
Understand DMVPN, check the DMVPN state (show dmvpn) and go from there, but here are the general rules.

Basic checks
1. Compare the spoke's NHS (ip nhrp nhs) to the hub's tunnel IP address.
2. Make sure the spoke's NHS points to the hub's tunnel IP address, not to the hub's NBMA address.
3. Make sure the spoke's multicast mapping (ip nhrp map multicast) points to the hub's NBMA address.
4. Check that the NHRP authentication strings (ip nhrp authentication) match exactly between hub and spoke (plain text, at most eight characters).
5. Check the tunnel source interfaces on hub and spoke; the NBMA address is whatever the tunnel source resolves to.
6. Ensure the hub can reach the spoke's NBMA address and vice versa (underlay reachability, before looking at anything inside the tunnel).
7. Ensure NAT-T is enabled if a NAT device exists in the path between hub and spoke (it is on by default in IOS; make sure nobody has turned it off with no crypto isakmp nat-traversal).

--- Misconception: NAT-T is enabled on the IPsec peers, i.e. the spoke and the hub. It does not need to be enabled on the NAT device in the path, unless the spoke or hub is itself the NAT device.

ISAKMP

show run | section crypto

1. Make sure the DH groups are the same on hub and spoke (usually 2, which is 1024-bit, or 14, which is 2048-bit; group 2 is deprecated, so use 14 or higher outside the lab).

2. Make sure the ISAKMP pre-shared keys are the same on hub and spoke.
3. Verify the ISAKMP key address is the correct NBMA address of the peer hub or peer spoke (0.0.0.0 is a wildcard: poor practice in the real world, but great for the exam unless you are told not to use it).

4. Ensure the encryption (and the hash and authentication method) is the same under the ISAKMP policy on both sides.

IPsec

show run | section crypto

1. Ensure the mode is set explicitly under the transform set (mode transport or mode tunnel) and matches on both sides; transport is the usual choice for DMVPN/R&S because GRE already encapsulates the traffic.

2. Ensure the transform set encryption and hash algorithms match on hub and spoke (esp-aes, i.e. AES-128, is most often used for encryption, followed by the hash, e.g. esp-sha-hmac).

3. Ensure the transform set NAME matches the name referenced by set transform-set in the IPsec profile.

4. Ensure the IPsec profile is applied to the tunnel interface (tunnel protection ipsec profile [IPSEC PROFILE NAME]).

--- Misconception: sometimes you may see the keyword "shared" after the IPsec profile name. It just means that several tunnel interfaces with the same tunnel source can use the same IPsec profile and share its SADB; it should not cause you an issue.

Routing
----------------

1. For DMVPN Phase 3, ensure ip nhrp redirect is on the hub and ip nhrp shortcut is on the spokes.

--- Misconception: you can also use no ip split-horizon eigrp and no ip next-hop-self eigrp in Phase 3, but next-hop-self is unnecessary there (NHRP redirect/shortcut installs the spoke-to-spoke path even when the hub stays the next hop); split horizon still has to be disabled on the hub unless the hub only advertises a summary or default route to the spokes.

2. If no neighbor establishes, double check the NBMA multicast mapping on the spoke (ip nhrp map multicast [hub NBMA]) and ensure the multicast hellos are not being blocked on the path.

3. If DMVPN Phase 2, configure no ip split-horizon eigrp and no ip next-hop-self eigrp on the hub tunnel interface so spokes learn each other's prefixes with the spoke as next hop.

4. Make sure you are not advertising the NBMA address through the routing protocol running over the tunnel; otherwise the tunnel destination becomes reachable through the tunnel itself (recursive routing) and the tunnel flaps. BLOCK IT FROM EITHER BEING REDISTRIBUTED OR FROM GOING OUT THE TUNNEL INTERFACE (a distribute-list, or network statements that do not cover the NBMA address).

5. Ensure you have the correct advertisements coming from the hub: specific routes, summary routes and/or a default route.
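Added example, not code from the original notes: a small Python checker that walks this checklist (basic checks, ISAKMP, IPsec, Phase 3 redirect/shortcut and the NBMA leak) over two IOS-style running-config excerpts. HUB and SPOKE are constructed sample data trimmed to the lines the checks read and seeded with typical faults (NHS pointing at the NBMA, multicast mapped to the tunnel IP, auth case mismatch, DH group mismatch, profile naming a missing transform set, no shortcut on the spoke, hub advertising its NBMA network); the helper names parse, find, sub and check are my own. It reads only configuration, so it complements show dmvpn / show crypto isakmp sa / show crypto ipsec sa on the routers rather than replacing them.

```python
"""Added example, not from the original notes: a static checker that walks the
DMVPN checklist above over two IOS-style config excerpts.  HUB and SPOKE are
constructed sample data seeded with typical faults; helper names are my own."""
import ipaddress
import re

HUB = """\
crypto isakmp policy 10
 encr aes
 group 14
crypto isakmp key DMVPNKEY address 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile DMVPN
 set transform-set TS
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp redirect
 tunnel source 203.0.113.1
 tunnel protection ipsec profile DMVPN
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 203.0.113.0 0.0.0.255
"""
SPOKE = """\
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp key DMVPNKEY address 203.0.113.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile DMVPN
 set transform-set TS-OLD
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication nhrpkey
 ip nhrp map multicast 10.0.0.1
 ip nhrp nhs 203.0.113.1
 tunnel source 198.51.100.2
 tunnel protection ipsec profile DMVPN
router eigrp 1
 network 10.0.0.0 0.0.0.255
"""

def parse(cfg):  # map each top-level IOS line to the list of its indented sub-lines
    sections, cur = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if line[0] != " ":
            cur = sections.setdefault(line.strip(), [])
        else:
            cur.append(line.strip())
    return sections

def find(sections, prefix):  # first top-level line starting with prefix, or None
    return next((k for k in sections if k.startswith(prefix)), None)

def sub(lines, prefix):  # first token after prefix in a section body, or None
    return next((l[len(prefix):].split()[0] for l in lines if l.startswith(prefix)), None)

def check(hub_cfg, spoke_cfg, phase=3):  # -> [(code, detail)]; [] means the pair passed
    H, S = parse(hub_cfg), parse(spoke_cfg)
    ht, st = H[find(H, "interface Tunnel")], S[find(S, "interface Tunnel")]
    hub_tun_ip, hub_nbma, f = sub(ht, "ip address "), sub(ht, "tunnel source "), []
    # Basic checks 1-4: NHS = hub tunnel IP (never the NBMA), multicast map = hub NBMA, auth strings match
    if sub(st, "ip nhrp nhs ") != hub_tun_ip:
        f.append(("nhs", f"spoke nhs {sub(st, 'ip nhrp nhs ')} is not the hub tunnel IP {hub_tun_ip}"))
    if sub(st, "ip nhrp map multicast ") != hub_nbma:
        f.append(("multicast", f"spoke multicast map is not the hub NBMA {hub_nbma}"))
    if sub(ht, "ip nhrp authentication ") != sub(st, "ip nhrp authentication "):
        f.append(("nhrp-auth", "NHRP authentication strings differ (compared byte for byte)"))
    # ISAKMP: DH group, encryption and pre-shared key must match; group 2 is only 1024-bit DH
    hp, sp = H[find(H, "crypto isakmp policy")], S[find(S, "crypto isakmp policy")]
    for attr in ("group ", "encr "):
        if sub(hp, attr) != sub(sp, attr):
            f.append(("isakmp-" + attr.strip(), f"hub {sub(hp, attr)} vs spoke {sub(sp, attr)}"))
    if "2" in (sub(hp, "group "), sub(sp, "group ")):
        f.append(("weak-dh", "DH group 2 is deprecated; use group 14 or stronger"))
    hk, sk = (re.match(r"crypto isakmp key (\S+) address (\S+)", find(X, "crypto isakmp key")) for X in (H, S))
    if hk[1] != sk[1]:
        f.append(("psk", "ISAKMP pre-shared keys differ"))
    if "0.0.0.0" in (hk[2], sk[2]):
        f.append(("psk-wildcard", "0.0.0.0 peer wildcard: fine for the exam, poor practice in production"))
    # IPsec: the profile named under tunnel protection must exist and point at an existing transform set
    for dev, X, tun in (("hub", H, ht), ("spoke", S, st)):
        prof = find(X, f"crypto ipsec profile {sub(tun, 'tunnel protection ipsec profile ')}")
        ts = sub(X[prof], "set transform-set ") if prof else None
        if prof is None or find(X, f"crypto ipsec transform-set {ts} ") is None:
            f.append((f"{dev}-ipsec", f"{dev}: profile {prof} / transform set {ts} missing or not applied"))
    # Routing: Phase 3 needs redirect on the hub and shortcut on spokes; never advertise the NBMA address
    for dev, tun, kw in (("hub", ht, "ip nhrp redirect"), ("spoke", st, "ip nhrp shortcut")):
        if phase == 3 and kw not in tun:
            f.append((kw.split()[-1], f"{dev} tunnel lacks {kw}"))
    for dev, X, nbma in (("hub", H, hub_nbma), ("spoke", S, sub(st, "tunnel source "))):
        for p in (l.split() for l in X.get(find(X, "router eigrp"), []) if l.startswith("network ")):
            if len(p) == 3 and ipaddress.ip_address(nbma) in ipaddress.ip_network((p[1], p[2]), strict=False):
                f.append((f"{dev}-nbma-leak", f"{dev}: network {p[1]} {p[2]} covers NBMA {nbma}; filter it"))
    return f

for code, detail in check(HUB, SPOKE):
    print(f"{code:15} {detail}")
```

Run as-is it prints one finding per line for the seeded pair; `check` returns an empty list once both configs agree, and `phase=2` skips the redirect/shortcut test so the same function serves a Phase 2 pair. The EIGRP network check uses the wildcard form (network A W), which is the form the notes assume; classful network statements without a wildcard are skipped.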
