Topic '[Config] DMVPN reundandt WAN (SOLVED - config inside)' in forum 'Cisco' - dslreports.com

Re: [Config] DMVPN reundandt WAN question

Fri, 23 Apr 2010 10:13:15 EDT

nicknomo posted : I managed to test it with another spoke, and nhrp dynamically connects the spokes now... That is a pretty cool feature...

Thanks for the encouragement and help!

Re: [Config] DMVPN reundandt WAN question

Fri, 23 Apr 2010 07:15:54 EDT

nosx posted : I didnt know that command existed, im going to have to do some reading today. If it works fine let me know, great work!

Re: [Config] DMVPN reundandt WAN question

Fri, 23 Apr 2010 01:09:54 EDT

nicknomo posted :

said by nosx:

The advantage of true multipoint DMVPN is that the spokes can build tunnels to eachother and communicate.

Please double check in the lab that its still possible (and they dont have to go through the hub) to get traffic from spoke A to spoke B.

Ok, I took it upon myself to try and get a phase 2 implementation... I believe I have succeeded, however any input would be appreciated.

From what I can tell is that there was an ipsec problem using the same tunnel source in the mGRE tunnel. A command was added in the IOS to allow for this. On the spoke we add:

tunnel protection ipsec profile cisco shared

The shared key word allows you to use the same tunnel source apparently.

 version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Router!boot-start-markerboot-end-marker!no logging console!no aaa new-modelmemory-size iomem 5!!ip cef!!crypto isakmp policy 3 hash md5 authentication pre-sharecrypto isakmp key cisco123 address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set strong esp-3des esp-md5-hmac!crypto ipsec profile cisco set security-association lifetime seconds 120 set transform-set strong!!interface Loopback0 ip address 192.168.1.1 255.255.255.0!interface Tunnel0 bandwidth 1000 ip address 172.16.1.1 255.255.255.0 no ip redirects ip mtu 1440 no ip next-hop-self eigrp 90 ip nhrp authentication cisco123 ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 600 no ip split-horizon eigrp 90 delay 1000 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 0 tunnel protection ipsec profile cisco!interface Tunnel1 bandwidth 1000 ip address 172.17.1.1 255.255.255.0 no ip redirects ip mtu 1440 no ip next-hop-self eigrp 90 ip nhrp authentication cisco123 ip nhrp map multicast dynamic ip nhrp network-id 2 ip nhrp holdtime 600 no ip split-horizon eigrp 90 delay 1000 tunnel source FastEthernet0/1 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile cisco!interface FastEthernet0/0 ip address 199.1.1.1 255.255.255.0 duplex auto speed auto!interface FastEthernet0/1 ip address 200.1.1.1 255.255.255.0 duplex auto speed auto!router eigrp 90 network 172.16.1.0 0.0.0.255 network 172.17.1.0 0.0.0.255 network 192.168.1.0 no auto-summary!ip http serverno ip http secure-server!ip route 0.0.0.0 0.0.0.0 199.1.1.2ip route 0.0.0.0 0.0.0.0 200.1.1.2 5!!control-plane!line con 0line aux 0line vty 0 4 login!!end

SPOKE:

version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Router!boot-start-markerboot-end-marker!no logging console!no aaa new-modelmemory-size iomem 5!!ip cef!!crypto isakmp policy 3 hash md5 authentication pre-sharecrypto isakmp key cisco123 address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set strong esp-3des esp-md5-hmac!crypto ipsec profile cisco set security-association lifetime seconds 120 set transform-set strong!!interface Loopback0 ip address 192.168.244.1 255.255.255.0 no ip redirects!interface Tunnel0 bandwidth 1000 ip address 172.16.1.2 255.255.255.0 ip mtu 1440 ip nhrp authentication cisco123 ip nhrp map multicast 199.1.1.1 ip nhrp map 172.16.1.1 199.1.1.1 ip nhrp network-id 1 ip nhrp holdtime 300 ip nhrp nhs 172.16.1.1 ip nhrp registration timeout 30 delay 1000 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 0 tunnel protection ipsec profile cisco shared!interface Tunnel1 bandwidth 1000 ip address 172.17.1.2 255.255.255.0 ip mtu 1440 ip nhrp authentication cisco123 ip nhrp map multicast 200.1.1.1 ip nhrp map 172.17.1.1 200.1.1.1 ip nhrp network-id 2 ip nhrp holdtime 300 ip nhrp nhs 172.17.1.1 delay 1500 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile cisco shared!interface FastEthernet0/0 ip address 201.1.1.1 255.255.255.0 duplex auto speed auto!interface FastEthernet0/1 no ip address duplex auto speed auto!router eigrp 90 offset-list 1 out 12800 Tunnel1 network 172.16.1.0 0.0.0.255 network 172.17.1.0 0.0.0.255 network 192.168.244.0 distribute-list 1 out no auto-summary eigrp stub connected!ip http serverno ip http secure-server!ip route 0.0.0.0 0.0.0.0 201.1.1.2!!access-list 1 permit 172.168.16.0access-list 1 permit 172.168.17.0access-list 1 permit 192.168.244.0!!control-plane!!line con 0line aux 0line vty 0 4 login!!end

Re: [Config] DMVPN reundandt WAN question

Thu, 22 Apr 2010 19:32:12 EDT

nicknomo posted : You are correct. In this case the remote sites are not meshed... I'm pretty sure you'd need an mGRE tunnel to do that, correct?

Unfortunately, the mGRE tunnel does not allow the same source for the tunnels from what I've read.. I only have one external interface on the remote spoke routers..

Re: [Config] DMVPN reundandt WAN question

Thu, 22 Apr 2010 18:01:02 EDT

nosx posted : The advantage of true multipoint DMVPN is that the spokes can build tunnels to eachother and communicate.

Please double check in the lab that its still possible (and they dont have to go through the hub) to get traffic from spoke A to spoke B.

Re: [Config] DMVPN reundandt WAN question

Thu, 22 Apr 2010 15:14:57 EDT

nicknomo posted : I appreciate the reply, it got me started in the right direction. Unfortunately, the solution posted did not work... I did some research, and thanks to your network-id # change, I was able to find what I needed.

Some key changes were that
1) I needed different tunnel keys
2) I could not use an mGRE tunnel on the spokes for some reason - I had to use a ppGRE tunnel instead.

Here is the full config, tested and confirmed in GNS3 (these aren't my ips or auth keys - its a pre-production lab).. I'd be open to any feedback or suggestions to take for a different approach.

HUB:

Current configuration : 1850 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Router!boot-start-markerboot-end-marker!no logging console!no aaa new-modelmemory-size iomem 5!!ip cef!!!crypto isakmp policy 3 hash md5 authentication pre-sharecrypto isakmp key cisco123 address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set strong esp-3des esp-md5-hmac!crypto ipsec profile cisco set security-association lifetime seconds 120 set transform-set strong!!interface Loopback0 ip address 192.168.1.1 255.255.255.0!interface Tunnel0 bandwidth 1000 ip address 172.16.1.1 255.255.255.0 ip mtu 1440 ip nhrp authentication cisco123 ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 600 no ip split-horizon eigrp 90 delay 1000 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 0 tunnel protection ipsec profile cisco!interface Tunnel1 bandwidth 1000 ip address 172.17.1.1 255.255.255.0 ip mtu 1440 ip nhrp authentication cisco123 ip nhrp map multicast dynamic ip nhrp network-id 2 ip nhrp holdtime 600 no ip split-horizon eigrp 90 delay 1000 tunnel source FastEthernet0/1 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile cisco!interface FastEthernet0/0 ip address 199.1.1.1 255.255.255.0 duplex auto speed auto!interface FastEthernet0/1 ip address 200.1.1.1 255.255.255.0 duplex auto speed auto!router eigrp 90 network 172.16.1.0 0.0.0.255 network 172.17.1.0 0.0.0.255 network 192.168.1.0 no auto-summary!ip http serverno ip http secure-server!ip route 0.0.0.0 0.0.0.0 199.1.1.2ip route 0.0.0.0 0.0.0.0 200.1.1.2 5!!control-plane!line con 0line aux 0line vty 0 4 login!!end

SPOKE:

version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Router!boot-start-markerboot-end-marker!no logging console!no aaa new-modelmemory-size iomem 5!!ip cef!!crypto isakmp policy 3 hash md5 authentication pre-sharecrypto isakmp key cisco123 address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set strong esp-3des esp-md5-hmac!crypto ipsec profile cisco set security-association lifetime seconds 120 set transform-set strong!!interface Loopback0 ip address 192.168.244.1 255.255.255.0 no ip redirects!interface Tunnel0 bandwidth 1000 ip address 172.16.1.2 255.255.255.0 ip mtu 1440 ip nhrp authentication cisco123 ip nhrp map 172.16.1.1 199.1.1.1 ip nhrp network-id 1 ip nhrp holdtime 300 ip nhrp nhs 172.16.1.1 delay 1000 tunnel source FastEthernet0/0 tunnel destination 199.1.1.1 tunnel key 0 tunnel protection ipsec profile cisco!interface Tunnel1 bandwidth 1000 ip address 172.17.1.2 255.255.255.0 ip mtu 1440 ip nhrp authentication cisco123 ip nhrp map 172.17.1.1 200.1.1.1 ip nhrp network-id 2 ip nhrp holdtime 300 ip nhrp nhs 172.17.1.1 delay 1500 tunnel source FastEthernet0/0 tunnel destination 200.1.1.1 tunnel key 1 tunnel protection ipsec profile cisco!interface FastEthernet0/0 ip address 201.1.1.1 255.255.255.0 duplex auto speed auto!interface FastEthernet0/1 no ip address duplex auto speed auto!router eigrp 90 offset-list 1 out 12800 Tunnel1 network 172.16.1.0 0.0.0.255 network 172.17.1.0 0.0.0.255 network 192.168.244.0 distribute-list 1 out auto-summary!ip http serverno ip http secure-server!ip route 0.0.0.0 0.0.0.0 201.1.1.2!!access-list 1 permit 192.168.244.0!!control-plane! !line con 0line aux 0line vty 0 4 login!!end

For anyone else interested in this thread, the only lines I added to my base config were the tunnel interfaces, and the eigrp lines.

I used loopbacks for what would be my LAN on each router.

I hope this helps someone in the same situation, and thanks again deepblack for the help!

Re: [Config] DMVPN reundandt WAN question

Wed, 21 Apr 2010 17:40:10 EDT

nosx posted : I fudged through it with visio, you can try to source both tunnels from the same real ip. I have never seen this in the real world though. forgive any typos.

Re: [Config] DMVPN reundandt WAN question

Wed, 21 Apr 2010 17:37:01 EDT

nicknomo posted : Thanks for the reply..

My hub does in fact have two different WAN IP's from two different ISP's. I was under the impression EIGRP would pick one interface until performance became poor and/or connection was lost.

The spoke's are not redundant in any way and only have one WAN IP.

I have been editing the configuration over the last few hours, so I don't have what crashed it.. This is what I'm currently trying on the hub:

interface Tunnel1ip address 172.16.1.254 255.255.255.0no ip redirectsip mtu 1440ip nhrp authentication ciscoip nhrp map multicast dynamicip nhrp network-id 1no ip split-horizon eigrp 90no ip next-hop-self eigrp 90tunnel source ser0/1.500tunnel mode gre multipointtunnel key 0tunnel protection ipsec profile cisco

Should I maybe use a different EIGRP AS number?

Re: [Config] DMVPN reundandt WAN question

Wed, 21 Apr 2010 17:23:03 EDT

nosx posted : I need more information to better answer that question.
Does every hub site have 2 different WAN IPs?

Does every spoke site have 2 different WAN IPs?
(this is important for when the hub router resolves the internal ip 173.16.1.X to a real routable ip 1.2.3.4 to send its IPSEC encrypted GRE traffic to, which WAN interface is it going to send it out of?)

You can create multiple DMVPN tunnels but you need to be very careful of routing loops and recursive lookup failures.

I would be curious to know what IOS you are running and exactly what config crashed it (with what crash traceback info if you have any)

[Config] DMVPN reundandt WAN (SOLVED - config inside)

Wed, 21 Apr 2010 17:06:25 EDT

nicknomo posted : I'm looking to have redundancy for my DMVPN without resorting to another router. I've seen some examples for a dual router scenario, and they look pretty trivial.

I tried duplicating the tunnel configuration, and it just crashed my switch and router. Any advice would be helpful.

HUB:

!-- Outside interfaces --int ser0/1.500..... int fast0/1..... !-- Inside interfaces --int fast0/0ip address 192.168.1.1 255.255.255.0 interface Tunnel0ip address 172.16.1.1 255.255.255.0no ip redirectsip mtu 1440ip nhrp authentication ciscoip nhrp map multicast dynamicip nhrp network-id 1no ip split-horizon eigrp 90no ip next-hop-self eigrp 90tunnel source fast0/1tunnel mode gre multipointtunnel key 0tunnel protection ipsec profile cisco router eigrp 90network 172.16.1.0 0.0.0.255network 192.168.1.0no auto-summary

SPOKE:

!-- Outside interfaces --int fast0..... !-- Inside interfaces --int vlan1ip address 192.168.244.1 255.255.255.0 interface Tunnel0ip address 172.16.1.2 255.255.255.0no ip redirectsip mtu 1440ip nhrp authentication ciscoip nhrp map multicast dynamicip nhrp map 172.16.1.1 200.200.200.200ip nhrp map multicast 200.200.200.200ip nhrp network-id 1ip nhrp nhs 172.16.1.1tunnel source FastEthernet0tunnel mode gre multipointtunnel key 0tunnel protection ipsec profile cisco router eigrp 90network 172.16.1.0 0.0.0.255network 192.168.244.0 no auto-summary