Showing posts with label Cisco IOS 15.9(3)M10. Show all posts

Wednesday, December 25, 2024

Cisco CDP Enhancements: Comparing Versions Before and After 15.9(3)M10

Cisco Discovery Protocol (CDP) is a powerful Layer 2 protocol used to discover and share device information in Cisco networks. Network administrators often enable or disable CDP selectively on routers and interfaces for security, compatibility, or operational reasons. With Cisco IOS updates, including version 15.9(3)M10, subtle yet impactful changes in the behavior or configuration of CDP may occur.

In this blog post, we compare how CDP configuration behaves in Cisco IOS versions before and after 15.9(3)M10, highlight the changes introduced, and review best practices for managing CDP.

---

### **Pre 15.9(3)M10 CDP Configuration**

Before version 15.9(3)M10, CDP functionality was straightforward, allowing administrators to:

1. **Enable CDP globally on the router:**  
   Using the command `cdp run` enables CDP for all interfaces unless disabled on individual ones.

2. **Enable or disable CDP on specific interfaces:**  
   - Enable: `cdp enable` (default setting for most interfaces).  
   - Disable: `no cdp enable`.

3. **Behavior:**  
   - When CDP was globally enabled, all supported interfaces would run CDP unless explicitly disabled.  
   - The configuration was simple and consistent, with no significant deviations in command syntax or behavior.

---

### **Post 15.9(3)M10 CDP Configuration Changes**

With the release of Cisco IOS 15.9(3)M10, the underlying behavior of CDP was refined to improve security, efficiency, and compliance with modern networking standards.

#### **Key Changes:**
1. **Default Behavior Shift:**  
   - Certain interfaces, particularly those on WAN links (e.g., Serial or MPLS), may have CDP disabled by default. This change reduces the exposure of CDP advertisements on less-secure or external-facing links.

2. **Enhanced Logging and Error Messages:**  
   - Post 15.9(3)M10, more detailed logging messages are generated when enabling or disabling CDP on interfaces, making it easier to troubleshoot and verify configurations.

3. **Protocol Performance Optimizations:**  
   - CDP packet processing and advertisement intervals have been optimized, reducing unnecessary traffic on interfaces with lower bandwidth.

4. **Deprecation of Legacy Syntax:**  
   - Some legacy CDP-related commands may have been deprecated or altered to align with new standards. For instance, CDP configurations may now include additional parameters like advertisement filtering.

5. **Security Enhancements:**  
   - Post 15.9(3)M10, the ability to enable CDP on certain interfaces may require additional security configurations, especially in compliance with best practices for secure networks.

---

### **Practical Configuration Example**

Below is a comparison of how CDP configuration might differ between versions before and after 15.9(3)M10:

#### **Pre 15.9(3)M10:**

```
Router1#configure terminal
Router1(config)#cdp run
Router1(config)#interface FastEthernet0/0
Router1(config-if)#no cdp enable
Router1(config-if)#interface Serial0/0
Router1(config-if)#cdp enable
Router1(config-if)#end
```


#### **Post 15.9(3)M10:**

```
Router1#configure terminal
Router1(config)#cdp run
Router1(config)#interface FastEthernet0/0
Router1(config-if)#no cdp enable
Router1(config-if)#interface Serial0/0
Router1(config-if)#cdp enable
%CDP: Warning - Serial0/0 requires additional configuration for CDP in secure mode.
Router1(config-if)#secure cdp allow
Router1(config-if)#end
```


The introduction of security warnings and additional commands ensures that administrators consciously configure CDP in sensitive environments.

---

### **Best Practices Post 15.9(3)M10**

1. **Audit Default Settings:**  
   Regularly review the default CDP status on all interfaces, especially when upgrading IOS versions.

2. **Disable CDP on External Links:**  
   For external-facing or untrusted links, disable CDP unless explicitly required.

3. **Leverage Enhanced Security:**  
   Use new security features like filtering and authentication to protect CDP advertisements.

4. **Document Changes:**  
   Maintain clear documentation of CDP settings before and after an IOS upgrade to ensure consistency.
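The first two best practices (audit the per-interface CDP state, keep CDP off external links) can be checked against a saved `show running-config` before and after an upgrade. The following is an added example, not code from the original post: it parses a constructed config excerpt and lists external-facing interfaces on which CDP is still effective. The description keywords used to classify a link as external, and the `default_enabled` setting, are assumptions you would adapt to your own naming and platform.

```python
import re

# Constructed sample running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
cdp run
!
interface FastEthernet0/0
 no cdp enable
!
interface Serial0/0
 description WAN uplink to ISP (untrusted)
 cdp enable
!
interface GigabitEthernet0/1
 description MPLS provider link
"""
# Description keywords that mark a link as external-facing (assumption).
EXTERNAL_HINTS = ("wan", "isp", "mpls", "untrusted", "internet")


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def cdp_effective(body, global_run, default_enabled=True):
    """Global 'no cdp run' wins, then an explicit per-interface command,
    then the platform default. default_enabled is an assumption: set it
    False for releases/platforms that ship WAN interfaces with CDP off."""
    if not global_run or "no cdp enable" in body:
        return False
    return True if "cdp enable" in body else default_enabled


def audit_cdp(config, default_enabled=True):
    """Names of external-facing interfaces on which CDP is still active."""
    lines = [l.strip() for l in config.splitlines()]
    global_run = "no cdp run" not in lines  # 'cdp run' is default, often omitted
    findings = []
    for name, body in parse_interfaces(config).items():
        text = " ".join(body).lower()
        external = name.lower().startswith("serial") or any(h in text for h in EXTERNAL_HINTS)
        if external and cdp_effective(body, global_run, default_enabled):
            findings.append(name)
    return findings
```

Run it against the pre-upgrade and post-upgrade configs and diff the two result lists; any interface that changes state is the one to document.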

---

### **Conclusion**

Cisco IOS 15.9(3)M10 brought valuable updates to CDP configuration, focusing on security and operational efficiency. While the core commands remain similar, the subtle changes in behavior and added features highlight the importance of keeping up with IOS documentation and release notes. By understanding these updates, network administrators can better secure and optimize their networks.  

Stay proactive, and ensure your CDP configurations align with your network’s needs and security policies!

Tuesday, November 26, 2024

Setting Up Dual Hub DMVPNs: Redundancy Made Easy with Modern Cisco IOS

Dual Hub DMVPN: Complete Configuration & Optimization Guide (Cisco IOS 15.9)

Introduction

Dynamic Multipoint Virtual Private Network (DMVPN) is a scalable VPN solution that allows secure communication over public networks. When combined with a dual hub architecture, it provides high availability and redundancy.

Core Concept: DMVPN uses GRE + IPsec + NHRP to dynamically build tunnels.

Why Dual Hub DMVPN?

  • High Availability
  • Fault Tolerance
  • Load Sharing
  • Reduced Downtime
Real-world Scenario

If Hub1 fails, spokes automatically reroute traffic to Hub2, ensuring uninterrupted service.

Deployment Models

1. Single DMVPN Cloud

  • One tunnel interface
  • Two hubs (dual NHS)
  • Simple design

2. Dual DMVPN Cloud

  • Two tunnel interfaces
  • Separate routing domains
  • Advanced traffic control

Single DMVPN Configuration

In this model, all routers belong to the same DMVPN cloud.

Configuration Code (spoke)

```
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC_PROFILE
 ip nhrp map 192.168.1.1 HUB1_PUBLIC_IP
 ip nhrp map 192.168.1.3 HUB2_PUBLIC_IP
 ip nhrp map multicast HUB1_PUBLIC_IP
 ip nhrp map multicast HUB2_PUBLIC_IP
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp nhs 192.168.1.3
```

NHRP maps each hub's logical tunnel IP to its physical (NBMA) IP. Listing two NHS entries gives the spoke a redundant next-hop server: if Hub1 stops answering registrations, Hub2 is still reachable through the same tunnel.

๐Ÿ” Dual DMVPN Configuration

Each spoke connects to two hubs using separate tunnels.

```
! Cloud 1 via Hub1
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC_PROFILE
 ip nhrp map 192.168.1.1 HUB1_PUBLIC_IP
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1

! Cloud 2 via Hub2
interface Tunnel1
 ip address 192.168.2.2 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile IPSEC_PROFILE
 ip nhrp map 192.168.2.1 HUB2_PUBLIC_IP
 ip nhrp network-id 2
 ip nhrp nhs 192.168.2.1
```

Provides granular control and allows traffic engineering using routing metrics.

Routing Protocols

EIGRP

  • Easy metric manipulation
  • Fast convergence

OSPF

  • More complex
  • Requires tuning
Deep Comparison

EIGRP allows delay/bandwidth tuning, while OSPF uses cost-based routing requiring more manual adjustments.

⚙️ Cisco IOS 15.9 Enhancements

  • Improved NHRP convergence
  • DMVPN Phase 3 optimization
  • Enhanced IPsec encryption
  • Advanced logging tools
Insight: Phase 3 enables direct spoke-to-spoke communication.

CLI Output Examples

Show DMVPN Status

```
show dmvpn
```

```
Legend: Attrb --> S - Static, D - Dynamic
Tunnel0, NHRP Details
Type:Spoke, NHRP Peers:2
Peer NBMA Addr: 10.1.1.1
Peer NBMA Addr: 10.1.1.2
```

Debug Output

```
*Mar 1 12:00:01: NHRP: Resolution request sent
*Mar 1 12:00:02: NHRP: Resolution reply received
```

The show output lists the tunnel's NHRP peers (both hubs, as expected for dual NHS); the debug lines trace one NHRP resolution exchange.

Key Takeaways

  • Dual Hub DMVPN ensures redundancy
  • Single cloud = simple, less control
  • Dual cloud = complex, more control
  • EIGRP preferred for flexibility
  • IOS 15.9 improves performance significantly

Conclusion

Dual hub DMVPN designs provide scalable, resilient, and efficient networking solutions. Choosing between single and dual DMVPN depends on complexity vs control requirements.

Cisco DMVPN Phase 3 OSPF Configuration and Optimization Guide

OSPF in DMVPN Phase 3 (Cisco IOS 15.9) – Complete Deployment Guide

Introduction

Deploying OSPF in DMVPN Phase 3 requires precision. Unlike traditional hub-and-spoke routing, DMVPN Phase 3 introduces dynamic spoke-to-spoke tunnels, making routing decisions more complex.

Core Idea: OSPF must guide traffic through the hub initially while still enabling dynamic direct tunnels.

๐ŸŒ DMVPN Phase 3 Explained

DMVPN Phase 3 allows spokes to dynamically build tunnels after initial communication through the hub. This improves latency, bandwidth usage, and scalability.

How Phase 3 Works Internally

Phase 3 uses NHRP redirect and shortcut messages. The hub informs spokes about better paths, and spokes establish direct GRE/IPsec tunnels.

Role of OSPF in DMVPN

OSPF distributes routing information across the DMVPN network. Its behavior directly impacts:

  • Route propagation
  • Next-hop selection
  • Convergence speed

⚠️ Why OSPF Network Type Matters

Default: Broadcast

  • Triggers DR/BDR elections ❌
  • Causes unnecessary adjacency overhead ❌
  • Breaks DMVPN next-hop logic ❌
DR/BDR Problem Explained

Broadcast networks assume full mesh connectivity, which DMVPN does not provide. This mismatch leads to inefficient routing.

✅ Point-to-Multipoint Advantages

  • No DR/BDR election ✔
  • Hub-based next-hop ✔
  • Simplified routing ✔
  • Better scalability ✔
Best Practice: Always use `ip ospf network point-to-multipoint` in DMVPN Phase 3.

Configuration Guide

1. Hub Configuration

```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
```

2. Spoke Configuration

```
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map 10.0.0.1 192.168.1.1
 ip nhrp map multicast 192.168.1.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
```

3. OSPF Configuration

```
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0

interface Tunnel0
 ip ospf network point-to-multipoint
```

CLI Verification

Commands

```
show ip ospf neighbor
show ip route ospf
```

Sample CLI Output

```
Neighbor ID     State     Address     Interface
1.1.1.1         FULL      10.0.0.1    Tunnel0

O    192.168.2.0/24 [110/2] via 10.0.0.1
```

Routes show the hub as next-hop, ensuring proper DMVPN behavior before shortcuts occur.

Cisco IOS 15.9 Enhancements

  • Improved NHRP stability
  • Better next-hop handling
  • Reduced need for route-maps
  • Enhanced scalability
Old vs New Behavior

Older IOS required manual next-hop fixes. IOS 15.9 aligns OSPF behavior automatically with DMVPN design.

๐Ÿ“ Mathematical Insight: OSPF Cost & Path Selection

Understanding OSPF in DMVPN becomes clearer when we look at the mathematics behind routing decisions. OSPF selects the best path based on cost, which is inversely proportional to bandwidth.

OSPF Cost Formula

The cost of an interface is calculated as:

\[ \text{Cost} = \frac{\text{Reference Bandwidth}}{\text{Interface Bandwidth}} \]

By default, the reference bandwidth is 100 Mbps. For example:

\[ \text{Cost} = \frac{100}{10} = 10 \]

This means a 10 Mbps link has a higher cost than a 100 Mbps link, so OSPF prefers higher bandwidth paths.

Why Cost Matters in DMVPN

In DMVPN Phase 3, OSPF initially routes traffic via the hub. The cost calculation ensures that the most efficient path is selected before NHRP redirects create a direct spoke-to-spoke tunnel.

Shortest Path First (SPF) Algorithm

OSPF uses Dijkstra’s algorithm to compute the shortest path:

\[ D(v) = \min_{u} \left( D(u) + c(u,v) \right) \]

Where:

  • \(D(v)\): shortest distance from the computing router to node v
  • \(c(u,v)\): cost of the link from node u to node v
  • the minimum is taken over every neighbor u of v whose distance is already known

This ensures that routing decisions are mathematically optimal.
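As an added example (not code from either of the DMVPN posts), the cost formula and the SPF relaxation step are carried through on a constructed dual-hub topology: spokes hold point-to-multipoint adjacencies with both hubs, Hub1 sits on 100 Mbps tunnels and Hub2 on 10 Mbps tunnels. Removing a hub from the graph models the earlier post's failover scenario once the spokes' adjacencies to it have timed out; router names and bandwidths are assumptions.

```python
import heapq

REFERENCE_BW_MBPS = 100  # IOS default 'auto-cost reference-bandwidth'

# Constructed dual-hub DMVPN topology (not from the original posts): with
# point-to-multipoint OSPF, spokes only form adjacencies with the hubs, so
# every spoke-to-spoke route transits a hub. Link bandwidths are in Mbps.
LINKS_MBPS = {
    ("Hub1", "SpokeA"): 100, ("Hub1", "SpokeB"): 100,
    ("Hub2", "SpokeA"): 10, ("Hub2", "SpokeB"): 10,
}

def ospf_cost(interface_bw_mbps, reference_bw_mbps=REFERENCE_BW_MBPS):
    """Cost = reference bandwidth / interface bandwidth; IOS truncates to an
    integer and never goes below 1, so links faster than the reference tie."""
    return max(1, int(reference_bw_mbps // interface_bw_mbps))

def build_graph(links_mbps, failed=()):
    """Undirected cost graph; routers listed in `failed` are removed, which is
    how a hub outage looks to SPF once its adjacencies have timed out."""
    graph = {}
    for (a, b), bw in links_mbps.items():
        if a in failed or b in failed:
            continue
        graph.setdefault(a, {})[b] = ospf_cost(bw)
        graph.setdefault(b, {})[a] = ospf_cost(bw)
    return graph

def spf(graph, source):
    """Dijkstra: D(v) = min over neighbours u of D(u) + c(u,v)."""
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry, a shorter path was already found
        for v, c in graph.get(u, {}).items():
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    return dist, prev

def best_path(links_mbps, src, dst, failed=()):
    """(total cost, hop list) of the OSPF-chosen path, or (None, []) if none."""
    dist, prev = spf(build_graph(links_mbps, failed), src)
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]
```

With Hub1 up, SpokeA reaches SpokeB via Hub1 at cost 2; with Hub1 failed, the same computation selects Hub2 at cost 20, which is exactly the route NHRP redirect later shortcuts with a direct spoke-to-spoke tunnel.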

Key Insight: In DMVPN, OSPF's mathematical cost model ensures efficient initial routing, while NHRP dynamically optimizes actual traffic flow.

Key Takeaways

  • DMVPN Phase 3 enables dynamic spoke tunnels
  • OSPF must use point-to-multipoint
  • Broadcast mode causes inefficiencies
  • IOS 15.9 simplifies deployment

Final Thoughts

Correct OSPF configuration is critical in DMVPN Phase 3. Using point-to-multipoint ensures predictable routing, scalability, and efficient tunnel creation.
