Distribute list on DMVPN spoke

Hi,
I would need to apply a distribute list on a DMVPN spoke and not sure if that DL needs to be applied at the tunnel interface or the physical interface where the tunnel is sourced. Please let me know if you have any thoughts.
This is how the configuration looks at other branches that do not have DMVPN configured:
access-list 1 deny   0.0.0.0
access-list 1 permit any
access-list 2 permit 0.0.0.0
access-list 2 deny   any
router eigrp 1
distribute-list 2 in FastEthernet0/0
distribute-list 1 out FastEthernet0/0
Thanks,

If you want to control your routing between the spoke and the hub, you have to apply it to the tunnel interface. Or, more generally: to the interface that is enabled for the routing protocol.
And you should look at prefix-lists instead of distribute-lists. They are much more flexible once you get used to them.
http://www.cisco.com/en/US/partner/tech/tk365/technologies_q_and_a_item09186a008012dac4.shtml#fourteen
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Similar Messages

  • MPLS BGP routes push to DMVPN spokes

    I have an MPLS with BGP. I also have sites that are not connected directly to the MPLS, but have a s2s VPN to hub sites that are connected to the MPLS and that way they access the MPLS resources. I need to communicate the route changes to the MPLS when the DMVPN fails-over to another hub.
    Currently this is my config:
    Datacenter (MPLS only)
    interface GigabitEthernet0/1
    description MPLS
    ip address 192.168.0.34 255.255.255.252
    interface Vlan2
    ip address 192.168.96.2 255.255.255.0
    router bgp 65511
    bgp log-neighbor-changes
    network 192.168.96.0
    neighbor 192.168.0.33 remote-as 65510
    Hub site 1 (MPLS + internet)
    interface Tunnel200
    ip address 10.99.99.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication auth
    ip nhrp map multicast dynamic
    ip nhrp network-id 12345
    ip nhrp holdtime 600
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key 200
    tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
    description MPLS
    ip address 192.168.1.2 255.255.255.0 secondary
    ip address 192.168.0.2 255.255.255.252
    router bgp 65001
    bgp log-neighbor-changes
    network 192.168.1.0
    network 192.168.21.0
    !10.99 clients are DMVPN spokes
    neighbor 10.99.99.3 remote-as 99010
    neighbor 10.99.99.3 route-reflector-client
    neighbor 10.99.99.21 remote-as 99001
    neighbor 10.99.99.21 route-reflector-client
    !as 65000 is the MPLS PE
    neighbor 192.168.0.1 remote-as 65000
    Hub Site 2 has the same configuration, except for the local IP address and router BGP ID.
    Spoke site:
    interface Tunnel200
    ip address 10.99.99.3 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication auth
    ip nhrp map 10.99.99.1 PUBLIC_IP_HUB_1
    ip nhrp map 10.99.99.16 PUBLIC_IP_HUB_2
    ip nhrp network-id 12345
    ip nhrp holdtime 600
    ip nhrp nhs 10.99.99.1 priority 1
    ip nhrp nhs 10.99.99.16 priority 5
    ip nhrp nhs fallback 60
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key 200
    tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
    description Internal
    ip address 192.168.3.1 255.255.255.192
    router bgp 99010
    bgp log-neighbor-changes
    network 192.168.3.0
    neighbor 10.99.99.1 remote-as 65001
    neighbor 10.99.99.16 remote-as 65013
    On this spoke site 
    #sh ip route
    B 192.168.1.0/24 [20/0] via 10.99.99.1, 00:47:01
    which is the HUB network, but the rest of the MPLS routes are not "learned".
    What am I missing?
    Thanks!

    Hi Jon, I've omitted the configuration of the MPLS provider routers in between. The DC is connected to a router that has the AS 65510.
    DC:CPE---PE:{MPLS}PE---CPE:HUB---{internet}---Spoke
    The DC is ok getting the network information via BGP:
    #sh ip route
    B 192.168.3.0/24 [20/0] via 192.168.0.33, 3d05h
    B 192.168.21.0/24 [20/0] via 192.168.0.33, 3d05h
    #sh ip bgp 192.168.21.0
    BGP routing table entry for 192.168.21.0/24, version 559
    Paths: (1 available, best #1, table default)
    Not advertised to any peer
    Refresh Epoch 1
    65510 3549 6140 3549 65000
    192.168.0.33 from 192.168.0.33 (###.###.###.###)
    Origin IGP, localpref 100, valid, external, best
    #sh ip route 192.168.21.0
    Routing entry for 192.168.21.0/24
    Known via "bgp 65511", distance 20, metric 0
    Tag 65510, type external
    Last update from 192.168.0.33 3d05h ago
    Routing Descriptor Blocks:
    * 192.168.0.33, from 192.168.0.33, 3d05h ago
    Route metric is 0, traffic share count is 1
    AS Hops 5
    Route tag 65510
    MPLS label: none
    Spoke:
    #sh ip bgp
    BGP table version is 494, local router ID is 192.168.21.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
    r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
    x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
    Network Next Hop Metric LocPrf Weight Path
    *> 10.0.129.32/27 10.99.99.16 0 65013 65012 3549 ?
    *> 192.168.96.0 10.99.99.16 0 65013 65012 3549 6745 65510 ?
    #sh ip route 192.168.96.0
    Routing entry for 192.168.96.0/24
    Known via "bgp 99001", distance 20, metric 0
    Tag 65013, type external
    Last update from 10.99.99.16 00:02:11 ago
    Routing Descriptor Blocks:
    * 10.99.99.16, from 10.99.99.16, 00:02:11 ago
    Route metric is 0, traffic share count is 1
    AS Hops 5
    Route tag 65013
    MPLS label: none
    #sh ip bgp 192.168.96.0
    BGP routing table entry for 192.168.96.0/24, version 465
    Paths: (1 available, best #1, table default)
    Not advertised to any peer
    Refresh Epoch 2
    65013 65012 3549 6745 65510
    10.99.99.16 from 10.99.99.16 (10.2.16.1)
    Origin incomplete, localpref 100, valid, external, best
    The route is not being updated to the rest of the routers, and the 192.168.21.0 network is still announced via the old route.
    (from spoke)
    ping 192.168.96.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.96.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    From DC
    #traceroute 192.168.21.1
    Type escape sequence to abort.
    Tracing the route to 192.168.21.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.0.33 [AS 65510] 0 msec 0 msec 0 msec
    2 172.50.1.33 [AS 65510] 56 msec 36 msec 36 msec
    3 10.80.1.1 [AS 3549] 44 msec 44 msec 44 msec
    4 10.80.1.2 [AS 3549] 172 msec 172 msec 168 msec
    5 172.50.1.1 [AS 3549] 168 msec 168 msec 172 msec
    6 172.50.1.2 [AS 3549] 180 msec 180 msec 176 msec
    7 192.168.0.2 [AS 65000] 172 msec 172 msec 168 msec <- old route, should be 192.168.0.9
    8 192.168.0.2 [AS 65000] !H * !H

  • Nexus: multiple ip distribute-list eigrp statements allowed ?

    Hi,
    I need to clarify if Nexus 7K (NX-OS 6.1(3)) supports multiple "ip distribute-list eigrp" statements in interface configuration.
    Currently, there is already one statement to only allow default GW (0.0.0.0) routing information to be sent.
    I need to allow a few more specific routes to be shared with the facing device.
    Can I have several distribute-list statements on the same interface?
    Or is it mandatory to handle this at the ip prefix-list level with multiple allow/deny rules?
    I'm in a situation where I want to amend the configuration without modifying existing objects or having to remove those that have become unused.
    According to Cisco general EIGRP documentation, multiple seems to be accepted.
    However, the GNS3 simulator with a 7200VXR shows that the new statement replaces the former one!
    Moreover, Nexus logic is often different and I didn't capture any clear statement for this in Nexus-specific documentation.
    Needless to say, I have no test platform and no possibility to test that for the moment.
    If someone can confirm it's supported, I would appreciate it.
    Thx

    Hi,
    I don't have a setup where I can try to see if this actually has the effect you're after, but you can certainly apply more than one distribute-list to an interface.
    N7K-2(config-if)# ip distribute-list eigrp DIST_LIST route-map FRED out
    N7K-2(config-if)# ip distribute-list eigrp DIST_LIST1 route-map FRED1 out
    N7K-2(config-if)# ip distribute-list eigrp DIST_LIST2 route-map FRED2 out
    N7K-2(config-if)# sh run int eth3/1

    !Command: show running-config interface Ethernet3/1
    !Time: Mon Feb  3 23:04:01 2014

    version 5.2(1)

    interface Ethernet3/1
      ip address 1.1.1.1/24
      ip distribute-list eigrp DIST_LIST route-map FRED out
      ip distribute-list eigrp DIST_LIST1 route-map FRED1 out
      ip distribute-list eigrp DIST_LIST2 route-map FRED2 out
      no shutdown

    N7K-2(config-if)#
    Regards

  • Distribute-list with ripv2 problem

    Hi All,
    I want to filter even routing-table entries, but it doesn't work on RIPv2:
    access-list 1 deny 192.168.0.0 0.0.254.255
    access-list 1 permit any
    router rip
    version 2
    distribute-list 1 out FastEthernet0/0
    no auto-summary
    It can't work.
    It can work when I change access-list from "access-list 1 deny 192.168.0.0 0.0.254.255" to "access-list 1 deny 192.168.0.0 0.0.255.255".
    But on EIGRP all is OK.
    P.S. ip classless is enabled.
    Thanks everybody

    Hi
    R2 and R3 run RIPv2
    I tried the distribute-list on R3 towards R2 and it is OK.
    But when I try distribute-list out to eigrp or to an interface, the access-list doesn't work.
    If I change it to "access-list 1 permit 193.0.0.0 0.255.255.255", it works fine.
    I can't understand, on R2:
    "distribute-list 1 out eigrp 1
    access-list 1 permit 193.0.0.0 0.254.255.255" ==> can't work
    "distribute-list 1 out eigrp 1
    access-list 1 permit 193.0.0.0 0.255.255.255" ==> work fine
    Tks!
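    The main question and this RIPv2 thread both turn on how an IOS standard access-list decides which route passes a distribute-list. The following is an added example, not code from either thread or from Cisco: a small Python model of the wildcard-mask test (first matching entry wins, implicit deny at the end, only the network address is compared) run over the ACLs quoted above and a constructed sample routing table. It only models the ACL match; it does not explain the RIP-versus-EIGRP difference reported in the thread, but it does show that `0.0.254.255` matches only networks whose third octet is even, which is why `192.168.0.0 0.0.254.255` and `192.168.0.0 0.0.255.255` filter different routes.

```python
"""
Added example (not from the original threads): model of an IOS standard
access-list used as a distribute-list.  Parses the ACL lines quoted in the
posts and applies IOS wildcard-mask semantics to a constructed route list.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# One standard-ACL entry: (action, address, wildcard).  In an IOS wildcard a
# 1-bit means "don't care" and a 0-bit means "must match".
AclEntry = Tuple[str, str, str]


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """True when candidate equals address on every bit the wildcard marks as 0."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(address)) & care) == (int(IPv4Address(candidate)) & care)


def parse_standard_acl(config: str) -> Dict[str, List[AclEntry]]:
    """Parse 'access-list N permit|deny (any | host A | A [wildcard])' lines,
    keyed by ACL number.  Non-ACL lines are ignored so whole snippets can be fed in."""
    acls: Dict[str, List[AclEntry]] = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, rest = parts[1], parts[2], parts[3:]
        if rest[0] == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wc = rest[1], "0.0.0.0"
        else:
            # A bare address with no wildcard is a host match (wildcard 0.0.0.0),
            # which is what "access-list 1 deny 0.0.0.0" in the thread relies on.
            addr = rest[0]
            wc = rest[1] if len(rest) > 1 else "0.0.0.0"
        acls.setdefault(number, []).append((action, addr, wc))
    return acls


def acl_permits(entries: List[AclEntry], prefix: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny.
    A standard ACL used as a distribute-list tests only the network address,
    so the prefix length plays no part in the decision."""
    network_address = prefix.split("/")[0]
    for action, addr, wc in entries:
        if wildcard_match(addr, wc, network_address):
            return action == "permit"
    return False


def apply_distribute_list(entries: List[AclEntry], routes: List[str]) -> List[str]:
    """Return the routes the distribute-list lets through, in original order."""
    return [r for r in routes if acl_permits(entries, r)]


# Constructed sample routing table; the ACLs below are the ones quoted in the threads.
ROUTES = ["0.0.0.0/0", "10.0.0.0/8", "192.168.0.0/24", "192.168.1.0/24",
          "192.168.2.0/24", "192.168.3.0/24", "192.169.0.0/24"]

THREAD_ACLS = parse_standard_acl("""
access-list 1 deny   0.0.0.0
access-list 1 permit any
access-list 2 permit 0.0.0.0
access-list 2 deny   any
access-list 3 deny 192.168.0.0 0.0.254.255
access-list 3 permit any
access-list 4 deny 192.168.0.0 0.0.255.255
access-list 4 permit any
""")


def demo() -> Dict[str, List[str]]:
    """Run each quoted ACL over the sample routes and return what survives."""
    return {number: apply_distribute_list(entries, ROUTES)
            for number, entries in THREAD_ACLS.items()}


if __name__ == "__main__":
    for number, kept in demo().items():
        print(f"access-list {number} as distribute-list keeps: {kept}")
```

    ACL 1 (the "out" filter from the main question) drops only the default route, ACL 2 (the "in" filter) keeps only the default route, ACL 3 drops 192.168.0.0/24 and 192.168.2.0/24 but lets 192.168.1.0/24 and 192.168.3.0/24 through, and ACL 4 drops all four 192.168.x.0 networks.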

  • EIGRP and Distribute-list commands

    I am reviewing one of our WAN routers, on an infrastructure I have recently inherited, and noted an EIGRP configuration which doesn't make much sense to me. I'm wondering if I misunderstand the intent. The WAN router has the following EIGRP configuration:
    router eigrp 102
    variance 4
    redistribute connected
    redistribute static
    network 10.0.0.0
    network 172.1.0.0
    network 172.20.0.0
    network 172.22.0.0
    network 172.24.0.0
    network 172.25.0.0
    network 172.27.0.0
    network 172.30.0.0
    network 192.9.200.0
    network 192.9.201.0
    network 192.168.0.0
    network 192.168.2.0
    maximum-paths 2
    default-metric 64 200 255 1 1500
    distribute-list 20 out Serial3/0.41
    distribute-list 20 out Serial3/0.76
    distribute-list 20 out Serial3/0.100
    distribute-list 20 out Serial3/0.104
    distribute-list 20 out Serial3/0.106
    distribute-list 20 out Serial3/0.107
    distribute-list 20 out Serial3/0.111
    distribute-list 20 out Serial3/0.112
    distribute-list 20 out Serial3/0.113
    distribute-list 20 out Serial3/0.117
    distribute-list 20 out Serial3/0.118
    distribute-list 20 out Serial3/0.131
    distribute-list 20 out Serial3/0.170
    distribute-list 20 out Serial3/0.175
    distribute-list 20 out Serial3/0.186
    distribute-list 20 out Serial3/0.190
    distribute-list 20 out Serial3/0.191
    distribute-list 20 out Serial3/0.198
    distribute-list 20 out Serial3/0.199
    distribute-list 20 out Serial3/0.205
    distribute-list 20 out Serial3/0.210
    distribute-list 20 out Serial3/0.226
    distribute-list 20 out Serial3/0.251
    distribute-list 20 out Serial3/0.621
    distribute-list 20 out Serial3/0.629
    distribute-list 20 out Serial3/0.637
    distribute-list 20 out Serial3/0.647
    distribute-list 20 out Serial3/0.658
    distribute-list 20 out Serial3/0.663
    distribute-list 20 out Serial3/0.677
    distribute-list 20 out Serial3/0.696
    distribute-list 20 out Serial3/0.700
    distribute-list 20 out Serial3/0.719
    distribute-list 20 out Serial3/0.733
    distribute-list 20 out Serial3/0.762
    distribute-list 20 out Serial3/0.763
    distribute-list 20 out Serial3/0.771
    distribute-list 20 out Serial3/0.772
    distribute-list 20 out Serial3/0.776
    distribute-list 20 out Serial3/0.783
    distribute-list 20 out Serial3/0.801
    distribute-list 20 out Serial3/0.803
    distribute-list 20 out Serial3/0.810
    distribute-list 20 out Serial3/0.822
    distribute-list 20 out Serial3/0.830
    distribute-list 20 out Serial3/0.832
    distribute-list 20 out Serial3/0.853
    distribute-list 20 out Serial3/0.855
    distribute-list 20 out Serial3/0.880
    distribute-list 20 out Serial3/0.915
    distribute-list 20 out Serial3/0.1000
    no auto-summary
    eigrp log-neighbor-changes
    However, access list 20 is constructed as follows:
    access-list 20 permit 0.0.0.0
    access-list 20 deny any
    If you have a distribute-list statement within EIGRP but the ACL permits 0.0.0.0, does that make any incoming/outgoing updates passive in any way? The remote routers connected to the WAN have no passive/no passive configuration parameters. Only the core WAN routers do.
    Please advise.

    Marking a remote stub does not, today, restrict what routes are advertised to the stub router, they just limit the queries to the stub routers. So, you'd still need the hub side distribute list to block the routes out to the stubs. A distribute list doesn't block queries, by the way, it just limits knowledge of routing information, which impacts how far a query will go.... You should definitely make the remotes stubs to reduce the query range, in other words, even with this distribute list configured.
    At any rate, there is a feature planned for the future to make it where you could turn on an option at the stub router to make the hub router automatically filter everything but the default out.
    HTH....
    Russ

  • Explanation about gateway in distribute-list?

    Hi All
    I have a question. Can anyone give me an explanation about distribute-list? What is the meaning of "gateway"? Thank you
    ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
    ip prefix-list allowlist seq 5 permit 192.168.1.1/32
    router rip
     network 172.18.0.0
     distribute-list prefix max24 gateway allowlist in
    gateway prefix-list-name
    (Optional) Name of the prefix list to be applied to the gateway of the prefix being updated.

    A prefix-list is generally used when you want to control the routes (prefixes) that are being sent to or received from neighbors in routing protocols like RIP, EIGRP, BGP; it can also be used for route tagging etc.
    In a prefix list, for example
    a.b.c.d/x ge y le z
    x bits should always match in the prefix, while the prefix length should be <= z (le) and >= y (ge).
    10.1.0.0/16 le 24 ge 16 will have 10.1.0.0/18 but not 10.1.1.127/25.
    A distribute-list is used to suppress routes in either the inbound or the outbound direction. Say from the other end of an EIGRP neighbor router you are receiving routes x, y, z, but you want only x in your RIB. So you can deny routes y and z. Similarly, your router is advertising routes to its neighbor and you want to hide some routes from them; you can do so with the help of a distribute-list.
    The gateway keyword is used to specify the neighbor from/to which you are denying/sending routes. In simple terms: you have two RIP neighbors and you want to send a route only to one particular neighbor but not the other one.
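    To make the ge/le rule and the gateway keyword concrete, here is an added example (not from the thread and not Cisco code): a Python model of IOS prefix-list evaluation (sequence order, ge/le bounds, implicit deny) plus a model of `distribute-list prefix <list> gateway <list> in`, in which an update is accepted only if its prefix passes the first list and the advertising neighbor's address, tested as a /32, passes the gateway list. The prefix lists are the ones quoted in the question and the answer; the incoming updates are constructed sample data, and the `Update` record carrying the sender's address is an assumption of the model.

```python
"""
Added example (not from the original thread): model of IOS prefix-list
matching and of the 'gateway' option on an inbound distribute-list.
"""
from ipaddress import IPv4Network
from typing import Dict, List, NamedTuple, Optional


class PrefixEntry(NamedTuple):
    seq: int
    action: str            # "permit" or "deny"
    network: IPv4Network
    ge: Optional[int]      # minimum prefix length, None when not given
    le: Optional[int]      # maximum prefix length, None when not given


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixEntry]]:
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/x [ge y] [le z]' lines."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 7 or parts[:2] != ["ip", "prefix-list"] or parts[3] != "seq":
            continue
        name, seq, action, net = parts[2], int(parts[4]), parts[5], parts[6]
        ge = le = None
        opts = parts[7:]
        for key, value in zip(opts[::2], opts[1::2]):
            if key == "ge":
                ge = int(value)
            elif key == "le":
                le = int(value)
        lists.setdefault(name, []).append(PrefixEntry(seq, action, IPv4Network(net), ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)   # IOS evaluates entries in sequence order
    return lists


def entry_matches(entry: PrefixEntry, candidate: IPv4Network) -> bool:
    """The first x bits (x = the entry's own length) must agree, then the
    length bounds apply: with neither ge nor le the length must equal x."""
    n = entry.network
    if candidate.prefixlen < n.prefixlen or not candidate.subnet_of(n):
        return False
    low = entry.ge if entry.ge is not None else n.prefixlen
    high = entry.le if entry.le is not None else (32 if entry.ge is not None else n.prefixlen)
    return low <= candidate.prefixlen <= high


def prefix_list_permits(entries: List[PrefixEntry], prefix: str) -> bool:
    """First matching sequence wins; an unmatched prefix hits the implicit deny."""
    candidate = IPv4Network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry.action == "permit"
    return False


class Update(NamedTuple):      # assumed shape of a received routing update
    prefix: str
    gateway: str               # address of the neighbor that sent it


def inbound_filter(prefix_entries: List[PrefixEntry], gateway_entries: List[PrefixEntry],
                   updates: List[Update]) -> List[Update]:
    """Model of 'distribute-list prefix P gateway G in': keep an update only if
    its prefix passes P and the sending neighbor's address (as a /32) passes G."""
    return [u for u in updates
            if prefix_list_permits(prefix_entries, u.prefix)
            and prefix_list_permits(gateway_entries, f"{u.gateway}/32")]


# Prefix lists quoted in the thread; 'example' is the answer's ge/le illustration.
THREAD_PREFIX_LISTS = """
ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list allowlist seq 5 permit 192.168.1.1/32
ip prefix-list example seq 5 permit 10.1.0.0/16 ge 16 le 24
"""


def demo() -> Dict[str, object]:
    lists = parse_prefix_lists(THREAD_PREFIX_LISTS)
    updates = [                               # constructed sample updates
        Update("10.20.0.0/16", "192.168.1.1"),   # /16 within 8..24, trusted gateway
        Update("10.20.5.0/24", "192.168.1.1"),   # /24 is the upper bound, still accepted
        Update("10.20.5.1/32", "192.168.1.1"),   # /32 is longer than le 24 -> dropped
        Update("10.30.0.0/16", "192.168.1.2"),   # gateway not in allowlist -> dropped
    ]
    return {
        "accepted": [u.prefix for u in inbound_filter(lists["max24"], lists["allowlist"], updates)],
        "example_10.1.0.0/18": prefix_list_permits(lists["example"], "10.1.0.0/18"),
        "example_10.1.1.127/25": prefix_list_permits(lists["example"], "10.1.1.127/25"),
    }


if __name__ == "__main__":
    print(demo())
```

    Of the four constructed updates only the first two survive: the /32 fails the `le 24` bound of max24, and the update from 192.168.1.2 fails the gateway list. The answer's own illustration checks out as well: 10.1.0.0/18 passes `10.1.0.0/16 ge 16 le 24`, 10.1.1.127/25 does not.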

  • ASA 8.2 Distribute-List Wildcards

    If I were to use a distribute-list under an EIGRP process with a /19, would it inject /24 routes that fall within that scope? I know the "wildcard" concept does not work the same way on ASAs as it does on IOS Routers.

    I think that you should actually configure a policy NAT so that anyone coming from 192.168.1.0/24 destined to 10.2.2.0/24 is translated to 10.1.1.254.
    access-list VPN-POLICY-NAT permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    nat (ril) 2 access-list VPN-POLICY-NAT outside
    global (inside) 2 10.1.1.254
    access-list policy_nat permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    static (inside,ril) 10.2.2.0 access-list policy_nat
    Run the packet tracer and let me know if it works
    Value our effort and rate the assistance!

  • Distribute list in Nexus 7K to allow only default route

    Hi All,
    We are about to migrate our core routers into two Nexus 7Ks with four VDCs each.
    I was planning to permit only the default route (0.0.0.0) into the building aggregation switch (Cisco 6509). I planned to use distribute-list as I have done it in IOS and I could allow it through any specific interface I want.
    Well, how do I do that in Nexus 7K? I don't see any distribute-list option. I can use a prefix list, but then how do I specify the particular interface?
    Many thanks in advance.
    Mondal
    CCIE #29034

    Well, I found my own answer!
    Here is the command that goes on the Interface. I kept typing IP eigrp and hence did not get any option! Thanks for looking. You do offset-list the same way.
    ip distribute-list eigrp Test1 route-map EigrpTest in

  • Distribute List Nexus 7000 / OSPF

    I was trying to limit the routes that our OSPF should learn, the same as "distribute-list" on the 6500.
    It's on a VRF.
    On http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_OSPF_Comparison it says that it isn't possible.
    Any ideas? Is it true? Should I just use a redistribute list?
    Thanks

    ########UPDATE########
    Since version 6.x Cisco added a feature called table-map.
    It works like distribute lists and did what I needed. We are using it already. Info at the link above:
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_ospf.html#pgfId-1361896
    Maybe it helps.
    So to make configuration...
    1) I need to make a prefix-list
    ip prefix-list Filter_List_in  seq 10 permit 10.20.30.40/32
    ip prefix-list Filter_List_in  seq 20 permit 10.30.20.26/32
    ip prefix-list Filter_List_in  seq 30 permit 10.40.30.20/32
    2) Make a route map and use prefix-list.
    route-map Permit_in permit 10
    match ip address prefix-list Filter_List_in
    3) And apply on ospf (show run).
    router ospf 10
      vrf VRFOSPF
        router-id 10.0.0.21
        network 10.20.208.21/32 area 0.0.0.0
        redistribute static route-map RM_static
        area 0.0.0.0 authentication message-digest
        area 0.0.0.0 filter-list route-map Permit_in in
        log-adjacency-changes
    And clear neighbors. (IPs were changed)
    When I use the show ip ospf policy...  filter in... => no match
    route-map Permit_in permit 10
      match ip address prefix-list Filter_List_in        C: 0      M: 0
    Total accept count for policy: 0
    Total reject count for policy: 0
    I couldn't figure out why it isn't working.
    I also tried to apply the filter list going to (config t --> vrf context VRFOSPF --> router ospf 10 --> and apply the filter list).
    Any Ideas?
    Edited:
    "To filter prefixes advertised in type 3 link-state advertisements (LSAs) between Open Shortest Path First (OSPF) areas of an Area Border Router (ABR),"
    "The NX-OS does support inter-area Type-3 LSA/route filtering using the filter-list command configured under the OSPF routing instance."
    We will create a ABR on nexus to apply filter-list
    Thanks for help.

  • VPN server on 871 already functioning as DMVPN spoke?

    Last week I was sitting in an hotel far away from my family. I wanted to use Skype or MSNMessenger to contact them with Webcam. It didn't work, because there was some huge firewall, blocking several ports. So I decided to setup a VPN server @home, so I could access to everything I wanted, and not be blocked by the firewall of an islamic state... :-)
    My 871w @home is functioning as a DMVPN spoke which works well.
    Is it possible to contact my router from far away, and then be able to access the internet and my home-lan?
    If someone can point me to a (simple :-) config, I will be very thankful...

    Try these links:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml
    http://www.cisco.com/en/US/products/ps6660/products_white_paper0900aecd803e7ee9.shtml

  • DMVPN spoke to spoke not established

    In the topology attached I am advertising the tunnel IP and loopbacks for the specific hub and spokes in their EIGRP; there is connectivity between all, but still EIGRP routes are not coming and it's flapping. ISAKMP is on, the tunnel is also up. I am also attaching hub and spoke configs and the topology for your reference.
    This is the error message:
    7:09.791: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:57:11.351: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.12.1, prot=50, spi=0x77DF7896(2011134102), srcaddr        in use settings ={Transport, }
            conn id: 29, flow_id: SW:29, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4405256/3495)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    *Mar  1 00:57:21.895: YPTO-6-PRINTABORT: deletion caused early termination of show output for identity
    R1#
    *Mar  1 00:09:49.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:09:50.051: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is up: new adjacency
    *Mar  1 00:11:00.311: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:11:00.775: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is up: new adjacency
    *Mar  1 00:11:09.575: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:11:11.551: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is up: new adjacency

    For some reason, my spoke to spoke tunnel doesn't stay up when my hub goes down. Not sure what I am missing. Please help!!
    Hub:
    interface Tunnel0
     ip address 172.16.1.1 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 10
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     no ip split-horizon
     ip summary-address eigrp 10 10.1.0.0 255.255.0.0
     tunnel source 1.1.1.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end
    spoke 1: 
    interface Tunnel0
     ip address 172.16.1.7 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp map 172.16.1.1 1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     ip summary-address eigrp 10 10.7.0.0 255.255.0.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end
    Spoke 2:
    interface Tunnel0
     ip address 172.16.1.6 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp map 172.16.1.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     ip summary-address eigrp 10 10.6.0.0 255.255.0.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end

  • Cisco DMVPN Spoke ISP Redundancy

    Hi Dears,
    I want to configure DMVPN on Cisco routers. I want to configure dual ISP at the spokes: the ADSL link is primary and 3G is backup, and configure DMVPN over them.
    How do I configure the hub and spoke sites? I want to use the EIGRP protocol.

    Hi Teymur,
    You can configure a single tunnel interface on the spoke, primary hub and the secondary hub for dual hub and dual isp on spoke.
    Use EEM script for failover between your ISP connections and can configure both hubs on the same tunnel interface.
    Introduce delay on the secondary hub tunnel interface so that it is less preferred.
    Spoke Tunnel configuration :
    interface Tunnel0
      bandwidth 1000
      ip address 10.10.0.12 255.255.255.0
      ip mtu 1400
      ip nhrp authentication test
      ip nhrp map 10.10.0.1 172.16.1.1
      ip nhrp map 10.10.0.2 172.16.1.2
      ip nhrp network-id 100000
      ip nhrp holdtime 300
      ip nhrp nhs 10.10.0.1       <---- Primary Hub
      ip nhrp nhs 10.10.0.2       <---- Secondary Hub
      delay 1000
      tunnel source Ethernet0
      tunnel mode gre multipoint
      tunnel key 100000
      tunnel protection ipsec profile vpnprof
     Primary Hub
     interface Tunnel0
      ip address 10.10.0.1 255.255.255.0
      ip mtu 1400
      ip nhrp authentication test
      ip nhrp map multicast dynamic
      ip nhrp network-id 100000
      ip nhrp holdtime 600
      no ip split-horizon eigrp 1
      delay 1000
      tunnel source Ethernet0
      tunnel mode gre multipoint
      tunnel key 100000
      tunnel protection ipsec profile vpnprof
     Secondary Hub
     interface Tunnel0
      ip address 10.10.0.2 255.255.255.0
      ip mtu 1400
      ip nhrp authentication test
      ip nhrp map multicast dynamic
      ip nhrp network-id 100000
      ip nhrp holdtime 600
      no ip split-horizon eigrp 1
      delay 1500                    <--- Increase the delay so that the routes learnt from this hub are less preferred
      tunnel source Ethernet0
      tunnel mode gre multipoint
      tunnel key 100000
      tunnel protection ipsec profile vpnprof
    For Dual ISP failover on Spoke :
     Configure tracking with IP SLA monitor. Then use EEM script to change the source and route of the tunnel when the track fails.
     If Ethernet0/0 is the primary WAN interface and Ethernet0/1 is the backup then you can use the below template.
     track 1 ip sla 1 reachability
     ip sla 1
       icmp-echo <Primary Next-hop IP> source-interface Ethernet0/0
        threshold 3000
        timeout 3000
        frequency 3
    ip sla schedule 1 life forever start-time now
    ip sla responder
    event manager applet Failto-secondary-tunnel
     event track 1 state down
     action 1.0 cli command "enable"
     action 1.1 cli command "configure terminal"
     action 1.2 cli command "interface tunnel0"
     action 1.3 cli command "shut"
     action 1.4 cli command "tunnel source Ethernet0/1"
     action 1.5 cli command "no shut"
     action 1.6 cli command "exit"
     action 1.7 cli command "ip route 0.0.0.0 0.0.0.0 <backup next-hop ip>"
     action 1.8 cli command "ip route 0.0.0.0 0.0.0.0 <Primary next-hop ip> 10"
     action 1.9 cli command "end"
    event manager applet Comeback-primary-tunnel
     event track 1 state up
     action 1.0 cli command "enable"
     action 1.1 cli command "configure terminal"
     action 1.2 cli command "interface tunnel0"
     action 1.3 cli command "shut"
     action 1.4 cli command "tunnel source Ethernet0/0"
     action 1.5 cli command "no shut"
     action 1.6 cli command "exit"
     action 1.7 cli command "ip route 0.0.0.0 0.0.0.0 <Primary next-hop ip>"
     action 1.8 cli command "ip route 0.0.0.0 0.0.0.0 <backup next-hop ip> 10"
     action 1.9 cli command "end"
    Hope that helps

  • DMVPN spoke problem

    Hi,
    One of the spoke routers (871 ISR c870-advipservicesk9-mz.124-24.T8.bin)  randomly loses DMVPN
    connection to Hub1 (2901 ISR). When connection is lost Hub's real IP address is reachable, IPSec 
    Phase 1 and 2 seems ok, spoke's tunnel interface IP shows registered.
    "show crypto ipsec sa" on the spoke shows 0 decaps, the encaps value increments.
    On Hub1 both decaps and encaps values of tunnel with spoke are incremented. Another DMVPN tunnel
    on the same spoke  to Hub2 is working fine.  
    Any ideas?

    I can tell you that auto-enroll will not work unless your CA server is set to grant auto and currently has a shadow (rollover cert) ready to install. However, that does not explain why the manual process failed. You need to address that before you attempt to correct the Auto-Enroll.

  • DMVPN spoke to spoke connection

    Hi Everyone,
    Need to confirm on DMVPN say  if R1 is hub and R2 and R3 are spoke.
    IF R2 need to talk to R3 it will use NHRP and will go to R3 via  R1 ?
    Is there any way that R2 can talk to R3 directly using NHRP?
    Regards
    Mahesh

    You mix some functionalities here:
    NHRP is used in DMVPN to register the spokes on the hub and give them the possibility to ask the hub for actual spoke addresses. With that, NHRP is always between the spokes and the hub. Just see this as control traffic. There is no need to talk spoke-to-spoke here.
    When the spoke is aware of the public IP of a different spoke it wants to talk to, then the IPsec connection is built directly between the spokes.
    Sent from Cisco Technical Support iPad App

  • DMVPN - Spoke to spoke direct tunnel

    For some reason, my spoke to spoke tunnel doesn't stay up when my hub goes down. Not sure what I am missing. Please help!!
    Hub:
    interface Tunnel0
     ip address 172.16.1.1 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 10
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     no ip split-horizon
     ip summary-address eigrp 10 10.1.0.0 255.255.0.0
     tunnel source 1.1.1.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end
    spoke 1: 
    interface Tunnel0
     ip address 172.16.1.7 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp map 172.16.1.1 1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     ip summary-address eigrp 10 10.7.0.0 255.255.0.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end
    Spoke 2:
    interface Tunnel0
     ip address 172.16.1.6 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp map 172.16.1.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     ip summary-address eigrp 10 10.6.0.0 255.255.0.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end

