DMVPN with 2 Hubs
(1) if I understand correctly - Phase 1 DMVPN is Star technology. Is it possible to use two hubs of the network?
(2) is it possible to use the router 1841 as Phase 1 DMVPN hub?
(3) imagine this network topology:
* PIX *-(static vpn tunnel)-> router 1841 (hub)-(dynamic vpn tunnel)-> rays.
I'm having problems with routing in VPN between PIX and rays through 1841?
In the attachment, see diagram.
Thnx in advance!
Hello
It should be possible. The tunnel between the PIX and Hub 2 is going to be a regular with PIX IPSEC tunnel configured with all networks to talk as destination the ACL crypto and vice versa on the hub. Hub 2 will have a static route for the private subnet route tis and PIX will be redestributed in the routing process so that it is announced to the rays. Please keep in mind that the protection tunnel profile you are configuring should have configured 'shared' keyword.
HTH,
Please rate if this can help.
Kind regards
Kamal
Tags: Cisco Security
Similar Questions
-
Migration phase 3 DMVPN with Central Hub
I'm looking at the migration of my network DMVPN phase 2 phase 3. The current system contains 3 regional poles each serving about 100 rays. The final goal is to be able to build tunnels speaks to talk between sites that are hosted to the hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 phase 3" regional poles of phase 3 can be related in a hierarchy through a central hub, but there are no details in the doc and I was not able to find a white paper that addresses this specifically. Someone at - it experience with this topology or have the material regarding the deployment and configuration of nodal point?
Kind regards
Mike
Mike,
DMVPN phase 3 is still a valid design choice, even if we are heading for FlexVPN/IKEv2 combo (eventually finished on ASRs)
That being said, the deployment is quite easy:
-Shortcuts PNDH (+ redirect PNDH, really unnecessary during stable operation) on the shelves
-Redirect PNDH on the hubs.
Generally on regional hubs you would have a tunnel interface to the rays and the other (like talking) tunnel to the global hubs, remember that they must belong to the same network PNDH (i.e. same id PNDH network).
Now according to your choice Routing Protocol (BGP dimensionnera better, obviously), it's just a matter of right summarized advertising and setting the delays and costs.
The top level I know, if you want to read, google "BRKSEC DMVPN" you will find some different item of Cisco Live/Networkes of the past - my resource of choice.
M.
-
Hello
I dmvpn phase 1 with 2 hubs, 20 rays and eigrp, HUB1 is main and HUB2's backup. If HUB1 works any traffic from rays go to HUB2 immediately in a few seconds, but when HUB1 gets traffic from rays automatically goes back to the HUB1 after 20-30 minutes and it is too long, it's problem.
command 'Show dmvpn' on the screens of rays which tunnelle to HUB1 are PNDH, and if I use 'session claire encryption"command manually on any traffic spoke of this talk past immediately to HUB1.
A month ago I tested and it worked fine. but when I last tested time 2 days ago, this problem occurred.
What should be the reason and how to fix it?
Sorry for my English, I'm new to dmvpn :)
Thanks in advance.
Hi George,.
I see two possible event which would explain the behavior that you are experiencing.
(a) change of State DMVPN.
(b) change in the routing table.
You can troubleshoot each of the question above to identify that one is at the origin of the problem and then isolate him. To begin, you must make sure that the DMVPN stay in a stable 'up' State.
You mention "pokes displays tunnels to HUB1 in PNDH State"-this confirm DMVPN is 'stuck' and not fully operational.
I suggest to consult a few details of useful troubleshooting here:
http://www.Cisco.com/c/en/us/support/docs/security/dynamic-multipoint-VP...
Take a look at these details:
~~~
Interface: Tunnel100, IPv4 PNDH details
Type: talk, PNDH peers: 2,.# Ent Peer NBMA Peer Tunnel Addr add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.1.1 172.28.1.1 UP 1d21h S
1 192.168.1.2 172.28.1.2 UP 1d21h S~~~
You get output similar in your configuration, if you want to keep an eye on the time of "UpDn", as it will tell you how long the DMVPN has been upward.
If the DMVPN remains stable, while you experience the problem, then focus on the routing protocol that you use in the troubleshooting dmvpn tunnel.
If the DMVPN is unstable, check the connectivity between the spokes and hub NBMA Address and connectivity remain stable. "you can use ' debug crypto dmvpn error and debug error PNDH dmvpn" to help identify the problem, if it is associated with DMVPN.
There is a lot of support in my suggestions, because you have not posted the configuration :).
But it would be useful that you post the config. Good luck with your efforts.
Thank you
re775
-
DMVPN with digital ceritificates and Hub acts as a CA server
Hello guys,.
is there anyway to configure the DMVPN with digital certificates and change the router Hub to act as a CA server?
Thank you
Yes, you can do it, go ahead and set up your router, Hub, with the normal DMVPN configuration so that it becomes the hub. After doing that follow the link below to add public key infrastructure server features:
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gt_ioscs.html
And to register for the rays on the hub, use this link:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080210cdc.shtml
Remember that regardless of the router Hub being the authority of CA, you must sign up for itself to allow the IKE PKI authentication.
-
How can I set up the AEBS as a router with sky Hub as a modem?
I have sky broadband with a Hub of Sky SR102-Z router. I had the problems of slow speed, and the tour engineer told me that it is caused by the interference of a wi - fi connection. I have an Airport Extreme Base Station that I stopped using when I got sky, but I now use it as a router (the Hub of sky is quite limited) connected to the Sky as the Modem concentrator. I would be grateful for any advice on how to set up the AEBS so that it fills the air Hub. Thank you.
I would be grateful for any advice on how to set up the AEBS so that it fills the sky Hub
If you want to use as a router AirPort Extreme... it would mean that hub Heaven must be reconfigured to act as a modem mode simple bridge.
Whether or not it's possible and even if it is possible... Whether or not the sky will support this type of installation are questions for heaven. So, you will need get clarification from heaven on this topic before you can proceed with the configuration of the AirPort Extreme.
You can keep in mind that the hubs of some suppliers cannot be reconfigured to make the function of the device as a modem mode simple bridge. If which is the case with the sky... then you will need to set up the AirPort Extreme in Bridge Mode and continue to let the Sky router as the network router, same function if the wireless may not be enabled on the hub of the sky.
-
How can I sync the keyboard wireless with the hub?
I have a 1 ms wireless keyboard. 0 has and can not find the right button to synchronize with the hub.
Can you help me?
JoAnne
I have a 1 ms wireless keyboard. 0 has and can not find the right button to synchronize with the hub.
Can you help me?
JoAnne
The designation "1. 0a"seems to be a version number, and not a model number. As a general rule, MS wireless keyboards have the numbers of models such as 1000, 3000, 6000, etc.. See, for example, http://www.microsoft.com/hardware/mouseandkeyboard/ProductList.aspx?type=Keyboard&additionalType=Sets&techId=WirelessTechnology
I think Microsoft "Documentation" for the products of its keyboard and mouse to be pretty pathetic, so even if you had provided the model number, chances are that the documentation would not help a lot.
Some of the products of Microsoft wireless keyboard and mouse have sync buttons and some do not. See http://support.microsoft.com/kb/838398 for some pictures and tips on the sync'ing of these products.
If your keyboard has a button, it will be small and should be ironed with something like a ball point pen. See this video: http://www.microsoft.com/showcase/en/us/details/c0b359ba-ead6-4298-aa46-6b943ffb8e2e
-
Problem with USB HUB using Windows 7 on Bootcamp
I have an iMac when I installed Win 7 with Bootcamp. I have problem with USB hub. If I connect USB devices (printer, iphone... etc...) directly to my computer, it works without any problem. But if I connect them through USB hub, that they do not work properly. The sound instantly invites you, but certain peripheral functions partially and some not at all. I tried several USB hubs... same problem for all. Any solution? Thanks a lot for your answer.
Hello
I suggest you to see link and check.
Tips for solving common driver problems
http://Windows.Microsoft.com/en-us/Windows7/tips-for-fixing-common-driver-problems
I also suggest you to contact the apple support and check.
-
DMVPN with dynamic failover HSRP/IPSEC
"DMVPN with dynamic failover HSRP/IPSEC."
Hi all. Is this possible? When you use a direct IPSEC LAN to LAN, you have a card encryption and when you secure the card encryption at the source of the tunnel interface, you configure "' crypto map
redundancy with State '." The DMVPN does not use encryption card, sound by using an IPSEC profile with protection of tunnel. How you configure stateful with HSRP IPSEC in this situation?
We're heading for a double cloud dmvpn topology with 2 heads dmvpn geographically separate. I want that every network head to have a redundancy HSRP, which can be done fairly easily. But I also want State IPSEC to be replicated for all security associations IPSEC do not fall in the case of a failover. Is it possible in this scenario and how?
Thanks a lot as always.
Hello again ;-)
There are currently no plan at the moment (that I know) to mix with State redundancy and anythign with protection of tunnel.
Frankly it is best to create redundancy in DMVPN termination on both turntable and relying on routing protocols - which I am sure you aware of so I won't bore you with details.
That said, my personal observation is - if you want a failover go to ASA, when you have routers, you have all these wonderful tools like VTI/GRE for IPsec that mix well with routing protocols, and MUCH MUCH more. It is very often to change some timers for routing protocol driven "failover" happen very quickly.
Marcin
-
DMVPN with VRF (redistribution a road by default via VRF)
Hi all
I was testing a DMVPN configuration so that users with POLES surfing the Internet on the Internet portal of the HUB. The SPOKE1PN is able to ping all internal IP addresses and route determination agrees. When he reached out to the Internet (HUB_INTGW) gateway, pings are okay, but traceroute requests time out. I was wondering if anyone has an idea. Here's my topology.
Basically, if SPOKE1PN pings to the Internet, it goes to SPOKE1, HUB1 via tu0, HUB1_INTGW and it gets overloaded NAT.
QUESTION (OK, TRACEROUTE DROPS AFTER OVERLOADED NAT PINGS)
SPOKE1PN #ping 202.0.0.2 rep 88
Type to abort escape sequence.
88, echoes ICMP 100 bytes to 202.0.0.2 sending, time-out is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
Success rate is 100 per cent (88/88), round-trip min/avg/max = 144/211/328 ms
SPOKE1PN #traceroute 202.0.0.2
Type to abort escape sequence.
The route to 202.0.0.2
1 192.168.1.1 88 MS 64 ms 16 ms
2 172.14.1.1 164 MS 92 MS 128 ms
3 10.1.0.254 152 MS 124 MS ms 116
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
SPOKE1
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname SPOKE1
!
boot-start-marker
boot-end-marker
!
!
No aaa new-model
memory iomem size 5
IP cef
!
IP vrf DMVPN
RD 1:1
!
crypto ISAKMP policy 1
BA aes 256
md5 hash
preshared authentication
Group 5
address key crypto isakmp 0.0.0.0 @ngelam1chell3r1c 0.0.0.0
ISAKMP crypto keepalive 60 periodicals
!
Crypto ipsec transform-set SET1 IPSEC ah-md5-hmac esp - aes
!
Profile of crypto ipsec DMVPN
game of transformation-IPSEC-SET1
!
interface Tunnel0
IP vrf forwarding DMVPN
IP 172.14.1.2 255.255.255.0
no ip redirection
IP mtu 1416
property intellectual PNDH authentication cisco123
property intellectual PNDH card 172.14.1.1 200.0.0.2
map of PNDH IP multicast 200.0.0.2
property intellectual PNDH card 172.14.1.254 200.0.1.2
map of PNDH IP multicast 200.0.1.2
PNDH id network IP-99
property intellectual PNDH nhs 172.14.1.1
property intellectual PNDH nhs 172.14.1.254
source of tunnel FastEthernet0/1
multipoint gre tunnel mode
tunnel key 999
Protection ipsec DMVPN tunnel profile
!
interface FastEthernet0/0
IP vrf forwarding DMVPN
IP 192.168.1.1 255.255.255.0
automatic duplex
automatic speed
!
interface FastEthernet0/1
IP 201.0.0.2 255.255.255.240
Speed 100
full-duplex
!
Router eigrp 1
Auto-resume
!
address ipv4 vrf DMVPN family
redistribute connected
network 172.14.1.0 0.0.0.255
network 192.168.1.0
No Auto-resume
autonomous system of-1
output-address-family
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 201.0.0.1
!
no ip address of the http server
no ip http secure server
!
control plan
!
Line con 0
line to 0
line vty 0 4
!
end
HUB1
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname HUB1
!
boot-start-marker
boot-end-marker
!
No aaa new-model
memory iomem size 5
IP cef
!
IP vrf DMVPN
RD 1:1
!
crypto ISAKMP policy 1
BA aes 256
md5 hash
preshared authentication
Group 5
address key crypto isakmp 0.0.0.0 @ngelam1chell3r1c 0.0.0.0
ISAKMP crypto keepalive 60
!
Crypto ipsec transform-set SET1 IPSEC ah-md5-hmac esp - aes
No encryption ipsec nat-transparency udp-program
!
Profile of crypto ipsec DMVPN
game of transformation-IPSEC-SET1
!
interface Tunnel0
IP vrf forwarding DMVPN
IP 172.14.1.1 255.255.255.0
no ip redirection
IP mtu 1416
property intellectual PNDH authentication cisco123
dynamic multicast of IP PNDH map
PNDH id network IP-99
source of tunnel FastEthernet0/1
multipoint gre tunnel mode
tunnel key 999
Protection ipsec DMVPN tunnel profile
!
interface FastEthernet0/0
IP vrf forwarding DMVPN
IP 10.1.0.1 255.255.255.0
automatic duplex
automatic speed
!
interface FastEthernet0/1
IP 200.0.0.2 255.255.255.240
Speed 100
full-duplex
!
Router eigrp 1
Auto-resume
!
address ipv4 vrf DMVPN family
redistribute connected
redistribute static
Network 10.1.0.0 0.0.0.255
network 172.14.1.0 0.0.0.255
No Auto-resume
autonomous system of-1
output-address-family
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 200.0.0.1
IP route vrf DMVPN 0.0.0.0 0.0.0.0 10.1.0.254
!
no ip address of the http server
no ip http secure server
!
control plan
!
Line con 0
line to 0
line vty 0 4
!
end
HUB1_INTGW
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname HUB1_INTGW
!
boot-start-marker
boot-end-marker
!
No aaa new-model
memory iomem size 5
IP cef
!
no ip domain search
!
Authenticated MultiLink bundle-name Panel
!
Archives
The config log
hidekeys
!
interface FastEthernet0/0
IP 10.1.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
IP 200.0.1.2 255.255.255.240
NAT outside IP
IP virtual-reassembly
Speed 100
full-duplex
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 200.0.1.1
IP route 192.168.1.0 255.255.255.0 10.1.0.1
!
no ip address of the http server
no ip http secure server
overload of IP nat inside source list ACL_NATOVERLOAD interface FastEthernet0/1
!
IP access-list standard ACL_NATOVERLOAD
permit 10.1.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
permit 172.14.1.0 0.0.0.255
!
control plan
!
Line con 0
exec-timeout 0 0
Synchronous recording
line to 0
line vty 0 4
!
end
Desmon,
If the works of ping I can bet you that it's a problem of how ICMP unreachable it will be via NAT (PAT in fact) in response to UDP with expired TTL.
Can you do a static NAT on HUB1_INTGW to the IP test and you should see a difference... BTW the debug ip packet is your friend, try it :-) on INTGW and INT_RTR
Marcin
-
Tunnel of speaks of talking DMVPN routing via hub
I have a DMVPN network with several linked sites and everything works fine, with one exception. Two sites (which can connect spoke to speak perfectly well to all other spoke routers in the network) can not directly connect and route the traffic through the hub. Routing tables (EIGRP) you will see the routes are properly being announced, however see the PNDH ip indicates the following
Router 1 (spoke router initiateing the connection)
10.31.248.246/32 by 10.31.248.246, created Tunnel10 00:00:25, expire 00:09:34
Type: dynamic, flags: implicit router
The NBMA Address: * address of Router 2 *.
(non-socket)
2 router (router talk recipient)
10.31.248.244/32 via 10.31.248.244
Tunnel10 created at 00:01:53, expire 00:01:12
Type: dynamic, flags: temporary
The NBMA Address: * address of our server DMVPN router *.
Any help to fix this would be extremely appreciated because the two offices are in Asia and our server router is the United States which means a round-trip time which should be approximately 50 ms between those offices is actually taking more than 400 ms
Hello
What happens, is that ROUTER1 already resolved correctly ROUTER2 via PNDH, but for some reason any cannot establish IPsec to send a response of PNDH to Router 2.
Can you check if ISAKMP/IPsec between these two routers trying to establish when you ping from one side to the other? My guess is you'll see MM_NO_STATE ;-)
M.
-
LaserJet Pro 200 color MFP m276nw no network connection with Linksys HUB
Hello
I install my Color LaserJet Pro 200 m276nw MFP to connect to my home network using a wired connection.
When directly connected to my router, the connection initializes and successfully receives an ip address. I was able to access all the functions connected to my router directly either wired or wireless network.
I also have an old Linksys hub and when the printer is connected to the hub, it does not initialize the network connection. The hub works with all the other sevice in my network, including a few game consoles and a Mac Mini.
Is there a network advance setting that I have to look?
Thank you
Hello
I don't know if an IP address conflict is my problem as it is not a problem with another device on the network. But it is certainly a kind of incompatibility.
I found a work around. I have an old LInksys WRT54GS router, I was about to sell and read that I could turn in a switch with a custom firmware, DD - WRT. After you have installed the custom firmware and following some instructions to configure in a switch (including setting a fixed IP address as you suggested), the router-turned-switch worked like a charm.
So, it is definitely an incompatibilities with the Linksys Hub EFAH05W. Maybe this printer don't like hubs. I read the hubs do not succeed as a router or a switch network traffic only.
-
Question DMVPN with double IPS links at the end of the branch
I have a Setup (see drawing) where I
Double TIS links at the end of the branch, with the wireless and the other with 3 G.
Wireless should always be the main path, when it works (it's a kind ship when it is in the port)
If I use OSPF, then it works fine the failover, but as soon as I enable IPSEC on the tunnel, then there are switched only once and it will not be repeated at the elementary level once again, without having to restart the router, and then it works for a failover once again.
I also use tracking, because there is no interface, it is down
Are there someone there is a working configuration, where ec. in the network head (normal installation) there is double tis links on the same router or ofcause the same as I.
I'm ready to use any kind of protocols so that it can work, so RIPv2 (preferred), EIGRP, OSPF, tracking, IP SLA
Who is 80.198.195.138?
The peer Hub address is 80.1.1.1 then you can ping this address when the main link is down?
It also seems that you have IPSec tunnel 0 UP but no 0 and 1-tunnel at the same time tunnel. Make sure you have the word of shared key on the hub, router that you use the same source for the two IPSec tunnel IP address.
This message means the IKE database between two routers is out of sync, but should recover on its own.
HTH
Laurent.
-
DMVPN double double Hub application for assistance?
Hello someone with experience DMVPN,.
Can you please have a look at my DMVPN queries in the attached document?
Thank you
Concerning
The Phuc
Hi the Phuc,
I found for you a fairly detailed design and implementation guide. Please read carefully and implement a test bench. I am sure that you will get support for specific issues if you are having problems.
http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html
These documents are written with care and I have never encountered any problem with these reference implementations.
Also: Please do not formulate your questions in an attached document, making it difficult for us to give you answers.
Best regards, MiKa
-
DMVPN with invalid SPI recovery / DPD
Dear Experts,
I'm evaluating a networks of average design company DMVPN Phase 2 scope, trying to optimize the time of receovery after a failure and restoration of a DMVPN counterpart.
1. I just spent through a PDF of Cisco Live at a workshop of 2011 named "Advanced Concepts of DMVPN - BRK 4052".
It is said (without further explanation) that the invalid SPI recovery feature is not useful with DMVPN.
Can anyone explain, why?
2 DMVPN involves the use of the Tunnel (TP) Protection. I read the reviews that say that you can not use Dead Peer Detection (DPD) as well as the TP.
Unlike these reviews, Cisco DMVPN V1.1 design guide recommends a configuration container:
ISAKMP crypto keepalive 10
That means, I have to use DPD, but without "periodicals" KeepAlive? If so, could you explain?
Thank you very much!
Dear Sebastian,
1 SPI recovery means essentially that the answering router must meet the same initiator VPN router if the SPI was invalid, the response of the intervener would be an 'invalid' error to the initiator VPN.
Why it is not recommended for DMVPN?
Well, according to the previous description of SPI, imagine if someone upsets your router with rogue applications! with the resumption of active SPI, it means that your router would need to respond to all messages which he received with the message "Invalid Error", which basically means--> attack (Denial of Service Attack) back--> high CPU processing on your router.
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200
How is it that relates to DMVPN?
Well! DMVPN is mainly deployed with large number of rays! and even if no one attacks you! your rays can attack you
2. I don't think that having periodic KeepAlive is what we hear in the comments on demand or periodic KeepAlive is not really effect DMVPN.
I don't know what are the comments you've read, but I think you can use DPD! There have been some incompatabilites filed for tunnel KeepAlive, but as far as I know, nothing major was filed against ISAKMP KeepAlive.
HTH!
AMatahen
-
DMVPN with based remote access VPN client
Hi all
We DMVPN deployed to connect to our remote location now I want to configure the vpn remote access also with DMVPN tunnel so if somehow our DMVPN tunnel goes down we can connect to the router through vpn remote access client based around... I want experts to do the light on it is it possible or what are the technical challenges that I have to face in this regard.
Thank you
Salman Jamshed
Hello Salman,
It's 100% possible, there is no harm in having them both up on your router.
In fact, as you have said that it will provide an extra layer of redundancy if by chance the DMVPN tunnel breaks down.
That being said, you can go ahead and do it is a movement course
Julio
Maybe you are looking for
-
Firefox closes the tab bad while closing several pages.
It is really hard to describe... OK, let's say I want to look for the logo of firefox via google images. I found a lot of interesting and open results in different tabs. Now, I found a picture that I really like and close tabs that I no longer need.
-
transfer photos from an sd card on icloud or dropbox on a trip
I'm looking for a reliable way to do the following, without lugging my computer on a + 2 weeks of vacation: Upload photos from the SD and MicroSD card to my iPad. Do NOT delete these photos from an SD card. Have these photos then back-up for the clo
-
The BluRay drive firmware - DV7-3173nr
I just got a replacement for my computer drive laptop dv7-3173nr and I put it in, and I can't get the right drivers for it. The exact command I ordered is the one http://www.mydvddrives.com/replacement-for-HP-Pavilion-dv7-3173nr-SATA-BD-ROM-Blu-ray-c
-
need win 7 64 bit video drivers for HP Compaq 15-s006TU to control the brightness
-
I have these three questions of program after reinstallation of Windows Vista and tried (mostly unsuccessful) using Windows Easy Transfer to move and reinstall my programs and files. My computer had some problems before start, (it would be almost alw