[c-nsp] DMVPN and OSPF
Jay Nakamura
zeusdadog at gmail.com
Thu Jul 30 15:32:58 EDT 2009
Here is the config (edited for real IP info, passwords, etc)...
Hub - Main
aaa new-model
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key **** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set AES128SHAComp esp-aes esp-sha-hmac comp-lzs
mode transport
!
crypto ipsec profile IPSECPROFILE1
set transform-set AES128SHA AES128SHAComp
!
!
!
interface Loopback0
ip address 172.19.3.253 255.255.255.255
ip nat inside
ip virtual-reassembly
!
interface Tunnel1
bandwidth 8000
ip address 172.19.128.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication nhrpauth
ip nhrp map multicast dynamic
ip nhrp map multicast b.b.b.b
ip nhrp map 172.19.128.2 b.b.b.b
ip nhrp network-id 42
ip nhrp holdtime 450
ip virtual-reassembly
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 200
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key ****
tunnel protection ipsec profile IPSECPROFILE1
!
interface GigabitEthernet0/0
ip address a.a.a.a 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 172.19.0.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 1000
mpls mtu 1508
mpls ip
standby 0 ip 172.19.0.1
standby 0 preempt
service-policy output VoIPPriority5
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip vrf forwarding voipout
ip address v.v.v.v 255.255.255.252
!
interface GigabitEthernet0/1.200
encapsulation dot1Q 200
ip address 172.19.3.1 255.255.255.248
ip nat inside
ip virtual-reassembly
mpls ip
!
interface GigabitEthernet0/1.201
encapsulation dot1Q 201
ip address 172.19.3.9 255.255.255.248
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.500
encapsulation dot1Q 500
ip vrf forwarding dmz
ip address 172.19.4.2 255.255.255.0
!
router ospf 1
log-adjacency-changes
passive-interface default
no passive-interface GigabitEthernet0/1
no passive-interface GigabitEthernet0/1.4
no passive-interface GigabitEthernet0/1.200
no passive-interface GigabitEthernet0/1.201
no passive-interface Tunnel1
network 172.19.0.0 0.0.0.255 area 0
network 172.19.3.0 0.0.0.7 area 0
network 172.19.3.8 0.0.0.7 area 0
network 172.19.3.64 0.0.0.3 area 0
network 172.19.3.252 0.0.0.1 area 0
network 172.19.128.0 0.0.0.255 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 172.19.0.3 remote-as 100
neighbor 172.19.0.4 remote-as 100
neighbor 172.19.3.3 remote-as 100
!
address-family ipv4
neighbor 172.19.0.3 activate
neighbor 172.19.0.4 activate
neighbor 172.19.3.3 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 172.19.0.3 activate
neighbor 172.19.0.3 send-community both
neighbor 172.19.0.4 activate
neighbor 172.19.0.4 send-community both
neighbor 172.19.3.3 activate
neighbor 172.19.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf voipout
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
!
address-family ipv4 vrf dmz
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
!
ip forward-protocol nd
< static host routes to remote routers on internet side>
ip route vrf dmz 0.0.0.0 0.0.0.0 172.19.4.1
ip route vrf voipout 0.0.0.0 0.0.0.0 w.w.w.w
ip nat inside source list NATIP interface GigabitEthernet0/0 overload
!
ip access-list extended NATIP
deny ip 172.19.0.0 0.0.255.255 172.19.0.0 0.0.255.255
deny ip 172.19.0.0 0.0.255.255 172.20.20.0 0.0.0.255
permit ip 172.19.0.0 0.0.255.255 any
access-list 50 remark Management Access Network
<snip>
----- One of the spokes
version 12.4
no ip dhcp use vrf connected
ip cef
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
crypto isakmp key **** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac
!
crypto ipsec profile AES128SHAProfile
set transform-set AES128SHA
!
!
track 123 ip sla 2 reachability
!
!
interface Tunnel0
bandwidth 1000
ip address 172.19.128.9 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication nhrpauth
ip nhrp map multicast a.a.a.a
ip nhrp map 172.19.128.1 a.a.a.a
ip nhrp map multicast b.b.b.b
ip nhrp map 172.19.128.2 b.b.b.b
ip nhrp network-id 42
ip nhrp holdtime 450
ip nhrp nhs 172.19.128.1
ip nhrp nhs 172.19.128.2
no ip route-cache cef
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf cost 104
ip ospf hello-interval 30
ip ospf priority 0
delay 1000
tunnel source Serial0/0/0
tunnel mode gre multipoint
tunnel key ****
tunnel protection ipsec profile AES128SHAProfile
!
interface FastEthernet0/0
ip address 172.17.28.3 255.255.252.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip ospf cost 2
duplex auto
speed auto
standby 0 timers 1 3
standby 2 ip 172.17.28.1
standby 2 preempt
standby 2 track Serial0/0/0 50
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address o.o.o.o 255.255.255.248
ip nat outside
ip virtual-reassembly
standby 3 ip u.u.u.u
standby 3 preempt
standby 3 track Serial0/0/0
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address c.c.c.c 255.255.255.252
ip nat outside
ip virtual-reassembly
!
router ospf 1
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/0
no passive-interface Tunnel0
network 172.17.28.0 0.0.3.255 area 0
network 172.19.128.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 d.d.d.d
!
ip nat inside source list NATIP interface Serial0/0/0 overload
!
ip access-list extended NATIP
deny ip 172.17.28.0 0.0.3.255 172.17.0.0 0.0.255.255
deny ip 172.17.28.0 0.0.3.255 10.1.100.0 0.0.0.255
deny ip 172.17.28.0 0.0.3.255 10.1.200.0 0.0.0.255
deny ip 172.17.28.0 0.0.3.255 172.19.0.0 0.0.255.255
permit ip 172.17.28.0 0.0.3.255 any
!
ip sla 2
icmp-echo 172.17.28.2
timeout 2000
threshold 2
frequency 3
ip sla schedule 2 life forever start-time now
access-list 50 remark Management Access Network
<snip>
On Thu, Jul 30, 2009 at 2:22 PM, Seth Mattinen <sethm at rollernet.us> wrote:
> Luan Nguyen wrote:
>> Care to post the configuration? So maybe some of us who think that this
>> problem is interesting could plug it into dynamips and check it out for you?
>> Have you tried to remove the configuration and put it back? Maybe add a few
>> loopback interfaces and advertise them?
>>
>
> I'd be interested to see it as well to compare it to mine which isn't
> exhibiting the problem.
>
> ~Seth
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
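The hub Tunnel1 and spoke Tunnel0 stanzas above are the lines that decide whether the OSPF adjacency over the mGRE tunnel can come up at all. As an added example (not code from Jay's post, from the list, or from Cisco), the script below parses both un-indented dumps the way they were pasted and checks the settings that must agree between hub and spoke (tunnel key, NHRP authentication string, ip mtu, OSPF network type and hello interval), that the spoke's NHS list contains the hub's tunnel address, that the hub's OSPF priority is nonzero and the spoke's is 0, and it flags the wildcard "crypto isakmp key ... address 0.0.0.0 0.0.0.0". The sample configs are constructed from the fragments above with the redacted values kept literally as ****; the TOP_LEVEL prefix list, the IOS defaults assumed for unset tunnel attributes, the device names and the "bad-spoke" case (a spoke left at the hello and priority defaults) are my assumptions, not anything stated in the thread.

```python
"""Hub/spoke consistency check for OSPF over DMVPN (added example, not code from the thread).
Parses an un-indented IOS dump like the ones posted above and reports what stops the OSPF
adjacency over the mGRE tunnel from forming, plus the wildcard pre-shared-key caveat."""
import re
from types import SimpleNamespace

# Prefixes that open a top-level stanza; any other line belongs to the stanza last opened.
TOP_LEVEL = re.compile(r"^(!|interface |crypto |router |ip route|ip nat inside source|"
                       r"ip access-list|access-list|track |ip sla|version |aaa |ip cef)")
FIELDS = {  # tunnel sub-command prefix -> (attribute, word index, type)
    "ip address ": ("address", 2, str), "ip mtu ": ("mtu", 2, int),
    "ip nhrp authentication ": ("nhrp_auth", 3, str), "tunnel key ": ("tunnel_key", 2, str),
    "ip ospf network ": ("ospf_network", 3, str), "ip ospf hello-interval ": ("hello", 3, int),
    "ip ospf priority ": ("priority", 3, int),
}


def new_tunnel(name):
    # Attributes start at the IOS defaults: point-to-point network type, 10 s hello, priority 1.
    return SimpleNamespace(name=name, address=None, mtu=None, nhrp_auth=None, nhs=[],
                           tunnel_key=None, ospf_network="point-to-point", hello=10, priority=1)


def parse_config(name, text):
    dev, tun = SimpleNamespace(name=name, wildcard_psk=False, tunnels={}), None
    for raw in text.splitlines():
        line = raw.strip()
        if TOP_LEVEL.match(line):                 # a new stanza ends any open tunnel block
            tun = None
            if m := re.match(r"interface (Tunnel\d+)$", line):
                tun = dev.tunnels[m.group(1)] = new_tunnel(m.group(1))
            elif re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", line):
                dev.wildcard_psk = True
        elif tun is not None:
            w = line.split()
            if line.startswith("ip nhrp nhs "):
                tun.nhs.append(w[3])
            for prefix, (attr, idx, typ) in FIELDS.items():
                if line.startswith(prefix):
                    setattr(tun, attr, typ(w[idx]))
    return dev


def audit(hub, spoke):
    """Return (severity, where, message) findings; ERROR means the adjacency cannot form."""
    out = [("WARN", d.name, "wildcard PSK (address 0.0.0.0 0.0.0.0): one secret shared by every peer, "
            "so a compromised spoke can authenticate to the hub as any peer") for d in (hub, spoke) if d.wildcard_psk]
    for ht in hub.tunnels.values():
        for st in spoke.tunnels.values():
            where = f"{hub.name}/{ht.name} vs {spoke.name}/{st.name}"
            checks = [
                (ht.tunnel_key == st.tunnel_key, "tunnel key mismatch: GRE packets dropped on receipt"),
                (ht.nhrp_auth == st.nhrp_auth, "NHRP authentication mismatch: spoke registration rejected"),
                (ht.mtu == st.mtu, f"ip mtu {ht.mtu} vs {st.mtu}: OSPF stuck in EXSTART without 'ip ospf mtu-ignore'"),
                (ht.ospf_network == st.ospf_network, f"OSPF network type {ht.ospf_network} vs {st.ospf_network}"),
                (ht.hello == st.hello, f"OSPF hello {ht.hello} vs {st.hello}: hellos discarded, no neighbor"),
                (ht.priority > 0, "hub OSPF priority 0: the hub can never become DR"),
                (st.priority == 0, f"spoke OSPF priority {st.priority}: must be 0, spokes have no adjacency with each other"),
                (ht.address in st.nhs, f"spoke NHS list {st.nhs} lacks the hub tunnel address {ht.address}"),
            ]
            out += [("ERROR", where, msg) for ok, msg in checks if not ok]
    return out


# Constructed from the hub and spoke fragments posted above (redacted values kept as ****).
HUB_CFG = """
crypto isakmp key **** address 0.0.0.0 0.0.0.0
!
interface Tunnel1
ip address 172.19.128.1 255.255.255.0
ip mtu 1400
ip nhrp authentication nhrpauth
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 200
tunnel key ****
!
"""
SPOKE_CFG = """
crypto isakmp key **** address 0.0.0.0 0.0.0.0
!
interface Tunnel0
ip address 172.19.128.9 255.255.255.0
ip mtu 1400
ip nhrp authentication nhrpauth
ip nhrp nhs 172.19.128.1
ip nhrp nhs 172.19.128.2
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 0
tunnel key ****
"""
HUB, SPOKE = parse_config("hub", HUB_CFG), parse_config("spoke", SPOKE_CFG)
# Constructed failure case: a spoke left at the IOS defaults (hello 10 s, priority 1).
BAD_SPOKE = parse_config("bad-spoke", SPOKE_CFG.replace("ip ospf hello-interval 30\n", "")
                         .replace("ip ospf priority 0\n", ""))
if __name__ == "__main__":
    for sev, where, msg in audit(HUB, SPOKE) + audit(HUB, BAD_SPOKE):
        print(f"{sev:5} {where}: {msg}")
```

Run against the posted pair it reports only the two wildcard-PSK warnings (one per box); against the constructed default-left spoke it adds two ERROR lines, hello 30 vs 10 and spoke priority 1, which is the usual shape of a "DMVPN up, OSPF never forms" problem. Two things the script deliberately does not grade but a reviewer of the posted config would note: both ISAKMP policies use group 2 (1024-bit MODP), and the spoke's transform set omits the "mode transport" that the hub's two transform sets specify.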