From: Mark Cairns (m.a.cairns@gmail.com)
Date: Wed Feb 11 2009 - 12:09:01 ARST
If you want to run DMVPN with a load balanced hub design, you must run
12.4(15)T6 or later. There is an internal bug where the NHRP cache and IPSec
get out of sync and you can experience asymmetrical routing for spoke to
spoke traffic. In this case traffic from Spoke A to Spoke B would go
directly between the sites while return traffic would go Spoke B to Hub B to
Hub A to Spoke A. This occurs for traffic between spokes that are load
balanced to different hubs. The initial tunnel builds and works correctly
but as refresh timers get out of sync, the NHRP resolution breaks in one
direction and causes the traffic to route through the hubs. You can see a
DMVPN log message that repeats on Spoke B for a resolution error when this
occurs.
Good luck,
Mark
#17755, Security
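Two checks a practitioner would want when running the load-balanced hub design Mark describes: whether a spoke's IOS train meets the 12.4(15)T6 floor, and whether the NHRP cache and the IPsec SA table have drifted apart (a dynamic spoke-to-spoke NHRP entry whose NBMA peer has no IPsec SA). This is an added example, not code from the thread or from Cisco; the `show ip nhrp` and `show crypto ipsec sa` samples are constructed and their layout is assumed, so adjust the regexes to your platform's actual output.

```python
"""Added example: sanity checks for a load-balanced DMVPN hub design.

Both command outputs below are constructed samples whose layout is assumed
to resemble IOS 'show ip nhrp' and 'show crypto ipsec sa'; they are not
captured from a real device.
"""
import re

# --- 1. IOS version floor (12.4(15)T6 or later in the 12.4T train) ---------

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)$")


def parse_ios_version(version):
    """Turn '12.4(15)T6' into (12, 4, 15, 'T', 6) so tuples compare in order."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised IOS version string: %r" % version)
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train, int(rebuild or 0))


def meets_minimum(version, minimum="12.4(15)T6"):
    """True/False within the same release/train; None when the train differs
    (e.g. 12.4 mainline vs 12.4T), because those cannot be ordered by number."""
    v, m = parse_ios_version(version), parse_ios_version(minimum)
    if v[:2] != m[:2] or v[3] != m[3]:
        return None
    return v >= m


# --- 2. NHRP cache vs IPsec SA consistency ----------------------------------

SHOW_IP_NHRP = """\
10.1.1.2/32 via 10.1.1.2
   Tunnel0 created 00:12:31, expire 01:47:28
   Type: dynamic, Flags: router used nhop
   NBMA address: 192.0.2.2
10.1.1.3/32 via 10.1.1.3
   Tunnel0 created 00:03:10, expire 01:56:50
   Type: dynamic, Flags: router used nhop
   NBMA address: 192.0.2.3
10.1.1.1/32 via 10.1.1.1
   Tunnel0 created 2d01h, never expire
   Type: static, Flags: used
   NBMA address: 198.51.100.1
"""

SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel0
   current_peer 192.0.2.2 port 500
     #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
   current_peer 198.51.100.1 port 500
     #pkts encaps: 99871, #pkts encrypt: 99871, #pkts digest: 99871
"""

ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via ")
TYPE_RE = re.compile(r"Type:\s*(\w+)")
NBMA_RE = re.compile(r"NBMA address:\s*(\S+)")


def parse_nhrp_cache(text):
    """Return a list of {'tunnel': ..., 'type': ..., 'nbma': ...} entries."""
    entries, current = [], None
    for line in text.splitlines():
        head = ENTRY_RE.match(line)
        if head:
            current = {"tunnel": head.group(1), "type": None, "nbma": None}
            entries.append(current)
            continue
        if current is None:
            continue
        t = TYPE_RE.search(line)
        if t:
            current["type"] = t.group(1)
        n = NBMA_RE.search(line)
        if n:
            current["nbma"] = n.group(1)
    return entries


def ipsec_peers(text):
    """Set of NBMA peer addresses that currently have an IPsec SA."""
    return set(re.findall(r"current_peer\s+(\S+)", text))


def find_unsynced_nhrp_entries(nhrp_text, ipsec_text):
    """Tunnel addresses of dynamic NHRP entries whose NBMA peer has no IPsec SA.

    A non-empty result is the cache/IPsec mismatch that sends spoke-to-spoke
    return traffic back through the hubs."""
    peers = ipsec_peers(ipsec_text)
    return [e["tunnel"] for e in parse_nhrp_cache(nhrp_text)
            if e["type"] == "dynamic" and e["nbma"] not in peers]


if __name__ == "__main__":
    print("12.4(15)T5 meets floor:", meets_minimum("12.4(15)T5"))
    print("unsynced NHRP entries:",
          find_unsynced_nhrp_entries(SHOW_IP_NHRP, SHOW_CRYPTO_IPSEC_SA))
```

Run the consistency check on both spokes of a pair that hash to different hubs; an entry reported on only one side matches the one-directional resolution failure described above, and pairing it with the repeating NHRP resolution-error log on that spoke gives a clear signal without waiting for users to notice the detour via the hubs.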
On Wed, Feb 11, 2009 at 1:42 AM, voice guru <guru.voice@gmail.com> wrote:
> Thank you all for the input and good suggestions... so the conclusion here
> is as follows:
>
> L2 Encryption
>
> AFAIK it wouldn't work over MPLS cloud, the L2 encryptors would need point
> to point connectivity.
>
> MBGP with Controlling your own routing domain
>
> Fairly reasonable, but again we are sharing most of the info with the SP, and
> usually SPs don't allow outsiders to play with their boxes. May not be
> possible in our environment.
>
> DMVPN
>
> Looks like the only option available to me, but requires a very careful design
> and implementation strategy. Any expert advice in this regard?
>
> Thank you all for your input.
>
> Thanks,
> Guru
>
>
> Blogs and organic groups at http://www.ccie.net
>
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST