Multicast over DMVPN, IPSEC, GRE

ai.solutions
Level 1

OK, I'm labbing this up at the moment in preparation for a new project. The basic layout is:

snip.PNG

Firstly, when I just set up a routed connection between Router 1 & 2, everything worked fine:

Switch1 - Vlan1: ip igmp snooping

Router1 - internal interface: ip pim sparse-dense-mode

Router1 - external interface: ip pim sparse-dense-mode

Router2 - external interface: ip pim sparse-dense-mode

Router2 - internal interface: ip pim sparse-dense-mode

Switch2 - Vlan1: ip igmp snooping

Using PRTG, I see that the bitrate all the way through is consistently ~150kb/s (my video streaming bitrate).

Then I tested with a DMVPN configured between Router 1 & 2; once again, everything worked fine.

The only changes were that I removed ip pim sparse-dense-mode from the external router interfaces and put it on the tunnel interfaces.

When I use PRTG to observe the traffic, it was ~150kb/s all the way up to Router1 internal interface, then both of the DMVPN interfaces and Router2 internal interface showed ~300kb/s. The switch ports for client 1 & 2 only showed ~150kb/s.

So... what am I missing here? Why is the bandwidth double across the GRE IPSEC connection?


Peter Paluch
Cisco Employee

Hi,

This is interesting. Can you please post the entire configuration from both your routers? Also, if you have the option of increasing or decreasing the multicast data stream rate, is the amount of data carried by the DMVPN always roughly twice the rate of the original stream?

Best regards,

Peter

jamiegrive
Level 1

By any chance, is the multicast source the DMVPN spoke? Maybe it is being replicated back to the source (e.g. with DMVPN to allow spoke-to-spoke comms) with some strange multicast config.


aaron.j.wallace
Level 1

I believe this is because the DMVPN host has to encrypt each packet as if it is an individual stream, due to the way IPSec is processed for each destination. I do not think the DMVPN host can encrypt/encapsulate a single packet and then send it to 2 different destinations. Correct me if I am wrong, but I believe an IPSec-encrypted packet's original source and destination IP headers are encapsulated with the rest of the data and a new source and destination header is applied, and these new source and destination headers are for the individual destination router's IP instead of just being a multicast destination IP.

Hope this helps.

The WAN destination is the same... it's the internal IP address behind the other router that the traffic is destined for multiple machines.

I'll grab the configs from the routers shortly.

Hub config:

http://pastebin.com/tk2p4PRn

Spoke Config:

http://pastebin.com/834pTVVQ

Any words of wisdom appreciated.

I just found this post and I might be late anyway. DMVPN is an NBMA network, therefore you need on all tunnel interfaces:

ip pim nbma-mode

Regards

Andrea
