4 Replies Latest reply: Jun 17, 2019 6:09 AM by Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

    DMVPN Phase 2

    Francesco

      Question about NHRP resolution.

       

      We know that without the shortcut/redirect commands NHRP resolution will only be triggered if an NHRP entry is missing and/or the CEF entry is incomplete.

       

      In my case, the spoke does have the entry for the other spoke, but it resolves to the NBMA address of the HUB, which forces my traffic to go via the Hub:

       

      R19#show ip nhrp  (Spoke R19 trying to go to Spoke R20 via Hub R16)

      183.100.1.16/32 via 183.100.1.16     <-- hub VPN address

         Tunnel1 created 00:15:26, never expire

         Type: static, Flags: used

         NBMA address: 10.255.255.16     <-- hub NBMA address

       

      183.100.1.20/32 via 183.100.1.20     <-- Spoke VPN address

         Tunnel1 created 00:00:34, expire 00:02:30

         Type: dynamic, Flags: used temporary

         NBMA address: 10.255.255.16      <-- HUB NBMA address

       

      So, even though the routing table is rightly pointing to the Spoke Next hop, I still end up going through the Hub because the NHRP resolution is pointing me there.

       

      What would be making R16 respond with its own NBMA address instead of the Spoke's NBMA address?

       

      Thanks,

      Francesco

         
        • 1. Re: DMVPN Phase 2
          Samer

          Usually, as you know, the first packets/traffic will show up going via the hub, but if you repeat the same traceroute, for example, it will show going directly from spoke to spoke.

           

          Does it happen like this?

          • 2. Re: DMVPN Phase 2
            Francesco

            Nope, traceroute keeps going via the Hub.

             

            Tried and tried again to reset the connection and clear NHRP entry and it comes up with the same result.

             

            BTW, what you are referring to should be DMVPNv3.

            In the case of DMVPNv2, the route next hop already points to the final destination (the other spoke).

            This gets an NHRP request triggered since the source spoke does not know how to reach that next hop (CEF entry will show up as incomplete). Once the requesting spoke receives the NHRP resolution reply, it will now have a complete CEF entry and it will be able to forward the packet.

             

            However, as is happening above, the NHRP/CEF entries are already there, except that they are populated with the wrong NBMA (the hub)....

            I guess this is the behaviour that the NHS should present when it detects that one of the spokes is behind a NAT, but this is not the case in my Lab.

             

            Francesco

            • 3. Re: DMVPN Phase 2
              jh

              183.100.1.20/32 via 183.100.1.20     <-- Spoke VPN address

                 Tunnel1 created 00:00:34, expire 00:02:30

                 Type: dynamic, Flags: used temporary

                 NBMA address: 10.255.255.16      <-- HUB NBMA address

               

              You will get that entry on R19, if on R20 you have created a static mapping of

              ip nhrp map 183.100.1.20 10.255.255.16
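
The symptom discussed in this thread (a dynamic NHRP entry for a spoke whose NBMA address is the hub's), as an added example that is not part of any poster's reply: a Python check over `show ip nhrp` text that flags such entries. It assumes the static entries on a spoke are its hub (NHS) mappings; the function names and the third cache entry in the sample are constructed for illustration.

```python
import re

# Constructed sample: the first two entries mirror the output quoted in this
# thread, the third is an invented entry that resolves directly to a spoke.
SAMPLE = """\
183.100.1.16/32 via 183.100.1.16
   Tunnel1 created 00:15:26, never expire
   Type: static, Flags: used
   NBMA address: 10.255.255.16
183.100.1.20/32 via 183.100.1.20
   Tunnel1 created 00:00:34, expire 00:02:30
   Type: dynamic, Flags: used temporary
   NBMA address: 10.255.255.16
183.100.1.21/32 via 183.100.1.21
   Tunnel1 created 00:00:12, expire 00:02:48
   Type: dynamic, Flags: used
   NBMA address: 10.255.255.21
"""

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via \S+")
TYPE = re.compile(r"Type: (\w+), Flags: (.*)")
NBMA = re.compile(r"NBMA address: (\S+)")

def parse_nhrp(text):
    """Turn `show ip nhrp` text into a list of dicts, one per cache entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY.match(line):
            entries.append({"vpn": m.group(1), "type": None, "flags": [], "nbma": None})
        elif not entries:
            continue  # ignore anything before the first entry (prompt, banner)
        elif m := TYPE.search(line):
            entries[-1]["type"] = m.group(1)
            entries[-1]["flags"] = m.group(2).split()
        elif m := NBMA.search(line):
            entries[-1]["nbma"] = m.group(1)
    return entries

def hub_relayed(entries):
    """Return VPN addresses of dynamic entries whose NBMA is a hub's NBMA.

    Assumption: static entries are the hub/NHS mappings configured on the spoke.
    """
    hub_nbmas = {e["nbma"] for e in entries if e["type"] == "static"}
    return [e["vpn"] for e in entries
            if e["type"] == "dynamic" and e["nbma"] in hub_nbmas]

if __name__ == "__main__":
    print(hub_relayed(parse_nhrp(SAMPLE)))
```
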

              • 4. Re: DMVPN Phase 2
                Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                Could you please share the DMVPN configuration part for review?