suppose i have 2 hub location and one spoke and i want to config DMVPN between them and want to keep 1 HUB as active and 2nd HUb as passive then how its possible.
View 2 RepliesI'm working on a new DMVPN configuration with one 3745 at the hub site and a 1941 the spoke. I have internet through gsm for the primary line at the spoke and a dsl line for backup on spoke.I have one tunnel interfaces on both the hub and the spoke.Currently my VPN tunnel is coming up fine , however we are planing to do an ISP failover at spoke side . since in the tunnel interface i can only define one "tunnel source interface" which is gsm cellular interface , i don;t know how to use my another ISP for the same tunnel interface as it will always initiate traffic from gsm.
do i have to create another tunnel interface with same hub site , or do i need another hub as backup? is their any other way to create loopback interface and initiate the traffic from that loopback?
I'm setting up a L2L VPN Hub and Spoke. I have 3 sites (1 HUB and 2 SPOKES).
HUB-----------SPOKE1
|
|
|
SPOKE 2
HUB and SPOKE 1 is okay. My problem was the communication between HUB and SPOKE 2. PING failed on both directions. BTW, I am simulating this only in GNS3. :-). The configuration for HUB and SPOKE 1 are the same also for HUB and SPOKE 2.
Here is my show isakmp sa and ipsec sa on HUB
ciscoasa# sh isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
[Code].....
If i connected the latop to brand new out of the box ASA 5505 through consloe cable and i have a config file on this laptop from other ASA5505, is there anyway i can upload that config file into startup-config of this new ASA5505 through console cable, without using TFTP or FTP?
View 5 Replies View RelatedI have a Cisco 2811 router and when I turn of the router the running config is lost. I have to the following to get the router running of the start-up config settings.
router#copy start-up running-config
I currently have a "hub" ASA 5505 that links to 4 sites running 877 routers. From the hub network i can connect to all sites fine but what i would like to do is to almost compartmentalise the various VPN links into little clusters.The hub ASA 5505 basically provides IP telephony through the VPN's from a PBX allowing the users at the other end of the VPN to make outgoing calls and recieve incoming calls. However, a couple of the sites would like to be able to call between eachother internally via the hub. This obviously requires traffic to be allowed between their various networks. Currently when you attempt an internal call it rings but there is no audio either way. I assume this is due to access list restrictions. I am not even sure whether what I am trying to achieve is possible. I've attached the hub and 2 spokes below. The ideal end result would be interconnectivity between the two spokes via the hub, from reading up it would seem that its possible but i can't quite get my head around it! Would it involve using different subnet masks at the hub?
View 1 Replies View Relatedi am trying to set up a tunnel connection between twO 2800 routers A<->B
1) destination ip is-204.x.x.x-ROUTER A2) source ip is 166.x.x.22-ROUTER B The router B has the modem connected to GE0/1 whose interface ip is 166.x.x.22 The ip-forward-protocol nd is configured as below
ip route 204.x.x.x 255.255.255.255 166.x.x.21
Also tunnel 1 configuration,isakmp policy are configured properly when i run show crypto isakmp sa it shows MM_NO_STATE,i checked the preshared key on both ends and they are same.whenever i remove the ip address of the interface Ge0/0 and ip route i can ping the 166.x.x.21 which is the modem gateway.when i revert back the configuration to the above ,the ip 166.x.x.21 cannot be pinged,the dsl connection is live though.ways to fix this so that i can make this tunnel state to QM_IDLE?
I want to build a "hub and spoke" topology for one of my clients. For the "HUB" , I'm planning to use an SA540, with a static public IP provided by a 4Mb SDSL. For the "spokes" (21 at the moment), I'm planning to use RV120. They will be behind a NAT, provided by a "SAGEM LIVEBOX", and a static public IP. The boss will connect to the HUB using Cisco VPN client, or quickVPN, and get access to all the spokes. Some spokes will have to connect to each other, via the HUB. I searched a long time on this forum and reading documentation, but I didn't find at the moment the answer to my question : is this topology suitable with the choosen hardwares ?
View 7 Replies View RelatedImagine MPLS network. Total of 4 sites.
HQ-HUB is the only site with access to the Internet.
So if Site1 or Site2 or Site3 need to access the Internet, traffic will have to go through HQ-HUB and from there reach the Internet.I have routes 2851's on the spoke sites. Which command or mechanism you would explore in this case to make the spoke sites point to the HQ-HUB to reach the Internet?
Would you do this based on DNS settings or getting an access-list & static route defining when the spoke routers traffic need to go the internet, point to the HUB-HQ as the default?
I am having real problems trying to build resiliency into a hub and spoke frame relay scenario. I know the hub is a single point of failure. Is there any way to put some resilience into the network? There is 4 attached branch offices.
View 8 Replies View RelatedI'm trying to set-up 3 remote access groups on an ASA5520 running version 8.4(3) software so that remote clients connected via Cisco VPN Client can also access spoke networks which are also connected to the ASA. I've previously set this up on ASAs running v7.2 software without issue but don't seem to be able to do the same here and can't for the life of me figure out what's wrong!
I have set-up the 3 remote access groups:
Group 1 - subnet 192.168.1.48/28Group 2 - subnet 192.168.2.0/25Group 3 - subnet 192.168.3.0/25
My remote access user groups can all connect to the head office subnet (10.0.0.0/8) without issue. But only one of the groups (192.168.1.48/28) appears to be able to access the spoke sites (172.30.10.0/24 and 172.30.20.0/24) that I have set-up. However, I can't see what the difference is between the 3 groups I have configured so can't understand why it works ok for one group and not the others?
When I use the packet tracer, it tells me that the flow is being dropped at the VPN encryption phase but why is that? How can I find out more? Here's the relevant config on my ASA:
!same-security-traffic permit intra-interface!crypto dynamic-map remoteuser 5 set transform-set ESP-3DES-MD5crypto dynamic-map remoteuser 5 set security-association lifetime seconds 28800crypto dynamic-map remoteuser 5 set security-association lifetime kilobytes 4608000!crypto map outside_map 65000 ipsec-isakmp dynamic remoteuser!ip local pool pool1clients 192.168.1.49-192.168.50.54ip local pool pool2clients 192.168.2.1-192.168.2.126ip local pool pool3clients 192.168.3.1-192.168.3.126!access-list split-tunnel-pool1 standard permit 10.0.0.0 255.0.0.0 access-list split-tunnel-pool1 standard permit 172.30.10.0 255.255.255.0 access-list split-tunnel-pool1 standard permit 172.30.20.0 255.255.255.0 !access-list split-tunnel-pool2 standard permit 10.0.0.0 255.0.0.0 access-list split-tunnel-pool2 standard permit 172.30.10.0 255.255.255.0access-list split-tunnel-pool2 standard permit 172.30.20.0 255.255.255.0 !access-list
[code].....
Is there any suggested upper limit to a single EIGRP hub-and-spoke design (i.e. with a single central router)?
Router is a 2900 ISR
I'm vaguely aware of a similar design limitation with OSPF areas where no single area should contain more than 40 - 80 routers. Could be heresay...
Is there any suggested upper limit to a single EIGRP hub-and-spoke design (i.e. with a single central router)?Router is a 2900 ISR,I'm vaguely aware of a similar design limitation with OSPF areas where no single area should contain more than 40 - 80 routers.
View 8 Replies View RelatedThere use to be Cisco 851 routers, but lately these routers are replaced with Cisco 861-K9 routers, and these 861 routers doesn't support DMVPN, instead 851 use to be.
Is there any license file we can upload in 861 router for DMVPN capability, if yes may i know the SKU # for that. We have some customers having 6-7 locations and they are planning to have 2 more locations, we implement already DMVPN in there network, if we go with the 87X or 88X router there price is almost double the price of 861.
I have a problem with my routers (cisco 1941)I'm running a DMVPN network (Hub and spoke)All the hubs are connected to the 2 hubs. With 4 tunnels. (each hub has 2 interfaces to the spokes. the spokes only have one interface to the hubs, so I splitted them and so I now have 4 dmvpn tunnels). one of the interfaces on a hub malfuntioned and because of that the customers had problems with logging in and sending packets. I made this kind of structure because of when one of the tunnels failed the spoke could use the 3 others... BUT, what happened here was that the spoke still tried to use all 4 of the tunnels and because of that I had 25% package loss!So this didn't work. Now I read about IP SLA, but I was wondering of this could work? (I cannot test it on spare routers, and I don't want to implement it and risking a total network failure...) and how to configure it. Should I make 4 different sla processes which I should all 4 track? And when I make the ip routes, how should I make or configure it so that 1 of the tunnels/interfaces fails that the spoke would addapt the routes?
View 1 Replies View RelatedI have a setup with two Cisco 877's – 1 for the hub and 1 for the spoke. The hub has a static WAN IP and the spoke has a dynamic WAN IP. The two sites are tunneled with DMVPN and cert auth for connections via Cisco VPN Client (terminating on hub router). All routes between the two sites work fine – I can see through both ends via LAN IPs and tunnel IPs. I can connect externally through Cisco VPN Client and RDP into PC's on the spoke end via local IPs.
My issue is: I want a port forward on the hub router, pointing to the IP (172.16.1.X) of a device on the spoke end. So using the WAN IP of the hub router, I can reach a host on the spoke side. At this point I cannot get this to work and feel it's related to a NATing issue. Here is my current config for both sites:
HUB Router:
!crypto pki server vpn-ca database level names issuer-name CN=*** CA,OU=*** Services,O=*** lifetime crl 336 lifetime certificate 7305 lifetime ca-certificate 7305 lifetime enrollment-request 1000 database url nvram!
crypto pki trustpoint vpn-server enrollment url http://172.16.0.1:80 usage ike serial-number none fqdn none ip-address ***WAN IP*** revocation-check crl rsakeypair vpn-server 2048 auto-enroll 70 regenerate!
crypto pki trustpoint vpn-ca revocation-check crl rsakeypair vpn-ca!
[code]....
I have a DMVPN network with 2 hubs (2821's). This setup is used for VoIP applications over the Internet for teleworkers. At the main hub site I used to have only 1 Internet feed which was DSL with a static IP. Now I have 2 WAN feeds for this site - 1 FTTB w/ PPPoE & the DSL with static IP. Since this site also hosts a PRI, I want all voice communications to go through the FTTB link instead of the DSL for obvious reasons, but keep the DSL as DMVPN Hub for all NHRP lookups as this link has a static IP address & is very stable. We originally put the PRI router as a DMVPN spoke which connected through the FTTB link, with another router acting as the DMVPN hub on the DSL link. This was obviously a waste of machinery. I want to combine both routers into one. So I tried something like this (don't laugh):
Gi0/0 to FTTB (Dialer1 connects to Internet)
Gi0/1 to DSL (Public IP towards 877 demarc)
Tun0 attaches to Dialer1 public IP and connects to other spokes, no VRF
Tun1 attaches to Gi0/1 public IP and acts as DMVPN hub (ip nhrp map multicast dynamic) under VRF "Hub"
EIGRP AS 1 is set up twice, once under router eigrp 1, and the other using router eigrp 2 using an address-family under the Hub VRF.This kinda works but obviously Tun0 & Tun1 do not speak to each other. I also had to remove the ip nhrp map instruction that pointed to Hub1 on Tun0, as this was causing a weird condition in the router where it was repeatedly trying to connect a tunnel to itself, and crash the router because the NHRP process would go haywire. So my users must rely on the Hub2 to get a NHRP lookup for the PRI site. If Hub2 goes down, everything works in the network except for tunnel connections to the FTTB link. I'd rather not have to configure 2 tunnels on each spoke router unless I really have to.
I am trying to spec out some routers for a small DMVPN network.I was thinking 2801's for my hub routers.will these run DMVPN out of the box or do they need additional hardware modules?according to the below linkyou need a "AIM-VPN/SSL-2" module in order for it to work, but then according to"The Cisco 2800 Series supports IPSec Digital Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES) 128, AES 192, and AES 256 cryptology without consuming an AIM slot."
View 1 Replies View RelatedBuilding a dmvpn network with 2911 hub router.Anyone have a clue how many simultaneous vpn connections can be used? The amount of transferred data is very small.
View 1 Replies View RelatedWe have 7606 router without any ipsec module on it,so i check the ios and it has all commands in interface tunnel for configuring the dmvpn multipoint tunnel and also protection profile for ipsec! so i have this question: do we can run dmvpn between this router and our wan routers wich are 3845.
View 2 Replies View RelatedWhat router would you choose to setup 1500 dmvpn tunnels (mGRE/ipsec)? so this router will be my hub and the hub will have 1500 tunnels.this router with this many tunnels will have to be able to provide excellent service to all spokes/tunnels.the spokes will mainly use the tunnels for business, transfering small files and some email I would say they may transfer 500megabyte of data per day but that's the absolute maximum.
View 4 Replies View RelatedI have 5 cisco 1812 routers that i set up in a hub-spoke dmvpn configuration between 5 sites. All routers have a secondary internet connection . Could i set up a second tunnel interface on each router to create a backup dmvpn that will use this secondary internet connection? i use EIGRP for routing.
View 2 Replies View RelatedI have three Hub routers that I'm wanting to compare DMVPN scalabiltiy capabilities (3825 versus 3945 and 3845). I know it must be there somewhere and I'm just not looking in the right place. But I've read and read and read about DMVPN designs and I'm not finding anything. This is turning into a time killer. What are the DMVPN limitations of these three routers are?
View 6 Replies View RelatedNew to the forum and not much Cisco IOS experience let alone on the security side of things. I know how to navigate the IOS and can do basic switching and routing just fine. My company currently has a DMVPN setup w/ about 10 tunnels going back to the hub. We have 4 more sites they want me to setup and I keep getting stuck at the crypto maps. I have been reading about VPN's, DMVPN's , etc. for days now but can't find any examples of how we are configured. The priority of our crypto maps start at 65536 and go up. Default max is 65335 from what I have read, and I cannot assign a priority that high statically. [code]
View 3 Replies View Related I'm trying to configure and DMVPN architecture with two routers ASR1006 to server a bank remote offices, one ASR in CO building and the other in CA building (CO: Operational Center; CA: Recovery Center).Each ASR have two LAN connections to internal network and two WAN links to remote office. Each WAN links belongs to differents provider.Each remote office has a router with two WAN links connected to that WAN providers.We are configuring the DMVPN considering two primary tunnels in the CO building and two failover tunnels in CA building.We made the configuration (schemas and configuration attached) but we only get two tunnels up at a time. We cannot ping from office router to four tunnels interfaces in both hubs.
We made some test disabling some tunnels and we could get communication only with two tunnels interfaces. We got communication through tunnels when we have just two.We want to have the four tunnels for high availability. We would like to know how to troubleshoot and make a design review because the examples and documentations are very limited.
Trying to setup a DMVPN on out existing equipment that is currently running all point to point vpn connections. basicly its not working. my best guess is something with the config is interfering but i'm not sure the remote router (881) is always comming back with MM_NO_STATE and the main router(2901) is either MM_NO_STATE or MM_SETUP.
I added the config for the 881, 2901 and a debug crypto isakmp and debug crypto ipsec from both routers. I have verified the Keys are correct and it is not blocking port 500. if i issue a sh crypto isakmp policy they are the same on both routers. if you need me to post anything else i will, one note i removed the configs that were part of the point to point tunnls on the 2901 router.
Is DMVPN supported on Cisco 7200 XVR NPE-400, and would the NPE-400 module support QoS, multicast etc. I found an old doc mentioning DMVPN and this specific module.
View 1 Replies View RelatedI am setting up a DMVPN between several dozen sites using 2800, 2900 and 3900 series ISRs. The DMVPN Design Guide recommends current 12.4 or 12.4T IOS, but the DG was last updated in July 2008. I cannot seem to find any recommendations newer than this. I'm hoping Cisco or the community can give me an updated recommendation.
View 5 Replies View Relatedone of my customers wants to implement VoIP in his existing DMVPN Network Topology. I have read about the "Per-Tunnel QoS for DMVPN" but when it comes to configure it on my hub router (Cisco 7206VXR with c7200p-advsecurityk9-mz.124-15.T14.bin) I am lacking the option to set the "ip nhrp map group" command.
My question now is, is it generally not supported by the 7206VXR platform? Or can I get the option by upgrading the IOS to a newer version? If so, which one could I use ?
I have Cisco 877-K9 router which sits behind an ASA 5510 FW. The Design :
Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
||
ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
||
Switch
||
LAN
Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa. I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not able to ping any LAN IP at Spoke site nor am I able to ping my LAN from any Spoke site. I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
i have a general Question regarding buildings SA´s between two peers.Can I establish more than one SA between two Peers with the same IP Address?Actually I have 3 DMVPN´s running in parallel in different VRF´s using the same SA.They have all the same IPSEC encryption AES256.Now I need to reduce the encryption to 3DES in one of the three DMVPN´s.Is that possible or do I need a differnet IP Address so that the SA Pair is unique?Thats how I stared, with a Phase 2 failure that it is not acceptable.
crypto keyring preshared
pre-shared-key address x.x.x.x key ....ncvnbxcnbLsaYiKtxc4ex4U99Tn...
pre-shared-key address x.x.x.x key ....qerqwerJLsaYiKtxc4ex4U99Tn...
pre-shared-key address 0.0.0.0 0.0.0.0 key ....JLsaYiKtxewrc4ex4U99Tn...
[code]....
I configured a 2811 series router for dmvpn. My two tunnels are up but one of the tunnel is flapping with this message.
View 4 Replies View RelatedImagine you have 5 sites, one router each site (2851 as CE) connected to MPLS network. All sites have max 3xT1.Requirement:In case CE router or circuit to MPLS fails in any of those sites, I need to provide backup circuit to reach MPLS network.
Proposal:Bring one Internet circuit to each of those sites and create DMVPN to every site.
Question:Let's say Site1-MPLS circuit goes donwn.
Then all traffic from Site1-MPLS should flow thru the IPSec tunnel to all other MPLS sites. Am I right that the traffic coming from Site1-MPLS will ingress via the 2851 CE routers, correct? Is this the typical design? How to accomplish this, I'd like to setup a lab to simulate it.