Replacing the DMVPN hub router

Similar Messages

• DMVPN Hub Router Placement

  Any docs regarding best practices for placement of DMVPN Hub router. Should it be placed behind firewall, in a DMZ off of firewall or in parallel to firewall.
  Thanks in advance for any input.

  Paul,
  Check out Cisco Validated Design Solutions for best practices. Especially, the one for "Secure WAN".
  http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/networking_solutions_products_genericcontent0900aecd805f65bf.html
  Regards,
  Arul
  *Pls rate if it helps*

• DMVPN HUB router behind NAT

  we are getting new sip trunks put in and in order for the provider to put them in the Providor put in a router to control all web traffic so they can QOS the voice that means our VPN routers will go behind the nat barrier. but when i switched the routers interface to the natted address the DMVPN tunnels would not build. there is a nat translation to the routers so the external(route-able) IP did not change. the IPsec tunnels did come up just fine. just the few DMVPN connected tunnels did not.
  if issue a "sh DMVPN" the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel addr is what it should be, also the attrb is  "X"
  Tunnel source i have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth"
  i am at a loss on why this was not working. keep in mind this is the HUB router and not the Spoke.

  Here is some additional infor to help
  hub config:
  interface Tunnel0
   bandwidth 512
   ip address "hubtunnelIP" 255.255.255.0
   no ip redirects
   ip nhrp authentication "XXX"
   ip nhrp map multicast dynamic
   ip nhrp network-id 1
   tunnel source GigabitEthernet0/1
   tunnel mode gre multipoint
   tunnel protection ipsec profile net1
  crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth
  crypto ipsec transform-set "mytransfromset" esp-des esp-md5-hmac
   mode transport
  crypto ipsec profile net1
   set transform-set "mytransformset"
  Spoke config:
  crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth
  crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
   mode tunnel
  crypto ipsec nat-transparency spi-matching
  crypto ipsec profile net1
   set transform-set "mytransformset"
  interface Tunnel0
   bandwidth 512
   ip address "spoketunnelIP" 255.255.255.0
   no ip redirects
   ip nhrp authentication "XXX"
   ip nhrp map multicast "Remote IP"
   ip nhrp map "hubtunnelIP" "Remote IP"
   ip nhrp network-id 1
   ip nhrp nhs "hubtunnelIP"
   tunnel source GigabitEthernet0/1
   tunnel mode gre multipoint
   tunnel protection ipsec profile net1 shared

• DMVPN Hub Router QoS

  Hello DMVPN Experts,
  As we knew DMVPN Hub routers can have per-tunnel QoS configuration for the spokes.
  But I am not sure the QoS configuration for the Hub site itself. I assume it should be seperated from the per-tunnel QoS and the service-policy should be applied at the physical WAN interfaces and tunnel interfaces? Need help please. Some sample configuration would be appreciated.
  Thanks
  Cedar

  Hi Joseph,
  I am afraid I am having a bit difficulty to understand and would like to hear more if you don't mind.
  We are on the same page that Per-Tunnel QoS let the spokes to control the traffics toward the hub site, which is considered inbound traffic from the WAN/Tunnel interfaces of hub router point of view. However, in order to control the inbound and/or outbound traffic of the WAN/Tunnel interfaces of the hub router, how should we configure seperate QoS configuration other than Per-Tunnel QoS templates, if we should? 
  Here is what I know so far based on ASR1000 document.
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/asr1000/sec-conn-dmvpn-xe-3s-asr1000-book/sec-conn-dmvpn-per-tunnel-qos.html
  Restrictions for Per-Tunnel QoS for DMVPN
  • The class default shaper with the QoS service policy on a physical interface that is applied to the DMVPN tunnel does not support point-to-point generic routing encapsulation (GRE) tunnels, shaper on physical interfaces, and shaper on VLAN/subinterfaces.
  • QoS on a physical interface is limited only to the class default shaper on the physical interface. No other QoS configurations on the physical interface are supported when two separate QoS policies are applied to the physical and tunnel interfaces.
  • Addition of a QoS policy with a class default shaper on a physical interface is not supported when multiple QoS policies are utilized.
  • You can attach a per-tunnel QoS policy on the tunnel only in the egress direction.
  • The class default shaper policy map on the main interface must be applied before the tunnel policy map is applied.
  • The class default shaper policy map must contain only the class class-default and shape commands.
  • The main interface policy map is checked for validity only when a QoS service policy is applied on the tunnel interface. The main interface policy map is not checked during a tunnel move or modification.
  • Adding new classes or features to the main interface policy map is not supported. Doing so, however, will not be blocked.
  After reading the above document, my understanding is that
  1. We could have seperate policy map for physical WAN interface.
  2. The policy-map for the physical WAN interface is limited to a class default shaper only.
  3. The policy-map for physical WAN interface must be applied at the physical WAN interface before the tunnel policy-maps are applied at the tunnel interface.
  But I am not 100% sure if it's correct.
  Thanks,
  Cedar

• DMVPN Hub router with static NAT

  Hi everyone,
  I'm trying to setup a lab enviroment to stablish a DMVPN. I have two routers CISCO 2811, IOS version 12.4(3j). I need to configure those routers to stablish a DMVPN. For the spoke router, I have have an ISP that provides dynamic addressing. For the hub router, I have a public static IP address assignde by the ISP. But I have a Watchguard firewall in the middle doing static 1-to-1 NAT for that address. Now the questions are:
  1) Can I stablish the DMVPN between the routers with that firewall in the middle?
  2) In case it is possible, what will the physical hub address be? And is there something I need to change on the firewall configuration?
  3) In case it isn't possible, what other options do I have to stablish a VPN tunnel between the routers in those conditions?
  Is there is anything else you need to know to understand the situation, please ask. I haven't configure neither of the routers yet, because I think I need to be sure of these concepts first. Thanks for any help you could bring.
  Gustavo

  !

• Can time capsule replace the Verizon MI424WR router as router?

  Im looking at getting a time capsule from apple and i was wondering if it can replace the MI424WR router. when i first got fios, they said i had to get rid of my old router so im a bit weary about switching.

  Yes, I believe you can
  See as need be: http://www.verizonfioswiki.com/index.php/Using_Your_Own_Router
  If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

• Will a time capsule work connected to a Sky wireless router, or should time capsule replace the Sky wireless router

  I cant work out whether I should connect my new time capsule to my existing Sky wireless boadbannd router, or does the time capsule kit replace my Sky
  router .I would really appreciate a none technical answer to my dilema before I open the box.

  It depends on what the sky router exactly is..
  If it is a modem, then you definitely have to keep it.. is it satellite or some sort of wireless internet??
  If it is a router that plugs into an existing modem then in all  likelihood the TC can replace it.
  If the sky router can be bridged then the sky router can be kept but the TC work as the router.
  And finally even if the sky router is locked and you cannot do anything.. the TC can still work as a bridged device to provide backup and wireless connection within your network.
  So however the situation it is possible to use your TC.

• Running DMVPN Hub and Spoke on same router?

  My client has a project in which traffic flow is hierarchial in nature.  Using DMVPNs, the design is for a "center" router to be a DMVPN spoke to the cloud above it, and a DMVPN Hub to the cloud below it.  I have tried to lab this up, but no success.  I initially build the center router as a DMVPN spoke to teh upper cloud and all is well.  As soon as I had the second tunnel config (as the DMVPN hub to the lower cloud), the first tunnel goes down and my EIGRP flaps.  Im running EIGRP across the DMVPN tunnels.  The two DMVPN clouds are using different network IDs and are running separate EIGRP routing instances.
  I can post configs if desired - just wanted to see if anyone is doing this or knows whether it is possible. 
  Jeff          

  Hi,
  I know it is possible using two DMVPN clouds, but it seems that you need DMVPN phase 3 in this situation. This is suitable for the hierarchical model you want. Take a look at the following link
  http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html
  Hope this helps.

• DMVPN Default routes (over internet and over tunnel)

  Hello all,
  I want to implement a DMVPN (using OSPF) solution in which all routers are connected to the internet and all of then have dynamic IP addresses (except hub). Because of this each router have a default gateway pointing to the ISP IP address.
  With this solution I want a spoke to skope topology and I also want all customer internet traffic to go via central site. The problem is that I need a defaut route to reach other spokes and this way traffic to internet via central site does not use the tunnel.
  Is there any feature that alow to overcome this situation?
  Regards,
  João Carvalho

  Absolutely. You can do this easily with VRF Lite. Configure a separate VRF for your customer, place the tunnel interface and the customer's VLAN into the VRF and run your OSPF process within the VRF. This allows the router's global routing table to keep a default gateway to the ISP, but lets you define the customer's default gateway as the DMVPN hub. I have a dual-hub DMVPN network with a couple of hundred sites using exactly this approach.

• Bt Infinity Hub replacment and reseting hub questi...

  Hi all
  I was wanting to ask a couple of questions about the hub
  Q1 I have read many times on here that when people have speed problems to reset the home hub to sort it out. The question is why ? I would of thought reseting the openreach modem would sort out your speeds and not the home hub router as its just a router why would the hub effect your speeds and how does reseting the hubg fix this ?
  Q2 I have read that you can use other routers with a wan port to replace the home hib which i own a netgear DGN3700 which i have not tried yet. I herd this can increse or decrease your line speeds is this true and if so how as i thought again the modem would do this and not the router ?
  Q3 I have had my bt infinity installed for 3 days and wanted to know is it best to wait for the 10 days for the line to get a fixed speed before replacing the home hub with your own router ot does this not make any difference to your line syncs, can it effect the 10 day line test period.
  any help on the subject would be great
  thanks
  [URL=http://www.speedtest.net][IMG]http://www.speedtest.net/result/2759601729.png[/IMG][/URL]

  what do you mean power the modem ofF with the dsl cable ?
  so what your saying is i need a good replacment router to make sure there is no bottleneck to the modem to keep getting my 76mb speeds
   i was lokking at the
  netgear DGN3700v2
  or
  Asus RT-AC66U
          RT-AC56U
          RT-N66U
  the bt hub 4 is ok but wanted somthing with a few more options. would there be anyproblems if i replaced the hub 4 ? should i wait till my 10days of line testing to be over first before i replace the router.
  you said Hubs appear to slow down sometimes as they are remotely managed by BT via motive.com is this the same for any hub not just BTs hubs.
  why are they remotely managed anyway ?
  thanks
  [URL=http://www.speedtest.net][IMG]http://www.speedtest.net/result/2759601729.png[/IMG][/URL]

• How do you replace a Virgin wireless router with a time capsule?

  Hi Folks
  i have just bought a brand new 1tb time capsule yesterday and im trying to connect it too my virgin modem and replace the virgin wireless router i already have.....i thought it would be an easy setup of just plugging in the ethernet cable into the time capsule..but this has not worked??..can this be done?? i have restarted all devices too!...i am now clueless!
  the the time capsule has backed up my hard drive (mac book pro) with no problems!
  kind regards
  kathdol

  Are you talking about a separate modem and Virgin router, rather than their wretched 'Superhub' (modem and router combined) - the latter is a whole different can of worms.
  Assuming the former, you should be able to remove the Virgin router and plug your Time Capsule into the modem: you will need to power down the modem and leave it for a few minutes (to forget the MAC address of the Virgin router), then plug in the TC and power up the modem. Make sure that the TC is set to 'Share a public IP number', not 'Distribute a range of IP numbers' or 'Bridge mode'. (If the interface is the same as the Airport Express it's 'Manual Setup'>'Internet' (in the toolbar)>Internet settings.

• DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

  Hi Guys,
  I'm in a mess, I have  Cisco 877-K9 router which sits behind an ASA 5510 FW.
  The Design :
  Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
  ||
  ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
  ||
  Switch
  ||
  LAN
  Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa.
  I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not  able to ping any LAN IP at Spoke site nor am I able to ping my LAN from  any Spoke site.
  I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
  Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
  Thanks,
  Aj.

  Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
  All the troubleshooting was done before posting the problem, and to clearify the things, Please find below the results.
  1) what RProtocol r u using?
  a) It's OSPF
  2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
  a) I did the "show ip route" and bothe the HUB and Spokes get their routes defined
      (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I coudln't get routes advertised on spokes)
      (I changed to "redistribute static subnests" and I was able to get Hub routes advertised")
  3) are your tunnels config correctly? try show crypto ipsec sa
  a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
  4) on your hub'spoke do a debug ip icmp
  a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
  I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
  Additional to the info above, Please also note :
  I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
  So I guess I'm stuck on the point that My Cisco HUB is unable to talk to  my LAN, If I can get the HUB to talk to the internal LAN, I would be  able to ping clients on LAN from any Spoke or clients behind Spokes.
  From HUB router I'm able to ping clients behind Spokes.
  Does that give any Ideas ?
  Thanks in Advance.
  Aj.

• DMVPN Hub on HSRP standby router

  I was wondering if a DMVPN Hub was able to provide redundancy on an HSRP standby router.
  I currently have an active tunnel to the standby, but am unable to update EIGRP..
  Thank You in adavnce..

  Check GRE keepalives is enabled or not, if enabled remove that, then check the routing updates.
  Check whether you allowed ESP, UDP 500, UDP 4500 and GRE on your access-list.
  Also Adjust the MTU size, using the cmd ?ip tcp adjust-mss 1360?
  Try these links:
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml#eigrp
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a0080087026.html

• My itunes 11 Home sharing is not working with my windows 7 PC and iPad it shows up on iPad and when I go to share the music app does loading for 3 mins and crashes I am using a virgin super hub router please please please help

  My itunes 11 Home sharing is not working with my windows 7 PC and iPad it shows up on iPad and when I go to share the music app does loading for 3 mins and crashes I am using a virgin super hub router please please please help

  My itunes 11 Home sharing is not working with my windows 7 PC and iPad it shows up on iPad and when I go to share the music app does loading for 3 mins and crashes I am using a virgin super hub router please please please help

• I recently replaced my dead airport router with a netgear91-5g router and synced it successfully to my Lexmark Pro 915 printer and my computer and yet when I try to print wirelessly I get the message: "printer not connected; printer offline".

  I recently replaced my dead airport router with a Netgear91-5g router and synced it successfully to my Lexmark Pro 915 printer and my computer; yet when I try to print wirelessly I get the message: "printer not connected; printer offline". Lexmark support verified that my printer was connected to the new router and the problem was with the computer's printer configuration and they could reconfigure it online if I paid for their "Premium Support" services ($119 for one year, 3 fixes). I declined, feeling sure that this is something I could do if I knew how. Could it be an incompatability issue with OS 10.8.3?

  You saved me $$$ that I can ill afford on my fixed income. I was very unhappy with the "support" from Lexmark... what a rip off!  Thank you dwb!