The Journey of a Network Engineer

Sep 10 2013   4:15AM GMT

How to configure Cisco DMVPN? Part-3

Sulaiman Syed

In the first part we saw how DMVPN works, how the dynamic tunnels are built, and how Spokes can peer with each other to allow direct traffic. But all of this fails if our Hub goes down, as the Hub is critical in keeping the DMVPN network up. Dual Hub DMVPN networks were designed for redundancy, and we will look at such a network in this entry. The diagram shows how we will use the CE1 and CE5 routers as Hubs, with the rest of the routers as Spokes. Let’s have a look at the network used for this:

[Diagram: dual Hub DMVPN network, with CE1 and CE5 as Hubs and the remaining routers as Spokes]

We did not protect our traffic in part 1, so in this entry we will protect our tunnels with IPsec. Let’s look at a sample configuration I made for IPsec:

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 0 test123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile ASA
set security-association lifetime seconds 120
set transform-set strong

Here we are using a single key to authenticate everyone. Of course this is a bad design security-wise, and I highly recommend NOT doing it. We created a profile called ASA; this profile will be associated with the tunnel interface to protect the tunnel.

int tu 1
tunnel protection ipsec profile ASA
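An added example, not part of the original post: a small Python audit that flags the wildcard pre-shared key warned about above, together with the MD5 and 3DES choices in the same IPsec block. The function name, the finding texts and the hardened comparison config are assumptions made for illustration.

```python
import re

# The IPsec block from this post, used as audit input.
POST_CONFIG = """\
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 0 test123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile ASA
set security-association lifetime seconds 120
set transform-set strong
"""

# Constructed comparison input (assumption, not from the post); keys are placeholders.
HARDENED_CONFIG = """\
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
crypto isakmp key EXAMPLE-KEY-HUB1 address 10.0.0.14
crypto isakmp key EXAMPLE-KEY-HUB2 address 10.0.0.30
crypto ipsec transform-set strong esp-aes 256 esp-sha256-hmac
"""

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}
KEY_RE = re.compile(r"crypto isakmp key (?:[06] )?\S+ address (\S+)")

def audit_ipsec(config):
    """Return (line_number, finding) tuples for weak IKE/IPsec settings."""
    findings, in_policy = [], False
    for num, raw in enumerate(config.splitlines(), start=1):
        words = raw.split()
        if words[:1] == ["crypto"]:  # a new top-level crypto command ends the policy block
            in_policy = words[1:3] == ["isakmp", "policy"]
        if in_policy and words[:2] == ["hash", "md5"]:
            findings.append((num, "IKE policy uses MD5 hash"))
        if in_policy and words[:2] in (["encryption", "des"], ["encryption", "3des"]):
            findings.append((num, f"IKE policy uses {words[1]} encryption"))
        key = KEY_RE.match(raw.strip())
        if key and key.group(1) == "0.0.0.0":
            findings.append((num, "wildcard pre-shared key is valid for any peer"))
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [(num, f"transform-set {words[3]} uses {t}")
                         for t in words[4:] if t in WEAK_TRANSFORMS]
    return findings

if __name__ == "__main__":
    print(*audit_ipsec(POST_CONFIG), sep="\n")
```

Run against the post's block it reports four findings on lines 2, 4 and 5; the constructed comparison config reports none.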

For the dual Hub configuration, a few lines need to be added to the Hubs. They are highlighted in a different color in the configs below:

CE1#show run int tu 1
Building configuration…

Current configuration : 358 bytes
!
interface Tunnel1
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp map multicast 10.0.0.30
ip nhrp map 192.168.1.5 10.0.0.30
ip nhrp network-id 10
no ip split-horizon eigrp 10
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile ASA
end

Similar configs are required at the other Hub (CE5). Let's see the configs below:

CE5#show run int tu1
Building configuration…

Current configuration : 358 bytes
!
interface Tunnel1
ip address 192.168.1.5 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp map multicast 10.0.0.14
ip nhrp map 192.168.1.1 10.0.0.14
ip nhrp network-id 10
no ip split-horizon eigrp 10
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile ASA
end

The Spokes now need to be configured for both Hubs:

!
interface Tunnel1
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
! Hub one (CE1)
ip nhrp map 192.168.1.1 10.0.0.14
ip nhrp map multicast 10.0.0.14
! Hub two (CE5)
ip nhrp map multicast 10.0.0.30
ip nhrp map 192.168.1.5 10.0.0.30
ip nhrp network-id 10
ip nhrp nhs 192.168.1.1
ip nhrp nhs 192.168.1.5
tunnel source FastEthernet0/0
tunnel mode gre multipoint
! Protect the tunnel with the IPsec profile
tunnel protection ipsec profile ASA
end

I hope this post was informative. If there are any questions, just let me know.
