FVRF+DMVPN

FRasuli01
Level 1

Hello,

I've got a problem

Cisco 7200 as a Hub

hostname HUB
!
ip vrf Crypto
 rd 100:1
!
!
!
!
!
ip cef
!
!
!
crypto keyring VPN vrf Crypto
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 20
 authentication pre-share
crypto isakmp profile VPN-Crypto
   vrf Crypto
   keyring VPN
   match identity address 0.0.0.0 Crypto
!
!
crypto ipsec transform-set dmvpn_ts esp-3des esp-sha-hmac
!
crypto ipsec profile MGRE
 set transform-set dmvpn_ts
 set isakmp-profile VPN-Crypto
!
!
!
!
!
!
interface Tunnel15
 description DMVPN Tunnel Interface
 bandwidth 1000000
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip mtu 1300
 ip nhrp authentication test123
 ip nhrp map multicast dynamic
 ip nhrp network-id 236
 ip nhrp holdtime 600
 ip nhrp interest none
 ip ospf network point-to-multipoint
 cdp enable
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel path-mtu-discovery
 tunnel vrf Crypto
 tunnel protection ipsec profile MGRE
!
interface FastEthernet0/0
 description Connection to Connection to WAN
 ip vrf forwarding Crypto
 ip address 182.15.233.1 255.255.255.252
 speed auto
 duplex auto
!
router eigrp 1
 !
 address-family ipv4 vrf Crypto
  network 10.10.10.0 0.0.0.255
  autonomous-system 1
 exit-address-family
 auto-summary
!
!
!

control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

 

 

Spoke:

Spoke#sh run

hostname Spoke
!
!
!
!
ip cef
!
!
!
!

!
crypto keyring VPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp profile VPN-Crypto
   keyring VPN
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set dmvpn_ts esp-3des esp-sha-hmac
!
crypto ipsec profile MGRE
 set transform-set dmvpn_ts
 set isakmp-profile VPN-Crypto
!
!
!
!
!
!
interface Tunnel15
 description DMVPN Tunnel Interface
 bandwidth 10000
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip mtu 1300
 ip nhrp authentication beeline
 ip nhrp map multicast 182.15.233.1
 ip nhrp map 10.10.10.1 182.15.233.1
 ip nhrp network-id 2
 ip nhrp holdtime 600
 ip nhrp interest 5
 ip nhrp nhs 10.10.10.1
 ip ospf network point-to-multipoint
 qos pre-classify
 cdp enable
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile MGRE
!
interface FastEthernet0/0
 ip address 182.15.233.2  255.255.255.252
 speed auto
 duplex auto
!
!
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 182.15.233.1
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

 

 

Hub cannot ping its own interface 182.15.233.1... What am I doing wrong?


Peter Paluch
Cisco Employee

Hi,

Just to be sure - have you tried the command ping vrf Crypto 182.15.233.1 ? Recall that without the vrf keyword, you are routing the pings according to the global routing table, not the Crypto VRF.

If this does not help, can you please post the output of the show ip int brief and show ip route vrf Crypto commands?

Best regards,
Peter

Spoke#sh run
Building configuration...

Current configuration : 1879 bytes
!
! Last configuration change at 14:52:24 UTC Mon Jan 26 2015
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Spoke
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
crypto keyring VPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp profile VPN-Crypto
   keyring VPN
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set dmvpn_ts esp-3des esp-sha-hmac
!
crypto ipsec profile MGRE
 set transform-set dmvpn_ts
 set isakmp-profile VPN-Crypto
!
!
!
!
!
!
interface Tunnel15
 description DMVPN Tunnel Interface
 bandwidth 10000
 ip address 172.28.236.2 255.255.255.0
 no ip redirects
 ip mtu 1300
 ip nhrp authentication beeline
 ip nhrp map multicast 172.28.233.1
 ip nhrp map 172.28.236.1 172.28.233.1
 ip nhrp network-id 2
 ip nhrp holdtime 600
 ip nhrp interest 5
 ip nhrp nhs 172.28.236.1
 ip ospf network point-to-multipoint
 qos pre-classify
 cdp enable
 tunnel source FastEthernet1/1
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile MGRE
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 ip address 172.28.233.2 255.255.255.252
 speed auto
 duplex auto
!
!
router eigrp 1
 network 172.28.236.0 0.0.0.255
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.28.233.1
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

 

 

 

 

HUB#sh run
Building configuration...

Current configuration : 2024 bytes
!
! Last configuration change at 14:52:38 UTC Mon Jan 26 2015
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip vrf Crypto
 rd 100:1
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
crypto keyring VPN vrf Crypto
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 20
 authentication pre-share
crypto isakmp profile VPN-Crypto
   vrf Crypto
   keyring VPN
   match identity address 0.0.0.0 Crypto
!
!
crypto ipsec transform-set dmvpn_ts esp-3des esp-sha-hmac
!
crypto ipsec profile MGRE
 set transform-set dmvpn_ts
 set isakmp-profile VPN-Crypto
!
!
!
!
!
!
interface Tunnel15
 description DMVPN Tunnel Interface
 bandwidth 1000000
 ip address 172.28.236.1 255.255.255.0
 no ip redirects
 ip mtu 1300
 ip nhrp authentication test123
 ip nhrp map multicast dynamic
 ip nhrp network-id 236
 ip nhrp holdtime 600
 ip nhrp interest none
 ip ospf network point-to-multipoint
 cdp enable
 tunnel source FastEthernet1/1
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel path-mtu-discovery
 tunnel vrf Crypto
 tunnel protection ipsec profile MGRE
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 description Connection to Connection to WAN
 ip vrf forwarding Crypto
 ip address 172.28.233.1 255.255.255.252
 speed auto
 duplex auto
!
!
router eigrp 1
 !
 address-family ipv4 vrf Crypto
  network 10.10.10.0 0.0.0.255
  autonomous-system 1
 exit-address-family
 auto-summary
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

HUB#

 

 

 

 

Spoke#ping 172.28.233.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.233.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/48/124 ms
Spoke#ping 172.28.233.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.233.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Spoke#ping 172.28.236.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.236.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Spoke#ping 172.28.236.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.236.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

 

 

 

HUB#ping 172.28.236.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.236.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
HUB#ping 172.28.236.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.236.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
HUB#ping 172.28.233.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.233.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
HUB#ping 172.28.233.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.233.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

 

 

HUB#sh ip route vrf Crypto

Routing Table: Crypto
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.28.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.28.233.0/30 is directly connected, FastEthernet1/1
L        172.28.233.1/32 is directly connected, FastEthernet1/1

 

Spoke#sh ip route vrf Crypto
% IP routing table vrf Crypto does not exist

 

 

Spoke#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down
FastEthernet1/0        unassigned      YES unset  administratively down down
FastEthernet1/1        172.28.233.2    YES manual up                    up
Tunnel15               172.28.236.2    YES manual up                    up

 

 

HUB#
HUB#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down
FastEthernet1/0        unassigned      YES unset  administratively down down
FastEthernet1/1        172.28.233.1    YES manual up                    up
Tunnel15               172.28.236.1    YES manual up                    up

 

 

 

The HUB router is configured for VRF; therefore, the ping should be initiated from the VRF Crypto.

 

HUB# ping vrf Crypto 172.28.233.2
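
Added example, not part of any post in this thread: a Python check that reads the interface stanzas of the HUB configuration posted above and derives which routing table each connected address lives in. It reproduces why a plain ping to 172.28.233.1 fails on the HUB while the tunnel address 172.28.236.1 answers from the global table. The function names and the trimmed config excerpt are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the HUB configuration posted in this thread.
HUB_CONFIG = """\
interface Tunnel15
 ip address 172.28.236.1 255.255.255.0
 tunnel source FastEthernet1/1
 tunnel vrf Crypto
!
interface FastEthernet1/1
 ip vrf forwarding Crypto
 ip address 172.28.233.1 255.255.255.252
!
"""


def connected_networks(config):
    """Return {interface: (connected network, VRF name or None for global)}."""
    nets, vrfs, name = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            name = m.group(1)
            vrfs[name] = None
        elif not line.startswith(" "):
            name = None  # left interface sub-mode
        elif name and (m := re.match(r" +ip vrf forwarding (\S+)", line)):
            vrfs[name] = m.group(1)
        elif name and (m := re.match(r" +ip address (\S+) (\S+)$", line)):
            nets[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        # "tunnel vrf" is ignored on purpose: it picks the table used for the
        # encrypted transport packets, not the table the tunnel's own IP is in.
    return {n: (net, vrfs[n]) for n, net in nets.items()}


def ping_command(config, target):
    """IOS ping command that looks `target` up in the table it is connected in."""
    addr = ipaddress.ip_address(target)
    for net, vrf in connected_networks(config).values():
        if addr in net:
            return f"ping vrf {vrf} {target}" if vrf else f"ping {target}"
    return None  # not a connected network; depends on routes not parsed here


if __name__ == "__main__":
    for ip in ("172.28.233.1", "172.28.233.2", "172.28.236.1"):
        print(ip, "->", ping_command(HUB_CONFIG, ip))
```

The check only covers directly connected networks; addresses reached through static or dynamic routes return None because those tables are not parsed.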