IPsec VPN Configuration On Cisco IOS XE - Part 6 - Route Based VPN With Redundant Routers in DC (HUB)

Santosh Salunke, Network Security Lead
Edited by: Andrew Leniart
This article is about building route-based site-to-site VPN tunnels with redundant routers in the DC (hub) on Cisco CSR1000V routers running IOS XE.
Four route-based IPsec VPN tunnels are configured on two CSR1000V routers acting as a redundant pair.

This is the sixth article in a series about configuring VPN tunnels in IOS XE. [ Link to Part 1 ] [ Link to Part 2 ] [ Link to Part 3 ] [ Link to Part 4 ] [ Link to Part 5 ]


In the previous part, I configured site-to-site VPN tunnels with VRF and dynamic routing. In this article, I will show how to configure route-based VPN tunnels with redundant routers at the hub location.



 

This is an imaginary setup of a company that has a Data Centre (DC) with application and storage servers, and two sites (A and B) that connect to the DC via IPsec VPN tunnels with the Internet as the underlay. IP addresses, device connections and the OSPF area are as shown in the diagram.

Goals of this scenario are -
1) Create two route-based IPsec VPN tunnels from "dc-gw1" and "dc-gw2" in the DC to "site-a-gw1" in site A.
2) Create two route-based IPsec VPN tunnels from "dc-gw1" and "dc-gw2" in the DC to "site-b-gw1" in site B.
3) Configure dynamic routing between the DC and site routers to achieve redundancy of the routers in the DC.



 

Router IOS versions used for this setup are -

dc-gw1 and dc-gw2 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)

site-a-gw1 and site-b-gw1 = Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)




I have configured interface IPs on the DC routers and site routers and a default route towards the Internet router. This simulates the underlay Internet links for the DC and sites.

Interface And Route Configuration On DC Router = "dc-gw1"


track 1 interface GigabitEthernet1 line-protocol

interface GigabitEthernet1
platform ring rx 256
ip address 10.0.0.2 255.255.255.248
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip address 100.0.20.2 255.255.255.0 secondary
ip address 100.0.10.2 255.255.255.0
ip mtu 1400
ip nat inside
standby 10 ip 100.0.10.1
standby 10 priority 110
standby 10 preempt
standby 10 track 1 decrement 20
standby 20 ip 100.0.20.1
standby 20 priority 110
standby 20 preempt
standby 20 track 1 decrement 20
negotiation auto

ip route 0.0.0.0 0.0.0.0 10.0.0.1


Interface And Route Configuration On DC Router = "dc-gw2"


interface GigabitEthernet1
platform ring rx 256
ip address 10.0.0.3 255.255.255.248
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip address 100.0.20.3 255.255.255.0 secondary
ip address 100.0.10.3 255.255.255.0
ip mtu 1400
ip nat inside
standby 10 ip 100.0.10.1
standby 10 preempt
standby 20 ip 100.0.20.1
standby 20 preempt
negotiation auto

ip route 0.0.0.0 0.0.0.0 10.0.0.1


Interface And Route Configuration On Site A Router = "site-a-gw1"


interface GigabitEthernet0/0
ip address 20.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto

interface GigabitEthernet1/0
ip address 192.168.10.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 20.0.0.1


Interface And Route Configuration On Site B Router = "site-b-gw1"


interface GigabitEthernet0/0
ip address 30.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto

interface GigabitEthernet1/0
ip address 192.168.20.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 30.0.0.1


Next is the route-based IPsec VPN configuration for the DC routers and site routers.

IPsec VPN Configuration On DC Router = "dc-gw1"


crypto keyring site-a
pre-shared-key address 20.0.0.2 key acme
crypto keyring site-b
pre-shared-key address 30.0.0.2 key acme

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile tunnel-to-site-a
set transform-set AES-256-SHA

crypto ipsec profile tunnel-to-site-b
set transform-set AES-256-SHA

interface Tunnel1
description Tunnel to Site A
ip address 172.20.10.1 255.255.255.252
ip mtu 1400
ip nat outside
ip ospf network point-to-point
ip ospf cost 10
tunnel source 10.0.0.2
tunnel mode ipsec ipv4
tunnel destination 20.0.0.2
tunnel protection ipsec profile tunnel-to-site-a

interface Tunnel2
description Tunnel to Site B
ip address 172.20.20.1 255.255.255.252
ip mtu 1400
ip ospf network point-to-point
ip ospf cost 10
tunnel source 10.0.0.2
tunnel mode ipsec ipv4
tunnel destination 30.0.0.2
tunnel protection ipsec profile tunnel-to-site-b


IPsec VPN Configuration On DC Router = "dc-gw2"


crypto keyring site-a
pre-shared-key address 20.0.0.2 key acme
crypto keyring site-b
pre-shared-key address 30.0.0.2 key acme

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile tunnel-to-site-a
set transform-set AES-256-SHA

crypto ipsec profile tunnel-to-site-b
set transform-set AES-256-SHA

interface Tunnel3
description Tunnel to Site A
ip address 172.20.30.1 255.255.255.252
ip mtu 1400
ip nat outside
ip ospf network point-to-point
ip ospf cost 100
tunnel source 10.0.0.3
tunnel mode ipsec ipv4
tunnel destination 20.0.0.2
tunnel protection ipsec profile tunnel-to-site-a

interface Tunnel4
description Tunnel to Site B
ip address 172.20.40.1 255.255.255.252
ip mtu 1400
ip ospf network point-to-point
ip ospf cost 100
tunnel source 10.0.0.3
tunnel mode ipsec ipv4
tunnel destination 30.0.0.2
tunnel protection ipsec profile tunnel-to-site-b


IPsec VPN Configuration On Site A Router = "site-a-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key acme address 10.0.0.2
crypto isakmp key acme address 10.0.0.3

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel1
description Tunnel to DC
ip address 172.20.10.2 255.255.255.252
ip mtu 1400
ip ospf network point-to-point
ip ospf cost 10
tunnel source 20.0.0.2
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile tunnel-to-dc

interface Tunnel3
description Tunnel to DC
ip address 172.20.30.2 255.255.255.252
ip mtu 1400
ip ospf network point-to-point
ip ospf cost 100
tunnel source 20.0.0.2
tunnel destination 10.0.0.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile tunnel-to-dc


IPsec VPN Configuration On Site B Router = "site-b-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 10.0.0.2
crypto isakmp key acme address 10.0.0.3

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel2
description Tunnel to DC
ip address 172.20.20.2 255.255.255.252
ip mtu 1400
ip ospf network point-to-point
ip ospf cost 10
tunnel source 30.0.0.2
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile tunnel-to-dc

interface Tunnel4
description Tunnel to DC
ip address 172.20.40.2 255.255.255.252
ip mtu 1400
ip ospf network point-to-point
ip ospf cost 100
tunnel source 30.0.0.2
tunnel destination 10.0.0.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile tunnel-to-dc


This completes goals 1 and 2: we have VPN tunnels between the DC and the sites. The next part is about implementing the dynamic routing protocol, OSPF.


OSPF Configuration On DC Router = "dc-gw1"


router ospf 100
redistribute connected subnets route-map ospf-redistribute
redistribute static subnets route-map static-redistribute
network 172.20.10.0 0.0.0.3 area 0
network 172.20.20.0 0.0.0.3 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet2


OSPF Configuration On DC Router = "dc-gw2"


router ospf 100
redistribute connected subnets route-map ospf-redistribute
redistribute static subnets route-map static-redistribute
network 172.20.30.0 0.0.0.3 area 0
network 172.20.40.0 0.0.0.3 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet2


OSPF Configuration On Site A Router = "site-a-gw1"


router ospf 100
log-adjacency-changes
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.3 area 0
network 172.20.30.0 0.0.0.3 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet1/0


OSPF Configuration On Site B Router = "site-b-gw1"


router ospf 100
log-adjacency-changes
redistribute connected subnets route-map ospf-redistribute
network 172.20.20.0 0.0.0.3 area 0
network 172.20.40.0 0.0.0.3 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet1/0


This OSPF configuration distributes routes between the DC routers and the site routers.


I have configured a route map matching the interfaces that connect to the DC servers and the site LANs, and these route maps are used to redistribute connected subnets into OSPF. This also avoids advertising the subnets configured on the Internet-side interfaces.


There are two paths from the DC servers to each user in the sites, one via "dc-gw1" and the second via "dc-gw2". The routers select the best path based on the cost configured on the tunnel interfaces with the command "ip ospf cost <number>".
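The cost-based path selection just described can be reproduced offline. This is an added example, not code from the article: it models the HSRP election on the two hubs (priorities and the tracker decrement from the configurations above) and runs Dijkstra over the four tunnels with their "ip ospf cost" values, both with all links up and with the Internet interface of "dc-gw1" shut down, which reproduces the [110/110], [110/200] and [110/210] metrics seen in the routing tables.

```python
"""Model of the hub redundancy described above: HSRP active election with the
GigabitEthernet1 tracker, and OSPF path costs across the four IPsec tunnels.
Added example, not part of the original article; router names, tunnel costs,
HSRP priorities and the decrement are taken from the configurations above."""
import heapq

# HSRP: (configured priority, "standby track 1 decrement" applied while the
# tracked GigabitEthernet1 is down). dc-gw2 keeps the default priority 100
# and tracks nothing, as in its configuration.
HSRP = {"dc-gw1": (110, 20), "dc-gw2": (100, 0)}
# GigabitEthernet2 addresses, the HSRP tie-breaker (highest wins).
HSRP_ADDR = {"dc-gw1": "100.0.10.2", "dc-gw2": "100.0.10.3"}

# Point-to-point tunnels: (hub, hub tunnel, site router, /30 subnet,
# "ip ospf cost"). The article uses the same cost on both ends of a tunnel.
TUNNELS = [
    ("dc-gw1", "Tunnel1", "site-a-gw1", "172.20.10.0/30", 10),
    ("dc-gw1", "Tunnel2", "site-b-gw1", "172.20.20.0/30", 10),
    ("dc-gw2", "Tunnel3", "site-a-gw1", "172.20.30.0/30", 100),
    ("dc-gw2", "Tunnel4", "site-b-gw1", "172.20.40.0/30", 100),
]


def hsrp_active(gi1_down=()):
    """Hub that is HSRP active for groups 10 and 20.

    Hubs in gi1_down have their priority reduced by the decrement. Both hubs
    preempt, so the highest effective priority takes over immediately; equal
    priorities fall back to the higher interface address.
    """
    def key(hub):
        prio, dec = HSRP[hub]
        eff = prio - dec if hub in gi1_down else prio
        return (eff, tuple(int(o) for o in HSRP_ADDR[hub].split(".")))
    return max(HSRP, key=key)


def ospf_costs(src, hub_down=()):
    """Dijkstra from router src over the tunnel topology.

    Returns (cost to each router, cost to each tunnel /30; 0 = connected).
    A hub in hub_down has lost its Internet link, so its IPsec tunnels are
    gone and it drops out of the topology; the surviving site end still
    advertises that tunnel's /30 as a connected stub at its own interface
    cost, which is what the site routing tables show after failover.
    """
    links, stubs = {}, []   # router -> [(neighbor, cost)]; (router, subnet, cost)
    for hub, _, site, subnet, cost in TUNNELS:
        if hub not in hub_down:
            links.setdefault(hub, []).append((site, cost))
            links.setdefault(site, []).append((hub, cost))
            stubs.append((hub, subnet, cost))
        stubs.append((site, subnet, cost))
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, r = heapq.heappop(heap)
        if d > dist[r]:
            continue
        for nbr, c in links.get(r, []):
            if d + c < dist.get(nbr, float("inf")):
                dist[nbr] = d + c
                heapq.heappush(heap, (d + c, nbr))
    subnets = {}
    for adv, subnet, cost in stubs:
        if adv in dist:
            total = 0 if adv == src else dist[adv] + cost
            subnets[subnet] = min(total, subnets.get(subnet, float("inf")))
    return dist, subnets


def server_path(site, gi1_down=()):
    """(active hub, tunnel) that an app server's packet takes towards a site
    LAN, or None when the HSRP active hub has no working tunnel to it."""
    hub = hsrp_active(gi1_down)
    for h, tunnel, s, _, _ in TUNNELS:
        if h == hub and s == site and h not in gi1_down:
            return hub, tunnel
    return None
```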


I have configured HSRP between the DC-side interfaces of routers "dc-gw1" and "dc-gw2", with an interface tracker on the Internet interface of "dc-gw1". When the Internet links are up and working on all four routers, the interface on router "dc-gw1" is active in HSRP and the best routes learned by the site routers are from "dc-gw1". Refer to the HSRP status, routing tables and traceroute results given below.


HSRP Status on Router = "dc-gw1"


dc-gw1# sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   110 P Active  local           100.0.10.3      100.0.10.1
Gi2         20   110 P Active  local           100.0.20.3      100.0.20.1
dc-gw1#


HSRP Status on Router = "dc-gw2"


dc-gw2#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   100 P Speak   100.0.10.2      unknown         100.0.10.1
Gi2         20   100 P Speak   100.0.20.2      unknown         100.0.20.1
dc-gw2#


Routes Learned By Router = "dc-gw1"


dc-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:00:08    172.20.20.2     Tunnel2
192.168.10.1      0   FULL/  -        00:00:37    172.20.10.2     Tunnel1
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/29 is directly connected, GigabitEthernet1
L        10.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.2/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.2/32 is directly connected, GigabitEthernet2
172.20.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.20.10.0/30 is directly connected, Tunnel1
L        172.20.10.1/32 is directly connected, Tunnel1
C        172.20.20.0/30 is directly connected, Tunnel2
L        172.20.20.1/32 is directly connected, Tunnel2
O        172.20.30.0/30 [110/110] via 172.20.10.2, 00:09:48, Tunnel1
O        172.20.40.0/30 [110/110] via 172.20.20.2, 00:01:42, Tunnel2
O E2  192.168.10.0/24 [110/20] via 172.20.10.2, 00:09:48, Tunnel1
O E2  192.168.20.0/24 [110/20] via 172.20.20.2, 00:01:42, Tunnel2
dc-gw1#


Routes Learned By Router = "dc-gw2"


dc-gw2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:00:36    172.20.40.2     Tunnel4
192.168.10.1      0   FULL/  -        00:00:37    172.20.30.2     Tunnel3
dc-gw2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/29 is directly connected, GigabitEthernet1
L        10.0.0.3/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.3/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.3/32 is directly connected, GigabitEthernet2
172.20.0.0/16 is variably subnetted, 6 subnets, 2 masks
O        172.20.10.0/30 [110/110] via 172.20.30.2, 00:00:16, Tunnel3
O        172.20.20.0/30 [110/110] via 172.20.40.2, 00:00:16, Tunnel4
C        172.20.30.0/30 is directly connected, Tunnel3
L        172.20.30.1/32 is directly connected, Tunnel3
C        172.20.40.0/30 is directly connected, Tunnel4
L        172.20.40.1/32 is directly connected, Tunnel4
O E2  192.168.10.0/24 [110/20] via 172.20.30.2, 00:00:16, Tunnel3
O E2  192.168.20.0/24 [110/20] via 172.20.40.2, 00:00:16, Tunnel4
dc-gw2#


Routes Learned By Router = "site-a-gw1"


site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.40.1       0   FULL/  -        00:00:36    172.20.30.1     Tunnel3
172.20.20.1       0   FULL/  -        00:00:38    172.20.10.1     Tunnel1
site-a-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:01:40, Tunnel1
O E2    100.0.20.0 [110/20] via 172.20.10.1, 00:01:40, Tunnel1
20.0.0.0/30 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet1/0
172.20.0.0/30 is subnetted, 3 subnets
C       172.20.30.0 is directly connected, Tunnel3
O       172.20.20.0 [110/20] via 172.20.10.1, 00:01:40, Tunnel1
C       172.20.10.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 20.0.0.1
site-a-gw1#


Routes Learned By Router = "site-b-gw1"


site-b-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.40.1       0   FULL/  -        00:00:35    172.20.40.1     Tunnel4
172.20.20.1       0   FULL/  -        00:00:39    172.20.20.1     Tunnel2
site-b-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 30.0.0.1 to network 0.0.0.0

100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.20.1, 00:02:23, Tunnel2
O E2    100.0.20.0 [110/20] via 172.20.20.1, 00:02:23, Tunnel2
O E2 192.168.10.0/24 [110/20] via 172.20.20.1, 00:02:23, Tunnel2
172.20.0.0/30 is subnetted, 4 subnets
C       172.20.40.0 is directly connected, Tunnel4
O       172.20.30.0 [110/120] via 172.20.20.1, 00:02:23, Tunnel2
C       172.20.20.0 is directly connected, Tunnel2
O       172.20.10.0 [110/20] via 172.20.20.1, 00:02:23, Tunnel2
C    192.168.20.0/24 is directly connected, GigabitEthernet1/0
30.0.0.0/30 is subnetted, 1 subnets
C       30.0.0.0 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 30.0.0.1
site-b-gw1#


Traceroute from app server


app1> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.2   57.011 ms  63.012 ms  73.014 ms
2   172.20.10.2   145.529 ms  168.534 ms  162.533 ms
3   *192.168.10.10   212.042 ms (ICMP type:3, code:3, Destination port unreachable)

app1> trace 192.168.20.10
trace to 192.168.20.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.2   61.013 ms  42.509 ms  68.514 ms
2   172.20.20.2   181.536 ms  111.022 ms  154.031 ms
3   *192.168.20.10   209.542 ms (ICMP type:3, code:3, Destination port unreachable)

app1>


When I shut down the Internet interface on router "dc-gw1", the HSRP-enabled interface loses 20 from its priority and becomes the "standby" interface, and all traffic is diverted to router "dc-gw2". In this situation, the VPN tunnels on "dc-gw1" go down and the best routes learned by the site routers are from "dc-gw2". Refer to the HSRP status, routing tables and traceroute results given below.


HSRP Status on Router = "dc-gw1"


dc-gw1# sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   90  P Standby 100.0.10.3      local           100.0.10.1
Gi2         20   90  P Standby 100.0.20.3      local           100.0.20.1
dc-gw1#


HSRP Status on Router = "dc-gw2"


dc-gw2#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   100 P Active  local           100.0.10.2      100.0.10.1
Gi2         20   100 P Active  local           100.0.20.2      100.0.20.1
dc-gw2#


Routes Learned By Router = "dc-gw1"


dc-gw1#sh ip ospf neighbor
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.2/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.2/32 is directly connected, GigabitEthernet2
dc-gw1#


Routes Learned By Router = "dc-gw2"


dc-gw2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:00:35    172.20.40.2     Tunnel4
192.168.10.1      0   FULL/  -        00:00:35    172.20.30.2     Tunnel3
dc-gw2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/29 is directly connected, GigabitEthernet1
L        10.0.0.3/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.3/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.3/32 is directly connected, GigabitEthernet2
172.20.0.0/16 is variably subnetted, 6 subnets, 2 masks
O        172.20.10.0/30 [110/110] via 172.20.30.2, 00:04:03, Tunnel3
O        172.20.20.0/30 [110/110] via 172.20.40.2, 00:04:56, Tunnel4
C        172.20.30.0/30 is directly connected, Tunnel3
L        172.20.30.1/32 is directly connected, Tunnel3
C        172.20.40.0/30 is directly connected, Tunnel4
L        172.20.40.1/32 is directly connected, Tunnel4
O E2  192.168.10.0/24 [110/20] via 172.20.30.2, 00:04:03, Tunnel3
O E2  192.168.20.0/24 [110/20] via 172.20.40.2, 00:04:56, Tunnel4
dc-gw2#


Routes Learned By Router = "site-a-gw1"


site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.40.1       0   FULL/  -        00:00:37    172.20.30.1     Tunnel3
site-a-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.30.1, 00:05:28, Tunnel3
O E2    100.0.20.0 [110/20] via 172.20.30.1, 00:05:28, Tunnel3
20.0.0.0/30 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet1/0
172.20.0.0/30 is subnetted, 4 subnets
O       172.20.40.0 [110/200] via 172.20.30.1, 00:05:28, Tunnel3
C       172.20.30.0 is directly connected, Tunnel3
O       172.20.20.0 [110/210] via 172.20.30.1, 00:05:28, Tunnel3
C       172.20.10.0 is directly connected, Tunnel1
O E2 192.168.20.0/24 [110/20] via 172.20.30.1, 00:05:28, Tunnel3
S*   0.0.0.0/0 [1/0] via 20.0.0.1
site-a-gw1#


Routes Learned By Router = "site-b-gw1"


site-b-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.40.1       0   FULL/  -        00:00:32    172.20.40.1     Tunnel4
site-b-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 30.0.0.1 to network 0.0.0.0

100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.40.1, 00:05:48, Tunnel4
O E2    100.0.20.0 [110/20] via 172.20.40.1, 00:05:48, Tunnel4
O E2 192.168.10.0/24 [110/20] via 172.20.40.1, 00:05:58, Tunnel4
172.20.0.0/30 is subnetted, 4 subnets
C       172.20.40.0 is directly connected, Tunnel4
O       172.20.30.0 [110/200] via 172.20.40.1, 00:05:58, Tunnel4
C       172.20.20.0 is directly connected, Tunnel2
O       172.20.10.0 [110/210] via 172.20.40.1, 00:05:48, Tunnel4
C    192.168.20.0/24 is directly connected, GigabitEthernet1/0
30.0.0.0/30 is subnetted, 1 subnets
C       30.0.0.0 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 30.0.0.1
site-b-gw1#


Traceroute from app server


app1> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.3   43.509 ms  74.015 ms  86.017 ms
2   172.20.30.2   214.043 ms  205.041 ms  154.031 ms
3   *192.168.10.10   222.045 ms (ICMP type:3, code:3, Destination port unreachable)

app1> trace 192.168.20.10
trace to 192.168.20.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.3   46.009 ms  70.014 ms  72.514 ms
2   172.20.40.2   173.535 ms  137.527 ms  142.529 ms
3   *192.168.20.10   173.535 ms (ICMP type:3, code:3, Destination port unreachable)

app1>


This completes goal 3: dynamic routing between the DC and site routers, giving redundancy of the routers in the DC.
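A check worth running against the outputs above: whichever hub owns the HSRP virtual IPs must also have its tunnel adjacencies up, because the tracker watches only the line-protocol of GigabitEthernet1 and the hubs exchange OSPF only over the tunnels, not over GigabitEthernet2. This is an added example, not code from the article: it parses the "show standby brief" and "show ip ospf neighbor" outputs shown above (copied in as samples) and flags an Active hub with no FULL neighbor; the last test case is constructed to show that condition.

```python
"""Check that the HSRP active hub actually has its OSPF neighbors up, using
the 'show standby brief' and 'show ip ospf neighbor' output shown above.
Added example, not part of the original article. The sample outputs are
copied from the article; the mismatch case in the test is constructed."""
import re

STANDBY_RE = re.compile(
    r"^\s*(?P<intf>\S+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?P<preempt>P?)\s*"
    r"(?P<state>\w+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)\s*$")
NEIGHBOR_RE = re.compile(
    r"^\s*(?P<rid>\d+(?:\.\d+){3})\s+(?P<pri>\d+)\s+(?P<state>\w+)/\s*\S+\s+"
    r"\S+\s+(?P<addr>\d+(?:\.\d+){3})\s+(?P<intf>\S+)\s*$")


def parse_standby_brief(text):
    """{group: {'priority': int, 'state': str, 'active': str}} from 'sh standby b'."""
    groups = {}
    for line in text.splitlines():
        m = STANDBY_RE.match(line)
        if m:
            groups[int(m["grp"])] = {"priority": int(m["pri"]),
                                     "state": m["state"], "active": m["active"]}
    return groups


def parse_ospf_neighbors(text):
    """[(router id, state, interface)] from 'sh ip ospf neighbor'; empty when
    the router has no adjacency (the command then prints nothing)."""
    return [(m["rid"], m["state"], m["intf"])
            for m in map(NEIGHBOR_RE.match, text.splitlines()) if m]


def hub_status(standby_text, neighbor_text):
    """'forwarding', 'standby' or 'blackhole' for one hub router.

    'blackhole' means the hub owns the virtual IPs (HSRP Active) but has no
    FULL OSPF neighbor over any tunnel: server traffic reaches it and is
    dropped, because the hubs peer only over the tunnels and the tracker
    only watches GigabitEthernet1 line-protocol.
    """
    groups = parse_standby_brief(standby_text)
    active = any(g["state"] == "Active" for g in groups.values())
    full = [n for n in parse_ospf_neighbors(neighbor_text) if n[1] == "FULL"]
    if not active:
        return "standby"
    return "forwarding" if full else "blackhole"


# Samples copied from the dc-gw1 outputs above: normal state, then after the
# Internet interface on dc-gw1 was shut down.
DC_GW1_STANDBY_NORMAL = """\
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   110 P Active  local           100.0.10.3      100.0.10.1
Gi2         20   110 P Active  local           100.0.20.3      100.0.20.1
"""
DC_GW1_NEIGHBORS_NORMAL = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:00:08    172.20.20.2     Tunnel2
192.168.10.1      0   FULL/  -        00:00:37    172.20.10.2     Tunnel1
"""
DC_GW1_STANDBY_FAILOVER = """\
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   90  P Standby 100.0.10.3      local           100.0.10.1
Gi2         20   90  P Standby 100.0.20.3      local           100.0.20.1
"""
DC_GW1_NEIGHBORS_FAILOVER = ""   # 'sh ip ospf neighbor' printed nothing
```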


This is the end of Part 6 of this series. We have seen a sample configuration of a basic route-based VPN setup with redundant routers in the DC (hub). Anyone working on a VPN setup using Cisco routers with IOS XE may use this configuration.


In the next article, we will be configuring Dynamic Multipoint VPN (DMVPN) tunnels.

Link to the next article in this series = Part 7 - Single Tier Dynamic Multipoint VPN (DMVPN) Cloud

I hope you find this helpful.
