
DMVPN dual hub with dual DMVPN network

I have implemented a few DMVPN solutions recently, and I thought that a post about a dual DMVPN hub with dual DMVPN networks would be interesting.

 

I will describe the configuration for a DMVPN solution with dual hubs and dual DMVPN networks.

 

Below you will find the network diagram for this solution.

 

[Figure: DMVPN Dual redundant hub - Dual DMVPN network]

 

Here is a Cisco document that describes the different DMVPN topologies:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html

 

On the Cisco design zone, you will also find some relevant information.

http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-branch-wan/index.html#~designs

 

 

I have already pre-configured all the basic configuration on the devices. I will only focus on the DMVPN configuration.

 

DMVPN configuration:

 

Configuration of the first HUB (R11 and R12):

Let’s start by configuring our first DMVPN HUB.

Here is the configuration on R11.

R11(config)#interface Tunnel1
R11(config-if)#ip add 10.10.100.11 255.255.255.0
R11(config-if)#ip nhrp authentication DMVPN1
R11(config-if)#ip nhrp map multicast dynamic
R11(config-if)#ip nhrp network-id 1
R11(config-if)#ip nhrp holdtime 300
R11(config-if)#ip nhrp redirect
R11(config-if)#ip tcp adjust-mss 1360
R11(config-if)#tunnel source Ethernet0/0
R11(config-if)#tunnel mode gre multipoint
R11(config-if)#tunnel key 1

 

The configuration on R12 is the same; we only change the IP address.

 

Configuration of the second HUB (R21 and R22):

The configuration for the second DMVPN HUB looks the same; we only use a different IP address for the tunnel interface.

Here is the configuration on R21.

R21(config)#interface Tunnel2
R21(config-if)#ip address 10.10.200.21 255.255.255.0
R21(config-if)#ip nhrp authentication DMVPN2
R21(config-if)#ip nhrp map multicast dynamic
R21(config-if)#ip nhrp network-id 2
R21(config-if)#ip nhrp holdtime 300
R21(config-if)#ip nhrp redirect
R21(config-if)#ip tcp adjust-mss 1360
R21(config-if)#tunnel source Ethernet0/0
R21(config-if)#tunnel mode gre multipoint
R21(config-if)#tunnel key 2

 

Same configuration on R22.

 

To get communication between the two hubs, we need to configure R21 and R22 as spokes of DMVPN network 1.

To do this, we configure another tunnel interface on both of them.

Here is the configuration on R21.

R21(config)#int tunnel1
R21(config-if)#ip address 10.10.100.21 255.255.255.0
R21(config-if)#ip nhrp authentication DMVPN1
R21(config-if)#ip nhrp map 10.10.100.11 1.1.1.11
R21(config-if)#ip nhrp map 10.10.100.12 1.1.1.12
R21(config-if)#ip nhrp map multicast 1.1.1.11
R21(config-if)#ip nhrp map multicast 1.1.1.12
R21(config-if)#ip nhrp network-id 1
R21(config-if)#ip nhrp holdtime 300
R21(config-if)#ip nhrp shortcut
R21(config-if)#ip nhrp nhs 10.10.100.11
R21(config-if)#ip nhrp nhs 10.10.100.12
R21(config-if)#ip tcp adjust-mss 1360
R21(config-if)#tunnel source Ethernet0/0
R21(config-if)#tunnel mode gre multipoint
R21(config-if)#tunnel key 1

 

Same configuration on R22, except for the IP address.

If we look at R11 and R12, we can see two dynamic tunnels to R21 and R22.

R11#sh dmvpn
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.21           10.10.100.21    UP 00:04:35     D
     1 1.1.1.22           10.10.100.22    UP 00:04:14     D

R12#sh dmvpn
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.21           10.10.100.21    UP 00:04:39     D
     1 1.1.1.22           10.10.100.22    UP 00:04:18     D

 

Configuration of the spokes:

Time to configure our spokes to be part of both DMVPN networks.

For this, we will configure two tunnel interfaces on the routers.

Here is the configuration for R31.

R31(config)#int tunnel1
R31(config-if)#ip address 10.10.100.31 255.255.255.0
R31(config-if)#ip nhrp authentication DMVPN1
R31(config-if)#ip nhrp map 10.10.100.11 1.1.1.11
R31(config-if)#ip nhrp map 10.10.100.12 1.1.1.12
R31(config-if)#ip nhrp map multicast 1.1.1.11
R31(config-if)#ip nhrp map multicast 1.1.1.12
R31(config-if)#ip nhrp network-id 1
R31(config-if)#ip nhrp holdtime 300
R31(config-if)#ip nhrp shortcut
R31(config-if)#ip nhrp nhs 10.10.100.11
R31(config-if)#ip nhrp nhs 10.10.100.12
R31(config-if)#ip tcp adjust-mss 1360
R31(config-if)#tunnel source Ethernet0/0
R31(config-if)#tunnel mode gre multipoint
R31(config-if)#tunnel key 1
R31(config-if)#
R31(config-if)#int tunnel2
R31(config-if)#ip address 10.10.200.31 255.255.255.0
R31(config-if)#ip nhrp authentication DMVPN2
R31(config-if)#ip nhrp map 10.10.200.21 1.1.1.21
R31(config-if)#ip nhrp map 10.10.200.22 1.1.1.22
R31(config-if)#ip nhrp map multicast 1.1.1.21
R31(config-if)#ip nhrp map multicast 1.1.1.22
R31(config-if)#ip nhrp network-id 2
R31(config-if)#ip nhrp holdtime 300
R31(config-if)#ip nhrp shortcut
R31(config-if)#ip nhrp nhs 10.10.200.21
R31(config-if)#ip nhrp nhs 10.10.200.22
R31(config-if)#ip tcp adjust-mss 1360
R31(config-if)#tunnel source Ethernet0/0
R31(config-if)#tunnel mode gre multipoint
R31(config-if)#tunnel key 2

 

So, we have two tunnel interfaces with two hubs per tunnel.
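A quick consistency check for a spoke like R31, as an added example that is not part of the original post: every NHS needs a static NHRP map and a multicast map, the two mGRE tunnels share Ethernet0/0 so only the tunnel key tells them apart, and at this stage nothing encrypts the GRE/NHRP traffic. The `audit` function and its finding texts are hypothetical; the input is R31's configuration from above, reduced to the NHRP and tunnel lines.

```python
import re

# R31's NHRP/tunnel lines from this post, in running-config form.
R31 = """\
interface Tunnel1
 ip nhrp map 10.10.100.11 1.1.1.11
 ip nhrp map 10.10.100.12 1.1.1.12
 ip nhrp map multicast 1.1.1.11
 ip nhrp map multicast 1.1.1.12
 ip nhrp nhs 10.10.100.11
 ip nhrp nhs 10.10.100.12
 tunnel source Ethernet0/0
 tunnel key 1
interface Tunnel2
 ip nhrp map 10.10.200.21 1.1.1.21
 ip nhrp map 10.10.200.22 1.1.1.22
 ip nhrp map multicast 1.1.1.21
 ip nhrp map multicast 1.1.1.22
 ip nhrp nhs 10.10.200.21
 ip nhrp nhs 10.10.200.22
 tunnel source Ethernet0/0
 tunnel key 2
"""

def audit(config):
    """Check each tunnel interface of an IOS-style config; return findings."""
    findings, seen = [], {}
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, body = block.split("\n", 1)
        lines = [l.strip() for l in body.splitlines()]
        def grab(prefix):
            return [l[len(prefix):] for l in lines if l.startswith(prefix)]
        mcast = set(grab("ip nhrp map multicast "))
        maps = dict(m.split() for m in grab("ip nhrp map ") if not m.startswith("multicast"))
        for nhs in grab("ip nhrp nhs "):
            if nhs not in maps:
                findings.append(f"{name}: NHS {nhs} has no static NHRP map")
            elif maps[nhs] not in mcast:
                findings.append(f"{name}: no multicast map to NBMA {maps[nhs]}")
        ident = (tuple(grab("tunnel source ")), tuple(grab("tunnel key ")))
        if ident in seen:
            findings.append(f"{name}: same tunnel source and key as {seen[ident]}")
        seen[ident] = name
        if not grab("tunnel protection ipsec profile "):
            findings.append(f"{name}: no tunnel protection, GRE and NHRP travel unencrypted")
    return findings
```

On the configuration as entered above, `audit(R31)` reports only the missing tunnel protection on both tunnels.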

 

Same configuration on R41 and R51.

Now that we have all our tunnels UP, we need to configure routing between all the devices.

 

 

Routing configuration:

 

I’m using EIGRP as the routing protocol.

 

EIGRP configuration on site 1:

 

On SW11, we configure EIGRP on all the interfaces.

SW11(config)#ip routing
SW11(config)#router eigrp 10
SW11(config-router)#network 10.10.0.0 0.0.255.255

 

On R11, we configure EIGRP on the interface to SW11 and on the tunnel interface.

R11(config)#router eigrp 10
R11(config-router)#net 10.10.1.2 0.0.0.0
R11(config-router)#net 10.10.100.11 0.0.0.0

 

We also need to disable split-horizon and next hop self on the tunnel interface.

R11(config)#int tu1
R11(config-if)#no ip split-horizon eigrp 10
R11(config-if)#no ip next-hop-self eigrp 10

 

Same type of configuration on R12.

 

EIGRP configuration on site 2:

Configuration on site 2 is similar to what we have on site 1.

On SW21, we configure EIGRP for all the interfaces.

SW21(config)#ip routing
SW21(config)#router eigrp 10
SW21(config-router)#net 10.10.0.0 0.0.255.255
SW21(config-router)#net 10.20.0.0 0.0.255.255

 

On R21, we configure EIGRP on the interface to SW21 and on the two tunnel interfaces.

R21(config)#router eigrp 10
R21(config-router)#net 10.20.1.1 0.0.0.0
R21(config-router)#net 10.10.100.21 0.0.0.0
R21(config-router)#net 10.10.200.21 0.0.0.0

 

We also need to disable split-horizon and next hop self on the HUB tunnel interface (Tu2).

Same type of configuration on R22.

 

 

EIGRP configuration on the spokes:

 

EIGRP configuration on the spokes is basic. It is common to configure the spokes as EIGRP stub routers.

Here is the configuration on R31.

R31(config)#router eigrp 10
R31(config-router)#net 10.10.30.1 0.0.0.0
R31(config-router)#net 10.10.31.1 0.0.0.0
R31(config-router)#net 10.10.100.31 0.0.0.0
R31(config-router)#net 10.10.200.31 0.0.0.0
R31(config-router)#eigrp stub

 

Same configuration on R41 and R51.

 

Here we are, we now have connectivity between all the locations.

Let’s take a look at the routing table on R51.

R51#sh ip route eigrp
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 21 subnets, 3 masks
D        10.10.1.0/24 [90/26905600] via 10.10.100.12, 00:05:03, Tunnel1
                      [90/26905600] via 10.10.100.11, 00:05:03, Tunnel1
D        10.10.10.0/24 [90/26905856] via 10.10.100.12, 00:05:03, Tunnel1
                       [90/26905856] via 10.10.100.11, 00:05:03, Tunnel1
D        10.10.11.0/24 [90/26905856] via 10.10.100.12, 00:05:03, Tunnel1
                       [90/26905856] via 10.10.100.11, 00:05:03, Tunnel1
D        10.10.12.0/24 [90/26905856] via 10.10.100.12, 00:05:03, Tunnel1
                       [90/26905856] via 10.10.100.11, 00:05:03, Tunnel1
D        10.10.20.0/24 [90/26905856] via 10.10.200.22, 00:05:03, Tunnel2
                       [90/26905856] via 10.10.200.21, 00:05:03, Tunnel2
D        10.10.21.0/24 [90/26905856] via 10.10.200.22, 00:05:03, Tunnel2
                       [90/26905856] via 10.10.200.21, 00:05:03, Tunnel2
D        10.10.22.0/24 [90/26905856] via 10.10.200.22, 00:05:03, Tunnel2
                       [90/26905856] via 10.10.200.21, 00:05:03, Tunnel2
D        10.10.30.0/24 [90/28185600] via 10.10.200.31, 00:05:03, Tunnel2
                       [90/28185600] via 10.10.200.31, 00:05:03, Tunnel2
                       [90/28185600] via 10.10.100.31, 00:05:03, Tunnel1
                       [90/28185600] via 10.10.100.31, 00:05:03, Tunnel1
D        10.10.31.0/24 [90/28185600] via 10.10.200.31, 00:05:03, Tunnel2
                       [90/28185600] via 10.10.200.31, 00:05:03, Tunnel2
                       [90/28185600] via 10.10.100.31, 00:05:03, Tunnel1
                       [90/28185600] via 10.10.100.31, 00:05:03, Tunnel1
D        10.10.40.0/24 [90/28185600] via 10.10.200.41, 00:05:03, Tunnel2
                       [90/28185600] via 10.10.200.41, 00:05:03, Tunnel2
                       [90/28185600] via 10.10.100.41, 00:05:03, Tunnel1
                       [90/28185600] via 10.10.100.41, 00:05:03, Tunnel1
D        10.10.41.0/24 [90/28185600] via 10.10.200.41, 00:05:03, Tunnel2
                       [90/28185600] via 10.10.200.41, 00:05:03, Tunnel2
                       [90/28185600] via 10.10.100.41, 00:05:03, Tunnel1
                       [90/28185600] via 10.10.100.41, 00:05:03, Tunnel1
D        10.20.1.0/30 [90/26905600] via 10.10.200.21, 00:05:03, Tunnel2
D        10.20.1.4/30 [90/26905600] via 10.10.200.22, 00:05:03, Tunnel2

 

As you can see, we have 4 routes for each of the spoke subnets.

This will need some tuning.

 

EIGRP tuning:

 

What I want here is to only use the DMVPN network 1 for the communication between the spokes.

Traffic should be routed over tunnel 2 only if the HUB on site 1 is down.

I will use the interface delay to make sure EIGRP prefers to route over tunnel 1.

Let’s test on R51.

R51(config)#int tu2
R51(config-if)#delay 50000

 

Now the routes are only seen via the interface tunnel 1.

R51#sh ip route eigrp
      10.0.0.0/8 is variably subnetted, 21 subnets, 3 masks
D        10.10.1.0/24 [90/26905600] via 10.10.100.12, 00:00:09, Tunnel1
                      [90/26905600] via 10.10.100.11, 00:00:09, Tunnel1
D        10.10.10.0/24 [90/26905856] via 10.10.100.12, 00:00:09, Tunnel1
                       [90/26905856] via 10.10.100.11, 00:00:09, Tunnel1
D        10.10.11.0/24 [90/26905856] via 10.10.100.12, 00:00:09, Tunnel1
                       [90/26905856] via 10.10.100.11, 00:00:09, Tunnel1
D        10.10.12.0/24 [90/26905856] via 10.10.100.12, 00:00:09, Tunnel1
                       [90/26905856] via 10.10.100.11, 00:00:09, Tunnel1
D        10.10.20.0/24 [90/28185856] via 10.10.100.21, 00:00:09, Tunnel1
                       [90/28185856] via 10.10.100.21, 00:00:09, Tunnel1
D        10.10.21.0/24 [90/28185856] via 10.10.100.21, 00:00:09, Tunnel1
                       [90/28185856] via 10.10.100.21, 00:00:09, Tunnel1
D        10.10.22.0/24 [90/28185856] via 10.10.100.21, 00:00:09, Tunnel1
                       [90/28185856] via 10.10.100.21, 00:00:09, Tunnel1
D        10.10.30.0/24 [90/28185600] via 10.10.100.31, 00:00:09, Tunnel1
                       [90/28185600] via 10.10.100.31, 00:00:09, Tunnel1
D        10.10.31.0/24 [90/28185600] via 10.10.100.31, 00:00:09, Tunnel1
                       [90/28185600] via 10.10.100.31, 00:00:09, Tunnel1
D        10.10.40.0/24 [90/28185600] via 10.10.100.41, 00:00:09, Tunnel1
                       [90/28185600] via 10.10.100.41, 00:00:09, Tunnel1
D        10.10.41.0/24 [90/28185600] via 10.10.100.41, 00:00:09, Tunnel1
                       [90/28185600] via 10.10.100.41, 00:00:09, Tunnel1
D        10.20.1.0/30 [90/28185600] via 10.10.100.21, 00:00:09, Tunnel1
                      [90/28185600] via 10.10.100.21, 00:00:09, Tunnel1
D        10.20.1.4/30 [90/28185600] via 10.10.100.22, 00:00:09, Tunnel1
                      [90/28185600] via 10.10.100.22, 00:00:09, Tunnel1
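Why the delay change moves the routes, as an added example that is not part of the original post: the classic EIGRP metric for R51's two paths to 10.10.20.0/24, before and after `delay 50000` on Tunnel2. The tunnel bandwidth and the interface delays are assumptions that the post does not show; they are used because they reproduce the metrics in the outputs above.

```python
def eigrp_metric(min_bw_kbps, delays_usec):
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1)."""
    return 256 * (10**7 // min_bw_kbps + sum(delays_usec) // 10)

# Assumed interface values (not shown in the post, consistent with its metrics).
TUNNEL_BW_KBPS = 100         # slowest link on every path is the mGRE tunnel
TUNNEL_DELAY = 50_000        # usec, untuned tunnel interface
ETH_DELAY = 1_000            # usec, hub router to site switch
LAN_IF_DELAY = 10            # usec, last-hop interface of the 10.10.2x.0/24 subnets
TUNED_DELAY = 50_000 * 10    # "delay 50000" is entered in tens of microseconds

def paths_to_site2_lan(tu2_delay):
    """R51's candidate paths to 10.10.20.0/24 for a given Tunnel2 delay (usec)."""
    return {
        # Tunnel2 goes straight to hub R21/R22: one tunnel hop.
        "Tunnel2": eigrp_metric(
            TUNNEL_BW_KBPS, [tu2_delay, ETH_DELAY, LAN_IF_DELAY]),
        # On Tunnel1, R21 is a spoke: the route crosses Tunnel1 twice
        # (R21 -> hub R11/R12 -> R51), so two tunnel delays are added.
        "Tunnel1": eigrp_metric(
            TUNNEL_BW_KBPS, [TUNNEL_DELAY, TUNNEL_DELAY, ETH_DELAY, LAN_IF_DELAY]),
    }

def best(paths):
    """Names of the lowest-metric paths, i.e. the ones that reach the routing table."""
    low = min(paths.values())
    return sorted(name for name, metric in paths.items() if metric == low)

if __name__ == "__main__":
    for label, delay in (("before", TUNNEL_DELAY), ("after", TUNED_DELAY)):
        paths = paths_to_site2_lan(delay)
        print(label, paths, "->", best(paths))
```

The Tunnel2 path is still computed after the change, only with a higher metric, which is what lets it take over when the hubs on site 1 are down.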

 

Let’s do the same on R31 and R41.

 

 

So, I have finished this DMVPN dual HUB dual network implementation.

You can still improve this design with route summarization and IPsec protection on the tunnel interfaces.

 

 

Thank you for reading.

Feel free to comment on this post if you have remarks or questions.

 

 
