Configuration Dual DMVPN

teymur azimov
Level 1

Hi dears. I configured 1 hub and 3 spokes with DMVPN. All of them are OK and working. Now I want to add a second router as a hub for redundancy and configure a second tunnel on this router as a redundant tunnel.

My working hub and spoke router configuration:

HUB1:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TTS esp-aes 256 esp-sha-hmac
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile customer
 description .:: IPSec profile for DMVPN ::.
 set security-association lifetime seconds 120
 set transform-set TTS
!
interface Tunnel0
 ip address 172.30.30.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 90
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile customer
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.0.0.1 255.255.255.0
 ip access-group OUTSIDE2INSIDE in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.60.1 255.255.255.0
 ip inspect in2out in
 duplex auto
 speed auto
!
router eigrp 90
 network 172.30.30.1 0.0.0.0
 network 192.168.60.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 192.168.60.2  (core switch IP address: 192.168.60.2)

Spoke 1:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 120
!
crypto ipsec transform-set TTS esp-aes 256 esp-sha-hmac
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile customer
 description .:: IPsec Profile for DMVPN ::.
 set security-association lifetime seconds 120
 set transform-set TTS
!
interface Tunnel0
 ip address 172.30.30.5 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map multicast 10.0.0.1
 ip nhrp map 172.30.30.1 10.0.0.1
 ip nhrp network-id 1
 ip nhrp nhs 172.30.30.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.1
 tunnel key 0
 tunnel protection ipsec profile customer
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.0.0.5 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.8
 description User
 encapsulation dot1Q 8
 ip address 192.168.22.1 255.255.255.0
!
interface GigabitEthernet0/1.9
 description Voice
 encapsulation dot1Q 9
 ip address 172.17.3.1 255.255.255.0
!
router eigrp 90
 network 172.17.3.1 0.0.0.0
 network 172.30.20.5 0.0.0.0
 network 172.30.30.5 0.0.0.0
 network 192.168.22.1 0.0.0.0
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Tunnel0

This is my working configuration. I want to configure dual DMVPN with HSRP. My questions are:

What configuration do I need on the second hub2 router?

What configuration do I need on the spokes?

What default routes must I configure on the spokes?

Thanks

2 Replies

Julio Carvajal
VIP Alumni

Hello,

This document will answer all of the questions you have

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks a lot. I understand that I must also configure a tunnel on hub2 and add this tunnel on all my spokes; that is clear to me. Only one issue confuses me. In the working configuration, as you see, my default route points to Tunnel0 on the spokes. If I add a second tunnel on the spoke routers, how do I add that, and how should I think about the redundancy process?

Thanks