
Configuration DMVPN Primary and P2P Secondary (EIGRP)

ed.lee
Level 1

Hi, has anyone ever implemented multipoint DMVPN as primary via ISP and then utilized a P2P connection as a secondary/backup? I am trying to understand how failover should work with this type of Primary and Backup configuration. I guess what I am confused about is that with DMVPN, there is a tunnel 0 that is tied to a tunnel source. How can it fail over to the secondary P2P connection (which is a wifi bridge)? Is IPSLA required? Configuration example below. Thanks for any assistance.


version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
logging buffered 65536
no logging console
no logging monitor
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
!
ip cef
!
!
!
ip dhcp excluded-address 172.16.152.1 172.16.152.40
ip dhcp excluded-address 172.16.204.1 172.16.204.20
!
ip dhcp pool vendor
network 172.16.204.0 255.255.255.192
default-router 172.16.204.1
dns-server 8.8.8.8
lease 4
!
ip dhcp pool LAN
network 172.16.152.0 255.255.255.0
default-router 172.16.152.1
dns-server 10.128.64.241 10.129.64.241
domain-name ad.lefrak.com
option 43 hex f108.0a80.0045.0a81.0043
!
!
!
no ip bootp server
no ip domain lookup
ip domain name ad.lefrak.com
ip inspect log drop-pkt
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 15
ip inspect name g0/0-inspect-out dns
ip inspect name g0/0-inspect-out ftp
ip inspect name g0/0-inspect-out http
ip inspect name g0/0-inspect-out https
ip inspect name g0/0-inspect-out tftp
ip inspect name g0/0-inspect-out icmp
ip inspect name g0/0-inspect-out sip
ip inspect name g0/0-inspect-out sip-tls
ip inspect name g0/0-inspect-out h323
ip inspect name g0/0-inspect-out pptp
ip inspect name g0/0-inspect-out tcp
ip inspect name g0/0-inspect-out udp
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint local
enrollment selfsigned
serial-number
revocation-check crl
!
crypto pki trustpoint TP-self-signed-1281072392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1281072392
revocation-check none
rsakeypair TP-self-signed-1281072392
!
redundancy
!
!
!
!
!
ip ssh version 2
!
track 1 ip sla 1 reachability
delay down 45
!
track 2 ip sla 1 reachability
delay down 45
!
track 11 ip sla 1
default-state up
!
class-map match-any VoiceSignaling
match protocol sip
match protocol h323
match protocol rtcp
class-map match-all RTP
match protocol rtp
!
policy-map QOS
class VoiceSignaling
set dscp af41
policy-map QoS
class RTP
priority percent 5
set dscp ef
class VoiceSignaling
bandwidth percent 2
set dscp cs3
class class-default
set ip precedence 0
fair-queue
policy-map SHAPE_16M
class class-default
shape average 16000000
service-policy QoS
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key lefrakdmvpn address 0.0.0.0
crypto isakmp keepalive 10 3 periodic
!
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set dmvpn
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.255.0.101 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast 202.72.172.2
ip nhrp map 10.255.0.1 202.72.172.2
ip nhrp map 10.255.0.2 202.73.173.2
ip nhrp map multicast 202.73.173.2
ip nhrp network-id 1
ip nhrp nhs 10.255.0.1
ip nhrp nhs 10.255.0.2
ip nhrp shortcut
ip nhrp redirect
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WiFi_Bridge-to-LFC
ip address 10.130.0.21 255.255.255.252
no ip redirects
no ip proxy-arp
ip flow ingress
load-interval 30
delay 500
shutdown
duplex auto
speed auto
service-policy output SHAPE_16M
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Spectrum
ip address 172.254.x.x 255.255.255.248
ip access-group 120 in
ip flow ingress
ip nat outside
ip inspect g0/0-inspect-out out
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
description Trunk-to-switch
switchport mode trunk
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan100
description *** Internal Network ***
ip address 172.16.152.1 255.255.255.0
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan200
description Vendor
ip address 172.16.204.1 255.255.255.192
ip access-group vendor in
ip nat inside
ip virtual-reassembly in
!
!
router eigrp 1
network 172.16.152.0 0.0.0.255
network 172.16.204.0 0.0.0.63
redistribute eigrp 2
!
!
router eigrp 2
network 10.130.0.21 0.0.0.0
network 10.255.0.0 0.0.0.255
redistribute eigrp 1 metric 15 1000 255 1 1492 route-map EIGRP1-to-EIGRP2
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map WAN1 interface GigabitEthernet0/0 overload
ip nat inside source route-map WAN2 interface GigabitEthernet0/2 overload
ip route 202.72.172.2 255.255.255.255 GigabitEthernet0/2 172.254.x.x track 1
ip route 202.73.173.2 255.255.255.255 GigabitEthernet0/2 172.254.x.x track 1
ip route 4.2.2.2 255.255.255.255 10.130.0.22
ip route 8.8.8.8 255.255.255.255 172.254.x.x
!
ip access-list standard snmpREAD
permit 10.129.1.14
permit 10.129.1.13
remark READgroup
permit 10.129.64.110
permit 10.128.1.39
permit 10.128.1.38
deny any log
ip access-list standard snmpWRITE
permit 10.129.1.14
permit 10.129.1.13
remark WRITEgroup
permit 10.129.64.110
permit 10.128.1.39
permit 10.128.1.38
deny any log
!
ip access-list extended NAT
deny ip 172.16.152.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 172.16.152.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 172.16.152.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended VLAN200-NAT-EXCLUSION
deny ip 172.16.204.0 0.0.0.63 10.0.0.0 0.255.255.255
deny ip 172.16.204.0 0.0.0.63 172.16.0.0 0.15.255.255
deny ip 172.16.204.0 0.0.0.63 192.168.0.0 0.0.255.255
permit ip 172.16.204.0 0.0.0.63 any
ip access-list extended vendor
permit icmp any any echo-reply
permit ip 172.16.204.0 0.0.0.63 host 172.16.202.193
deny ip 172.16.204.0 0.0.0.63 172.16.204.0 0.0.0.63
deny ip 172.16.204.0 0.0.0.63 10.0.0.0 0.255.255.255
deny ip 172.16.204.0 0.0.0.63 172.16.0.0 0.15.255.255
deny ip 172.16.204.0 0.0.0.63 192.168.0.0 0.0.255.255
permit ip any any
!
!
ip prefix-list static-to-eigrp seq 5 permit 192.168.0.0/16
ip prefix-list static-to-eigrp seq 10 permit 10.0.0.0/9
ip prefix-list static-to-eigrp seq 15 permit 172.16.0.0/15
ip sla auto discovery
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
threshold 4000
frequency 6
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2 source-interface GigabitEthernet0/0
threshold 4000
frequency 6
ip sla schedule 2 life forever start-time now
!
route-map EIGRP1-to-EIGRP2 deny 10
match route-type external
!
route-map EIGRP1-to-EIGRP2 permit 20
!
route-map NAT-TO-INET permit 20
match ip address VLAN200-NAT-EXCLUSION
!
route-map NAT permit 10
match ip address NAT
!
route-map WAN1 permit 10
description WiFi_Bridge-to-LFC
match ip address 100
match interface GigabitEthernet0/0
!
route-map WAN2 permit 10
description Spectrum2_to_Inet
match ip address 100
match interface GigabitEthernet0/2
!
route-map static-to-eigrp permit 10
match ip address prefix-list static-to-eigrp
!
!
snmp-server group READgroup v3 auth read view1
snmp-server group WRITEgroup v3 auth write view1
snmp-server view view1 internet included
snmp-server view view1 mib-2 included
snmp-server view view1 system included
snmp-server view view1 interfaces included
snmp-server view view1 chassis included
snmp-server ifindex persist
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
!
end
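
The IP SLA and tracking lines in the configuration above can be cross-referenced mechanically to see what the static routes actually depend on. This is an added example, not part of the original post: it parses the track, ip sla and ip route lines copied from the posted config, and the function name `audit_tracking` is hypothetical.

```python
import re

# Lines copied from the configuration in the post (track, ip route, ip sla only).
CONFIG = """\
track 1 ip sla 1 reachability
track 2 ip sla 1 reachability
track 11 ip sla 1
ip route 202.72.172.2 255.255.255.255 GigabitEthernet0/2 172.254.x.x track 1
ip route 202.73.173.2 255.255.255.255 GigabitEthernet0/2 172.254.x.x track 1
ip route 4.2.2.2 255.255.255.255 10.130.0.22
ip route 8.8.8.8 255.255.255.255 172.254.x.x
ip sla auto discovery
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2 source-interface GigabitEthernet0/0
ip sla schedule 2 life forever start-time now
"""

def audit_tracking(config):
    """Cross-reference IP SLA probes, track objects and tracked static routes."""
    slas, tracks, routes, current = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"ip sla (\d+)", line):
            current = int(m.group(1))
            slas[current] = None                      # probe details not yet seen
        elif (m := re.match(r"icmp-echo (\S+) source-interface (\S+)", line)) and current:
            slas[current] = (m.group(1), m.group(2))  # (target, egress interface)
        elif m := re.match(r"track (\d+) ip sla (\d+)", line):
            tracks[int(m.group(1))] = int(m.group(2))
        elif m := re.match(r"ip route (\S+) \S+ .*\btrack (\d+)$", line):
            routes.append((m.group(1), int(m.group(2))))
    # For every tracked route, follow route -> track object -> SLA probe.
    chains = [(p, t, tracks.get(t), slas.get(tracks.get(t))) for p, t in routes]
    return {
        "chains": chains,
        "unused_slas": sorted(set(slas) - set(tracks.values())),
        "unused_tracks": sorted(set(tracks) - {t for _, t in routes}),
    }

if __name__ == "__main__":
    report = audit_tracking(CONFIG)
    for prefix, t, sla, probe in report["chains"]:
        print(f"route {prefix} -> track {t} -> ip sla {sla} -> {probe}")
    print("ip sla never tracked:", report["unused_slas"])
    print("track objects not used by a route:", report["unused_tracks"])
```

On the posted lines, both hub host routes resolve to probe 1 (an ICMP echo to 8.8.8.8 out GigabitEthernet0/2). `ip sla 2` is not referenced by any track object, and track 2 and track 11 are not attached to any route.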

 
