
Dual Hub Dual DMVPN

January 21, 2011

The scenario is to provide a redundant DMVPN connection for the spokes.
Each spoke is configured with two tunnel interfaces, one into each DMVPN cloud.

Dual Hub Dual DMVPN

HUB1:

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key ISAKMPKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSF esp-3des esp-sha-hmac
!
crypto ipsec profile PROFILE
set transform-set TRANSF
!
interface FastEthernet1/0
ip address 100.100.1.1 255.255.255.0
duplex full
speed 100
!
interface FastEthernet1/1
ip address 10.10.1.1 255.255.255.0
duplex full
speed 100
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 10
ip nhrp authentication NHRPAUTH
ip nhrp map multicast dynamic
ip nhrp network-id 100
no ip split-horizon eigrp 10
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PROFILE
!
router eigrp 10
network 10.10.1.1 0.0.0.0
network 172.16.0.1 0.0.0.0
network 192.168.1.1 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 100.100.1.1 0.0.0.0 area 0
!

HUB2:
crypto isakmp policy 200
hash md5
authentication pre-share
crypto isakmp key ISAKMPKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set DM2TRANS esp-des esp-md5-hmac
!
crypto ipsec profile DM2PRF
set transform-set DM2TRANS
!
interface Tunnel0
ip address 172.16.100.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 10
ip nhrp authentication DM2NHRP
ip nhrp map multicast dynamic
ip nhrp network-id 2011
no ip split-horizon eigrp 1
no ip split-horizon eigrp 10
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 2011
tunnel protection ipsec profile DM2PRF
!
interface Loopback0
ip address 192.168.0.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 100.100.0.1 255.255.255.0
duplex full
speed 100
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 10
network 172.16.100.1 0.0.0.0
network 192.168.0.1 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 100.100.0.1 0.0.0.0 area 0
!

SPOKE1:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key ISAKMPKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFFORM esp-3des esp-sha-hmac
crypto ipsec transform-set DM2TRANSFORM esp-des esp-md5-hmac
!
crypto ipsec profile DM2PROFILE
set transform-set DM2TRANSFORM
!
crypto ipsec profile PROFILE
set transform-set TRANSFFORM
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip nhrp authentication NHRPAUTH
ip nhrp map 172.16.0.1 100.100.1.1
ip nhrp map multicast 100.100.1.1
ip nhrp network-id 100
ip nhrp nhs 172.16.0.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PROFILE
!
interface Tunnel1
ip address 172.16.100.2 255.255.255.0
no ip redirects
ip nhrp authentication DM2NHRP
ip nhrp map 172.16.100.1 100.100.0.1
ip nhrp map multicast 100.100.0.1
ip nhrp network-id 2011
ip nhrp nhs 172.16.100.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 2011
tunnel protection ipsec profile DM2PROFILE
!
interface Loopback0
ip address 192.168.2.1 255.255.255.255
!
interface FastEthernet1/0
ip address 100.100.2.1 255.255.255.0
duplex full
speed 100
!
router eigrp 10
network 172.16.0.2 0.0.0.0
network 172.16.100.2 0.0.0.0
network 192.168.2.1 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 100.100.2.1 0.0.0.0 area 0
!

SPOKE2:
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 200
hash md5
authentication pre-share
crypto isakmp key ISAKMPKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSF esp-3des esp-sha-hmac
crypto ipsec transform-set DMV2 esp-des esp-md5-hmac
!
crypto ipsec profile DMV2PROF
set transform-set DMV2
!
crypto ipsec profile IPSECPRF
set transform-set TRANSF
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip nhrp authentication NHRPAUTH
ip nhrp map multicast 100.100.1.1
ip nhrp map 172.16.0.1 100.100.1.1
ip nhrp network-id 100
ip nhrp nhs 172.16.0.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile IPSECPRF
!
interface Tunnel100
ip address 172.16.100.3 255.255.255.0
no ip redirects
ip nhrp authentication DM2NHRP
ip nhrp map 172.16.100.1 100.100.0.1
ip nhrp map multicast 100.100.0.1
ip nhrp network-id 2011
ip nhrp nhs 172.16.100.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 2011
tunnel protection ipsec profile DMV2PROF
!
interface Loopback0
ip address 192.168.3.1 255.255.255.255
!
interface FastEthernet1/0
ip address 100.100.3.1 255.255.255.0
duplex full
speed 100
!
router eigrp 10
network 172.16.0.3 0.0.0.0
network 172.16.100.3 0.0.0.0
network 192.168.3.1 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 100.100.3.1 0.0.0.0 area 0
!

Ok. Now we assume the configuration is running well and both DMVPN clouds are established. We choose HUB1 as the primary hub, so we must influence route selection. In this case we use EIGRP as the IGP over the DMVPN.

By default, every spoke has two equal-cost routes to the loopback interfaces of the other spokes, one through each hub. Because we chose Hub1 as the primary, we give the Hub1 tunnel interface a lower delay than the default. Every spoke will then prefer the DMVPN1 tunnel (the one connected to Hub1) as the primary path to the loopback networks behind the other spokes.

HUB1:
interface Tunnel0
delay 49999
!

SPOKE2#sh ip route eigrp
10.0.0.0/24 is subnetted, 1 subnets
D 10.10.1.0 [90/297246976] via 172.16.0.1, 00:01:26, Tunnel0
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/297372416] via 172.16.100.1, 00:01:26, Tunnel100
192.168.1.0/32 is subnetted, 1 subnets
D 192.168.1.1 [90/297372416] via 172.16.0.1, 00:01:26, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/310172160] via 172.16.0.2, 00:01:26, Tunnel0
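To see why lowering the delay by a single unit is enough to break the tie, here is an added example (not from the original post) that recomputes the classic EIGRP composite metric for the routes in SPOKE2's table above. It assumes the default K values (K1 = K3 = 1) and the IOS interface defaults this lab evidently uses: tunnel bandwidth 9 kbit/s and delay 50000 (in tens of microseconds), loopback delay 500 and FastEthernet delay 10; with those inputs the function reproduces the metrics shown.

```python
# Added example, not from the original post: recompute the classic EIGRP
# composite metric for the routes SPOKE2 learns, to show why "delay 49999" on
# HUB1's Tunnel0 makes the DMVPN1 path win by exactly one delay unit.
# Assumed IOS defaults (consistent with the metrics shown in the post):
#   tunnel        bandwidth 9 kbit/s,       delay 50000 (tens of microseconds)
#   loopback      bandwidth 8000000 kbit/s, delay 500
#   FastEthernet  bandwidth 100000 kbit/s,  delay 10
# Only K1 = K3 = 1 are used (the default K values), so the metric is
# 256 * (10^7 / min_bandwidth + sum_of_delays).

TUNNEL_DEFAULT = (9, 50000)
HUB1_TUNNEL0 = (9, 49999)      # HUB1 after "delay 49999"
LOOPBACK = (8_000_000, 500)
FASTETHERNET = (100_000, 10)


def eigrp_metric(links):
    """Classic EIGRP metric for a path made of (bandwidth_kbps, delay) links.

    The list is written from the receiving router's point of view: its own
    outbound interface first, then each interface the advertisement crossed.
    IOS truncates 10^7 / bandwidth to an integer before scaling by 256.
    """
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(d for _, d in links)
    return 256 * (10_000_000 // min_bw + total_delay)


def spoke2_routes():
    """Metrics SPOKE2 computes for each destination in the post's output."""
    return {
        # 10.10.1.0/24 on HUB1's Fa1/1: SPOKE2 Tunnel0 + HUB1 FastEthernet1/1
        ("10.10.1.0", "Tunnel0"): eigrp_metric([TUNNEL_DEFAULT, FASTETHERNET]),
        # HUB1 Loopback0: SPOKE2 Tunnel0 + HUB1 Loopback0
        ("192.168.1.1", "Tunnel0"): eigrp_metric([TUNNEL_DEFAULT, LOOPBACK]),
        # HUB2 Loopback0: SPOKE2 Tunnel100 + HUB2 Loopback0
        ("192.168.0.1", "Tunnel100"): eigrp_metric([TUNNEL_DEFAULT, LOOPBACK]),
        # SPOKE1 Loopback0 relayed by HUB1: adds HUB1's tuned Tunnel0 delay
        ("192.168.2.1", "Tunnel0"): eigrp_metric([TUNNEL_DEFAULT, HUB1_TUNNEL0, LOOPBACK]),
        # SPOKE1 Loopback0 relayed by HUB2: HUB2's Tunnel0 keeps the default delay
        ("192.168.2.1", "Tunnel100"): eigrp_metric([TUNNEL_DEFAULT, TUNNEL_DEFAULT, LOOPBACK]),
    }


def preferred_interface(prefix):
    """Interface EIGRP installs for the prefix (lowest metric wins)."""
    candidates = {iface: m for (p, iface), m in spoke2_routes().items() if p == prefix}
    return min(candidates, key=candidates.get)


if __name__ == "__main__":
    for (prefix, iface), metric in spoke2_routes().items():
        print(f"{prefix:<12} via {iface:<10} metric {metric}")
    print("192.168.2.1 preferred via", preferred_interface("192.168.2.1"))
```

Note that the receiving spoke adds the delay of its own tunnel interface, which is still the default on both clouds. HUB1's tuned delay therefore only appears in routes HUB1 relays (the other spokes' loopbacks), which is why the two hub loopbacks show the same metric on their respective tunnels while 192.168.2.1 differs by exactly 256 between Tunnel0 and Tunnel100.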

Below is the relevant DMVPN state on Spoke2:

SPOKE2#sh ip nhrp
172.16.0.1/32 via 172.16.0.1, Tunnel0 created 02:45:34, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.1.1
172.16.100.1/32 via 172.16.100.1, Tunnel100 created 02:45:32, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.0.1

SPOKE2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
100.100.1.1 100.100.3.1 QM_IDLE 1014 0 ACTIVE
100.100.3.1 100.100.0.1 QM_IDLE 1016 0 ACTIVE

SPOKE2#ping 192.168.2.1 sou 192.168.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 244/398/756 ms
SPOKE2#

SPOKE2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
100.100.2.1 100.100.3.1 QM_IDLE 1017 0 ACTIVE
100.100.1.1 100.100.3.1 QM_IDLE 1014 0 ACTIVE
100.100.3.1 100.100.0.1 QM_IDLE 1016 0 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE2#sh ip nhrp
172.16.0.1/32 via 172.16.0.1, Tunnel0 created 02:46:32, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.1.1
172.16.0.2/32 via 172.16.0.2, Tunnel0 created 00:00:13, expire 01:55:58
Type: dynamic, Flags: router
NBMA address: 100.100.2.1
172.16.100.1/32 via 172.16.100.1, Tunnel100 created 02:46:30, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.0.1
SPOKE2#
SPOKE2#

SPOKE2#sh ip route eigrp
10.0.0.0/24 is subnetted, 1 subnets
D 10.10.1.0 [90/297246976] via 172.16.0.1, 00:03:12, Tunnel0
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/297372416] via 172.16.100.1, 00:03:19, Tunnel100
192.168.1.0/32 is subnetted, 1 subnets
D 192.168.1.1 [90/297372416] via 172.16.0.1, 00:03:13, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/310172160] via 172.16.0.2, 00:02:33, Tunnel0
SPOKE2#

Now we shut down the WAN interface of HUB1, so that DMVPN2 becomes active and HUB2 takes over as the active hub.

We use a continuous ping to measure the transition time from DMVPN1 to DMVPN2:

SPOKE2#ping 192.168.2.1 rep 100000 sou 192.168.3.1

Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!!

Let's switch to HUB1:

HUB1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HUB1(config)#int f1/0
HUB1(config-if)#shut
*Jan 20 17:21:49.963: %OSPF-5-ADJCHG: Process 1, Nbr 100.100.3.2 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Jan 20 17:21:51.955: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Jan 20 17:21:51.959: %ENTITY_ALARM-6-INFO: ASSERT INFO Fa1/0 Physical Port Administrative State Down
*Jan 20 17:21:52.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
*Jan 20 17:21:54.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Jan 20 17:21:54.663: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 172.16.0.2 (Tunnel0) is down: interface down
*Jan 20 17:21:54.695: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 172.16.0.3 (Tunnel0) is down: interface down

We switch back to Spoke2 to check the transition time from DMVPN1 to DMVPN2:

SPOKE2#ping 192.168.2.1 rep 100000 sou 192.168.3.1

Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!…..!!
*Jan 20 13:01:40.183: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 172.16.0.1 (Tunnel0) is down: holding time expired!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 96 percent (141/146), round-trip min/avg/max = 224/589/1104 ms

Five echoes were lost, which at a 2-second timeout is roughly ten seconds; that is the time it took EIGRP to expire the Tunnel0 neighbor (the "holding time expired" message) and reconverge onto Tunnel100. After the transition, we check the DMVPN state on Spoke2 again:

SPOKE2#sh ip nhrp
172.16.0.1/32 via 172.16.0.1, Tunnel0 created 02:48:15, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.1.1
172.16.0.2/32 via 172.16.0.2, Tunnel0 created 00:01:57, expire 01:54:15
Type: dynamic, Flags: router
NBMA address: 100.100.2.1
172.16.100.1/32 via 172.16.100.1, Tunnel100 created 02:48:14, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.0.1

SPOKE2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
100.100.2.1 100.100.3.1 QM_IDLE 1017 0 ACTIVE
100.100.1.1 100.100.3.1 MM_NO_STATE 0 0 ACTIVE
100.100.1.1 100.100.3.1 MM_NO_STATE 1014 0 ACTIVE (deleted)
100.100.3.1 100.100.0.1 QM_IDLE 1016 0 ACTIVE

SPOKE2#sh ip route eigrp
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/297372416] via 172.16.100.1, 00:05:01, Tunnel100
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/310172416] via 172.16.100.2, 00:00:48, Tunnel100
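As an added example (not part of the original post), the following Python script parses the `show ip route eigrp` and `show crypto isakmp sa` outputs above to report which DMVPN cloud a spoke is currently using and which IKE peers are left with stale SAs, the kind of check one would run from a monitoring host against collected CLI output. The sample text is constructed from SPOKE2's post-failover outputs, and the parameters (probe prefix 192.168.2.1, primary interface Tunnel0, local NBMA address 100.100.3.1) are assumptions for this lab.

```python
import re

# Constructed sample: SPOKE2's outputs after HUB1's WAN interface was shut,
# following the post-failover state shown in the post.
ROUTE_OUTPUT = """\
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/297372416] via 172.16.100.1, 00:05:01, Tunnel100
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/310172416] via 172.16.100.2, 00:00:48, Tunnel100
"""

SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
100.100.2.1 100.100.3.1 QM_IDLE 1017 0 ACTIVE
100.100.1.1 100.100.3.1 MM_NO_STATE 0 0 ACTIVE
100.100.1.1 100.100.3.1 MM_NO_STATE 1014 0 ACTIVE (deleted)
100.100.3.1 100.100.0.1 QM_IDLE 1016 0 ACTIVE
"""

# "D <prefix> [<AD>/<metric>] via <next-hop>, <age>, <interface>"
ROUTE_RE = re.compile(r"^D\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+\S+,\s+(\S+)$")
# "<dst> <src> <state> <conn-id> <slot> <status...>"
SA_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_eigrp_routes(text):
    """Return {prefix: {metric, next_hop, interface}} from 'show ip route eigrp'."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            prefix, _ad, metric, next_hop, iface = m.groups()
            routes[prefix] = {"metric": int(metric), "next_hop": next_hop, "interface": iface}
    return routes


def parse_isakmp_sas(text):
    """Return one dict per SA row of 'show crypto isakmp sa' (header lines are skipped)."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            dst, src, state, conn_id, _slot, status = m.groups()
            sas.append({"dst": dst, "src": src, "state": state,
                        "conn_id": int(conn_id), "status": status})
    return sas


def failover_report(route_text, sa_text, probe_prefix, primary_iface, local_nbma):
    """Say which tunnel carries the probe prefix and which IKE peers are not healthy.

    A healthy phase-1 SA sits in QM_IDLE; anything else (MM_NO_STATE, or a row
    already marked deleted) is reported as a stale peer so the operator can see
    that a hub has gone away before DPD finishes cleaning up.
    """
    routes = parse_eigrp_routes(route_text)
    route = routes.get(probe_prefix)
    active_iface = route["interface"] if route else None

    stale = set()
    for sa in parse_isakmp_sas(sa_text):
        peer = sa["dst"] if sa["src"] == local_nbma else sa["src"]
        if sa["state"] != "QM_IDLE" or "deleted" in sa["status"]:
            stale.add(peer)

    return {
        "active_interface": active_iface,
        "on_primary": active_iface == primary_iface,
        "stale_peers": sorted(stale),
    }


if __name__ == "__main__":
    print(failover_report(ROUTE_OUTPUT, SA_OUTPUT, "192.168.2.1", "Tunnel0", "100.100.3.1"))
```

Run against the sample it reports the probe prefix on Tunnel100, "on_primary" false, and 100.100.1.1 (Hub1) as the only stale peer, which matches what the outputs above show by hand.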

Now we see that Spoke2 is using DMVPN2, with Hub2 acting as the primary hub, to reach the loopback interface behind Spoke1. The ISAKMP SA toward Hub1 (100.100.1.1) has dropped to MM_NO_STATE and is being deleted, while the NHRP mapping for 172.16.0.1 remains because it is static:

SPOKE2#ping 192.168.2.1 sou 192.168.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 372/436/516 ms

Ok. Now DMVPN2 is used by every spoke router to reach the others.

Now we switch DMVPN1 back to being the primary connection by re-enabling the WAN interface of Hub1. We can then see the spokes using DMVPN1 again as the primary path:

SPOKE2#sh ip route eigrp
10.0.0.0/24 is subnetted, 1 subnets
D 10.10.1.0 [90/297246976] via 172.16.0.1, 00:00:30, Tunnel0
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/297372416] via 172.16.100.1, 00:00:30, Tunnel100
192.168.1.0/32 is subnetted, 1 subnets
D 192.168.1.1 [90/297372416] via 172.16.0.1, 00:00:30, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/310172160] via 172.16.0.2, 00:00:30, Tunnel0