
DMVPN with OSPF and RIP

Hi,

I am configuring DMVPN with OSPF at my head office and RIP at the spoke router.

I am able to reach the head office network from the spoke routers, but from the hub I am not able to reach the spoke routers even though the tunnel is up.

Here is the config (dmvpn.jpg):

HUB Router

-----------------------------------------------------------------------------------------------------------------------------------------------------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key asicovpn address 0.0.0.0 0.0.0.0
!
!
interface Tunnel0
 ip address 172.20.20.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication asicovpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast 172.20.20.1
 ip nhrp network-id 254
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 199
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 78.93.37.134 255.255.255.240
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.12.124 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 10
 redistribute rip metric 22222 subnets
 network 192.168.12.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute ospf 10 metric 1
 network 172.20.0.0
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 78.93.37.129
!

-----------------------------------------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------------------------------------

Spoke Router

------------------------------------------------------------------------------------------------------------------------------------------------------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key asicovpn address 78.93.37.134
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 172.20.20.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication asicovpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast 78.93.37.134
 ip nhrp map 172.20.20.1 78.93.37.134
 ip nhrp network-id 254
 ip nhrp nhs 172.20.20.1
 tunnel source FastEthernet4
 tunnel destination 78.93.37.134
 tunnel key 199
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.75.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
router rip
 version 2
 network 172.20.0.0
 network 192.168.75.0
 no auto-summary
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2000 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 78.93.37.134 255.255.255.255 192.168.1.1
!
access-list 2000 deny   ip any 192.168.12.0 0.0.0.255
access-list 2000 deny   ip any 192.168.13.0 0.0.0.255
access-list 2000 deny   ip any 192.168.118.0 0.0.0.255
access-list 2000 deny   ip any 192.168.114.0 0.0.0.255
access-list 2000 deny   ip any 192.168.115.0 0.0.0.255
access-list 2000 deny   ip any 192.168.116.0 0.0.0.255
access-list 2000 deny   ip any 192.168.117.0 0.0.0.255
access-list 2000 deny   ip any 192.168.21.0 0.0.0.255
access-list 2000 deny   ip any 192.168.33.0 0.0.0.255
access-list 2000 deny   ip any 192.168.41.0 0.0.0.255
access-list 2000 permit ip any any

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The NAT on the spoke router is to prevent internet traffic from going over the tunnel.

For that I have to remove the default route, but in this case, when I remove the default route, all traffic goes to the internet from the local DSL.

Can anyone help me please...


Lei Tian
Cisco Employee

Hi,

What do you have for 'show ip route 192.168.75.0' on the hub? On the spoke, do you want internet to go through the tunnel or the local DSL?

HTH,

Lei Tian

Hi Lei,

Thank you for the reply.

Now everything is working fine, I don't know how, but the route on the hub is like below:

Router#sh ip route 192.168.75.1
Routing entry for 192.168.75.0/29
  Known via "rip", distance 120, metric 1
  Redistributing via ospf 10, rip
  Advertised by ospf 10 metric 22222 subnets
  Last update from 172.20.20.2 on Tunnel0, 00:00:04 ago
  Routing Descriptor Blocks:
  * 172.20.20.2, from 172.20.20.2, 00:00:04 ago, via Tunnel0
      Route metric is 1, traffic share count is 1

Yes, I want the internet traffic to go through DSL only, not over the tunnel.

Once again, I will paste the config which is working.

HUB

-------------------------------------------------------------------------------------------------------------------------------------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key asicovpn address 0.0.0.0 0.0.0.0
!
!
!
!
!
!
interface Tunnel0
 ip address 172.20.20.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication asicovpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast 172.20.20.1
 ip nhrp network-id 254
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 199
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 78.93.37.134 255.255.255.240
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.12.124 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 10
 redistribute rip metric 22222 subnets
 network 192.168.12.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute ospf 10 metric 10
 network 172.20.0.0
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 78.93.37.129
!
!

-----------------------------------------------------------------------------------------------------------------------------------------

SPOKE

------------------------------------------------------------------------------------------------------------------------------------------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key asicovpn address 78.93.37.134
!
!
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 172.20.20.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication asicovpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast 78.93.37.134
 ip nhrp map 172.20.20.1 78.93.37.134
 ip nhrp network-id 254
 ip nhrp nhs 172.20.20.1
 tunnel source FastEthernet4
 tunnel destination 78.93.37.134
 tunnel key 199
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.75.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
router rip
 version 2
 network 172.20.0.0
 network 192.168.75.0
 no auto-summary
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2000 interface FastEthernet4 overload
ip route 78.93.37.134 255.255.255.255 192.168.1.1
!
access-list 2000 deny   ip any 192.168.12.0 0.0.0.255
access-list 2000 deny   ip any 192.168.13.0 0.0.0.255
access-list 2000 deny   ip any 192.168.118.0 0.0.0.255
access-list 2000 deny   ip any 192.168.114.0 0.0.0.255
access-list 2000 deny   ip any 192.168.115.0 0.0.0.255
access-list 2000 deny   ip any 192.168.116.0 0.0.0.255
access-list 2000 deny   ip any 192.168.117.0 0.0.0.255
access-list 2000 deny   ip any 192.168.21.0 0.0.0.255
access-list 2000 deny   ip any 192.168.33.0 0.0.0.255
access-list 2000 deny   ip any 192.168.41.0 0.0.0.255
access-list 2000 permit ip any any

Hi, one more question.

I have too many routes on this router which I don't require.

I am attaching the routing table here.

I need only the 192.168.12.0 to 192.168.45.0 and 10.10.10.0 subnets from the head office network.

How can I prevent all other routes from getting to this router?


Hi,

I filtered the inbound routes and now the routing table looks clean and clear.

Is this the correct way to filter? I don't know whether any routing loops will occur. Please correct me if I am missing anything.

router ospf 10
 distribute-list 10 in
access-list 10 permit 192.168.0.0 0.0.63.255
access-list 10 permit 192.168.112.0 0.0.7.255
access-list 10 permit 10.10.10.0

Hi,

You cannot really filter OSPF routes. Even if you filter the route from the routing table, it will still be in the OSPF database, and will be advertised out to the OSPF neighbor. Instead of filtering the routes, you can consider summarizing the routes, so you only see the summarized routes in the RIB.

HTH,
Lei Tian
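
The behaviour described in the answer above, as an added example that is not part of the thread or of any Cisco tool: a Python model of how standard ACL 10 from the post is evaluated by `distribute-list 10 in`. The prefix list is constructed sample data and the function names are hypothetical; a standard ACL here is matched against each route's network address only, anything unmatched hits the implicit deny, and the OSPF database is returned unchanged.

```python
import ipaddress

# ACL 10 as posted: (network, wildcard). No wildcard given means 0.0.0.0.
ACL_10 = [
    ("192.168.0.0", "0.0.63.255"),
    ("192.168.112.0", "0.0.7.255"),
    ("10.10.10.0", "0.0.0.0"),
]

# Constructed sample of prefixes learned via OSPF (not from the thread).
LSDB_PREFIXES = [
    "192.168.12.0/24", "192.168.45.0/24", "192.168.63.0/24",
    "192.168.64.0/24", "192.168.114.0/24", "192.168.120.0/24",
    "10.10.10.0/24", "10.10.11.0/24", "172.16.5.0/24",
]

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def entry_range(base, wildcard):
    """First and last address an ACL entry covers (contiguous wildcards only)."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    first = _u32(base) & care
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | _u32(wildcard))))

def acl_permits(prefix, acl=ACL_10):
    """Match the route's network address against each entry; implicit deny."""
    net = _u32(str(ipaddress.IPv4Network(prefix).network_address))
    for base, wildcard in acl:
        care = ~_u32(wildcard) & 0xFFFFFFFF
        if net & care == _u32(base) & care:
            return True
    return False

def apply_distribute_list_in(lsdb, acl=ACL_10):
    """Return (routes installed in the RIB, OSPF database after filtering)."""
    rib = [p for p in lsdb if acl_permits(p, acl)]
    return rib, list(lsdb)  # the database is not changed by the filter

if __name__ == "__main__":
    rib, lsdb = apply_distribute_list_in(LSDB_PREFIXES)
    for base, wc in ACL_10:
        print("entry", base, wc, "covers", entry_range(base, wc))
    print("RIB :", rib)
    print("LSDB:", lsdb)
```

The first entry covers 192.168.0.0 through 192.168.63.255, which is wider than the 192.168.12.0 to 192.168.45.0 range asked for in the thread.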
