Fun in the Lab: Sniffer Tracing a DMVPN Tunnel Startup

I have seen that for many people new to DMVPN, it seems quite overwhelming and scary.  I will admit it was that way for me also.  I think it is really because of all those NHRP commands.  Funny thing about those NHRP commands is that they have more to do with RFC2332 than with DMVPN.  Once I realized all that a number of years ago… the lightbulb went on and it all just “made sense” and came together.

Why a sniffer trace? Cause I’m a sniffer trace kinda girl.  It’s how I learn and how I “see” the underlying flow which helps me put the puzzle pieces together.  Documentation and show commands help me… but everything seems to “sink in deeper” if I can sniff the wire.

So for those of you who learn like I do….  let’s go play in the lab!

First… you may want to grab the actual pcap file we are going to be looking at together:

dmvpn_tunnel_startup.pcap    <– it is on my public dropbox and I plan to keep it there for a few years.  🙂


Time to Get GEEKY!

DMVPN Topology

Overview of Environment

Welcome to our little lab environment.  Quick summary of what we are looking at here.

  • No “DIA” (direct internet access) for the branches to keep things “simpler” for now
  • No encryption enabled so we can sniff and see everything

Sniffer Capture Time

We are going to start with the “WAN” facing interfaces administratively shut down so we can capture the DMVPN coming up and then the EIGRP over it.  See the little “wireshark” logo up between Foxtrot14 and the INET cloud? This is where we are going to put our sniffer.

Frames 1 thru 10 (below) are just some ARP, STP, and CDP.  Feel free to look at them…. but we aren’t going to go into more detail on any of those here.

Sniffer Trace

“Who is echo12?” you might ask.  Foxtrot14 actually connects to a layer 2 switch named “echo12” via vlan 214.  It is that layer 2 switch that connects to the sole “INET” core router. I do this for ease of sniffing.

DMVPN Magic

Onto the first “DMVPN” magic.  We will find this on the wire with frame 11 (NHRP registration request) and frame 12 (NHRP registration reply).

  • Frame 11 is the NHRP registration request from Echo3’s NBMA IP address 21.21.102.6 to Foxtrot14’s NBMA IP address 21.21.1.2.
  • Frame 12 is the NHRP registration reply from Foxtrot14’s NBMA IP address 21.21.1.2 to Echo3’s NBMA IP address 21.21.102.6.

DMVPN diagram with sniffer trace frames of startup

So what does this look like on the wire?

RFC2332

What is RFC2332?  It is the RFC for NHRP.  Again, NHRP is one of the key pieces of magic that DMVPN utilizes.  DMVPN is based on NHRP version 1, but Cisco has made (and continues to make) really great extensions to the protocol that we can use between Cisco devices.
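To make the frame 11 layout concrete, here is an added example (not from the original post or the pcap) that decodes the outer IPv4 header, the GRE header and the RFC 2332 fixed and mandatory parts of an NHRP packet. The sample bytes are constructed, and the pairing of Echo3 with tunnel address 10.99.2.102 and of Foxtrot14 with 10.99.2.1 is an assumption taken from the EIGRP neighbor addresses listed later in the post.

```python
import socket
import struct

GRE_PROTO_NHRP = 0x2001  # GRE protocol type that carries NHRP
NHRP_TYPES = {1: "Resolution Request", 2: "Resolution Reply", 3: "Registration Request",
              4: "Registration Reply", 5: "Purge Request", 6: "Purge Reply", 7: "Error Indication"}

def parse_nhrp_over_gre(pkt: bytes) -> dict:
    """Decode outer IPv4 + GRE + the NHRP fixed and mandatory parts (RFC 2332)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 47:
        raise ValueError("outer IP protocol is not GRE (47)")
    gre_flags, gre_proto = struct.unpack_from("!HH", pkt, ihl)
    if gre_proto != GRE_PROTO_NHRP:
        raise ValueError("GRE payload is not NHRP")
    off = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):  # optional checksum, key, sequence words
        if gre_flags & bit:
            off += 4
    # Fixed part: afn, pro.type, pro.snap, hopcnt, pktsz, chksum, extoff, version, type, shtl, sstl
    afn, pro, _snap, _hop, _size, _csum, _ext, _ver, op, shtl, sstl = struct.unpack_from(
        "!HH5sBHHHBBBB", pkt, off)
    src_plen, dst_plen, _flags, request_id = struct.unpack_from("!BBHI", pkt, off + 20)
    nbma_len, sub_len = shtl & 0x3F, sstl & 0x3F  # low 6 bits carry the length
    if (afn, pro, nbma_len, src_plen, dst_plen) != (1, 0x0800, 4, 4, 4):
        raise ValueError("only IPv4 NBMA and protocol addresses are handled here")
    off += 28
    src_nbma = pkt[off:off + 4]
    off += 4 + sub_len
    src_proto, dst_proto = pkt[off:off + 4], pkt[off + 4:off + 8]
    if len(dst_proto) != 4:
        raise ValueError("truncated NHRP mandatory part")
    return {"outer_src": socket.inet_ntoa(pkt[12:16]), "outer_dst": socket.inet_ntoa(pkt[16:20]),
            "type": NHRP_TYPES.get(op, f"unknown({op})"), "request_id": request_id,
            "src_nbma": socket.inet_ntoa(src_nbma), "src_tunnel": socket.inet_ntoa(src_proto),
            "dst_tunnel": socket.inet_ntoa(dst_proto)}

def build_sample_registration() -> bytes:
    """Constructed sample (not bytes from the pcap): Echo3 registering with Foxtrot14."""
    a = socket.inet_aton
    nhrp = struct.pack("!HH5sBHHHBBBB", 1, 0x0800, b"\0" * 5, 255, 52, 0, 0, 1, 3, 4, 0)
    nhrp += struct.pack("!BBHI", 4, 4, 0, 1)                       # mandatory header, request ID 1
    nhrp += a("21.21.102.6") + a("10.99.2.102") + a("10.99.2.1")   # NBMA, spoke tunnel, hub tunnel
    nhrp += struct.pack("!BBHHHBBBB", 0, 32, 0, 1472, 7200, 0, 0, 0, 0)  # one CIE, left undecoded
    gre = struct.pack("!HH", 0, GRE_PROTO_NHRP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(nhrp), 0, 0, 255, 47, 0,
                     a("21.21.102.6"), a("21.21.1.2"))             # checksums left at 0
    return ip + gre + nhrp

if __name__ == "__main__":
    print(parse_nhrp_over_gre(build_sample_registration()))
```

Because the lab runs without encryption, the NBMA-to-tunnel address mapping that the hub learns is readable by anything on the path, which is exactly what the decoded fields show.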

How did Echo3 know where to go?  The configs for the tunnel interface on Echo3.  Let’s look at them.

dmvpn spoke tunnel config

See how Echo3 is statically configured to know the destination physical IP address it is trying to get to is 21.21.1.2?

“What happened to the dynamic part of this?” you ask. Well, obviously while the hub can be dynamic and just sit there and listen… someone has to start the call.  🙂

“Wow, that is a lot of configuration, do I have to do all of that?” you ask. No.  But everything I put in there has a reason for being in there.  Once you know what your branch DMVPN design is… you can pretty much be “cookie cutter” with the branch tunnel configs, changing really only two things at each branch:

1) 4th Octet: 10.99.2.x   &

2) Tunnel Source Interface: If your branches vary here

Note: While I have not played with it myself, it is my understanding that you can also use DNS to look up the hub.

More Sniffer Trace Fun

If you continue on in the sniffer trace you will see:

  • Echo3 and Foxtrot14 exchanging NHRP registration request/reply, followed by
  • EIGRP neighboring up over the mGRE tunnel – 10.99.2.1 with 10.99.2.102, and then
  • NHRP exchange between Branch1-R2 and Foxtrot14
  • EIGRP neighboring up over the mGRE tunnel – 10.99.2.1 with 10.99.2.101

What does all this look like via the CLI and show commands?

show dmvpn output

show interface tunnel output

And then, of course, finally our EIGRP neighbor.

eigrp

Eh… Voila… our DMVPN is up along with our EIGRP neighbors. 🙂


Quick Side Note: Completely new to DMVPN?  I’m not sure if looking at this sniffer trace is going to clear that up for you.  🙂  I will suggest you read a little first on DMVPN and understand a little more about mGRE as well as NHRP.  mGRE and NHRP are key to the “magic” that is behind DMVPN.  I would also suggest, if you are going to be running DMVPN in your environment, that you utilize CiscoLive’s “On Demand Library”.  There are recordings of every breakout session from every CiscoLive around the world for the past few years.  And it is… get this… free.


*NOTE: This post was originally published in 2015 on this site. It has been updated as well as reformatted.




1 reply

  1. kewl stuff here Fish, thanks for sharing
