DMVPN LAB1

  • Use OSPF for underlay
  • Create phase3 DMVPN
  • Encrypt the DMVPN
  • BONUS: Transform the SPOKE R1 to a FrontDoor VRF

R1 = HUB
R2-4 = SPOKE
R5 = De Sjaak

Configurations…

R1

hostname R1
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key pindakaas address 0.0.0.0
!
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANSFORM
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface Ethernet0/0
 ip address 100.100.51.1 255.255.255.0
!
router ospf 1
 network 100.100.0.0 0.0.255.255 area 0
!
R2

hostname R2
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key pindakaas address 0.0.0.0
!
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANSFORM
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.10.10.1 100.100.51.1
 ip nhrp map multicast 100.100.51.1
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface Ethernet0/0
 ip address 100.100.52.2 255.255.255.0
!
router ospf 1
 network 100.100.0.0 0.0.255.255 area 0
R3

hostname R3
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key pindakaas address 0.0.0.0
!
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANSFORM
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 10.10.10.3 255.255.255.0
 no ip redirects
 ip nhrp map 10.10.10.1 100.100.51.1
 ip nhrp map multicast 100.100.51.1
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface Ethernet0/0
 ip address 100.100.53.3 255.255.255.0
!
router ospf 1
 network 100.100.0.0 0.0.255.255 area 0
R4

hostname R4
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key pindakaas address 0.0.0.0
!
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANSFORM
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Tunnel0
 ip address 10.10.10.4 255.255.255.0
 no ip redirects
 ip nhrp map 10.10.10.1 100.100.51.1
 ip nhrp map multicast 100.100.51.1
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface Ethernet0/0
 ip address 100.100.54.4 255.255.255.0
!
router ospf 1
 network 100.100.0.0 0.0.255.255 area 0
R1#show ip nhrp
10.10.10.2/32 via 10.10.10.2
   Tunnel0 created 00:19:38, expire 01:51:09
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 100.100.52.2
10.10.10.3/32 via 10.10.10.3
   Tunnel0 created 00:15:56, expire 01:51:14
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 100.100.53.3
10.10.10.4/32 via 10.10.10.4
   Tunnel0 created 00:16:11, expire 01:51:19
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 100.100.54.4
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.100.51.1    100.100.53.3    QM_IDLE           1003 ACTIVE
100.100.52.2    100.100.51.1    QM_IDLE           1002 ACTIVE
100.100.51.1    100.100.52.2    QM_IDLE           1001 ACTIVE
100.100.53.3    100.100.51.1    QM_IDLE           1006 ACTIVE
100.100.54.4    100.100.51.1    QM_IDLE           1005 ACTIVE
100.100.51.1    100.100.54.4    QM_IDLE           1004 ACTIVE
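An operational check that follows from the two outputs above, written as an added Python example (not part of the lab notes): it parses the hub's `show ip nhrp` and `show crypto isakmp sa` output and reports every registered spoke whose NBMA address has no ACTIVE IKE SA with the hub, which is what a dropped IPsec session looks like while the NHRP cache entry has not yet expired. The sample strings are the lab's own R1 outputs, re-typed and trimmed; R4's SA rows are deliberately left out to produce a finding.

```python
import re

HUB_NBMA = "100.100.51.1"  # R1's Ethernet0/0, the hub's NBMA address in the lab

# Constructed sample: the lab's R1 'show' output, trimmed, with R4's ISAKMP rows
# left out so that one spoke has NHRP state but no IKE SA.
SHOW_IP_NHRP = """\
10.10.10.2/32 via 10.10.10.2
   Tunnel0 created 00:19:38, expire 01:51:09
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 100.100.52.2
10.10.10.4/32 via 10.10.10.4
   Tunnel0 created 00:16:11, expire 01:51:19
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 100.100.54.4
"""
SHOW_CRYPTO_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.100.52.2    100.100.51.1    QM_IDLE           1002 ACTIVE
100.100.51.1    100.100.52.2    QM_IDLE           1001 ACTIVE
"""

def parse_nhrp(text):
    """Map tunnel IP -> NBMA IP for every NHRP entry whose flags include 'registered'."""
    spokes, tunnel_ip, registered = {}, None, False
    for line in text.splitlines():
        head = re.match(r"(\d+\.\d+\.\d+\.\d+)/\d+ via", line)
        if head:
            tunnel_ip, registered = head.group(1), False
        elif "Flags:" in line:
            registered = "registered" in line.split("Flags:")[1]
        elif "NBMA address:" in line and tunnel_ip and registered:
            spokes[tunnel_ip] = line.split("NBMA address:")[1].strip()
    return spokes

def parse_isakmp(text):
    """Set of (dst, src) pairs whose IKE SA is in state QM_IDLE and status ACTIVE."""
    sas = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == "QM_IDLE" and f[4] == "ACTIVE":
            sas.add((f[0], f[1]))
    return sas

def unprotected_spokes(nhrp_text, isakmp_text, hub=HUB_NBMA):
    """NBMA addresses registered in NHRP that have no ACTIVE IKE SA in either direction."""
    sas = parse_isakmp(isakmp_text)
    return sorted(nbma for nbma in parse_nhrp(nhrp_text).values()
                  if (hub, nbma) not in sas and (nbma, hub) not in sas)
```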


Bonus: Change to frontdoor VRF.

The added/changed lines (bold in the original) are the vrf definition ULAY block, the crypto keyring KEYRING vrf ULAY (which replaces the global crypto isakmp key), tunnel vrf ULAY under Tunnel0, vrf forwarding ULAY under Ethernet0/0, and router ospf 1 vrf ULAY.

R2

hostname R2
vrf definition ULAY
 rd 100:100
 !
 address-family ipv4
 exit-address-family
!
crypto keyring KEYRING vrf ULAY
  pre-shared-key address 0.0.0.0 0.0.0.0 key pindakaas
!

!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
!
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANSFORM
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.10.10.1 100.100.51.1
 ip nhrp map multicast 100.100.51.1
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf ULAY
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface Ethernet0/0
 vrf forwarding ULAY
 ip address 100.100.52.2 255.255.255.0
!
router ospf 1 vrf ULAY
 network 100.100.0.0 0.0.255.255 area 0
!

MPLS LAB 2 MPLS with prefix-suppression

The trick in this LAB is to add loopback interfaces on the P routers and add them to the underlay OSPF. When you enable prefix-suppression in OSPF, the transit subnets between the routers are no longer advertised and only the loopback addresses remain. This keeps the routing table very short and fast in big environments. The loopbacks must exist and be in OSPF, because the loopback /32s are the only underlay prefixes left and LDP and BGP rely on them (the BGP sessions use update-source Loopback0).

Specials in this LAB.

  • Use MPLS autoconfig
  • Define a MPLS label range
  • Do not propagate the MPLS network to the customer
CE1

hostname CE1
interface Ethernet0/0
 ip address 10.10.10.10 255.255.255.0
!
router ospf 100
 network 10.10.10.0 0.0.0.255 area 100

PE1

hostname PE1
vrf definition RED
 rd 100:100
 route-target export 1000:1000
 route-target import 1000:1000
 !
 address-family ipv4
 exit-address-family

!
mpls label range 100 199
no mpls ip propagate-ttl
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
 vrf forwarding RED
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1
 ip address 100.100.12.1 255.255.255.0
!
router ospf 100 vrf RED
 redistribute bgp 65000 subnets
 network 10.10.10.0 0.0.0.255 area 100
!
router ospf 1
 mpls ldp autoconfig
 prefix-suppression
 network 1.1.1.1 0.0.0.0 area 0
 network 100.100.0.0 0.0.255.255 area 0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 65000
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 4.4.4.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute ospf 100
 exit-address-family
P1

hostname P1
mpls label range 200 299
no mpls ip propagate-ttl

!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 100.100.12.2 255.255.255.0
!
interface Ethernet0/1
 ip address 100.100.23.1 255.255.255.0
!
router ospf 1
 mpls ldp autoconfig
 prefix-suppression
 router-id 2.2.2.2
 network 2.2.2.2 0.0.0.0 area 0
 network 100.100.0.0 0.0.255.255 area 0
P2

hostname P2
mpls label range 300 399
no mpls ip propagate-ttl

!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/0
 ip address 100.100.23.2 255.255.255.0
!
interface Ethernet0/1
 ip address 100.100.34.1 255.255.255.0
!
router ospf 1
 mpls ldp autoconfig
 prefix-suppression
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 100.100.0.0 0.0.255.255 area 0
PE2

hostname PE2
mpls label range 400 499
no mpls ip propagate-ttl
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Ethernet0/0
 ip address 100.100.34.2 255.255.255.0
!
interface Ethernet0/1
 vrf forwarding RED
 ip address 20.20.20.1 255.255.255.0
!
router ospf 100 vrf RED
 redistribute bgp 65000 subnets
 network 20.20.20.0 0.0.0.255 area 200
!
router ospf 1
 mpls ldp autoconfig
 prefix-suppression
 network 4.4.4.4 0.0.0.0 area 0
 network 100.100.0.0 0.0.255.255 area 0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65000
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family ipv4
  no neighbor 1.1.1.1 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute ospf 100
 exit-address-family
!
CE2

hostname CE2
interface Ethernet0/0
 ip address 20.20.20.20 255.255.255.0
!
router ospf 200
 network 20.20.20.0 0.0.0.255 area 200
!

Show the OSPF routes in the underlay. Notice that the transit subnets between the routers are gone.

PE1#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/11] via 100.100.12.2, 00:03:51, Ethernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/21] via 100.100.12.2, 00:03:09, Ethernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/31] via 100.100.12.2, 00:03:09, Ethernet0/1

MPLS LAB 1 MPLS without prefix-suppression

In this LAB I did not use a loopback address on the P routers. If you enable prefix-suppression on the PE and P routers, you have to use loopback addresses, because loopback addresses are still announced in OSPF when prefix-suppression is enabled, while the transit subnets are not.

Specials in this LAB.

  • Use MPLS autoconfig
  • Define a MPLS label range
  • Do not propagate the MPLS network to the customer
CE1

hostname CE1
interface Ethernet0/0
 ip address 10.10.10.10 255.255.255.0
!
router ospf 100
 network 10.10.10.0 0.0.0.255 area 100

PE1

hostname PE1
vrf definition RED
 rd 100:100
 route-target export 1000:1000
 route-target import 1000:1000
 !
 address-family ipv4
 exit-address-family

!
mpls label range 100 199
no mpls ip propagate-ttl
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
 vrf forwarding RED
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1
 ip address 100.100.12.1 255.255.255.0
!
router ospf 100 vrf RED
 redistribute bgp 65000 subnets
 network 10.10.10.0 0.0.0.255 area 100
!
router ospf 1
 mpls ldp autoconfig
 network 1.1.1.1 0.0.0.0 area 0
 network 100.100.0.0 0.0.255.255 area 0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 65000
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 4.4.4.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute ospf 100
 exit-address-family
P1

hostname P1
mpls label range 200 299
no mpls ip propagate-ttl

!
interface Loopback0
 no ip address
!
interface Ethernet0/0
 ip address 100.100.12.2 255.255.255.0
!
interface Ethernet0/1
 ip address 100.100.23.1 255.255.255.0
!
router ospf 1
 mpls ldp autoconfig
 router-id 2.2.2.2
 network 100.100.0.0 0.0.255.255 area 0
P2

hostname P2
mpls label range 300 399
no mpls ip propagate-ttl

!
interface Loopback0
 no ip address
!
interface Ethernet0/0
 ip address 100.100.23.2 255.255.255.0
!
interface Ethernet0/1
 ip address 100.100.34.1 255.255.255.0
!
router ospf 1
 mpls ldp autoconfig
 router-id 3.3.3.3
 network 100.100.0.0 0.0.255.255 area 0
PE2

hostname PE2
mpls label range 400 499
no mpls ip propagate-ttl
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Ethernet0/0
 ip address 100.100.34.2 255.255.255.0
!
interface Ethernet0/1
 vrf forwarding RED
 ip address 20.20.20.1 255.255.255.0
!
router ospf 100 vrf RED
 redistribute bgp 65000 subnets
 network 20.20.20.0 0.0.0.255 area 200
!
router ospf 1
 mpls ldp autoconfig
 network 4.4.4.4 0.0.0.0 area 0
 network 100.100.0.0 0.0.255.255 area 0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65000
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family ipv4
  no neighbor 1.1.1.1 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute ospf 100
 exit-address-family
!
CE2

hostname CE2
interface Ethernet0/0
 ip address 20.20.20.20 255.255.255.0
!
router ospf 200
 network 20.20.20.0 0.0.0.255 area 200
!

Show the OSPF network within the P area.

PE1#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/31] via 100.100.12.2, 05:44:25, Ethernet0/1
      100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        100.100.23.0/24 [110/20] via 100.100.12.2, 05:39:35, Ethernet0/1
O        100.100.34.0/24 [110/30] via 100.100.12.2, 05:38:04, Ethernet0/1
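A check that covers both LABs (the prefix-suppression output above in LAB 2 and the output just shown here in LAB 1), written as an added Python example and not part of the lab notes: it parses IOS `sh ip route ospf` output and lists every OSPF route in the underlay that is not a /32 host route, so a non-empty result means transit subnets are still being advertised. The parser handles both ways IOS prints the mask: once in the "is subnetted" header line, or per route when a major network is variably subnetted. The samples are the two PE1 outputs from the labs, trimmed to the route lines.

```python
import re

# Constructed samples: the two 'PE1#sh ip route ospf' outputs from the labs,
# trimmed to the route lines (the code legend is not needed for the check).
WITH_SUPPRESSION = """\
      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/11] via 100.100.12.2, 00:03:51, Ethernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/21] via 100.100.12.2, 00:03:09, Ethernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/31] via 100.100.12.2, 00:03:09, Ethernet0/1
"""
WITHOUT_SUPPRESSION = """\
      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/31] via 100.100.12.2, 05:44:25, Ethernet0/1
      100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        100.100.23.0/24 [110/20] via 100.100.12.2, 05:39:35, Ethernet0/1
O        100.100.34.0/24 [110/30] via 100.100.12.2, 05:38:04, Ethernet0/1
"""

def parse_ospf_routes(text):
    """Return [(prefix, length, next_hop)] for 'O' routes in IOS 'show ip route' output.

    IOS prints the mask once in the "... is subnetted" header when all subnets of a
    major network share it, and per route ("x.x.x.x/24") when variably subnetted.
    """
    routes, inherited_len = [], None
    for line in text.splitlines():
        hdr = re.match(r"\s+\S+/(\d+) is subnetted", line)
        if hdr:
            inherited_len = int(hdr.group(1))
            continue
        if re.match(r"\s+\S+/\d+ is variably subnetted", line):
            inherited_len = None  # each route line carries its own mask
            continue
        rt = re.match(r"O\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+\[\d+/\d+\] via (\S+),", line)
        if rt:
            length = int(rt.group(2)) if rt.group(2) else inherited_len
            routes.append((rt.group(1), length, rt.group(3)))
    return routes

def transit_prefixes(text):
    """OSPF routes that are not host routes; with prefix-suppression this should be empty."""
    return [f"{p}/{l}" for p, l, _ in parse_ospf_routes(text) if l != 32]
```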

I disabled mpls ip propagate-ttl so the customer edge can't see the P routers (the label-switched hops) in a traceroute: the IP TTL is not copied into the label at the ingress PE, so the probes never expire inside the P network and only the PE hops show up.

no mpls ip propagate-ttl
CE1#tracerout 20.20.20.20 numeric
Type escape sequence to abort.
Tracing the route to 20.20.20.20
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.10.1 1 msec 1 msec 0 msec
  2 20.20.20.1 2 msec 1 msec 1 msec
  3 20.20.20.20 3 msec *  2 msec

IPv6 autoconfig

  • Configure R4 port E0/0 as ipv6 autoconfig
  • Make R3 the preferred route
  • Make R2 the backup route
R1
ipv6 unicast-routing
interface Loopback0
 no ip address
 ipv6 address 2001:1:1::1/64
 ipv6 enable
!
interface Ethernet0/0
 no ip address
 ipv6 address 2002:DB8:12::1/64
 ipv6 enable
!
interface Ethernet0/1
 no ip address
 ipv6 address 2002:DB8:13::1/64
 ipv6 enable
!
router eigrp DAVID
 !
 address-family ipv6 unicast autonomous-system 100
  !
  topology base
  exit-af-topology
  eigrp router-id 1.1.1.1
 exit-address-family
 !
R2
interface Ethernet0/0
 no ip address
 ipv6 address 2002:DB8:24::2/64
 ipv6 enable
 ipv6 nd router-preference Low
!
interface Ethernet0/1
 no ip address
 ipv6 address 2002:DB8:12::2/64
 ipv6 enable
!
router eigrp DAVID
 !
 address-family ipv6 unicast autonomous-system 100
  !
  topology base
  exit-af-topology
  eigrp router-id 2.2.2.2
 exit-address-family
!
R3
interface Ethernet0/0
 no ip address
 ipv6 address 2002:DB8:24::3/64
 ipv6 enable
 ipv6 nd router-preference High
!
interface Ethernet0/1
 no ip address
 ipv6 address 2002:DB8:13::3/64
 ipv6 enable
!
router eigrp DAVID
 !
 address-family ipv6 unicast autonomous-system 100
  !
  topology base
  exit-af-topology
  eigrp router-id 3.3.3.3
 exit-address-family
R4
interface Ethernet0/0
 no ip address
 ipv6 address autoconfig default
 ipv6 enable
R4#sh ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, la - LISP alt
       lr - LISP site-registrations, ld - LISP dyn-eid, a - Application
ND  ::/0 [2/0]
     via FE80::A8BB:CCFF:FE01:100, Ethernet0/0
NDp 2002:DB8:24::/64 [2/0]
     via Ethernet0/0, directly connected
L   2002:DB8:24:0:A8BB:CCFF:FE01:2100/128 [0/0]
     via Ethernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

FE80::A8BB:CCFF:FE01:100 is the link-local address of R3.

R4#traceroute 2001:1:1::1
Type escape sequence to abort.
Tracing the route to 2001:1:1::1

  1 2002:DB8:24::2 1 msec 1 msec 1 msec
  2 2002:DB8:12::1 2 msec 2 msec 1 msec
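The `ipv6 nd router-preference High/Low` lines on R3 and R2 set the Prf bits (RFC 4191) in the Router Advertisement, and R4's ND default route is the result of the host-side selection. The following is an added Python example, not part of the lab notes, that builds the fixed 16-byte ICMPv6 RA header with a given preference, decodes it, and selects the default router the way an RFC 4191 host does; the link-local addresses in the sample are placeholders, not the ones from the lab output.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
PREF_NAMES = {0b01: "High", 0b00: "Medium", 0b11: "Low"}  # RFC 4191 Prf field values

def build_ra(prf_bits, router_lifetime=1800, cur_hop_limit=64):
    """Construct the fixed ICMPv6 RA header with the given Prf bits (bits 4..3 of the
    flags byte); M, O and H flags are clear and the checksum is left at zero because
    nothing here is sent on the wire."""
    flags = (prf_bits & 0b11) << 3
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       cur_hop_limit, flags, router_lifetime, 0, 0)

def parse_ra(data):
    """Return (preference_name, router_lifetime). The reserved Prf value 10 must be
    treated as Medium (RFC 4191 section 2.2)."""
    typ, _code, _csum, _hl, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", data[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    prf = (flags >> 3) & 0b11
    return PREF_NAMES.get(prf, "Medium"), lifetime

RANK = {"High": 2, "Medium": 1, "Low": 0}

def pick_default_router(advertisements):
    """Select the default router as an RFC 4191 host does: among routers advertising a
    non-zero Router Lifetime, take the one with the highest preference.
    `advertisements` is a list of (link_local_address, raw_ra_bytes)."""
    best = None
    for addr, ra in advertisements:
        pref, lifetime = parse_ra(ra)
        if lifetime == 0:
            continue  # lifetime 0 means "I am not a default router"
        if best is None or RANK[pref] > RANK[best[1]]:
            best = (addr, pref)
    return best

# Constructed sample mirroring the lab: R2 (Low) and R3 (High) on 2002:DB8:24::/64.
# The link-local addresses are placeholders, not the ones seen on R4.
LAB_RAS = [
    ("fe80::2 (R2)", build_ra(0b11)),   # ipv6 nd router-preference Low
    ("fe80::3 (R3)", build_ra(0b01)),   # ipv6 nd router-preference High
]
```

A host that does not implement RFC 4191 ignores the Prf bits entirely and would treat R2 and R3 as equal, so the preference only steers hosts that understand it.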