Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2694
Views
0
Helpful
6
Replies

Dual ISP Hub and Spoke DMVPN

williamtwomey
Level 1
Level 1

‎09-18-2013 08:51 AM - edited ‎02-21-2020 07:09 PM

Hello All,

I am trying to build a DMVPN solution for two sites each with secondary ISPs.

The solution works "sort of", but doesn't seem very robust (sometimes a router reload is required if VPN doesn't come up after ISP failover)

I was wondering if anyone had any suggestions to my config below?

Thanks!

!!!!HUB!!!!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile dmvpn
 set security-association lifetime seconds 1800
 set transform-set aes256
 set pfs group5
!
crypto ipsec profile dmvpn2
 set security-association lifetime seconds 1800
 set transform-set aes256
 set pfs group5
!
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 53
 no ip split-horizon eigrp 53
 ip nhrp authentication secret1
 ip nhrp map multicast dynamic
 ip nhrp network-id 6
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 545
 tunnel protection ipsec profile dmvpn shared
!
interface Tunnel1
 ip address 10.255.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 53
 no ip split-horizon eigrp 53
 ip nhrp authentication secret1
 ip nhrp map multicast dynamic
 ip nhrp network-id 7
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 546
 tunnel protection ipsec profile dmvpn2 shared
!
interface Tunnel2
 ip address 10.255.253.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 53
 no ip split-horizon eigrp 53
 ip nhrp authentication secret1
 ip nhrp map multicast dynamic
 ip nhrp network-id 8
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 547
 tunnel protection ipsec profile dmvpn shared
!
interface Tunnel3
 ip address 10.255.252.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 53
 no ip split-horizon eigrp 53
 ip nhrp authentication secret1
 ip nhrp map multicast dynamic
 ip nhrp network-id 9
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 548
 tunnel protection ipsec profile dmvpn2 shared
!
interface FastEthernet0/0/0
 description Secondary ISP
 ip address 199.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface VLAN1
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Primary ISP
 ip address 200.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 53
 network 10.255.252.0 0.0.0.255
 network 10.255.253.0 0.0.0.255
 network 10.255.254.0 0.0.0.255
 network 10.255.255.0 0.0.0.255
 network 192.168.1.0
 eigrp stub connected
 no auto-summary
!
!
ip route 0.0.0.0 0.0.0.0 199.1.1.2 5
ip route 0.0.0.0 0.0.0.0 200.1.1.2 
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

!!!SPOKE!!!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile dmvpn
 set security-association lifetime seconds 1800
 set transform-set aes256
 set pfs group5
!
crypto ipsec profile dmvpn2
 set security-association lifetime seconds 1800
 set transform-set aes256
 set pfs group5
!
!
!
interface VLAN1
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
!
interface Tunnel0
 ip address 10.255.255.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication secret1
 ip nhrp map 10.255.255.1 200.1.1.1
 ip nhrp map multicast 200.1.1.1
 ip nhrp network-id 6
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.255.1
 ip nhrp registration timeout 30
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 545
 tunnel protection ipsec profile dmvpn shared
!
interface Tunnel1
 ip address 10.255.254.5 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication secret1
 ip nhrp map 10.255.254.1 199.1.1.1
 ip nhrp map multicast 199.1.1.1
 ip nhrp network-id 7
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.254.1
 delay 1500
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 546
 tunnel protection ipsec profile dmvpn shared
!
interface Tunnel2
 ip address 10.255.253.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication secret1
 ip nhrp map multicast 200.1.1.1
 ip nhrp map 10.255.253.1 200.1.1.1
 ip nhrp network-id 8
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.253.1
 ip nhrp registration timeout 30
 delay 1000
 tunnel source FastEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 547
 tunnel protection ipsec profile dmvpn2 shared
!
interface Tunnel3
 ip address 10.255.252.5 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication secret1
 ip nhrp map multicast 199.1.1.1
 ip nhrp map 10.255.252.1 199.1.1.1
 ip nhrp network-id 9
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.252.1
 delay 1500
 tunnel source FastEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 548
 tunnel protection ipsec profile dmvpn2 shared
!
interface FastEthernet0/0/0
description Secondary Internet
 ip address 201.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Primary Internet
 ip address 201.2.2.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 53
 distribute-list 1 out
 network 10.255.252.0 0.0.0.255
 network 10.255.253.0 0.0.0.255
 network 10.255.254.0 0.0.0.255
 network 10.255.255.0 0.0.0.255
 network 192.168.0.0
 offset-list 1 out 12800 Tunnel1
 eigrp stub connected
 no auto-summary
!
!
ip route 0.0.0.0 0.0.0.0 201.2.2.2
ip route 0.0.0.0 0.0.0.0 201.1.1.2 5
!
!
access-list 1 permit 192.168.0.0
access-list 1 permit 10.255.255.0 0.0.0.255
access-list 1 permit 10.255.254.0 0.0.0.255
access-list 1 permit 10.255.253.0 0.0.0.255
access-list 1 permit 10.255.252.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
Labels:
0 Helpful
6 Replies 6

williamtwomey
Level 1
Level 1

‎09-24-2013 06:14 AM

These tunnels work, but EIGRP will sometimes not update the route. Does anyone have any insight into EIGRP in a setup like this?

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to williamtwomey

‎09-25-2013 12:43 AM

William,

1) Missing DPDs. That will explain "sometimes a reload is required"

invalid-SPI-recovery will not help much, but you can keep it configured.

2) Stub on hub side? That's a bit odd isn't it? It's in fact not a stub. My suggestion is go phase3 design way and advertise summaries from hub. But that's up to you.

M.

0 Helpful

williamtwomey
Level 1
Level 1
In response to Marcin Latosiewicz

‎09-25-2013 05:41 AM

Hello,

Thanks for the response!

I left the stub on the hub while troubleshooting, it has since been removed.

By DPD, do you mean "crypto isakmp keepalive 10 periodic"? 

I've since added that (spoke and hub) and while the tunnels work great (they fail over, can ping 10.255.25x.x) the routes do not update which lead me to believe it's an EIGRP problem. Is there something else I should do for DPD?

Thanks again

Will

Can't edit the original post, so:

!Hub

crypto isakmp keepalive 10 periodic

router eigrp 53

network 10.255.252.0 0.0.0.255

network 10.255.253.0 0.0.0.255

network 10.255.254.0 0.0.0.255

network 10.255.255.0 0.0.0.255

network 192.168.1.0

no auto-summary

!Spoke

crypto isakmp keepalive 10 periodic

router eigrp 53

network 10.255.252.0 0.0.0.255

network 10.255.253.0 0.0.0.255

network 10.255.254.0 0.0.0.255

network 10.255.255.0 0.0.0.255

network 192.168.0.0

eigrp stub connected

no auto-summary

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to williamtwomey

‎09-25-2013 05:49 AM

10 seconds periodic might be to steep if you want to scale.

Non-periodic 30/5 work OK for DMVPN :-)

Yes the problem with prefixes is not core DMVPN problem, most likelt the RP doing something odd (hence my suggestion to check the stubbines)

Try with BGP? :-)

0 Helpful

Mlex1
Spotlight
Spotlight

‎12-26-2019 04:00 AM

Hello one question here on topology i want to configure second ISP but i can't if someone help me it will be wonderful thanks in advance, here in my topology with ISP1 my lab working and  i need isp2 for secondary what will i do 2f393ef6c4.png

Спрашивай все что хочешь
Preview file
78 KB
0 Helpful

Rob Ingram
VIP
VIP
In response to Mlex1

‎12-26-2019 04:26 AM

Hi,
It would be better to start a new post for your issue.

You could setup a Dual Cloud DMPVN. Define 2 x tunnel interfaces, using a different tunnel source for each ISP and a separate network for the tunnel interface.
HTH
0 Helpful
Customers Also Viewed These Support Documents