DMVPN Hub Router QoS

Similar Messages

• DMVPN Hub Router Placement

  Any docs regarding best practices for placement of DMVPN Hub router. Should it be placed behind firewall, in a DMZ off of firewall or in parallel to firewall.
  Thanks in advance for any input.

  Paul,
  Check out Cisco Validated Design Solutions for best practices. Especially, the one for "Secure WAN".
  http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/networking_solutions_products_genericcontent0900aecd805f65bf.html
  Regards,
  Arul
  *Pls rate if it helps*

• Replacing the DMVPN hub router

  We are replacing our current 2921 router, Version 15.2(4)M2, with a 3925 Version 15.2(4)M6. It is the DMVPN hub router for 6 spoke routers. We cut and pasted the configuration from the old router to the new. We confirmed internet connectivity from clients on the inside. But none of the DMVPN tunnels will set up. As we were in a very short maintenance window we did not have a lot of time to troubleshoot and had to revert to the old router. Is there some procedure we need to implement to force the tunnels to come up?

  Because you are changing the Hardware and copy past the config. Spokes will not re register themselves at HUB until you reset them again. Then they will register themselves again in the NHRP table at the new HUB..

• DMVPN HUB router behind NAT

  we are getting new sip trunks put in and in order for the provider to put them in the Providor put in a router to control all web traffic so they can QOS the voice that means our VPN routers will go behind the nat barrier. but when i switched the routers interface to the natted address the DMVPN tunnels would not build. there is a nat translation to the routers so the external(route-able) IP did not change. the IPsec tunnels did come up just fine. just the few DMVPN connected tunnels did not.
  if issue a "sh DMVPN" the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel addr is what it should be, also the attrb is  "X"
  Tunnel source i have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth"
  i am at a loss on why this was not working. keep in mind this is the HUB router and not the Spoke.

  Here is some additional infor to help
  hub config:
  interface Tunnel0
   bandwidth 512
   ip address "hubtunnelIP" 255.255.255.0
   no ip redirects
   ip nhrp authentication "XXX"
   ip nhrp map multicast dynamic
   ip nhrp network-id 1
   tunnel source GigabitEthernet0/1
   tunnel mode gre multipoint
   tunnel protection ipsec profile net1
  crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth
  crypto ipsec transform-set "mytransfromset" esp-des esp-md5-hmac
   mode transport
  crypto ipsec profile net1
   set transform-set "mytransformset"
  Spoke config:
  crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth
  crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
   mode tunnel
  crypto ipsec nat-transparency spi-matching
  crypto ipsec profile net1
   set transform-set "mytransformset"
  interface Tunnel0
   bandwidth 512
   ip address "spoketunnelIP" 255.255.255.0
   no ip redirects
   ip nhrp authentication "XXX"
   ip nhrp map multicast "Remote IP"
   ip nhrp map "hubtunnelIP" "Remote IP"
   ip nhrp network-id 1
   ip nhrp nhs "hubtunnelIP"
   tunnel source GigabitEthernet0/1
   tunnel mode gre multipoint
   tunnel protection ipsec profile net1 shared

• DMVPN Hub router with static NAT

  Hi everyone,
  I'm trying to setup a lab enviroment to stablish a DMVPN. I have two routers CISCO 2811, IOS version 12.4(3j). I need to configure those routers to stablish a DMVPN. For the spoke router, I have have an ISP that provides dynamic addressing. For the hub router, I have a public static IP address assignde by the ISP. But I have a Watchguard firewall in the middle doing static 1-to-1 NAT for that address. Now the questions are:
  1) Can I stablish the DMVPN between the routers with that firewall in the middle?
  2) In case it is possible, what will the physical hub address be? And is there something I need to change on the firewall configuration?
  3) In case it isn't possible, what other options do I have to stablish a VPN tunnel between the routers in those conditions?
  Is there is anything else you need to know to understand the situation, please ask. I haven't configure neither of the routers yet, because I think I need to be sure of these concepts first. Thanks for any help you could bring.
  Gustavo

  !

• DMVPN Design: Multi-Hub, Router Per-Tunnel QoS

  Some DMVPN questions:
  1) A site I've worked with has about 7 hubs and 5 spokes. This looks at best a bit odd to me. The Cisco design docs all have at most 2 hub sites. Is more than 2 DMVPN hub sites a good idea / bad idea? Pros / cons / drawbacks? I've googled this topic heavily, found little.
  2) If two sites are DMVPN hub sites that have NHRP map statements for  each other, can they both be doing the Per-Tunnel QoS feature to get some QoS shaping towards each other?
  3) What is recommended for DMVPN QoS in general? And for a spoke site where the hub site is doing the Per-Tunnel QoS? Just put some QoS on the physical link?

  Ray,
  There could be multiple reasons for it not to function, the config on hub seems just fine, we'd need to inspect the spokes and check (most likely) in debugs if correct group is being sent from spoke.
  Also coexistance of other service-policy etc etc.
  The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
  M.

• DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

  Hi Guys,
  I'm in a mess, I have  Cisco 877-K9 router which sits behind an ASA 5510 FW.
  The Design :
  Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
  ||
  ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
  ||
  Switch
  ||
  LAN
  Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa.
  I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not  able to ping any LAN IP at Spoke site nor am I able to ping my LAN from  any Spoke site.
  I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
  Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
  Thanks,
  Aj.

  Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
  All the troubleshooting was done before posting the problem, and to clearify the things, Please find below the results.
  1) what RProtocol r u using?
  a) It's OSPF
  2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
  a) I did the "show ip route" and bothe the HUB and Spokes get their routes defined
      (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I coudln't get routes advertised on spokes)
      (I changed to "redistribute static subnests" and I was able to get Hub routes advertised")
  3) are your tunnels config correctly? try show crypto ipsec sa
  a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
  4) on your hub'spoke do a debug ip icmp
  a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
  I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
  Additional to the info above, Please also note :
  I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
  So I guess I'm stuck on the point that My Cisco HUB is unable to talk to  my LAN, If I can get the HUB to talk to the internal LAN, I would be  able to ping clients on LAN from any Spoke or clients behind Spokes.
  From HUB router I'm able to ping clients behind Spokes.
  Does that give any Ideas ?
  Thanks in Advance.
  Aj.

• Running DMVPN Hub and Spoke on same router?

  My client has a project in which traffic flow is hierarchial in nature.  Using DMVPNs, the design is for a "center" router to be a DMVPN spoke to the cloud above it, and a DMVPN Hub to the cloud below it.  I have tried to lab this up, but no success.  I initially build the center router as a DMVPN spoke to teh upper cloud and all is well.  As soon as I had the second tunnel config (as the DMVPN hub to the lower cloud), the first tunnel goes down and my EIGRP flaps.  Im running EIGRP across the DMVPN tunnels.  The two DMVPN clouds are using different network IDs and are running separate EIGRP routing instances.
  I can post configs if desired - just wanted to see if anyone is doing this or knows whether it is possible. 
  Jeff          

  Hi,
  I know it is possible using two DMVPN clouds, but it seems that you need DMVPN phase 3 in this situation. This is suitable for the hierarchical model you want. Take a look at the following link
  http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html
  Hope this helps.

• DMVPN Hub on HSRP standby router

  I was wondering if a DMVPN Hub was able to provide redundancy on an HSRP standby router.
  I currently have an active tunnel to the standby, but am unable to update EIGRP..
  Thank You in adavnce..

  Check GRE keepalives is enabled or not, if enabled remove that, then check the routing updates.
  Check whether you allowed ESP, UDP 500, UDP 4500 and GRE on your access-list.
  Also Adjust the MTU size, using the cmd ?ip tcp adjust-mss 1360?
  Try these links:
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml#eigrp
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a0080087026.html

• DMVPN per tunnel QOS. show policy-map multipoint not working

  Hi All,
  I have a DMVPN hub which is a 1841 with image c1841-advsecurityk9-mz.151-4.M1.bin .
  I have been using DMVPN and its awesome but now trying to get the QOS sorted out and having issues.
  I have configured the interface like so.
  interface Tunnel1
  ip address 10.255.255.1 255.255.255.0
  no ip redirects
  ip mtu 1400
  ip nhrp authentication xxx
  ip nhrp map multicast dynamic
  ip nhrp map group ADSL1 service-policy output ADSL1
  ip nhrp network-id 1
  ip nhrp redirect
  ip tcp adjust-mss 1360
  no ip split-horizon
  ip ospf 1 area 0
  tunnel source Loopback0
  tunnel mode gre multipoint
  tunnel key 1
  tunnel path-mtu-discovery
  tunnel protection ipsec profile VPN
  end
  policy-map ADSL1
  class class-default
    shape average 1000000
    service-policy Classes
  policy-map Classes
  class Silver
    bandwidth percent 25
    fair-queue
  class Gold
    bandwidth percent 50
    fair-queue
  class Scavanger
    bandwidth percent 5
  class class-default
    fair-queue
  The output of show dmvpn detail shows it has applied the QOS rule.
  NG-SR-WE-RT-2#show dmvpn detail
  Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
      N - NATed, L - Local, X - No Socket
      # Ent --> Number of NHRP entries with same NBMA peer
      NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
      UpDn Time --> Up or Down Time for a Tunnel
  ==========================================================================
  Interface Tunnel1 is up/up, Addr. is 10.255.255.1, VRF ""
     Tunnel Src./Dest. addr: 10.32.0.100/MGRE, Tunnel VRF ""
     Protocol/Transport: "multi-GRE/IP", Protect "VPN"
     Interface State Control: Disabled
  Type:Hub, Total NBMA Peers (v4/v6): 1
  # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
      1  x.x.x.x    10.255.255.2    UP    1d18h    D    10.255.255.2/32
  NHRP group: ADSL1
  Output QoS service-policy applied: ADSL1
  but my router cannot run show policy-map multipoint... it doesnt come up with a tab but i can write it in by hand.  Even when i write it in by hand it outputs blank.
  I cut the ADSL1 shape down to 512k and it didnt take affect so i dont think the qos is working at all.
  Is my feature set too low?
  Cheers,
  Simon

  Ray,
  There could be multiple reasons for it not to function, the config on hub seems just fine, we'd need to inspect the spokes and check (most likely) in debugs if correct group is being sent from spoke.
  Also coexistance of other service-policy etc etc.
  The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
  M.

• DMVPN: HUB's behind a LoadBalancer and Spoke-Spoke communication

  Hallo,
  we are planning a scaling DMVPN network for around 2000 spokes.
  Is it possible to install the HUB's behind a Load Balancer so that they are reachable only through 1 VIP address and ALSO the possibility of a direkt spoke-spoke communication when needed?
  I only found Phase 2 and SLB for HUBs but
  without a spoke-spoke communication.
  http://www.cisco.com/application/pdf/en/us/guest/products/ps6658/c1161/cdccont_0900aecd80313ca3.pdf
  see page 13 there is what we like to have but with the extension of spoke-spoke communication.
  regards
  Karlheinz

  I have been waiting for Cisco to get the spoke-spoke functionality working for this DMVPN HUBs behind load balancer environment. The traditional DMVPN with multiple HUBs does not really scale well, plus it is not very stable routing and NHRP wise.
  Would you care to tell more about your solution. As far as I know on a HUB you cannot have one tunnel for spoke to HUB connections and the other just for HUB-HUB, the NHRP requests from the spokes to find out about the other spoke public IP will not be forwarded between the tunnel interfaces on the HUB

• DMVPN Hub and Spoke behind NAT device

  Hi All,
  I have seen many documents stating about DMVPN Hub behind NAT or DMVPN Spoke behind NAT.
  But My case i involve in both situation.
  1) HUB have a Load Balancer (2 WAN Link) ISP A & B
  2) Spoke have Load Balancer (2 WAN Link) ISP A & B
  Now the requirement is Spoke ISP A Tunnel to HUB ISP A.  Spoke ISP B tunnel to HUB ISP B
  So total of two DMVPN tunnel from spoke to hub, and i will use EIGRP and PBR to select path.
  As I know at HUB site, LB must do Static NAT for HUB router IP, so spoke will point to it as tunnel destination address. At spoke LB, i will do policy route to reach HUB ISP A IP via Spoke ISP A link, HUB ISP B IP via Spoke ISP B link.
  HUB and Spoke have to create 2 tunnel with two different network ID but using same source interface.
  The Tunnel destination IP at spoke router is not directly belongs to HUB router. Its hold by HUB LB , and forwarded to HUB router by Static NAT.
  Any problem will face with this setup? Any guide?
  Sample config at HUB.
  interface Tunnel0
  bandwidth 1000
  ip address 172.16.1.1 255.255.255.0
  ip mtu 1440
  ip nhrp authentication cisco123
  ip nhrp map multicast dynamic
  ip nhrp network-id 1
  ip nhrp holdtime 600
  delay 1000
  tunnel source FastEthernet0/0
  tunnel mode gre multipoint
  tunnel key 0
  tunnel protection ipsec profile cisco
  interface Tunnel1
  bandwidth 1000
  ip address 172.17.1.1 255.255.255.0
  ip mtu 1440
  ip nhrp authentication cisco123
  ip nhrp map multicast dynamic
  ip nhrp network-id 2
  ip nhrp holdtime 600
  delay 1000
  tunnel source FastEthernet0/0
  tunnel mode gre multipoint
  tunnel key 1
  tunnel protection ipsec profile cisco
  Spoke Config
  interface Tunnel0
  bandwidth 1000
  ip address 172.16.1.2 255.255.255.0
  ip mtu 1440
  ip nhrp authentication cisco123
  ip nhrp map 172.16.1.1 199.1.1.1
  ip nhrp network-id 1
  ip nhrp holdtime 300
  ip nhrp nhs 172.16.1.1
  delay 1000
  tunnel source FastEthernet0/0
  tunnel destination 199.1.1.1
  tunnel key 0
  tunnel protection ipsec profile cisco
  interface Tunnel1
  bandwidth 1000
  ip address 172.17.1.2 255.255.255.0
  ip mtu 1440
  ip nhrp authentication cisco123
  ip nhrp map 172.17.1.1 200.1.1.1
  ip nhrp network-id 2
  ip nhrp holdtime 300
  ip nhrp nhs 172.17.1.1
  delay 1500
  tunnel source FastEthernet0/0
  tunnel destination 200.1.1.1
  tunnel key 1
  tunnel protection ipsec profile cisco

  Hi Marcin,
  thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
  About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. At the end, TAC actually assisted me with this. Before I called TAC, i did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that, did not work and it has to with NAT and AH. Traffic was no longer NATed so the hub, saw the traffic come from 2.2.2.2 rather than 3.3.3.3, you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and i started troubleshooting it. I did not understand that AH can't be NATed, Below  is TAC's explanation. All is good now. Thanks
  .  Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum.  Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
  Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check.  In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."

• DMVPN Hub Behind ASA

  Can somebody please send me a known working snippet of ASA config to support a DMVPN hub NAT'd behind an ASA. I tried for 2 days even with TAC and I was finally forced to put my DMVPN Hub out on the Internet with the IOS FW.
  Basically the issue I was seeing was that ISAKMP would almost complete at the spoke, try to go to QM_IDLE and then start the ISAKMP process over. Tried different code revs, etc. The ASA is running 8.0.3. Works great as long as the ASA was not in the path.
  Any help is appreciated.

  Hey there I am trying to do the same type of setup with a 3845 behind an ASA5510/Sec plus and I am getting similar results.
  I have access-lists permitting:
  - ESP, ISAKMP, GRE, and 4500 to the router on the inside.
  Have you made in head way to a solution?

• DMVPN Default routes (over internet and over tunnel)

  Hello all,
  I want to implement a DMVPN (using OSPF) solution in which all routers are connected to the internet and all of then have dynamic IP addresses (except hub). Because of this each router have a default gateway pointing to the ISP IP address.
  With this solution I want a spoke to skope topology and I also want all customer internet traffic to go via central site. The problem is that I need a defaut route to reach other spokes and this way traffic to internet via central site does not use the tunnel.
  Is there any feature that alow to overcome this situation?
  Regards,
  João Carvalho

  Absolutely. You can do this easily with VRF Lite. Configure a separate VRF for your customer, place the tunnel interface and the customer's VLAN into the VRF and run your OSPF process within the VRF. This allows the router's global routing table to keep a default gateway to the ISP, but lets you define the customer's default gateway as the DMVPN hub. I have a dual-hub DMVPN network with a couple of hundred sites using exactly this approach.

• DMVPN Hub with Dual ISPs

  I have one Hub Router, I have 2 ISPs and would like to set it up as a dual hub. I have configured two tunnel interfaces on the hubs and spokes, set the  ipsec profile to shared, etc.
  What i was trying to do was route-map the traffic for the two tunnel  interfaces out of the relevant interfaces and came up with the following:
  route-map ROUTE-DMVPN permit 10
  match interface Tunnel1
  set ip default next-hop xxxxx
  route-map ROUTE-DMVPN permit 20
  match interface Tunnel2
  set ip default next-hop xxxxx
  and then set that as a local policy route-map on the router.
  The first section matches packets and works, the second does not. Is what I am trying to do possible? Or Do I need to be more sophisticated in my design?
  Thanks in advance!

  OK, here is something I came up really fast in my lab.
  Note that it does NOT contain best practices or some required configurations and is only meant to show a concept.
  Here is the situation
  hub ===== two links ==== "ISP" -----one link ---- spoke
  hub physical:
  10.1.1.0/24 (ISP1)
  10.2.2.0/24 (ISP2)
  spoke physical:
  10.3.3.0/24
  two DMVPN clouds:
  172.16.1.0/24
  172.16.2.0/24
  Hub lan:
  99.99.99.0/24
  spoke lan:
  88.88.88.0/24
  Hub configuration:
  interface Ethernet0/0 ip address 10.1.1.1 255.255.255.0interface Ethernet1/0 ip vrf forwarding ISP2 ip address 10.2.2.1 255.255.255.0interface Ethernet2/0 ip address 99.99.99.1 255.255.255.0interface Tunnel1 ip address 172.16.1.1 255.255.255.0 no ip redirects ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp server-only delay 1000 tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 1endinterface Tunnel2 ip address 172.16.2.1 255.255.255.0 no ip redirects ip nhrp map multicast dynamic ip nhrp network-id 2 delay 2000 tunnel source Ethernet1/0 tunnel mode gre multipoint tunnel key 2 tunnel vrf ISP2endrouter eigrp 100 network 99.99.99.0 0.0.0.255 network 172.16.1.0 0.0.0.255router eigrp 101 network 99.99.99.0 0.0.0.255 network 172.16.2.0 0.0.0.255ip route 0.0.0.0 0.0.0.0 10.1.1.254
  ip route vrf ISP2 0.0.0.0 0.0.0.0 10.2.2.254
  Spoke config:
  interface Ethernet0/0 ip address 10.3.3.1 255.255.255.0endinterface Tunnel1 ip address 172.16.1.2 255.255.255.0 no ip redirects ip nhrp map multicast 10.1.1.1 ip nhrp map 172.16.1.1 10.1.1.1 ip nhrp network-id 1 ip nhrp nhs 172.16.1.1 delay 1000 tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 1endrouter eigrp 100 network 88.88.88.0 0.0.0.255 network 172.16.1.0 0.0.0.255router eigrp 101 network 88.88.88.0 0.0.0.255 network 172.16.2.0 0.0.0.255
  Some outputs:
  spoke#sh ip eigrp topology 99.99.99.0/24EIGRP-IPv4 Topology Entry for AS(100)/ID(172.16.2.2) for 99.99.99.0/24  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 25881600  Descriptor Blocks:  172.16.1.1 (Tunnel1), from 172.16.1.1, Send flag is 0x0      Composite metric is (25881600/281600), route is Internal      Vector metric:        Minimum bandwidth is 100 Kbit        Total delay is 11000 microseconds        Reliability is 255/255        Load is 1/255        Minimum MTU is 1472        Hop count is 1        Originating router is 172.16.2.1EIGRP-IPv4 Topology Entry for AS(101)/ID(172.16.2.2) for 99.99.99.0/24  State is Passive, Query origin flag is 1, 0 Successor(s), FD is 4294967295  Descriptor Blocks:  172.16.2.1 (Tunnel2), from 172.16.2.1, Send flag is 0x0      Composite metric is (26137600/281600), route is Internal      Vector metric:        Minimum bandwidth is 100 Kbit        Total delay is 21000 microseconds        Reliability is 255/255        Load is 1/255        Minimum MTU is 1472        Hop count is 1        Originating router is 172.16.2.1spoke#sh ip nhrp detail
  172.16.1.1/32 via 172.16.1.1
     Tunnel1 created 00:16:33, never expire
     Type: static, Flags: used
     NBMA address: 10.1.1.1
  172.16.2.1/32 via 172.16.2.1
     Tunnel2 created 00:16:33, never expire
     Type: static, Flags: used
     NBMA address: 10.2.2.1
  spoke#                  
  and
  hub#sh ip eigrp topology 88.88.88.0/24EIGRP-IPv4 Topology Entry for AS(100)/ID(172.16.2.1) for 88.88.88.0/24  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 25881600  Descriptor Blocks:  172.16.1.2 (Tunnel1), from 172.16.1.2, Send flag is 0x0      Composite metric is (25881600/281600), route is Internal      Vector metric:        Minimum bandwidth is 100 Kbit        Total delay is 11000 microseconds        Reliability is 255/255        Load is 1/255        Minimum MTU is 1472        Hop count is 1        Originating router is 172.16.2.2EIGRP-IPv4 Topology Entry for AS(101)/ID(172.16.2.1) for 88.88.88.0/24  State is Passive, Query origin flag is 1, 0 Successor(s), FD is 4294967295  Descriptor Blocks:  172.16.2.2 (Tunnel2), from 172.16.2.2, Send flag is 0x0      Composite metric is (26137600/281600), route is Internal      Vector metric:        Minimum bandwidth is 100 Kbit        Total delay is 21000 microseconds        Reliability is 255/255        Load is 1/255        Minimum MTU is 1472        Hop count is 1        Originating router is 172.16.2.2hub#show ip nhrp detail
  172.16.1.2/32 via 172.16.1.2
     Tunnel1 created 00:16:09, expire 01:43:50
     Type: dynamic, Flags: unique registered
     NBMA address: 10.3.3.1
  172.16.2.2/32 via 172.16.2.2
     Tunnel2 created 00:16:09, expire 01:43:50
     Type: dynamic, Flags: unique registered
     NBMA address: 10.3.3.1