-crypto-trans)#mode transport    
HUB-1(cfg-crypto-trans)#exit

HUB-1(config)#crypto ipsec profile DMVPN-PROFILE     
HUB-1(ipsec-profile)#set transform-set DMVPN-TS  
HUB-1(ipsec-profile)#exit

DMVPN:

HUB-1(config)#int tunnel 0  
HUB-1(config-if)#ip addr 50.50.50.1 255.255.255.0   
HUB-1(config-if)#tunnel source g0/0  
HUB-1(config-if)#tunnel mode gre multipoint
HUB-1(config-if)#tunnel key 1000   
HUB-1(config-if)#tunnel protection ipsec profile DMVPN-PROFILE
HUB-1(config-if)#ip mtu 1400
HUB-1(config-if)#ip tcp adjust-mss 1360
HUB-1(config-if)#ip nhrp network-id 10
HUB-1(config-if)#ip nhrp authentication quaresma
HUB-1(config-if)#ip nhrp map multicast dynamic
HUB-1(config-if)#ip nhrp map multicast 100.0.0.6
HUB-1(config-if)#ip nhrp map 50.50.50.2 100.0.0.6
HUB-1(config-if)#ip nhrp redirect
HUB-1(config-if)#ip ospf network point-to-multipoint     
HUB-1(config-if)#ip ospf priority 255
HUB-1(config-if)#exit  

OSPF:

HUB-1(config)#router ospf 1  
HUB-1(config-router)#router-id 1.1.1.1  
HUB-1(config-router)#network 50.50.50.0 0.0.0.255 area 0  
HUB-1(config-router)#network 1.1.1.1 255.255.255.255 area 0  
HUB-1(config-router)#exit

HUB-2:

IPSEC:

HUB-2>en  
HUB-2#conf t  
Enter configuration commands, one per line.  End with CNTL/Z.  
HUB-2(config)#crypto isakmp policy 10  
HUB-2(config-isakmp)#encryption aes 256  
HUB-2(config-isakmp)#hash sha256  
HUB-2(config-isakmp)#authentication pre-share  
HUB-2(config-isakmp)#group 14  
HUB-2(config-isakmp)#lifetime 86400  
HUB-2(config-isakmp)#exit  
 
HUB-2(config)#crypto isakmp key besiktas address 0.0.0.0 0.0.0.0  

HUB-2(config)#crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac  
HUB-2(cfg-crypto-trans)#mode transport  
HUB-2(cfg-crypto-trans)#exit  

HUB-2(config)#crypto ipsec profile DMVPN-PROFILE  
HUB-2(ipsec-profile)#set transform-set DMVPN-TS  
HUB-2(ipsec-profile)#exit  

DMVPN:

HUB-2(config)#interface tunnel 0  
HUB-2(config-if)#ip address 50.50.50.2 255.255.255.0  
HUB-2(config-if)#tunnel mode gre multipoint  
HUB-2(config-if)#tunnel source g0/0  
HUB-2(config-if)#tunnel key 1000  
HUB-2(config-if)#ip mtu 1400  
HUB-2(config-if)#ip tcp adjust-mss 1360  
HUB-2(config-if)#tunnel protection ipsec profile DMVPN-PROFILE  
HUB-2(config-if)#ip nhrp authentication quaresma  
HUB-2(config-if)#ip nhrp network-id 10  
HUB-2(config-if)#ip nhrp map multicast dynamic
HUB-2(config-if)#ip nhrp map multicast 100.0.0.2
HUB-2(config-if)#ip nhrp map 50.50.50.1 100.0.0.2
HUB-2(config-if)#ip nhrp redirect  
HUB-2(config-if)#ip ospf network point-to-multipoint  
HUB-2(config-if)#ip ospf priority 254  
HUB-2(config-if)#exit  

OSPF:

HUB-2(config)#router ospf 1  
HUB-2(config-router)#router-id 2.2.2.2  
HUB-2(config-router)#network 2.2.2.2 255.255.255.255 area 0  
HUB-2(config-router)#network 50.50.50.0 255.255.255.0 area 0  
HUB-2(config-router)#end

Both Hub configurations are done. Now it’s time for the Spokes.


SPOKE-1:

IPSEC:

SPOKE-1>en  
SPOKE-1#conf t  
Enter configuration commands, one per line.  End with CNTL/Z.  
SPOKE-1(config)#crypto isakmp policy 10  
SPOKE-1(config-isakmp)#encryption aes 256  
SPOKE-1(config-isakmp)#hash sha256  
SPOKE-1(config-isakmp)#authentication pre-share  
SPOKE-1(config-isakmp)#group 14  
SPOKE-1(config-isakmp)#lifetime 86400  
SPOKE-1(config-isakmp)#exit  

SPOKE-1(config)#crypto isakmp key besiktas address 0.0.0.0 0.0.0.0 
 
SPOKE-1(config)#crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
SPOKE-1(cfg-crypto-trans)#mode transport  
SPOKE-1(cfg-crypto-trans)#exit  

SPOKE-1(config)#crypto ipsec profile DMVPN-PROFILE  
SPOKE-1(ipsec-profile)#set transform-set DMVPN-TS  
SPOKE-1(ipsec-profile)#exit  

DMVPN:

SPOKE-1(config)#interface tunnel 0  
SPOKE-1(config-if)#ip address 50.50.50.3 255.255.255.0  
SPOKE-1(config-if)#tunnel mode gre multipoint  
SPOKE-1(config-if)#tunnel source g0/0  
SPOKE-1(config-if)#tunnel key 1000  
SPOKE-1(config-if)#ip mtu 1400  
SPOKE-1(config-if)#ip tcp adjust-mss 1360  
SPOKE-1(config-if)#tunnel protection ipsec profile DMVPN-PROFILE  
SPOKE-1(config-if)#ip nhrp authentication quaresma  
SPOKE-1(config-if)#ip nhrp network-id 10  
SPOKE-1(config-if)#ip nhrp map multicast 100.0.0.2  
SPOKE-1(config-if)#ip nhrp map multicast 100.0.0.6  
SPOKE-1(config-if)#ip nhrp map 50.50.50.1 100.0.0.2  
SPOKE-1(config-if)#ip nhrp map 50.50.50.2 100.0.0.6  
SPOKE-1(config-if)#ip nhrp nhs 50.50.50.1  
SPOKE-1(config-if)#ip nhrp nhs 50.50.50.2  
SPOKE-1(config-if)#ip nhrp shortcut  
SPOKE-1(config-if)#ip ospf network point-to-multipoint  
SPOKE-1(config-if)#ip ospf priority 0  
SPOKE-1(config-if)#exit  

OSPF:

SPOKE-1(config)#router ospf 1  
SPOKE-1(config-router)#router-id 3.3.3.3  
SPOKE-1(config-router)#network 3.3.3.3 255.255.255.255 area 0  
SPOKE-1(config-router)#network 50.50.50.0 255.255.255.0 area 0  
SPOKE-1(config-router)#end

SPOKE-2:

IPSEC:

SPOKE-2>en  
SPOKE-2#conf t  
SPOKE-2(config)#crypto isakmp policy 10  
SPOKE-2(config-isakmp)#encryption aes 256  
SPOKE-2(config-isakmp)#hash sha256  
SPOKE-2(config-isakmp)#authentication pre-share  
SPOKE-2(config-isakmp)#group 14  
SPOKE-2(config-isakmp)#lifetime 86400  
SPOKE-2(config-isakmp)#exit  

SPOKE-2(config)#crypto isakmp key besiktas address 0.0.0.0 0.0.0.0  

SPOKE-2(config)#crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
SPOKE-2(cfg-crypto-trans)#mode transport  
SPOKE-2(cfg-crypto-trans)#exit  

SPOKE-2(config)#crypto ipsec profile DMVPN-PROFILE  
SPOKE-2(ipsec-profile)#set transform-set DMVPN-TS  
SPOKE-2(ipsec-profile)#exit  

DMVPN:

SPOKE-2(config)#interface tunnel 0  
SPOKE-2(config-if)#ip address 50.50.50.4 255.255.255.0  
SPOKE-2(config-if)#tunnel mode gre multipoint  
SPOKE-2(config-if)#tunnel source g0/0  
SPOKE-2(config-if)#tunnel key 1000  
SPOKE-2(config-if)#ip mtu 1400  
SPOKE-2(config-if)#ip tcp adjust-mss 1360  
SPOKE-2(config-if)#tunnel protection ipsec profile DMVPN-PROFILE  
SPOKE-2(config-if)#ip nhrp authentication quaresma  
SPOKE-2(config-if)#ip nhrp network-id 10  
SPOKE-2(config-if)#ip nhrp map multicast 100.0.0.2  
SPOKE-2(config-if)#ip nhrp map multicast 100.0.0.6  
SPOKE-2(config-if)#ip nhrp map 50.50.50.1 100.0.0.2  
SPOKE-2(config-if)#ip nhrp map 50.50.50.2 100.0.0.6  
SPOKE-2(config-if)#ip nhrp nhs 50.50.50.1  
SPOKE-2(config-if)#ip nhrp nhs 50.50.50.2  
SPOKE-2(config-if)#ip nhrp shortcut  
SPOKE-2(config-if)#ip ospf network point-to-multipoint  
SPOKE-2(config-if)#ip ospf priority 0  
SPOKE-2(config-if)#exit  

OSPF:

SPOKE-2(config)#router ospf 1  
SPOKE-2(config-router)#router-id 4.4.4.4  
SPOKE-2(config-router)#network 4.4.4.4 255.255.255.255 area 0  
SPOKE-2(config-router)#network 50.50.50.0 255.255.255.0 area 0  
SPOKE-2(config-router)#end

SPOKE-3:

IPSEC:

SPOKE-3>en  
SPOKE-3#conf t  
SPOKE-3(config)#crypto isakmp policy 10  
SPOKE-3(config-isakmp)#encryption aes 256  
SPOKE-3(config-isakmp)#hash sha256  
SPOKE-3(config-isakmp)#authentication pre-share  
SPOKE-3(config-isakmp)#group 14  
SPOKE-3(config-isakmp)#lifetime 86400  
SPOKE-3(config-isakmp)#exit  

SPOKE-3(config)#crypto isakmp key besiktas address 0.0.0.0 0.0.0.0  

SPOKE-3(config)#crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
SPOKE-3(cfg-crypto-trans)#mode transport  
SPOKE-3(cfg-crypto-trans)#exit  

SPOKE-3(config)#crypto ipsec profile DMVPN-PROFILE  
SPOKE-3(ipsec-profile)#set transform-set DMVPN-TS  
SPOKE-3(ipsec-profile)#exit  

DMVPN:

SPOKE-3(config)#interface tunnel 0  
SPOKE-3(config-if)#ip address 50.50.50.5 255.255.255.0  
SPOKE-3(config-if)#tunnel mode gre multipoint  
SPOKE-3(config-if)#tunnel source g0/0  
SPOKE-3(config-if)#tunnel key 1000  
SPOKE-3(config-if)#ip mtu 1400  
SPOKE-3(config-if)#ip tcp adjust-mss 1360  
SPOKE-3(config-if)#tunnel protection ipsec profile DMVPN-PROFILE  
SPOKE-3(config-if)#ip nhrp authentication quaresma  
SPOKE-3(config-if)#ip nhrp network-id 10  
SPOKE-3(config-if)#ip nhrp map multicast 100.0.0.2  
SPOKE-3(config-if)#ip nhrp map multicast 100.0.0.6  
SPOKE-3(config-if)#ip nhrp map 50.50.50.1 100.0.0.2  
SPOKE-3(config-if)#ip nhrp map 50.50.50.2 100.0.0.6  
SPOKE-3(config-if)#ip nhrp nhs 50.50.50.1  
SPOKE-3(config-if)#ip nhrp nhs 50.50.50.2  
SPOKE-3(config-if)#ip nhrp shortcut  
SPOKE-3(config-if)#ip ospf network point-to-multipoint  
SPOKE-3(config-if)#ip ospf priority 0  
SPOKE-3(config-if)#exit  

OSPF:

SPOKE-3(config)#router ospf 1  
SPOKE-3(config-router)#router-id 5.5.5.5  
SPOKE-3(config-router)#network 5.5.5.5 255.255.255.255 area 0  
SPOKE-3(config-router)#network 50.50.50.0 255.255.255.0 area 0  
SPOKE-3(config-router)#end


TESTS

HUB-1

  • DMVPN Table:
HUB-1#sh dmvpn  
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete  
       N - NATed, L - Local, X - No Socket  
       T1 - Route Installed, T2 - Nexthop-override  
       C - CTS Capable, I2 - Temporary  
       # Ent --> Number of NHRP entries with same NBMA peer  
       NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting  
       UpDn Time --> Up or Down Time for a Tunnel  
==========================================================================  
  
Interface: Tunnel0, IPv4 NHRP Details    
Type:Hub/Spoke, NHRP Peers:4,    
  
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb  
----- --------------- --------------- ----- -------- -----  
    1 100.0.0.6            50.50.50.2  NHRP    never    SC  
    1 100.0.0.10           50.50.50.3    UP 00:01:40     D  
    1 100.0.0.14           50.50.50.4    UP 00:01:21     D  
    1 100.0.0.18           50.50.50.5    UP 00:01:07     D
  • NHRP Table:
HUB-1#sh ip nhrp  
50.50.50.2/32 via 50.50.50.2  
  Tunnel0 created 00:14:45, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.6    
50.50.50.3/32 via 50.50.50.3  
  Tunnel0 created 00:06:32, expire 00:06:47  
  Type: dynamic, Flags: registered nhop    
  NBMA address: 100.0.0.10    
50.50.50.4/32 via 50.50.50.4  
  Tunnel0 created 00:06:31, expire 00:07:07  
  Type: dynamic, Flags: registered nhop    
  NBMA address: 100.0.0.14    
50.50.50.5/32 via 50.50.50.5  
  Tunnel0 created 00:05:58, expire 00:07:21  
  Type: dynamic, Flags: registered nhop    
  NBMA address: 100.0.0.18

HUB-2

  • DMVPN Table:
HUB-2(config)#do sh dmvpn  
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete  
       N - NATed, L - Local, X - No Socket  
       T1 - Route Installed, T2 - Nexthop-override  
       C - CTS Capable, I2 - Temporary  
       # Ent --> Number of NHRP entries with same NBMA peer  
       NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting  
       UpDn Time --> Up or Down Time for a Tunnel  
==========================================================================  
  
Interface: Tunnel0, IPv4 NHRP Details    
Type:Hub/Spoke, NHRP Peers:4,    
  
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb  
----- --------------- --------------- ----- -------- -----  
    1 100.0.0.2            50.50.50.1  NHRP    never    SC  
    1 100.0.0.10           50.50.50.3    UP 00:02:05     D  
    1 100.0.0.14           50.50.50.4    UP 00:01:46     D  
    1 100.0.0.18           50.50.50.5    UP 00:01:32     D
  • NHRP Table:
HUB-2(config)#do sh ip nhrp  
50.50.50.1/32 via 50.50.50.1  
  Tunnel0 created 00:12:52, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.2    
50.50.50.3/32 via 50.50.50.3  
  Tunnel0 created 00:05:59, expire 00:07:20  
  Type: dynamic, Flags: registered nhop    
  NBMA address: 100.0.0.10    
50.50.50.4/32 via 50.50.50.4  
  Tunnel0 created 00:05:58, expire 00:07:39  
  Type: dynamic, Flags: registered nhop    
  NBMA address: 100.0.0.14    
50.50.50.5/32 via 50.50.50.5  
  Tunnel0 created 00:05:58, expire 00:07:53  
  Type: dynamic, Flags: registered nhop    
  NBMA address: 100.0.0.18

SPOKE-1

  • DMVPN Table:
SPOKE-1#sh dmvpn  
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete  
       N - NATed, L - Local, X - No Socket  
       T1 - Route Installed, T2 - Nexthop-override  
       C - CTS Capable, I2 - Temporary  
       # Ent --> Number of NHRP entries with same NBMA peer  
       NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting  
       UpDn Time --> Up or Down Time for a Tunnel  
==========================================================================  
  
Interface: Tunnel0, IPv4 NHRP Details    
Type:Spoke, NHRP Peers:2,    
  
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb  
----- --------------- --------------- ----- -------- -----  
    1 100.0.0.2            50.50.50.1    UP 00:02:25     S  
    1 100.0.0.6            50.50.50.2    UP 00:02:25     S
  • NHRP Table:
SPOKE-1#sh ip nhrp  
50.50.50.1/32 via 50.50.50.1  
  Tunnel0 created 00:05:40, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.2    
50.50.50.2/32 via 50.50.50.2  
  Tunnel0 created 00:05:40, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.6  

SPOKE-2

  • DMVPN Table:
SPOKE-2#sh dmvpn  
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete  
       N - NATed, L - Local, X - No Socket  
       T1 - Route Installed, T2 - Nexthop-override  
       C - CTS Capable, I2 - Temporary  
       # Ent --> Number of NHRP entries with same NBMA peer  
       NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting  
       UpDn Time --> Up or Down Time for a Tunnel  
==========================================================================  
  
Interface: Tunnel0, IPv4 NHRP Details    
Type:Spoke, NHRP Peers:2,    
  
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb  
----- --------------- --------------- ----- -------- -----  
    1 100.0.0.2            50.50.50.1    UP 00:02:28     S  
    1 100.0.0.6            50.50.50.2    UP 00:02:28     S
  • NHRP Table:
SPOKE-2#sh ip nhrp  
50.50.50.1/32 via 50.50.50.1  
  Tunnel0 created 00:04:57, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.2    
50.50.50.2/32 via 50.50.50.2  
  Tunnel0 created 00:04:57, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.6   

SPOKE-3

  • DMVPN Table:
SPOKE-3#sh dmvpn  
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete  
       N - NATed, L - Local, X - No Socket  
       T1 - Route Installed, T2 - Nexthop-override  
       C - CTS Capable, I2 - Temporary  
       # Ent --> Number of NHRP entries with same NBMA peer  
       NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting  
       UpDn Time --> Up or Down Time for a Tunnel  
==========================================================================  
  
Interface: Tunnel0, IPv4 NHRP Details    
Type:Spoke, NHRP Peers:2,    
  
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb  
----- --------------- --------------- ----- -------- -----  
    1 100.0.0.2            50.50.50.1    UP 00:02:27     S  
    1 100.0.0.6            50.50.50.2    UP 00:02:26     S
  • NHRP Table:
SPOKE-3#show ip nhrp  
50.50.50.1/32 via 50.50.50.1  
  Tunnel0 created 00:02:54, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.2    
50.50.50.2/32 via 50.50.50.2  
  Tunnel0 created 00:02:54, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.6    

As the tables above show, even though everything necessary is configured, the Spokes do not yet know how to reach each other directly. This is the nature of DMVPN Phase 3.

In Phase 3, once a spoke pings another spoke, it learns the route and writes it to the DMVPN table.

That means, I’ll be able to see a new DMVPN tunnel entry once I ping from SPOKE-1 to SPOKE-2 and SPOKE-3.

Let’s see.

SPOKE-1:

SPOKE-1#sh dmvpn  
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete  
       N - NATed, L - Local, X - No Socket  
       T1 - Route Installed, T2 - Nexthop-override  
       C - CTS Capable, I2 - Temporary  
       # Ent --> Number of NHRP entries with same NBMA peer  
       NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting  
       UpDn Time --> Up or Down Time for a Tunnel  
==========================================================================  
  
Interface: Tunnel0, IPv4 NHRP Details    
Type:Spoke, NHRP Peers:2,    
  
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb  
----- --------------- --------------- ----- -------- -----  
    1 100.0.0.2            50.50.50.1    UP 00:07:41     S  
    1 100.0.0.6            50.50.50.2    UP 00:07:41     S  
  
  
  
SPOKE-1#ping 4.4.4.4  
Type escape sequence to abort.  
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:  
!!!!!  
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/35/44 ms 


 
SPOKE-1#sh dmvpn       
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete  
       N - NATed, L - Local, X - No Socket  
       T1 - Route Installed, T2 - Nexthop-override  
       C - CTS Capable, I2 - Temporary  
       # Ent --> Number of NHRP entries with same NBMA peer  
       NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting  
       UpDn Time --> Up or Down Time for a Tunnel  
==========================================================================  
  
Interface: Tunnel0, IPv4 NHRP Details    
Type:Spoke, NHRP Peers:3,    
  
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb  
----- --------------- --------------- ----- -------- -----  
    2 100.0.0.14           50.50.50.4    UP 00:00:02   DT2  
                           50.50.50.4    UP 00:00:02   DT2  
    1 100.0.0.2            50.50.50.1    UP 00:07:50     S  
    1 100.0.0.6            50.50.50.2    UP 00:07:50     S  
    
    
    
    
SPOKE-1#sh ip nhrp  
4.4.4.4/32 via 50.50.50.4  
  Tunnel0 created 00:02:35, expire 00:07:24  
  Type: dynamic, Flags: router rib nho    
  NBMA address: 100.0.0.14    
50.50.50.1/32 via 50.50.50.1  
  Tunnel0 created 00:10:23, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.2    
50.50.50.2/32 via 50.50.50.2  
  Tunnel0 created 00:10:23, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.6    
50.50.50.3/32 via 50.50.50.3  
  Tunnel0 created 00:02:35, expire 00:07:24  
  Type: dynamic, Flags: router unique local    
  NBMA address: 100.0.0.10    
   (no-socket)    
50.50.50.4/32 via 50.50.50.4  
  Tunnel0 created 00:02:35, expire 00:07:24  
  Type: dynamic, Flags: router nhop rib nho    
  NBMA address: 100.0.0.14

Now, SPOKE-1 just learned how to reach SPOKE-2.

Traceroute Test:

In this test I’ll show you how Spokes learn the direct path to reach each other through the Hub.

SPOKE-3:

SPOKE-3#sh dmvpn  
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete  
       N - NATed, L - Local, X - No Socket  
       T1 - Route Installed, T2 - Nexthop-override  
       C - CTS Capable, I2 - Temporary  
       # Ent --> Number of NHRP entries with same NBMA peer  
       NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting  
       UpDn Time --> Up or Down Time for a Tunnel  
==========================================================================  
  
Interface: Tunnel0, IPv4 NHRP Details    
Type:Spoke, NHRP Peers:2,    
  
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb  
----- --------------- --------------- ----- -------- -----  
    1 100.0.0.2            50.50.50.1    UP 00:10:32     S  
    1 100.0.0.6            50.50.50.2    UP 00:10:32     S  
  
  

SPOKE-3#sh ip nhrp  
50.50.50.1/32 via 50.50.50.1  
  Tunnel0 created 00:10:38, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.2    
50.50.50.2/32 via 50.50.50.2  
  Tunnel0 created 00:10:38, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.6    



SPOKE-3#traceroute 3.3.3.3  
Type escape sequence to abort.  
Tracing the route to 3.3.3.3  
VRF info: (vrf in name/id, vrf out name/id)  
 1 50.50.50.1 14 msec  
   50.50.50.2 12 msec  
   50.50.50.1 14 msec  
 2 50.50.50.3 26 msec 25 msec *    
SPOKE-3#

As you see above, the very first time, SPOKE-3 went through the Hubs to learn how to reach SPOKE-1. Once it has learned the path, it writes the direct path into its NHRP table.

Now, I’ll run the traceroute again to show you how it reaches SPOKE-1 directly.

SPOKE-3#traceroute 3.3.3.3  
Type escape sequence to abort.  
Tracing the route to 3.3.3.3  
VRF info: (vrf in name/id, vrf out name/id)  
 1 50.50.50.3 19 msec 19 msec * 
 

SPOKE-3#sh ip nhrp  
3.3.3.3/32 via 50.50.50.3  
  Tunnel0 created 00:08:23, expire 00:01:36  
  Type: dynamic, Flags: router used rib nho    
  NBMA address: 100.0.0.10    
50.50.50.1/32 via 50.50.50.1  
  Tunnel0 created 00:19:56, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.2    
50.50.50.2/32 via 50.50.50.2  
  Tunnel0 created 00:19:56, never expire    
  Type: static, Flags: used    
  NBMA address: 100.0.0.6    
50.50.50.3/32 via 50.50.50.3  
  Tunnel0 created 00:08:23, expire 00:01:36  
  Type: dynamic, Flags: router nhop rib nho    
  NBMA address: 100.0.0.10    
50.50.50.5/32 via 50.50.50.5  
  Tunnel0 created 00:08:23, expire 00:01:36  
  Type: dynamic, Flags: router unique local    
  NBMA address: 100.0.0.18    
   (no-socket)   

As you see, SPOKE-3 now reaches SPOKE-1 directly. From now on, they will reach each other directly.
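
The shortcut learning shown above can be checked from the show ip nhrp text itself. The following is an added example, not part of the original lab: it parses the SPOKE-3 output copied from this page, lists the dynamic spoke-to-spoke entries, and compares their NBMA addresses with the spoke addresses seen in the hub tables (worth checking because the ISAKMP key in this lab is bound to 0.0.0.0 0.0.0.0). The names NhrpEntry, parse_show_ip_nhrp, shortcut_entries, unknown_peers and KNOWN_SPOKE_NBMA are made up for this example.

```python
import re
from dataclasses import dataclass

# "show ip nhrp" text copied from the SPOKE-3 output above (after the traceroute).
AFTER = """\
3.3.3.3/32 via 50.50.50.3
  Tunnel0 created 00:08:23, expire 00:01:36
  Type: dynamic, Flags: router used rib nho
  NBMA address: 100.0.0.10
50.50.50.1/32 via 50.50.50.1
  Tunnel0 created 00:19:56, never expire
  Type: static, Flags: used
  NBMA address: 100.0.0.2
50.50.50.2/32 via 50.50.50.2
  Tunnel0 created 00:19:56, never expire
  Type: static, Flags: used
  NBMA address: 100.0.0.6
50.50.50.3/32 via 50.50.50.3
  Tunnel0 created 00:08:23, expire 00:01:36
  Type: dynamic, Flags: router nhop rib nho
  NBMA address: 100.0.0.10
50.50.50.5/32 via 50.50.50.5
  Tunnel0 created 00:08:23, expire 00:01:36
  Type: dynamic, Flags: router unique local
  NBMA address: 100.0.0.18
   (no-socket)
"""

# Assumed allow-list: the spoke NBMA addresses that appear in the hub tables above.
KNOWN_SPOKE_NBMA = {"100.0.0.10", "100.0.0.14", "100.0.0.18"}
ENTRY_RE = re.compile(r"^(\S+/\d+) via (\S+)$")

@dataclass
class NhrpEntry:
    prefix: str
    via: str
    kind: str = ""        # "static" or "dynamic"
    flags: tuple = ()     # e.g. ("router", "nhop", "rib", "nho")
    nbma: str = ""        # underlay (public) address of the peer
    no_socket: bool = False

def parse_show_ip_nhrp(text):
    """Turn 'show ip nhrp' text into NhrpEntry records, one per prefix."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            cur = NhrpEntry(prefix=m.group(1), via=m.group(2))
            entries.append(cur)
        elif cur and line.startswith("Type:"):
            kind, _, flags = line.partition(", Flags:")
            cur.kind = kind.split(":", 1)[1].strip()
            cur.flags = tuple(flags.split())
        elif cur and line.startswith("NBMA address:"):
            cur.nbma = line.split(":", 1)[1].strip()
        elif cur and line == "(no-socket)":
            cur.no_socket = True
    return entries

def shortcut_entries(entries):
    """Dynamic mappings to a remote peer; skips static NHS maps and the 'local' self entry."""
    return [e for e in entries if e.kind == "dynamic" and "local" not in e.flags]

def unknown_peers(entries, known=KNOWN_SPOKE_NBMA):
    """Shortcut entries whose NBMA address is not one of the expected spokes."""
    return [e for e in shortcut_entries(entries) if e.nbma not in known]

if __name__ == "__main__":
    print([(e.prefix, e.nbma) for e in shortcut_entries(parse_show_ip_nhrp(AFTER))])
```

Run against the output captured before the first traceroute, shortcut_entries returns an empty list, since only the two static hub mappings exist at that point.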

Thank you for taking the time to read this article. I hope you find it useful.

Keep up the great work!