dmvpn, nhrp, tunnel protection, vrf

KAROLY KOHEGYI
Level 2

Hello!

Please see the configuration below.

Everything is working w/o tunnel protection. NHRP registrations are completed, VRF EIGRP is working.

If I set the tunnel protection, the NHRP client registration turns incomplete and VRF EIGRP does not work either (because of the lack of multicast).

I've checked many configs on CCO but everything was in vain.

Thanks

!HUB
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key conet address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
interface Loopback0
 ip address 172.0.1.1 255.255.255.255
!
interface Tunnel0
 bandwidth 1000
 ip vrf forwarding security
 ip address 10.255.255.254 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication conet
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile SDM_Profile1

-------------

! SPOKE
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key conet address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
interface Loopback0
 description teszt if
 ip vrf forwarding security
 ip address 172.2.1.1 255.255.255.255
!
interface Tunnel0
 bandwidth 1000
 ip vrf forwarding security
 ip address 10.255.255.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication conet
 ip nhrp map 10.255.255.254 255.255.255.0 209.209.209.209
 ip nhrp map multicast 209.209.209.209
 ip nhrp network-id 2
 ip nhrp holdtime 360
 ip nhrp nhs 10.255.255.254
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial0/0/0
 tunnel destination 172.0.1.1
 tunnel key 1000
 tunnel protection ipsec profile SDM_Profile1


Giuseppe Larosa
Hall of Fame

Hello Karoly,

What you see can be caused by the IOS image on the hub.

What platform and what IOS release do you use as hub? And for the spoke?

You can use Feature Navigator to verify whether you have VRF-aware NHRP support in your release.

See

www.cisco.com/go/fn

Hope to help

Giuseppe

Hi,

It may be a good question, but unfortunately I did not find VRF-aware NHRP in the feature guide.

And I have the problem after I set the tunnel protection. Without tunnel protection, NHRP (with VRF) is working well.

By the way the IOS version is

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1).

Regards,

Hello Karoly,

I've had a look at some examples.

See

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_DMVPN_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1065345

What happens if you don't use the VRF on the spoke?

Hope to help

Giuseppe

Hi,

Thanks for your comments.

It was the CSCsc13355 bug.

After the downgrade all features work well.

Regards

Exact bug number is

CSCsx13355

Hello Karoly,

Thanks for having reported the solution to your issue; this makes the thread helpful for others who can have the same problem.

Best Regards

Giuseppe
