
DMVPN Assistance

Brian Beisel
Level 1

All,

I am trying to bring a CSR 1000v running at AWS into my existing DMVPN topology.

I thought I'd reach out here as I wait for the electronic delivery of the 100MB license that I ordered from my Cisco partner (so that I can obtain support).

I am not (and do not have) a strong networking resource on staff.  I either hack my way through it or engage my Cisco partner for more advanced needs.

When they built out our DMVPN topology three years ago, they provided me with a simple template to use for when I brought a new location online and into the DMVPN topology.

Attached is the template that they provided and I have made some modifications in an attempt to bring the CSR into the topology.

I've followed the guide and made some adjustments as much as possible.  I've got the elastic IP configured and can hit the router remotely. I am not applying the gig0 or gig1 examples you see in the attached template.

Here are the interfaces on the CSR.  

interface VirtualPortGroup0
 ip unnumbered GigabitEthernet1
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!
interface GigabitEthernet2
 ip address 10.200.2.14 255.255.255.0
 negotiation auto
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
ip http secure-server

I've gotten the tunnels up but they seem to drop every few minutes and I also lose connectivity to the CSR, typically after entering the EIGRP commands.

My core DMVPN routers terminate onto a sub interface on an ASA.

The VPC I am trying to bring into the fold is 10.200.0.0/16 with two private subnets and two public subnets.

10.200.0.0/22 - Private

10.200.4.0/22 - Private

10.200.100.0/24 - Public

10.200.101.0/24 - Public

I know there are some caveats to adjust for accordingly with the CSR at AWS, and as a novice I am having a little trouble wrapping my head around it.

Ideally I would like to be able to route to the public and private subnets in the VPC but would be happy just being able to get to the Private ones.

I have a call scheduled with my Cisco partner for assistance but not until September 2.  I was hoping that maybe someone here would be willing to give me a hand in the meantime.  I am right at that point where something that takes a seasoned route/switch person 10 minutes to do, takes me a couple of hours as I hack my way through it.

Thanks in advance for any assistance.

Regards,

Brian

 

1 Reply

Frank DeNofa
Cisco Employee

Brian,

 

For the most part, configuring your CSR as a DMVPN spoke should be very similar to your other spoke configuration. I can see that you mention the tunnel seems to come up but goes down intermittently, especially after modifying the EIGRP configuration. One thing that I'm noticing in your configuration is that you have both EIGRP next hop self and split horizon disabled. With DMVPN, your spokes should always have next hop self and split horizon enabled while your hub will always have next hop disabled. For next hop self, this may or may not be enabled on the hub depending on the intended operation. I would suggest enabling these features on your CSR to see if that resolves some of the issue. Here's an older DMVPN guide which has some sample configuration and details pertaining to DMVPN and EIGRP working together: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html#dynmulti

 

Secondly, looking at the VPC subnets, we can see that the four subnets you have configured are part of the same 10.200.0.0/16 subnet. It's possible that adding the 10.200.0.0/16 network command (which could summarize both your private and public subnets) to your EIGRP configuration could be causing some strange routing issues, though I would suggest the changes mentioned above before looking into this.

 

Lastly, there are a few documents in the "Documents" section of the "CSR for Amazon" support forums page which have a significant amount of information for configuring DMVPN on an AWS CSR. It might be worth taking a quick look at these as well.

 

HTH,

Frank

 
