DMVPN configuration with both Hub and Spokes having a dynamically assigned NBMA (public) IP

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP).

Here is the basic setup of DMVPN Phase 3. I'll not go into an in-depth discussion of DMVPN; rather, this article will focus more on the features that will enable a DMVPN with both hub and spokes having a dynamically assigned NBMA IP. The setup has been simulated using IOS version 15.4(2)T.
DMVPN-network-diagram.png
**************************************************************************************
(R1 configuration)
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
interface Ethernet0/0
 ip address 15.0.0.1 255.255.255.0
!
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 10.0.0.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 15.0.0.5
**************************************************************************************
(R2 configuration)
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication NHRP_KEY
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp map multicast 15.0.0.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
interface Ethernet0/0
 ip address 25.0.0.2 255.255.255.0
!
router eigrp 1
 network 2.2.2.2 0.0.0.0
 network 10.0.0.2 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 25.0.0.5
**************************************************************************************
(R3 configuration)
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 ip nhrp authentication NHRP_KEY
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp map multicast 15.0.0.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
interface Ethernet0/0
 ip address 35.0.0.3 255.255.255.0
!
router eigrp 1
 network 3.3.3.3 0.0.0.0
 network 10.0.0.3 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 35.0.0.5
**************************************************************************************
(R4 configuration)
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.4 255.255.255.0
 ip nhrp authentication NHRP_KEY
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp map multicast 15.0.0.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
interface Ethernet0/0
 ip address 45.0.0.4 255.255.255.0
!
router eigrp 1
 network 4.4.4.4 0.0.0.0
 network 10.0.0.4 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 45.0.0.5
**************************************************************************************
(Verification on Hub R1)
R1#
R1#show ip nhrp
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 08:25:43, expire 01:31:32
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 08:25:09, expire 01:34:52
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 35.0.0.3
10.0.0.4/32 via 10.0.0.4
   Tunnel0 created 08:25:39, expire 01:32:28
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 45.0.0.4
R1#
R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 25.0.0.2               10.0.0.2    UP 08:25:45     D
     1 35.0.0.3               10.0.0.3    UP 08:25:11     D
     1 45.0.0.4               10.0.0.4    UP 08:25:41     D

R1#
R1#show ip eigrp neighbor
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
2   10.0.0.3                Tu0                      11 04:26:14    1  1398  0  3
0   10.0.0.4                Tu0                      12 04:27:42    5  1398  0  4
1   10.0.0.2                Tu0                      10 04:29:02    1  1398  0  5
R1#
R1#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 15.0.0.5 to network 0.0.0.0

      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/27008000] via 10.0.0.2, 04:28:42, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/27008000] via 10.0.0.3, 04:25:19, Tunnel0
      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/27008000] via 10.0.0.4, 04:27:47, Tunnel0
R1#
**************************************************************************************
(Verification on Spoke R2)
R2#show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:00:14, never expire
   Type: static, Flags: used
   NBMA address: 15.0.0.1
R2#
R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 15.0.0.1               10.0.0.1    UP 00:00:17     S

R2#
R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 25.0.0.5 to network 0.0.0.0

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/27008000] via 10.0.0.1, 00:00:13, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/28288000] via 10.0.0.1, 00:00:13, Tunnel0
      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/28288000] via 10.0.0.1, 00:00:13, Tunnel0
R2#
R2#show ip cef 3.3.3.3
3.3.3.3/32
  nexthop 10.0.0.1 Tunnel0
R2#
R2#traceroute 3.3.3.3 so 2.2.2.2
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 1 msec 1 msec 0 msec
  2 10.0.0.3 6 msec *  5 msec
R2#
R2#traceroute 3.3.3.3 so 2.2.2.2
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 1 msec *  0 msec
R2#
R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 25.0.0.5 to network 0.0.0.0

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/27008000] via 10.0.0.1, 00:00:43, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
D   %    3.3.3.3 [90/28288000] via 10.0.0.1, 00:00:43, Tunnel0
      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/28288000] via 10.0.0.1, 00:00:43, Tunnel0
R2#
R2#show ip cef 3.3.3.3
3.3.3.3/32
  nexthop 10.0.0.3 Tunnel0
R2#
**************************************************************************************



Normally, DMVPN requires that the hub has a statically configured NBMA IP (one that does not change), while the spokes can have dynamically assigned NBMA IPs. It is important that the hub's NBMA IP does not change because it is referenced in the Next Hop Resolution Protocol (NHRP) static mapping on the spokes, as shown below.

interface Tunnel0
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp nhs 10.0.0.1



The problem with both hub and spokes having a dynamically assigned public IP is that, on the spokes, we would have to manually reconfigure the NHRP static mapping for the NHS IP and its NBMA IP every time the hub is assigned a new public IP.


So how can we implement a DMVPN with both Hub and Spokes having dynamically assigned public IP (NBMA IP)? The solution would require two features:

  • Dynamic DNS (DDNS) for the hub - enables the hub router to advise a DDNS server of its currently assigned IP.
  • DMVPN configuration using FQDN for the spokes - enables the spokes' NHRP configuration to reference an FQDN instead of an IP address.
Below is the basic setup that we will use for the test simulation.
[Figure: DMVPN network with DHCP-assigned public IPs]

Part 1 - DMVPN configuration using FQDN for the spokes

  • The "Internet" cloud is actually simulated by a router (R5).
  • I've used R5 (5.5.5.5) to act as the "DNS server" as well as to provide the DHCP addresses for the NBMA interfaces.
**************************************************************************************
(R5 DHCP configuration)
R5#show run | sec dhcp
ip dhcp excluded-address 15.0.0.2 15.0.0.255
ip dhcp excluded-address 25.0.0.1
ip dhcp excluded-address 25.0.0.3 25.0.0.255
ip dhcp excluded-address 35.0.0.1 35.0.0.2
ip dhcp excluded-address 35.0.0.4 35.0.0.255
ip dhcp excluded-address 45.0.0.1 45.0.0.3
ip dhcp excluded-address 45.0.0.5 45.0.0.255
ip dhcp pool Hub_POOL
 network 15.0.0.0 255.255.255.0
 default-router 15.0.0.5
ip dhcp pool SPOKE1_POOL
 network 25.0.0.0 255.255.255.0
 default-router 25.0.0.5
ip dhcp pool SPOKE2_POOL
 network 35.0.0.0 255.255.255.0
 default-router 35.0.0.5
ip dhcp pool SPOKE3_POOL
 network 45.0.0.0 255.255.255.0
 default-router 45.0.0.5
R5#
**************************************************************************************
(R5 "DNS" configuration)
R5#confi t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#
R5(config)#ip dns server
R5(config)#ip domain-lookup
R5(config)#
R5(config)#ip host google.com 208.117.231.154
R5(config)#ip host mycreateddomain.ddns.net 15.0.0.1
R5(config)#
**************************************************************************************



  • Configuration and verification of DHCP and DNS name server on Hub and Spokes routers.
 
**************************************************************************************
(R1 DHCP configuration and verification)
R1#
R1#show run int eth0/0 | be interface
interface Ethernet0/0
 ip address dhcp
end

R1#
R1#show run | inc ip route
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 dhcp
R1#
R1#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                15.0.0.1        YES DHCP   up                    up
Ethernet0/1                unassigned      YES TFTP   administratively down down
Ethernet0/2                unassigned      YES NVRAM  administratively down down
Ethernet0/3                unassigned      YES NVRAM  administratively down down
Loopback0                  1.1.1.1         YES NVRAM  up                    up
Tunnel0                    10.0.0.1        YES NVRAM  up                    up
R1#
R1#show ip route static | be Gateway
Gateway of last resort is 15.0.0.5 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 15.0.0.5, Ethernet0/0
R1#

(R1 Domain name configuration and verification)
R1#
R1#confi t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip name-server 5.5.5.5
R1(config)#ip domain-loo
R1(config)#ip domain-lookup
R1(config)#end
R1#
R1#ping google.com
Translating "google.com"...domain server (5.5.5.5) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.117.231.154, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1#
R1#ping mycreateddomain.ddns.net
Translating "mycreateddomain.ddns.net"...domain server (5.5.5.5) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R1#
**************************************************************************************
(R3 DHCP configuration and verification)
R3#
R3#show run int eth0/0 | be interface
interface Ethernet0/0
 ip address dhcp
end

R3#
R3#show run | inc ip route
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 dhcp
R3#
R3#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                35.0.0.3        YES DHCP   up                    up
Ethernet0/1                unassigned      YES TFTP   administratively down down
Ethernet0/2                unassigned      YES NVRAM  administratively down down
Ethernet0/3                unassigned      YES NVRAM  administratively down down
Loopback0                  3.3.3.3         YES NVRAM  up                    up
Tunnel0                    10.0.0.3        YES NVRAM  up                    up
R3#
R3#show ip route static | be Gateway
Gateway of last resort is 35.0.0.5 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 35.0.0.5, Ethernet0/0
R3#

(R3 Domain name configuration and verification)
R3#
R3#confi t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip name-server 5.5.5.5
R3(config)#ip domain-lookup
R3(config)#end
R3#
R3#ping google.com
Translating "google.com"...domain server (5.5.5.5) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.117.231.154, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3#
R3#ping mycreateddomain.ddns.net
Translating "mycreateddomain.ddns.net"...domain server (5.5.5.5) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3#
**************************************************************************************



  • The WAN interface is configured with "ip address dhcp".
  • We have configured a static default route, "ip route 0.0.0.0 0.0.0.0 Ethernet0/0 dhcp". The "dhcp" keyword instructs the router to obtain the default gateway from DHCP.
  • From the "show ip int br" command, we can see that the WAN interface obtained an IP address via DHCP (Method column).
  • A static default route was installed via the next hop supplied by DHCP ("default-router x.x.x.x" under "ip dhcp pool").
  • We define the DNS server to be used by the router via the "ip name-server 5.5.5.5" command. On production networks you might point this to a public DNS such as Google (8.8.8.8, 8.8.4.4), or to your own managed DNS server.
  • We then test whether name resolution works. Note that, for simulation purposes, we used a static binding of the IP to the hostname.
 
Now comes the fun part: we configure NHRP on the spokes to reference an FQDN instead of an IP address.
**************************************************************************************
(R3 DMVPN configuration using FQDN)
R3#
R3#show run int tun 0 | be interface
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRP_KEY
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma mycreateddomain.ddns.net multicast
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
end

R3#
**************************************************************************************
(R3 DMVPN verification)
R3#
R3#show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:02:05, never expire
   Type: static, Flags: used
   NBMA address: 15.0.0.1  (mycreateddomain.ddns.net)
R3#
R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 15.0.0.1               10.0.0.1    UP 00:02:02     S
               (mycreateddomain.ddns.net)

R3#
R3#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 35.0.0.5 to network 0.0.0.0

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/27008000] via 10.0.0.1, 00:02:08, Tunnel0
      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/28288000] via 10.0.0.1, 00:02:08, Tunnel0
      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/28288000] via 10.0.0.1, 00:02:08, Tunnel0
R3#
R3#show ip cef 2.2.2.2
2.2.2.2/32
  nexthop 10.0.0.1 Tunnel0
R3#
R3#traceroute 2.2.2.2 so 3.3.3.3
Type escape sequence to abort.
Tracing the route to 2.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 1 msec 1 msec 1 msec
  2 10.0.0.2 5 msec 1 msec *
R3#
R3#traceroute 2.2.2.2 so 3.3.3.3
Type escape sequence to abort.
Tracing the route to 2.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.2 1 msec 1 msec *
R3#
R3#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 35.0.0.5 to network 0.0.0.0

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/27008000] via 10.0.0.1, 00:03:37, Tunnel0
      2.0.0.0/32 is subnetted, 1 subnets
D   %    2.2.2.2 [90/28288000] via 10.0.0.1, 00:03:37, Tunnel0
      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/28288000] via 10.0.0.1, 00:03:37, Tunnel0
R3#
R3#show ip cef 2.2.2.2
2.2.2.2/32
  nexthop 10.0.0.2 Tunnel0
R3#
R3#show tunnel endpoints
 Tunnel0 running in multi-GRE/IP mode

 Endpoint transport 15.0.0.1 Refcount 3 Base 0xA38B266C Create Time 00:04:10
   overlay 10.0.0.1 Refcount 2 Parent 0xA38B266C Create Time 00:04:10
   Tunnel Subblocks:
      tunnel-nhrp-sb:
         NHRP subblock has 1 entries
 Endpoint transport 25.0.0.2 Refcount 3 Base 0xA38B256C Create Time 00:01:18
   overlay 10.0.0.2 Refcount 2 Parent 0xA38B256C Create Time 00:01:18
   Tunnel Subblocks:
      tunnel-nhrp-sb:
         NHRP subblock has 2 entries
R3#
**************************************************************************************
(R1 verification of NHRP NBMA mapping)
R1#show ip nhrp
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 01:18:21, expire 01:21:38
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 01:18:19, expire 01:42:34
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 35.0.0.3
10.0.0.4/32 via 10.0.0.4
   Tunnel0 created 01:18:21, expire 01:58:58
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 45.0.0.4
R1#
**************************************************************************************


Three commands were replaced here in the tunnel configuration:

  • ip nhrp map 10.0.0.1 15.0.0.1 (static NHRP mapping for the NHS server IP and its NBMA IP)
  • ip nhrp map multicast 15.0.0.1 (maps multicast traffic towards the NHS)
  • ip nhrp nhs 10.0.0.1 (defines the NHRP server IP)
They are replaced by a single command, "ip nhrp nhs dynamic nbma mycreateddomain.ddns.net multicast", which:
  • defines the NHS IP to be dynamic
  • uses the FQDN "mycreateddomain.ddns.net" to resolve the value for the NBMA IP
  • also maps multicast traffic to the NHS identified by the FQDN
In the verification output, we can see that the router resolved the FQDN and then created a static NHRP mapping for its NHS. We also receive EIGRP routes from the hub, which shows the multicast mapping works, since EIGRP uses multicast.
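The three-for-one replacement described above can be applied mechanically to an existing spoke configuration. The following Python code is an added example, not part of the original article or of any Cisco tooling; the function name migrate_spoke_nhrp and the sample text are constructed here, and it assumes one hub (a single NHS) per tunnel. It refuses to rewrite a config whose three static lines do not describe the same hub.

```python
import ipaddress
import re

# Constructed sample: the static-mapping spoke tunnel (R3) from earlier on the page.
STATIC_SPOKE = """\
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 ip nhrp authentication NHRP_KEY
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp map multicast 15.0.0.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
"""

MCAST_RE = re.compile(r"ip nhrp map multicast (\S+)$")
MAP_RE = re.compile(r"ip nhrp map (\S+) (\S+)$")
NHS_RE = re.compile(r"ip nhrp nhs (\S+)$")   # does not match the "dynamic nbma" form
FQDN_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def migrate_spoke_nhrp(config, hub_fqdn):
    """Return (new_config, removed_lines).

    Replaces the static NHS/NBMA lines with the FQDN form. A config with no
    static NHS (a hub, or an already migrated spoke) is returned unchanged.
    """
    if is_ip(hub_fqdn) or not FQDN_RE.match(hub_fqdn):
        raise ValueError(f"not a fully qualified domain name: {hub_fqdn!r}")
    lines = config.splitlines()
    unicast, mcast, nhs = {}, {}, {}
    for idx, raw in enumerate(lines):
        line = raw.strip()
        if m := MCAST_RE.match(line):          # test before the generic map regex
            if is_ip(m.group(1)):              # skip the hub form "multicast dynamic"
                mcast[m.group(1)] = idx
        elif m := MAP_RE.match(line):
            unicast[m.group(1)] = (m.group(2), idx)
        elif m := NHS_RE.match(line):
            nhs[m.group(1)] = idx
    if not nhs:
        return config, []
    if len(nhs) != 1:
        raise ValueError("more than one static NHS; migrate each hub by hand")
    nhs_ip, nhs_idx = next(iter(nhs.items()))
    if nhs_ip not in unicast:
        raise ValueError(f"NHS {nhs_ip} has no 'ip nhrp map' entry")
    nbma, map_idx = unicast[nhs_ip]
    if nbma not in mcast:
        raise ValueError(f"multicast is not mapped to the NHS NBMA address {nbma}")
    drop = {nhs_idx, map_idx, mcast[nbma]}
    old = lines[nhs_idx]
    indent = old[: len(old) - len(old.lstrip())]
    out = []
    for idx, raw in enumerate(lines):
        if idx == nhs_idx:                     # new command takes the NHS line's place
            out.append(f"{indent}ip nhrp nhs dynamic nbma {hub_fqdn} multicast")
        elif idx not in drop:
            out.append(raw)
    return "\n".join(out) + "\n", [lines[i].strip() for i in sorted(drop)]


if __name__ == "__main__":
    new_cfg, removed = migrate_spoke_nhrp(STATIC_SPOKE, "mycreateddomain.ddns.net")
    print(new_cfg)
    print("removed:", removed)
```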

Let's take a closer look into how this is accomplished by looking into a packet capture on R3's WAN interface. I've initially shut down the WAN interface and re-enabled it to show the processes of DHCP, DNS, NHRP, and Routing.
R3---Packet-Capture-1.png
  • At line 5, eth0/0 of R3 was enabled and started the DHCP request process. The interface came up and the process completed at line 24.
  • At line 25, R3 starts to query the DNS server (5.5.5.5) to resolve the FQDN "mycreateddomain.ddns.net". Line 26 is the reply from the "DNS" server.
  • At lines 27-28, it starts its NHRP registration process with the NHS.
  • After registering with the NHS, it builds the GRE tunnel to the hub and begins EIGRP neighbor discovery, as seen on lines 29-43.
  • I then sent a couple of pings to verify reachability and illustrate spoke-to-spoke traffic for DMVPN Phase 3.

Part 2 - Dynamic DNS (DDNS) for the hub

  • When a router interface is configured with DDNS, it updates the DDNS server with its IP address.
  • When the DDNS server receives the update, it creates the binding between that IP address and a given FQDN, which it announces to the internet.
  • There are various DDNS services provided by multiple providers. Two of the most common and free DDNS providers are no-ip.com and dyndns.com. The following example will configure DDNS on a Cisco router using no-ip.com as the DDNS service provider.
  • You can use your own managed DNS server if you are able to provide DDNS.
  • We sign up for a free DDNS account on no-ip.com.
    • username: username
    • password: password
    • FQDN: mycreateddomain.ddns.net
 
Below is the DDNS configuration on a Cisco router using the free DDNS provided by no-ip.com
**************************************************************************************
(R1 Hub DDNS configuration)
R1#confi t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip dns server
R1(config)#ip name-server 5.5.5.5
R1(config)#
R1(config)#ip ddns update method NO-IP
R1(DDNS-update-method)#http

(Press Ctrl+V before typing or pasting the next line; otherwise IOS will misinterpret the characters "?" and "@")

R1(DDNS-HTTP)#add http://username:password@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
R1(DDNS-HTTP)#exit
R1(DDNS-update-method)#
R1(DDNS-update-method)#interval maximum 0 0 5 0
R1(DDNS-update-method)#exit
R1(config)#
R1(config)#interface eth0/0
R1(config-if)#ip ddns update hostname mycreateddomain.ddns.net
R1(config-if)#ip ddns update NO-IP
R1(config-if)#end
R1#
*Apr  2 20:13:58.494: %SYS-5-CONFIG_I: Configured from console by console
R1#
R1#show run | sec ddns
ip ddns update method NO-IP
 HTTP
  add http://username:password@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
 ip ddns update hostname mycreateddomain.ddns.net
 ip ddns update NO-IP
R1#
**************************************************************************************



  • We configure the DNS server that will be used by the router (ip name-server 5.5.5.5); in an actual production network this can be a public DNS such as Google (8.8.8.8, 8.8.4.4) or your managed DNS server.
  • "ip ddns update method NO-IP" creates a DDNS update method named "NO-IP", and "http" selects HTTP as the method used to update the DDNS server.
  • We configure "add http://username:password@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>". Replace the username and password with the details you configured when you signed up with no-ip.com. IOS substitutes the hostname for <h> and the interface IP address for <a> when it sends the update.
  • "interval maximum 0 0 5 0" defines an update interval of 5 minutes.
  • On the WAN interface, we configure the DDNS hostname and DDNS profile: "ip ddns update hostname mycreateddomain.ddns.net" and "ip ddns update NO-IP". Use the hostname you defined during sign-up.
Let's observe the packet capture on R1's WAN interface while the interface is shut down and re-enabled.
R1---Packet-Capture-1.png
  • At line 5, the interface was re-enabled.
  • The DHCP process is at lines 7-22.
  • At lines 29-30, DNS was queried to resolve "dynupdate.no-ip.com".
  • At line 31, the router tried to send the DDNS update to no-ip.com via HTTP (port 80).
  • At line 32, the destination is unreachable, since I simulated this in a lab environment that is not connected to the real internet.
Once the DDNS server is updated with the IP, it should begin announcing it to the internet, and future lookups will resolve the FQDN to the hub's WAN interface IP. The DDNS record will continue to be updated every 5 minutes.
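The update method above can be checked offline before it is deployed. This added Python example (not from the original article) parses a "show run | sec ddns" style section, expands the <h> and <a> placeholders, and reports two problems: a URL whose "?" was lost at the CLI, and account credentials carried over plain HTTP, which is the port 80 update seen in the capture. The function names and sample text are constructed, and the hostname/myip check assumes the no-ip.com URL shape used on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the DDNS section of R1's running config.
DDNS_GOOD = """\
ip ddns update method NO-IP
 HTTP
  add http://username:password@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
interface Ethernet0/0
 ip ddns update hostname mycreateddomain.ddns.net
 ip ddns update NO-IP
"""
# Constructed failure case: the same URL with the "?" missing, as happens when
# the character is consumed by CLI help instead of being entered after Ctrl+V.
DDNS_NO_QMARK = DDNS_GOOD.replace("update?hostname", "updatehostname")


def parse_ddns(config):
    """Return (methods, bindings): update methods by name, and the method
    names that interfaces reference with 'ip ddns update <name>'."""
    methods, bindings, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip ddns update method (\S+)$", line):
            current = methods.setdefault(m.group(1), {"url": None, "interval": None})
        elif current is not None and (m := re.match(r"add (\S+)$", line)):
            current["url"] = m.group(1)
        elif current is not None and (
                m := re.match(r"interval maximum (\d+) (\d+) (\d+) (\d+)$", line)):
            days, hours, minutes, seconds = map(int, m.groups())
            current["interval"] = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
        elif m := re.match(r"ip ddns update (?!hostname |method )(\S+)$", line):
            bindings.append(m.group(1))
    return methods, bindings


def expand(template, hostname, address):
    """Fill in the placeholders the way the router does before sending."""
    return template.replace("<h>", hostname).replace("<a>", address)


def audit_ddns(config):
    """Return a list of (method_name, finding) tuples."""
    methods, bindings = parse_ddns(config)
    findings = []
    for name, method in methods.items():
        if method["url"] is None:
            findings.append((name, "no-update-url"))
            continue
        url = urlsplit(method["url"])
        query = parse_qs(url.query)
        # Without the "?", everything after /nic/update becomes part of the path.
        if query.get("hostname") != ["<h>"] or query.get("myip") != ["<a>"]:
            findings.append((name, "query-string-missing-or-malformed"))
        # user:password@ over http:// crosses the WAN unencrypted.
        if url.scheme == "http" and url.password:
            findings.append((name, "credentials-sent-in-cleartext"))
        if name not in bindings:
            findings.append((name, "method-not-bound-to-interface"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", DDNS_GOOD), ("no '?'", DDNS_NO_QMARK)):
        print(label, audit_ddns(cfg))
```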
 

Final notes:
  • You can use any DDNS service you want, or even provide your own if you manage your own DNS.
  • no-ip.com offers a free DDNS service; however, you'll need to reconfirm your account every 30 days.
  • DMVPN configuration using FQDN was introduced for software versions above Cisco IOS Release 15.1(2)T.
 

That sums up configuring DMVPN with both hub and spokes having dynamically assigned public IP addresses. I hope this has been helpful to you, and thank you for reading the article.
Author:ffleisma
Expert Comment

by:shahed Israr
Dear learner,
If you don’t know anything about DMVPN configuration,
check out these links: DMVPN Configuration (http://gponsolution.com/dmvpn-configuration.html)