cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2271
Views
5
Helpful
12
Replies

DMVPN over IPVPN/MPLS

Ahmed Shaheen
Level 1
Level 1

Hi,

i am a CCNA and 2 year experience in networks, i am preparing for CCNP cert.

I am quite frustrated for the past couple of months, i am not able to reach for a solution on my problem and i wish i could get any help from here.

ok, here we go.

we are 20+ branches with single DMVPN HUB, running WAN over IPVPN, however with our ISP it has been decided to run it over OSPF 1 process.

this is the only routing protocol running on my HUB and spoke routers,

router ospf 1

network 10.200.1.x 0.0.0.252 <-- WAN interface "fa0/1"

network 1.1.1.x 0.0.0.0 <-- Tunnel interface "tun1"

network 10.1.100.x 0.0.0.255 <-- LAN interface "fa0/0"

deep inside me i know that the above is wrong, as this is distributing as well the local lan to the ISP.

when i show ip route, i can see all our LAN for 20+ sites are showing through our ISP WAN IP Address.

this is wrong, as i've learnt by reading more about DMVPN routes has to be learnt from tunnel interfaces.

i've tried to have another OSPF process but i was not succeeding, i've also tried EIGRP but with another failure.

if more details is still required, please ask me.

i want to have an ideal network infrastructure in my organization, as i am working on a redunduncy plan and i want to solve this before i implement the backup solution.

thanks in advance.

AA

more over, i've spent

12 Replies 12

Jennifer Halim
Cisco Employee
Cisco Employee

You don't advertise the WAN subnet over OSPF if the tunnel source is the WAN interface. That would create loop and the DMVPN tunnel would not be up. In the show ip route, you should be seeing all the remote LAN through the tunnel interface instead of through WAN if the DMVPN tunnel is UP.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

thanks for the quick reply however i am not able to open the link

Forbidden File or Application

The file or application you are trying to access may require additional entitlement or you are trying to access a file with an invalid name. Additional entitlement levels are granted based on a users relationship with Cisco on a per-application basis.   

still the same

Forbidden File or Application

The file or application you are trying to access may require additional entitlement or you are trying to access a file with an invalid name. Additional entitlement levels are granted based on a users relationship with Cisco on a per-application basis.

Try to open the URL on a different browser. Sometimes, it gave that error message somehow. It gives me the same error when i use firefox, but it opens OK in IE.

tried, but still same.

thank you Edison,

however, after reviewing the document and after going through halijenn's comments there is somthing i have to say,

i have to publish WAN interface on ospf 1 because this is configured along with ISP otherwise the cloud wont perform.

howcome i should not publish it on ospf? what are alternatives?

i've tried having another ospf on one of spokes as well as the hub putting only LAN and tunnel interfaces, but ospf was not working for a reason.

regards,

ok from the above discussion i understand that you need to have full reachablity between your hub and remote sites using WAN addressing only

this is done using ospf 1

and in the network command use only the network and the subnet between each router and the ISP ( to get advertised by the ISP to other sites)

for LAN communications you need configure another ospf process

advertise in this ospf the tunnel network and the LAN in each site

in the tunnel configuration of on each remote site you will map the multicast and the tunnel ip of the hub  to the WAN ip address of the hub router

( the WAN IP address of the hub and all other sites will be reachable via the ospf process 1 through the ISP )

once the tunnel up between the remote site and the hub the new added ospf process will be established and the routing between the LANs will be over the tunnel

make sure you have all the tunnels including the hub to be cofigure with ospf network type as broadcast

and the priority in each tunnel interface of the remote sites only to be set to 0 to make sure the hub will be the DR

you could refer to the bellow document as well for more details about configuring the routing protocols over the DMVPN

https://supportforums.cisco.com/docs/DOC-8356

good luck

if helpful Rate

hi marwan,

thanks for your help, however when i tried the same as i mentioned before, something goes wrong.

below is how i did the config

interface Tunnel15

ip address LAN/24

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1416

ip nhrp authentication key

ip nhrp map HUB-Tunnel IP HUB-WAN IP

ip nhrp map multicast HUB-WAN IP

ip nhrp network-id 11

ip nhrp holdtime 600

ip nhrp nhs HUB-Tunnel IP

ip nhrp nhs

ip ospf priority 0

tunnel source FastEthernet0/1

tunnel mode gre multipoint

tunnel key 11

tunnel protection ipsec profile myprofile

router ospf 1 <-- ISP routing process

network ISP WAN/30 area 0

router ospf 2 <-- process added by me

network LAN/24 area 0

network Tunnel/32 area 0

same additional OSPF process added on hub.

but OSPF is not starting, i cant see routes initiated on the new ospf process.

first

what you mean in the tunnel IP LAN/24

let say your LAN interface ip 10.1.1.10/24

and tunnel interface ip is 20.1.1.10

Spok:

tunnel 0

ip add 20.1.1.10 255.255.255.0

ip ospf network broadcast

ip ospf priority 0

router ospf 2

network 10.1.1.10 0.0.0.0 area 0

network 20.1.1.10 0.0.0.0 area 0

Hub:

LAN 100.1.1.1/24

tunnel 20.1.1.1/24

tunnel 0

ip add 20.1.1.1 255.255.255.0

ip ospf network broadcast

ip ospf priority 100

router ospf 2

network 100.1.1.1 0.0.0.0 area 0

network 20.1.1.1 0.0.0.0 area 0

i am assuming your DMVPN tunnel is up

use show ip nhrp

show crypto ipsec profile

if its still not working please post your config here (one spoke and the hub )

good luck

Review Cisco Networking for a $25 gift card