Why do we need to disable ip cef on routers with multiple tunnels?

etamminga
Spotlight

Hi,

We have a regional hub location that terminates a country-local DMVPN network. This regional hub is also a spoke in a global DMVPN network. We can only get routing between the two DMVPNs working if we disable ip cef.

Why do we need to disable ip cef to get routing working between the two tunnels?

IOS 12.4(24)T3 on a Cisco 1841.

Unfortunately we need to do this on just one router because of limited options on the WAN side from the SP (Nigeria).

Regards,

Erik

4 Replies

flashpointdevon
Level 1

Wondering the same thing here, likely security. Looking forward to a response on this =\ wish I knew

Peter Paluch
Cisco Employee

Erik,

Can you perhaps post the configuration of the regional hub? Remove sensitive information but please keep the config otherwise complete.

Thank you!

Best regards,

Peter

This is the config. I replaced all security related elements.

In this config VLAN20 represents the outside world. Tunnel10/20 is the primary global DMVPN, Tunnel40 is the local DMVPN.

Traffic inbound from Tunnel40 cannot go out Tunnel10/20 when we enable IP CEF. Why is this?

(Traffic to/from the local site (Fa0/1) over either DMVPN works with CEF enabled or disabled.)


Regards,

Erik

version 12.4
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.124-24.T5.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 16384
no logging rate-limit
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa session-id common
clock timezone GMT+1 1
dot11 syslog
ip source-route
ip gratuitous-arps
!
!
!
!
no ip cef
no ip bootp server
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script internet "" "ATDT*98*2#" TIMEOUT 60 CONNECT
!
!
!
!
archive
log config
hidekeys
!
crypto keyring CK_DMVPN_NLPAP
pre-shared-key address 0.0.0.0 0.0.0.0 key xxxx
crypto keyring CK_DMVPN_NWDM
pre-shared-key address 172.27.0.0 255.255.0.0 key xxxx
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
crypto isakmp profile CIP_DMVPN_NLPAP
keyring CK_DMVPN_NLPAP
match identity address 0.0.0.0
crypto isakmp profile CIP_DMVPN_NWDM
keyring CK_DMVPN_NWDM
match identity address 172.27.0.0 255.255.0.0
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set CIT_DMVPN_NLPAP esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set CIT_DMVPN_NWDM esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile CIP_DMVPN_NLPAP
set security-association lifetime seconds 300
set transform-set CIT_DMVPN_NLPAP
set isakmp-profile CIP_DMVPN_NLPAP
!
crypto ipsec profile CIP_DMVPN_NWDM
set security-association lifetime seconds 300
set transform-set CIT_DMVPN_NWDM
set isakmp-profile CIP_DMVPN_NWDM
!
!
!
!
ip telnet source-interface FastEthernet0/1
ip tftp source-interface FastEthernet0/1
ip ssh time-out 60
ip ssh source-interface FastEthernet0/1
ip ssh rsa keypair-name RSA_SSH
ip ssh version 2
!
track 10 ip sla 10 reachability
delay down 60 up 20
!
track 250 ip sla 250 reachability
delay down 60 up 20
!
track 500 ip sla 500 reachability
delay down 60 up 20
!
class-map match-all CMP_QoS_WANToWarriYard
match access-group name ACL_WANToWarriYard
class-map match-all CMP_QoS_NetworkControl
match ip precedence 6
class-map match-all CMP_QoS_WSUS
match access-group name ACL_WSUS
class-map match-all CMP_QoS_WANToOleroProject
match access-group name ACL_WANToOleroProject
class-map match-all CMP_QoS_Corporate
match access-group name ACL_PrivateIPRanges
!
!
policy-map PMP-QoS-DMVPN
class CMP_QoS_NetworkControl
bandwidth percent 10
class CMP_QoS_WSUS
bandwidth percent 25
fair-queue
random-detect
class CMP_QoS_Corporate
bandwidth percent 50
fair-queue
random-detect
class class-default
fair-queue
policy-map PMP-2MB-DMVPN
class class-default
shape average 2048000
service-policy PMP-QoS-DMVPN
policy-map PMP-4MB-DMVPN
class class-default
shape average 4096000
service-policy PMP-QoS-DMVPN
policy-map PMP-WarriYardAndOlero-DMVPN
class CMP_QoS_WANToWarriYard
bandwidth percent 48
service-policy PMP-QoS-DMVPN
class CMP_QoS_WANToOleroProject
bandwidth percent 48
service-policy PMP-QoS-DMVPN
policy-map PMP-WarriYard-DMVPN
class class-default
shape average 4096000
service-policy PMP-WarriYardAndOlero-DMVPN
!
!
!
!
interface Loopback0
description ACL_VS
no ip address
!
interface Loopback1
description 3GSignal=-99
no ip address
!
interface Loopback10
description Tunnel Loopback10
ip address 1.192.168.175 255.255.255.0
ip virtual-reassembly
!
interface Loopback20
description Tunnel Loopback20
ip address 1.192.178.175 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Tunnel10
description net-nlpap-dmvpn-bt
bandwidth 6144
ip address 10.192.198.175 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1420
ip flow ingress
ip flow egress
ip hold-time eigrp 10 60
ip nhrp authentication Bxxxx
ip nhrp group 6MBSpoke
ip nhrp map 10.192.198.1 xxxx
ip nhrp map multicast xxxx
ip nhrp network-id 335640
ip nhrp holdtime 300
ip nhrp nhs 10.192.198.1
ip nhrp registration timeout 120
ip nhrp shortcut
ip virtual-reassembly
ip route-cache same-interface
ip route-cache policy
ip tcp adjust-mss 1380
ip summary-address eigrp 10 192.168.175.0 255.255.255.0 5
tunnel source Loopback10
tunnel mode gre multipoint
tunnel key 335640
tunnel protection ipsec profile CIP_DMVPN_NLPAP shared
!
interface Tunnel20
description net-nlpap-dmvpn-kpnfiber
bandwidth 6144
ip address 10.192.178.175 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1420
ip flow ingress
ip flow egress
ip hold-time eigrp 10 60
ip nhrp authentication XXXX
ip nhrp group 6MBSpoke
ip nhrp map 10.192.178.1 yyyy
ip nhrp map multicast yyyy
ip nhrp network-id 335630
ip nhrp holdtime 300
ip nhrp nhs 10.192.178.1
ip nhrp registration timeout 120
ip nhrp shortcut
ip virtual-reassembly
ip route-cache same-interface
ip route-cache policy
ip tcp adjust-mss 1380
ip summary-address eigrp 10 192.168.175.0 255.255.255.0 5
tunnel source Loopback20
tunnel mode gre multipoint
tunnel key 335630
tunnel protection ipsec profile CIP_DMVPN_NLPAP shared
!
interface Tunnel40
description VDT DMVPN
bandwidth 4096
ip address 10.192.200.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1420
ip hold-time eigrp 20 60
ip nat inside
ip nhrp authentication xxxx
ip nhrp map multicast dynamic
ip nhrp map group 2MBSpoke service-policy output PMP-2MB-DMVPN
ip nhrp map group 4MBSpoke service-policy output PMP-4MB-DMVPN
ip nhrp map group SpokeWarry service-policy output PMP-WarriYard-DMVPN
ip nhrp network-id 7000
ip nhrp holdtime 300
ip nhrp shortcut
ip nhrp redirect
ip virtual-reassembly
ip route-cache same-interface
ip route-cache policy
ip tcp adjust-mss 1380
no ip split-horizon eigrp 10
tunnel source Vlan20
tunnel mode gre multipoint
tunnel key 7000
tunnel protection ipsec profile CIP_DMVPN_NWDM shared
!
interface FastEthernet0/0
description net-nwdm-nglos-pub
bandwidth 64000
bandwidth receive 128000
ip address zzzz 255.255.255.252
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip nat outside
no ip virtual-reassembly
ip tcp adjust-mss 1436
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description LAN Lagos, Nigeria
ip address 192.168.175.1 255.255.255.0
ip access-group ACL_FastEthernet01_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
ip route-cache same-interface
ip tcp adjust-mss 1260
duplex auto
speed auto
hold-queue 100 out
!
interface FastEthernet0/0/0
description Lagos Wireless Internet VLAN
switchport access vlan 10
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
description Lagos Internet Access VDT
switchport access vlan 20
bandwidth 6144
duplex full
speed 100
no cdp enable
hold-queue 100 in
hold-queue 100 out
!
interface Cellular0/1/0
description net-pub-3g_UP
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
shutdown
dialer in-band
dialer idle-timeout 20000
dialer fast-idle 1
dialer enable-timeout 10
dialer wait-for-line-protocol 20
dialer wait-for-carrier-time 40
dialer string internet
dialer redial interval 30 attempts 1000
dialer-group 10
async mode interactive
no ppp lcp fast-start
ppp lcp delay 1
ppp chap hostname web
ppp chap password 7
ppp ipcp header-compression ack
ppp ipcp dns request accept
ppp ipcp address accept
!
interface Vlan1
no ip address
!
interface Vlan10
description net-nwdm-nglos-wireless-pub
ip address zzzzz 255.255.255.248
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip nat outside
no ip virtual-reassembly
ip tcp adjust-mss 1436
!
interface Vlan20
description net-nwdm-nglos-VDT-pub
ip address zzzzz 255.255.255.252
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip nat outside
no ip virtual-reassembly
ip tcp adjust-mss 1436
!
interface Async1
no ip address
encapsulation slip
!
router eigrp 10
redistribute eigrp 20
passive-interface default
no passive-interface Loopback10
no passive-interface Loopback20
no passive-interface Tunnel10
no passive-interface Tunnel20
no passive-interface Tunnel40
offset-list eigrp-offset-failover-in in 500000 Tunnel20
offset-list eigrp-offset-failover-out out 500000 Tunnel20
network 10.192.168.0 0.0.0.255
network 10.192.178.0 0.0.0.255
network 10.192.198.0 0.0.0.255
network 10.192.200.0 0.0.0.255
network 192.168.175.0
no default-information in
no default-information out
no auto-summary
!
router eigrp 20
redistribute eigrp 10
passive-interface default
network 10.192.200.0 0.0.0.255
network 192.168.175.0
no default-information in
no default-information out
no auto-summary
!
ip local policy route-map RMP_LCR
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 zzzz 10 name VDT track 250
ip route 0.0.0.0 0.0.0.0 zzzz 20 name WiMAX track 500
ip route 0.0.0.0 0.0.0.0 zzzz 30 name VSAT
! some routes removed
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 300
ip nat inside source route-map RMP_3G_OVERLOAD interface Cellular0/1/0 overload
ip nat inside source route-map RMP_FIBER_OVERLOAD interface Vlan20 overload
ip nat inside source route-map RMP_VSAT_OVERLOAD interface FastEthernet0/0 overload
ip nat inside source route-map RMP_WIRELESS_OVERLOAD interface Vlan10 overload
!
ip access-list standard ACL_EIGRP_FILTER_Tun40_OUT

ip access-list standard ACL_SNMP

ip access-list standard ACL_VTY_IN

ip access-list standard eigrp-offset-failover-in

ip access-list standard eigrp-offset-failover-out

ip access-list extended ACL_3G_OVERLOAD

ip access-list extended ACL_CAP_IN

ip access-list extended ACL_CAP_OUT

ip access-list extended ACL_FIBER_OVERLOAD

ip access-list extended ACL_FastEthernet00_IN

ip access-list extended ACL_FastEthernet00_OUT

ip access-list extended ACL_FastEthernet01_IN

ip access-list extended ACL_PrivateIPRanges

ip access-list extended ACL_RMP_LCR_FIBER

ip access-list extended ACL_RMP_LCR_UMTS

ip access-list extended ACL_RMP_LCR_VSAT

ip access-list extended ACL_RMP_LCR_WIRELESS

ip access-list extended ACL_TEST

ip access-list extended ACL_VSAT_OVERLOAD

ip access-list extended ACL_WANToOleroProject

ip access-list extended ACL_WANToWarriYard

ip access-list extended ACL_WIRELESS_OVERLOAD

ip access-list extended ACL_WSUS
!
ip sla responder
ip sla 10
icmp-echo
frequency 10
ip sla schedule 10 life forever start-time now
ip sla 250
icmp-echo
frequency 10
ip sla schedule 250 life forever start-time now
ip sla 500
icmp-echo
frequency 10
ip sla schedule 500 life forever start-time now
access-list 10 permit any
access-list 110 remark ---------------------------------------------------------
access-list 110 remark Dialer-list 10, Cellular0/1/0
access-list 110 remark =--------------------------------------------------------
access-list 110 permit ip any any
dialer-list 10 protocol ip list 110
!
!
!
!
route-map RMP_FIBER_OVERLOAD permit 10
match ip address ACL_FIBER_OVERLOAD
match interface Vlan20
!
route-map RMP_3G_OVERLOAD permit 10
match ip address ACL_3G_OVERLOAD
match interface Cellular0/1/0
!
route-map RMP_WIRELESS_OVERLOAD permit 10
match ip address ACL_WIRELESS_OVERLOAD
match interface Vlan10
!
route-map RMP_LCR permit 10
match ip address ACL_RMP_LCR_VSAT
set ip next-hop
!
route-map RMP_LCR permit 250
match ip address ACL_RMP_LCR_FIBER
set ip next-hop
!
route-map RMP_LCR permit 500
match ip address ACL_RMP_LCR_WIRELESS
set ip next-hop
!
route-map RMP_VSAT_OVERLOAD permit 10
match ip address ACL_VSAT_OVERLOAD
match interface FastEthernet0/0
!
!
end

nglos-rtr01-nwdm# sh ver
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 04-Mar-11 02:52 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

nglos-rtr01-nwdm uptime is 1 week, 12 hours, 0 minutes
System returned to ROM by reload at 21:37:01 GMT+1 Tue Sep 20 2011
System restarted at 21:38:27 GMT+1 Tue Sep 20 2011
System image file is "flash:c1841-advipservicesk9-mz.124-24.T5.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1841 (revision 7.0) with 236544K/25600K bytes of memory.
Processor board ID FCZ1341C0YD
6 FastEthernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
1 Cellular interface
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

nglos-rtr01-nwdm# sh ip int brief
Interface IP-Address OK? Method Status Protocol
Async1 unassigned YES NVRAM down down
FastEthernet0/0 ---- YES NVRAM up up
FastEthernet0/1 192.168.175.1 YES NVRAM up up
FastEthernet0/0/0 unassigned YES unset up up
FastEthernet0/0/1 unassigned YES unset down down
FastEthernet0/0/2 unassigned YES unset up down
FastEthernet0/0/3 unassigned YES unset up up
Cellular0/1/0 unassigned YES NVRAM administratively down down
Vlan1 unassigned YES NVRAM up down
Vlan10 ---- YES NVRAM up up
Vlan20 ---- YES NVRAM up up
NVI0 1.192.168.175 YES unset up up
Loopback0 unassigned YES NVRAM up up
Loopback1 unassigned YES NVRAM up up
Loopback10 1.192.168.175 YES NVRAM up up
Loopback20 1.192.178.175 YES NVRAM up up
Tunnel10 10.192.198.175 YES NVRAM up up
Tunnel20 10.192.178.175 YES NVRAM up up
Tunnel40 10.192.200.1 YES NVRAM up up

Peter Paluch
Cisco Employee

Erik,

In addition, are you using the NHRP Shortcut feature? Without this, you should not be able to create hierarchical DMVPNs - so if you are not using this feature, the failure to interconnect your two DMVPNs is quite logical.

Please read the following document for an overview and configuration information about the NHRP Shortcut Switching feature:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_nhrp.html

Best regards,

Peter

EDIT: Also please check the following documents:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html

http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps6525/ps9370/ps6658/dmvpn_design_guide.pdf
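Added example (not part of this thread, and not Cisco's code): a small Python checker that answers Peter's question mechanically for a pasted IOS config. It extracts every mGRE tunnel, works out whether the router is a spoke (it points at an NHS) or a hub (no NHS) on that DMVPN cloud, and then applies the Phase 3 conventions the linked documents describe: a spoke needs ip nhrp shortcut, a hub needs ip nhrp redirect, each mGRE tunnel should carry IPsec tunnel protection, two clouds on one router must not share an NHRP network-id, and shortcut switching expects CEF to be enabled. The embedded config is a constructed, abbreviated sample modelled on the one Erik posted; the function and dataclass names are my own. Because forum pastes lose the one-space IOS indentation, the parser keys off interface headers and the ! terminator rather than whitespace.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the shape of the config posted in this thread
# (abbreviated; the addresses are the illustrative ones already visible above).
SAMPLE_CONFIG = """\
version 12.4
no ip cef
!
interface Tunnel10
 description global DMVPN (this router is a spoke here)
 ip address 10.192.198.175 255.255.255.0
 ip nhrp network-id 335640
 ip nhrp nhs 10.192.198.1
 ip nhrp shortcut
 tunnel mode gre multipoint
 tunnel protection ipsec profile CIP_DMVPN_NLPAP shared
!
interface Tunnel40
 description local DMVPN (this router is the hub here)
 ip address 10.192.200.1 255.255.255.0
 ip nhrp network-id 7000
 ip nhrp map multicast dynamic
 ip nhrp shortcut
 ip nhrp redirect
 tunnel mode gre multipoint
 tunnel protection ipsec profile CIP_DMVPN_NWDM shared
!
interface FastEthernet0/1
 ip address 192.168.175.1 255.255.255.0
!
end
"""


@dataclass
class Tunnel:
    name: str
    mgre: bool = False                        # tunnel mode gre multipoint
    nhs: list = field(default_factory=list)   # ip nhrp nhs <addr> (spoke role)
    shortcut: bool = False                    # ip nhrp shortcut
    redirect: bool = False                    # ip nhrp redirect (hub role)
    protected: bool = False                   # tunnel protection ipsec profile ...
    network_id: str = ""                      # ip nhrp network-id <n>

    @property
    def role(self):
        # A tunnel that points at a next-hop server is a spoke on that cloud;
        # one without an NHS is acting as the hub for it.
        return "spoke" if self.nhs else "hub"


def parse_config(text):
    """Return (cef_enabled, {name: Tunnel}) from an IOS running-config paste."""
    cef_enabled = True  # assumption: CEF is on unless 'no ip cef' is present
    tunnels = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "no ip cef":
            cef_enabled = False
        elif line == "ip cef":
            cef_enabled = True
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m:
            current = Tunnel(name=m.group(1))
            tunnels[current.name] = current
            continue
        if line.startswith("interface ") or line == "!":
            current = None  # left the tunnel stanza
            continue
        if current is None:
            continue
        if line == "tunnel mode gre multipoint":
            current.mgre = True
        elif line.startswith("ip nhrp nhs "):
            current.nhs.append(line.split()[3])
        elif line == "ip nhrp shortcut":
            current.shortcut = True
        elif line == "ip nhrp redirect":
            current.redirect = True
        elif line.startswith("tunnel protection ipsec profile "):
            current.protected = True
        elif line.startswith("ip nhrp network-id "):
            current.network_id = line.split()[3]
    return cef_enabled, tunnels


def audit(cef_enabled, tunnels):
    """Apply Phase 3 DMVPN sanity rules; return a list of readable findings."""
    findings = []
    if not cef_enabled:
        findings.append("global: 'no ip cef' - NHRP shortcut switching and "
                        "IPsec/mGRE forwarding expect CEF to be enabled")
    seen_ids = {}
    for t in tunnels.values():
        if not t.mgre:
            continue  # point-to-point GRE is not a DMVPN cloud
        if t.role == "spoke" and not t.shortcut:
            findings.append(f"{t.name}: spoke without 'ip nhrp shortcut'")
        if t.role == "hub" and not t.redirect:
            findings.append(f"{t.name}: hub without 'ip nhrp redirect'")
        if not t.protected:
            findings.append(f"{t.name}: mGRE tunnel carries no IPsec protection")
        if t.network_id in seen_ids:
            findings.append(f"{t.name}: reuses NHRP network-id {t.network_id} "
                            f"of {seen_ids[t.network_id]}")
        elif t.network_id:
            seen_ids[t.network_id] = t.name
    return findings


if __name__ == "__main__":
    cef, tuns = parse_config(SAMPLE_CONFIG)
    for t in tuns.values():
        print(f"{t.name}: role={t.role} shortcut={t.shortcut} redirect={t.redirect}")
    for f in audit(cef, tuns):
        print("WARN", f)
```

Run against the sample, the only finding is the global one: both tunnels already carry the shortcut/redirect commands that hierarchical DMVPN needs, so the remaining thing to look at on this router is the disabled CEF switching, which is exactly the workaround the thread is asking about.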
