I am deploying DMVPN. The main complexity is that some spokes are behind NAT and those can't transfer traffic directly to each other, so they are required to transfer it through the hub. However, it doesn't work as expected. The traffic is still being sent directly to the other spoke.
The topology is one cloud, dual hub. In the test lab (GNS3) I have four spokes: two of them have 'direct' access to spoke (no address translation) and two others are behind another router which does NAT; each spoke has its own (so no two spokes behind a single NAT).
Dynamic routing is done with EIGRP, because Cisco explicitly recommends it in later DMVPN-related documents, and says OSPF doesn't get excessive testing. However, I am not sure and could use OSPF if it can perform better.
(some hosts are shown as down in the picture, this picture is made after I made all described tests and analysis)
Relevant configs are:
hub1:
hub2:
spoke1 (direct internet):
spoke2 is similar to 1, only addresses differ. lo0 has 10.100.200.9/30
spoke3 (behind NAT):
spoke3-gw (the one which does NAT for spoke3):
spoke4 and spoke4-gw pair is similar, lo0 has 10.100.200.17/30. 'grey' addresses are same 192.168.1.0/24. Cisco explicitly states this is valid case and should work.
internet has all those 172.31.{0,1,2,3,4}.1 addresses and just plain forwards packets between .2-s and .0.3; service is just a system which has 10.100.200.241 address and defaults to 10.100.200.252 (HSRP-managed).
There is no IPSEC configured. I am trying to do things gradually, it is overwhelming to try to do everything right from the first shot.
I've done tests with commands like 'ping 10.100.200.13 source 10.100.200.17' (from spoke3 to spoke4) and so on.
This 'seems' to work. I.e. the said ping works. But capturing packets on link 'internet.e1/3 - spoke4-gw.e0/0' showed that we still have direct packets from spoke3-gw to spoke4-gw and vice versa. 'show ip nhrp' on spoke3 and spoke4 shows exactly this (resolved to other's -gw 'white' address). Inspecting NAT 'show ip nat translations' on -gw's showed that yes, there is translation of GRE from spoke3 to spoke4-gw on spoke3-gw (and similar on spoke4-gw). This is the way why said ping works. I am just lucky in this lab to have Cisco doing NAT, which is doing it right.
In the wild world NAT boxes will be anything. I can't require use of some concrete equipment (it is illegal to do so). I only can require it to do NAT of GRE to hubs and back correctly (which is minimum to run DMVPN).
If I block direct traffic between spoke3-gw and spoke4-gw (on internet system, by installing access-rules denying from 172.31.4.2 to 172.31.3.2 and other way around), I expect the system will see that and forward everything between spoke3 and spoke4 via hub. However, it doesn't work.
sh ip nhrp on spoke3 this time shows it is unable to resolve 10.100.200.17:
Why doesn't it direct packets via hub in this case? This way is still open.
Nikita Kipriyanov
1 Answer
Spoke-to-Spoke DMVPN is considered DMVPN Phase II. Spoke-to-Hub design is considered DMVPN Phase I.
I suggest making the following changes to change your behavior to DMVPN Phase I.
Hub1
Hub2
Spoke1
Spoke2
Spoke3
More details on the configuration as well as validating behavior can be found here.
TDurden
Posted 1 year ago
Hello again,
This will be a bit long, because I don't know how exactly to ask this question concisely. Please bear with me.
I'm experimenting with OSPF network types using a simple Frame Relay topology. See below:
In this topology, I have successfully created OSPF neighborships between Hub-S1 and Hub-S2 using the OSPF point-to-multipoint network type. I also know how to handle simple point-to-point neighborships.
My confusion starts here: I want to create a Frame Relay topology in which OSPF uses NBMA logic. In other words, I want this NBMA topology to emulate a broadcast network insofar as OSPF neighborships and DR/BDR elections are concerned. This means each router should exist on the same subnet.
It is my understanding that there are two ways to do this:
- Set the OSPF network type to 'broadcast' on each router's OSPF interface.
- Statically configure each neighbor's IP address in OSPF router configuration mode.
The problem is that I do not know how to configure my PVCs for this kind of OSPF network!
For a point-to-point connection, I would create a subinterface both on the Hub and one of the spokes, and I would assign both of them an IP address in some /30 subnet. The hub and spoke would become neighbors. The OSPF network type would be point-to-point. No DR/BDR election occurs.
For a point-to-multipoint connection, I would create a multipoint subinterface on the Hub with multiple DLCIs and one IP address. On each Spoke, I would configure a point-to-point interface and an IP address in the same subnet as all other routers. The OSPF type would be point-to-multipoint on each router, and no DR/BDR election occurs.
But what about NBMA? I have no clue how to configure my interfaces for this. Any idea that I have ends up being a non-working variation of one of the above.
I'm having quite a bit of trouble wrapping my head around this, and I have been unable to find any clear answers in Cisco docs.
Thanks a lot for your time!
6 comments
Dear Analy,
Thank you for your reply I'm using Build 9926.
The Maps App is installed though only shows a world map normally shows my locality. I cannot see any option for downloaded maps. If I go via Settings/System/ Maps I get this Sorry how can I send a snip of the page, I did a Save As a picture instead. Now you can see my problem I did remove my Cat5 connection to see if it needed to be offline though that has no improvement. I have downloaded Andorra, Australia, Austria, UK and Uganda. However when I click on a map to view it only offers me to delete it or at the bottom to delete all downloaded maps.
Perhaps I'm totally wrong how should you view these maps?
Another odd problem with the photo App I can see some pictures though not those from the One Drive or from pictures in My Picture folder then without warning it will keep Minimising itself. Weird.
Otherwise is really the bees knees for me. I look forward to a full release.
One other question will Windows 10 be released using 32 bit version too?
Yours sincerely,
Roger
Posted 4 years ago
Update
I did everything from the beginning. What is the problem? I can't get it.
configurations
R3#sh run int tunnel 0
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication asdfasdf
ip nhrp map multicast dynamic
ip nhrp map 172.16.0.1 192.168.1.100
ip nhrp map multicast 192.168.1.100
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
tunnel source Serial3/2
tunnel mode gre multipoint
tunnel key 123123
R2#sh run int tunnel 0
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication asdfasdf
ip nhrp map multicast dynamic
ip nhrp map 172.16.0.1 192.168.1.100
ip nhrp map multicast 192.168.1.100
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
tunnel source Serial3/1
tunnel mode gre multipoint
tunnel key 123123
HUB#sh run int tunnel 0
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication asdfasdf
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source 192.168.1.100
tunnel mode gre multipoint
tunnel key 123123
debug
R2#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:02:40, never expire
Type: static, Flags: used
NBMA address: 192.168.1.100
R2#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/75/80 ms
R2#ping 172.16.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.3, timeout is 2 seconds:
!..
Success rate is 20 percent (1/5), round-trip min/avg/max = 136/136/136 ms
R2#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:03:39, never expire
Type: static, Flags: used
NBMA address: 192.168.1.100
172.16.0.3/32 via 172.16.0.3
Tunnel0 created 00:00:33, expire 00:02:31
Type: dynamic, Flags: used temporary
NBMA address: 192.168.1.100
R2#ping 172.16.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.3, timeout is 2 seconds:
...
Success rate is 0 percent (0/5)
R2#show dmvpn
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
R2#
R3 OUTPUT
R3#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:09:19, never expire
Type: static, Flags: used
NBMA address: 192.168.1.100
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:08:37, expire 01:52:20
Type: dynamic, Flags: router implicit used
NBMA address: 192.168.2.2
172.16.0.3/32 via 172.16.0.3
Tunnel0 created 00:08:37, expire 01:52:20
Type: dynamic, Flags: router unique local
NBMA address: 192.168.3.3
R3#sh dmvpn
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
HUB output
HUB#sh dmvpn
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
HUB#sh ip nhrp
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:12:24, expire 01:47:36
Type: dynamic, Flags: unique registered
NBMA address: 192.168.2.2
172.16.0.3/32 via 172.16.0.3
Tunnel0 created 00:10:47, expire 01:49:12
Type: dynamic, Flags: unique registered
NBMA address: 192.168.3.3
Is this the GNS?? How do I resolve that? Where to start checking I can't tell. This is the first time I am doing labs on this program, so this is kinda new for me.
5 comments
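An added example, not part of the original post: a small parser for the `show ip nhrp` output format shown above that compares a spoke's NHRP cache with the hub's registrations and lists every tunnel address whose NBMA mapping differs. The function names `parse_nhrp` and `mismatches` are hypothetical, and the sample text is constructed from the R2 and HUB outputs in the post.

```python
import re

# Constructed sample input: the second R2 cache and the HUB cache from the post above.
R2_CACHE = """\
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:03:39, never expire
Type: static, Flags: used
NBMA address: 192.168.1.100
172.16.0.3/32 via 172.16.0.3
Tunnel0 created 00:00:33, expire 00:02:31
Type: dynamic, Flags: used temporary
NBMA address: 192.168.1.100
"""
HUB_CACHE = """\
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:12:24, expire 01:47:36
Type: dynamic, Flags: unique registered
NBMA address: 192.168.2.2
172.16.0.3/32 via 172.16.0.3
Tunnel0 created 00:10:47, expire 01:49:12
Type: dynamic, Flags: unique registered
NBMA address: 192.168.3.3
"""

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via ")

def parse_nhrp(text):
    """Return {tunnel_ip: {"type", "flags", "nbma"}} from 'show ip nhrp' text."""
    entries, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # real IOS output indents the detail lines
        m = ENTRY.match(line)
        if m:
            cur = entries.setdefault(m.group(1), {"type": None, "flags": [], "nbma": None})
        elif cur is not None and line.startswith("Type:"):
            typ, _, flags = line.partition(", Flags:")
            cur["type"] = typ.split(":", 1)[1].strip()
            cur["flags"] = flags.split()
        elif cur is not None and line.startswith("NBMA address:"):
            cur["nbma"] = line.split(":", 1)[1].strip()
    return entries

def mismatches(spoke_text, hub_text):
    """List (tunnel_ip, spoke_nbma, hub_nbma) where the spoke disagrees with the hub."""
    spoke, hub = parse_nhrp(spoke_text), parse_nhrp(hub_text)
    return [(ip, e["nbma"], hub[ip]["nbma"]) for ip, e in sorted(spoke.items())
            if ip in hub and "registered" in hub[ip]["flags"]
            and hub[ip]["nbma"] != e["nbma"]]
```

On the outputs above it reports that R2 maps 172.16.0.3 to 192.168.1.100 while the hub has 192.168.3.3 registered for that address.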
Hi Experts,
Wonder if someone could help me?
I need to setup a Cisco to Cisco VPN on 2x Cisco 2921 Routers, both running 15.1 IOS. Problem I have is I don't have a Static IP, both ends are Dynamic.
Is this possible with DMVPN/IPSEC?
The Problem I have setting it up is:-
interface Tunnel0
ip nhrp map 10.1.1.1 90.26.32.11 - I can only seem to choose an IP Address and not a hostname?
I really need to do something like:
interface Tunnel0
ip nhrp map 10.1.1.1 90.26.32.11 vpn.domain.com
I have read a few things now but some people are saying it is possible, some are saying it is not. I can't seem to find any example for Dynamic at both ends though.
Many Thanks for any Help in Advance
TME