Solved: Dual DMVPN, dual hub

incognito · ‎05-17-2019

Hi everyone

I have a extraordinary question

I have one hub and many spokes already configured (single DMVPN, EIGRP, IPSec)

And i want to reconfigure my network as Dual HUB, dual DMVPN. Is it possible to make one of the spokes to be HUB2 and still stay as a spoke? Example: Spoke 1 = Hub2+Spoke1. How the config would look like?

for more information open the attached image please (black line is existing network and red arrows are network what I want to create)

Existing config:

Hub

interface Tunnel1
description ## Interface VPN Cloud ##
ip address 172.10.10.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp network-id 1
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
!

Spoke 1

interface Tunnel1
description ## Interface VPN Cloud ##
ip address 172.10.10.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast X.X.X.X
ip nhrp map 172.10.10.1 X.X.X.X
ip nhrp network-id 1
ip nhrp nhs 172.10.10.1
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint

Giuseppe Larosa · ‎05-19-2019

Hello Incognito,

what you need to do is the following:

a) on Spoke1 = Hub2 shut down interface tunnel1 the mGRE tunnel to DMVPN1.

allocate a private IP subnet like 10.10.12.0/30 to be used on the point to point tunnel

configure the tunnel with

interface tunnel 12

description HUB2 To HUB1 tunnel

ip address 10.10.12.2 255.255.255.255.252

tunnel source x.x.x.x

tunnel destination y.y.y.y

no shut

Under router eigrp process add a network statement for the new subnet

router eigrp 100

network 10.10.12.0 0.0.0.3

!

b)

on HUB1

create the tunnel 12

interface tunnel 12

description HUB1 To HUB2 tunnel

ip address 10.10.12.1 255.255.255.255.252

tunnel source y.y.y.y

tunnel destination x.x.x.x

no shut

Under router eigrp process add a network statement for the new subnet

router eigrp 100

network 10.10.12.0 0.0.0.3

!

c)

For encryption you should use the tunnel protection command with an IPSec profile.

However, I'm not sure it is supported on a point to point GRE tunnel.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎05-17-2019

Hello Incognito,

>> And i want to reconfigure my network as Dual HUB, dual DMVPN. Is it possible to make one of the spokes to be HUB2 and still stay as a spoke? Example: Spoke 1 = Hub2+Spoke1. How the config would look like?

Well in real world Spoke1 would be remote far away from the Central site.

You should think of using a dedicated HUB for the second DMVPN.

Then of course you need to provide a routed link between HUB1 and HUB2 with EIGRP running over it.

This allows to cover some fault cases as spoke to spoke dynamic tunnel setup is limited to a single DMVPN.

see the following design guide on page 16

https://community.cisco.com/legacyfs/online/legacy/3/9/5/26593-DMVPNbk.pdf

Hope to help

Giuseppe

incognito · ‎05-18-2019

Thank you
And you recommend me to use another new hub and do not use the spoke as a hub? And my plan is unreal?

Giuseppe Larosa · ‎05-18-2019

Hello incognito,

yes I would recommend deploying a dedicated router as new HUB for new DMVPN

The reason is that for covering some type of faults you need routing between the two HUB routers.

Hope to help

Giuseppe

incognito · ‎05-18-2019

What if I just configure gre tunnel between hub and spoke1 (in this case hub2)??

Giuseppe Larosa · ‎05-18-2019

Hello Incognito,

if you use a dedicated point to point GRE tunnel protected by IPSec to connect HUB1 and new HUB2 = spoke1, and you remove spoke1/HUB2 from DMVPN1, I think it is a reasonable design.

You need to run EIGRP over the new tunnel between the two HUB routers.

Hope to help

Giuseppe

incognito · ‎05-19-2019

Thank you! if you don't mind, can you briefly write how the configuration will look? I imagine but I don’t know how to configure on hub1 and spoke1=hub2. And GRE tunnel between them? I’m confused...

Giuseppe Larosa · ‎05-19-2019

Hello Incognito,

what you need to do is the following:

a) on Spoke1 = Hub2 shut down interface tunnel1 the mGRE tunnel to DMVPN1.

allocate a private IP subnet like 10.10.12.0/30 to be used on the point to point tunnel

configure the tunnel with

interface tunnel 12

description HUB2 To HUB1 tunnel

ip address 10.10.12.2 255.255.255.255.252

tunnel source x.x.x.x

tunnel destination y.y.y.y

no shut

Under router eigrp process add a network statement for the new subnet

router eigrp 100

network 10.10.12.0 0.0.0.3

!

b)

on HUB1

create the tunnel 12

interface tunnel 12

description HUB1 To HUB2 tunnel

ip address 10.10.12.1 255.255.255.255.252

tunnel source y.y.y.y

tunnel destination x.x.x.x

no shut

Under router eigrp process add a network statement for the new subnet

router eigrp 100

network 10.10.12.0 0.0.0.3

!

c)

For encryption you should use the tunnel protection command with an IPSec profile.

However, I'm not sure it is supported on a point to point GRE tunnel.

Hope to help

Giuseppe

incognito · ‎05-20-2019

Thank you so much! Thank you for taking your time!