Channel: IEOC - INE's Online Community

DMVPN, all possible variants


Just to share all possible variants of DMVPN.

I tested all 6 of these variants and they work. The documentation at Cisco is not accurate.

 

1 - DMVPN for IPv4 and IPv6 over IPv4 (no crypto)

 

HUB:

interface Tunnel0
 ip address 155.1.0.5 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 ipv6 address FE80::5 link-local
 ipv6 address 2001:155:1::5/64
 ipv6 mtu 1400
 ipv6 tcp adjust-mss 1360
 ipv6 nhrp authentication cisco123
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 1
 ipv6 nhrp holdtime 300
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 1
end

 

Spokes:

interface Tunnel0
 ip address 155.1.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp nhs 155.1.0.5 nbma 169.254.100.5 multicast
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 ipv6 address FE80::1 link-local
 ipv6 address 2001:155:1::1/64
 ipv6 mtu 1400
 ipv6 tcp adjust-mss 1360
 ipv6 nhrp authentication cisco123
 ipv6 nhrp nhs 2001:155:1::5 nbma 169.254.100.5 multicast
 ipv6 nhrp network-id 1
 ipv6 nhrp holdtime 300
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 1
end

 

Note: 

2 - DMVPN for IPv6 and IPv4 over IPv6, add/change

  ip nhrp nhs 155.1.0.5 nbma 2001:169:254:100::5 multicast

  ipv6 nhrp nhs 2001:155:1::5 nbma 2001:169:254:100::5 multicast

  tunnel mode gre multipoint ipv6 (hub and spokes)

 

3 - DMVPN for only IPv4, remove IPv6 commands

 

4 - DMVPN for only IPv6, remove IPv4 commands and add/change

  ipv6 nhrp nhs 2001:155:1::5 nbma 2001:169:254:100::5 multicast

  tunnel mode gre multipoint ipv6 (hub and spokes)

 

5 - DMVPN for only IPv6 over IPv4, remove IPv4 commands

 

6 - DMVPN for only IPv4 over IPv6, remove IPv6 commands and add/change

  ip nhrp nhs 155.1.0.5 nbma 2001:169:254:100::5 multicast

  tunnel mode gre multipoint ipv6 (hub and spokes)
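A small consistency checker for a hub/spoke tunnel pair, added here as a worked example; it is not code from the post or from Cisco. It parses the IPv4 lines of the variant 1 hub and spoke stanzas above (copied in as constructed input), reports the parameters that must agree on both ends (GRE tunnel key, NHRP authentication string, tunnel mode), warns when the NHRP network-id differs (locally significant on IOS, but conventionally kept identical), confirms that the spoke's NHS is the hub's tunnel address, checks that an IPv6 NBMA address is paired with the ipv6 tunnel mode the post's variants 2, 4 and 6 call for, and flags a tunnel with no tunnel protection line, since in the "no crypto" variants GRE, NHRP registrations and the payload cross the transport in cleartext. The severity labels and the field names are this example's own choices.

```python
import re

# Constructed inputs: the IPv4 lines of the post's variant 1 hub and spoke configs.
HUB_CFG = """\
interface Tunnel0
 ip address 155.1.0.5 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 1
"""

SPOKE_CFG = """\
interface Tunnel0
 ip address 155.1.0.1 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp nhs 155.1.0.5 nbma 169.254.100.5 multicast
 ip nhrp network-id 1
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 1
"""

PATTERNS = {
    "address": r"ip address (\S+) \S+",
    "auth": r"ip nhrp authentication (\S+)",
    "network_id": r"ip nhrp network-id (\d+)",
    "tunnel_key": r"tunnel key (\d+)",
    "mode": r"tunnel mode (.+?)$",
    "protection": r"tunnel protection ipsec profile (\S+)",
}
MUST_MATCH = ("tunnel_key", "auth", "mode")   # GRE key, NHRP auth and mode must agree
SHOULD_MATCH = ("network_id",)                # locally significant on IOS; kept equal by convention


def parse_tunnel(cfg):
    """Pull the checked fields out of one 'interface Tunnel' stanza."""
    fields = {"nhs": []}
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"ip nhrp nhs (\S+) nbma (\S+)", line)
        if m:
            fields["nhs"].append((m.group(1), m.group(2)))
            continue
        for key, pat in PATTERNS.items():
            m = re.match(pat, line)
            if m:
                fields[key] = m.group(1)
    return fields


def check_pair(hub_cfg, spoke_cfg):
    """Return a list of findings for a hub/spoke pair; an empty list means consistent."""
    hub, spoke = parse_tunnel(hub_cfg), parse_tunnel(spoke_cfg)
    findings = []
    for key in MUST_MATCH + SHOULD_MATCH:
        if hub.get(key) != spoke.get(key):
            level = "ERROR" if key in MUST_MATCH else "WARN"
            findings.append(f"{level}: {key} differs: hub={hub.get(key)} spoke={spoke.get(key)}")
    if not spoke["nhs"]:
        findings.append("ERROR: spoke has no 'ip nhrp nhs' line")
    for proto, nbma in spoke["nhs"]:
        if proto != hub.get("address"):
            findings.append(f"ERROR: NHS {proto} is not the hub tunnel address {hub.get('address')}")
        # An IPv6 NBMA (transport) address requires 'tunnel mode gre multipoint ipv6'.
        if (":" in nbma) != spoke.get("mode", "").lower().endswith("ipv6"):
            findings.append(f"ERROR: NBMA {nbma} does not match tunnel mode '{spoke.get('mode')}'")
    for name, cfg in (("hub", hub), ("spoke", spoke)):
        if "protection" not in cfg:
            findings.append(f"WARN: {name} has no 'tunnel protection'; GRE, NHRP and payload are sent in cleartext")
    return findings


if __name__ == "__main__":
    for finding in check_pair(HUB_CFG, SPOKE_CFG) or ["no findings"]:
        print(finding)
```

Run against the variant 1 pair it reports only the two cleartext warnings; changing the spoke's NBMA to the IPv6 address from variant 2 without also changing the tunnel mode on both ends produces an error, which is exactly the edit the post lists under "add/change".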


How to get started for CCIE R&S


I searched but can't find an answer to this.

I have an All Access Pass... not sure how to get started on CCIE R&S, i.e. which videos match up with Cisco's CCIE v5 blueprint?

Any suggestions would be helpful.

 

Thanks in advance,

Kurt

EIGRP Unequal Cost Load Balancing (maths)


The SG has:

interface GigabitEthernet1.67
 delay 25
!
interface GigabitEthernet1.146
 delay 131
!
router eigrp 100
 variance 5

This question's mathematics baffles me. I have not done algebra since 1997.

I understand what needs to be done, but I do not understand the maths.

The solution guide goes from here (relative to this topic; don't worry about equal cost on R1):

The total delay of this path is 40 microseconds, or 4 tens of microseconds. Scaled by 256, R1 would be advertising 1024. Because R3's Feasible Distance of 1024 is equal to R6’s Feasible Distance, this path cannot be considered a Feasible Successor.

is this a typo?

to here:

Because the minimum configurable delay value is 10 microseconds, which is already the default for all Ethernet links, and based on task requirements, we need to modify R6's delay values on its VLAN 67 and VLAN 146 interfaces, so that metric through R1 is five times bigger than metric through R7.

Then the formulae, which I do not know how to solve. Was the 250 arbitrary?

5 * [Delay(Gi1.9) + Delay(Gi1.79) + Delay(Gi1.67)] = [Delay(Gi1.9) + Delay(Gi1.79) + Delay(Gi1.37) + Delay(Gi1.13) + Delay(Gi1.146)]
5 * [10 + 10 + Delay(Gi1.67)] = [10 + 10 + 10 + 10 + Delay(Gi1.146)]

I understand that the second line is a simplification of the first - but then how do you get the actual values for the delay on the interface? - It then suggests 250 - but I do not see the algebra workings:

If, for example, we configure delay on R6's VLAN 67 interface to be 250, in simple math we need to configure a delay value of 1310 on R6's VLAN 146 interface. This also means that configuring a variance of 5 will be enough so that both routes for VLAN 9 are installed in the routing table of R6 with the requested load distribution.

Was the 250 arbitrary, or does it have a direct correlation with the feasibility condition, and if so, how was it calculated? I don't mean that it's obviously 25 x 10s of microseconds; I mean, was this pulled out of a hat? Could we have used 500 and 2620?

250 + 20 = 270 * 5 which correlates to 1310 + 40 = 1350 

But how was this worked out using maths to satisfy both the feasibility condition and the 5x load balancing? Guesswork, or real algebra?

Thanks !
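The delay-only arithmetic behind the guide's variance task, as an added worked example that is not from the post or the INE solution guide. It assumes every hop keeps the default 10 microsecond Ethernet delay except R6's Gi1.67 and Gi1.146, and, like the guide's quoted equations, leaves the bandwidth term of the composite metric out, so that metric = 256 x (total delay in tens of microseconds); the interface names are the ones in the quoted equation. check_ucmp applies the two tests R6 runs before it will load-share: the feasibility condition (R1's reported distance must be strictly lower than R6's feasible distance through R7) and the variance multiplier (metric via R1 must not exceed variance x FD). delay_for_variance solves the guide's equation for the Gi1.146 delay given any chosen Gi1.67 delay, which is the general form of the 250/1310 pair.

```python
# Added example: delay-only EIGRP metric arithmetic for R6's two paths to the
# VLAN 9 prefix, using the solution guide's simplification (bandwidth term omitted).

SCALE = 256
DEFAULT_DELAY_US = 10  # default Ethernet interface delay, microseconds

# Hop-by-hop interfaces on each path, as listed in the guide's equation.
# R6's own outgoing interface is the last entry of each list.
PATH_VIA_R7 = ["Gi1.9", "Gi1.79", "Gi1.67"]
PATH_VIA_R1 = ["Gi1.9", "Gi1.79", "Gi1.37", "Gi1.13", "Gi1.146"]


def metric(delays_us):
    """Delay-only EIGRP metric: total delay in tens of microseconds, scaled by 256."""
    return SCALE * (sum(delays_us) // 10)


def path_delays(d67_us, d146_us):
    """Per-hop delay lists for both paths, given R6's two tuned interface delays."""
    tuned = {"Gi1.67": d67_us, "Gi1.146": d146_us}
    via_r7 = [tuned.get(i, DEFAULT_DELAY_US) for i in PATH_VIA_R7]
    via_r1 = [tuned.get(i, DEFAULT_DELAY_US) for i in PATH_VIA_R1]
    return via_r7, via_r1


def delay_for_variance(d67_us, variance):
    """Solve variance * (10 + 10 + D67) = 10 + 10 + 10 + 10 + D146 for D146.

    The two 10s on the left are Gi1.9 and Gi1.79; the four on the right add
    Gi1.37 and Gi1.13. All values are in microseconds.
    """
    return variance * (20 + d67_us) - 40


def check_ucmp(d67_us, d146_us, variance):
    """Return (feasible_successor, within_variance) for the path via R1.

    feasible_successor: R1's reported distance (the R1 path without R6's own
    Gi1.146 hop) is strictly lower than R6's feasible distance through R7.
    within_variance: the full metric via R1 is at most variance * FD.
    """
    via_r7, via_r1 = path_delays(d67_us, d146_us)
    fd = metric(via_r7)            # successor metric = feasible distance at R6
    rd_r1 = metric(via_r1[:-1])    # what R1 advertises to R6
    metric_r1 = metric(via_r1)
    return rd_r1 < fd, metric_r1 <= variance * fd


if __name__ == "__main__":
    print("defaults:", check_ucmp(10, 10, 5))          # (False, True): fails feasibility
    print("guide:", check_ucmp(250, 1310, 5))          # (True, True)
    print("Gi1.146 for Gi1.67=250:", delay_for_variance(250, 5))
```

With the default delays the path via R1 fails the feasibility condition (a reported distance of 1024 is not below R6's FD of 768 through R7), which is why the guide has to raise Gi1.67 before variance can do anything. With 250 and 1310 the path passes both tests and lands at exactly 5 x FD (34560 against 6912). The equation fixes Gi1.146 once Gi1.67 is chosen; the 250 itself is free, and delay_for_variance returns the matching Gi1.146 value for any other choice.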

 

VIRL or CML?


Hi everyone,

I'm hoping to build a virtual lab environment in which multiple students have access to their individual pods of about 6-7 routers, and all of the "pods" of virtual routers are contained within a single host server. I'd like this server to support maybe up to 15 pods, so we're talking about a maximum of 105 virtual routers running simultaneously, but with each grouping of 6-7 routers kept isolated from the others.

I've never built anything like this, and when it comes to server management or VMware I'm a complete newbie.

I'm thinking that VIRL or CML might work for what I need.  Any thoughts or real-world experience with either of these that you'd care to share?

 

Thanks!

ospf path selection about inter-area routes


Hi; 

 

I want to ask a simple question about OSPF. I've set up some topologies in which OSPF has behaved differently with regard to path selection for inter-area routes. As I know, and have even tested before, if an OSPF router wants to reach an inter-area route, it sends packets to the closest ABR, regardless of the end-to-end metric. But in some cases I'm seeing different behaviour; maybe I've tested on different IOSes. So which one is the Cisco OSPF rule for inter-area routes: sending packets to the nearest ABR, or using the path that has the lowest metric from the router to the inter-area route itself? Thanks.

OSPF ASBR Summary Not-Advertise vs NSSA-Only


There was a task on one of the OSPF labs that stated to filter a route from all areas other than area 3 using a summary statement.

 

I used the summary-address 160.1.10.10 255.255.255.254 nssa-only command which accomplished what the task asked as the route was filtered from all areas except area 3.

 

The solution provided used the summary-address 160.1.10.10 255.255.255.255 not-advertise command.

 

Both solved the task at hand and my verification checked out (route was only filtered where it was supposed to be and I could ping the loopback from all devices in area 3), nothing else was affected.

 

My question is, was my answer wrong? It fulfilled all the tasks and met all constraints. I would provide the exact question so that the full test-question legal speak could be investigated to see if there was some keyword that I missed, but I am not sure if I am allowed to do so. The lab was the OSPF NSSA ABR External Prefix Filtering lab. I have read the question 10 times and cannot find anything.

 

 

The only thing I found was that if I used a /32 with the NSSA command, R5 loses reachability to the prefix while it still has it in its routing table because it uses the null route. If I use a /31 summary which I did, everything works fine. The question did not explicitly state to use a /32, that's just what the answer they gave had.

 

I keep hearing the mantra that as long as the verification checks out and you follow all constraints, it does not matter how you solve the problem.

 

My concern is that when I sit the exam, if I do something like this it will cost me the question.

 

 

Any input?

 


CSR1000V Ignoring No Commands?


I have been noticing a lot lately while doing the INE OSPF labs on their CSR1000Vs that when I issue the no form of certain commands, the router will not remove the command, or worse, will only remove a section of it.

 

For example:

 

R5#sh run | s router ospf
router ospf 1
 area 3 nssa
 summary-address 0.0.0.0 0.0.0.0 not-advertise
 network 150.1.5.0 0.0.0.255 area 0
 network 155.1.0.0 0.0.0.255 area 0
 network 155.1.5.0 0.0.0.255 area 3
 network 155.1.45.0 0.0.0.255 area 0
 network 155.1.58.0 0.0.0.255 area 3
 neighbor 155.1.0.4
 neighbor 155.1.0.3
 neighbor 155.1.0.2
 neighbor 155.1.0.1
R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#router ospf 1
R5(config-router)#no  summary-address 0.0.0.0 0.0.0.0 not-advertise
R5(config-router)#do sh run | s router ospf
router ospf 1
 area 3 nssa
 summary-address 0.0.0.0 0.0.0.0 not-advertise
 network 150.1.5.0 0.0.0.255 area 0
 network 155.1.0.0 0.0.0.255 area 0
 network 155.1.5.0 0.0.0.255 area 3
 network 155.1.45.0 0.0.0.255 area 0
 network 155.1.58.0 0.0.0.255 area 3
 neighbor 155.1.0.4
 neighbor 155.1.0.3
 neighbor 155.1.0.2
 neighbor 155.1.0.1
R5(config-router)#no summary-address 0.0.0.0 0.0.0.0
R5(config-router)#do sh run | s router ospf
router ospf 1
 area 3 nssa
 network 150.1.5.0 0.0.0.255 area 0
 network 155.1.0.0 0.0.0.255 area 0
 network 155.1.5.0 0.0.0.255 area 3
 network 155.1.45.0 0.0.0.255 area 0
 network 155.1.58.0 0.0.0.255 area 3
 neighbor 155.1.0.4
 neighbor 155.1.0.3
 neighbor 155.1.0.2
 neighbor 155.1.0.1

 

 

I clearly told the router to remove the summary statement, but it would not until I dropped the option on the end.

 

Other times with nssa commands in particular, if I use the no form of the command with all the options, the router will just remove the options and not the main command.

 

Any ideas why this is happening?


 

No Practice Test Access Code for CCIE R&S v5.0 OCG Vol 1 and 2 Premium Editions


Hi All, 

Just wondering if anyone has any experience with my situation..

I bought both CCIE R&S v5.0 OCG Premium Edition eBook/Practice Test Vol 1 and 2 a few months back.

These should come with access codes so I can activate the practice tests on the test engine.

But in my case, the access codes won't show up in the "My account -> Digital Products" area. I tried to contact Cisco Press using their "contact us" page, but so far no one seems to care to reply.

Has anyone here run into the same issue? Who did you contact to get this sorted in the end?

 I'm not sure whom to contact when the official "contact us" is not responding.

 Any insight would be much appreciated.


Strange behavior in CCNP:Switch lab


This is just weird (and maybe I should be in one of the Rack-rental subfora, if so, sorry).

 

I have been working my way through the lab workbook tonight, and on loading the config for lab 1.4, I immediately see the following output on my console (I have only included one sample of the identical syslog outputs and config stanzas; however, I see the same messages from all the inter-switch links):

 

Switch-1

*Mar  1 00:25:02.785: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/10 (3), with Switch-2 FastEthernet0/10 (2).

(Same message for all 6 of the interswitch links):

Switch-2

*Mar  1 00:18:07.663: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/10 (3), with Switch-1 FastEthernet0/10 (2).

Switch-3
*Mar  1 00:18:11.435: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/15 (3), with Switch-1 FastEthernet0/15 (2).

So one would think that the switches are simply misconfigured... but this is not so! All the ports have the same base config (which was carried over from the last exercise, 1.3):

 

interface FastEthernet0/14
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 switchport trunk native vlan 3

I finally resorted to simply returning the native vlan to vlan 1 (with the command no switchport trunk vlan 3), which worked. But this makes no sense at all. Any thoughts? And again: I had made no changes to the config supplied by INE with the 300-115 Workbook. I don't get it. To put it mildly.

Connecting Switches to ESXi

Hello,

I need help with what the connection should be like. I have 20 CSR1000v VMs installed already on ESXi 5.5, but I am having issues with which connection goes to the internet and which goes to the ESXi.

And what config is supposed to be on the switch that connects to the ESXi server.

I think it is just to configure the port as a trunk port.

Regards

Gbolahan Adefila

Am I the only one totally bombing these?


Am I the only one totally bombing these?  I feel like any subject I give attention to in order to better myself at it, I end up regressing on one or two others.

Ex. My DMVPN, IPsec, and Multicast are not where they need to be, so I focus on them for a solid week or two at least. Then when I go back to something I'm competent at, it's like square one. Anyone got any advice? I try to revisit subjects I haven't messed with in a while each week (like QoS this week, DMVPN next week, then a brush-up on QoS the week after, etc.) but get totally exposed during the full TS labs.

 

Thanks.

OSPF: "Routing bit is set" not shown on CSR1000V 15.4.2


Hi,

In the lab "OSPF Forwarding Address Suppression", LSA-7 is translated to LSA-5. The task shows you how you can clear the FA with the suppress-fa keyword. This all works as expected, except that the line "routing bit is set" is missing.

I tried a clean config and pasted the workbook solution into the router. My setup behaves like the solution in the workbook, except for the line "routing bit is set".

As the route is installed in the routing table as expected, I now believe this is a display bug.

Any ideas?

Thanks,

Erwin

netflow sampler question


Dears,
I have to configure the following example:
Configure NetFlow that displays the 3 top talkers for ICMP traffic and randomly samples traffic at a rate of one out of 5 packets. I have found the two methods below to configure it. Can someone please explain the difference:

1st:
----
flow-sampler ICMP
 mode random one-out-of 5
ip access-list extended ICMP_ACL
 permit icmp any any
class-map ICMP_CMAP
 match access-group name ICMP_ACL
policy-map ICMP_PMAP
 class ICMP_CMAP
  netflow-sampler ICMP
ip flow-top-talkers
 top 3
 sort-by packets
 match class-map ICMP_CMAP

2nd:
-----
flow-sampler ICMP
 mode random one-out-of 5
ip flow-top-talkers
 top 3
 sort-by packets
 match protocol 1
 match flow-sampler ICMP

 

software to draw network topology !


hi INE

 

If you do not mind, could you please tell me what software you use to draw your topologies?


thanks, 

PoE still in new "SWITCH" exam?


Hi everyone,

I've noticed that in the CCNP Switch 300-115 blueprint on the Cisco website, there is no mention of PoE (Power over Ethernet). However in the Cisco Press Official 300-115 Switch Certification Guide it DOES have a section on PoE.

Has anyone on this forum taken the new test yet and can confirm, or deny, if you saw any questions related to PoE?

Thanks!

Keith


Issue with FCOE E-ports on N7k


Hi, 

I am trying to configure a vfc in the storage VDC on an N7K, but I am getting some errors. I would be grateful if you could support me and let me know what is required to make it work. Thank you.

DEFAULT VDC-CONFIG:
============================================
vdc N7KA-vdc1 id 1
 limit-resource module-type f1
 cpu-share 5
 allocate interface Ethernet4/1-4
!
vdc storage id 4 type storage
 limit-resource module-type f1
 allow feature-set fcoe
!
vdc storage id 4
 allocate fcoe-vlan-range 100 from vdcs N7KA-vdc1
 allocate shared interface Ethernet4/1-4

STORAGE VDC-CONFIG:
!============================================
vlan 1,100
vlan 100
 fcoe vsan 100
!
vsan database
 vsan 100
!
interface Ethernet4/1
 no shutdown

!============================================

 

Now when I first create the VFC and configure it as E, I cannot bind it to the interface:

storage(config)# int vfc1
storage(config-if)# switchport mode e
storage(config-if)# bind int e4/1
ERROR: fcoe_mgr: VFC not bound (err_id 0x42070009)

 

When I do it in the opposite order, I get an error as well:
storage(config)# int vfc1
storage(config-if)# bind int e4/1
storage(config-if)# switchport mode e
vfc1: (error) configuration of this port mode not allowed

Can you advise if there is any limitation (I got the same issue on N7K-F132XP-15 & N7K-F248XP-25E; I am running n7000-s2-dk9.6.2.8a.bin) or config change required to make it work?

Maybe it is related to dedicated/shared interfaces:

N7KA-vdc1(config-if)# sh int e4/1
Ethernet4/1 is up
admin state is up, Dedicated(Shared) Interface
!
storage# sh int e4/1
Ethernet4/1 is up
admin state is up, Shared Interface

If so, how do I change it? (When I tried to change it in the Eth VDC I got a message that the rate-mode is fixed; when I apply it in the storage VDC it looks like the command is not accepted, i.e. it is not in the config.)

Thank you,
hidd 

Multicast over DMVPN


I'm trying to test PIM dense mode over DMVPN and the results I got shocked me. As per classic NBMA behaviour, when a spoke sends a prune message, the other spokes cannot hear it and can't send prune overrides. So, the traffic is pruned if at least 1 spoke doesn't want it.

However, this is the result I got from testing it.

Topology Description

A DMVPN exists between R1,R2 and R3 over the subnet 172.16.123.0/24. A sender 172.16.1.6 is connected at the hub and sending multicast traffic to the group 226.6.6.6. A receiver exists behind R2 at 172.16.25.5. No receivers exist behind R3.

Summary of my findings
- R3 sends prune to R1
- R1 forward the prune back to R2 and R3, it wants to prune the group (172.16.1.6,226.6.6.6) ---- This is where things got interesting!
- R2 replies with a join back to R1 for (172.16.1.6,226.6.6.6) - Prune override (expected)
- R1 doesn't prune the traffic


I noticed that each time R3 sends a prune, R1 forwards the prune out to R2 also. R2 replies with a prune override and the result is that the traffic is not pruned.

Is this an optimization for PIM dense mode to run well over NBMA, or am I missing something here?

R3 sends prune
Jan 17 09:44:17.092: PIM(0): Insert (172.16.1.6,226.6.6.6) prune in nbr 172.16.123.1's queue
*Jan 17 09:44:17.092: PIM(0): Building Join/Prune packet for nbr 172.16.123.1
*Jan 17 09:44:17.092: PIM(0):  Adding v2 (172.16.1.6/32, 226.6.6.6) Prune
*Jan 17 09:44:17.092: PIM(0): Send v2 join/prune to 172.16.123.1 (Tunnel0)


R1 forwards the prune to both R2 and R3, R3 gets it but ignores it
Jan 17 09:44:17.111: PIM(0): Received v2 Join/Prune on Tunnel0 from 172.16.123.1, not to us
*Jan 17 09:44:17.112: PIM(0): Prune-list: (172.16.1.6/32, 226.6.6.6)

R1 forwards the prune to both R2 and R3, but R2 replies with prune override (join)
Jan 17 09:44:17.115: PIM(0): Received v2 Join/Prune on Tunnel0 from 172.16.123.1, not to us
*Jan 17 09:44:17.115: PIM(0): Prune-list: (172.16.1.6/32, 226.6.6.6)
*Jan 17 09:44:17.115: PIM(0): Set join delay timer to 500 msec for (172.16.1.6/32, 226.6.6.6) on Tunnel0
*Jan 17 09:44:17.534: PIM(0): Insert (172.16.1.6,226.6.6.6) join in nbr 172.16.123.1's queue
*Jan 17 09:44:17.535: PIM(0): Building Join/Prune packet for nbr 172.16.123.1
*Jan 17 09:44:17.535: PIM(0):  Adding v2 (172.16.1.6/32, 226.6.6.6) Join
*Jan 17 09:44:17.535: PIM(0): Send v2 join/prune to 172.16.123.1 (Tunnel0)

As a Result, R1 doesn't prune the traffic
*Jan 17 09:44:17.539: PIM(0): Received v2 Join/Prune on Tunnel0 from 172.16.123.2, to us
*Jan 17 09:44:17.540: PIM(0): Join-list: (172.16.1.6/32, 226.6.6.6)
*Jan 17 09:44:17.540: PIM(0): Update Tunnel0/172.16.123.2 to (172.16.1.6, 226.6.6.6), Forward state, by PIM SG Join

 

QoS: Burst Committed rate in policing or traffic shaping


Hi all,

 

I am looking into the calculation for burst committed during my studies specifically for policing and traffic shaping. In 2 very similar questions as part of the v5 workbook, the burst size needs to be calculated relating to a policing instance then a traffic shaping instance, but the formulas to answer the question are different.

 

I am slightly confused as to why we have these differences. I understand the overall formula is Bc = CIR (bps) * Tc (ms) / 1000 = ... bytes? Shouldn't this be used across the board?

 

Questions specifically and math behind it listed below for completeness:

 

Policing

Ensure that the burst size is large enough to accommodate normal and excess burst durations of 200ms and 300ms at a rate of 128Kbps.

Bc = 128000 * 0.2 / 8 = 3200 bytes

Be = 128000 * 0.3 / 8 = 4800 bytes

Bc = CIR (bps) * Tc (0.2 s, i.e. 200 ms) / 8 = 3200 bytes

 

Traffic Shaping

Configure MQC shaping on R6 to limit the sending rate on its link to VLAN 146 to 384Kbps.

Use a burst interval (Tc) of 20ms.

Bc=CIR*Tc/1000

384000 x 20 / 1000 = 7680 

 

I just need some clarity as to why I use one format for policing and another for traffic shaping.

Any help would be much appreciated.

Thanks

 

Eric
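Both calculations from the post written out side by side, as an added example that is not from the post or the INE workbook, with the unit each IOS MQC command expects made explicit. The assumption it rests on is a fact about MQC syntax rather than something the post states: police <bps> <bc> <be> takes its burst values in bytes, whereas shape average <bps> <bc> <be> takes them in bits. Both start from the same token-bucket relation Bc = CIR x Tc; the policing case divides by 8 because the command wants bytes, the shaping case does not. The function names are this example's own.

```python
# Added example: the same Bc = CIR * Tc arithmetic for both MQC cases, with the
# final unit chosen to match the command the value is typed into.

def burst_bits(cir_bps, interval_ms):
    """Bits that accumulate in interval_ms milliseconds at cir_bps bits per second."""
    return cir_bps * interval_ms // 1000


def police_bursts_bytes(cir_bps, bc_ms, be_ms):
    """(Bc, Be) in bytes for 'police', from the normal and excess burst durations.

    The policer command takes bytes, so the bit count is divided by 8.
    """
    return burst_bits(cir_bps, bc_ms) // 8, burst_bits(cir_bps, be_ms) // 8


def shape_bc_bits(cir_bps, tc_ms):
    """Bc in bits for 'shape average', from the shaping interval Tc.

    The shaper command takes bits, so no division by 8 is applied.
    """
    return burst_bits(cir_bps, tc_ms)


def police_command(cir_bps, bc_ms, be_ms):
    """Render the policy-map class line for the policing task."""
    bc, be = police_bursts_bytes(cir_bps, bc_ms, be_ms)
    return f"police {cir_bps} {bc} {be}"


def shape_command(cir_bps, tc_ms):
    """Render the policy-map class line for the shaping task."""
    return f"shape average {cir_bps} {shape_bc_bits(cir_bps, tc_ms)}"


if __name__ == "__main__":
    # The two workbook tasks quoted in the post.
    print(police_command(128000, 200, 300))   # police 128000 3200 4800
    print(shape_command(384000, 20))          # shape average 384000 7680
```

The numbers the post arrives at (3200 and 4800 bytes, 7680 bits) are what the two functions return for the quoted tasks; the only difference between the "formats" is the divide by 8 that converts bits to the bytes the policer expects.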

History enable


Please, how do I enable history for configuration commands in Cisco IOS?

Thanks

DMVPN ESP Tunnel Over NAT


Motivated by http://ieoc.com/forums/p/31591/251685.aspx#251685, I decided to lab the effects of ESP in tunnel mode over NAT.

Topology

R2---------10.0.23.2--------------------10.0.23.3-------------R3----------------10.0.34.3-------------10.0.34.4---------------R4

R3 NAT
access-list 10 permit 10.0.23.0 0.0.0.255
ip nat inside source list 10 interface Ethernet0/1 overload

R2 Tunnel Config

interface Tunnel0
 ip address 192.168.24.2 255.255.255.0
 no ip redirects
 ip nhrp network-id 10
 ip nhrp nhs 192.168.24.4 nbma 10.0.34.4 multicast
 ip nhrp registration timeout 10
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile P
end

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.0.34.4
crypto ipsec transform-set ESP esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec profile P
 set transform-set ESP

R3 Tunnel and crypto config

interface Tunnel0
 ip address 192.168.24.4 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile P
end

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set ESP esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec profile P
 set transform-set ESP

Results of the nhrp mapping on the hub (R4)

192.168.24.2/32 via 192.168.24.2
   Tunnel0 created 00:29:39, expire 01:59:51
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.0.23.2 ------------------------------This is meant to show claimed address normally... why????

However, traffic forwarding between the hub and spoke uses the correct NBMA IP 10.0.34.3 (outside IP of the NAT router).

This is debug on the NAT router
*Jan 23 18:57:33.123: NAT*: o: udp (10.0.34.4, 4500) -> (10.0.34.3, 4500) [10595] - the correct destination is used
*Jan 23 18:57:33.123: NAT*: s=10.0.34.4, d=10.0.34.3->10.0.23.2 [10595]

However, the correct destination doesn't show up on the hub in the NHRP or CEF table.

IOU4(config-router)#do sh ip cef 192.168.24.2 inter
192.168.24.2/32, epoch 0, flags attached, refcount 5, per-destination sharing
  sources: Adj
  subblocks:
   Adj source: IP midchain out of Tunnel0, addr 192.168.24.2 B4FE5B78
    Dependent covered prefix type adjfib, cover 192.168.24.0/24
  ifnums:
   Tunnel0(22): 192.168.24.2
  path B348A708, path list B32AC01C, share 1/1, type adjacency prefix, for IPv4
  attached to Tunnel0, adjacency IP midchain out of Tunnel0, addr 192.168.24.2 B4FE5B78
  output chain: IP midchain out of Tunnel0, addr 192.168.24.2 B4FE5B78 punt==========THIS PART LOOK WEIRD?????

Upon changing the transform set to transport mode on both routers

sh ip nhrp

192.168.24.2/32 via 192.168.24.2
   Tunnel0 created 00:00:08, expire 01:59:58
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.0.34.3
    (Claimed NBMA address: 10.0.23.2)  ==============this is the correct output

sh ip cef

192.168.24.2/32, epoch 0, flags attached, refcount 5, per-destination sharing
  sources: Adj
  subblocks:
   Adj source: IP midchain out of Tunnel0, addr 192.168.24.2 B4FE5B78
    Dependent covered prefix type adjfib, cover 192.168.24.0/24
  ifnums:
   Tunnel0(22): 192.168.24.2
  path B36A8F00, path list B32AC01C, share 1/1, type adjacency prefix, for IPv4
  attached to Tunnel0, adjacency IP midchain out of Tunnel0, addr 192.168.24.2 B4FE5B78
  output chain: IP midchain out of Tunnel0, addr 192.168.24.2 B4FE5B78 IP adj out of Ethernet0/0, addr 10.0.34.3 B4FE5CA8=================Correct output

Experts please???




 
