DMVPN: Bonding Two DSL to Provide LoadSharing with VRF

Unanswered Question
Dec 1st, 2008
User Badges:
  • Silver, 250 points or more



The 1841 has two HWIC-1ADSL installed into each HWIC slot. 1841 running 12.22T advEnt. Config looks like this:

interface Tunnel100

description DMVPN 1

ip vrf forwarding monsters

ip address x.x.x.x

no ip redirects

ip mtu 1400

ip nhrp authentication PRIMARY

ip nhrp map x.x.x.x

ip nhrp map multicast x.x.x.x

ip nhrp network-id 100

ip nhrp holdtime 300

ip nhrp nhs

ip ospf network point-to-multipoint

ip ospf cost 1000

keepalive 2 3

tunnel source Dialer0

tunnel mode gre multipoint

tunnel key 123

tunnel path-mtu-discovery

tunnel protection ipsec profile DMVPN-PROFILE shared

interface Dialer0

ip vrf forwarding monsters

ip address negotiated

ip access-group 101 in

ip mtu 1492

ip inspect CBAC out

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname [email protected]

ppp chap password 7 xxxxxxxxxxxxxx


In order to get LB working I need to use vrf on dialer interfaces. This is where the problem begins. When I remove vrf forwarding from the dialer0 interface IPSEC is fine, but not with vrf. Of course doesn't make sense trying two dsl lines when single vrf is not playing ball.

Adding tunnel vrf monsters under tunnel config is of no use. I have 50sites all without this and they're all good.

Any help would be appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
AJAZ NAWAZ Mon, 12/01/2008 - 09:51
User Badges:
  • Silver, 250 points or more

Hi Giuseppe

As stated above we have 12.4(22)T, apologies for not making that clear. In terms of SRND and various DMVPN design guides, we have utilized these to the max and have an extended live DMVPN dual-hub dual-cloud network.

The problem is IPSEC when both tunnel intf and dialer are in the same vrf.



Giuseppe Larosa Mon, 12/01/2008 - 10:17
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Ajaz,

>> The problem is IPSEC when both tunnel intf and dialer are in the same vrf

if you look at VRF and IPSec solutions with point-to-point GRE configuration examples you can see that the ip vrf forwarding command is usually present under the tunnel GRE config only.

I've seen some example where someone uses MLPPP to bundle two ADSLs this could be an alternate way to use both links:

if you configure both ADSL links pointing to the same dialer you should achieve this

Hope to help



This Discussion