Wednesday, May 9, 2012

Single DMVPN cloud with 2 hubs (each serving a different IP segment)

Hi All,

Many of you are interested in DMVPN as a backup for MPLS, or even as the primary connection between branches and HQ. Plenty of guides show how to configure DMVPN with dual hubs, or dual DMVPN clouds with dual hubs.

Here I am going to explain DMVPN with dual hubs where each hub serves a different IP segment. Many of us run into the scenario of multiple HQ sites, each serving its own IP segment and its own applications. When the branches need to reach all of the hubs at the same time, the first idea is often dual DMVPN clouds, one per hub. That works, but to keep the spoke configuration simple you can add a few commands and achieve the same thing under a single DMVPN cloud: the spoke gets a second next-hop server (ip nhrp nhs) together with a unicast and a multicast NHRP map for the second hub, and both hubs share the same tunnel subnet, NHRP network-id and tunnel key.
The original configuration is taken from Cisco and modified.


My sample uses OSPF. Note that the crypto settings are inherited from the Cisco lab example: a pre-shared key accepted from any peer address (0.0.0.0) and DES with MD5 in the transform set. They are fine for a lab, but in production use AES, a SHA-based hash, and per-peer keys or certificates.

HUB1 config:

 !
 hostname Hub1
 !
 crypto isakmp policy 1
  authentication pre-share
 crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
 !
 crypto ipsec transform-set trans2 esp-des esp-md5-hmac
  mode transport
 !
 crypto ipsec profile vpnprof
  set transform-set trans2
 !
 interface Tunnel0
  bandwidth 1000
  ip address 10.0.0.1 255.255.255.0
  ip mtu 1400
  ip nhrp authentication test
  ip nhrp map multicast dynamic
  ip nhrp network-id 100000
  ip nhrp holdtime 600
  ip ospf network broadcast
  ip ospf priority 2
  delay 1000
  tunnel source Ethernet0
  tunnel mode gre multipoint
  tunnel key 100000
  tunnel protection ipsec profile vpnprof
 !
 interface Ethernet0
  ip address 172.17.0.1 255.255.255.0
 !
 interface Ethernet1
  ip address 192.168.0.1 255.255.255.0
 !
 router ospf 1
  network 10.0.0.0 0.0.0.255 area 1
  network 192.168.0.0 0.0.0.255 area 0
 !
 
 
 
HUB2 Config:
 
version 12.3
 !
 hostname Hub2
 !
 crypto isakmp policy 1
  authentication pre-share
 crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
 !
 crypto ipsec transform-set trans2 esp-des esp-md5-hmac
  mode transport
 !
 crypto ipsec profile vpnprof
  set transform-set trans2
 !
 interface Tunnel0
  bandwidth 900
  ip address 10.0.0.2 255.255.255.0
  ip mtu 1400
  ip nhrp authentication test
  ip nhrp map 10.0.0.1 172.17.0.1
  ip nhrp map multicast 172.17.0.1
  ip nhrp map multicast dynamic
  ip nhrp network-id 100000
  ip nhrp holdtime 600
  ip nhrp nhs 10.0.0.1
  ip ospf network broadcast
  ip ospf priority 1
  delay 1000
  tunnel source Ethernet0
  tunnel mode gre multipoint
  tunnel key 100000
  tunnel protection ipsec profile vpnprof
 !
 interface Ethernet0
  ip address 172.17.0.5 255.255.255.0
 !
 interface Ethernet1
  ip address 192.168.1.1 255.255.255.0
 !
 router ospf 1
  network 10.0.0.0 0.0.0.255 area 1
  network 192.168.1.0 0.0.0.255 area 0



SPOKE1 config:

version 12.3
 !
 hostname Spoke1
 ! 
 crypto isakmp policy 1
  authentication pre-share 
 crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
 !
 crypto ipsec transform-set trans2 esp-des esp-md5-hmac
  mode transport
 !
 crypto ipsec profile vpnprof
  set transform-set trans2
 !
 interface Tunnel0
  bandwidth 1000
  ip address 10.0.0.11 255.255.255.0
  ip mtu 1400
  ip nhrp authentication test
  ip nhrp map multicast 172.17.0.1
  ip nhrp map 10.0.0.1 172.17.0.1
  ip nhrp map multicast 172.17.0.5
  ip nhrp map 10.0.0.2 172.17.0.5
  ip nhrp network-id 100000
  ip nhrp holdtime 300
  ip nhrp nhs 10.0.0.1
  ip nhrp nhs 10.0.0.2
  ip ospf network broadcast
  ip ospf priority 0
  delay 1000
  tunnel source Ethernet0
  tunnel mode gre multipoint
  tunnel key 100000
  tunnel protection ipsec profile vpnprof
 !
 interface Ethernet0
  ip address dhcp hostname Spoke1
 !
 interface Ethernet1
  ip address 192.168.2.1 255.255.255.0
 !
 router ospf 1
  network 10.0.0.0 0.0.0.255 area 1
  network 192.168.2.0 0.0.0.255 area 1
 !
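The wiring this whole post comes down to is on the spoke: two ip nhrp nhs lines, each backed by a unicast and a multicast ip nhrp map to that hub's public address, while the NHRP network-id, tunnel key and NHRP authentication string stay identical on all three routers. Below is an added example, not part of the original post or of Cisco's sample, that encodes those checks in Python together with the crypto settings a reviewer would flag (a wildcard pre-shared key and DES/MD5). The configs embedded in it are constructed, trimmed copies of the Hub1, Hub2 and Spoke1 excerpts above plus a deliberately broken spoke; the function and finding names are my own.

```python
# Added example (not from the original post or from Cisco): a config checker for
# the single-cloud, dual-hub DMVPN design above. It flags the crypto settings a
# reviewer would reject, verifies that a spoke has the full NHRP wiring for each
# hub it registers with, and cross-checks the values that must match cloud-wide.
import re

# Constructed copies of the page's configs, trimmed to the lines the checks read.
COMMON = """\
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
interface Tunnel0
 ip nhrp authentication test
 ip nhrp network-id 100000
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
"""
HUB1 = "hostname Hub1\n" + COMMON + " ip nhrp map multicast dynamic\n"
HUB2 = ("hostname Hub2\n" + COMMON + " ip nhrp map multicast dynamic\n"
        " ip nhrp map 10.0.0.1 172.17.0.1\n ip nhrp map multicast 172.17.0.1\n"
        " ip nhrp nhs 10.0.0.1\n")
SPOKE1 = ("hostname Spoke1\n" + COMMON +
          " ip nhrp map 10.0.0.1 172.17.0.1\n ip nhrp map multicast 172.17.0.1\n"
          " ip nhrp map 10.0.0.2 172.17.0.5\n ip nhrp map multicast 172.17.0.5\n"
          " ip nhrp nhs 10.0.0.1\n ip nhrp nhs 10.0.0.2\n")
# Constructed failure case: Hub2's multicast map forgotten, so OSPF hellos never reach it.
SPOKE_BROKEN = SPOKE1.replace(" ip nhrp map multicast 172.17.0.5\n", "")
WEAK = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")


def parse_ios(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Return the unindented global lines and {block header: indented children}."""
    globs, blocks, cur = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and raw.strip() and cur is not None:
            blocks[cur].append(raw.strip())
        elif raw.strip() and raw.strip() != "!" and not raw.startswith(" "):
            cur = raw.strip()
            globs.append(cur)
            blocks[cur] = []
    return globs, blocks


def audit_crypto(globs: list[str]) -> list[str]:
    """Flag a wildcard pre-shared key and legacy algorithms in transform sets."""
    out = []
    for line in globs:
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0(?: 0\.0\.0\.0)?$", line):
            out.append("wildcard pre-shared key: any peer that knows it can build a tunnel")
        m = re.match(r"crypto ipsec transform-set \S+ (.+)$", line)
        if m:
            out += [f"weak transform {a}" for a in m.group(1).split() if a in WEAK]
    return out


def audit_tunnel(children: list[str]) -> tuple[dict[str, str], list[str]]:
    """Collect the cloud-wide values of one mGRE tunnel and check its NHRP wiring."""
    cloud, findings, nhs, unicast, mcast = {}, [], [], {}, set()
    for line in children:
        tok = line.split()
        if line.startswith("ip nhrp network-id "):
            cloud["network-id"] = tok[-1]
        elif line.startswith("tunnel key "):
            cloud["tunnel key"] = tok[-1]
        elif line.startswith("ip nhrp authentication "):
            cloud["nhrp auth"] = tok[-1]
        elif line.startswith("ip nhrp nhs "):
            nhs.append(tok[3])
        elif line.startswith("ip nhrp map multicast "):
            mcast.add(tok[4])  # 'dynamic' on a hub, a hub NBMA address on a spoke
        elif line.startswith("ip nhrp map "):
            unicast[tok[3]] = tok[4]  # tunnel address -> NBMA (transport) address
    if "nhrp auth" not in cloud:
        findings.append("no 'ip nhrp authentication': anyone with the tunnel key can register")
    if not any(c.startswith("tunnel protection ipsec profile") for c in children):
        findings.append("mGRE tunnel is not protected by IPsec")
    for hub in nhs:  # a single-cloud dual-hub spoke simply lists two NHS entries
        nbma = unicast.get(hub)
        if nbma is None:
            findings.append(f"nhs {hub} has no 'ip nhrp map {hub} <nbma>'")
        elif nbma not in mcast:
            findings.append(f"nhs {hub} has no 'ip nhrp map multicast {nbma}'")
    return cloud, findings


def audit_cloud(configs: list[str]) -> dict[str, list[str]]:
    """Audit each device, then cross-check the values that must match cloud-wide."""
    report, seen = {}, {}
    for text in configs:
        globs, blocks = parse_ios(text)
        name = next((g.split()[1] for g in globs if g.startswith("hostname ")), "?")
        report[name] = audit_crypto(globs)
        for header, children in blocks.items():
            if header.startswith("interface Tunnel") and "tunnel mode gre multipoint" in children:
                seen[name], extra = audit_tunnel(children)
                report[name] += extra
    for key in ("network-id", "tunnel key", "nhrp auth"):
        values = {dev: c.get(key) for dev, c in seen.items()}
        if len(set(values.values())) > 1:  # members with mismatched values never peer
            for dev in values:
                report[dev].append(f"{key} differs across the cloud: {values}")
    return report


def hub_count(config: str) -> int:
    """Hubs a device registers with: 0 for Hub1, 1 for Hub2, 2 for the page's spoke."""
    _, blocks = parse_ios(config)
    return sum(c.startswith("ip nhrp nhs ") for lines in blocks.values() for c in lines)
```

Run audit_cloud over the three page configs and Spoke1 comes back with only the crypto findings; feed it SPOKE_BROKEN and it reports the missing ip nhrp map multicast 172.17.0.5, which is exactly the mistake that leaves a spoke registered with the second hub but without an OSPF neighbour to it. On the routers the equivalent checks are show ip nhrp on the spoke (both hubs listed) and show ip ospf neighbor (a neighbour over Tunnel0 for each hub).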
 
 
 

5 comments:

  1. I tried your config, but when Hub 1 goes down, so do the remotes connected to Hub 2?

  2. Hi John,

    By right, the spoke is connected to two hubs simultaneously. At any point, if one hub is down, the other will continue to provide the routing. But if you need the 2nd hub to provide the same routing as Hub1, then Hub1 and Hub2 must be connected to the same LAN. In my scenario above, I assume Hub1 is the Primary Data Center and Hub2 is the Secondary Data Center, which serves different servers.

  3. I am having an issue with the IPSec tunnels not terminating when a Hub site goes down. I am seeing both sides of the tunnel stay up even though the connection is failing.

    Have you ever run into this before?

  4. The configuration works, but what if I want Hub 1 to communicate directly with Hub 2 instead of traversing via the spoke? Because right now, when I want Hub 1 to talk to Hub 2, it first goes to Spoke 1 and then to Hub 2.

  5. What do I do if I want to use 1 hub active and 1 hub backup?
