12-01-2008 09:14 AM - edited 03-04-2019 12:33 AM
Topology:
1841===DMVPN_Cloud===3825(hub)
The 1841 has two HWIC-1ADSL installed into each HWIC slot. 1841 running 12.22T advEnt. Config looks like this:
interface Tunnel100
 description DMVPN 1
 ip vrf forwarding monsters
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication PRIMARY
 ip nhrp map 10.19.220.1 x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 10.19.220.1
 ip ospf network point-to-multipoint
 ip ospf cost 1000
 keepalive 2 3
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN-PROFILE shared
interface Dialer0
 ip vrf forwarding monsters
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip inspect CBAC out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname x@x.openandclear.com
 ppp chap password 7 xxxxxxxxxxxxxx
-------------
In order to get LB working I need to use vrf on the dialer interfaces. This is where the problem begins. When I remove vrf forwarding from the dialer0 interface, IPSEC is fine, but not with vrf. Of course it doesn't make sense trying two DSL lines when a single vrf is not playing ball.
Adding tunnel vrf monsters under the tunnel config is of no use. I have 50 sites all without this and they're all good.
Any help would be appreciated.
Ajaz
12-01-2008 09:43 AM
Hello Ajaz,
A good reference for DMVPN is in the SRND page:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html
If you are really using a 12.2T release, I would consider an IOS upgrade on the C1841 to 12.4(20)T or later.
Hope to help
Giuseppe
12-01-2008 09:51 AM
Hi Giuseppe
As stated above we have 12.4(22)T, apologies for not making that clear. In terms of SRND and various DMVPN design guides, we have utilized these to the max and have an extended live DMVPN dual-hub dual-cloud network.
The problem is IPSEC when both tunnel intf and dialer are in the same vrf.
thanks
Ajaz
12-01-2008 10:17 AM
Hello Ajaz,
>> The problem is IPSEC when both tunnel intf and dialer are in the same vrf
If you look at VRF and IPSec solutions with point-to-point GRE configuration examples, you can see that the ip vrf forwarding command is usually present under the tunnel GRE config only.
I've seen some examples where someone uses MLPPP to bundle two ADSLs; this could be an alternate way to use both links:
if you configure both ADSL links pointing to the same dialer, you should achieve this.
Hope to help
Giuseppe