Friday, December 18, 2009

Cisco DMVPN - useful commands

Once you have a Cisco DMVPN deployment up and running, there are some useful commands that you should know to figure out what is going on. Primarily these are no different than the routing and VPN command sets you already know and use. Commands like:
show ip interface brief
show ip eigrp neighbor
show crypto isakmp sa
show crypto ipsec sa
show ip route

The DMVPN-specific commands would be:
show dmvpn {detail}
sh ip nhrp {brief}

If you have multiple DMVPN tunnel configurations on the router (the spoke is connected to two different DMVPN hubs) then:
show dmvpn interface tunnel {number}
is a useful command to know what peers and routes are coming from which dynamic tunnel.

I think one of the toughest things with DMVPN compared to a static IPsec/GRE/EIGRP configuration is that you don't have a specific logical tunnel for each remote router that is connecting. This can cause two problems: it is tough to know what sites are having issues, and it is hard to get specific bandwidth parameters out of the router without watching crypto maps. With a static IPsec/GRE/EIGRP configuration you can graph the tunnel interface and know how much traffic that tunnel is consuming at any given moment. With DMVPN this is a much tougher thing to do, as the tunnels are transient and only up when they are needed between spoke locations. The only constant is the tunnel between the spoke and the hub/hubs.
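An added example, not part of the original post: a small Python parser for saved `show dmvpn` output that groups peers by tunnel interface and lists the ones not in the UP state, separating static (hub) peers from dynamic spoke-to-spoke peers. The sample output is constructed, and its column layout and the meaning of the `S` attribute flag are assumptions based on typical IOS output; verify them against your own router.

```python
# Constructed sample of `show dmvpn` output (documentation-range addresses).
# The column layout is an assumption; compare with your router's real output.
SAMPLE = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.0.2.1              10.0.0.1    UP    3d02h     S
     1 198.51.100.7          10.0.0.12  NHRP 00:00:41     D

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 203.0.113.1            10.1.0.1   IKE 00:12:05     S
"""


def parse_show_dmvpn(text):
    """Return one dict per peer row, tagged with its tunnel interface."""
    peers, iface = [], None
    for line in text.splitlines():
        if line.startswith("Interface:"):
            # "Interface: Tunnel0, IPv4 NHRP Details" -> "Tunnel0"
            iface = line.split(":", 1)[1].split(",", 1)[0].strip()
            continue
        fields = line.split()
        # Peer rows have six columns and start with the entry count.
        if iface and len(fields) == 6 and fields[0].isdigit():
            _, nbma, tunnel, state, updn, attrb = fields
            peers.append({"interface": iface, "nbma": nbma, "tunnel": tunnel,
                          "state": state, "updn": updn,
                          "static": "S" in attrb})
    return peers


def peers_not_up(peers):
    """Split non-UP peers into (static, dynamic). Static peers are the
    spoke-to-hub tunnels that should always be up; dynamic ones come and go."""
    down = [p for p in peers if p["state"] != "UP"]
    return ([p for p in down if p["static"]],
            [p for p in down if not p["static"]])


if __name__ == "__main__":
    static_down, dynamic_down = peers_not_up(parse_show_dmvpn(SAMPLE))
    for p in static_down:
        print(f"HUB DOWN  {p['interface']} {p['nbma']} state={p['state']}")
    for p in dynamic_down:
        print(f"spoke     {p['interface']} {p['nbma']} state={p['state']}")
```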

To be honest, the thing I love the most about DMVPN is the fact that it behaves from a routing perspective very much like a full-mesh MPLS deployment, which are very common today. So a DMVPN solution is an excellent MPLS backup solution that leverages local Internet access connections while not requiring odd routing tricks to make the sites behave correctly. For voice deployments with remote offices or SOHO sites it is an excellent solution and gives the remote site all the characteristics and advantages of a full-mesh site but with the cost-effective bandwidth of high-speed Internet access available today.
- Ed
