Phase 2 DMVPN in a nutshell:

• Multipoint GRE tunnels on all routers.
• NHRP is used for dynamic spoke registrations (like with Phase 1 DMVPN), but also for on-demand resolution of spoke transport addresses.
• Traffic between the spokes initially flows through the hub router until NHRP resolves the remote spoke transport IP address and IKE establishes the IPSec session with it.
• The IP next-hop address for any prefix reachable over DMVPN must be the egress router (hub or spoke). From the routing perspective, Phase 2 DMVPN subnet should behave like a LAN.
• Multicast packets (including routing protocol hello packets and routing updates) are exchanged only between the hub and the spoke routers.
• Routing adjacencies are established only between the hub and the spoke routers unless you use statically configured neighbors.

For more details watch the DMVPN webinar webinar.

This is how you configure OSPF in a Phase 1 DMVPN network (read the introductory post and Phase 1 DMVPN fundamentals first):

Remember:

• Use point-to-multipoint network type on the hub router to ensure the hub router is always the IP next hop for the DMVPN routes.
• Use point-to-multipoint network type on the spoke routers to ensure the OSPF timers match with the hub router.
• The DMVPN part of your network should be a separate OSPF area; if at all possible, make it a stub or NSSA area.
• If absolutely needed, use OSPF LSA flood filter on the hub router and a static default route on the spokes.

For more information, watch the DMVPN Technology and Configuration webinar.

Phase 1 DMVPN in a nutshell:

• Point-to-point GRE tunnel on spoke routers
• Multipoint GRE tunnel on the hub router.
• All the DMVPN traffic (including the traffic between the spokes) flows through the hub router.
• On the spoke routers, the hub router must be the IP next-hop for all destinations reachable through the DMVPN subnet (including other spokes).
• Multicast packets (including routing protocol hello packets and routing updates) are exchanged only between the hub and the spoke routers.

A few days ago I received the following e-mail from one of my readers:

I am trying presently to put in place a DMVPN solution running OSPF. I was wondering if you ever saw a solution with dual hub dual cloud design with OSPF working in practice because since I started I have issue with asymmetric routing because of the OSPF functionality.

Actually, I did… and exactly the same setup is included in the tested router configurations you get with the DMVPN: from Basics to Scalable Networks webinar. While there are many things that can go wrong with DMVPN, I’ve never heard about asymmetric routing problems, so I started to investigate what’s actually going on.

More than five years after the MPLS/VPN-in-mGRE encapsulation was standardized (add a few more years for the work-in-progress and IETF draft stages), it finally debuted in a mainstream-wannabe IOS release running on ISR routers (15.1(2)T), making it usable for the enterprise WAN designers, who are probably its best target audience.

I was writing about the two conflicting MPLS/VPN over mGRE implementations a while ago and got the impression the Service Providers aren’t too excited about this option. No wonder – most of them use full-blown MPLS backbones, so they have no need for GRE tunnels.

Upendra wrote the following comment to my “EEM CLI patterns are not context sensitive” post:

I am totally confused with sync yes|no skip yes|no. What is the mean of sync and skip, when we use these keywords and what is the mean of yes and no.

The online documentation on this topic is pretty extensive, but obviously not explicit enough, so let’s try to reword it.

Jedi Mind Tricks: HTTP Request Smuggling – an intriguing HTTP vulnerability and the countermeasure using ... what else ... F5.

Flailing IPv6 – up to 13% of IPv6 connections fail, mostly due to broken tunnels. Stop tunneling!

Cisco UCS criticism and FUD: Answered – another great article by @bradhedlund. Assuming he’s not making it up, some competitors must be really desperate.

Understanding Inter-Area Loop Prevention Caveats in OSPF Protocol – a masterpiece by @plapukhov. I thought I knew almost everything there is to know about OSPF. Boy was I wrong.

Remember how I was always saying the big picture is important? Here's the wallystic approach:

If you’re building a DMVPN network with large spoke-to-hub ratio, BGP is one of the better options – it has no scalability limitations associated with multicast flooding; the only parameter you have to consider is the number of BGP sessions the hub router can handle (and according to this presentation, ASR can handle 2000+ spokes).

Just before 2010 disappeared, a tweet by my friend Greg @etherealmind Ferro triggered a minor twitstorm. He wrote:

If we had implemented IPv6 ten years ago, would we have MPLS today? I think not.

His tweet contains two major misconceptions:

• MPLS was designed to implement layer-3 VPN services;
• We wouldn’t need VPNs if everyone would be using global IPv6 addresses.

I’ll focus on the first one today; the inaccuracy of the second one is obvious to anyone who was asked to implement MPLS VPNs in enterprise networks to ensure end-to-end path separation between departments or users with different security levels.

John McManus published excellent Remote (in Band) Configuration Tips post on etherealmind.com last week, prompting a “Too bad there isn't a fix for forgetting ‘reload in’” tweet by @mfratto. My immediate reaction was “this should be easy to solve with EEM” ... and it is.

New Year Resolution #1: I shall clean my Inbox on a weekly basis. Here are the links that started gathering dust during the last week:

• It’s amazing how similar the sysadmin problems are to ours: give us CLI, not eye candy, ASCII configurations and APIs. One could only hope the networking vendors would listen as well.
• Moving To The Cloud Is Not Cut And Paste. Some people will try to move their existing broken applications to the cloud. Some people have used screen scrapers to GUIze their existing 3270 SNA applications. The results will probably be the same.
• The Curious Case of the MBO Cloud ... and some people will move to the cloud just to get the yearly bonus. Fantastic motivation; expect pure awesomeness.
• The Recertification Treadmill – great news; I can stop ranting about stupidities in our industry. @networkingnerd is doing a great job.
• Cisco Nexus 7000 connectivity solutions for Cisco UCS – what else would you expect from @bradhedlund but another great UCS/Nexus post.
• Technology Short Take #9 – Another great summary from Scott Lowe.
• An introduction to Net Neutrality. A nice introductory article.
• Q-tools: An approach for discovery and knowledge work – a bit academic, but a must-read.
• Controller-less WLANs – the controller pendulum is swinging.

Another year-end cleanup action: I wrote lots of articles for SearchTelecom in the last few years. You can find links to all of them (together with those I wrote for SearchNetworking and SearchEnterpriseWan) on this page. Enjoy!

You have to register with TechTarget to be able to view them, but they do respect your settings (you can decide not to subscribe to any of their mailing lists).

Last gems found in dusty corners of my cluttered Inbox:

• The Myths of IT – Part 1 and Part 2. A must-read for anyone working in the IT industry.
• Phone - Scott Adams (of the Dilbert fame) ranting about smartphones. Priceless.
• Maybe you only need it because you have it – seen it too many times. Might also apply to long-distance vMotion.

Every Internet-related post is a great opportunity to increase comment count. I’ll pass this time, here are the articles I found interesting with little or no comments from my side. First the generic Internet:

• IPv6 and Transitional Myths – Great mythbuster by Geoff Huston
• Google IPv6 statistics

And then my favorite controversy:

• Net Neutrality for Dummies
• Network Neutrality: Pretty Much Just Socialism (I’m obviously not the only one claiming that)
• ISP's top data hog gobbles 2.7TB of data in a month – a bit old but still relevant
• Congress Needs to Step In for Net Neutrality...Really? Seriously?
• Mobile Carriers Dream of Charging per Page