DMVPN Caveats

From Baranoski.ca
Jump to navigation Jump to search

NBMA Address Conflicts

DMVPN routers must have a unique NBMA address. Any address conflict will interrupt traffic to a remote site, or possibly cause other erratic behavior.

Where you would see this is in the situation where you have DMVPN routers behind another device that is doing NAT (ie. an LTE or DSL modem). If you have standardized on a certain line of modems, and the modems are a DHCP server for their LAN interface, it is very likely that two or more DMVPN routers will get the same private IP address on their WAN interfaces. See below: 

HUB1#sho ip nhrp 10.10.10.3
10.10.10.3/32 via 10.10.10.3
   Tunnel1 created 4d14h, expire 00:02:28
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 192.168.0.2

When there are no conflicts, DMVPN is smart enough to use the actual public IP of the modem to reach the DMVPN router behind the NAT. However, when there is a conflict, I can only assume that DMVPN thinks the two or more routers are all the same router.

To work around this issue, do one of the following:

  • Statically set the private WAN IP on the DMVPN routers, and keep them unique
  • Many modems have an "IP Passthrough" option, where a single host behind the modem receives the public IP that is assigned to the WAN of the modem


Routes Inadvertently Matching The NBMA Address

As noted above, a remote DMVPN router might be behind a modem doing NAT, and the router gets a private IP. Also noted above, in normal operation, DMVPN is smart enough to use the real public WAN IP and not the NBMA address to reach the remote router. There is an exception to this: more specific routes.

It is common practice to null route private IP space on a router that faces the Internet. This prevents leakage of traffic destined to private IPs that are otherwise not found in the private network from getting punted to the default gateway. Similarly, one might create static routes on their DMVPN hub router for all private IP space pointing to the first router on the hub LAN. This way, any private IP that is not found through DMVPN will get punted to the hub's LAN.

In both of these examples, traffic destined to a route router behind a modem will be sent to the null interface or to the LAN router at the hub.

To get around this, do one of the following:

  • Use the IP Passthrough option of the modem to get a public IP
  • Remove or tighten up the static routes
  • Use a routing protocol instead of static routes
Retrieved from "https://baranoski.ca/index.php?title=DMVPN_Caveats&oldid=428"