Cisco ASR Series DMVPN Phase 3 Support

Hello

Do you know whether the Cisco ASR routers now support DMVPN Phase 3, or when they will?

Although the Cisco documentation shows no support for the ASR, you can see the NHRP shortcut and redirect commands in the IOS of the ASR. I have it configured, but it doesn't seem to work.

Thank you very much

Best regards

DMVPN Phase 3 is supported from version 2.5 onward.

If you are already running this version or later, please open a TAC case so the issue can be investigated further.

Tags: Cisco Security

Similar Questions

  • DMVPN Phases

    I'm a little confused now, because I realized that I can't understand DMVPN phases.

    Can someone explain to me what the difference is between a full-mesh and a hub-and-spoke network?

    (1) Hub-and-spoke network - all DMVPN traffic goes through the hub, is that right? And the difference between dynamic and static VPN is that IPsec tunnels are only created when necessary?

    (2) Full-mesh network - spokes ask the hub for its NHRP table and establish direct tunnels (traffic passes from spoke to spoke)?

    If this information is correct, where can I find a guide to configuring DMVPN as a full-mesh network?

    I found this guide http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801982ae.shtml , but it seems to me that this is an example of hub-and-spoke!

    Thank you very much in advance!

    Hi Dimitri.

    Question 1:

    All traffic passes through the hub - OK

    The tunnels are only created when needed between spokes - correct

    Question 2:

    Correct

    http://Cisco.com/en/us/Tech/tk583/TK372/technologies_white_paper09186a008018983e.shtml

    Please take a look at the link given above.

    Excerpt from the link above

    "NHRP provides the ability for the spoke routers to dynamically learn the exterior physical interface address of the other spoke routers in the VPN network." This means that a spoke router will have enough information to dynamically build an IPsec+mGRE tunnel directly to other spoke routers.

    The dynamic IP routing protocol running on the hub router can be configured to reflect the routes learned from one spoke back out the same interface to all of the other spokes, but the IP next hop on these routes will usually be the hub router, not the spoke router from which the hub learned this route.

    The dynamic routing protocols (RIP, OSPF and EIGRP) need to be configured on the hub router to advertise the routes back out the mGRE tunnel interface, and to set the IP next hop to the originating spoke router for routes learned from one spoke when the route is advertised back out to the other spokes.

    The following are the requirements for the routing protocol configurations.

    RIP

    You need to disable split horizon on the mGRE tunnel interface on the hub; otherwise, RIP will not advertise routes learned via the mGRE interface back out that same interface.

    no ip split-horizon

    No other changes are needed. RIP will automatically use the original IP next hop on routes that it advertises back out the same interface where it learned these routes.

    EIGRP

    You need to disable split horizon on the mGRE tunnel interface on the hub; otherwise, EIGRP will not advertise routes learned via the mGRE interface back out that same interface.

    no ip split-horizon eigrp <as>

    By default, EIGRP will set the IP next hop to be the hub router for routes that it is advertising, even when advertising those routes back out the same interface where it learned them. Therefore, in this case you need the following configuration command to instruct EIGRP to use the original IP next hop when advertising these routes.

    no ip next-hop-self eigrp <as>

    Note: The no ip next-hop-self eigrp <as> command will be available from Cisco IOS Release 12.3(2). For Cisco IOS Releases 12.2(13)T and 12.3(2), you must do the following:

    * If spoke-to-spoke dynamic tunnels are not wanted, then the above command is not necessary.

    * If spoke-to-spoke dynamic tunnels are wanted, then you must use process switching on the tunnel interface on the spoke routers.

    * Otherwise, you will need to use a different routing protocol over the DMVPN.

    OSPF

    Because OSPF is a link-state routing protocol, there are no split horizon issues. Normally, for multipoint interfaces, you configure the OSPF network type to be point-to-multipoint, but this would cause OSPF to add host routes to the routing table on the spoke routers. These host routes would cause packets destined to networks behind other spoke routers to be forwarded via the hub, rather than forwarded directly to the other spoke. To work around this problem, configure the OSPF network type to be broadcast using the command.

    ip ospf network broadcast

    You must also make sure that the hub router will be the designated router (DR) for the IPsec+mGRE network. This is done by setting the OSPF priority to be greater than 1 on the hub and 0 on the spokes.

    * Hub: ip ospf priority 2

    * Spoke: ip ospf priority 0

    * END OF THE EXCERPT *

    Hope that explains it.

    Please rate this post if it helps.

    Gilbert
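
    The hub and spoke requirements from the excerpt above, combined into one IOS configuration sketch. This is an added example, not part of the original post or of the Cisco document it quotes; the addresses, interface names, EIGRP AS 1, NHRP network ID 1 and the IPsec profile name DMVPN-PROF (assumed to be defined elsewhere) are constructed lab values.

    ```ios
    ! Added example; all values are constructed lab values.
    ! Tunnel subnet 10.0.0.0/24, hub NBMA address 192.0.2.1.
    !
    ! ----- Hub, EIGRP AS 1 over the mGRE tunnel -----
    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ! Re-advertise spoke routes out the interface they were learned on
     no ip split-horizon eigrp 1
     ! Keep the originating spoke as next hop instead of the hub
     no ip next-hop-self eigrp 1
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN-PROF
    !
    ! ----- Hub, OSPF variant: replaces the two EIGRP lines above -----
    interface Tunnel0
     ip ospf network broadcast
     ! Highest priority on the segment, so the hub is elected DR
     ip ospf priority 2
    !
    ! ----- Hub, RIP variant: the only change needed -----
    interface Tunnel0
     no ip split-horizon
    !
    ! ----- Spoke (OSPF lines apply only when OSPF runs over the DMVPN) -----
    interface Tunnel0
     ip address 10.0.0.11 255.255.255.0
     ip nhrp map 10.0.0.1 192.0.2.1
     ip nhrp map multicast 192.0.2.1
     ip nhrp nhs 10.0.0.1
     ip nhrp network-id 1
     ip ospf network broadcast
     ! Priority 0: a spoke can never become DR or BDR
     ip ospf priority 0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN-PROF
    ```

    With these settings, `show ip route` on a spoke should list the remote spoke's tunnel address, not 10.0.0.1, as the next hop for networks behind other spokes.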

  • Cisco 526 Wireless Express Mobility Controller supports AIR-LAP1140N?

    Does anyone know if the Cisco 526 Wireless Express Mobility Controller supports the AIR-LAP1140N access points?

    It doesn't. The WLC526 supports only the AP521.

    HTH,

    Steve

  • Cisco ESP 540 series

    Hello

    Will the products in the ESP 540 series line (541w etc.) ever support IPv6 features or remote VPN (SSL VPN or Cisco QuickVPN, for example)? If so, is there a time frame?

    Thank you

    Gabriel

    Hi Gabriel,

    Yes, frames are supported on both WAN and LAN GE interfaces.  You can choose from the options 1522, 2048 and 10240 bytes.

    The product was first available in October 2010.

    Kind regards

    Andy

  • Cisco Unified Communications Applications VMware Tools support

    I have a vSphere ESXi 6.0 U2 deployment, whose hosts carry VMware Tools 10.0.6.

    After the upgrade of all my UC apps (CUCM, CUC, IMP, UCCX*... that one is the exception, because it will not update), they initially showed VMware Tools as running and up to date.  But after an operating system restart of each, VMware Tools is no longer running...

    Can anyone comment?

    DocWiki pages such as:

    - http://docwiki.cisco.com/wiki/Virtualization_for_Cisco_Unified_Communica...

    - http://docwiki.cisco.com/wiki/Virtualization_for_Unified_CM_IM_and_Presence

    indicate that they support ESXi 6.0, so the tools are surely supported...

    Any comments from anyone?

    Has anyone else running vSphere ESXi 6.0 U2 pushed its tools to their UC applications?

    Hi Michael,

    I would go ahead and pursue this with TAC, as there are a number of bugs related to the VMware Tools upgrade to any 10.0 version. This one is a severity 2 bug:

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCux90747

    VMware Tools 10.0 upgrade fails on CUCM 10.5/11.0 with SELinux denials
    Symptom:
    VMware Tools upgrade fails due to various SELinux denials. The VI Client shows the tools status as not running, not installed.

  • Cisco C Series top bar in presentation mode

    In presentation mode, the C Series codec displays a status bar overlay (IP address, Cisco logo, time, etc.).

    Unfortunately, this can be a source of distraction or, worse, can cover parts of the presentation for the local audience.

    Is it possible to remove this bar?

    Eric,

    This has been fixed in a later version of TC5.x, see below for more details.

    CSCtx15428: the top bar is always visible, even in full screen and in calls

    Symptom:
    Banner with Cisco logo and clock widget appears on the display when in a call.
    Conditions:
    Running TC software before TC 5.0, and a device connected over HDMI loses connection and is reconnected.
    Workaround:
    Perform a factory reset of the device.
    Alternative procedure via GUI:
    1) Connect to the web interface of the codec.
    2) Go to Advanced Configuration > output > HDMI > OverscanLevel
    3) Change the OverscanLevel to high and save. The video will be reduced to the middle of the screen.
    4) Change the OverscanLevel to zero, as it was before, and save. The video will return to normal.
    The widgets and Cisco header should be gone.

  • Cisco IOS Certificate Server - is it supported on 857/877 routers

    Please can someone confirm whether the Cisco IOS Certificate Server feature is supported on the Cisco 857 router. We have checked with the Software Advisor and no image is listed for the 857 when the IOS Certificate Server feature is selected, but the advancedipservices image v12.4(11)T comes up for the 877.

    Both the 857 and the 877 support IOS Certificate Server.

    For the 857 you need the ADVANCED SECURITY feature set, 12.3(14)YT

    http://Tools.Cisco.com/ITDIT/CFN/dispatch?Act=feature&ImageID=619356&platformFamily=306&featureSet=8&featureSelected=2208&availSoftwares=iOS

    The 877 offers more IOS images with Certificate Server support; when I chose the Cisco IOS Certificate Server feature in Feature Navigator, I got a lot of IOS images supporting this feature.

    Go to Feature Navigator

    http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp

    Select search by feature and select the Cisco IOS Certificate Server item; you can filter the results by platform (857/877)

    M.

  • DMVPN Phase II traffic flow via hub

    Hello!
    I have some questions about phase II of DMVPN.
    - Why do the first packets between the spokes flow through the hub? How can I influence the number of these packets, or the duration of this kind of flow?
    - Is it mandatory to use no ip next-hop-self eigrp and no ip split-horizon on the hub only, or on the spokes also?

    Thank you!

    It is not three minutes, but up to three minutes if no spoke-to-spoke IPsec tunnel can be established. Once the NHRP resolution has finished, which is usually after only a few packets, the traffic is routed normally, and not via the hub. If the tunnel cannot be established for some reason, everything continues to go through the hub. All this is done to ensure that there is no loss of connectivity during the initial setup or because of spoke reachability problems.

    As regards the cache not being in the hub, my guess would be that this is done to ensure that there is always connectivity to the spokes before providing authoritative information to the other nodes in the network, but that is speculation.

  • Cisco 3750 X - 24 Port stacked: support VRF?

    Hello community,

    We have 2 x WS-C3750X-24T-S switches that are stacked through StackWise cables.  We would like to enable VRF on them, but the commands aren't there. We currently have an IP Base license (which I know is the reason). I tried to do some research and looked at the release notes, but the answer is not clear. I read that it is only available on a stand-alone switch and not on a stacked one. Does anyone out there know if this device is capable of doing VRF as a stack? If so, what are the requirements?

    Thank you

    Neocec

    Hello

    You can use this link to verify which image you need.

    Ref: http://www.Cisco.com/go/fn

    1. Select "Search by feature" and "Multi-VRF VRF Lite support".

    2. Select "Cisco 3750X".

    Finally, you will see which IOS images support this feature. Then go to the download page (if you have the right to download).

    HTH,

    Toshi

  • DMVPN Phase 3 dual cloud spoke-to-spoke communication

    Hello

    I would like to confirm/verify whether Phase 3 allows spokes in different DMVPN domains to communicate directly, or whether spoke-DMVPN-A is routed through the hubs to spoke-DMVPN-B? Any authoritative document on EAC covering this specific scenario is greatly appreciated.

    Thank you.

    -Mike

    Mike,

    I may be off, not having worked with VPN for a year now, but here goes.

    It really depends on what a domain is for you. Remember that the NHRP network ID is locally significant.

    In the end, the same network ID allows NHRP requests to jump between different tunnels.

    If the network ID is different, then the 'domain' is different and NHRP must not flow between them.

    For the rest, it is based on routing; it's just a matter of making conscious design decisions prior to deployment and a few tests.

    M.

  • Cisco series C - Open Ports TCP 4043 & 4044

    Can anyone say what these ports do on C-Series codecs?

    They are generally used for the Neighbour Identity Resolution protocol and the Location Tracking Protocol, and are known to be used by malicious software. Are they used for these protocols, and can they be closed without loss of functionality? I have a client who has many systems placed on public networks and they wonder if this can be / should be done.

    I looked in this document without finding the answer:

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X7-2.PDF

    Any ideas?

    MW

    Hei Mattias, how are you?

    The VCS firewall guide helps you here.

    If I see it right, TCP ports 4043 and 4044 are used for business communication (Cisco Touch 8) & upgrades.

    If no malware :-)

    You can be sure that you can close it from external networks. An InTouch would most likely be plugged into the secondary port or the LAN in all cases.

    I do it the other way round: close everything and open only the needed SSH and HTTP(S) from the networks that include management access, and allow only the necessary media and signaling ports from the outside.

    You will find the media ports used by TC5.1 in the Administrator's guide

    Value space:
    Dynamic: The system will allocate which ports to use when opening a TCP connection. The reason for doing this is to avoid using the same ports for subsequent calls, as some firewalls consider this as a sign of attack. When Dynamic is selected, the H.323 ports used are from 11000 to 20999. Once 20999 is reached they restart again at 11000. For RTP and RTCP media data, the system is using UDP ports in the range 2326 to 2487. Each media channel is using two adjacent ports, i.e. 2330 and 2331 for RTP and RTCP respectively. The ports are automatically selected by the system within the given range. Firewall administrators should not try to deduce which ports are used when, as the allocation schema within the mentioned range may change without any further notice.
    Static: When set to Static the ports are given within a static predefined range [5555-6555].

  • Cisco Prime 2.1 / 2.2 support for Cisco ISE 1.3?

    Hi, I just tried to connect Cisco PI 2.1 to Cisco ISE 1.3, but it fails.
    I read the Release Notes; only ISE 1.2 is supported.
    But I was surprised that the SSL negotiation fails (I made a packet capture).
    So PI 2.1 has not even tried to connect to ISE 1.3 via the API, because the connection fails during the SSL handshake.

    Anyway, does anyone know if ISE 1.3 will be supported with PI 2.2 or a PI 2.1.x version?

    PI 2.1.2 supports up to ISE 1.2.  The PI 2.2 release date is scheduled for December 2014.  Read below.

    Table 4: Cisco Prime Infrastructure and Cisco wireless release compatibility matrix

  • CISCO SERIES: 1700 - Config will not save in NVRAM.

    I tried 'write memory' on a config and also attempted to save it to the startup-config, but every time I power the router off and on again, it does not keep the prior config. Does anyone know what the problem could be?

    Dear S,

    Have you got past your problem?

    Hope Thisishanky's and rburts's solution worked; if you want, you can IM/PM me on yahoo.com, my id is [email protected]. Cool. If you still face any problem :)

    EM

  • Migration to DMVPN Phase 3 with central hub

    I'm looking at migrating my DMVPN network from phase 2 to phase 3. The current system contains 3 regional hubs, each serving about 100 spokes. The final goal is to be able to build spoke-to-spoke tunnels between sites that are homed to hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3" that regional phase 3 hubs can be linked in a hierarchy through a central hub, but there are no details in the doc and I was not able to find a white paper that addresses this specifically. Does anyone have experience with this topology, or material regarding the deployment and configuration of the central hub?

    Kind regards

    Mike

    Mike,

    DMVPN phase 3 is still a valid design choice, even if we are heading for the FlexVPN/IKEv2 combo (eventually finished on ASRs)

    That being said, the deployment is quite easy:

    - NHRP shortcut (+ NHRP redirect, really unnecessary during stable operation) on the spokes

    - NHRP redirect on the hubs.

    Generally on regional hubs you would have one tunnel interface to the spokes and another (spoke-like) tunnel to the global hubs; remember that they must belong to the same NHRP network (i.e. same NHRP network ID).

    Now, depending on your choice of routing protocol (BGP will scale better, obviously), it's just a matter of advertising the right summaries and setting the delays and costs.

    That is the top level as I know it; if you want to read more, google "BRKSEC DMVPN" and you will find several presentations from past Cisco Live/Networkers events - my resource of choice.

    M.
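
    The hierarchy described in the answer above, as an IOS configuration sketch covering a spoke, a regional hub with its two tunnels, and the central hub. This is an added example, not part of the original post; the addresses, interface names, NHRP network ID 1 and the IPsec profile name DMVPN-PROF (assumed to be defined elsewhere) are constructed lab values, and the routing protocol is left out.

    ```ios
    ! Added example; all values are constructed lab values.
    ! Regional cloud 10.1.0.0/24 (regional hub NBMA 198.51.100.1),
    ! central cloud 10.0.0.0/24 (central hub NBMA 192.0.2.1).
    !
    ! ----- Spoke in the region -----
    interface Tunnel0
     ip address 10.1.0.11 255.255.255.0
     ip nhrp map 10.1.0.1 198.51.100.1
     ip nhrp map multicast 198.51.100.1
     ip nhrp nhs 10.1.0.1
     ip nhrp network-id 1
     ! Install shortcut entries learned through NHRP
     ip nhrp shortcut
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN-PROF
    !
    ! ----- Regional hub: hub side, toward its spokes -----
    interface Tunnel0
     ip address 10.1.0.1 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ! Tell the sender that a more direct path exists
     ip nhrp redirect
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN-PROF
    !
    ! ----- Regional hub: spoke-like side, toward the central hub -----
    interface Tunnel1
     ip address 10.0.0.11 255.255.255.0
     ip nhrp map 10.0.0.1 192.0.2.1
     ip nhrp map multicast 192.0.2.1
     ip nhrp nhs 10.0.0.1
     ! Same ID as Tunnel0, so both tunnels are one NHRP network
     ip nhrp network-id 1
     ip nhrp redirect
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN-PROF
    !
    ! ----- Central hub -----
    interface Tunnel1
     ip address 10.0.0.1 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp redirect
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN-PROF
    ```

    Once traffic has flowed between two spokes, `show ip nhrp` on either spoke should list a dynamically learned entry for the remote spoke.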

  • Is it possible to use dual hub dual cloud in Phase 1 DMVPN?

    Hello, I'm studying DMVPN Phase 1. I'm doing a lab where I have 2 hubs and 2 spokes connected through 2 providers. In DMVPN phase 1, as I understand it, the tunnel destination must be configured manually (tunnel mode is point-to-point GRE). But for each spoke, I have 2 hubs. How can I specify the NBMA addresses of both hubs on the same spoke tunnel interface? I can only specify a single tunnel destination, hence one hub.

    The hubs do not need four interfaces in this case; one per ISP is enough. You end up with the following connections per spoke:

    Tun1-ISP1 <-> Tun1-ISP1-Hub1
    Tun2-ISP1 <-> Tun1-ISP1-Hub2
    Tun3-ISP2 <-> Tun2-ISP2-Hub1
    Tun4-ISP2 <-> Tun2-ISP2-Hub2
