As we add scale to our DMVPN deployment, the first way to do that is to configure a new hub and then add the additional hub config to the spoke tunnel. The spokes then form IPsec VPN connections and IGP peerings to the hubs. Since this is a single cloud with dual hubs, that means that will be dual routes learned on the spoke side.
CSR9
interface Tunnel1
ip address 10.1.1.9 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 1
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet3
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN_PROFILE
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set ESP_AES esp-aes esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN_PROFILE
set transform-set ESP_AES
IOS33
interface Tunnel1
ip address 10.1.1.33 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 10.1.1.22 122.0.0.22
ip nhrp map multicast 122.0.0.22
ip nhrp map 10.1.1.9 29.0.0.9
ip nhrp map multicast 29.0.0.9
ip nhrp network-id 1
ip nhrp nhs 10.1.1.22
ip nhrp nhs 10.1.1.9
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN_PROFILE
CSR11
interface Tunnel1
ip address 10.1.1.11 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp network-id 1
ip nhrp nhs 10.1.1.22 nbma 122.0.0.22 multicast
ip nhrp nhs 10.1.1.9 nbma 29.0.0.9 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN_PROFILE
IOS25
interface Tunnel1
ip address 10.1.1.25 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp network-id 1
ip nhrp nhs 10.1.1.22 nbma 122.0.0.22 multicast
ip nhrp nhs 10.1.1.9 nbma 29.0.0.9 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN_PROFILE
IOS25#show ip eigrp 1 neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.1.9 Tu1 11 00:20:20 134 1362 0 144
0 10.1.1.22 Tu1 12 13:01:15 1067 5000 0 216
IOS25#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
122.0.0.22 25.0.0.25 QM_IDLE 1001 ACTIVE
29.0.0.9 25.0.0.25 QM_IDLE 1003 ACTIVE
IOS25#show crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 29.0.0.9 port 500
Session ID: 0
IKEv1 SA: local 25.0.0.25/500 remote 29.0.0.9/500 Active
IPSEC FLOW: permit 47 host 25.0.0.25 host 29.0.0.9
Active SAs: 2, origin: crypto map
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 122.0.0.22 port 500
Session ID: 0
IKEv1 SA: local 25.0.0.25/500 remote 122.0.0.22/500 Active
IPSEC FLOW: permit 47 host 25.0.0.25 host 122.0.0.22
Active SAs: 2, origin: crypto map
IOS33#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 172.16.103.24 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3072] via 172.16.103.24, 1d12h, GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
D 10.3.9.0/24 [90/26880256] via 10.1.1.9, 1d00h, Tunnel1
D 10.3.22.0/24 [90/26880256] via 10.1.1.22, 1d00h, Tunnel1
D 10.4.9.0/24 [90/26880256] via 10.1.1.9, 1d00h, Tunnel1
D 10.4.22.0/24 [90/26880256] via 10.1.1.22, 1d00h, Tunnel1
D 10.11.19.0/24 [90/28160256] via 10.1.1.22, 1d00h, Tunnel1
[90/28160256] via 10.1.1.9, 1d00h, Tunnel1
D EX 10.102.12.0/24 [170/28160512] via 10.1.1.22, 1d00h, Tunnel1
[170/28160512] via 10.1.1.9, 1d00h, Tunnel1
D EX 10.102.15.0/24 [170/28160512] via 10.1.1.22, 1d00h, Tunnel1
[170/28160512] via 10.1.1.9, 1d00h, Tunnel1
D EX 10.102.25.0/24 [170/28160256] via 10.1.1.22, 1d00h, Tunnel1
[170/28160256] via 10.1.1.9, 1d00h, Tunnel1
D EX 10.255.10.0/24
[170/3072] via 172.16.103.24, 1d00h, GigabitEthernet0/0
19.0.0.0/32 is subnetted, 1 subnets
D 19.19.19.19 [90/28288256] via 10.1.1.22, 1d00h, Tunnel1
[90/28288256] via 10.1.1.9, 1d00h, Tunnel1
20.0.0.0/32 is subnetted, 1 subnets
D EX 20.20.20.20 [170/28288256] via 10.1.1.22, 1d00h, Tunnel1
[170/28288256] via 10.1.1.9, 1d00h, Tunnel1
22.0.0.0/32 is subnetted, 1 subnets
D 22.22.22.22 [90/27008000] via 10.1.1.22, 1d00h, Tunnel1
24.0.0.0/32 is subnetted, 1 subnets
D 24.24.24.24 [90/130816] via 172.16.103.24, 1d00h, GigabitEthernet0/0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.101.0/24 [90/26880512] via 10.1.1.22, 1d00h, Tunnel1
[90/26880512] via 10.1.1.9, 1d00h, Tunnel1
IOS33#traceroute 19.19.19.19 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.9 57 msec
10.1.1.22 71 msec
10.1.1.9 26 msec
2 10.1.1.11 62 msec 50 msec 106 msec
3 10.11.19.19 46 msec * 59 msec
IOS33#traceroute 19.19.19.19 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.11 37 msec 25 msec 28 msec
2 10.11.19.19 23 msec * 42 msec
IOS33#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
122.0.0.22 172.16.103.33 QM_IDLE 1002 ACTIVE
29.0.0.9 172.16.103.33 QM_IDLE 1004 ACTIVE
211.0.0.11 172.16.103.33 QM_IDLE 1005 ACTIVE
IOS33#show crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 211.0.0.11 port 4500
Session ID: 0
IKEv1 SA: local 172.16.103.33/4500 remote 211.0.0.11/4500 Active
IPSEC FLOW: permit 47 host 172.16.103.33 host 211.0.0.11
Active SAs: 4, origin: crypto map
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 29.0.0.9 port 4500
Session ID: 0
IKEv1 SA: local 172.16.103.33/4500 remote 29.0.0.9/4500 Active
IPSEC FLOW: permit 47 host 172.16.103.33 host 29.0.0.9
Active SAs: 2, origin: crypto map
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 122.0.0.22 port 4500
Session ID: 0
IKEv1 SA: local 172.16.103.33/4500 remote 122.0.0.22/4500 Active
IPSEC FLOW: permit 47 host 172.16.103.33 host 122.0.0.22
Active SAs: 2, origin: crypto map
CSR9
interface Tunnel1
ip address 10.1.1.9 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 1
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet3
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN_PROFILE
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set ESP_AES esp-aes esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN_PROFILE
set transform-set ESP_AES
IOS33
interface Tunnel1
ip address 10.1.1.33 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 10.1.1.22 122.0.0.22
ip nhrp map multicast 122.0.0.22
ip nhrp map 10.1.1.9 29.0.0.9
ip nhrp map multicast 29.0.0.9
ip nhrp network-id 1
ip nhrp nhs 10.1.1.22
ip nhrp nhs 10.1.1.9
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN_PROFILE
CSR11
interface Tunnel1
ip address 10.1.1.11 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp network-id 1
ip nhrp nhs 10.1.1.22 nbma 122.0.0.22 multicast
ip nhrp nhs 10.1.1.9 nbma 29.0.0.9 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN_PROFILE
IOS25
interface Tunnel1
ip address 10.1.1.25 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp network-id 1
ip nhrp nhs 10.1.1.22 nbma 122.0.0.22 multicast
ip nhrp nhs 10.1.1.9 nbma 29.0.0.9 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN_PROFILE
IOS25#show ip eigrp 1 neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.1.9 Tu1 11 00:20:20 134 1362 0 144
0 10.1.1.22 Tu1 12 13:01:15 1067 5000 0 216
IOS25#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
122.0.0.22 25.0.0.25 QM_IDLE 1001 ACTIVE
29.0.0.9 25.0.0.25 QM_IDLE 1003 ACTIVE
IOS25#show crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 29.0.0.9 port 500
Session ID: 0
IKEv1 SA: local 25.0.0.25/500 remote 29.0.0.9/500 Active
IPSEC FLOW: permit 47 host 25.0.0.25 host 29.0.0.9
Active SAs: 2, origin: crypto map
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 122.0.0.22 port 500
Session ID: 0
IKEv1 SA: local 25.0.0.25/500 remote 122.0.0.22/500 Active
IPSEC FLOW: permit 47 host 25.0.0.25 host 122.0.0.22
Active SAs: 2, origin: crypto map
IOS33#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 172.16.103.24 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3072] via 172.16.103.24, 1d12h, GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
D 10.3.9.0/24 [90/26880256] via 10.1.1.9, 1d00h, Tunnel1
D 10.3.22.0/24 [90/26880256] via 10.1.1.22, 1d00h, Tunnel1
D 10.4.9.0/24 [90/26880256] via 10.1.1.9, 1d00h, Tunnel1
D 10.4.22.0/24 [90/26880256] via 10.1.1.22, 1d00h, Tunnel1
D 10.11.19.0/24 [90/28160256] via 10.1.1.22, 1d00h, Tunnel1
[90/28160256] via 10.1.1.9, 1d00h, Tunnel1
D EX 10.102.12.0/24 [170/28160512] via 10.1.1.22, 1d00h, Tunnel1
[170/28160512] via 10.1.1.9, 1d00h, Tunnel1
D EX 10.102.15.0/24 [170/28160512] via 10.1.1.22, 1d00h, Tunnel1
[170/28160512] via 10.1.1.9, 1d00h, Tunnel1
D EX 10.102.25.0/24 [170/28160256] via 10.1.1.22, 1d00h, Tunnel1
[170/28160256] via 10.1.1.9, 1d00h, Tunnel1
D EX 10.255.10.0/24
[170/3072] via 172.16.103.24, 1d00h, GigabitEthernet0/0
19.0.0.0/32 is subnetted, 1 subnets
D 19.19.19.19 [90/28288256] via 10.1.1.22, 1d00h, Tunnel1
[90/28288256] via 10.1.1.9, 1d00h, Tunnel1
20.0.0.0/32 is subnetted, 1 subnets
D EX 20.20.20.20 [170/28288256] via 10.1.1.22, 1d00h, Tunnel1
[170/28288256] via 10.1.1.9, 1d00h, Tunnel1
22.0.0.0/32 is subnetted, 1 subnets
D 22.22.22.22 [90/27008000] via 10.1.1.22, 1d00h, Tunnel1
24.0.0.0/32 is subnetted, 1 subnets
D 24.24.24.24 [90/130816] via 172.16.103.24, 1d00h, GigabitEthernet0/0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.101.0/24 [90/26880512] via 10.1.1.22, 1d00h, Tunnel1
[90/26880512] via 10.1.1.9, 1d00h, Tunnel1
IOS33#traceroute 19.19.19.19 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.9 57 msec
10.1.1.22 71 msec
10.1.1.9 26 msec
2 10.1.1.11 62 msec 50 msec 106 msec
3 10.11.19.19 46 msec * 59 msec
IOS33#traceroute 19.19.19.19 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.11 37 msec 25 msec 28 msec
2 10.11.19.19 23 msec * 42 msec
IOS33#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
122.0.0.22 172.16.103.33 QM_IDLE 1002 ACTIVE
29.0.0.9 172.16.103.33 QM_IDLE 1004 ACTIVE
211.0.0.11 172.16.103.33 QM_IDLE 1005 ACTIVE
IOS33#show crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 211.0.0.11 port 4500
Session ID: 0
IKEv1 SA: local 172.16.103.33/4500 remote 211.0.0.11/4500 Active
IPSEC FLOW: permit 47 host 172.16.103.33 host 211.0.0.11
Active SAs: 4, origin: crypto map
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 29.0.0.9 port 4500
Session ID: 0
IKEv1 SA: local 172.16.103.33/4500 remote 29.0.0.9/4500 Active
IPSEC FLOW: permit 47 host 172.16.103.33 host 29.0.0.9
Active SAs: 2, origin: crypto map
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 122.0.0.22 port 4500
Session ID: 0
IKEv1 SA: local 172.16.103.33/4500 remote 122.0.0.22/4500 Active
IPSEC FLOW: permit 47 host 172.16.103.33 host 122.0.0.22
Active SAs: 2, origin: crypto map