Simplified Networking

DMVPN - Dual Hub Single Cloud VRF Aware Phase 3 IPsec with Crypto Profile w/ Spoke behind NAT

As we add scale to our DMVPN deployment, the first way to do that is to configure a new hub and then add the additional hub's NHRP configuration to the spoke tunnel interface. The spokes then form IPsec VPN connections and IGP peerings to both hubs. Since this is a single cloud with dual hubs, each spoke learns dual routes, one via each hub, for the networks reachable through the cloud.

CSR9
interface Tunnel1
 ip address 10.1.1.9 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 1
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet3
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0        
!
crypto ipsec transform-set ESP_AES esp-aes esp-sha256-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP_AES 


IOS33
interface Tunnel1
 ip address 10.1.1.33 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 10.1.1.22 122.0.0.22
 ip nhrp map multicast 122.0.0.22
 ip nhrp map 10.1.1.9 29.0.0.9
 ip nhrp map multicast 29.0.0.9
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.22
 ip nhrp nhs 10.1.1.9
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE

CSR11
interface Tunnel1
 ip address 10.1.1.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.22 nbma 122.0.0.22 multicast
 ip nhrp nhs 10.1.1.9 nbma 29.0.0.9 multicast
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE

IOS25
interface Tunnel1
 ip address 10.1.1.25 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.22 nbma 122.0.0.22 multicast
 ip nhrp nhs 10.1.1.9 nbma 29.0.0.9 multicast
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE


IOS25#show ip eigrp 1 neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.1.1.9                Tu1                      11 00:20:20  134  1362  0  144
0   10.1.1.22               Tu1                      12 13:01:15 1067  5000  0  216


IOS25#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
122.0.0.22      25.0.0.25       QM_IDLE           1001 ACTIVE
29.0.0.9        25.0.0.25       QM_IDLE           1003 ACTIVE



IOS25#show crypto session 
Crypto session current status

Interface: Tunnel1
Session status: UP-ACTIVE     
Peer: 29.0.0.9 port 500 
  Session ID: 0  
  IKEv1 SA: local 25.0.0.25/500 remote 29.0.0.9/500 Active 
  IPSEC FLOW: permit 47 host 25.0.0.25 host 29.0.0.9 
        Active SAs: 2, origin: crypto map

Interface: Tunnel1
Session status: UP-ACTIVE     
Peer: 122.0.0.22 port 500 
  Session ID: 0  
  IKEv1 SA: local 25.0.0.25/500 remote 122.0.0.22/500 Active 
  IPSEC FLOW: permit 47 host 25.0.0.25 host 122.0.0.22 
        Active SAs: 2, origin: crypto map

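As an added check that is not part of the original page, the Python below parses the IOS25 `show ip eigrp 1 neighbors` and `show crypto session` output above (copied inline as constructed sample input) and confirms that each NHS hub configured on the spoke has an UP-ACTIVE IPsec session to its NBMA address and an EIGRP adjacency over Tunnel1. The hub table, regexes and function names are assumptions of this example, not Cisco tooling.

```python
import re

# Hubs as configured on spoke IOS25 above: tunnel address -> NBMA address
# (taken from the page's config; assumption: this is the expected hub set).
HUBS = {"10.1.1.22": "122.0.0.22", "10.1.1.9": "29.0.0.9"}

# Constructed inline copies of the IOS25 show output shown above.
EIGRP_NEIGHBORS = """\
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
1   10.1.1.9                Tu1                      11 00:20:20  134  1362  0  144
0   10.1.1.22               Tu1                      12 13:01:15 1067  5000  0  216
"""
CRYPTO_SESSION = """\
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 29.0.0.9 port 500
  IKEv1 SA: local 25.0.0.25/500 remote 29.0.0.9/500 Active
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 122.0.0.22 port 500
  IKEv1 SA: local 25.0.0.25/500 remote 122.0.0.22/500 Active
"""

NEIGHBOR_RE = re.compile(r"^\d+\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", re.M)
SESSION_RE = re.compile(r"Session status: (\S+)\s*\nPeer: (\d+\.\d+\.\d+\.\d+) port (\d+)")

def parse_eigrp_neighbors(text):
    """Map neighbor tunnel IP -> interface from 'show ip eigrp neighbors'."""
    return dict(NEIGHBOR_RE.findall(text))

def parse_crypto_sessions(text):
    """Map peer NBMA IP -> (status, port); port 4500 means NAT-T encapsulation."""
    return {peer: (status, int(port)) for status, peer, port in SESSION_RE.findall(text)}

def check_dual_hub(hubs, eigrp_text, crypto_text):
    """Return {hub_tunnel_ip: [problems]}; an empty list means that hub is healthy."""
    neighbors = parse_eigrp_neighbors(eigrp_text)
    sessions = parse_crypto_sessions(crypto_text)
    report = {}
    for tunnel_ip, nbma_ip in hubs.items():
        problems = []
        # IPsec session to the hub's NBMA (outside) address must be UP-ACTIVE
        status = sessions.get(nbma_ip, ("MISSING", 0))[0]
        if status != "UP-ACTIVE":
            problems.append(f"crypto session to {nbma_ip} is {status}")
        # EIGRP adjacency to the hub's tunnel address must exist on Tu1
        if neighbors.get(tunnel_ip) != "Tu1":
            problems.append(f"no EIGRP neighbor {tunnel_ip} on Tu1")
        report[tunnel_ip] = problems
    return report
```

Running `check_dual_hub(HUBS, EIGRP_NEIGHBORS, CRYPTO_SESSION)` against the IOS25 output yields an empty problem list for both hubs; feeding it the IOS33 output instead would show port 4500 on every peer, which is the NAT-T signature of the spoke behind NAT.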

IOS33#sh ip route eigrp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.16.103.24 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/3072] via 172.16.103.24, 1d12h, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
D        10.3.9.0/24 [90/26880256] via 10.1.1.9, 1d00h, Tunnel1
D        10.3.22.0/24 [90/26880256] via 10.1.1.22, 1d00h, Tunnel1
D        10.4.9.0/24 [90/26880256] via 10.1.1.9, 1d00h, Tunnel1
D        10.4.22.0/24 [90/26880256] via 10.1.1.22, 1d00h, Tunnel1
D        10.11.19.0/24 [90/28160256] via 10.1.1.22, 1d00h, Tunnel1
                       [90/28160256] via 10.1.1.9, 1d00h, Tunnel1
D EX     10.102.12.0/24 [170/28160512] via 10.1.1.22, 1d00h, Tunnel1
                        [170/28160512] via 10.1.1.9, 1d00h, Tunnel1
D EX     10.102.15.0/24 [170/28160512] via 10.1.1.22, 1d00h, Tunnel1
                        [170/28160512] via 10.1.1.9, 1d00h, Tunnel1
D EX     10.102.25.0/24 [170/28160256] via 10.1.1.22, 1d00h, Tunnel1
                        [170/28160256] via 10.1.1.9, 1d00h, Tunnel1
D EX     10.255.10.0/24 
           [170/3072] via 172.16.103.24, 1d00h, GigabitEthernet0/0
      19.0.0.0/32 is subnetted, 1 subnets
D        19.19.19.19 [90/28288256] via 10.1.1.22, 1d00h, Tunnel1
                     [90/28288256] via 10.1.1.9, 1d00h, Tunnel1
      20.0.0.0/32 is subnetted, 1 subnets
D EX     20.20.20.20 [170/28288256] via 10.1.1.22, 1d00h, Tunnel1
                     [170/28288256] via 10.1.1.9, 1d00h, Tunnel1
      22.0.0.0/32 is subnetted, 1 subnets
D        22.22.22.22 [90/27008000] via 10.1.1.22, 1d00h, Tunnel1
      24.0.0.0/32 is subnetted, 1 subnets
D        24.24.24.24 [90/130816] via 172.16.103.24, 1d00h, GigabitEthernet0/0
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.101.0/24 [90/26880512] via 10.1.1.22, 1d00h, Tunnel1
                         [90/26880512] via 10.1.1.9, 1d00h, Tunnel1



IOS33#traceroute 19.19.19.19 source loopback 0 numeric 
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.9 57 msec
    10.1.1.22 71 msec
    10.1.1.9 26 msec
  2 10.1.1.11 62 msec 50 msec 106 msec
  3 10.11.19.19 46 msec *  59 msec



IOS33#traceroute 19.19.19.19 source loopback 0 numeric 
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.11 37 msec 25 msec 28 msec
  2 10.11.19.19 23 msec *  42 msec


IOS33#show crypto isa sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
122.0.0.22      172.16.103.33   QM_IDLE           1002 ACTIVE
29.0.0.9        172.16.103.33   QM_IDLE           1004 ACTIVE
211.0.0.11      172.16.103.33   QM_IDLE           1005 ACTIVE


IOS33#show crypto session 
Crypto session current status

Interface: Tunnel1
Session status: UP-ACTIVE     
Peer: 211.0.0.11 port 4500 
  Session ID: 0  
  IKEv1 SA: local 172.16.103.33/4500 remote 211.0.0.11/4500 Active 
  IPSEC FLOW: permit 47 host 172.16.103.33 host 211.0.0.11 
        Active SAs: 4, origin: crypto map

Interface: Tunnel1
Session status: UP-ACTIVE     
Peer: 29.0.0.9 port 4500 
  Session ID: 0  
  IKEv1 SA: local 172.16.103.33/4500 remote 29.0.0.9/4500 Active 
  IPSEC FLOW: permit 47 host 172.16.103.33 host 29.0.0.9 
        Active SAs: 2, origin: crypto map

Interface: Tunnel1
Session status: UP-ACTIVE     
Peer: 122.0.0.22 port 4500 
  Session ID: 0  
  IKEv1 SA: local 172.16.103.33/4500 remote 122.0.0.22/4500 Active 
  IPSEC FLOW: permit 47 host 172.16.103.33 host 122.0.0.22 
        Active SAs: 2, origin: crypto map
