11-25-2017 01:54 AM - edited 03-05-2019 09:32 AM
Hello Community,
I have been searching around this evening for a good DMVPN Phase-3 Hierarchical DMVPN network design that has a central hub, regional hubs, and regional spokes. Most of the examples I found did not suit my needs so I decided to lab the configuration using GNS3 and share it with the community here. I hope this example is helpful to others.
The importance of this example is to show how DMVPN Phase 3 shortcut paths can be dynamically established between the sites within and across the regions. I also look at route summarization to simplify the routing tables across the environment.
The diagram below is the example topology. The Central router acts as an intermediate hub between two regional hubs, Hub1 and Hub2. Spoke1 is a spoke site within Region1 and Spoke2 is a spoke site within Region2. The red lines show the DMVPN static tunnels, which connect the spoke sites to their closest hub and also interconnect the hubs. The black lines show the physical connections from the DMVPN routers to a common IP cloud, emulating the Internet or a similar underlying infrastructure.
This lab example was built using IOL images running 15.6.3M3 code.
The first configuration I will explore is an environment where summarization is not configured and full routes are shared across the cloud. It is important to note that the DMVPN cloud is a single instance using the same DMVPN tunnel key and NHRP Network ID. This is important for NHRP indirection/redirect to work properly.
The following are the tunnel configurations for the central and regional hubs. An important item to note is the NHRP shortcut and redirect commands. These commands help NHRP understand the functional role of the router in the DMVPN topology. If the router is a spoke, apply the “ip nhrp shortcut” command. If the router is a hub, apply the “ip nhrp redirect” command. If the router is both a spoke and hub, such as Hub1 and Hub2 in the example topology, then apply both commands.
Hub1
interface Tunnel0
ip address 10.0.0.32 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 1 ! <- allows the hub to share routes it learns from other hubs or spokes
ip nhrp authentication test
ip nhrp map multicast dynamic ! <- allows NHRP to learn EIGRP neighbors dynamically
ip nhrp network-id 100000 ! <- must be the same across the cloud for spoke-to-spoke
ip nhrp nhs 10.0.0.1 nbma 172.17.0.1 multicast ! <- this is a static NHRP map to interconnect a regional hub to the central hub
ip nhrp shortcut ! <- important on spokes
ip nhrp redirect ! <- important on hubs
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000 ! <- must be the same across the cloud for spoke-to-spoke
tunnel protection ipsec profile profile-dmvpn
Hub2
interface Tunnel0
ip address 10.0.0.64 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 1
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.1 nbma 172.17.0.1 multicast
ip nhrp shortcut ! <- important on spokes
ip nhrp redirect ! <- important on hubs
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile-dmvpn
Central
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 1
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp redirect ! <- important on hubs
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile-dmvpn
The spoke tunnel configurations are similar but not the same.
Spoke1
interface Tunnel0
ip address 10.0.0.33 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication test
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.32 nbma 172.17.0.32 multicast
ip nhrp shortcut ! <- important on spokes
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile-dmvpn
Spoke2
interface Tunnel0
ip address 10.0.0.65 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication test
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.64 nbma 172.17.0.64 multicast
ip nhrp shortcut ! <- important on spokes
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile-dmvpn
The result of this configuration is that all sites have visibility of the local /24 loopbacks in the network. This is a sample of the Spoke1 routing table.
Spoke_1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.33/32 is directly connected, Tunnel0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/24 is directly connected, Ethernet0/0
L 172.17.0.33/32 is directly connected, Ethernet0/0
D 192.168.1.0/24 [90/28288000] via 10.0.0.32, 00:00:59, Tunnel0
D 192.168.32.0/24 [90/27008000] via 10.0.0.32, 00:00:44, Tunnel0
192.168.33.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.33.0/24 is directly connected, Loopback1
L 192.168.33.1/32 is directly connected, Loopback1
D 192.168.64.0/24 [90/29568000] via 10.0.0.32, 00:00:32, Tunnel0
D 192.168.65.0/24 [90/30848000] via 10.0.0.32, 00:00:32, Tunnel0
It is important to understand that while each site has EIGRP routes for every other site, only the DMVPN Spoke to Regional Hub and Regional Hub to Central Hub Tunnels are established.
central_hub#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.17.0.32 10.0.0.32 UP 00:47:33 D <- to Spoke1
1 172.17.0.64 10.0.0.64 UP 00:45:52 D <- to Spoke2
hub_1#show dmvpn
...
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub/Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.17.0.1 10.0.0.1 UP 00:48:41 S <- to Central Hub
1 172.17.0.33 10.0.0.33 UP 00:40:00 D <- to Spoke1
spoke_1#show dmvpn
...
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.17.0.32 10.0.0.32 UP 00:40:16 S <- to Hub1
When spoke-to-spoke traffic occurs, the initial packets will be forwarded through the next hop hub based on the current routing table. For example, if Spoke1 pings Spoke2, the initial routing table shows reachability for via 10.0.0.32 which is Hub1. Once NHRP resolution completes, a new next hop override is installed as shown below.
spoke_1#ping 192.168.65.1 source Loopback 1 <- from Spoke1 to Spoke2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.65.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.33.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/8/12 ms
spoke_1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.17.0.32 10.0.0.32 UP 00:48:59 S
2 172.17.0.65 10.0.0.65 UP 00:00:08 DT1 <- new dynamic route to Spoke2
10.0.0.65 UP 00:00:08 DT2 <- new dynamic override to Spoke2
spoke_1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.33/32 is directly connected, Tunnel0
H 10.0.0.65/32 is directly connected, 00:00:15, Tunnel0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/24 is directly connected, Ethernet0/0
L 172.17.0.33/32 is directly connected, Ethernet0/0
D 192.168.1.0/24 [90/28288000] via 10.0.0.32, 00:32:02, Tunnel0
D 192.168.32.0/24 [90/27008000] via 10.0.0.32, 00:31:47, Tunnel0
192.168.33.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.33.0/24 is directly connected, Loopback1
L 192.168.33.1/32 is directly connected, Loopback1
D 192.168.64.0/24 [90/29568000] via 10.0.0.32, 00:31:35, Tunnel0
D % 192.168.65.0/24 [90/30848000] via 10.0.0.32, 00:31:35, Tunnel0
Notice the “%” indicator next to the Spoke2 route. While the route was already in the table, a new shortcut tunnel is now present and able to carry traffic directly between Spoke1 and Spoke2.
Spoke2 shows a similar status even though the traffic originated from Spoke1. The output below shows a new dynamic tunnel and next hop override established from Spoke2 to Spoke1.
spoke_2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 172.17.0.33 10.0.0.33 UP 00:04:14 DT1
10.0.0.33 UP 00:04:14 DT2
1 172.17.0.64 10.0.0.64 UP 00:51:48 S
spoke_2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
H 10.0.0.33/32 is directly connected, 00:04:20, Tunnel0
L 10.0.0.65/32 is directly connected, Tunnel0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/24 is directly connected, Ethernet0/0
L 172.17.0.65/32 is directly connected, Ethernet0/0
D 192.168.1.0/24 [90/28288000] via 10.0.0.64, 00:36:07, Tunnel0
D 192.168.32.0/24 [90/29568000] via 10.0.0.64, 00:35:52, Tunnel0
D % 192.168.33.0/24 [90/30848000] via 10.0.0.64, 00:35:52, Tunnel0
D 192.168.64.0/24 [90/27008000] via 10.0.0.64, 00:35:40, Tunnel0
192.168.65.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.65.0/24 is directly connected, Loopback1
L 192.168.65.1/32 is directly connected, Loopback1
It is important to note that no new EIGRP neighbors were formed as a result of the spoke-to-spoke tunnel establishment.
spoke_1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.0.32 Tu0 14 00:55:11 27 1362 0 19
spoke_2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.0.64 Tu0 14 00:54:04 20 1362 0 55
As the number of sites in a region increases, the routing table size and complexity will increase. To help control this issue, route summarization can be implemented at the central and regional hubs. In this case the 192.168.0.0 can be nicely grouped into an enterprise summary route at the Central router with prefix 192.168.0.0/16 and regional summary routes at each of the hubs with 192.168.32.0/19 and 192.168.64.0/19. The important aspect of this example to consider is that the regional summary routes do not overlap or cause ambiguity. In this configuration, an overlapping summary can cause traffic to be black holed.
The following output shows the summary configurations applied to the hub tunnel interfaces.
central_hub#show run interface tunnel 0 | include ^interface|summary
interface Tunnel0
ip summary-address eigrp 1 192.168.0.0 255.255.0.0
hub_1#show run interface tunnel 0 | include ^interface|summary
interface Tunnel0
ip summary-address eigrp 1 192.168.32.0 255.255.224.0
hub_2#show run interface tunnel 0 | include ^interface|summary
interface Tunnel0
ip summary-address eigrp 1 192.168.64.0 255.255.224.0
The following output shows the Spoke1 routing table and DMVPN tunnel status before any spoke-to-spoke traffic occurs. Notice that all of the 192.168.x.0/24 routes from the other sites have been replaced by two prefixes, the 192.168.0.0/16 enterprise and 192.168.32.0/19 regional summaries.
spoke_1#show ip route
...
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.33/32 is directly connected, Tunnel0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/24 is directly connected, Ethernet0/0
L 172.17.0.33/32 is directly connected, Ethernet0/0
D 192.168.0.0/16 [90/28288000] via 10.0.0.32, 00:13:33, Tunnel0
D 192.168.32.0/19 [90/27008000] via 10.0.0.32, 00:21:11, Tunnel0
192.168.33.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.33.0/24 is directly connected, Loopback1
L 192.168.33.1/32 is directly connected, Loopback1
spoke_1#show dmvpn
...
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.17.0.32 10.0.0.32 UP 01:25:27 S
spoke_1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.0.32 Tu0 12 01:25:33 31 1362 0 31
When spoke-to-spoke demand traffic occurs, the initial traffic is carried via the summary routes through the hubs. In parallel, an NHRP resolution is found and a dynamic tunnel is formed. The output below shows the new route installed in the routing table and the new tunnel relationship. The output also shows that no new EIGRP neighbors occur during this process.
spoke_1#ping 192.168.65.1 source Loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.65.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.33.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/11 ms
spoke_1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.17.0.32 10.0.0.32 UP 01:37:05 S
2 172.17.0.65 10.0.0.65 UP 00:00:05 DT1 <- new NHRP route installed
10.0.0.65 UP 00:00:05 DT1
spoke_1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.33/32 is directly connected, Tunnel0
H 10.0.0.65/32 is directly connected, 00:00:13, Tunnel0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/24 is directly connected, Ethernet0/0
L 172.17.0.33/32 is directly connected, Ethernet0/0
D 192.168.0.0/16 [90/28288000] via 10.0.0.32, 00:25:28, Tunnel0
D 192.168.32.0/19 [90/27008000] via 10.0.0.32, 00:33:06, Tunnel0
192.168.33.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.33.0/24 is directly connected, Loopback1
L 192.168.33.1/32 is directly connected, Loopback1
H 192.168.65.0/24 [250/255] via 10.0.0.65, 00:00:13, Tunnel0
spoke_1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.0.32 Tu0 14 01:37:34 31 1362 0 31
spoke_2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 172.17.0.33 10.0.0.33 UP 00:00:20 DT1 <- new NHRP route installed
10.0.0.33 UP 00:00:20 DT1
1 172.17.0.64 10.0.0.64 UP 01:36:03 S
spoke_2#show ip route
...
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
H 10.0.0.33/32 is directly connected, 00:00:27, Tunnel0
L 10.0.0.65/32 is directly connected, Tunnel0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/24 is directly connected, Ethernet0/0
L 172.17.0.65/32 is directly connected, Ethernet0/0
D 192.168.0.0/16 [90/28288000] via 10.0.0.64, 00:25:41, Tunnel0
H 192.168.33.0/24 [250/255] via 10.0.0.33, 00:00:27, Tunnel0
D 192.168.64.0/19 [90/27008000] via 10.0.0.64, 00:32:21, Tunnel0
192.168.65.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.65.0/24 is directly connected, Loopback1
L 192.168.65.1/32 is directly connected, Loopback1
The full router configurations are shown below for your convenience
hostname central_hub
!
ip cef
!
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set transform-dmvpn esp-aes 256 esp-sha-hmac
!
crypto ipsec profile profile-dmvpn
set transform-set transform-dmvpn
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 1
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp redirect
ip summary-address eigrp 1 192.168.0.0 255.255.0.0
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile-dmvpn
!
interface Tunnel1
no ip address
ip summary-address eigrp 1 192.168.0.0 255.255.0.0
!
interface Ethernet0/0
ip address 172.17.0.1 255.255.255.0
!
!
router eigrp 1
network 10.0.0.0
network 192.168.0.0 0.0.255.255
!
end
hostname hub_1
!
ip cef
!
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set transform-dmvpn esp-aes 256 esp-sha-hmac
!
crypto ipsec profile profile-dmvpn
set transform-set transform-dmvpn
!
interface Loopback1
ip address 192.168.32.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.0.32 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 1
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.1 nbma 172.17.0.1 multicast
ip nhrp shortcut
ip nhrp redirect
ip summary-address eigrp 1 192.168.32.0 255.255.224.0
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile-dmvpn
!
interface Ethernet0/0
ip address 172.17.0.32 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 192.168.0.0 0.0.255.255
!
end
hostname hub_2
!
ip cef
!
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set transform-dmvpn esp-aes 256 esp-sha-hmac
!
crypto ipsec profile profile-dmvpn
set transform-set transform-dmvpn
!
interface Loopback1
ip address 192.168.64.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.0.64 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 1
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.1 nbma 172.17.0.1 multicast
ip nhrp shortcut
ip nhrp redirect
ip summary-address eigrp 1 192.168.64.0 255.255.224.0
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile-dmvpn
!
interface Ethernet0/0
ip address 172.17.0.64 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 192.168.0.0 0.0.255.255
!
end
hostname spoke_1
!
ip cef
!
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set transform-dmvpn esp-aes 256 esp-sha-hmac
!
crypto ipsec profile profile-dmvpn
set transform-set transform-dmvpn
!
interface Loopback1
ip address 192.168.33.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.0.33 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication test
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.32 nbma 172.17.0.32 multicast
ip nhrp shortcut
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile-dmvpn
!
interface Ethernet0/0
ip address 172.17.0.33 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 192.168.0.0 0.0.255.255
!
end
hostname spoke_2
!
ip cef
!
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set transform-dmvpn esp-aes 256 esp-sha-hmac
!
crypto ipsec profile profile-dmvpn
set transform-set transform-dmvpn
!
interface Loopback1
ip address 192.168.65.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.0.65 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication test
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.64 nbma 172.17.0.64 multicast
ip nhrp shortcut
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile-dmvpn
!
interface Ethernet0/0
ip address 172.17.0.65 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 192.168.0.0 0.0.255.255
!
end
hostname Internet
!
ip cef
!
bridge irb
!
interface Ethernet0/0
no ip address
bridge-group 1
!
interface Ethernet0/1
no ip address
bridge-group 1
!
interface Ethernet0/2
no ip address
bridge-group 1
!
interface Ethernet0/3
no ip address
bridge-group 1
!
interface Ethernet1/0
no ip address
bridge-group 1
!
bridge 1 protocol ieee
!
end
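The summarization section warns that overlapping regional summaries can black-hole traffic, and its Spoke1 output shows the H route taking over from the /16 summary once the shortcut forms. The following is an added example, not part of the original post, that checks the summary plan for overlap and replays the longest-prefix match on Spoke1 before and after the shortcut; the function names are hypothetical and the route rows are transcribed from the Spoke1 output above.

```python
import ipaddress
from itertools import combinations

# Summaries and site loopbacks as given in the post.
ENTERPRISE = ipaddress.ip_network("192.168.0.0/16")
REGIONAL = {"hub_1": "192.168.32.0/19", "hub_2": "192.168.64.0/19"}
# site loopback prefix -> regional hub expected to summarize it
SITES = {"192.168.32.0/24": "hub_1", "192.168.33.0/24": "hub_1",
         "192.168.64.0/24": "hub_2", "192.168.65.0/24": "hub_2"}

# Spoke1 routes with summarization, as (code, prefix, next hop).
SPOKE1_BEFORE = [("C", "10.0.0.0/24", "Tunnel0"),
                 ("D", "192.168.0.0/16", "10.0.0.32"),
                 ("D", "192.168.32.0/19", "10.0.0.32"),
                 ("C", "192.168.33.0/24", "Loopback1")]
# After the ping to Spoke2, NHRP installs two H routes.
SPOKE1_AFTER = SPOKE1_BEFORE + [("H", "10.0.0.65/32", "Tunnel0"),
                                ("H", "192.168.65.0/24", "10.0.0.65")]

def check_plan(enterprise, regional, sites):
    """Return a list of problems in a summarization plan (empty = clean)."""
    nets = {hub: ipaddress.ip_network(p) for hub, p in regional.items()}
    problems = []
    for (a, na), (b, nb) in combinations(sorted(nets.items()), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    for hub, net in sorted(nets.items()):
        if not net.subnet_of(enterprise):
            problems.append(f"{hub} {net} is outside {enterprise}")
    for prefix, hub in sorted(sites.items()):
        site = ipaddress.ip_network(prefix)
        covering = sorted(h for h, n in nets.items() if site.subnet_of(n))
        if covering != [hub]:
            problems.append(f"{prefix} expected under {hub}, covered by {covering}")
    return problems

def lookup(table, dst):
    """Longest-prefix match over (code, prefix, next hop) rows."""
    addr = ipaddress.ip_address(dst)
    hits = [row for row in table if addr in ipaddress.ip_network(row[1])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[1]).prefixlen,
               default=None)

if __name__ == "__main__":
    print("plan problems:", check_plan(ENTERPRISE, REGIONAL, SITES))
    print("before shortcut:", lookup(SPOKE1_BEFORE, "192.168.65.1"))
    print("after shortcut: ", lookup(SPOKE1_AFTER, "192.168.65.1"))
```

A plan in which one regional summary also covers another region's sites is reported both as an overlap and per affected site prefix.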
06-15-2018 09:26 PM
Hi kmcfadde,
I have realized the same lab on GNS3 (with IOSv routers), but I am unable to have 172.17.0.33 as a peer on Spoke 2 and 172.17.0.65 on Spoke 1. Please help in identifying the issue. Configuration files are attached.
06-16-2018 08:14 AM
Hello Kmcfadde,
Nice review of Phase 3 DMVPN.
Kudos.