Comments on a blog for CCIE SP and Security ....: VRF aware DMVPN with dual ISP on Single HUB + autofailover (using iVRF and FVRF)

Greg Hackney - CCIE R&S 41704 (2013-12-26T20:02:36.803+04:00):

I think this is my favorite GNS3 lab so far, thank you!

Swapnendu (2010-07-20T00:47:23.877+04:00):

Gmail I meant..

Swapnendu (2010-07-20T00:46:42.516+04:00):

What source IP address are you matching to NAT? It should be the private LAN IP of the spokes.

Post me your configs and topology.

This should work without VRF.

Swap
ccie19804 AT gm@i@l dot COM

Laurent (http://aitaseller.wordpress.com/) (2010-07-16T16:47:45.032+04:00):

DMVPN and INTERNET VIA HUB ISSUES
-------------------------------------

Hello,

I really wish that you can help me with the issue I have. If you have an e-mail I can send you the configs and drawing.

Let me explain. I have to test a Dual Hub - Dual DMVPN layout for a customer before we configure it in real production.
The customer has some sites where routers are behind some ISP routers which are doing NAT.

How things are configured:

- All the traffic from spokes has to go via the Hub location, so no local Internet traffic on spokes.
- Hub 1 and Hub 2 send a default route to spokes via EIGRP. But only Hub 1 is used.
- Hub 1 is the primary router for DMVPN. In case of hardware/connection to Internet failure, Hub 2 becomes active for DMVPN and Internet.
- Hub 1 and Hub 2 are both connected to one ISP and are the Internet gateway for spokes.
- Hub 1 and Hub 2 are configured with IOS Firewall.
- On spokes I have used VRF to separate the DMVPN routing table from the global routing table so I could receive a default route from Hub 1 and Hub 2 to route traffic from spokes to the Internet via the Hub location.

What is working:

- All spokes can have access to the local LAN at the Hub location.
- All spokes can do spoke to spoke.
- Failover is working for DMVPN.
- Spokes NOT behind a NAT ISP router (that is to say, having the public IP address directly attached at their outside interface) can go to the Internet via the hub location, and all packets are inspected correctly by the IOS firewall and NATed correctly.

What is not working:

- Spokes behind a NAT ISP router cannot reach the Internet through the Hub location. They can only reach the local LAN at the Hub location and do spoke to spoke.
  On the hub router the IOS firewall sees the packets coming from these spokes (behind NAT) with a source IP address which is the public IP address of the ISP router outside interface, not the LAN private IP address behind the spoke.
  Moreover, packets are never NATed. If I do some sniffing on an Internet server, the source private IP address is the LAN IP address of the LAN behind the spoke. That means that the Hub router never NATs these packets.

How to solve this problem?

Well, I don't know, that is why I need your help/advice :-)
I don't know if I should configure a VRF on the hub location also, as maybe things get messed up.
The problem seems to be coming from NAT-T, as the spokes which aren't behind NAT can go on the Internet fine through the Hub and both Cisco IOS inspection and NAT are working fine.
As I was testing today with the customer, at the beginning the spoke behind NAT could ping different servers on the Internet but not open an HTTP session. DNS was working fine. The IOS Firewall was actually inspecting packets with the real private IP address. Then I thought that it was an MTU issue, so I decided to ping out to the Internet with a bigger MTU size, and suddenly the pings were not going through anymore.
I could see on the Hub1 router that the IOS firewall was inspecting the public IP address of the ISP NAT router at the spoke side again and not the real private IP address anymore. Really strange!

Best Regards,
Laurent