05-14-2012 03:51 PM
Hi Guys,
Looking for a solution here, I want to have site-to-site VPNs where indicated by the comm link lightning bolts, only concentrating on Site 1 for now. Site 2 and the other 15 remote offices would be the same, but just focusing on Site 1 for simplicity.
Head Office 1 and TELCO 1 are the priority. TELCO 1 supplies us with 5Mbps links to all remote offices, whereas TELCO 2 supplies us links down to about 512k; it is a backup only.....
- Head Office 1 being the priority, in the event of Head Office 1 going down, the VPN would switch over to Head Office 2 through TELCO 1
- in the event that TELCO 1 went down, TELCO 2 would take over, again Head Office 1 being priority, and in the event that Head Office 1 and TELCO 1 went down, Head Office 2 through TELCO 2 would take over
- there is a L2 10Gbps link between Head Office 1 and 2 for replication
Any ideas guys
This is a real scenario. Thought it might be an interesting challenge for us to solve ;-)
Thanks for your help!
05-14-2012 05:28 PM
This is what DMVPN was designed for. Dual hub DMVPN is what you'll want to implement and with route-maps and IP SLA tracking it will cover everything you've asked for.
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
05-20-2012 03:08 PM
Thanks Kevin,
I have implemented a dual hub, dual DMVPN on a test network, and all is working fine, except for one thing: all remote office routers are in area 1, which is an NSSA with connected networks redistributed into OSPF, and the head office routers' WAN interface and tunnels are also in area 1, with area 1 nssa no-summary, but I cannot for the life of me define a different metric on the auto-injected default routes......please put me out of my misery!
To explain myself a little better, when on a remote router, I get the same cost default route for both Head Office 1 and 2.
What I want is Head Office 1 to be the primary and Head Office 2 to be backup......
Any ideas?
PS I'd love to change to EIGRP, but with our multivendor environment.....not a chance ;-(
Thanks in advance!
05-20-2012 03:17 PM
Got it,
area 1 nssa default-information-originate metric X
Sweet!
05-20-2012 05:43 PM
Good stuff, glad everything is working well. One other thing you could have done to use one link as primary and the other as failover without messing with OSPF would be to use route-maps with IP SLA tracking. When the reachability tracking shows the primary link as down, your route-map would use the failover link (if verify-reachability is configured).
There are many ways to do things I'm glad that your current solution is satisfying your requirements.
Great job!
05-20-2012 06:08 PM
Ok, thanks Kevin, but I have a new problem. I was getting some weird routing tables on the Head Office 2 router, and ultimately I'd prefer spoke-to-spoke connectivity, so I am experimenting with a dual hub, single DMVPN cloud solution, but I have flapping neighbors on the secondary hub router. It seems that the router is unable to send multicasts successfully from what I can see through debugs and pings of 224.0.0.5; it will receive them, but it is unable to reach the neighbors with its hellos, so they die....any ideas?
Config of Hub 1 and 2 and a spoke below.....
PS, I have attached them in txt files for ease of reading.....
PPS Hub 1 is working perfectly, but if I lose it, all neighbors drop and the whole network dies. Let me know if you need any sh commands etc.
Thanks
PPPS If I can get this to work, we will be buying 36 new Cisco routers! Yay! If not, Juniper is lurking!!! Noooooooooooooooo
05-20-2012 06:38 PM
Hi Warren,
Sounds like an interesting problem though I do not have the time to go through your configurations tonight (Wife will murder me).
I will lab this up tomorrow and respond with my results.
Kind Regards,
Kevin
05-20-2012 06:59 PM
Thanks a tonne Kevin, I really appreciate it, and I know how you feel with the death threats....lol
05-21-2012 10:57 AM
Hi Warren,
Haven't gotten around to getting these configs in the lab yet, but just looking over your configurations during lunch, you may try adjusting the tunnel configuration on your spoke's Tunnel1 interface to reflect the change below.
You currently have:
ip nhrp map 10.251.20.1 10.251.1.2
and
ip nhrp nhs 10.251.20.1
You should have:
ip nhrp map 10.251.10.2 10.251.1.2
and
ip nhrp nhs 10.251.10.2
Try to see if this helps resolve your issue, it makes sense that it would considering it points to hub2 which is where you are having problems.
Please post back your results and if need be I will gladly continue troubleshooting.
Kind Regards,
Kevin
05-27-2012 09:33 PM
Hi Guys,
I am almost there. I have gone back to a dual hub, dual cloud hub-and-spoke topology because it best suits our business needs. I am using EIGRP in the cloud and redistributing into OSPF (head office protocol) because all our switches are HP and using OSPF; OSPF was far too painful to work with in the DMVPN scenario, and as long as I'm careful, which I have been, lol (tagging redistributed routes and preventing them from coming back in through the other core router), all should be fine.
Now it's all running great, but with one problem: if I shut down our primary core router (hub 1), all remote sites point to the secondary core router (hub 2) on their second tunnel interface.....which is great! Everything is pingable, network is stable as expected.......but when I bring hub 1 back up, the spokes do not reconverge on hub 1; an ISAKMP SA isn't even formed! Not until I reboot a spoke, then it will point to hub 1.....obviously not a desirable scenario...
So my question: what can I do to make the hub initiate the SA back to the spokes if it dies and comes back up?
Below are cut-down configs of hub 1, hub 2 and a spoke for your perusal...
Thanks heaps in advance!
Warren
Hub 1
********************************************************
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set setA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set setA
!
!
!
interface Tunnel1
bandwidth 10000
ip address 10.0.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
no ip split-horizon eigrp 100
delay 1000
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile vpnprof
!
!
interface FastEthernet0/1
ip address 10.251.1.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
redistribute ospf 100 metric 50 1500 255 1 1500 route-map ospf-to-eigrp
network 10.0.1.1 0.0.0.0
no auto-summary
!
router ospf 100
router-id 1.1.1.1
log-adjacency-changes
redistribute eigrp 100 metric 50 subnets route-map eigrp-to-ospf
network 10.250.1.1 0.0.0.0 area 0
!
!
route-map eigrp-to-ospf deny 10
match tag 20
!
route-map eigrp-to-ospf permit 20
set tag 10
!
route-map ospf-to-eigrp deny 10
match tag 10
!
route-map ospf-to-eigrp permit 20
set tag 20
!
!
Hub 2
********************************************************************************
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set setA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set setA
!
!
!
interface Tunnel2
bandwidth 10000
ip address 10.0.2.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco2
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 600
no ip split-horizon eigrp 100
delay 1050
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile vpnprof
!
!
interface FastEthernet0/1
ip address 10.251.1.2 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
redistribute ospf 100 metric 1000 1500 255 1 1500 route-map ospf-to-eigrp
network 10.0.2.1 0.0.0.0
no auto-summary
!
router ospf 100
router-id 2.2.2.2
log-adjacency-changes
redistribute eigrp 100 metric 100 subnets route-map eigrp-to-ospf
network 10.253.1.1 0.0.0.0 area 0
!
!
route-map eigrp-to-ospf deny 10
match tag 20
!
route-map eigrp-to-ospf permit 20
set tag 10
!
route-map ospf-to-eigrp deny 10
match tag 10
!
route-map ospf-to-eigrp permit 20
set tag 20
!
Spoke
**************************************************************************
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set setA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set setA
!
!
!
interface Tunnel1
bandwidth 1000
ip address 10.0.1.90 255.255.255.0
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 10.0.1.1 10.251.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.0.1.1
delay 1000
tunnel source FastEthernet0/1
tunnel destination 10.251.1.1
tunnel key 1
tunnel protection ipsec profile vpnprof
!
interface Tunnel2
bandwidth 1000
ip address 10.0.2.90 255.255.255.0
ip mtu 1400
ip nhrp authentication cisco2
ip nhrp map 10.0.2.1 10.251.1.2
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 10.0.2.1
delay 5000000
tunnel source FastEthernet0/1
tunnel destination 10.251.1.2
tunnel key 2
tunnel protection ipsec profile vpnprof
!
!
interface FastEthernet0/1
ip address 10.251.1.90 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 10.0.1.90 0.0.0.0
network 10.0.2.90 0.0.0.0
network 10.0.90.1 0.0.0.0
no auto-summary
!
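The NHS/map mismatch Kevin flagged in his earlier reply is easy to miss by eye across 36 spoke routers, so here is an added consistency check (my own example, not code from the thread or from Cisco): it parses IOS-style config text and confirms that every `ip nhrp nhs` on a spoke is a real hub tunnel address whose static `ip nhrp map` entry carries that hub's NBMA address, i.e. the IP of the hub's `tunnel source` interface. The sample configs embedded below are constructed from the hub 2 and spoke snippets posted above, trimmed to the NHRP lines; `SPOKE_BAD` reproduces the mistake pattern from the earlier post.

```python
import re
# Sample input constructed from the hub 2 and spoke snippets posted above (NHRP lines only).
HUB2 = """interface Tunnel2
 ip address 10.0.2.1 255.255.255.0
 tunnel source FastEthernet0/1
interface FastEthernet0/1
 ip address 10.251.1.2 255.255.255.0"""
SPOKE_OK = """interface Tunnel2
 ip address 10.0.2.90 255.255.255.0
 ip nhrp map 10.0.2.1 10.251.1.2
 ip nhrp nhs 10.0.2.1
 tunnel source FastEthernet0/1"""
# Constructed: the earlier post's mistake pattern, NHS/map pointing at an address no hub owns.
SPOKE_BAD = SPOKE_OK.replace("10.0.2.1", "10.251.20.1")

def parse_interfaces(cfg):
    """Return {interface: {'ip', 'source', 'nhs', 'map': {tunnel_ip: nbma_ip}}}."""
    ifaces, cur = {}, {"map": {}}  # cur starts as a throwaway block for pre-interface lines
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], {"map": {}})
        elif m := re.match(r"ip address (\S+)", line):
            cur["ip"] = m.group(1)
        elif m := re.match(r"tunnel source (\S+)", line):
            cur["source"] = m.group(1)
        elif m := re.match(r"ip nhrp map (\S+) (\S+)", line):
            cur["map"][m.group(1)] = m.group(2)
        elif m := re.match(r"ip nhrp nhs (\S+)", line):
            cur["nhs"] = m.group(1)
    return ifaces

def hub_nbma_table(hub_cfgs):
    """Map each hub tunnel IP to its NBMA address (IP of the 'tunnel source' interface)."""
    table = {}
    for ifaces in map(parse_interfaces, hub_cfgs):
        for name, i in ifaces.items():
            if name.startswith("Tunnel") and "source" in i:
                table[i["ip"]] = ifaces.get(i["source"], {}).get("ip")
    return table

def check_spoke(spoke_cfg, hub_cfgs):
    """Return findings; empty means each NHS is a hub tunnel IP mapped to that hub's NBMA."""
    hubs, findings = hub_nbma_table(hub_cfgs), []
    for name, i in parse_interfaces(spoke_cfg).items():
        nhs = i.get("nhs")
        if nhs and nhs not in hubs:
            findings.append(f"{name}: NHS {nhs} is not any hub's tunnel address")
        elif nhs and i["map"].get(nhs) != hubs[nhs]:
            findings.append(f"{name}: map for {nhs} should carry NBMA {hubs[nhs]}")
    return findings
```

Run `check_spoke(spoke_text, [hub1_text, hub2_text])` over each spoke's running config; a non-empty list is a spoke that will never register with the hub it is supposed to use.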
08-12-2012 06:21 AM