Change tunnel IP address DMVPN

Unanswered Question
Nov 12th, 2009
User Badges:

I need to change the tunnel IP address for all of our remote sites that connect via DMVPN. I'm trying to figure the best way to accomplish this while causing the lease impact on users. My theory is that I could create new tunnel interfaces using the new IP address for the tunnel, then simply remove the old tunnel interface. I'm not sure if I can have two tunnels that have the same IP address in the 'ip nhrp map' and 'ip nhrp multicast' lines on the configuration. For example, here is a current spoke's configuration:

interface Tunnel0

description ### DMVPN ###

bandwidth 1152

ip address 10.9.200.201 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication AUTH-METH1

ip nhrp map 10.9.200.1 PUB.LIC.IP.132

ip nhrp map multicast PUB.LIC.IP.132

ip nhrp map 10.9.200.2 PUB.LIC.IP.25

ip nhrp map multicast PUB.LIC.IP.25

ip nhrp network-id 1

ip nhrp nhs 10.9.200.1

ip nhrp nhs 10.9.200.2

ip nhrp server-only

ip tcp adjust-mss 1300

tunnel source FastEthernet0/1

tunnel mode gre multipoint

tunnel protection ipsec profile DMVPN

!

I would like to keep the above configuration and add the following tunnel:

interface Tunnel1

description ### DMVPN ###

bandwidth 1152

ip address 10.100.100.201 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication AUTH-METH1

ip nhrp map 10.100.100.1 PUB.LIC.IP.132

ip nhrp map multicast PUB.LIC.IP.132

ip nhrp map 10.100.100.2 PUB.LIC.IP.25

ip nhrp map multicast PUB.LIC.IP.25

ip nhrp network-id 1

ip nhrp nhs 10.100.100.1

ip nhrp nhs 10.100.100.2

ip nhrp server-only

ip tcp adjust-mss 1300

tunnel source FastEthernet0/1

tunnel mode gre multipoint

tunnel protection ipsec profile DMVPN

!

Does anybody know if that is possible or will that cause issues with the existing tunnels? Any assistance would be greatly appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
trfinkenstadt Thu, 11/12/2009 - 11:36
User Badges:

you would need to add the keyword shared to your tunnel protection line for this to work:

tunnel protection ipsec profile DMVPN shared


Since you have two devices you might consider migrating one to your new IP address then the other to make this doable.


--tim

mpozorski Thu, 11/12/2009 - 12:08
User Badges:

Thanks Tim, I appreciate it. Could you elaborate on what you mean to migrate one then the other? I don't see how I can migrate them without taking the tunnel down.

Actions

This Discussion