Multicast over FR NBMA part4 – (multipoint GRE and DMVPN)
July 31, 2008
This is the fourth part of the document “Multicast over FR NBMA”. This lab focuses on deploying multicast over multipoint GRE and DMVPN.
The main advantage of GRE tunneling is its transport capability: non-IP, broadcast and multicast traffic can be encapsulated inside unicast GRE, which is easily transmitted over Layer 2 technologies such as Frame Relay and ATM.
Because the HUB, SpokeA and SpokeB FR interfaces are multipoint, we will use multipoint GRE.
Figure1 : lab topology
CONFIGURATION
mGRE configuration:
HUB:
interface Tunnel0
 ip address 172.16.0.1 255.255.0.0
 no ip redirects
 !! PIM sparse-dense mode is enabled on the tunnel, not on the physical interface
 !! A shared key is used for tunnel authentication
 !! The HUB must send all multicast traffic to all spokes that have registered to it
 !! Enable NHRP on the interface, must be the same for all participants
 !! Because the OSPF network type is broadcast a DR will be elected, so the HUB is assigned the biggest priority to be sure that it will be the DR
 !! With small HUB and Spoke networks it is possible to configure static mGRE by pre-configuring the tunnel destination, but will not be able to set the tunnel mode
 !! Set the tunnel identification key and must be identical to the network-id previously configured
FR configuration:
interface Serial0/0
 ip address 192.168.100.1 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 192.168.100.2 101
 frame-relay map ip 192.168.100.3 103
 no frame-relay inverse-arp
Routing configuration:
router ospf 10
 router-id 1.1.1.1
 network 10.10.20.0 0.0.0.255 area 100
SpokeA:
mGRE configuration:
interface Tunnel0
 ip address 172.16.0.2 255.255.0.0
 ip nhrp authentication cisco
 !! All multicast traffic will be forwarded to the NBMA next hop IP (HUB).
 ip nhrp map multicast 192.168.100.1
 !! All spokes know in advance the HUB NBMA and tunnel IP addresses, which are static.
 ip nhrp map 172.16.0.1 192.168.100.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip ospf network point-to-multipoint
 tunnel source Serial0/0.201
 tunnel destination 192.168.100.1
 tunnel key 1
FR configuration:
interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no frame-relay inverse-arp
interface Serial0/0.201 multipoint
 ip address 192.168.100.2 255.255.255.0
 frame-relay map ip 192.168.100.1 201 broadcast
Routing configuration:
router ospf 10
 router-id 200.200.200.200
 network 20.20.20.0 0.0.0.255 area 200
 network 172.16.0.0 0.0.255.255 area 0
SpokeB:
mGRE configuration:
interface Tunnel0
 ip address 172.16.0.3 255.255.0.0
 no ip redirects
 ip pim sparse-dense-mode
 ip nhrp authentication cisco
 ip nhrp map multicast 192.168.100.1
 ip nhrp map 172.16.0.1 192.168.100.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Serial0/0.301
 tunnel mode gre multipoint
 tunnel key 1
FR configuration:
interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no frame-relay inverse-arp
interface Serial0/0.301 multipoint
 ip address 192.168.100.3 255.255.255.0
 frame-relay map ip 192.168.100.1 301 broadcast
Routing configuration:
router ospf 10
 router-id 3.3.3.3
 network 172.16.0.0 0.0.255.255 area 0
 network 192.168.39.0 0.0.0.255 area 300
RP (SpokeBnet):
interface Loopback0
 ip address 192.168.38.1 255.255.255.255
 ip pim sparse-dense-mode
router ospf 10
 network 192.168.38.1 0.0.0.0 area 300
ip pim send-rp-announce Loopback0 scope 32
Mapping Agent (HUBnet):
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ip pim sparse-dense-mode
router ospf 10
 network 10.0.0.1 0.0.0.0 area 100
ip pim send-rp-discovery Loopback0 scope 32
Here is the result:
HUB:
HUB# sh ip nhrp
172.16.0.2/32 via 172.16.0.2, Tunnel0 created 01:06:52, expire 01:34:23
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 192.168.100.2
172.16.0.3/32 via 172.16.0.3, Tunnel0 created 01:06:35, expire 01:34:10
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 192.168.100.3
HUB#
The HUB has dynamically learnt the spokes’ NBMA addresses and the corresponding tunnel IP addresses.
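Because the hub accepts dynamic registrations, its NHRP cache is worth comparing against the spokes you expect to see. The Python sketch below is an added example, not part of the original lab: it parses `sh ip nhrp` output like the one above and reports any tunnel-to-NBMA pair that disagrees with an inventory (the `EXPECTED` table and the function names are assumptions).

```python
import re

# Assumed inventory: tunnel IP -> NBMA IP, taken from the lab addressing.
EXPECTED = {"172.16.0.2": "192.168.100.2", "172.16.0.3": "192.168.100.3"}

# Sample output copied from the lab's HUB.
SAMPLE = """\
172.16.0.2/32 via 172.16.0.2, Tunnel0 created 01:06:52, expire 01:34:23
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 192.168.100.2
172.16.0.3/32 via 172.16.0.3, Tunnel0 created 01:06:35, expire 01:34:10
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 192.168.100.3
"""

ENTRY = re.compile(
    r"(?P<tunnel>\d+(?:\.\d+){3})/32\s+via\s+\S+\s+(?P<ifname>\S+)\s+created\s+\S+\s+"
    r"(?:never\s+expire|expire\s+\S+)\s+Type:\s+(?P<type>\w+),\s+"
    r"Flags:\s+(?P<flags>[\w ]+?)\s+NBMA\s+address:\s+(?P<nbma>\d+(?:\.\d+){3})"
)

def parse_nhrp(text):
    """Return one dict per NHRP cache entry; tolerates flattened whitespace."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def audit(text, expected=EXPECTED):
    """Return findings for dynamic entries that do not match the inventory."""
    findings, seen = [], set()
    for e in parse_nhrp(text):
        seen.add(e["tunnel"])
        if e["type"] != "dynamic":
            continue  # static maps are configured locally, not learnt
        want = expected.get(e["tunnel"])
        if want is None:
            findings.append(f"unknown spoke {e['tunnel']} registered from {e['nbma']}")
        elif want != e["nbma"]:
            findings.append(f"{e['tunnel']} registered from {e['nbma']}, expected {want}")
    findings += [f"expected spoke {t} not registered" for t in sorted(set(expected) - seen)]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "NHRP cache matches inventory")
```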
HUB#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     20.0.0.0/32 is subnetted, 1 subnets
O IA    20.20.20.20 [110/11112] via 172.16.0.2, 01:08:26, Tunnel0
O IA 192.168.40.0/24 [110/11113] via 172.16.0.3, 01:08:26, Tunnel0
C    172.16.0.0/16 is directly connected, Tunnel0
     192.168.38.0/32 is subnetted, 1 subnets
O IA    192.168.38.1 [110/11113] via 172.16.0.3, 01:08:26, Tunnel0
O IA 192.168.39.0/24 [110/11112] via 172.16.0.3, 01:08:26, Tunnel0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O       10.0.0.2/32 [110/2] via 10.10.20.3, 01:09:06, FastEthernet1/0
O       10.10.10.0/24 [110/2] via 10.10.20.3, 01:09:06, FastEthernet1/0
O       10.0.0.1/32 [110/2] via 10.10.20.3, 01:09:06, FastEthernet1/0
C       10.10.20.0/24 is directly connected, FastEthernet1/0
C    192.168.100.0/24 is directly connected, Serial0/0
HUB#
The HUB has learnt all the spokes’ local network IP addresses; note that all learnt routes point to the tunnel IP addresses, because the routing protocol runs on top of the logical topology, not the physical one (Figure 2).
Figure2 : Logical topology
HUB#sh ip pim neighbors
PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
172.16.0.3
172.16.0.2
10.10.20.3        FastEthernet1/0          01:07:24/00:01:15 v2    1 / DR S
HUB#
PIM neighbor relationships are established after enabling PIM-Sparse-dense mode on tunnel interfaces.
SpokeBnet#
*Mar 1 01:16:22.055: Auto-RP(0): Build RP-Announce for 192.168.38.1, PIMv2/v1, ttl 32, ht 181
*Mar 1 01:16:22.059: Auto-RP(0): Build announce entry for (224.0.0.0/4)
*Mar 1 01:16:22.063: Auto-RP(0): Send RP-Announce packet on FastEthernet0/0
*Mar 1 01:16:22.063: Auto-RP(0): Send RP-Announce packet on FastEthernet1/0
*Mar 1 01:16:22.067: Auto-RP: Send RP-Announce packet on Loopback0
SpokeBnet#
The RP (SpokeBnet) sends RP-announces to all those who listen to 224.0.1.39.
Hubnet#
*Mar 1 01:16:17.039: Auto-RP(0): Received RP-announce, from 192.168.38.1, RP_cnt 1, ht 181
*Mar 1 01:16:17.043: Auto-RP(0): Update (224.0.0.0/4, RP:192.168.38.1), PIMv2 v1
Hubnet#
*Mar 1 01:16:49.267: Auto-RP(0): Build RP-Discovery packet
*Mar 1 01:16:49.271: Auto-RP: Build mapping (224.0.0.0/4, RP:192.168.38.1), PIMv2 v1,
*Mar 1 01:16:49.275: Auto-RP(0): Send RP-discovery packet on FastEthernet0/0 (1 RP entries)
*Mar 1 01:16:49.275: Auto-RP(0): Send RP-discovery packet on FastEthernet1/0 (1 RP entries)
Hubnet#
HUBnet, the mapping agent (MA), listening to 224.0.1.39, has received RP-announces from the RP (SpokeBnet), has updated its records and has sent RP-Discovery to all PIM-SM routers at 224.0.1.40.
HUB#
*Mar 1 01:16:47.059: Auto-RP(0): Received RP-discovery, from 10.0.0.1, RP_cnt 1, ht 181
*Mar 1 01:16:47.063: Auto-RP(0): Update (224.0.0.0/4, RP:192.168.38.1), PIMv2 v1
HUB#
HUB#sh ip pim rp
Group: 239.255.1.1, RP: 192.168.38.1, v2, v1, uptime 01:11:49, expires 00:02:44
HUB#
The HUB, as an example, has received the RP-to-group mapping information from the mapping agent and now knows the RP IP address.
Now let’s take a look at the multicast routing table of the RP:
SpokeBnet#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.255.1.1), 00:39:00/stopped, RP 192.168.38.1, flags: SJC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet1/0, Forward/Sparse-Dense, 00:38:22/00:02:25

(10.10.10.1, 239.255.1.1), 00:39:00/00:02:58, flags: T

(*, 224.0.1.39), 01:24:31/stopped, RP 0.0.0.0, flags: D
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet0/0, Forward/Sparse-Dense, 01:24:31/00:00:00

(192.168.38.1, 224.0.1.39), 01:24:31/00:02:28, flags: T
  Incoming interface: Loopback0, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet0/0, Forward/Sparse-Dense, 01:24:31/00:00:00

(*, 224.0.1.40), 01:25:42/stopped, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet0/0, Forward/Sparse-Dense, 01:25:40/00:00:00
    Loopback0, Forward/Sparse-Dense, 01:25:42/00:00:00

(10.0.0.1, 224.0.1.40), 01:23:39/00:02:51, flags: LT
  Incoming interface: FastEthernet0/0, RPF nbr 192.168.39.1
  Outgoing interface list:
    Loopback0, Forward/Sparse-Dense, 01:23:39/00:00:00

SpokeBnet#
(*, 239.255.1.1) – The shared tree, rooted at the RP, used to push multicast traffic to receivers; the “J” flag indicates that traffic has switched from RPT to SPT.
(10.10.10.1, 239.255.1.1) – The SPT used to forward traffic from the source to the receiver; it receives traffic on Fa0/0 and forwards it out of Fa1/0.
(*, 224.0.1.39) and (*, 224.0.1.40) – The service multicast groups; because PIM sparse-dense mode is used, traffic for these groups was forwarded to all PIM routers using dense mode, hence the flag “D”.
This way we configured multicast over NBMA using mGRE, no layer2, no restrictions.
By the way, we are just one step away from DMVPN 🙂 All we have to do is configure an IPSec VPN that will protect our mGRE tunnel, so let’s do it!
!! IKE phase I parameters
crypto isakmp policy 1
 !! 3des as the encryption algorithm
 encryption 3des
 !! authentication type: simple preshared keys
 authentication pre-share
 !! Diffie-Hellman group 2 for the exchange of the secret key
 group 2
!! isakmp peers are not set because the HUB doesn’t know them yet, they are learned dynamically by NHRP within mGRE
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MyESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile My_profile
 set transform-set MyESP-3DES-SHA
int tunnel 0
 tunnel protection ipsec profile My_profile
HUB#sh crypto isakmp sa
dst             src             state          conn-id slot status
192.168.100.1   192.168.100.2   QM_IDLE              2    0 ACTIVE
192.168.100.1   192.168.100.3   QM_IDLE              1    0 ACTIVE
HUB#
HUB#sh crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.168.100.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/47/0)
   PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1248, #pkts encrypt: 1248, #pkts digest: 1248
    #pkts decaps: 129, #pkts decrypt: 129, #pkts verify: 129
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 52, #recv errors 0
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xCEFE3AC2(3472767682)
     inbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4448676/3482)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4447841/3479)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.100.3/255.255.255.255/47/0)
   current_peer 192.168.100.3 port 500
   PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1309, #pkts encrypt: 1309, #pkts digest: 1309
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 26, #recv errors 0
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xD5D509D2(3587508690)
     inbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4588768/3477)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4587889/3476)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
HUB#
ISAKMP and IPSec phases are successfully established and security associations are formed.
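The tunnels come up, but the lab policy relies on 3DES, Diffie-Hellman group 2, a wildcard pre-shared key and a cleartext NHRP string, all of which are worth flagging before this leaves the lab. The Python check below is an added example, not part of the original post: it scans a configuration for those settings (the rule set and the function name `audit_crypto` are assumptions; the sample is the lab's own crypto and NHRP lines).

```python
import re

# Crypto and NHRP lines from the lab configuration, one command per line.
LAB_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MyESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile My_profile
 set transform-set MyESP-3DES-SHA
interface Tunnel0
 ip nhrp authentication cisco
 tunnel protection ipsec profile My_profile
"""

WEAK_DH_GROUPS = {"1": 768, "2": 1024, "5": 1536}   # IKE group -> MODP modulus bits
WEAK_ESP = {"esp-des", "esp-3des", "esp-null"}

def audit_crypto(config):
    """Return (line_number, finding) tuples for weak IKE, IPsec and NHRP settings."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if m := re.fullmatch(r"encryption (des|3des)", line):
            findings.append((no, f"IKE encryption {m[1]} is a 64-bit block cipher; use AES"))
        elif (m := re.fullmatch(r"group (\d+)", line)) and m[1] in WEAK_DH_GROUPS:
            bits = WEAK_DH_GROUPS[m[1]]
            findings.append((no, f"DH group {m[1]} is {bits}-bit MODP; use group 14 or higher"))
        elif re.fullmatch(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?", line):
            findings.append((no, "wildcard pre-shared key: accepted from any peer address"))
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            for t in sorted(WEAK_ESP & set(m[1].split())):
                findings.append((no, f"transform {t} offers weak or no encryption"))
        elif re.fullmatch(r"ip nhrp authentication \S+", line):
            findings.append((no, "NHRP authentication string is sent in cleartext; "
                                 "it does not replace IPsec peer authentication"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_crypto(LAB_CONFIG):
        print(f"line {no}: {msg}")
```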
Multicast over DMVPN works perfectly! That’s it!