Re: GRE Tunnel DMVPN without NHRP

sidp · ‎06-02-2022

Hi guys,

I have to realise the following situation and need some help.

I would like to use the same Tunnel interface on the hubs for all spokes.

When I check the "sh run int tun1" on both sites it shows up up but it also shows up up if I configure a wrong tunnel destionation on the spoke...

A ping from the spoke to Gi3 HSRP IP of the hubs works. OSPF doesn't work either but first GRE has to work.

How to check if the tunnel is really up?

How do I know on which of the two GRE hubs is the tunnel terminating (hsrp)?

GRE HUB

interface GigabitEthernet3
 description *** MPLS Interface ***
 vrf forwarding dmvpn
 ip address 10.30.11.3 255.255.255.240
 standby 0 ip 10.30.11.5
 standby 0 priority 120
 standby 0 preempt
 negotiation auto
!
interface Tunnel1
 description *** MPLS GRE Tunnels ***
 vrf forwarding dmvpn
 ip address 10.21.4.1 255.255.252.0
 no ip redirects
 ip ospf network point-to-multipoint
 ip ospf 10 area 1
 ip policy route-map Route_Firewall
 delay 10
 keepalive 10 3
 tunnel source GigabitEthernet3
 tunnel mode gre multipoint
!
router ospf 10 vrf dmvpn
router-id 1.1.1.1
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
!
ip route vrf dmvpn 0.0.0.0 0.0.0.0 10.30.11.10
ip route vrf dmvpn 10.12.0.0 255.255.255.240 10.30.11.10
!
route-map Route_Firewall permit 10 
match ip address Route_Firewall
match ip route-source 10
set ip next-hop 10.30.13.1

C867 Spoke

!
interface GigabitEthernet2
 description WAN Uplink
 ip address 10.15.0.199 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel1
 description *** MPLS Vorlage ***
 ip address 10.21.4.199 255.255.252.0
 no ip redirects
 ip ospf network point-to-multipoint
 ip ospf 10 area 1
 tunnel source GigabitEthernet2
 tunnel destination 10.30.11.5
!
router ospf 10
 router-id 10.15.0.199
 passive-interface default
 no passive-interface Tunnel1
 network 172.28.8.32 0.0.0.7 area 1
!
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 10.30.11.0 255.255.255.240 10.15.0.1

Karsten Iwen · ‎06-02-2022

I think you are trying to modify the protocols in a way it was not intended by Cisco. Why do you want to do that? In general I would say:

If you want to implement DMVPN, use it as intended with NHRP
For this use case a simple FlexVPN hub-and-spoke implementation could be a better solution
If you really don't want to use NHRP, I would go for simple DVTIs
For the redundancy, using two tunnels from each spoke (one to each hub) and letting the IGP do the rest will be much easier than using HSRP

sidp · ‎06-02-2022

C867 routers do not support NHRP...

Thanks I will check hub-and-spoke and DVTI which I did not know about.

My goal is a solution where I don't have to do any changes to the hubs even if I a add a new spoke.

Karsten Iwen · ‎06-02-2022

Both DVTIs and FlexVPNs will enable you to add spokes without touching the Hubs.

MHM Cisco World · ‎06-02-2022

so that explain issue here,
if C867 is not support NHRP then config these router with EasyVPN

https://www.networkstraining.com/configuring-easyvpn-between-cisco-routers/

so there will be two spoke one use DMPVN and other use EasyVPN

Karsten Iwen · ‎06-02-2022

EasyVPN is legacy and shouldn't be used any more. All alternatives are better.

MHM Cisco World · ‎06-02-2022

Yes but are C876 support DVTI ?
we restrict with this router model.

Karsten Iwen · ‎06-03-2022

On the Spoke-side, standard VTIs are used. They were introduced in IOS 12.3T and are supported on all IOS routers. Only the Hub needs the "D" in DVTI and the CSR1000 is capable of all of this and much more.

In addition to that I would not use GRE here but the native IPsec encapsulation. With that the line-protocol reflects the tunnel-status.

MHM Cisco World · ‎06-02-2022

see my above comment

sidp · ‎06-02-2022

Thanks guys.

I would prefer a Cisco independent solution which would also work with other routers.

MHM Cisco World · ‎06-02-2022

OK, this workaround I try to make it work,
for Hub use tunnel source will be the VIP of HSRP
for hub use tunnel vrf dmvpn <- since the tunnel source is different VRF than global

for spoke there is no change.

no need NHRP since there is no Spoke-Spoke connect there is only Spoke-Hub connect.

how we can check GRE tunnel,
in each Hub HSRP peer show interface brief this give you if this router have static tunnel to spoke or not.