07-24-2015 09:57 PM - edited 03-05-2019 01:56 AM
Hi,
I have an issue with our branch DMVPN. I am fist time here, so please bear with me about the method I am asking question.
Following are set :
We have Hub and Spoke DMVPN setup.
There are many Spoke has been setup without vrf and it is all working fine.
These setup are using ADSL PPOE to ISP.
when we setup with VRF, It seems the VRF is not working. (When we removed the VRF, seems DMVPN start to work as in normal scenario.
For VRF we set all necessary config.
Tunnel & Physical (Fa4) setup fine.
We have a static route point to ISP that works when VRF removed.
Under Tunnel interface we have :"tunnel vrf xxxxx" command
Under Physical outside facing interface we have "ip vrf forwarding xxxxx
I could confirm MTU setting and MTU mss setting fine (As it can work without VRF).
My question is, Is there we need anything additional to ask ISP to configure or add (Route) to support our VRF?.
if you have time let me understand what could be happening and why.
Thanks for your help.
Moor
07-26-2015 04:52 AM
Hello
"There are many Spoke has been setup without vrf and it is all working fine"
Do you have both the hub/spoke physical/tunnel interfaces in the same VRF or just the spoke ina VRF?
It may be you need to add a route into the vrf table to point to the global route table for a nexthop
example:
ip route vrf VRF 0.0.0.0 0.0.0.0 x.x.x.x global ( x.x.x.x = next hop towards hub nhrp NBMA address)
Can you post your config of the NHRP NHS/NHC and route tables - (vrf and global please)
res
Paul
07-26-2015 08:06 AM
Hi Paul,
Thanks for your time and effort in helping. Below are the config for your info. Kindly advise. Thanks. Also note that I am running with ADSL to Telco on PPPOE. The router I am using Cisco C881/K9.
Thanks again.
-----------------------------
!
ip vrf Test1-out
rd 100:1
!
crypto keyring ring vrf Test1-out
pre-shared-key address 0.0.0.0 0.0.0.0 key XXXXXX
!
!
interface Tunnel0
description *** TUNNEL TO HUB ***
ip address 10.251.210.12 255.255.252.0
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1250
ip nhrp authentication ECLVPN
ip nhrp map 10.251.210.1 205.196.95.155
ip nhrp map multicast 205.196.95.155
ip nhrp map 10.251.210.2 205.196.95.156
ip nhrp map multicast 205.196.95.156
ip nhrp network-id 100001
ip nhrp holdtime 360
ip nhrp nhs 10.251.210.1
ip nhrp nhs 10.251.210.2
ip nhrp registration no-unique
keepalive 20 3
delay 1000
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100001
tunnel vrf Test1-out
tunnel protection ipsec profile XXXXXX
!
!
interface GigabitEthernet0/0
Desc *** DMVPN: OUT INTERNET
ip vrf forwarding Test1-out
ip address 122.181.248.12 255.255.255.0
duplex auto
speed auto
!
!
ip route vrf Test1-out 0.0.0.0 0.0.0.0 122.181.248.1
!
-------------------------------
07-26-2015 04:19 PM
Hello
"when we setup with VRF, It seems the VRF is not working. (When we removed the VRF, seems DMVPN start to work as in normal scenario."
Does the nhrp hub have vrf enabled?
Can you try the following:
no ip route vrf Test1-out 0.0.0.0 0.0.0.0 122.181.248.1
ip route 122.181.248.12 255.255.255.255 GigabitEthernet0/0
ip route vrf Test1-out 0.0.0.0 0.0.0.0 122.181.248.1 global
sh ip route | be Ga
sh ip route vrf-Test1 | be Ga
Sh dmvpn
sh ip nhrp detail
res
Paul
07-26-2015 04:19 PM
Hi Paul,
Again thanks for your time and the great help. Appreciated. I am about to get in doing the config as Telcon on site to connect the line. (Doing Remote).
"Does the nhrp hub have vrf enabled?"
Yes Paul it is. We have other sites (Old) currently running with VRF. I have encounter this problem specically when Telco Assign IP from /24 subnet rather then the small one such as adjacent ip we get from /29
Thanks and much appreciated.
07-27-2015 12:04 AM
Hello
I dont see NHRP being the issue here, more than the routing as the cause.
From your config, it looks like you have dual dmvpnhub sites and running nhrp phase 2.
However your static rounting doesnt look correct for VRF, I see a single default route set to the global routing table, but nothing for the vrf-hence when you take of vrf the DMVPN establishes and works.
Try the suggestion i previous posted and see if that helps
res
Paul
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide