
VRF-LITE and DMVPN

rasmus.elmholt
Level 7

Hi there.

 

I am trying to configure a DMVPN overlay and want to create multiple VRFs in this overlay.

On the hub router, all the tunnels are terminated on the same interface in Global Routing but with different network-ids.

But when I try and get the spokes to connect, it seems like the tunnels are hitting the wrong VRFs.

 

Hub

vrf definition VRF-VARME-IC
 rd 180:180
 !
 address-family ipv4
 exit-address-family
!
vrf definition VRF-EL-IC
 rd 160:160
 !
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
! Interface towards a firewall in vrf VRF-EL-IC
!
interface GigabitEthernet0/0/0.860
 encapsulation dot1Q 860
 vrf forwarding VRF-EL-IC
 ip address 10.66.160.2 255.255.255.0
!
! Interface towards a firewall in vrf VRF-VARME-IC
!
interface GigabitEthernet0/0/0.880
 encapsulation dot1Q 880
 vrf forwarding VRF-VARME-IC
 ip address 10.66.180.2 255.255.255.0
!
! Interface in Global Routing used to terminate all tunnels from the spokes.
!
interface GigabitEthernet0/0/1
 ip address 10.66.60.198 255.255.255.0
 negotiation auto
!
interface Tunnel160
 vrf forwarding VRF-EL-IC
 ip address 192.168.160.1 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password1
 ip nhrp map multicast dynamic
 ip nhrp network-id 160
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
!
interface Tunnel180
 vrf forwarding VRF-VARME-IC
 ip address 192.168.180.1 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password2
 ip nhrp map multicast dynamic
 ip nhrp network-id 180
 ip nhrp holdtime 60
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/0/0.880
 tunnel mode gre multipoint
!

On the spokes I have the following configuration, but it seems like the DMVPN doesn't match the correct tunnel on the hub end.

vrf definition VRF-VARME-IC
 rd 180:180
 !
 address-family ipv4
 exit-address-family
!
!
interface Tunnel180
 vrf forwarding VRF-VARME-IC
 ip address 192.168.180.79 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password2
 ip nhrp map multicast 10.66.60.198
 ip nhrp map 192.168.180.1 10.66.60.198
 ip nhrp network-id 180
 ip nhrp holdtime 60
 ip nhrp nhs 192.168.180.1
 ip nhrp shortcut
 ip tcp adjust-mss 1420
 tunnel source Ethernet0
 tunnel mode gre multipoint
!
#ping vrf VRF-VARME-IC ip 192.168.180.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.180.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

On the hub I get the following error, telling me the tunnel is created in VRF-EL-IC and not VRF-VARME-IC:

#debug nhrp 
NHRP protocol debugging is on
!
Mar  7 14:21:40.634: NHRP: Receive Registration Request via Tunnel160 vrf VRF-EL-IC(0x3), packet size: 105
Mar  7 14:21:40.634: NHRP: Registration request is being forwarded. Current NAT logic does'nt work for forwarded registrations
Mar  7 14:21:40.634: NHRP: Attempting to forward to destination: 192.168.180.1 vrf: VRF-EL-IC(0x3)
Mar  7 14:21:40.634: NHRP: IP route lookup(not mandatory idb) yielded Null0, nhop 192.168.180.1 for 192.168.180.1 vrf VRF-EL-IC(0x3) netid: 160 intf: 0
Mar  7 14:21:40.634: NHRP: NHRP Forward: unable to get NHRP IDB

I have read in some places that it is not possible to terminate multiple VRF tunnels on the same Global Routing interface, but I have to run 2547oDMVPN to make it work.

 

By the way: Everything works if I only have one of the tunnels and VRFs active on the hub router. But everything breaks down when I create the second tunnel interface.

Accepted Solutions

Deepak Kumar
VIP Alumni

Hi,

Let's start some discussion based on your configuration:

! Interface in Global Routing used to terminated all tunnels from the spokes.
!
interface GigabitEthernet0/0/1
 ip address 10.66.60.198 255.255.255.0
 negotiation auto

This means Gig0/0/1 is the WAN interface. Let's start the configuration based on your requirement.

HUB Router configuration:

interface Tunnel160
 vrf forwarding VRF-EL-IC
 ip address 192.168.160.1 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password1
 ip nhrp map multicast dynamic
 ip nhrp network-id 160
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 1
!
interface Tunnel180
 vrf forwarding VRF-VARME-IC
 ip address 192.168.180.1 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password2
 ip nhrp map multicast dynamic
 ip nhrp network-id 180
 ip nhrp holdtime 60
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 2

Spoke Router Configuration:

 

interface Tunnel180
 vrf forwarding VRF-VARME-IC
 ip address 192.168.180.79 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password2
 ip nhrp map multicast 10.66.60.198
 ip nhrp map 192.168.180.1 10.66.60.198
 ip nhrp network-id 180
 ip nhrp holdtime 60
 ip nhrp nhs 192.168.180.1
 ip nhrp shortcut
 ip tcp adjust-mss 1420
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 2

 

Regards,

Deepak Kumar



balaji.bandi
Hall of Fame

Looking at a high level, can you cross-check the interfaces below?

 

interface Tunnel160
 vrf forwarding VRF-EL-IC
 ip address 192.168.160.1 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password1
 ip nhrp map multicast dynamic
 ip nhrp network-id 160
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/0/1    <-------- this
 tunnel mode gre multipoint
!
interface Tunnel180
 vrf forwarding VRF-VARME-IC
 ip address 192.168.180.1 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password2
 ip nhrp map multicast dynamic
 ip nhrp network-id 180
 ip nhrp holdtime 60
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/0/0.880   <---- This 
 tunnel mode gre multipoint
!

BB


Hi there,

 

My mistake, I had it all configured for GI 0/0/1 as the source interface.

But I read somewhere that it was not possible to have multiple tunnel VRFs terminated on the same interface in Global Routing, and started to move the tunnel termination on tunnel 180 to a VRF interface.

But the result was the same.

So now it looks like this:

interface Tunnel160
 vrf forwarding VRF-EL-IC
 ip address 192.168.160.1 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password1
 ip nhrp map multicast dynamic
 ip nhrp network-id 160
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
!
interface Tunnel180
 vrf forwarding VRF-VARME-IC
 ip address 192.168.180.1 255.255.255.0
 no ip redirects
 ip mtu 1460
 ip nhrp authentication password2
 ip nhrp map multicast dynamic
 ip nhrp network-id 180
 ip nhrp holdtime 60
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
!

 

 

Check this thread; it may have a similar solution to what you are looking for (when I get a chance I will test and let you know over the weekend).

 

https://community.cisco.com/t5/routing/gre-egress-interface-selection/td-p/2709472

BB


You can make this work in the way mentioned below, if possible:
1. Add a secondary IP on your interface GigabitEthernet0/0/1 in the same ISP pool (global VRF).
2. Source any one tunnel with that secondary IP address instead of GigabitEthernet0/0/1.
3. Make changes on the spoke multicast mapping accordingly.


Hi everyone,

Thank you for the help. I followed this guide that did exactly what I wanted to do:
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/ngwane/ngwanedmvpn.pdf

When I added the tunnel key command and deleted all the configuration and reapplied it, everything started working.

Thanks.
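
Added example, not part of any post in this thread: a Python check that parses an IOS configuration and reports multipoint GRE tunnels that share a tunnel source without unique tunnel key values, the condition under which spoke registrations landed in the wrong VRF here. The sample configuration is constructed from the hub tunnels quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's hub tunnels, trimmed, before "tunnel key" was added.
SAMPLE_HUB_CONFIG = """\
interface Tunnel160
 vrf forwarding VRF-EL-IC
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
!
interface Tunnel180
 vrf forwarding VRF-VARME-IC
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
"""

def parse_tunnels(config):
    """Collect source, key, VRF and mGRE mode for every Tunnel interface."""
    tunnels, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            is_tunnel = len(words) > 1 and re.fullmatch(r"Tunnel\d+", words[1]) is not None
            blank = {"source": None, "key": None, "vrf": None, "mgre": False}
            current = tunnels.setdefault(words[1], blank) if is_tunnel else None
        elif current is not None and len(words) >= 3:
            if words[:2] == ["tunnel", "source"]:
                current["source"] = words[2]
            elif words[:2] == ["tunnel", "key"]:
                current["key"] = words[2]
            elif words[:2] == ["vrf", "forwarding"]:
                current["vrf"] = words[2]
            elif words == ["tunnel", "mode", "gre", "multipoint"]:
                current["mgre"] = True
    return tunnels

def shared_source_conflicts(config):
    """Return (source, members) for mGRE tunnels sharing a source without unique keys."""
    by_source = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t["mgre"] and t["source"]:
            by_source[t["source"]].append((name, t["vrf"], t["key"]))
    findings = []
    for source, members in sorted(by_source.items()):
        keys = [key for _, _, key in members]
        # A missing or repeated key leaves the hub unable to tell the tunnels apart.
        if len(members) > 1 and (None in keys or len(set(keys)) < len(keys)):
            findings.append((source, sorted(members)))
    return findings
```

Sources are compared as written, so a tunnel sourced from an interface name and another sourced from that interface's IP address are not grouped together.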