Tuesday, 27 October 2009

DMVPN - Dual Hub and Dual Spoke with HSRP - Howto

Hi again,

This is the practical to this lab: here

First the boring stuff, setting up IP connectivity:

R1

interface FastEthernet1/0
description WAN
ip address 10.0.1.1 255.255.255.0
interface FastEthernet1/1
!
description LAN
ip address 192.168.1.1 255.255.255.0
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 10.0.1.99
!


R2

interface FastEthernet1/1
description lan
ip address 192.168.1.2 255.255.255.0
!
interface FastEthernet1/0
description wan
ip address 10.0.2.2 255.255.255.0
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 10.0.2.99
!


R10

!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
!
!
interface FastEthernet1/0
description wan
ip address 10.0.10.10 255.255.255.0
!
interface FastEthernet1/1
description lan
ip address 192.168.2.10 255.255.255.0
delay 1000
!


R11

interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface FastEthernet1/0
description wan
ip address 10.0.11.11 255.255.255.0
!
interface FastEthernet1/1
description lan
ip address 192.168.2.11 255.255.255.0
delay 1050
!
ip route 0.0.0.0 0.0.0.0 10.0.11.99
!

R20

!
interface Loopback0
ip address 20.20.20.20 255.255.255.255
!
interface FastEthernet1/0
description wan
ip address 10.0.20.20 255.255.255.0
!
interface FastEthernet1/1
description lan
ip address 192.168.3.20 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.20.99
!





Let start with HSRP on Hubs:

R1

interface FastEthernet1/1
description LAN
ip address 192.168.1.1 255.255.255.0
delay 1000
duplex full
speed auto

!virtual ip
standby 1 ip 192.168.1.254
!Virtual set priority for this router higher than R2
standby 1 priority 20
!If R1 has a highier priority become the active router
standby 1 preempt
standby 1 name HAGroup
!If Fa1/0 fails R1 is useless and needs to become standby
standby 1 track FastEthernet1/0
!


R2

interface FastEthernet1/1
description lan
ip address 192.168.1.2 255.255.255.0
delay 1050
duplex auto
speed auto
standby 1 ip 192.168.1.254
standby 1 priority 19
standby 1 preempt
standby 1 name HAGroup
standby 1 track FastEthernet1/0
!



The above setup is almost identical at Site2 (the other site with HSRP)

Now on to the Tunnels and the DMVPN networks itself. Here is the basic layout of the network:


As you can see, we are infact running two DMVPN networks, and each spoke as an interface to each network.

Lets do the Hubs first:

R1


interface Tunnel0
!IP of tunnel interface
ip address 172.12.123.1 255.255.255.0
!Stop IP from taking "shortcuts"
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
!Unique to the network, same number on each hub,spoke
ip nhrp network-id 1
ip nhrp holdtime 450
ip tcp adjust-mss 1360
!Needed for EIGRP
no ip split-horizon eigrp 100
!Tweak EIGRP metrics to prefer this router
delay 1000
!Tunnels out interface
tunnel source FastEthernet1/0
!Set tunnel mode
tunnel mode gre multipoint
!Each tunnel has its own "password"
tunnel key 100000
!Add IPSec
tunnel protection ipsec profile TUN-PROFILE


Notice that R1 is the Hub spoke for 172.12.123.0/24 network

R2

!
interface Tunnel0
ip address 172.12.124.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 450
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
!tweak EIGRP metric so that R1 is preferred
delay 1050
tunnel source FastEthernet1/0
tunnel mode gre multipoint
!Password
tunnel key 100001
tunnel protection ipsec profile TUN-PROFILE
!


Now R20

First tunnel to join network 1

interface Tunnel0
ip address 172.12.123.20 255.255.255.0
ip mtu 1400
ip nhrp map 172.12.123.1 10.0.1.1
ip nhrp network-id 1
ip nhrp holdtime 450
ip nhrp nhs 172.12.123.1
ip tcp adjust-mss 1360
tunnel source FastEthernet1/0
tunnel destination 10.0.1.1
tunnel key 100000
tunnel protection ipsec profile TUN-PROFILE
!

Second Tunnel to join network 2

!
interface Tunnel1
ip address 172.12.124.20 255.255.255.0
ip mtu 1400
ip nhrp map 172.12.124.2 10.0.2.2
ip nhrp network-id 2
ip nhrp holdtime 450
ip nhrp nhs 172.12.124.2
ip tcp adjust-mss 1360
tunnel source FastEthernet1/0
tunnel destination 10.0.2.2
tunnel key 100001
tunnel protection ipsec profile TUN-PROFILE
!



Now R10

!network 1 -->
interface Tunnel0
ip address 172.12.123.10 255.255.255.0
ip mtu 1400
ip nhrp map 172.12.123.1 10.0.1.1
ip nhrp network-id 1
ip nhrp holdtime 450
ip nhrp nhs 172.12.123.1
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet1/0
tunnel destination 10.0.1.1
tunnel key 100000
tunnel protection ipsec profile TUN-PROFILE
!
!
!Network 2 ----->
interface Tunnel1
ip address 172.12.124.10 255.255.255.0
ip mtu 1400
ip nhrp map 172.12.124.2 10.0.2.2
ip nhrp network-id 2
ip nhrp holdtime 450
ip nhrp nhs 172.12.124.2
ip tcp adjust-mss 1360
tunnel source FastEthernet1/0
tunnel destination 10.0.2.2
tunnel key 100001
tunnel protection ipsec profile TUN-PROFILE
!


R11

!Network 1 --->
interface Tunnel0
ip address 172.12.123.11 255.255.255.0
ip mtu 1400
ip nhrp map 172.12.123.1 10.0.1.1
ip nhrp network-id 1
ip nhrp holdtime 450
ip nhrp nhs 172.12.123.1
ip tcp adjust-mss 1360
delay 1050
tunnel source FastEthernet1/0
tunnel destination 10.0.1.1
tunnel key 100000
tunnel protection ipsec profile TUN-PROFILE
!Network 2--->
interface Tunnel1
ip address 172.12.124.11 255.255.255.0
ip mtu 1400
ip nhrp map 172.12.124.2 10.0.2.2
ip nhrp network-id 2
ip nhrp holdtime 450
ip nhrp nhs 172.12.124.2
ip tcp adjust-mss 1360
tunnel source FastEthernet1/0
tunnel destination 10.0.2.2
tunnel key 100001
tunnel protection ipsec profile TUN-PROFILE
!



Now EIGRP network configuration, notice how we do not bring in the WAN network:
R1

router eigrp 100
network 1.1.1.1 0.0.0.0
network 172.12.123.0 0.0.0.255
network 192.168.1.0
no auto-summary
!

R2

router eigrp 100
network 2.2.2.2 0.0.0.0
network 172.12.124.0 0.0.0.255
network 192.168.1.0
no auto-summary
!

R20

router eigrp 100
network 20.20.20.20 0.0.0.0
network 172.12.123.0 0.0.0.255
network 172.12.124.0 0.0.0.255
network 192.168.3.0
no auto-summary
!

R10

!
router eigrp 100
network 10.10.10.10 0.0.0.0
network 172.12.123.0 0.0.0.255
network 172.12.124.0 0.0.0.255
network 192.168.2.0
no auto-summary
!

R11

!
router eigrp 100
network 11.11.11.11 0.0.0.0
network 172.12.123.0 0.0.0.255
network 172.12.124.0 0.0.0.255
network 192.168.2.0
no auto-summary
!


IPSec Configuration is almost identical for each router so here is just one example:

!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TUN-TRANSFORM esp-aes esp-sha-hmac
!
crypto ipsec profile TUN-PROFILE
set transform-set TUN-TRANSFORM
!



And that should be it!

Here is a video of me with the lab,trying to break it!

DMVPN - High Availability - Testing Failure from Richard Vimeo on Vimeo.



Enjoy!
at

9 comments:

  1. Unknown2 November 2009 at 06:57

    Hi Roggy,

    Question for you. What parts of the DMVPN do you prioritize over the Internet? I have a similar setup and I've prioritized CS6 / DSCP 48 for control traffic to the spoke and from the hub. Anything else you'd recommend?

    ReplyDelete
  2. Roggy2 November 2009 at 14:26

    Most phones etc will tag will DSCP 46/EF so that should be a priority queue, also UDP 16384-32767 should be in there somewhere too (cisco rtp)

    ReplyDelete
  3. Barry R22 December 2010 at 11:46

    I reviewed your blog and demo for dual-hub, 2 DMVPN design. Great info, and the demo video was very helpful.

    I was wondering if the same capability could be provided with the same physical design, but using 1 DMVPN/subnet instead of 2, in the case of primary/secondary failover with no load-sharing between the redundant links. Seems like this should be possible since the routing decisions are being made via HSRP/EIGRP, but want to make sure I wasn't missing something.

    Thanks!!

    PS. Do you offer online classes?

    Barry

    ReplyDelete
  4. Oszkar25 August 2011 at 21:34

    Hi Roggy

    NHRP network ID is locally significant only. It can be different on each router.


    Great post!

    ReplyDelete
  5. Bill15 April 2012 at 23:01

    thanks roggy! i'd like to ask if we could use tunnel mode gre multipoint instead of tunnel destination? Thanks

    ReplyDelete
  6. Bill16 April 2012 at 00:09

    Let's say the branch sites are going to HUB1 when reaching the Lan side of it, how do I change the path so that it will use the HUB2 to reach the Lan side of the Hub site from the remote sites?

    ReplyDelete
  7. Unknown18 December 2014 at 08:49

    Dear learner,
    If you don’t know anything about DMVPN, check out these links: DMVPN Configuration

    ReplyDelete
  8. Unknown17 June 2015 at 22:04

    Hello Roggy;

    I was browsing the Internet and I saw your blog about DMVPN, I saw someone mentioning a video that was created for DMVPN and I was wondering if that video is still available.

    Thanks;

    Juan

    ReplyDelete
  9. Unknown22 May 2016 at 20:15

    There are many spokes on the wheel of life.
    First, we're here to explore new possibilities. See the link below for more info.


    #spokes
    www.ufgop.org

    ReplyDelete