Cisco DMVPN Sanity Check

Mar 20th, 2008

Greetings, below is the basis for an MPLS-based DMVPN network for one of my customers.


Each private IP address space will consist of 10.171.0.0 /24 networks

GRE Tunnel Interfaces will be in the 172.16.0.0 /30 range


I'll be advertising the networks below from both the hub and spoke sites using EIGRP.


10.171.0.0 0.0.0.255 and 172.16.0.0 0.0.0.255


I've implemented a DMVPN in a lab environment successfully, but I need someone to say either yes, it will work, or suggest alternatives to the arrangement below so that I can sleep at night!


Any comments much appreciated.


Regards



joseph.yuffa Fri, 03/21/2008 - 11:17

Hi,


What is your tunnel int config on spoke and hub routers? I have working config DMVPN GRE with IPSec (no MPLS) which I can compare with.


JY

exonetinf1nity Mon, 03/24/2008 - 17:15

On the Hub Router

crypto isakmp policy 10
 hash sha
 authentication pre-share
 encryption 3des
 group 2
 lifetime 86400
!
crypto isakmp key Pa55w0rd address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set GlobalSet esp-3des
 mode tunnel
!
crypto ipsec profile *********
 set transform-set GlobalSet
 set security-association lifetime seconds 86400
 set security-association lifetime kilobytes 4608000
!
interface Tunnel 0
 description ****** DMVPN GRE Tunnel ******
 ip address 172.16.255.1 255.255.255.252
 bandwidth 1000
 delay 1000
 ip nhrp holdtime 360
 ip nhrp network-id 100000
 ip nhrp authentication ********
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp map multicast dynamic
 tunnel source FastEthernet 0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile **********
 no ip split-horizon eigrp 25
!
router eigrp 25
 network 172.16.255.2 0.0.0.255
 network 10.171.0.0 0.0.0.255
 no auto-summary




On the first Spoke Router

interface Tunnel 10
 description ****** DMVPN GRE Tunnel ******
 ip address 172.16.255.2 255.255.255.252
 bandwidth 1000
 delay 1000
 ip nhrp holdtime 360
 ip nhrp network-id 100000
 ip nhrp authentication ********
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp map 172.16.255.1 ***.**.**.***
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile **********
!
router eigrp 25
 network 172.16.255.2 0.0.0.255
 network 10.171.0.0 0.0.0.255
 no auto-summary


Regards

pjhenriqs Tue, 03/25/2008 - 03:47

Hi,


I see a few differences from what I usually configure for DMVPN.


1. Under interface Tunnel0
- Add "ip nhrp nhs 172.16.255.1"
- Add "ip nhrp map multicast ". I'm guessing you have one.

2. Under the router eigrp 25
- The network statements should be
network 172.16.255.0 0.0.0.3
network 10.171.0.0 0.0.0.255


Hope it helps, also take a look at:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hgreips.html


Regards,

Paulo
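
Added example, not part of the original thread: a small Python check of which interface addresses the posted and the suggested EIGRP network statements select under wildcard matching. The tunnel addresses come from the configs above; the second /30 address, the LAN address and all function names are constructed for illustration.

```python
import ipaddress

def parse_network(stmt):
    """Split 'network <address> <wildcard>' into two 32-bit integers."""
    keyword, addr, wild = stmt.split()
    if keyword != "network":
        raise ValueError(f"not a network statement: {stmt!r}")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def matches(stmt, interface_ip):
    """Wildcard bits set to 1 are 'don't care'; every other bit must be equal."""
    addr, wild = parse_network(stmt)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(interface_ip)) & care) == (addr & care)

def has_stray_host_bits(stmt):
    """True when the address has bits set inside the wildcard (.2 with 0.0.0.255)."""
    addr, wild = parse_network(stmt)
    return (addr & wild) != 0

def matched_range(stmt):
    """First and last address selected by a contiguous wildcard."""
    addr, wild = parse_network(stmt)
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard in {stmt!r}")
    first = addr & ~wild & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | wild))

def selected(stmt, interfaces):
    """Names of the interfaces a statement would enable the routing process on."""
    return sorted(name for name, ip in interfaces.items() if matches(stmt, ip))

# Tunnel addresses are from the thread; the other two interfaces are constructed.
INTERFACES = {
    "hub Tunnel0": "172.16.255.1",
    "spoke Tunnel10": "172.16.255.2",
    "constructed second /30": "172.16.255.6",
    "constructed LAN": "10.171.1.1",
}
POSTED = "network 172.16.255.2 0.0.0.255"
SUGGESTED = "network 172.16.255.0 0.0.0.3"

if __name__ == "__main__":
    for stmt in (POSTED, SUGGESTED, "network 10.171.0.0 0.0.0.255"):
        print(stmt, matched_range(stmt), selected(stmt, INTERFACES),
              "stray host bits" if has_stray_host_bits(stmt) else "")
```

The posted statement selects every address in 172.16.255.0 to 172.16.255.255, so it would also pick up an interface in a different /30 of that range, while the suggested 0.0.0.3 wildcard selects only the tunnel's own /30.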

exonetinf1nity Tue, 03/25/2008 - 06:07

Thank you very much for your reply, I'll update the config accordingly.


Regards
