New Member

dmvpn, nhrp, tunnel protection, vrf

Hello!

Please see the configuration below.

Everything is working w/o tunnel protection. NHRP registrations are completed, VRF EIGRP is working.

If I set the tunnel protection, the NHRP client registration turns into incomplete and VRF EIGRP does not work either (because of lack of multicast).

I've checked many configs on CCO but everything was in vain.

Thanks

!HUB
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key conet address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
interface Loopback0
 ip address 172.0.1.1 255.255.255.255
!
interface Tunnel0
 bandwidth 1000
 ip vrf forwarding security
 ip address 10.255.255.254 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication conet
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile SDM_Profile1

-------------

! SPOKE
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key conet address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
interface Loopback0
 description teszt if
 ip vrf forwarding security
 ip address 172.2.1.1 255.255.255.255
!
interface Tunnel0
 bandwidth 1000
 ip vrf forwarding security
 ip address 10.255.255.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication conet
 ip nhrp map 10.255.255.254 255.255.255.0 209.209.209.209
 ip nhrp map multicast 209.209.209.209
 ip nhrp network-id 2
 ip nhrp holdtime 360
 ip nhrp nhs 10.255.255.254
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial0/0/0
 tunnel destination 172.0.1.1
 tunnel key 1000
 tunnel protection ipsec profile SDM_Profile1
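
Added example (not part of the original post, and not Cisco tooling): a short Python check that the settings hub and spoke are expected to share once tunnel protection is enabled (IKE policy, pre-shared key, transform set, NHRP authentication, tunnel key, NHS address) actually agree. The sample configs are the relevant lines of the ones posted above, re-indented; the function names and the choice of settings are assumptions of this example.

```python
import re

# Settings this check expects to be identical on hub and spoke (assumption).
MUST_MATCH = {
    "isakmp encryption": r"^\s+encr (\S+)",
    "isakmp authentication": r"^\s+authentication (\S+)",
    "isakmp DH group": r"^\s+group (\d+)",
    "pre-shared key": r"^crypto isakmp key (\S+) address",
    "transform-set": r"^crypto ipsec transform-set \S+ (.+)$",
    "ipsec mode": r"^\s+mode (transport|tunnel)",
    "nhrp authentication": r"^\s+ip nhrp authentication (\S+)",
    "tunnel key": r"^\s+tunnel key (\d+)",
}

# Constructed sample: relevant hub lines from the post, indented as IOS prints them.
HUB = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key conet address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
interface Tunnel0
 ip address 10.255.255.254 255.255.255.0
 ip nhrp authentication conet
 tunnel key 1000
"""
# In the lines read here, the posted spoke differs only in tunnel address and NHS.
SPOKE = (HUB.replace("10.255.255.254 255", "10.255.255.2 255")
         + " ip nhrp nhs 10.255.255.254\n")

def first(pattern, config):
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1).strip() if m else None

def compare(hub, spoke):
    """Return (setting, hub value, spoke value) for every disagreement."""
    diffs = [(name, first(p, hub), first(p, spoke))
             for name, p in MUST_MATCH.items() if first(p, hub) != first(p, spoke)]
    # The spoke's NHS must be the hub's tunnel interface address.
    hub_ip = first(r"^interface Tunnel0\n(?:[ \t]+.*\n)*?[ \t]+ip address (\S+)", hub)
    nhs = first(r"^\s+ip nhrp nhs (\S+)", spoke)
    if hub_ip != nhs:
        diffs.append(("nhrp nhs vs hub tunnel address", hub_ip, nhs))
    return diffs

if __name__ == "__main__":
    for name, h, s in compare(HUB, SPOKE):
        print(f"MISMATCH {name}: hub={h} spoke={s}")
```

On the posted configs `compare` returns an empty list, so none of these shared settings differ between the two routers.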

6 REPLIES
Hall of Fame Super Silver

Re: dmvpn, nhrp, tunnel protection, vrf

Hello Karoly,

What you see can be caused by the IOS image on the hub.

What platform and what IOS release do you use as hub? And for the spoke?

You can use Feature Navigator to verify whether you have VRF-aware NHRP support in your release,

see

www.cisco.com/go/fn

Hope to help

Giuseppe

New Member

Re: dmvpn, nhrp, tunnel protection, vrf

Hi,

It may be a good question, but unfortunately I did not find VRF-aware NHRP in the feature guide.

And I have a problem after I set the tunnel protection. Without tunnel protection the NHRP (with VRF) is working well.

By the way the IOS version is

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1).

Regards,

Hall of Fame Super Silver

Re: dmvpn, nhrp, tunnel protection, vrf

Hello Karoly,

I've had a look at some examples.

see

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_DMVPN_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1065345

What happens if you don't use the VRF on the spoke ?

Hope to help

Giuseppe

New Member

Re: dmvpn, nhrp, tunnel protection, vrf

Hi,

Thanks for your comments.

It was the CSCsc13355 bug.

After the downgrade all features work well.

Regards

New Member

Re: dmvpn, nhrp, tunnel protection, vrf

Exact bug number is

CSCsx13355

Hall of Fame Super Silver

Re: dmvpn, nhrp, tunnel protection, vrf

Hello Karoly,

Thanks for having reported the solution to your issue; this makes the thread helpful for others who may have the same problem.

Best Regards

Giuseppe
