09-25-2013 02:59 AM - edited 03-04-2019 09:08 PM
Hi,
I am configuring DMVPN with OSPF at my head office and RIP at the spoke router.
I am able to reach the head office network from the spoke routers, but from the hub I am not able to reach the spoke routers even though the tunnel is up.
Here is the config:
HUB Router
-----------------------------------------------------------------------------------------------------------------------------------------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key asicovpn address 0.0.0.0 0.0.0.0
!
!
interface Tunnel0
ip address 172.20.20.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication asicovpn
ip nhrp map multicast dynamic
ip nhrp map multicast 172.20.20.1
ip nhrp network-id 254
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 199
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 78.93.37.134 255.255.255.240
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.12.124 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
router ospf 10
redistribute rip metric 22222 subnets
network 192.168.12.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 10 metric 1
network 172.20.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 78.93.37.129
!
-----------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------
Spoke Router
------------------------------------------------------------------------------------------------------------------------------------------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key asicovpn address 78.93.37.134
!
!
!
interface Tunnel0
bandwidth 1000
ip address 172.20.20.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication asicovpn
ip nhrp map multicast dynamic
ip nhrp map multicast 78.93.37.134
ip nhrp map 172.20.20.1 78.93.37.134
ip nhrp network-id 254
ip nhrp nhs 172.20.20.1
tunnel source FastEthernet4
tunnel destination 78.93.37.134
tunnel key 199
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.75.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
router rip
version 2
network 172.20.0.0
network 192.168.75.0
no auto-summary
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2000 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 78.93.37.134 255.255.255.255 192.168.1.1
!
access-list 2000 deny ip any 192.168.12.0 0.0.0.255
access-list 2000 deny ip any 192.168.13.0 0.0.0.255
access-list 2000 deny ip any 192.168.118.0 0.0.0.255
access-list 2000 deny ip any 192.168.114.0 0.0.0.255
access-list 2000 deny ip any 192.168.115.0 0.0.0.255
access-list 2000 deny ip any 192.168.116.0 0.0.0.255
access-list 2000 deny ip any 192.168.117.0 0.0.0.255
access-list 2000 deny ip any 192.168.21.0 0.0.0.255
access-list 2000 deny ip any 192.168.33.0 0.0.0.255
access-list 2000 deny ip any 192.168.41.0 0.0.0.255
access-list 2000 permit ip any any
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The NAT on the spoke router is to prevent internet traffic from going over the tunnel.
For that I have to remove the default route, but in this case when I am removing the default route all traffic is going to the internet from the local DSL.
Can anyone help me please...
09-25-2013 04:21 AM
Hi,
What do you have for 'show ip route 192.168.75.0' on the hub? On the spoke, do you want internet to go through the tunnel or the local DSL?
HTH,
Lei Tian
09-25-2013 05:18 AM
Hi Lei,
Thank you for the reply....
Now everything is working fine, I don't know how, but the route on the hub is like below:
Router#sh ip route 192.168.75.1
Routing entry for 192.168.75.0/29
Known via "rip", distance 120, metric 1
Redistributing via ospf 10, rip
Advertised by ospf 10 metric 22222 subnets
Last update from 172.20.20.2 on Tunnel0, 00:00:04 ago
Routing Descriptor Blocks:
* 172.20.20.2, from 172.20.20.2, 00:00:04 ago, via Tunnel0
Route metric is 1, traffic share count is 1
Yes, I want the internet traffic to go through DSL only, not on the tunnel.
Once again I will paste the config which is working:
HUB
-------------------------------------------------------------------------------------------------------------------------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key asicovpn address 0.0.0.0 0.0.0.0
!
!
!
!
!
!
interface Tunnel0
ip address 172.20.20.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication asicovpn
ip nhrp map multicast dynamic
ip nhrp map multicast 172.20.20.1
ip nhrp network-id 254
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 199
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 78.93.37.134 255.255.255.240
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.12.124 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
router ospf 10
redistribute rip metric 22222 subnets
network 192.168.12.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 10 metric 10
network 172.20.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 78.93.37.129
!
!
-----------------------------------------------------------------------------------------------------------------------------------------
SPOKE
------------------------------------------------------------------------------------------------------------------------------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key asicovpn address 78.93.37.134
!
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 172.20.20.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication asicovpn
ip nhrp map multicast dynamic
ip nhrp map multicast 78.93.37.134
ip nhrp map 172.20.20.1 78.93.37.134
ip nhrp network-id 254
ip nhrp nhs 172.20.20.1
tunnel source FastEthernet4
tunnel destination 78.93.37.134
tunnel key 199
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.75.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
router rip
version 2
network 172.20.0.0
network 192.168.75.0
no auto-summary
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2000 interface FastEthernet4 overload
ip route 78.93.37.134 255.255.255.255 192.168.1.1
!
access-list 2000 deny ip any 192.168.12.0 0.0.0.255
access-list 2000 deny ip any 192.168.13.0 0.0.0.255
access-list 2000 deny ip any 192.168.118.0 0.0.0.255
access-list 2000 deny ip any 192.168.114.0 0.0.0.255
access-list 2000 deny ip any 192.168.115.0 0.0.0.255
access-list 2000 deny ip any 192.168.116.0 0.0.0.255
access-list 2000 deny ip any 192.168.117.0 0.0.0.255
access-list 2000 deny ip any 192.168.21.0 0.0.0.255
access-list 2000 deny ip any 192.168.33.0 0.0.0.255
access-list 2000 deny ip any 192.168.41.0 0.0.0.255
access-list 2000 permit ip any any
09-25-2013 08:10 AM
09-25-2013 10:35 AM
Hi,
I filtered the inbound routes and now the routing table looks clean and clear.
Is this the correct way to filter? I don't know whether any routing loops will occur; please correct me if I am missing anything.
router ospf 10
distribute-list 10 in
access-list 10 permit 192.168.0.0 0.0.63.255
access-list 10 permit 192.168.112.0 0.0.7.255
access-list 10 permit 10.10.10.0
09-25-2013 12:58 PM
Hi,
You cannot really filter OSPF routes. Even if you filter the route from the routing table, it will still be in the OSPF database, and will be advertised out to the OSPF neighbor. Instead of filtering the routes, you can consider summarizing the routes, so you only see the summarized routes in the RIB.
HTH,
Lei Tian
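An added example, not part of the thread: a small Python audit of which network addresses the posted access-list 10 would permit when used with an inbound distribute-list. As the reply above says, this only decides what is installed in the routing table; the OSPF database is unchanged. The list of networks is assembled here from addresses that appear in the posted configs, and the function names are hypothetical.

```python
import ipaddress

# ACL 10 exactly as posted in the thread (standard ACL: address + wildcard).
ACL_10 = """\
access-list 10 permit 192.168.0.0 0.0.63.255
access-list 10 permit 192.168.112.0 0.0.7.255
access-list 10 permit 10.10.10.0
"""

# Constructed sample: network addresses taken from the configs in this thread.
THREAD_NETWORKS = ["192.168.12.0", "192.168.13.0", "192.168.21.0",
                   "192.168.33.0", "192.168.41.0", "192.168.114.0",
                   "192.168.118.0", "192.168.75.0", "10.10.10.0"]

def parse_standard_acl(text):
    """Return [(action, base_int, wildcard_int)] for each access-list line."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action = tok[2]
        base = int(ipaddress.IPv4Address(tok[3]))
        # A missing wildcard means 0.0.0.0: match that exact address only.
        wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((action, base, wild))
    return entries

def acl_action(entries, network):
    """First matching entry wins; a standard ACL ends in an implicit deny."""
    addr = int(ipaddress.IPv4Address(network))
    for action, base, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if (addr & care) == (base & care):
            return action
    return "deny"

def audit(entries, networks):
    """Map each network address to the action the ACL takes on it."""
    return {net: acl_action(entries, net) for net in networks}

if __name__ == "__main__":
    for net, action in audit(parse_standard_acl(ACL_10), THREAD_NETWORKS).items():
        print(f"{net:<15} {action}")
```
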