cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2162
Views
0
Helpful
12
Replies

DMVPN Dual ISPs with EIGRP

sam19800816
Level 1
Level 1

Hi expert,

I am facing a eigrp routing issues , Has anyone kindly assist...

The topology as below, each router only has two tunnels and run in same eigrp AS

Here is my question in red with underline : 

R2: sh ip ro 

D    192.168.30.0/24 [90/310172416] via 192.168.1.1, 01:08:05, Tunnel1
                                      [90/310172416] via 192.168.0.3, 01:08:05, Tunnel0

R3: sh ip ro 

D    192.168.20.0/24 [90/310172416] via 192.168.1.1, 01:12:25, Tunnel1
                                     [90/310172416] via 192.168.0.2, 01:12:25, Tunnel0


The result see above is not my expect , as i understand :
at R2 192.168.30.0 learn from Tunnel1 should be via192.168.1.3 not red one
at R3 
192.168.20.0 learn from Tunnel1 should be via 192.168.1.2 not red one
because of via 192.168.1.1 , that's mean the traffic must through R1 (spoke to HUB) not Spoke to Spoke , am i right ?
I hope the route between R2 and R3 can always use spoke to spoke tunnel 

I also checked nhrp and ipsec status , anything looks work
 properly except the eigrp route i mention above.

Here is configuration:

R1:
interface Loopback0
 ip address 192.168.10.254 255.255.255.0
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 ip accounting output-packets
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 10
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 1
 tunnel source 172.16.15.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!         
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip accounting output-packets
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 10
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 1
 tunnel source 172.17.15.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN

router eigrp 1
 network 192.168.0.0
 network 192.168.1.0
 network 192.168.10.0
 no auto-summary

R2:
interface Tunnel0
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map 192.168.0.1 172.16.15.2
 ip nhrp map multicast 172.16.15.2
 ip nhrp network-id 1
 ip nhrp holdtime 10
 ip nhrp nhs 192.168.0.1
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 1
 tunnel source 172.16.25.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map 192.168.1.1 172.17.15.2
 ip nhrp map multicast 172.17.15.2
 ip nhrp network-id 2
 ip nhrp holdtime 10
 ip nhrp nhs 192.168.1.1
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 1
 tunnel source 172.17.25.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN

router eigrp 1
 network 192.168.0.0
 network 192.168.1.0
 network 192.168.20.0
 no auto-summary

R3
interface Loopback0
 ip address 192.168.30.254 255.255.255.0
!
interface Tunnel0
 ip address 192.168.0.3 255.255.255.0
 no ip redirects
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map 192.168.0.1 172.16.15.2
 ip nhrp map multicast 172.16.15.2
 ip nhrp network-id 1
 ip nhrp holdtime 10
 ip nhrp nhs 192.168.0.1
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 1
 tunnel source 172.16.35.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map 192.168.1.1 172.17.15.2
 ip nhrp map multicast 172.17.15.2
 ip nhrp network-id 2
 ip nhrp holdtime 10
 ip nhrp nhs 192.168.1.1
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 1
 tunnel source 172.17.35.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN

router eigrp 1
 network 192.168.0.0
 network 192.168.1.0
 network 192.168.30.0


 


 

12 Replies 12

AllertGen
Level 3
Level 3

Hello, .

Do you have the same isakmp key for all devices (for example when R2 wants connect to R3 the key must be crypto isakmp key cisco123 address 172.16.35.2)? Also at our network we don't have "no ip next-hop-self eigrp" line at the spoke routers and it works well. Can you try delete them (but not sure that'll help you)?

Hi AllertGen 
thanks for your feedback , actually i am using "crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0"  for hub and all spokes
i think ipsec is not a problem , i also tried to remove "no ip next-hop-self eigrp 1" from spokes. 

but it doesn't work

thanks

Hi, sam19800816.

I'm trying look at your configuration more deeply to find a source of the problem. I see that your topology at the scheme is different from your configuration. At each router you have 1 ISP and 2 tunnel interfaces (look at tunnel source. The Interface is the same). Also all your tunnels have the same priority at the EIGRP so mb there is some type of protection that prevents using spoke to spoke communication (beecause at this rate you'd be have 2 routes to another spoke with the same priority and to the same IP addres, but by 2 different NHRP clouds).

Also does your tunnels works well? As I know you can't use the same ipsec profile at the same device at the different tunnel interfaces without command "shared" at the end of the line.

Can you also show output of commands:

sh dmvp

sh ip egrp topology

sh ip nhrp

 

And if you really want test a network as you showed above at the scheme you need create one more interface at each router. It can be physical interface or sub interface by .# at the end of physical interface (for example Gi0/0.1, but don't forget to use command encapsulation iside the sub interface) or by VRF.

Hi AllertGen ,

Each each router's tunnel0 and tunnel1 are work well , they all can ping each other ip as well via tunnel 0 and tunnel 1 (192.168.0.0/24 & 192.168.1.0/24)
and also at each router has two physical interface connect to different ISP.

In this topology ,my purpose is when spoke to spoke , they will has two routes via two NHRP cloulds , i keep the same eigrp priority at each router just for equal cost load sharing ,the more important thing is the next hop IP.

Actually , The ipsec function is not my concern so far,  i just try your suggestion add the "shared" at the end of the line , its still has same result , but as i understand , if there is any wrong with ipsec profile, the tunnel won't work well , am i right ?

Thanks for your kind assist

Here is some show result at each router , hope that's helpful.


R1

R1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.15.2     YES NVRAM  up                    up      
FastEthernet0/1            172.17.15.2     YES NVRAM  up                    up      
Loopback0                  192.168.10.254  YES NVRAM  up                    up      
Tunnel0                    192.168.0.1     YES NVRAM  up                    up      
Tunnel1                    192.168.1.1     YES NVRAM  up                    up    

R1#sh dmvpn 

Tunnel0, Type:Hub, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.16.25.2     192.168.0.2    UP    never D    
     1     172.16.35.2     192.168.0.3    UP    never D    
 
Tunnel1, Type:Hub, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.17.25.2     192.168.1.2    UP    never D    
     1     172.17.35.2     192.168.1.3    UP    never D 
 

R1#sh ip eigrp top

P 192.168.10.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
P 192.168.0.0/24, 1 successors, FD is 297244416
        via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 297244416
        via Connected, Tunnel1
P 192.168.30.0/24, 2 successors, FD is 297372416
        via 192.168.0.3 (297372416/128256), Tunnel0
        via 192.168.1.3 (297372416/128256), Tunnel1
P 192.168.20.0/24, 2 successors, FD is 297372416
        via 192.168.0.2 (297372416/128256), Tunnel0
        via 192.168.1.2 (297372416/128256), Tunnel1

R1#sh ip nhrp 
192.168.0.2/32 via 192.168.0.2, Tunnel0 created 20:53:39, expire 00:00:07
  Type: dynamic, Flags: unique nat registered used 
  NBMA address: 172.16.25.2 
192.168.0.3/32 via 192.168.0.3, Tunnel0 created 20:53:38, expire 00:00:08
  Type: dynamic, Flags: unique nat registered used 
  NBMA address: 172.16.35.2 
192.168.1.2/32 via 192.168.1.2, Tunnel1 created 4d17h, expire 00:00:07
  Type: dynamic, Flags: unique nat registered used 
  NBMA address: 172.17.25.2 
192.168.1.3/32 via 192.168.1.3, Tunnel1 created 4d17h, expire 00:00:08
  Type: dynamic, Flags: unique nat registered used 
  NBMA address: 172.17.35.2 

 

R2

R2#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.25.2     YES NVRAM  up                    up      
FastEthernet0/1            172.17.25.2     YES NVRAM  up                    up      
Loopback0                  192.168.20.254  YES NVRAM  up                    up      
Tunnel0                    192.168.0.2     YES NVRAM  up                    up      
Tunnel1                    192.168.1.2     YES NVRAM  up                    up      

R2#sh dmvpn 
Tunnel0, Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.16.15.2     192.168.0.1    UP    4d17h S    
     1     172.16.35.2     192.168.0.3    UP    never D    
 
Tunnel1, Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.17.15.2     192.168.1.1    UP    4d17h S    
     1     172.17.35.2     192.168.1.3    UP    never D    
 

R2#sh ip eigrp topology 

P 192.168.10.0/24, 2 successors, FD is 297372416
        via 192.168.0.1 (297372416/128256), Tunnel0
        via 192.168.1.1 (297372416/128256), Tunnel1
P 192.168.0.0/24, 1 successors, FD is 297244416
        via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 297244416
        via Connected, Tunnel1
P 192.168.30.0/24, 2 successors, FD is 310172416
       192.168.0.3 via 192.168.0.1 (310172416/297372416), Tunnel0
        via 192.168.1.1 (310172416/297372416), Tunnel1
P 192.168.20.0/24, 1 successors, FD is 128256
        via Connected, Loopback0

R2#sh ip nhrp 
192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d20h, never expire 
  Type: static, Flags: nat used 
  NBMA address: 172.16.15.2 
192.168.0.3/32 via 192.168.0.3, Tunnel0 created 00:00:14, expire 00:00:51
  Type: dynamic, Flags: router nat 
  NBMA address: 172.16.35.2 
192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d20h, never expire 
  Type: static, Flags: nat used 
  NBMA address: 172.17.15.2 
192.168.1.3/32 via 192.168.1.3, Tunnel1 created 00:00:12, expire 00:00:53
  Type: dynamic, Flags: router nat 
  NBMA address: 172.17.35.2

 

R3

R3#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.35.2     YES NVRAM  up                    up      
FastEthernet0/1            172.17.35.2     YES NVRAM  up                    up      
Loopback0                  192.168.30.254  YES NVRAM  up                    up      
Tunnel0                    192.168.0.3     YES NVRAM  up                    up      
Tunnel1                    192.168.1.3     YES NVRAM  up                    up      

R3#sh dmvpn        

Tunnel0, Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.16.15.2     192.168.0.1    UP    4d17h S    
     1     172.16.25.2     192.168.0.2    UP    never D    
Tunnel1, Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.17.15.2     192.168.1.1    UP    4d17h S    
     1     172.17.25.2     192.168.1.2    UP    never D    
 

R3#sh ip eigrp topology 

P 192.168.10.0/24, 2 successors, FD is 297372416
        via 192.168.0.1 (297372416/128256), Tunnel0
        via 192.168.1.1 (297372416/128256), Tunnel1
P 192.168.0.0/24, 1 successors, FD is 297244416
        via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 297244416
        via Connected, Tunnel1
P 192.168.30.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
P 192.168.20.0/24, 2 successors, FD is 310172416
       192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
        via 192.168.1.1 (310172416/297372416), Tunnel1

R3#sh ip nhrp 
192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d17h, never expire 
  Type: static, Flags: nat used 
  NBMA address: 172.16.15.2 
192.168.0.2/32 via 192.168.0.2, Tunnel0 created 00:00:43, expire 00:00:22
  Type: dynamic, Flags: router nat 
  NBMA address: 172.16.25.2 
192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d17h, never expire 
  Type: static, Flags: nat used 
  NBMA address: 172.17.15.2 
192.168.1.2/32 via 192.168.1.2, Tunnel1 created 00:01:02, expire 00:00:48
  Type: dynamic, Flags: router nat implicit used 
  NBMA address: 172.17.25.2 


 

Hi, sam19800816.

Yes, it was my mistake, because I didn't notice difference at the second octet. You really use 2 different ISP.

 

Also by your EIGRP topology I see that all works well. Here is example from R3:

P 192.168.20.0/24, 2 successors, FD is 310172416
       192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
        via 192.168.1.1 (310172416/297372416), Tunnel1

Tunnel0, Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.16.15.2     192.168.0.1    UP    4d17h S    
     1     172.16.25.2     192.168.0.2    UP    never D    
Tunnel1, Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.17.15.2     192.168.1.1    UP    4d17h S    
     1     172.17.25.2     192.168.1.2    UP    never D    

In normal mode when there is no traffic between spokes they don't create tunnels between each other. So, try send ICMP from R3 to R2 and right after this look at sh cry isakmp sa. There must be new connection between spokes. Also you can use traceroute right after sending ICMP to check that spoke to spoke traffic goes directly.

Hi AllertGen ,

I also think EIGRP seems works well via Tunnel 0 and Tunnel1 between each router ,
i also send ICMP traffic at each router to create dynamic tunnel.

For example by R3 eigrp topology below, what i want to figure out that why second
successor is not via 192.168.1.2  ?   

 

As my trac result from spoke to another spoke , because of they both has two
successors , when R3 choice Tunnel 1 via 192.168.1.1 to R2 , the traffic will
always pass through R1 not goes directly by dynamic tunnel.

My goals is spoke to spoke must goes directly by dynamic tunnel
via tunnel0 and tunne1 , it's no problem via tunnel0 so far, but via tunnel1
still has wrong next-hop ip (192.168.1.1)


P 192.168.20.0/24, 2 successors, FD is 310172416
       192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
        via 192.168.1.1 (310172416/297372416), Tunnel1

Many thanks!!

Hi, sam19800816.

Just for checking. If you turn off tunnel0 (at all routers) the traffic via tunnel1 still goes trought R1?

And how did you check that via tunnel1 the traffic is going trough R1? Can you show eigrp topology when direct dynamic channel is up via tunnel1 (when tunnel0 is not shut down)? Also can you use command "show ip eigrp topology 192.168.20.0/24" (example is for R3) for this?

Best Regards.

Hi AllertGen ,

It was interesting ,If i shutdown tunnel0 at all router , the traffic between R2 and R3 will became goes directly , will not via R1 , everything is works well just like tunnel0 , but if tunnel 0 and tunnel1 both up at same time , only tunnel1 has route problem that i mention above.

Before i am checking traffic , I configed "ip accouting out packet" on Tunnel0 at R1 , then did icmp test from R2 to R3 or R3 to R2 use 192.168.x.x as source , finally use "show ip accounting" i can found there is no any record , but if confiured "ip accouting out packet" on Tunnel1 did same test , will see R2 and R3 connection record by " show ip accounting " , so its mean that R2 and R3 is not goes directly by tunnel1.

 

 

here is eigrp topology and sh dmvpn at R3, same as i posted last time
tunnel0 and tunnel1 both up , you can see all has 2 peers at tunnel0 and
tunnel1.

P 192.168.20.0/24, 2 successors, FD is 310172416
       192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
        via 192.168.1.1 (310172416/297372416), Tunnel1

Tunnel0, Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.16.15.2     192.168.0.1    UP    4d17h S    
     1     172.16.25.2     192.168.0.2    UP    never D    
Tunnel1, Type:Spoke, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.17.15.2     192.168.1.1    UP    4d17h S    
     1     172.17.25.2     192.168.1.2    UP    never D    

Hi, sam19800816.

I think the source of the problem is one EIGRP process for all tunnels. So your R1 gets a routing from R2 via tunnel0 and sends it to R3 via tunnel1. But at this case he sends that this route acceseble trough R1, because tunnel0 and tunnel1 in the different dmvpn clouds. Try to use different eigrp process for each dmvpn cloud.

But I'm not sure how will work route balance at this case because at this topology R2 can see R3 with the same metric via both eigrp clouds. But, well, you already have the same situation but with one eigrp cloud.

Best Regards.

Hi, sam19800816!

Have you resolved this case?

I have the same problem and configuring Diferent AS's do  not solve the problem like sugested by AllertGen.

Anyone have some tips?

Best regards.

 

rtnet_4820
Level 1
Level 1

It is because you are using repeatedly the "no ip next-hop-self eigrp 1" at spokes as well as HUB. So when spokes send the update to the remote spokes they PRESERVE the Next-Hop address as the Hub address.

So Just remove the "no ip next-hop-self eigrp 1" from the spokes....

​Hi rtnet_4820

Thanks for your feedback , I have tried to remove  "no ip next-hop-self eigrp 1" from all spokes

but it doesn't work , the eigrp route on spokes doesn't change

Here is spokes "sh ip ro" result ,

R2:

D    192.168.30.0/24 [90/310172416] via 192.168.1.1, 00:37:06, Tunnel1 // it should be 192.168.1.3
                     [90/310172416] via 192.168.0.3, 00:37:06, Tunnel0

R3:

D    192.168.20.0/24 [90/310172416] via 192.168.1.1, 00:37:27, Tunnel1 // it should be 192.168.1.2
                     [90/310172416] via 192.168.0.2, 00:37:27, Tunnel0

thanks