This example shows DMVPN Phase 3 with dual hubs in a single cloud (one subnet). CSR1 and R3 are the hubs, and CSR8, CSR9 and CSR10 are the spokes.
In short, CSR1 is added as a hub router and each spoke is then configured to point to CSR1 as another hub, so two hubs are defined and peered with.

CSR1

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set IKEV2_TSET esp-3des
 mode tunnel
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set DMVPN
!
interface Tunnel1
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 10
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip summary-address eigrp 10 10.1.0.0 255.255.0.0
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
router eigrp 10
 network 10.1.0.0 0.0.255.255

CSR8

interface Tunnel1
 ip address 10.1.1.8 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.3 nbma 103.0.0.3 multicast
 ip nhrp nhs 10.1.1.1 nbma 101.0.0.10 multicast
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN

CSR9

interface Tunnel1
 ip address 10.1.1.9 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.3 nbma 103.0.0.3 multicast
 ip nhrp nhs 10.1.1.1 nbma 101.0.0.10 multicast
 tunnel source GigabitEthernet3
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN

CSR10

interface Tunnel1
 ip address 10.1.1.10 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.3 nbma 103.0.0.3 multicast
 ip nhrp nhs 10.1.1.1 nbma 101.0.0.10 multicast
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN

CSR1#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel1 is up/up, Addr. is 10.1.1.1, VRF ""
   Tunnel Src./Dest. addr: 101.0.0.10/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "DMVPN"
   Interface State Control: Disabled
   nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 3

# Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm   Attrb  Target Network
-----  --------------- ---------------  -----  --------  -----  -----------------
    1  108.0.0.8       10.1.1.8         UP     00:44:37  D      10.1.1.8/32
    1  109.0.0.9       10.1.1.9         UP     00:03:16  D      10.1.1.9/32
    1  110.0.0.10      10.1.1.10        UP     00:03:09  D      10.1.1.10/32

CSR1#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local        Remote       I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1011  101.0.0.10   109.0.0.9           ACTIVE  3des  md5   psk   5   23:54:54
      Engine-id:Conn-id = SW:11
1010  101.0.0.10   108.0.0.8           ACTIVE  3des  md5   psk   5   23:13:33
      Engine-id:Conn-id = SW:10
1012  101.0.0.10   110.0.0.10          ACTIVE  3des  md5   psk   5   23:55:01
      Engine-id:Conn-id = SW:12
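
An added example, not part of the original configuration: a small Python audit of the CSR1 crypto lines above, which are also what the ISAKMP SA table reports as negotiated (3des, md5, psk, group 5). The `audit` function and its policy of flagging DES/3DES, MD5, DH groups 1, 2 and 5, an `address 0.0.0.0` key and a transform set without an integrity transform are assumptions of this example.

```python
import re

# CSR1 crypto lines as they appear in the configuration on this page.
CSR1_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set IKEV2_TSET esp-3des
 mode tunnel
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
"""

# Audit policy (an assumption of this example): values treated as legacy.
WEAK_IKE = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
PSK_RE = re.compile(r"\s*crypto isakmp key (?:[06] )?\S+ address (\S+)")
TSET_RE = re.compile(r"\s*crypto ipsec transform-set (\S+) (.+)")

def audit(config):
    """Return (line_no, finding) pairs for weak IKE/IPsec settings."""
    findings, in_policy = [], False
    for no, line in enumerate(config.splitlines(), 1):
        words = line.split()
        # A new top-level command ends the ISAKMP policy sub-mode.
        if words and words[0] in ("crypto", "interface", "router", "!"):
            in_policy = words[:3] == ["crypto", "isakmp", "policy"]
        elif in_policy and len(words) > 1:
            for key, weak in WEAK_IKE.items():
                if words[0].startswith(key) and words[1] in weak:
                    findings.append((no, f"IKE {key} {words[1]}"))
        # A key bound to 0.0.0.0 is accepted from any peer address.
        if (m := PSK_RE.match(line)) and m.group(1) == "0.0.0.0":
            findings.append((no, "wildcard pre-shared key"))
        if m := TSET_RE.match(line):
            name, transforms = m.group(1), m.group(2).split()
            for t in transforms:
                if t in WEAK_ESP:
                    findings.append((no, f"transform-set {name}: {t}"))
            # ESP encryption alone carries no integrity check.
            if not any(t.endswith("-hmac") or "gcm" in t for t in transforms):
                findings.append((no, f"transform-set {name}: no integrity"))
    return findings

if __name__ == "__main__":
    print(*audit(CSR1_CONFIG), sep="\n")
```
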