nosx

join:2004-12-27
kudos:5
reply to nicknomo

Re: [Config] DMVPN redundant WAN question

I fudged through it with Visio; you can try to source both tunnels from the same real IP. I have never seen this in the real world though. Forgive any typos.

nicknomo

join:2004-05-02
East Meadow, NY
I appreciate the reply, it got me started in the right direction. Unfortunately, the solution posted did not work... I did some research, and thanks to your network-id # change, I was able to find what I needed.

Some key changes were that
1) I needed different tunnel keys
2) I could not use an mGRE tunnel on the spokes for some reason - I had to use a ppGRE tunnel instead.

Here is the full config, tested and confirmed in GNS3 (these aren't my IPs or auth keys; it's a pre-production lab). I'd be open to any feedback or suggestions to take for a different approach.

HUB:
Current configuration : 1850 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 no ip split-horizon eigrp 90
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface Tunnel1
 bandwidth 1000
 ip address 172.17.1.1 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 600
 no ip split-horizon eigrp 90
 delay 1000
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address 199.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 200.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 90
 network 172.16.1.0 0.0.0.255
 network 172.17.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 199.1.1.2
ip route 0.0.0.0 0.0.0.0 200.1.1.2 5
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
 

SPOKE:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
!
interface Loopback0
 ip address 192.168.244.1 255.255.255.0
 no ip redirects
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map 172.16.1.1 199.1.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.1.1
 delay 1000
 tunnel source FastEthernet0/0
 tunnel destination 199.1.1.1
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface Tunnel1
 bandwidth 1000
 ip address 172.17.1.2 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map 172.17.1.1 200.1.1.1
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 172.17.1.1
 delay 1500
 tunnel source FastEthernet0/0
 tunnel destination 200.1.1.1
 tunnel key 1
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address 201.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
router eigrp 90
 offset-list 1 out 12800 Tunnel1
 network 172.16.1.0 0.0.0.255
 network 172.17.1.0 0.0.0.255
 network 192.168.244.0
 distribute-list 1 out
 auto-summary
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 201.1.1.2
!
!
access-list 1 permit 192.168.244.0
!
!
control-plane
!
 
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
 

For anyone else interested in this thread, the only lines I added to my base config were the tunnel interfaces, and the eigrp lines.

I used loopbacks for what would be my LAN on each router.

I hope this helps someone in the same situation, and thanks again deepblack for the help!

nosx

join:2004-12-27
kudos:5
The advantage of true multipoint DMVPN is that the spokes can build tunnels to each other and communicate.

Please double check in the lab that it's still possible (and they don't have to go through the hub) to get traffic from spoke A to spoke B.

nicknomo

join:2004-05-02
East Meadow, NY
You are correct. In this case the remote sites are not meshed... I'm pretty sure you'd need an mGRE tunnel to do that, correct?

Unfortunately, the mGRE tunnel does not allow the same source for the tunnels from what I've read.. I only have one external interface on the remote spoke routers..

nicknomo

join:2004-05-02
East Meadow, NY
reply to nosx
said by nosx:

The advantage of true multipoint DMVPN is that the spokes can build tunnels to each other and communicate.

Please double check in the lab that it's still possible (and they don't have to go through the hub) to get traffic from spoke A to spoke B.
Ok, I took it upon myself to try and get a phase 2 implementation... I believe I have succeeded, however any input would be appreciated.

From what I can tell, there was an IPsec problem using the same tunnel source in the mGRE tunnel. A command was added in the IOS to allow for this. On the spoke we add:

tunnel protection ipsec profile cisco shared

The shared keyword allows you to use the same tunnel source apparently.

HUB:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 90
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 no ip split-horizon eigrp 90
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface Tunnel1
 bandwidth 1000
 ip address 172.17.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 90
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 600
 no ip split-horizon eigrp 90
 delay 1000
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address 199.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 200.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 90
 network 172.16.1.0 0.0.0.255
 network 172.17.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 199.1.1.2
ip route 0.0.0.0 0.0.0.0 200.1.1.2 5
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
 

SPOKE:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
!
interface Loopback0
 ip address 192.168.244.1 255.255.255.0
 no ip redirects
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast 199.1.1.1
 ip nhrp map 172.16.1.1 199.1.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.1.1
 ip nhrp registration timeout 30
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco shared
!
interface Tunnel1
 bandwidth 1000
 ip address 172.17.1.2 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast 200.1.1.1
 ip nhrp map 172.17.1.1 200.1.1.1
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 172.17.1.1
 delay 1500
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco shared
!
interface FastEthernet0/0
 ip address 201.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
router eigrp 90
 offset-list 1 out 12800 Tunnel1
 network 172.16.1.0 0.0.0.255
 network 172.17.1.0 0.0.0.255
 network 192.168.244.0
 distribute-list 1 out
 no auto-summary
 eigrp stub connected
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 201.1.1.2
!
!
access-list 1 permit 172.168.16.0
access-list 1 permit 172.168.17.0
access-list 1 permit 192.168.244.0
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
 

nosx

join:2004-12-27
kudos:5
I didn't know that command existed, I'm going to have to do some reading today. If it works fine let me know, great work!

nicknomo

join:2004-05-02
East Meadow, NY
I managed to test it with another spoke, and nhrp dynamically connects the spokes now... That is a pretty cool feature...

Thanks for the encouragement and help!