DMVPN Caveats

From Baranoski.ca

Revision as of 13:59, 29 May 2019 by Casey

NBMA Address Conflicts

DMVPN routers must have a unique NBMA address. Any address conflict will interrupt traffic to a remote site, or possibly cause other erratic behavior.

You will typically see this when DMVPN routers sit behind another device that performs NAT (i.e. an LTE or DSL modem). If you have standardized on a particular line of modems, and those modems act as a DHCP server on their LAN interface, it is very likely that two or more DMVPN routers will receive the same private IP address on their WAN interfaces. See below:

HUB1#sho ip nhrp 10.10.10.3
10.10.10.3/32 via 10.10.10.3
   Tunnel1 created 4d14h, expire 00:02:28
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 192.168.0.2

When there are no conflicts, DMVPN is smart enough to use the actual public IP of the modem to reach the DMVPN router behind the NAT. However, when there is a conflict, I can only assume that DMVPN thinks the two or more routers are all the same router.
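The conflict is visible from the hub before anyone notices a site dropping, because every spoke registration carries its NBMA address in the output shown above. The following script is an added example, not code from the page or from Baranoski.ca: it parses a constructed sample of "show ip nhrp" output in the same single-line "NBMA address:" format the page shows, reports any NBMA address registered by more than one spoke, and lists the spokes whose NBMA address is in RFC 1918 space (the registrations that can collide in the first place). The sample output, the spoke addresses and the regexes are assumptions; IOS releases that print additional NBMA fields on that line would need the pattern adjusted.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "show ip nhrp" output on a DMVPN hub (not taken from the page).
# Spokes 10.10.10.3 and 10.10.10.5 both sit behind modems that handed out 192.168.0.2,
# so both register the same NBMA address; 10.10.10.4 registers a non-RFC1918 address.
SAMPLE_NHRP = """\
10.10.10.3/32 via 10.10.10.3
   Tunnel1 created 4d14h, expire 00:02:28
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 192.168.0.2
10.10.10.4/32 via 10.10.10.4
   Tunnel1 created 2d03h, expire 00:04:10
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 203.0.113.40
10.10.10.5/32 via 10.10.10.5
   Tunnel1 created 00:12:51, expire 00:01:03
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 192.168.0.2
"""

# An NHRP entry starts with "<tunnel-ip>/<len> via <next-hop>" at column 0 ...
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/\d+ via (\d{1,3}(?:\.\d{1,3}){3})")
# ... and its indented detail lines include the NBMA (transport) address.
NBMA_RE = re.compile(r"^\s+NBMA address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# RFC 1918 ranges checked explicitly (ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, which is not what we want here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_nhrp(text):
    """Return a list of (tunnel_ip, nbma_ip) pairs from 'show ip nhrp' output."""
    entries = []
    tunnel_ip = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            tunnel_ip = m.group(1)
            continue
        m = NBMA_RE.match(line)
        if m and tunnel_ip is not None:
            entries.append((tunnel_ip, m.group(1)))
            tunnel_ip = None  # one NBMA line per entry
    return entries


def find_nbma_conflicts(entries):
    """Map each NBMA address registered by more than one spoke to the sorted
    list of tunnel addresses claiming it."""
    by_nbma = defaultdict(set)
    for tunnel_ip, nbma in entries:
        by_nbma[nbma].add(tunnel_ip)
    return {nbma: sorted(spokes) for nbma, spokes in by_nbma.items() if len(spokes) > 1}


def spokes_with_private_nbma(entries):
    """Tunnel addresses whose registered NBMA address is RFC 1918, i.e. spokes the
    hub sees behind a NAT device. Not a fault by itself, but these are the
    registrations that can collide."""
    return sorted(t for t, nbma in entries if is_rfc1918(nbma))


def report(text):
    """Human-readable findings: one CONFLICT line per duplicated NBMA address,
    plus an INFO line listing NAT-ed spokes."""
    entries = parse_nhrp(text)
    lines = []
    for nbma, spokes in sorted(find_nbma_conflicts(entries).items()):
        lines.append(f"CONFLICT: NBMA {nbma} registered by spokes {', '.join(spokes)}")
    natted = spokes_with_private_nbma(entries)
    if natted:
        lines.append(f"INFO: spokes with private NBMA addresses (behind NAT): {', '.join(natted)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_NHRP):
        print(line)
```

Feed it the full "show ip nhrp" output rather than a single-address query, since a conflict only shows up when two registrations are compared; a CONFLICT line is the cue to apply one of the workarounds below to the affected sites.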

To work around this issue, do one of the following:

  • Statically set the private WAN IP on each DMVPN router, keeping the addresses unique across routers
  • Use the "IP Passthrough" option that many modems offer, where a single host behind the modem receives the public IP assigned to the modem's WAN interface