[165054] in North American Network Operators' Group
Re: Cisco DMVPN Configuration Question
daemon@ATHENA.MIT.EDU (Garrett Skjelstad)
Fri Aug 16 13:37:53 2013
In-Reply-To: <CALFTrnMS4YX4xSNbOYz5vab7mznaU8R7Y365m_de+b_xUA+O7w@mail.gmail.com>
From: Garrett Skjelstad <garrett@skjelstad.org>
Date: Fri, 16 Aug 2013 10:37:22 -0700
To: Ray Soucy <rps@maine.edu>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

No way around this with DMVPN.

Sent from my iPhone

On Aug 16, 2013, at 9:05, Ray Soucy <rps@maine.edu> wrote:
> Don't usually poke NANOG for a second pair of eyes, but got hit with an
> urgent need to get connectivity up on a small budget.
>
> I've run into a situation where I require multiple DMVPN spokes to be
> behind a single NAT IP (picture of things to come with CGN?)
>
> The DMVPN endpoint works fine behind NAT until a 2nd is added behind the
> same IP address. At that point the hub gets confused and I start seeing
> packet loss to the endpoints in a round-robin fashion.
>
> As far as I can see Cisco documentation says pretty clearly that each DMVPN
> spoke requires a unique IP address. Is there any way around this, or do I
> need to be looking at an alternative VPN solution?
>
> Hub config:
>
> ----8<----
> description DMVPN
> bandwidth 100000
> ip address 10.231.254.1 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication ! removed
> ip nhrp map multicast dynamic
> ip nhrp network-id 1
> ip nhrp redirect
> ip tcp adjust-mss 1360
> tunnel source ! removed
> tunnel mode gre multipoint
> tunnel key 0
> tunnel protection ipsec profile DMVPN
> ----8<----
>
> Spoke:
>
> ----8<----
> interface Tunnel2
> description DMVPN
> bandwidth 100000
> ip vrf forwarding DMVPN
> ip address 10.231.254.10 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication ! removed
> ip nhrp map multicast ! removed
> ip nhrp map 10.231.254.1 ! removed
> ip nhrp network-id 1
> ip nhrp nhs 10.231.254.1
> ip nhrp shortcut
> ip tcp adjust-mss 1360
> tunnel source FastEthernet0/0
> tunnel mode gre multipoint
> tunnel key 0
> tunnel protection ipsec profile DMVPN
> end
> ----8<----
>
> --
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
>
> T: 207-561-3526
> F: 207-561-3531
>
> MaineREN, Maine's Research and Education Network
> www.maineren.net