Simplified Networking
  • Home
  • Technology VoD!
    • Cisco >
      • Route & Switch / Enterprise Infrastructure
  • Technology Breakdowns!
    • Route&Switch/Ent. Infra. >
      • L2 Technologies
      • L3 Technologies
      • VPN Technologies
      • Services >
        • IOS - Dynamic NAT
        • HSRP - IPv4 Setup
        • HSRP - Priority and Preemption
    • Service Provider >
      • IGPs (Interior Gateway Protocols)
      • First Hop Redundancy >
        • HSRP (Hot Standby Router Protocol) >
          • HSRP - IOS/IOS XE Setup
          • HSRP - IOS XR Setup
      • BGP (Border Gateway Protocol)
      • Inter AS Multicast (MSDP)
      • Intra-AS MPLS
      • Inter-AS MPLS
    • Security >
      • IOS Firewall
      • ASA Firewall
      • FirePOWER Threat Defense >
        • FTD - FTD NGFW Device Setup and FMC Integration
      • VPNs >
        • PKI
        • Site to Site VPNs
        • Remote Access VPNs >
          • IOS Remote Access
          • ASA Remote Access
    • Data Center >
      • Nexus 9000v >
        • Nexus 9000v - Enabling Features
        • Nexus 9000v - VLANs and Trunks
        • Nexus 9000v - LACP Port Channels
        • Nexus 9000v - vPC (Virtual Port Channel)
        • Nexus 9000v - OSPFv2
        • Nexus 9000v - VXLAN - Ingress Replication Flood and Learn
        • Nexus 9000v - IP Multicast
        • Nexus 9000v - VxLAN - Multicast Flood and Learn
        • Nexus 9000v - VxLAN - BGP EVPN with Multicast
        • Nexus 9000v - VxLAN - BGP EVPN w/Ingress Replication
        • Nexus 9000v - VxLAN - Inter-VxLAN Routing with BGP EVPN
        • Nexus 9000v - VXLAN - External Routing
      • Nexus 7000v
    • Palo Alto

​DMVPN - Dual Hub Single Cloud Phase 3 with IPsec Profile

Picture
This example is DMVPN Phase 3 with Dual Hubs with a single cloud or subnet. CSR1 and R3 are the hubs and CSR8, CSR9 and CSR10 are the spokes.

What is basically done is CSR1 is added as a hub router and then each spoke is configured to point to CSR1 as another hub, so 2 hubs are defined and peered with. 

CSR1
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco address 0.0.0.0        
crypto ipsec transform-set IKEV2_TSET esp-3des 
 mode tunnel
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
crypto ipsec profile DMVPN
 set transform-set DMVPN 
!
interface Tunnel1
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 10
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip summary-address eigrp 10 10.1.0.0 255.255.0.0
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
router eigrp 10
 network 10.1.0.0 0.0.255.255



CSR8
interface Tunnel1
 ip address 10.1.1.8 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.3 nbma 103.0.0.3 multicast
 ip nhrp nhs 10.1.1.1 nbma 101.0.0.10 multicast
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN



CSR9
interface Tunnel1
 ip address 10.1.1.9 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.3 nbma 103.0.0.3 multicast
 ip nhrp nhs 10.1.1.1 nbma 101.0.0.10 multicast
 tunnel source GigabitEthernet3
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN



CSR10
interface Tunnel1
 ip address 10.1.1.10 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.3 nbma 103.0.0.3 multicast
 ip nhrp nhs 10.1.1.1 nbma 101.0.0.10 multicast
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN



CSR1#show dmvpn detail 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel1 is up/up, Addr. is 10.1.1.1, VRF "" 
   Tunnel Src./Dest. addr: 101.0.0.10/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "DMVPN" 
   Interface State Control: Disabled
   nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 3

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 108.0.0.8              10.1.1.8    UP 00:44:37     D        10.1.1.8/32
    1 109.0.0.9              10.1.1.9    UP 00:03:16     D        10.1.1.9/32
    1 110.0.0.10            10.1.1.10    UP 00:03:09     D       10.1.1.10/32



​CSR1#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1011  101.0.0.10      109.0.0.9              ACTIVE 3des md5    psk  5  23:54:54     
       Engine-id:Conn-id =  SW:11

1010  101.0.0.10      108.0.0.8              ACTIVE 3des md5    psk  5  23:13:33     
       Engine-id:Conn-id =  SW:10

1012  101.0.0.10      110.0.0.10             ACTIVE 3des md5    psk  5  23:55:01     
       Engine-id:Conn-id =  SW:12
Powered by Create your own unique website with customizable templates.
  • Home
  • Technology VoD!
    • Cisco >
      • Route & Switch / Enterprise Infrastructure
  • Technology Breakdowns!
    • Route&Switch/Ent. Infra. >
      • L2 Technologies
      • L3 Technologies
      • VPN Technologies
      • Services >
        • IOS - Dynamic NAT
        • HSRP - IPv4 Setup
        • HSRP - Priority and Preemption
    • Service Provider >
      • IGPs (Interior Gateway Protocols)
      • First Hop Redundancy >
        • HSRP (Hot Standby Router Protocol) >
          • HSRP - IOS/IOS XE Setup
          • HSRP - IOS XR Setup
      • BGP (Border Gateway Protocol)
      • Inter AS Multicast (MSDP)
      • Intra-AS MPLS
      • Inter-AS MPLS
    • Security >
      • IOS Firewall
      • ASA Firewall
      • FirePOWER Threat Defense >
        • FTD - FTD NGFW Device Setup and FMC Integration
      • VPNs >
        • PKI
        • Site to Site VPNs
        • Remote Access VPNs >
          • IOS Remote Access
          • ASA Remote Access
    • Data Center >
      • Nexus 9000v >
        • Nexus 9000v - Enabling Features
        • Nexus 9000v - VLANs and Trunks
        • Nexus 9000v - LACP Port Channels
        • Nexus 9000v - vPC (Virtual Port Channel)
        • Nexus 9000v - OSPFv2
        • Nexus 9000v - VXLAN - Ingress Replication Flood and Learn
        • Nexus 9000v - IP Multicast
        • Nexus 9000v - VxLAN - Multicast Flood and Learn
        • Nexus 9000v - VxLAN - BGP EVPN with Multicast
        • Nexus 9000v - VxLAN - BGP EVPN w/Ingress Replication
        • Nexus 9000v - VxLAN - Inter-VxLAN Routing with BGP EVPN
        • Nexus 9000v - VXLAN - External Routing
      • Nexus 7000v
    • Palo Alto