Multicast over Encrypted DMVPN

Lab Introduction

This lab tests multicast over DMVPN. DMVPN Phase 3 is deployed with R01 as the hub and R02 and R03 as spokes, and OSPF with the point-to-multipoint network type runs over the tunnel. The WAN-facing physical interfaces (GigabitEthernet2, 200.1.1.0/24) stay in the global routing table, while the tunnel interfaces, the loopbacks and the R01 to R04 link live in VRF GREEN_IVRF, so the encrypted transport and the routed overlay are kept in separate tables.

The DMVPN tunnel is protected by IPsec with IKEv2 pre-shared-key (PSK) authentication. R04 is the BSR candidate and RP candidate for the VRF, and multicast routing is enabled for GREEN_IVRF. The goal is to ping the group address 239.1.1.1 from a spoke and have every interface that joined the group reply; see the Verification section for the result. Note that the crypto configuration below is deliberately minimal for a lab: the keyring accepts any peer address with a trivial PSK, the IKEv2 profile matches any remote identity, no IKEv2 proposal or IPsec transform set is pinned (so whatever the platform defaults are gets negotiated), and ip nhrp authentication is a cleartext string that only stops misconfigured peers, not an attacker. Likewise, enable password cisco and password-only VTY login are lab settings, not something to copy into production.

CSR1000v (IOS-XE) integrated with GNS3 is used for this lab. Please refer to Install CSR1000v on GNS3 for setup.

The lab topology is as below:

[Figure: multicastoverdmvpn.png, lab topology]

Configuration

R01_HUB

hostname R01_HUB
!
boot-start-marker
boot-end-marker
!
vrf definition GREEN_IVRF
!
address-family ipv4
exit-address-family
enable password cisco
no aaa new-model
ip multicast-routing vrf GREEN_IVRF distributed
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 96FB2ROYCWZ
!
spanning-tree extend system-id
!
redundancy
!
crypto ikev2 keyring GREEN
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key GREEN
!
crypto ikev2 profile GREEN_PROFILE
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local GREEN
dpd 60 2 on-demand
!
crypto ipsec profile GREEN_IPSEC
set ikev2-profile GREEN_PROFILE
!
interface Loopback1
vrf forwarding GREEN_IVRF
ip address 1.1.1.1 255.255.255.255
ip pim sparse-mode
ip igmp join-group 239.1.1.1
ip ospf 1 area 1
!
interface Tunnel1
vrf forwarding GREEN_IVRF
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
! nbma-mode is needed only on the hub. It makes PIM track joins per neighbor
! address instead of per interface, so the outgoing interface list can hold
! Tunnel1 once per joined spoke and the hub can forward traffic received from
! one spoke back out Tunnel1 to the other spokes, which the normal split-horizon
! rule (never send out the interface a packet arrived on) would block. It is
! independent of the OSPF point-to-multipoint network type configured below,
! and it only works on sparse-mode interfaces.
ip pim sparse-mode
ip nhrp authentication GREEN
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp redirect
ip igmp join-group 239.1.1.1
ip ospf network point-to-multipoint
ip ospf 1 area 0
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile GREEN_IPSEC
!
interface GigabitEthernet1
ip address 192.168.0.71 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 200.1.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
vrf forwarding GREEN_IVRF
ip address 10.1.14.1 255.255.255.0
ip pim sparse-mode
ip igmp join-group 239.1.1.1
ip ospf network point-to-point
ip ospf 1 area 0
negotiation auto
!
interface GigabitEthernet4
no ip address
negotiation auto
!
interface GigabitEthernet5
no ip address
negotiation auto
!
interface GigabitEthernet6
no ip address
negotiation auto
!
router ospf 1 vrf GREEN_IVRF
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
login
!
end
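The crypto section above works, but it authenticates any WAN address that knows the word GREEN and leaves the algorithms to the platform defaults (check them with show crypto ikev2 proposal and show crypto ipsec transform-set). The following is an added example of a tightened version, not configuration from the original lab: it pins the IKEv2 and IPsec algorithms and binds the PSK to an IKE identity domain instead of matching any peer. The FQDNs in green.example, the placeholder key and the names GREEN_PROP, GREEN_POLICY and GREEN_TS are assumptions for the example.

```cisco
! Identical on R01, R02 and R03 apart from the "identity local" line.
! Algorithms are pinned (AES-256-GCM, SHA-256 PRF, ECDH group 19) instead of
! relying on whatever "show crypto ikev2 proposal" reports as the default.
crypto ikev2 proposal GREEN_PROP
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy GREEN_POLICY
 proposal GREEN_PROP
!
! The key is still shared by the whole DMVPN cloud (Phase 3 spokes build
! direct tunnels to each other, so every spoke must be able to authenticate
! every other spoke), but it is only offered to peers that present an FQDN
! identity in the assumed green.example domain, not to any IP on the WAN.
! Replace the placeholder with a long random secret.
crypto ikev2 keyring GREEN
 peer GREEN_DMVPN
  identity fqdn domain green.example
  pre-shared-key CHANGE-ME-TO-A-LONG-RANDOM-SECRET
!
! "identity local" is r01.green.example on the hub, r02.green.example and
! r03.green.example on the spokes; without it the peers send their WAN IP as
! identity and the fqdn match below fails (debug crypto ikev2 shows why).
crypto ikev2 profile GREEN_PROFILE
 match identity remote fqdn domain green.example
 identity local fqdn r01.green.example
 authentication remote pre-share
 authentication local pre-share
 keyring local GREEN
 dpd 30 5 on-demand
!
! Transport mode: no second outer IP header on top of the mGRE header,
! which also leaves more room under the 1400-byte tunnel MTU.
crypto ipsec transform-set GREEN_TS esp-gcm 256
 mode transport
!
crypto ipsec profile GREEN_IPSEC
 set transform-set GREEN_TS
 set ikev2-profile GREEN_PROFILE
```

After applying it, show crypto ikev2 sa detailed and show crypto ipsec sa should report the pinned algorithms and the encaps/decaps counters should rise when the multicast ping runs. The step beyond a group PSK is certificate authentication (authentication remote rsa-sig with a PKI trustpoint), which gives each router its own credential without every spoke needing every other spoke's key.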

 

R02_SPOKE

hostname R02_SPOKE
!
boot-start-marker
boot-end-marker
!
vrf definition GREEN_IVRF
!
address-family ipv4
exit-address-family
!
enable password cisco
!
no aaa new-model
!
ip multicast-routing vrf GREEN_IVRF distributed
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9FW9IHOJQ9R
!
spanning-tree extend system-id
!
redundancy
!
crypto ikev2 keyring GREEN
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key GREEN
!
crypto ikev2 profile GREEN_PROFILE
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local GREEN
dpd 60 2 on-demand
!
crypto ipsec profile GREEN_IPSEC
set ikev2-profile GREEN_PROFILE
!
interface Loopback1
vrf forwarding GREEN_IVRF
ip address 2.2.2.2 255.255.255.255
ip pim sparse-mode
ip igmp join-group 239.1.1.1
ip ospf 1 area 2
!
interface Tunnel1
vrf forwarding GREEN_IVRF
ip address 172.16.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication GREEN
ip nhrp map multicast 200.1.1.1
ip nhrp map 172.16.1.1 200.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.16.1.1
ip nhrp shortcut
ip igmp join-group 239.1.1.1
ip ospf network point-to-multipoint
ip ospf 1 area 0
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile GREEN_IPSEC
!
interface GigabitEthernet1
ip address 192.168.0.72 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 200.1.1.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
negotiation auto
!
interface GigabitEthernet4
no ip address
negotiation auto
!
interface GigabitEthernet5
no ip address
negotiation auto
!
interface GigabitEthernet6
no ip address
negotiation auto
!
router ospf 1 vrf GREEN_IVRF
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
login
!
end

R03_SPOKE

hostname R03_SPOKE
!
boot-start-marker
boot-end-marker
!
vrf definition GREEN_IVRF
!
address-family ipv4
exit-address-family
!
enable password cisco
!
no aaa new-model
!
ip multicast-routing vrf GREEN_IVRF distributed
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9YXZYAEXI7B
!
spanning-tree extend system-id
!
redundancy
!
crypto ikev2 keyring GREEN
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key GREEN
!
crypto ikev2 profile GREEN_PROFILE
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local GREEN
dpd 60 2 on-demand
!
crypto ipsec profile GREEN_IPSEC
set ikev2-profile GREEN_PROFILE
!
interface Loopback1
vrf forwarding GREEN_IVRF
ip address 3.3.3.3 255.255.255.255
ip pim sparse-mode
ip igmp join-group 239.1.1.1
ip ospf 1 area 3
!
interface Tunnel1
vrf forwarding GREEN_IVRF
ip address 172.16.1.3 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication GREEN
ip nhrp map multicast 200.1.1.1
ip nhrp map 172.16.1.1 200.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.16.1.1
ip nhrp shortcut
ip igmp join-group 239.1.1.1
ip ospf network point-to-multipoint
ip ospf 1 area 0
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile GREEN_IPSEC
!
interface GigabitEthernet1
ip address 192.168.0.73 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 200.1.1.3 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
negotiation auto
!
interface GigabitEthernet4
no ip address
negotiation auto
!
interface GigabitEthernet5
no ip address
negotiation auto
!
interface GigabitEthernet6
no ip address
negotiation auto
!
router ospf 1 vrf GREEN_IVRF
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
login
!
end

 

R04_Multi

R04_Multi#show run
Building configuration…
Current configuration : 1750 bytes
!
! Last configuration change at 05:21:53 UTC Fri May 6 2016
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname R04_Multi
!
boot-start-marker
boot-end-marker
!
vrf definition GREEN_IVRF
!
address-family ipv4
exit-address-family
!
enable password cisco
!
no aaa new-model
!
ip multicast-routing vrf GREEN_IVRF distributed
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 94G8PLWSLGN
!
spanning-tree extend system-id
!
redundancy
!
interface Loopback1
vrf forwarding GREEN_IVRF
ip address 4.4.4.4 255.255.255.255
ip pim sparse-mode
ip igmp join-group 239.1.1.1
ip ospf 1 area 1
!
interface GigabitEthernet1
ip address 192.168.0.74 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
no ip address
negotiation auto
!
interface GigabitEthernet3
vrf forwarding GREEN_IVRF
ip address 10.1.14.4 255.255.255.0
ip pim sparse-mode
ip igmp join-group 239.1.1.1
ip ospf network point-to-point
ip ospf 1 area 0
negotiation auto
!
interface GigabitEthernet4
no ip address
negotiation auto
!
interface GigabitEthernet5
no ip address
negotiation auto
!
interface GigabitEthernet6
no ip address
negotiation auto
!
router ospf 1 vrf GREEN_IVRF
router-id 4.4.4.4
!
ip forward-protocol nd
ip pim vrf GREEN_IVRF bsr-candidate Loopback1 0
ip pim vrf GREEN_IVRF rp-candidate Loopback1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
login
!
end

 

Verification

Verify multicast routes in VRF GREEN_IVRF on R01, R02, R03 and R04.

R02_SPOKE#show ip mroute vrf GREEN_IVRF
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       N - Received BGP Shared-Tree Prune, n - BGP C-Mroute suppressed,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector, p - PIM Joins on route,
       x - VxLAN group
Outgoing interface flags: H - Hardware switched, A - Assert winner, p - PIM Join
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.1.1.1), 01:21:18/stopped, RP 4.4.4.4, flags: SJCLF
  Incoming interface: Tunnel1, RPF nbr 172.16.1.1
  Outgoing interface list:
    Loopback1, Forward/Sparse, 01:21:18/00:02:20

(172.16.1.3, 239.1.1.1), 00:01:18/00:01:41, flags: LFT
  Incoming interface: Tunnel1, RPF nbr 0.0.0.0, Registering
  Outgoing interface list:
    Loopback1, Forward/Sparse, 00:01:18/00:02:20

(*, 224.0.1.40), 01:21:18/00:02:55, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel1, Forward/Sparse, 01:21:18/00:02:55

Ping the group address from a spoke; every interface that joined the group should reply. Duplicate replies from some members on the first packet are normal while the shared tree and source tree are still being built.

R03_SPOKE#ping vrf GREEN_IVRF 239.1.1.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
Reply to request 0 from 172.16.1.1, 40 ms
Reply to request 0 from 4.4.4.4, 142 ms
Reply to request 0 from 10.1.14.4, 130 ms
Reply to request 0 from 2.2.2.2, 109 ms
Reply to request 0 from 172.16.1.2, 92 ms
Reply to request 0 from 4.4.4.4, 66 ms
Reply to request 0 from 10.1.14.4, 52 ms
Reply to request 0 from 3.3.3.3, 46 ms
Reply to request 0 from 172.16.1.3, 46 ms
Reply to request 0 from 172.16.1.1, 43 ms
Reply to request 0 from 1.1.1.1, 42 ms

Since IOS 15 (and on IOS-XE), the router automatically creates a PIM Register tunnel, shown here as Tunnel0, once it learns an RP for the VRF. The tunnel borrows the address of the interface facing the RP (10.1.14.1 on R01) and carries PIM Register messages from the first-hop router to the RP; it is system managed and cannot be configured or removed.

R01_HUB#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 192.168.0.71 YES manual up up
GigabitEthernet2 200.1.1.1 YES manual up up
GigabitEthernet3 10.1.14.1 YES manual up up
GigabitEthernet4 unassigned YES unset down down
GigabitEthernet5 unassigned YES unset down down
GigabitEthernet6 unassigned YES unset down down
Loopback1 1.1.1.1 YES manual up up
Tunnel0 10.1.14.1 YES unset up up
Tunnel1 172.16.1.1 YES manual up up

R01_HUB(config)#no int tu 0
%Tunnel0 used by PIM for Registering, configuration not allowed


Other Useful Commands

show ip pim vrf GREEN_IVRF neighbor

show ip pim vrf GREEN_IVRF interface

show ip igmp vrf GREEN_IVRF groups

show ip igmp vrf GREEN_IVRF membership

show ip pim vrf GREEN_IVRF rp mapping

show ip pim vrf GREEN_IVRF tunnel

show dmvpn detail

show ip nhrp

show crypto ikev2 sa detailed

show crypto ipsec sa

The last two confirm which IKEv2 and IPsec algorithms were actually negotiated and, through the encaps/decaps counters, that the multicast copies replicated to each spoke really leave inside the IPsec SA rather than as plain GRE.
