EIGRP in a NBMA hub and spoke configuration ?

Hi,
Is there a way to configure EIGRP for a Frame Relay NBMA network using a hub and spoke topology ?
I'm curious that I cannot find any config examples for this, whereas with OSPF in this environment there are plenty of examples.
I'm wondering if EIGRP being a distance-vector protocol this shouldn't be attempted.
PS: I've been at this all day and have only managed to get EIGRP to work in one configuration, and that was using physical interfaces on all routers and switching off split horizon at the hub router. I used frame-relay map statements with broadcast enabled also.
Any pointers would be appreciated.
Cheers,
Phil.

Hi Phil,
Here is the configuration for the HUB router:
! hostname ABC
interface Ethernet1
 ip address 192.168.2.1 255.255.255.0
interface Serial0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
interface Serial0.1 multipoint
 ip address 192.168.1.1 255.255.255.0
 ! Split horizon disabled
 no ip split-horizon eigrp 2001
 ! Bandwidth set to the sum of the remote PVCs
 bandwidth 112
 frame-relay map ip 192.168.1.5 110 broadcast
 frame-relay map ip 192.168.1.6 130 broadcast
! EIGRP routing process
router eigrp 2001
 ! Networks running EIGRP
 network 192.168.1.0
You can have appropriate IP addressing as per your design...
You can have an easier configuration at the spoke side compared to the HUB router....
regards
Devang
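
Why split horizon has to be switched off on the hub's multipoint interface, as an added example (not part of the original posts): a small distance-vector simulation using the hub name, interface, spoke addresses and DLCIs from the configuration above. The spoke LAN prefixes are constructed, and the sketch assumes every router advertises its LAN prefix.

```python
HUB = "ABC"
HUB_ADDR = "192.168.1.1"
HUB_IF = "Serial0.1"                      # the multipoint subinterface on the hub
SPOKE_IF = "Serial0"                      # assumed interface name on each spoke
# Spoke address -> hub DLCI, taken from the frame-relay map statements above.
SPOKES = {"192.168.1.5": 110, "192.168.1.6": 130}
# Hub LAN is from the posted config; the two spoke LANs are constructed.
LANS = {HUB: "192.168.2.0/24",
        "192.168.1.5": "10.5.0.0/24",
        "192.168.1.6": "10.6.0.0/24"}


def install(table, prefix, hops, next_hop, ifname):
    """Install a route if it is new or better; return True when the table changed."""
    if prefix in table and table[prefix][0] <= hops:
        return False
    table[prefix] = (hops, next_hop, ifname)
    return True


def converge(hub_split_horizon):
    """Exchange updates until nothing changes.

    tables[router][prefix] = (hop_count, next_hop, interface the route was learned on)
    """
    tables = {r: {p: (0, "connected", None)} for r, p in LANS.items()}
    changed = True
    while changed:
        changed = False
        # Each spoke only has a PVC to the hub, so its updates reach the hub only.
        for spoke in SPOKES:
            for prefix, (hops, _, learned_if) in list(tables[spoke].items()):
                if learned_if == SPOKE_IF:
                    continue  # the spoke's own split horizon
                changed |= install(tables[HUB], prefix, hops + 1, spoke, HUB_IF)
        # The hub sends one update out Serial0.1; it is replicated onto every PVC.
        for prefix, (hops, _, learned_if) in list(tables[HUB].items()):
            if hub_split_horizon and learned_if == HUB_IF:
                continue  # learned on Serial0.1, so not advertised back out of it
            for spoke in SPOKES:
                changed |= install(tables[spoke], prefix, hops + 1, HUB_ADDR, SPOKE_IF)
    return tables


def missing_routes(hub_split_horizon):
    """Per spoke, the LAN prefixes it never learns."""
    tables = converge(hub_split_horizon)
    return {s: sorted(set(LANS.values()) - set(tables[s])) for s in SPOKES}


if __name__ == "__main__":
    print("split horizon on :", missing_routes(True))
    print("split horizon off:", missing_routes(False))
```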

Similar Messages

  • ASA Hub-and-spoke VPN dhcp-relay

    Hi!
    Has anyone implemented a solution with a hub-and-spoke IPSEC VPN (running ASA) with dhcp relay for the inside clients on the spoke, with the DHCP server on the hub site?
    Normal LAN-LAN IPSEC VPN is a bit cumbersome to configure something like below: 
    SPOKE
    <snip>
    access-list CRYPTO_ALLOWED extended permit ip INSIDE-NETWORKS any
    #ALL INTERNET ACCESS GOES THROUGH THE SPOKE SITE
    access-list CRYPTO_ALLOWED extended permit udp host OUTSIDE_IF_ADDR host HUB_DHCP_SERVER_ADDR eq bootps
    access-list CRYPTO_ALLOWED extended permit udp host OUTSIDE_IF_ADDR host HUB_DHCP_SERVER_ADDR eq bootpc
    nat (INSIDE,OUTSIDE) source static CRYPTO_ALLOWED CRYPTO_ALLOWED destination static OSKO-INTERNET OSKO-INTERNET route-lookup
    dhcprelay DHCP-SERVER outside
    dhcprelay enable INSIDE
    dhcprelay setroute INSIDE
    dhcprelay timeout 60
    HUB
    <snip>
    access-list CRYPTO_ALLOWED_TO_SPOKE extended permit ip 0.0.0.0 0.0.0.0 HUB_NETWORKS
    access-list CRYPTO_ALLOWED_TO_SPOKE extended permit udp host HUB_DHCP_SERVER_ADDR host SPOKE_OUTSIDE_ADDR eq 67
    access-list CRYPTO_ALLOWED_TO_SPOKE extended permit udp host HUB_DHCP_SERVER_ADDR host SPOKE_OUTSIDE_ADDR eq 68
    nat (INSIDE,OUTSIDE) source static ANY ANY destination static SPOKE_NETWORKS SPOKE_NETWORKS
    nat (INSIDE,OUTSIDE) source static HUB_DHCP_SERVER_ADDR HUB_DHCP_SERVER_ADDR destination static SPOKE_OUTSIDE_ADDR SPOKE_OUTSIDE_ADDR
    ### HUB INTERNET ACCESS ##
    nat (OUTSIDE,OUTSIDE) source dynamic SPOKE_NETWORKS interface
    I can't really apply this to a hub-and-spoke configuration.
    Any ideas?
    Regards
    Daniel

    Thanks. That's what I thought. I'm trying to configure this in my lab and having trouble though. Here's what I am trying to accomplish: HUB should communicate with spoke1 and spoke2 via ipsec vpn using their own internal addresses (HUB: 192.100.10.0/24, SPOKE1 10.142.0.0/24, SPOKE2 10.25.0.0/24). Communication between SPOKE1 and SPOKE2 should be nat'ed by the HUB so SPOKE2's addresses appear to be 172.16.128.0/24. SPOKE1's interesting traffic rule will allow the entire 172.16.128.0 255.255.128.0 subnet. Any new SPOKEs will use another subnet of that network. In my head I think I might need to let SPOKE2 NAT its own traffic before it gets to HUB, but I'm dealing with multiple different devices as spokes so I want to handle everything on the HUB. Ideally the HUB would translate all traffic in both directions so both business partners and clients would only need one supernet in their interesting traffic rules.

  • Frame Relay hub and spoke scenario

    See the attachment please
    Requirements:
    1.Using only physical interfaces configure a Frame Relay hub-and-spoke network between RTA and RTB and RTC, RTB as the hub.
    2.Traffic from RTA destined for RTC should transit RTB, and vice versa.
    3.Use only the DLCIs specified in the diagram.
    4.Do not use any Dynamic layer 3 to layer 2 mappings over these frame Relay connections.
    5.Do not send any redundant broadcast traffic from the spokes to the hub.
    RTB (Hub):
    interface Serial0/0
    ip address 3.1.1.2 255.255.255.0
    encapsulation frame-relay
    frame-relay map ip 3.1.1.1 200 broadcast
    frame-relay map ip 3.1.1.3 300 broadcast
    no frame-relay inverse-arp
    RTA (Spoke):
    interface Serial0/0
    ip address 3.1.1.1 255.255.255.0
    encapsulation frame-relay
    frame-relay map ip 3.1.1.2 22 broadcast
    frame-relay map ip 3.1.1.3 22
    no frame-relay inverse-arp
    RTC (Spoke):
    interface Serial1/0
    ip address 3.1.1.3 255.255.255.0
    encapsulation frame-relay
    frame-relay map ip 3.1.1.2 33 broadcast
    frame-relay map ip 3.1.1.1 33
    no frame-relay inverse-arp
    My queries:
    A- Does he use these two statements because (frame-relay map ip 3.1.1.3 22 and frame-relay map ip 3.1.1.1 33 ) of requirement number 2 ?
    B- Doesn’t he use keyword “broadcast” in these two statements (frame-relay map ip 3.1.1.3 22 and frame-relay map ip 3.1.1.1 33) because of requirement 5?
    C- Does that mean if requirement 5 is not there we should have used “broadcast“ keyword ?
    D- Does not that contradict with what Cisco says: “The broadcast keyword is commonly used with the frame relay map command” ?
    E- By using these two statements (frame-relay map ip 3.1.1.3 22 and frame-relay map ip 3.1.1.1 33) doesn’t my network become full mesh? but if you look to the diagram it is partial mesh ?

    Answers to your queries:
    A. Correct
    B. Correct
    C. That depends. In most cases, it is a good idea to have broadcasts on, especially when using routing protocols like OSPF which send traffic to multicast destinations. I would have it on most times.
    D. The recommendation from Cisco is not contradictory. The lab scenario is making you do something quite specific so you have to follow that. You don't always have to follow requirements in order to make things work.
    E. No. Full-mesh refers to a full mesh of PVCs. If there was a PVC from A to C it would be full mesh.
    Hope that helps - pls rate the post if it does.
    Paresh

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents stating about DMVPN Hub behind NAT or DMVPN Spoke behind NAT.
    But My case i involve in both situation.
    1) HUB have a Load Balancer (2 WAN Link) ISP A & B
    2) Spoke have Load Balancer (2 WAN Link) ISP A & B
    Now the requirement is Spoke ISP A Tunnel to HUB ISP A.  Spoke ISP B tunnel to HUB ISP B
    So total of two DMVPN tunnel from spoke to hub, and i will use EIGRP and PBR to select path.
    As I know at HUB site, LB must do Static NAT for HUB router IP, so spoke will point to it as tunnel destination address. At spoke LB, i will do policy route to reach HUB ISP A IP via Spoke ISP A link, HUB ISP B IP via Spoke ISP B link.
    HUB and Spoke have to create 2 tunnel with two different network ID but using same source interface.
    The Tunnel destination IP at spoke router is not directly belongs to HUB router. Its hold by HUB LB , and forwarded to HUB router by Static NAT.
    Any problem will face with this setup? Any guide?
    Sample config at HUB.
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile cisco
    Spoke Config
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.16.1.1 199.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 300
    ip nhrp nhs 172.16.1.1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 199.1.1.1
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.17.1.1 200.1.1.1
    ip nhrp network-id 2
    ip nhrp holdtime 300
    ip nhrp nhs 172.17.1.1
    delay 1500
    tunnel source FastEthernet0/0
    tunnel destination 200.1.1.1
    tunnel key 1
    tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. At the end, TAC actually assisted me with this. Before I called TAC, I did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks
    "Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum.  Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check.  In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
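
The integrity-coverage difference described in the post above, as an added example that is not part of the original thread: a simplified model that computes an AH-style and an ESP-style integrity check value over a constructed packet, then applies a TTL decrement and a source NAT. The addresses 2.2.2.2 and 3.3.3.3 are the ones named in the post; the hub address, key, SPI and payload are constructed, and HMAC-SHA-256 stands in for the negotiated integrity algorithm (the AH header's own fields and ESP encryption are left out).

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"                    # constructed integrity key
HUB = "192.0.2.1"                                # constructed hub address
SPOKE_REAL, SPOKE_NATED = "2.2.2.2", "3.3.3.3"   # addresses named in the post
AH, ESP = 51, 50                                 # IP protocol numbers


def checksum(hdr):
    """IPv4 header checksum of a 20-byte header whose checksum field is zero.

    Run over a header that already carries a valid checksum, it returns 0.
    """
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def finish(hdr, body):
    """Recompute the header checksum and return header + body."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + body


def build(src, dst, proto, body, ttl=64):
    """Build a 20-byte IPv4 header (no options) in front of body."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return finish(hdr, body)


def nat_source(packet, new_src):
    """What a NAT device does: rewrite the source address, fix the checksum."""
    hdr = packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:20]
    return finish(hdr, packet[20:])


def forward_hop(packet):
    """What every router does: decrement TTL, fix the checksum."""
    hdr = packet[:8] + bytes([packet[8] - 1]) + packet[9:20]
    return finish(hdr, packet[20:])


def icv(packet):
    """Integrity check value over the bytes each protocol protects."""
    hdr, body = bytearray(packet[:20]), packet[20:]
    if hdr[9] == AH:
        # AH covers the IP header with the mutable fields zeroed, plus the payload.
        hdr[1] = 0                  # DSCP/ToS and ECN
        hdr[6:8] = b"\x00\x00"      # flags and fragment offset
        hdr[8] = 0                  # TTL
        hdr[10:12] = b"\x00\x00"    # header checksum
        covered = bytes(hdr) + body  # source/destination addresses stay covered
    elif hdr[9] == ESP:
        covered = body              # ESP header + payload only, no outer IP header
    else:
        raise ValueError("not an AH or ESP packet")
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:16]


def survives(packet, transform):
    """True if the receiver's ICV check still passes after the in-path change."""
    return hmac.compare_digest(icv(packet), icv(transform(packet)))


def demo():
    inner = b"constructed tunnel payload"
    ah_pkt = build(SPOKE_REAL, HUB, AH, inner)
    esp_pkt = build(SPOKE_REAL, HUB, ESP, struct.pack("!II", 0x1000, 1) + inner)
    nat = lambda p: nat_source(p, SPOKE_NATED)
    return {
        "ah_survives_ttl_decrement": survives(ah_pkt, forward_hop),
        "ah_survives_nat": survives(ah_pkt, nat),
        "esp_survives_nat": survives(esp_pkt, nat),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```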

  • VPN hub and spoke topology, hub using two interfaces

    Hi,
    I'm facing a problem with Cisco ASA 5500 running software 8.4.
    I know, I know, VPN hub and spoke was already discussed many times. But all these discussions are about a hub using only one interface, the outside/public interface.
    My topology is slightly different.
    LAN-A - VPN peer A <--> (Internet) <--> (outside if)-ASA-B-(inside if) <--> (corporate network) <--> (outside if)-ASA-C-(inside if) <--> LAN-C
    VPN communication should flow between LAN-A and LAN-C.
    Phase I and phase II are working on both tunnels (A-B, B-C). Therefore cryptomaps should be right.
    IPsec SA for tunnel A-B is explicit for LAN-A and LAN-C.
    IPsec SA for tunnel B-C connects any with LAN-C.
    What I can see on ASA-B is incoming traffic from LAN-A on tunnel A-B.
    That does not trigger an SA for tunnel B-C!
    Traffic initiated from LAN-C, I can see on ASA-B as incoming traffic, SA for LAN-A to LAN-C is build up on tunnel B-C.
    Traffic seems to enter tunnel A-B as I can see outgoing traffic on ASA-B.
    Of course, NAT exemption is configured for traffic between LAN-A and LAN-C.
    Why doesn't incoming traffic from LAN-A initiate SA on tunnel B-C?
    It looks like incoming traffic from LAN-A enters ASA-B and is dropped or send anywhere but the right direction.
    I admit I'm clueless.
    Any help would be appreciated.
    Thanks folks.

    Analyzing the config files you revealed the inactive NAT exemption for traffic flow between LAN-A and LAN-C.
    Furthermore a static route for LAN-C out the inside interface was missing.
    Fixing both communication works fine.
    Thanks for the real good support.

  • AD & DNS setting for Hub and spoke network

    Hi,
    We have multiple sites connected through VPN (Hub and spoke network). Following is the site information
    Head Office (DC) ----- contoso.com ------ 192.168.100.2
    Site1 (ADC) ----- site1.contoso.com ------192.168.101.2
    Site2(RODC)----contoso.com ------192.168.102.2
    Site3(ADC)-----contoso.com ------- 192.168.103.2
    site4(ADC)-----site4.contoso.com-----192.168.104.2
    site5(ADC)-----contoso.com -------192.168.105.2
    i am trying to ping DC (contoso.com) from site4 & site site1 sometimes it's getting reply from site5 and site3 not from HO.
    How can i configure all request go to HO (192.168.100.2).
    for any other information please ask me.
    Regards,
    Kumar

    Hello,
    do you ping the domain name or the DC name? If domain name, what you see is normal, a DC will be chosen via DNS round robin and NOT a DC in that site.
    Also assure that you have configured AD sites and services according to
    http://technet.microsoft.com/en-us/library/cc730868.aspx
    http://technet.microsoft.com/en-us/library/cc755768.aspx
    http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • BPEL 10.1.2 hub-and-spoke or distributed architecture?

    Hi,
    I'm currently wrestling with the following question:
    An ESB as per definition of e.g. Forrester should be capable of supporting a distributed bus architecture. From my understanding this distributed bus architecture is achieved by installing some sort of ESB component(s) on all machines that are participating in this infrastructure, together forming a ‘bus’.
    As I understand the BPEL 10.1.2 product basically offers two categories of functionality: orchestration and integration. Does this integration part offer ESB alike functionality and more specific allows for a distributed bus architecture? As far as I can see the BPEL 10.1.2 offers limited ESB alike functionality and only supports a hub-and-spoke architecture.
    Other threads in this forum talk about using BPEL 10.1.2 together with InterConnect in order to foresee in ESB functionality. What does InterConnect add to the BPEL 10.1.2 integration functionality?
    As of SOA suite 10.1.3 these products have been split up into a BPEL product and an ESB product. Is the ESB product in SOA suite 10.1.3 a combination of the integration from BPEL 10.1.2 and InterConnect? Is this new ESB product able to support a distributed architecture?
    I’m very much in favor of a distributed architecture compared to hub-and-spoke, as hub-and-spoke requires a very solid and redundant system that is going to handling all message traffic and other functions. When moving towards a SOA giving an ESB a back-bone role, I’m not very keen on introducing a single system that should actually make up this ESB. Distributed would mean all machines are taking care of some basic functions resulting in a fully functional ESB, even when one or more machines are down.
    Am I making sense with this? I would like to know how others are looking at these topics.
    Regards,
    Gershon Janssen

    We are struggling with this issue too. The "all-pervasive" vision of the ESB visionaries, in my opinion, means that every node in my enterprise architecture should have access to the bus and I should be able to orchestrate anything that is running on any node in my architecture. We were told to think of an ESB as the equivalent of the hardware bus in computers. From that perspective I thought that:
    (1) BPEL and ESB functions would add a marginal increment to the licensing cost of an app server - I should be able to afford an "all-pervasive" architecture.
    (2) BPEL and ESB functions would add a "marginal increment" to the memory and resource foot-print. Again, I should be able to afford an "all-pervasive" architecture.
    Are these two satisfied by Oracle's products ? Some vendors don't seem to support the above two. In that case there is a disconnect between the marketing and technology departments of the vendors. What am I missing ?
    If BPEL engines and ESBs are priced very high, based on economics we will end up with a hub-and-spoke model.
    Thanks

  • Multiple Spanning Tree in a Hub and Spoke topology?

    My company is planning to implement Multiple Spanning tree into our hub and spoke topology. Is that possible?
    Should I divide up the vlans into instances based on assigned switch or assigned department?
    Thank You.

    hi, everyone,
    i have search a internet draft to describe this situation, "Using an LSA Options Bit to Prevent Looping in BGP/MPLS IP VPNs", from "http://www.ietf.org/internet-drafts/draft-ietf-ospf-2547-dnbit-03.txt"
    does anyone can tell me how can disable this function and clear the "DN" bit on a cisco router? thanks very much.

  • Hub and Spoke between SA540 and RV120

    Hello.
    I want to build a "hub and spoke" topology for one of my clients.
    For the "HUB" , I'm planning to use an SA540, with a static public IP provided by a 4Mb SDSL.
    For the "spokes" (21 at the moment), I'm planning to use RV120. They will be behind a NAT, provided by a "SAGEM LIVEBOX", and a static public IP.
    The boss will connect to the HUB using Cisco VPN client, or quickVPN, and get access to all the spokes.
    Some spokes will have to connect to each other, via the HUB.
    I searched a long time on this forum and reading documentation, but I didn't find at the moment the answer to my question: is this topology suitable with the chosen hardware?
    Alain

    Alain,
    I would contact someone with the enterprise group with the questions on which enterprise router to use with your topology; I would expect a Cisco ASA5505 or ASA5510 with proper licensing would accomplish this at main office and cisco 800 series at remote offices. For your spokes(remote offices) the RV120 or RVS4000 should work fine if you are trying to route traffic from remote office to main office only. If you are looking to route traffic from remote office to main office then to another remote office. You would need to go all enterprise small business devices. In our small business routers we can’t specify to route traffic to another subnet across the IPSec tunnel. When we make the IPSec tunnel it creates the routes in routing table to the remote host. So we can only route traffic to directly connect IPSec tunnel host. If you need further clarification you can give us a call.
    SBSC
    1-866-606-1866
    TAC (Enterprise Group)
    1-800-553-2447
    Main office (ASA5505 – ASA5510) --- (Cisco 800 Series) = Remote office
    Please clarify with enterprise group.
    Thanks
    Jasbryan
    Cisco Support Engineer

  • Hub and Spoke IPSec VPN

    Guys,
    When it comes to creating a site to site VPN on Cisco IOS, I have a clear understanding of that from a 1-1 perspective. However, I now need to extend that site to site VPN to have now more like a hub and spoke, 1 to many.
    So basically for a 1 to 1 site mapping I would do something like below. I would appreciate some suggestions on how to extend this or redesign it to suit. Thanks
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key nik address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set mySet ah-md5-hmac
    crypto map myMap 5 ipsec-isakmp
    set peer xx.0.0.2
    set transform-set mySet
    match address CW-VIC
    interface FastEthernet0/0
    ip address xx.0.0.2 255.255.255.x
    duplex auto
    speed auto
    crypto map myMap
    ip access-list extended VPN-TRAF
    permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

    Guys,
    I've figured this out.
    For anyone else in the future having this issue
    While you cannot add more than one crypto map to the interface, you can add numbers at the end of the map.
    --- PEER 1
    crypto map myMap 5 ipsec-isakmp
    set peer X0.0.0.2
    set transform-set mySet
    match address 100
    access-list 100 permit ip 172.30.0.0 0.0.255.255 172.17.10.0 0.0.0.255
    --- PEER 2
    crypto map myMap 20 ipsec-isakmp
    set peer Y0.0.0.2
    set transform-set mySet
    match address 102
    access-list 102 permit ip 172.30.0.0 0.0.255.255 172.16.10.0 0.0.0.255
    Hope this helps someone in the future

  • IPv6 WAN Adresses on DMVPN Hubs and Spokes

    Hi,
    I have one question about IPv6 and DMVPN. Let's assume we have a DMVPN Hub Site running IPv6 IP addresses on the WAN Interfaces and Spoke Sites running either IPv4 or IPv6 IP adresses on their WAN Interfaces.
    In IPv4 only Networks, the Tunnel Konfiguration looked like that:
    interface Tunnel 1
    <...>
    ip nhrp map multicast <IPv4 NMBA>
    ip nhrp map 10.0.10.1 <IPv4 NMBA>
    There are IPv6 nhrp commands as well, but they can only map an IPv6 Address to an IPv4 NMBA:
    interface Tunnel1
    <...>
    ipv6 nhrp map multicast <IPv4 NMBA>
    ipv6 nhrp map <IPv6 Tunnel Adress> <IPv4 NMBA>
    I'm wondering how you would configure DMVPN for a network using IPv6 on their WAN Interfaces ??
    Best regards,
    Thomas

    Thomas,
    VTI1(config-if)#ip nhrp map 1.2.3.4 ?
      A.B.C.D     IP NBMA address
      A.B.C.D     IP mask of destination
      X:X:X:X::X  IPv6 NBMA address
    and
    VTI1(config-if)#ipv6 nhrp map 2001:db8::1/128 ?
      A.B.C.D     IPv4 NBMA address
      X:X:X:X::X  IPv6 NBMA address
    I _seem_to_remember_ this was added in 15.2T  but can't find it back.
    M.

  • Best practises for Hub and spoke Metro Ethernet network

    Hi there,
    It is my first MAN deployment. I will use the 6513 as the core switch and the 3550 as the edge switches to the customer.
    The customer has 9 locations. The customer asked for interconnection between the 9 locations and his Data center in his HQ.
    Additionally his Internet connection is at the HQ too.
    What is the best practice to architect this solution addressing security? How I deploy VLANs (like one vlan for the internet, one vlan for each department, one management vlan. Etc)
    Any advises

    Hi Sam,
    Let me add my two cents here, when speaking about MAN deployments the name of the game is MPLS, so I guess you are using the same on your Cat 6500s and connecting your customers on 3550s using Vlans.
    Regarding your questions:
    a) Upgrading Ethernet to L3 for traffic shaping: This is basically done at 3550, so I suppose that's what you intend to do, plus you will be letting Spokes talk to only Hub site, so inter Vlan, at least between Hub and each spoke will be required, hence inter vlan routing. Other way is to configure P2P circuits between Hub site with Vlan mapping (per spoke) and Spoke sites with Port mapping, in this scenario Inter Vlan routing is not a necessity.
    b) Security: This depends on what exact architecture you have deployed, in my case I have simply installed a Gateway router with BGP peering with PEs, a separate VRF along with redistribution does the trick.
    Hope I addressed the query correctly, let me know if that helped..
    Cheers
    ~sultan

  • Dual ISP Hub and Spoke DMVPN

    Hello All,
    I am trying to build a DMVPN solution for two sites each with secondary ISPs.
    The solution works "sort of", but doesn't seem very robust (sometimes a router reload is required if VPN doesn't come up after ISP failover)
    I was wondering if anyone had any suggestions to my config below?
    Thanks!
    !!!!HUB!!!!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    !
    !
    crypto isakmp policy 3
     hash md5
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    !
    crypto ipsec profile dmvpn
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    crypto ipsec profile dmvpn2
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    !
    interface Tunnel0
     ip address 10.255.255.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 6
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 545
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel1
     ip address 10.255.254.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 7
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 546
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface Tunnel2
     ip address 10.255.253.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 8
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 547
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel3
     ip address 10.255.252.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 9
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 548
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface FastEthernet0/0/0
     description Secondary ISP
     ip address 199.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface VLAN1
     description LAN
     ip address 192.168.1.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     description Primary ISP
     ip address 200.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 53
     network 10.255.252.0 0.0.0.255
     network 10.255.253.0 0.0.0.255
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 192.168.1.0
     eigrp stub connected
     no auto-summary
    !
    !
    ip route 0.0.0.0 0.0.0.0 199.1.1.2 5
    ip route 0.0.0.0 0.0.0.0 200.1.1.2
    !
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    end
    !!!SPOKE!!!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    !
    !
    crypto isakmp policy 3
     hash md5
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    !
    crypto ipsec profile dmvpn
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    crypto ipsec profile dmvpn2
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    !
    !
    interface VLAN1
     ip address 192.168.0.1 255.255.255.0
     no ip redirects
    !
    interface Tunnel0
     ip address 10.255.255.5 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication secret1
     ip nhrp map 10.255.255.1 200.1.1.1
     ip nhrp map multicast 200.1.1.1
     ip nhrp network-id 6
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.255.1
     ip nhrp registration timeout 30
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 545
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel1
     ip address 10.255.254.5 255.255.255.0
     no ip redirects
     ip mtu 1440
     ip nhrp authentication secret1
     ip nhrp map 10.255.254.1 199.1.1.1
     ip nhrp map multicast 199.1.1.1
     ip nhrp network-id 7
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.254.1
     delay 1500
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 546
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel2
     ip address 10.255.253.5 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication secret1
     ip nhrp map multicast 200.1.1.1
     ip nhrp map 10.255.253.1 200.1.1.1
     ip nhrp network-id 8
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.253.1
     ip nhrp registration timeout 30
     delay 1000
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 547
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface Tunnel3
     ip address 10.255.252.5 255.255.255.0
     no ip redirects
     ip mtu 1440
     ip nhrp authentication secret1
     ip nhrp map multicast 199.1.1.1
     ip nhrp map 10.255.252.1 199.1.1.1
     ip nhrp network-id 9
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.252.1
     delay 1500
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 548
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface FastEthernet0/0/0
     description Secondary Internet
     ip address 201.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description Primary Internet
     ip address 201.2.2.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 53
     distribute-list 1 out
     network 10.255.252.0 0.0.0.255
     network 10.255.253.0 0.0.0.255
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 192.168.0.0
     offset-list 1 out 12800 Tunnel1
     eigrp stub connected
     no auto-summary
    !
    !
    ip route 0.0.0.0 0.0.0.0 201.2.2.2
    ip route 0.0.0.0 0.0.0.0 201.1.1.2 5
    !
    !
    access-list 1 permit 192.168.0.0
    access-list 1 permit 10.255.255.0 0.0.0.255
    access-list 1 permit 10.255.254.0 0.0.0.255
    access-list 1 permit 10.255.253.0 0.0.0.255
    access-list 1 permit 10.255.252.0 0.0.0.255
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    end

    Hello,
    Thanks for the response!
    I left the stub on the hub while troubleshooting, it has since been removed.
    By DPD, do you mean "crypto isakmp keepalive 10 periodic"? 
    I've since added that (spoke and hub) and while the tunnels work great (they fail over, can ping 10.255.25x.x) the routes do not update, which led me to believe it's an EIGRP problem. Is there something else I should do for DPD?
    Thanks again
    Will
    Can't edit the original post, so:
    !Hub
    crypto isakmp keepalive 10 periodic
    router eigrp 53
    network 10.255.252.0 0.0.0.255
    network 10.255.253.0 0.0.0.255
    network 10.255.254.0 0.0.0.255
    network 10.255.255.0 0.0.0.255
    network 192.168.1.0
    no auto-summary
    !Spoke
    crypto isakmp keepalive 10 periodic
    router eigrp 53
    network 10.255.252.0 0.0.0.255
    network 10.255.253.0 0.0.0.255
    network 10.255.254.0 0.0.0.255
    network 10.255.255.0 0.0.0.255
    network 192.168.0.0
    eigrp stub connected
    no auto-summary

  • The best solution? Hub-and-spoke, Peer-to-peer, Multi-cast?

    By the best solution, I mean in terms of price and quality (latency, minimum lag, etc)
    App type: Video conferencing
    Platforms: PC, Mobile (Android, iOS) [If mobile support would reduce performance or increase costs, I am willing to scrap it]
    Users: There will be 5 - 30 users logged into the service in the same room at a time. And a maximum of  5 - 7 users in that room will have their webcam's on at any given time.
    My main concern is performance, Since I might make it a paid service in the future, I don't think users would pay for something that has a lot of lag or trailing effects.
    So I was hoping to get some advice on how I should set it up and pros and cons in respect to LCCS


  • USB Hub and FireWires Configuration

    How can I identify if my USB hub and FireWires are the authentic configuration? I have 2 hubs connected and am not sure what the configuration is like from Apple and whether someone is connected to my iMac.

    Nobody could connect to your USB or Firewire without a cable; the only way someone could connect to your Mac would be with a cable, or WiFi/AirPort to your computer or router.
