Dual DMVPN

Hi!
I have set up a net where the spokes can use either an Ethernet or a serial interface to connect to the network. The spokes will then need two tunnel definitions. The Hub also has two tunnel definitions (same source interface with a secondary address). Tunnels to the hub work great. Dynamic spoke to spoke tunnels are established in both cases but the traffic from the second tunnel (serial) won't use the dynamic tunnel and flows over the hub.
And by the way is there a solution to get dynamic spoke to spoke tunnels between different tunnel interfaces?
/Mats

Hi!
1. I have mobile nodes that connect to an ISP. The mobile nodes can connect with either an Ethernet or a serial interface (not at the same time) but can change connection type when they move to a new location. The mobile nodes get connected through the ISP using DMVPN to a static mobile node also connected to the ISP.
2. The mobile network uses OSPF and the ISP uses ISIS; routes between the two networks use BGP. Routes are only imported/exported at the static mobile node.
3. See above, but the mobile nodes will get their IP address from the ISP using DHCP for ethernet and SLARP for serial interfaces. The interface connected is then used as tunnel source.
/Mats

Similar Messages

  • Dual-DMVPN Design with Dual Hubs on a single router ??

    Hi All,
    In DMVPN, in Dual-DMVPN Design with Dual Hubs, can a single router perform the role of dual hubs?
    The router has two different internet links. It is intended that when one link goes down, spokes should connect to the same router via the other active internet connection. Is this possible?

    Since no one has answered yet, I'll give you the practical answer.
    You'll have issues with IPSec and static routing. "DMVPN" itself probably wouldn't have an issue, but it would depend on IPSec and routing to work.
    It is easier, by far, to put in a second router. And when you factor in your time to try to make it work (and it may not work), the second router is less expensive.
    Rob

  • Difference between Dual hub-dual DMVPN cloud Vs Dual hub-single DMVPN cloud

    Please explain the
    difference between Dual hub-dual DMVPN cloud Vs Dual hub-single DMVPN cloud

    Thanks Paul, I have looked over this design guide as this was the first place I went. However, I cannot find a configuration example for dual hub/single cloud.
    I see the high level design and know you can do it, but it doesn't show what the configuration would look like... unless I am just reading over it.
    Thanks

  • Configuration Dual HUB Dual Dmvpn

    Hi Dears
    I configured a simple DMVPN on my network. Now I want to configure Dual HUB Dual DMVPN.
    I cannot find any good configuration documentation on how to configure that.
    Please provide me a link or any PDF for configuring Dual HUB Dual DMVPN.
    Thanks.


  • Dual-DMVPN with Dual Hubs

    Are there any routing issues when using mGRE interfaces on spokes. I need spoke-to-spoke connectivity. Obviously if I opt for p-pGRE interfaces then traffic from spoke-to-spoke will have to go via one of the hubs.
    I understand there was a limitation in IOS whereby mGRE interfaces on spokes prevented it from learning many routes via the hub.
    tia
    Ajaz


  • Dual DMVPN Dual Hub Request for Help?

    Hello Anyone with DMVPN experience,
    Can you please have a look at my DMVPN queries in the attached document?
    Thank you
    Regards
    Phuc Le

    Hi Phuc Le,
    I found for you a quite detailed design and implementation guide. Please read carefully and implement a test bed. I'm sure you will get support for specific issues if you run into problems.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html
    These documents are carefully written and I never encountered any problems with such reference implementations.
    Also: Please don't formulate your questions in an attached document, this makes it difficult for us to give you answers.
    Best regards, MiKa

  • DMVPN fast convergence with ebgp and capacity planning

    Hi.
    In a dual hub/dual DMVPN design, EBGP is running over the GRE DMVPN tunnel (without IPsec/NO encryption). Once the main hub is down, it takes so long for the spokes to detect the primary hub is down (BGP hold down timer) and then converge to the secondary hub.
    Apart from the BGP timers tuning, is there any other way to achieve fast convergence, and without overutilizing resources (memory/CPU)?
    The hub routers are ASR1001 and there will be ~70 dmvpns, with ~100 spokes per DMVPN.
    Thanks,
    Carlos.

    Marcin,
    After deleting the command "if-state nhrp" from both tunnels, I see that one of the tunnels changes its state to up/up and I can recover reachability to the remote hub.
    R21#show ip int brief
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            unassigned      YES NVRAM  administratively down down
    FastEthernet1/0            172.16.254.3    YES DHCP   up                    up
    FastEthernet1/1            unassigned      YES NVRAM  administratively down down
    Loopback0                  21.21.21.21     YES manual up                    up
    Tunnel178                  178.178.178.21  YES NVRAM  up                    down
    Tunnel179                  179.179.179.21  YES manual up                    up
    R21#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R21(config)#int tun 178
    R21(config-if)#no if
    R21(config-if)#no if-state nh
    R21(config-if)#no if-state nhrp
    R21(config-if)#int tun 179
    R21(config-if)#no if-state nhrp
    R21(config-if)#
    *Jun 27 00:18:06.511: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to up
    R21(config-if)#^Z
    R21#show ip
    *Jun 27 00:18:16.103: %SYS-5-CONFIG_I: Configured from console by console
    R21#show ip int brief
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            unassigned      YES NVRAM  administratively down down
    FastEthernet1/0            172.16.254.3    YES DHCP   up                    up
    FastEthernet1/1            unassigned      YES NVRAM  administratively down down
    Loopback0                  21.21.21.21     YES manual up                    up
    Tunnel178                  178.178.178.21  YES NVRAM  up                    up
    Tunnel179                  179.179.179.21  YES manual up                    up
    R21#show ip nhrp nhs detail
    Legend: E=Expecting replies, R=Responding, W=Waiting
    Tunnel178:
    178.178.178.1   E priority = 0 cluster = 0  req-sent 6  req-failed 0  repl-recv 0 (01:11:41 ago)
    Tunnel179:
    179.179.179.1  RE priority = 0 cluster = 0  req-sent 1020  req-failed 0  repl-recv 522 (00:00:01 ago)
    R21#
    From the last output of "show ip nhrp nhs detail" I see only the peer from tunnel 179 is marked as RE: Responding, Expecting replies. I want to know why the peer from tunnel 178 is not also in that state?
    I can ping both nbma (physical) and virtual (tunnel) ip address of both hubs.
    ########## Ping to hub 1 nbma (physical) address:
    R21#ping vrf dmvpn 200.0.0.178
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.0.0.178, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 200/303/436 ms
    ########## Ping to hub 2 nbma (physical) address:
    R21#ping vrf dmvpn 201.0.0.178
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 201.0.0.178, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 144/220/268 ms
    ########## Ping to hub 1 virtual (tunnel) address:
    R21#ping 178.178.178.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 178.178.178.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 164/186/228 ms
    ########## Ping to hub 2 virtual (tunnel) address:
    R21#ping 179.179.179.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 179.179.179.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 228/395/560 ms
    R21#
    R21#show ip nhrp nhs detail
    Legend: E=Expecting replies, R=Responding, W=Waiting
    Tunnel178:
    178.178.178.1   E priority = 0 cluster = 0  req-sent 74  req-failed 0  repl-recv 0 (01:15:08 ago)
    Tunnel179:
    179.179.179.1  RE priority = 0 cluster = 0  req-sent 1088  req-failed 0  repl-recv 590 (00:00:02 ago)
    R21#
    Thanks,
    Carlos Trujillo.

  • DMVPN - improve network performance

    Hi All,
    We have a dual hub dual dmvpn cloud network running EIGRP or about 50 and 100 sites in the coming future.
    I have configured it in a way for 25 spokes to designate hub1 as primary and the other 25 spokes to designate hub2 as its primary link.
    To load balance.
    I need some help with suggestions or recommendations on how to improve its network performance.
    This is to anticipate queries by customer running systems&apps complaining why is the link too slow after implementing dmvpn
    Is there any parameters that can be fine tuned to help increase its performance?
    Please advise.
    Thanks

    Hello, I know this thread is old but it is exactly relevant to what I have now. We have implemented the dual hub dual DMVPN solution over the last year on our remote sites. The head ends are 7200s w/C7200P-ADVSECURITYK9-M, Version 12.4(24)T3 and the remotes are 1700s (slowly being replaced with 1800s) and 1800 series routers. There are about 60 sites, most of them riding over Comcast cable (preferred) or Verizon DSL. Many of our sites have both, where Comcast is primary and DSL is secondary, so on these sites there are 4 tunnels. Our connections are getting very slow. For instance, at one site they have paid for 50mb cable connection, which, when plugged directly into the cable modem, reaches those speeds. When going through the tunnel back to our core, where we have multiple GB ISP connections out to the internet, they are getting 2mb download speeds. Actually, they don't even have to be going out to the internet, just hitting our internal servers in the core is slow for them. We started testing multiple sites and it seems all of them are getting very slow compared to the service they have. In looking at the troubleshooting options available you listed above, I am very curious about making sure none of the devices are oversubscribed. Since we have no spoke to spoke connections I am assuming that this troubleshooting should be done on the 7200s. What commands would be good to run to check for oversubscription on the 7200s regarding CPU and crypto accelerator? Also, when you mention QoS, where does this get applied? I am familiar with manual QoS config for voice and video, but how does it relate to VPN? Is there anything else I can look at/modify that will help alleviate the slowness of these tunnels? Any help would be greatly appreciated!!
    Thank you,
    Noel

  • Recommendation for IP MTU setting with DMVPN

    I have a dual DMVPN setup which works fine, apart from a performance issue. It's probable that this is a packet fragmentation issue as I'm seeing many reassembled fragments on my encryption routers. The IP MTU value on the tunnel is 1436, as recommended by R Deal in his VPN configuration guide. If I remove the IP MTU 1436 command, and let IOS select its own value that returns 1472 for IP MTU.
    Reading up on Cisco.com various values are mentioned, 1400, and 1440. As this is a production network under change control I'm after recommendations from other working networks, to get this fixed.
    I'm also using MSS adjustment for TCP setting a value of 1360, and have a route-map to clear the DF bit in TCP and UDP frames.
    I'm using IPSec transport mode, and there are no NAT boundaries for the IPSec to cross.
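The arithmetic behind the IP MTU values discussed in this thread, as an added example that is not part of the original post. It assumes a 1500-byte path MTU, ESP with AES-CBC and HMAC-SHA1-96, and a GRE tunnel key, none of which the post states; change the parameters to match the transform set actually in use.

```python
# Assumptions (not stated in the post): IPv4, 1500-byte path MTU, ESP in
# transport mode with AES-CBC (16-byte block and IV) and HMAC-SHA1-96
# (12-byte ICV), GRE header carrying a tunnel key (8 bytes instead of 4).
OUTER_IP = 20      # delivery IPv4 header, kept in front of ESP in transport mode
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte


def wire_size(inner_len, gre_key=True, block=16, iv=16, icv=12):
    """Size on the wire of one GRE-over-ESP packet carrying inner_len bytes."""
    gre = 8 if gre_key else 4
    plaintext = gre + inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to the cipher block size
    return OUTER_IP + ESP_HEADER + iv + padded + icv


def max_ip_mtu(path_mtu=1500, **esp):
    """Largest tunnel IP MTU whose encrypted packet still fits the path MTU."""
    mtu = path_mtu
    while wire_size(mtu, **esp) > path_mtu:
        mtu -= 1
    return mtu


def tcp_mss(ip_mtu):
    """MSS matching a tunnel IP MTU: minus 20-byte IPv4 and 20-byte TCP headers."""
    return ip_mtu - 40


def evaluate(candidates, path_mtu=1500, **esp):
    """Map each candidate IP MTU to (wire size, exceeds path MTU?)."""
    return {m: (wire_size(m, **esp), wire_size(m, **esp) > path_mtu)
            for m in candidates}


if __name__ == "__main__":
    # Values mentioned in the thread.
    for mtu, (size, too_big) in evaluate((1400, 1436, 1440, 1472)).items():
        verdict = "exceeds path MTU" if too_big else "fits"
        print(f"ip mtu {mtu}: {size} bytes on the wire, {verdict}")
    print("largest fitting ip mtu:", max_ip_mtu())
    print("matching tcp adjust-mss:", tcp_mss(max_ip_mtu()))
```

Under these assumptions only 1400 of the values mentioned in the thread fits in a 1500-byte path, and 1400 is also the IP MTU that pairs with the MSS of 1360 already configured.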

    Hello aacole,
    Although I don't have a problem with MTU as such, performance is an issue. I believe this can be improved by tuning MTU configuration even if it's a little bit. Did you manage to reach optimal working figures and settings for MTU on DMVPN?
    tia
    Ajaz

  • Dual hub with one hub :-S

    Hi, I know the title is absurd.
    This is my topology:
    There are two links between router R1 (Hub) and router R4 (ISP):
    The primary DMVPN cloud should be with the primary link (150.0.0.0/24)
    The secondary DMVPN cloud should be with the secondary link (150.0.1.0/24)
    The HUB must have one tunnel interface for each physical interface, so we need two tunnel interfaces.
    If I choose dual hub dual DMVPN cloud, that means that I must have two tunnel interfaces for each spoke.
    If I choose dual hub single DMVPN cloud, that means that I must have just one tunnel interface for each spoke.
    The Hub must always use the primary link to reach spokes1 (we are in the primary DMVPN cloud).
    But if the primary link goes down the second must be used by the hub and we move to the second DMVPN cloud.
    The ISP should use the secondary link only if the primary is down.
    A default route should be configured on the ISP to reach the Internet.
    Is this possible (correct)? If yes:
    Which model is the best: dual hub dual DMVPN cloud or dual hub single DMVPN cloud?
    How can I configure the ISP to use the secondary link only if the primary is down?
    If we have two hubs, how/why do the spokes prefer the primary hub?
    In this situation: how will the spokes prefer the primary DMVPN cloud (the primary link)?


  • OSPF with ipsec VTI interface goes down before dead timer.

    I have a strange issue that OSPF will initially start working, hellos are exchanged both ways but then after about 3 – 6 hellos one of the sides stops getting them and the IPsec VTI tunnel drops on router A even before the dead timer reaches 0. Is this default behavior, when OSPF is over a VTI interface if it doesn’t receive hellos it drops the tunnel?
    I’m at a loss as to what is going on since it looks like only one neighbor stops receiving hellos, router A, for a brief period of time. This VTI tunnel is going over another provider’s FW and they have assured me the tunnel destination/source IPs are wide open; they also sent me the ACL and I can verify this. The weird thing is if I enable EIGRP it works great with no issues. On router B I am using the same source/ip unnumbered interface on multiple VTI tunnels to other destinations but this shouldn’t cause any issues I don’t think. I have never had an issue like this and from what I can tell router A just stops briefly getting hellos after 3 – 6 initial hellos and drops the protocol on the VTI interface. If I set the dead timer on router A long enough it will stop receiving hellos but stay up and then after a while you get “LOADING to FULL” as the hellos start coming in again. Again the tunnel goes over a Cisco 800 which I have no control over and a potential FW before that but I saw the ACL and IP is being allowed. I was thinking this could be a trolling issue on the FW but it doesn’t explain why EIGRP works. FYI I was having a recursive routing issue before but I have since fixed that and the issue still continues.
    ******** It turns out that I was using the same source IP on multiple tunnels. IPsec would get confused with packets coming in and would deliver packets to the wrong tunnel interface. This was solved by using the key command with a different key number on each set of tunnels with the shared profile command
    "If more than one mGRE tunnel is configured on a router that use the same tunnel source address, the shared keyword must be added to the tunnel protection command on all such tunnel interfaces. Each mGRE tunnel interface still requires a unique tunnel key, NHRP network-ID, and IP subnet address. This is common on a branch router when a dual DMVPN cloud topology is deployed. "
    Router A:
    router ospf 1
    router-id 10.213.22.2
    passive-interface default
    network x.x.97.26 0.0.0.0 area 0
    interface Tunnel1
    ip unnumbered GigabitEthernet0/1
    ip virtual-reassembly in
    ip tcp adjust-mss 1398
    ip ospf network point-to-point
    load-interval 30
    tunnel source GigabitEthernet0/1
    tunnel mode ipsec ipv4
    tunnel destination x.x.173.109
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VTI-to-NB
    router B:
    router ospf 1
    router-id 172.17.2.6
    priority 1
    redistribute static subnets route-map Lan-static-RM
    passive-interface default
    no passive-interface Tunnel1
    no passive-interface Tunnel4
    no passive-interface Tunnel5
    network x.x.173.109 0.0.0.0 area 0
    network 172.17.2.6 0.0.0.0 area 0
    network 192.168.1.47 0.0.0.0 area 0
    interface Tunnel4
    ip unnumbered GigabitEthernet0/2
    ip virtual-reassembly in
    ip tcp adjust-mss 1398
    ip ospf network point-to-point
    load-interval 30
    tunnel source GigabitEthernet0/2
    tunnel mode ipsec ipv4
    tunnel destination x.x.97.26
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VTI_NB_to_dorrance_prv
    end
    thanks P
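A check for the rule quoted in the post above, as an added example that is not part of the original post or Cisco's documentation: it scans an IOS configuration for mGRE tunnels that share a tunnel source and reports a missing `shared` keyword or a reused tunnel key or NHRP network-ID. The sample configuration, profile names and function names are constructed for illustration; unique IP subnets are not checked.

```python
import re
from collections import defaultdict

# Constructed spoke config (not from the post): Tunnel178 and Tunnel179 share a
# tunnel source; Tunnel179 lacks "shared" and reuses Tunnel178's tunnel key.
SAMPLE_CONFIG = """\
interface Tunnel178
 ip nhrp network-id 178
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel key 178
 tunnel protection ipsec profile DMVPN-PROF shared
!
interface Tunnel179
 ip nhrp network-id 179
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel key 178
 tunnel protection ipsec profile DMVPN-PROF
!
interface Tunnel5
 ip nhrp network-id 5
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 5
 tunnel protection ipsec profile OTHER-PROF
"""


def parse_tunnels(config):
    """Return {name: settings} for each Tunnel interface in an IOS config."""
    tunnels, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (Tunnel\d+)\s*$", line)
        if header:
            current = tunnels.setdefault(header.group(1), {})
        elif not line.startswith(" "):
            current = None          # "!" or any other top-level line ends the block
        elif current is not None:
            words = line.split()
            if words[:2] == ["tunnel", "source"]:
                current["source"] = words[-1]
            elif words[:2] == ["tunnel", "mode"]:
                current["mgre"] = words[2:] == ["gre", "multipoint"]
            elif words[:2] == ["tunnel", "key"]:
                current["tunnel key"] = words[-1]
            elif words[:3] == ["ip", "nhrp", "network-id"]:
                current["NHRP network-id"] = words[-1]
            elif words[:2] == ["tunnel", "protection"]:
                current["shared"] = words[-1] == "shared"
    return tunnels


def audit_shared_sources(config):
    """List violations of the rule for mGRE tunnels that share a tunnel source."""
    groups = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t.get("mgre") and "source" in t:
            groups[t["source"]].append((name, t))
    findings = []
    for source, members in groups.items():
        if len(members) < 2:
            continue                # a source used by one tunnel needs no "shared"
        for name, t in members:
            if t.get("shared") is False:
                findings.append(f"{name}: tunnel protection lacks 'shared' on {source}")
        for field in ("tunnel key", "NHRP network-id"):
            seen = {}
            for name, t in members:
                value = t.get(field)
                if value is None:
                    findings.append(f"{name}: no {field} configured")
                elif value in seen:
                    findings.append(f"{name}: {field} {value} also used by {seen[value]}")
                else:
                    seen[value] = name
    return findings


if __name__ == "__main__":
    print("\n".join(audit_shared_sources(SAMPLE_CONFIG)))
```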

    I haven't studied your config, but I can tell you I have production environment using OSPF across VTI  (and GRE, and GRE/IPSec and DMVPN) tunnels without issue.  I.e. so OSPF can be okay with VTI tunnels.

  • VPN tunnels for multiple sites

    Hi, I am building new VPN tunnels for multiple sites using 2 ASR 1004, and 100 remote devices, Cisco 2800 routers.
    I am thinking of using GETVPN to do it. Am I thinking correctly? Can I use DMVPN? What else is there?
    thanks 

    Is there a need for branch to branch communication?  If so, I would go with the DMVPN option using a single tier, dual DMVPN cloud topology which will allow for spoke to spoke communication.
    Matt

  • Design question - best order of implementation

    Please see attached an existing core network infrastructure design. I am planning to implement the following:
    1. A secondary DMVPN hub (dual DMVPN hub)
    2. A secondary ASA (active/active configuration)
    3. A secondary ISP (BGP multihoming)
    What would be the best/right order to start implementing these technologies?
    Thanks,


  • Dual cloud dual hub single tier dmvpn with backup service provider

    Hi,
    I have a design issue with a WAN network. I have decided to use dual cloud dual hub single tier DMVPN topology (ref. to http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008075ea98.pdf - "Dynamic Multipoint VPN (DMVPN) Design Guide"). I have tested in lab 2 hubs and 3 spokes, applying the mentioned technology. Everything is OK, when the primary hub fails, there is only 1-3 seconds loss (3 pings).
    The problem is that each spoke and hub will have 2 service providers for WAN - primary and backup. I am still wondering which design is better and more stable to implement - using more DMVPN clouds (for the backup service provider network) or creating static IPSEC GRE tunnels in the backup links?
    Is there a guide for this case?
    What is the best practice in this case?
    Thanks in advance,
    Mladen

    Dynamic spoke-to-spoke requires your spoke routers to have mGRE tunnel interfaces. If you ever have a spoke which sources 2 tunnels from the same physical interface, you have a problem: how to resolve which tunnel is an incoming NHRP request for?
    My DMVPN is a bit different in that the crypto is GETVPN on the physical interface. There is a crypto-map applied to the physical interface and it has 2 entries which correspond to the GETVPN crypto-groups for each tunnel.
    I resolved this issue by making one of the 2 tunnels on each spoke router mGRE and the 2nd one point to point. the mGRE tunnel is preferred as primary (we use eBGP through the tunnel, so routes received through the mGRE tunnel are local-pref'd high and we AS path prepend routes advertised out the point-to-point tunnel)
    I haven't gone back and tested what happens when you have a spoke which has 2 tunnels sourced from the same interface and another spoke with 2 tunnels sourced from the same interface or from 2 different physical interfaces. The concern is that you may get a situation where one router uses Tunnel 2 for dynamic spoke-to-spoke tunneling, and the other uses Tunnel1, and that the dynamic tunnel setup fails because the crypto map cannot properly decide which crypto group to use for the incoming traffic on the router where 2 tunnels use the same physical interface.

  • DMVPN DUAL HUB SINGLE CLOUD CONFIGURATION EXAMPLE

    Hi,
    I am looking for a simple configuration for a DMVPN network running EIGRP with two hubs on a single cloud.
    Do I just create two NHS entries, NHRP map entries, and two multicast entries on the spoke router tunnel interfaces? And on the hub routers add a delay on the tunnel interfaces for the one I prefer to be the secondary?
    I am looking for confirmation and any other tweaks I need to make. I can't seem to find any examples.
    Thanks in advance!!

