Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
857
Views
4
Helpful
4
Replies

Cisco DMVPN Sanity Check

exonetinf1nity
Level 1
Level 1

‎03-20-2008 06:32 PM - last edited on ‎02-21-2020 11:47 PM by Community Manager

Greetings, below is the basis for an MPLS based Dmvpn network for one of my customers.

Each private ip address space will consists of 10.171.0.0 /24 networks

GRE Tunnel Interfaces will be in the 172.16.0.0 /30 range

Ill be advertising the networks below from both the hub and spoke sites using EIGRP.

10.171.0.0 0.0.0.255 and 172.16.0.0 0.0.0.255

Ive implemented a DMVPN in a lab environment successfully but i need someone to say either yes it will work or suggest alternatives to the arrangement below so that i can sleep at night!

Any comments much appreciated.

Regards

Labels:
Preview file
153 KB
0 Helpful
4 Replies 4

joseph.yuffa
Level 1
Level 1

‎03-21-2008 11:17 AM

Hi,

What is you tunnel int config on spoke and hub routers? I have working config DMVPN GRE with IPSec (no MPLS) which I can compare with

JY

0 Helpful

exonetinf1nity
Level 1
Level 1
In response to joseph.yuffa

‎03-24-2008 05:15 PM

On the Hub Router

crypto isakmp policy 10

hash sha

authentication pre-share

encryption 3des

group 2

lifetime 86400

!

crypto isakmp key Pa55w0rd address 0.0.0.0 0.0.0.0

crypto isakmp nat keepalive 20

!

crypto ipsec transform-set GlobalSet esp-3des

mode tunnel

!

crypto ipsec profile *********

set transform-set GlobalSet

set security-association lifetime seconds 86400

set security-association lifetime kilobytes 4608000

!

interface Tunnel 0

description ****** DMVPN GRE Tunnel ******

ip address 172.16.255.1 255.255.255.252

bandwidth 1000

delay 1000

ip nhrp holdtime 360

ip nhrp network-id 100000

ip nhrp authentication ********

ip mtu 1400

ip tcp adjust-mss 1360

ip nhrp map multicast dynamic

tunnel source FastEthernet 0/0

tunnel mode gre multipoint

tunnel key 100000

tunnel protection ipsec profile **********

no ip split-horizon eigrp 25

!

router eigrp 25

network 172.16.255.2 0.0.0.255

network 10.171.0.0 0.0.0.255

no auto-summary

On the first Spoke Router

interface Tunnel 10

description ****** DMVPN GRE Tunnel ******

ip address 172.16.255.2 255.255.255.252

bandwidth 1000

delay 1000

ip nhrp holdtime 360

ip nhrp network-id 100000

ip nhrp authentication ********

ip mtu 1400

ip tcp adjust-mss 1360

ip nhrp map 172.16.255.1 ***.**.**.***

tunnel source Dialer0

tunnel mode gre multipoint

tunnel key 100000

tunnel protection ipsec profile **********

!

router eigrp 25

network 172.16.255.2 0.0.0.255

network 10.171.0.0 0.0.0.255

no auto-summary

Regards

0 Helpful

pjhenriqs
Level 1
Level 1
In response to exonetinf1nity

‎03-25-2008 03:47 AM

Hi,

I see a few differences from what I usually configure for DMVPN.

1. Under interface Tunnel0

- Add "ip nhrp nhs 172.16.255.1

- Add "ip nhrp map multicast ". I'm guessing you have one.

2. Under the router eigrp 25

- The network statements should be

network 172.16.255.0 0.0.0.3

network 10.171.0.0 0.0.0.255

Hope it helps, also take a look at:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hgreips.html

Regards,

Paulo

exonetinf1nity
Level 1
Level 1
In response to pjhenriqs

‎03-25-2008 06:07 AM

Thank you very much for your reply, ill update the config accordingly.

Regards

0 Helpful
Customers Also Viewed These Support Documents