Cisco Support Community

DMVPN Hub and Spoke behind NAT device

Hi All,

I have seen many documents about a DMVPN hub behind NAT or a DMVPN spoke behind NAT.

But my case involves both situations.

1) The HUB has a load balancer (2 WAN links): ISP A & B

2) The Spoke has a load balancer (2 WAN links): ISP A & B

Now the requirement is that Spoke ISP A tunnels to HUB ISP A, and Spoke ISP B tunnels to HUB ISP B.

So there is a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.

As far as I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach the HUB ISP A IP via the Spoke ISP A link, and the HUB ISP B IP via the Spoke ISP B link.

HUB and Spoke have to create 2 tunnels with two different network IDs but using the same source interface.

The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB and forwarded to the HUB router by static NAT.

Will I face any problems with this setup? Any guidance?

Sample config at HUB.

interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface Tunnel1
 bandwidth 1000
 ip address 172.17.1.1 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 600
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco

Spoke Config

interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map 172.16.1.1 199.1.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.1.1
 delay 1000
 tunnel source FastEthernet0/0
 tunnel destination 199.1.1.1
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface Tunnel1
 bandwidth 1000
 ip address 172.17.1.2 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map 172.17.1.1 200.1.1.1
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 172.17.1.1
 delay 1500
 tunnel source FastEthernet0/0
 tunnel destination 200.1.1.1
 tunnel key 1
 tunnel protection ipsec profile cisco

Regards, Nagis
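
An added example, not part of the original post and not Cisco's code: a Python check over the hub tunnel lines above that verifies tunnels on one source interface have distinct tunnel keys and NHRP network IDs, and flags an IPsec profile reused across them without the IOS `shared` keyword on `tunnel protection`. The function names and the trimmed `HUB_CONFIG` sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the check-relevant lines of the hub config posted above.
HUB_CONFIG = """\
interface Tunnel0
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel key 0
 tunnel protection ipsec profile cisco
interface Tunnel1
 ip nhrp network-id 2
 tunnel source FastEthernet0/0
 tunnel key 1
 tunnel protection ipsec profile cisco
"""
KEY, NETID, PROFILE = "tunnel key", "ip nhrp network-id", "tunnel protection ipsec profile"
CMD = re.compile(rf"(tunnel source|{KEY}|{NETID}|{PROFILE}) (.+)$")

def parse_tunnels(config):
    """Map each Tunnel interface to {command: [arguments]} (hypothetical helper)."""
    tunnels, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = tunnels.setdefault(name, {}) if name.startswith("Tunnel") else None
        elif current is not None and (m := CMD.match(line)):
            current[m.group(1)] = m.group(2).split()
    return tunnels

def audit(config):
    """Return findings for tunnels that share one tunnel source interface."""
    by_source, findings = defaultdict(list), []
    for name, t in parse_tunnels(config).items():
        by_source[t.get("tunnel source", [None])[0]].append((name, t))
    for source, group in by_source.items():
        if source is None or len(group) < 2:
            continue  # nothing to demultiplex on this interface
        for cmd in (KEY, NETID):
            values = [t.get(cmd, [None])[0] for _, t in group]
            if None in values or len(set(values)) < len(values):
                findings.append(f"{source}: '{cmd}' missing or duplicated")
        profiles = [t.get(PROFILE, [None])[0] for _, t in group]
        for (name, t), prof in zip(group, profiles):
            if prof and profiles.count(prof) > 1 and "shared" not in t[PROFILE][1:]:
                findings.append(f"{name}: profile '{prof}' reused without 'shared'")
    return findings
```

Calling `audit(HUB_CONFIG)` on the posted hub lines reports both tunnels for reusing profile `cisco` without `shared`; the keys and network IDs pass.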