
IPsec VPN Configuration On Cisco IOS XE - Part 9 - Dual Hub Phase 3 Dynamic Multipoint VPN (DMVPN) Cloud

This article is about building Dynamic Multipoint VPN tunnels on Cisco CSR1000V routers running IOS XE.
Two CSR1000V hub routers are configured as a single-tier Phase 3 DMVPN cloud.

This is the ninth article in a series about configuring VPN tunnels in IOS XE. [ Link to Part 1 ] [ Link to Part 2 ] [ Link to Part 3 ] [ Link to Part 4 ] [ Link to Part 5 ] [ Link to Part 6 ] [ Link to Part 7 ] [ Link to Part 8 ]


In the previous part, I configured a Phase 3 DMVPN cloud. In this article, I will show how to build a Dual Hub Phase 3 Dynamic Multipoint VPN (DMVPN) cloud with OSPF as the dynamic routing protocol.

This is an imaginary setup of a company which has a Data Centre (DC) with application and storage servers, and site A connects to the DC via IPsec VPN tunnels with the Internet as the underlay. IP addresses, device connections and the OSPF area are as shown in the diagram.


The goals of this scenario are:
1) Create a DMVPN cloud on "dc-gw1" and "dc-gw2" and connect router "site-a-gw1" to this cloud.

2) The setup is Phase 3 DMVPN with a hub-and-spoke architecture, where DC router "dc-gw1" is the primary hub and "dc-gw2" is its backup hub.
3) Configure dynamic routing between the DC and site routers.




The router IOS version used for this setup is:
dc-gw1, dc-gw2, site-a-gw1 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)




I configured the interface IPs on the DC routers and the site router and added a default route towards the Internet router. This simulates the underlay Internet links for the DC and sites.


Interface And Route Configuration On DC Router = "dc-gw1"


track 1 interface GigabitEthernet1 line-protocol

interface GigabitEthernet1
platform ring rx 256
ip address 10.0.0.2 255.255.255.248
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip address 100.0.20.2 255.255.255.0 secondary
ip address 100.0.10.2 255.255.255.0
standby 10 ip 100.0.10.1
standby 10 priority 110
standby 10 preempt
standby 10 track 1 decrement 20
standby 20 ip 100.0.20.1
standby 20 priority 110
standby 20 preempt
standby 20 track 1 decrement 20
negotiation auto

ip route 0.0.0.0 0.0.0.0 10.0.0.1


Interface And Route Configuration On DC Router = "dc-gw2"


interface GigabitEthernet1
platform ring rx 256
ip address 40.0.0.2 255.255.255.252
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip address 100.0.20.3 255.255.255.0 secondary
ip address 100.0.10.3 255.255.255.0
standby 10 ip 100.0.10.1
standby 10 preempt
standby 20 ip 100.0.20.1
standby 20 preempt
negotiation auto

router ospf 100
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.255 area 0

ip route 0.0.0.0 0.0.0.0 40.0.0.1


Interface And Route Configuration On Site Router = "site-a-gw1"


interface GigabitEthernet1
platform ring rx 256
ip address 20.0.0.2 255.255.255.252
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip address 192.168.10.1 255.255.255.0
negotiation auto

interface GigabitEthernet3
platform ring rx 256
ip address 192.168.20.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 20.0.0.1


Next is creating the DMVPN cloud on the DC routers and connecting the site router to this cloud.


DMVPN Configuration On DC Router = "dc-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 0.0.0.0

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile tunnel-to-site
set transform-set AES-256-SHA

interface Tunnel1
description DMVPN Tunnel to Sites
ip address 172.20.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp registration timeout 3
ip nhrp shortcut
ip nhrp redirect
ip ospf network point-to-multipoint
keepalive 10 3
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile tunnel-to-site


DMVPN Configuration On DC Router = "dc-gw2"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 0.0.0.0

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile tunnel-to-site
set transform-set AES-256-SHA

interface Tunnel1
description DMVPN Tunnel to Sites
ip address 172.20.10.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp registration timeout 3
ip nhrp shortcut
ip nhrp redirect
ip ospf network point-to-multipoint
keepalive 10 3
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile tunnel-to-site


DMVPN Configuration On Site Router = "site-a-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 0.0.0.0 0.0.0.0

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel1
description DMVPN Tunnel to DC
ip address 172.20.10.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map 172.20.10.1 10.0.0.2
ip nhrp map multicast 10.0.0.2
ip nhrp map 172.20.10.2 40.0.0.2
ip nhrp map multicast 40.0.0.2
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 172.20.10.1 priority 1 cluster 1
ip nhrp nhs 172.20.10.2 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 5
ip nhrp shortcut
ip nhrp redirect
ip ospf network point-to-multipoint
keepalive 10 3
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile tunnel-to-dc


DMVPN Status On DC Router = "dc-gw1"


dc-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 20.0.0.2            172.20.10.3    UP 00:46:03     D

dc-gw1#


DMVPN Status On DC Router = "dc-gw2"


dc-gw2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 20.0.0.2            172.20.10.3    UP 00:49:49     D

dc-gw2#


DMVPN Status On Site Router = "site-a-gw1"


site-a-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.0.0.2            172.20.10.1    UP 00:51:33     S
1 40.0.0.2            172.20.10.2    UP 00:51:43     S

site-a-gw1#

site-a-gw1#sh ip nhrp nhs redundancy

Legend: E=Expecting replies, R=Responding, W=Waiting
No.  Interface  Cluster             NHS Priority  Cur-State  Cur-Queue Prev-State Prev-Queue
1    Tunnel1        1     172.20.10.2        2         RE    Running          E    Running
2    Tunnel1        1     172.20.10.1        1         RE    Running          E    Running

No.  Interface  Cluster   Status  Max-Con  Total-NHS Registering/UP  Expecting  Waiting Fallback
1    Tunnel1        1   Enable        2          2              2          0        0        5

site-a-gw1#


This completes goals 1 and 2: we have a Dual Hub DMVPN cloud on the DC routers, and the site router is connected to it. There are two tunnels from the router at site A to the two DC routers; the tunnel to router "dc-gw1" (172.20.10.1) has priority 1 and is the primary tunnel, and the tunnel to router "dc-gw2" (172.20.10.2) has priority 2 and is the backup tunnel. The next part is about implementing dynamic routing using OSPF.


OSPF Configuration On DC Router = "dc-gw1"


router ospf 100
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.255 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet2


OSPF Configuration On DC Router = "dc-gw2"


router ospf 100
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.255 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet2


OSPF Configuration On Site Router = "site-a-gw1"


router ospf 100
log-adjacency-changes
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.255 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet2 GigabitEthernet3


This OSPF configuration is basic and uses a single area; it distributes routes between the DC routers and the site router.


I configured a route map matching the interfaces that connect the DC servers and the site LANs, and these route maps are used to redistribute connected subnets into OSPF. This also prevents the subnets configured on the Internet-side interfaces from being advertised.
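The following Python script is an added example, not code from the article or from Cisco. It reads IOS-style config text like the snippets above and checks the settings this setup depends on: tunnel protection on the mGRE interface, NHRP authentication, a static NBMA map for every NHS on the spoke, a redistribution route-map that does not include the Internet-facing interface, and matching NHRP authentication, network-id and tunnel key across all cloud members. The config strings are constructed from the dc-gw1 and site-a-gw1 snippets (plus a deliberately broken spoke) and the finding messages are mine.

```python
"""Static checks for the dual-hub DMVPN configs in this article (added example,
not from the article or Cisco). The config strings are constructed from the
article's dc-gw1 and site-a-gw1 snippets, trimmed to the lines the checks use."""
import re
from typing import Dict, List, Tuple

HUB1 = """\
crypto isakmp key acme address 0.0.0.0
interface Tunnel1
 ip nhrp authentication acme
 ip nhrp network-id 1
 tunnel source GigabitEthernet1
 tunnel key 10
 tunnel protection ipsec profile tunnel-to-site
route-map ospf-redistribute permit 10
 match interface GigabitEthernet2
"""
SPOKE = """\
crypto isakmp key acme address 0.0.0.0 0.0.0.0
interface Tunnel1
 ip nhrp authentication acme
 ip nhrp map 172.20.10.1 10.0.0.2
 ip nhrp map 172.20.10.2 40.0.0.2
 ip nhrp network-id 1
 ip nhrp nhs 172.20.10.1 priority 1 cluster 1
 ip nhrp nhs 172.20.10.2 priority 2 cluster 1
 tunnel source GigabitEthernet1
 tunnel key 10
 tunnel protection ipsec profile tunnel-to-dc
route-map ospf-redistribute permit 10
 match interface GigabitEthernet2 GigabitEthernet3
"""
# Constructed broken spoke: no IPsec protection, backup NHS with no static NBMA
# map, mismatched tunnel key, and the Internet-facing interface in the route-map.
BAD_SPOKE = (SPOKE.replace(" tunnel protection ipsec profile tunnel-to-dc\n", "")
             .replace(" ip nhrp map 172.20.10.2 40.0.0.2\n", "")
             .replace("tunnel key 10", "tunnel key 11")
             .replace("GigabitEthernet2 GigabitEthernet3", "GigabitEthernet1 GigabitEthernet2"))

def parse_ios(text: str) -> Dict[str, List[str]]:
    """Map each top-level command to the indented lines that follow it."""
    sections: Dict[str, List[str]] = {}
    current = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def tunnel_lines(sections: Dict[str, List[str]]) -> List[str]:
    return next((v for k, v in sections.items() if k.startswith("interface Tunnel")), [])

def cloud_params(sections: Dict[str, List[str]]) -> Tuple[str, str, str]:
    """NHRP auth string, network-id and tunnel key: every member of one cloud must agree."""
    tun = tunnel_lines(sections)
    pick = lambda p: next((c[len(p):].strip() for c in tun if c.startswith(p)), "")
    return pick("ip nhrp authentication"), pick("ip nhrp network-id"), pick("tunnel key")

def audit(router: str, text: str) -> List[str]:
    """Per-router findings; an empty list means nothing to report."""
    sections, out = parse_ios(text), []
    tun = tunnel_lines(sections)
    if not any(c.startswith("tunnel protection ipsec profile") for c in tun):
        out.append(f"{router}: mGRE tunnel without 'tunnel protection'; NHRP and OSPF cross the Internet in cleartext")
    if not any(c.startswith("ip nhrp authentication") for c in tun):
        out.append(f"{router}: 'ip nhrp authentication' missing")
    if any(re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", k) for k in sections):
        out.append(f"{router}: wildcard pre-shared key (address 0.0.0.0) is one secret for every peer; limit IKE/ESP sources at the edge and rotate it")
    nbma = {c.split()[3] for c in tun if re.match(r"ip nhrp map \d", c)}
    for nhs in (c.split()[3] for c in tun if re.match(r"ip nhrp nhs \d", c)):
        if nhs not in nbma:
            out.append(f"{router}: NHS {nhs} has no 'ip nhrp map' to an NBMA address, so registration can never reach it")
    src = next((c.split()[2] for c in tun if c.startswith("tunnel source")), None)
    for name, lines in sections.items():
        if name.startswith("route-map") and any(c.startswith("match interface") and src in c.split() for c in lines):
            out.append(f"{router}: {name} redistributes tunnel source {src} (Internet side) into OSPF")
    return out

def check_cloud(configs: Dict[str, str]) -> List[str]:
    """Run audit() on each router, then verify they all describe the same cloud."""
    findings = [f for r, c in configs.items() for f in audit(r, c)]
    params = {r: cloud_params(parse_ios(c)) for r, c in configs.items()}
    if len(set(params.values())) > 1:
        findings.append("cloud mismatch: " + "; ".join(f"{r} auth={a} id={i} key={k}" for r, (a, i, k) in params.items()))
    return findings
```

Running check_cloud over the article's hub and spoke reports only the wildcard pre-shared key on each router; the broken spoke additionally trips the tunnel protection, NHS map, route-map and tunnel key checks.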


Routes Learned By DC Router = "dc-gw1"


dc-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.10.1      0   FULL/  -        00:01:50    172.20.10.3     Tunnel1
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/29 is directly connected, GigabitEthernet1
L        10.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.2/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.2/32 is directly connected, GigabitEthernet2
172.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
L        172.20.10.1/32 is directly connected, Tunnel1
O        172.20.10.2/32 [110/2000] via 172.20.10.3, 00:17:45, Tunnel1
O        172.20.10.3/32 [110/1000] via 172.20.10.3, 00:19:16, Tunnel1
O E2  192.168.10.0/24 [110/20] via 172.20.10.3, 00:13:38, Tunnel1
O E2  192.168.20.0/24 [110/20] via 172.20.10.3, 00:08:50, Tunnel1
dc-gw1#


Routes Learned By DC Router = "dc-gw2"


dc-gw2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.10.1      0   FULL/  -        00:01:53    172.20.10.3     Tunnel1

dc-gw2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 40.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 40.0.0.1
40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        40.0.0.0/30 is directly connected, GigabitEthernet1
L        40.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.3/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.3/32 is directly connected, GigabitEthernet2
172.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
O        172.20.10.1/32 [110/2000] via 172.20.10.3, 00:31:08, Tunnel1
L        172.20.10.2/32 is directly connected, Tunnel1
O        172.20.10.3/32 [110/1000] via 172.20.10.3, 00:31:08, Tunnel1
O E2  192.168.10.0/24 [110/20] via 172.20.10.3, 00:26:51, Tunnel1
O E2  192.168.20.0/24 [110/20] via 172.20.10.3, 00:07:50, Tunnel1
dc-gw2#


Routes Learned By Site Router = "site-a-gw1"


site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.10.1       0   FULL/  -        00:01:33    172.20.10.1     Tunnel1
172.20.10.2       0   FULL/  -        00:01:59    172.20.10.2     Tunnel1
site-a-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.0.0.1
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/30 is directly connected, GigabitEthernet1
L        20.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/24 is subnetted, 2 subnets
O E2     100.0.10.0 [110/20] via 172.20.10.2, 00:33:11, Tunnel1
[110/20] via 172.20.10.1, 00:34:31, Tunnel1
O E2     100.0.20.0 [110/20] via 172.20.10.2, 00:33:11, Tunnel1
[110/20] via 172.20.10.1, 00:34:31, Tunnel1
172.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
O        172.20.10.1/32 [110/1000] via 172.20.10.1, 00:34:31, Tunnel1
O        172.20.10.2/32 [110/1000] via 172.20.10.2, 00:33:11, Tunnel1
L        172.20.10.3/32 is directly connected, Tunnel1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet2
L        192.168.10.1/32 is directly connected, GigabitEthernet2
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet3
L        192.168.20.1/32 is directly connected, GigabitEthernet3
site-a-gw1#


Here are ping results showing connectivity between the app server in the DC and user computers at the branch site.


app1> ping 192.168.10.10
84 bytes from 192.168.10.10 icmp_seq=1 ttl=62 time=22.004 ms
84 bytes from 192.168.10.10 icmp_seq=2 ttl=62 time=25.505 ms
84 bytes from 192.168.10.10 icmp_seq=3 ttl=62 time=20.004 ms
84 bytes from 192.168.10.10 icmp_seq=4 ttl=62 time=33.507 ms
84 bytes from 192.168.10.10 icmp_seq=5 ttl=62 time=24.004 ms

app1> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=62 time=24.505 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=62 time=26.005 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=62 time=19.504 ms
84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=22.505 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=30.506 ms


And here are traceroute results showing the path from the app1 server in the DC to the user computers at site A. Traffic from the app1 server goes to the dc-gw1 router (100.0.10.2) and then to the site A router (172.20.10.3). This means traffic is taking the tunnel between routers dc-gw1 and site-a-gw1, which is the primary tunnel between the DC routers and the site router.


app1> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.2   5.001 ms  5.001 ms  5.001 ms
2   172.20.10.3   34.507 ms  24.005 ms  21.504 ms
3   *192.168.10.10   29.005 ms (ICMP type:3, code:3, Destination port unreachable)

app1> trace 192.168.20.10
trace to 192.168.20.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.2   6.001 ms  5.001 ms  5.501 ms
2   172.20.10.3   22.005 ms  20.504 ms  19.504 ms
3   *192.168.20.10   60.012 ms (ICMP type:3, code:3, Destination port unreachable)

app1>


Traffic from the app1 server in the DC goes to the dc-gw1 router (100.0.10.2) because HSRP is "active" on "dc-gw1"; from there it follows the route received via OSPF. Return traffic from the user PC to the app1 server enters the site-a-gw1 router first and then goes to dc-gw1 as per the route received via OSPF.


HSRP Status on Router = "dc-gw1"


dc-gw1#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   110 P Active  local           100.0.10.3      100.0.10.1
Gi2         20   110 P Active  local           100.0.20.3      100.0.20.1
dc-gw1#


HSRP Status on Router = "dc-gw2"


dc-gw2#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   100 P Standby 100.0.10.2      local           100.0.10.1
Gi2         20   100 P Standby 100.0.20.2      local           100.0.20.1
dc-gw2#


Fallback Test


When I shut down the Internet interface on the "dc-gw1" router, the tracked HSRP groups lose 20 from their priority, the router becomes "standby", and all traffic is diverted to router "dc-gw2". In this situation the VPN tunnel on "dc-gw1" goes down and the best routes learned by the site router are from "dc-gw2". Refer to the HSRP status, DMVPN status, routing tables and traceroute results given below.


HSRP Status on Router = "dc-gw1"


dc-gw1#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   90  P Standby 100.0.10.3      local           100.0.10.1
Gi2         20   90  P Standby 100.0.20.3      local           100.0.20.1
dc-gw1#


HSRP Status on Router = "dc-gw2"


dc-gw2#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   100 P Active  local           100.0.10.2      100.0.10.1
Gi2         20   100 P Active  local           100.0.20.2      100.0.20.1
dc-gw2#


DMVPN Status On DC Router = "dc-gw1"


dc-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

dc-gw1#


DMVPN Status On DC Router = "dc-gw2"


dc-gw2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 20.0.0.2            172.20.10.3    UP 01:01:56     D

dc-gw2#


DMVPN Status On Site Router = "site-a-gw1"


site-a-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.0.0.2            172.20.10.1   IKE 00:05:12     S
1 40.0.0.2            172.20.10.2    UP 01:03:04     S

site-a-gw1#sh ip nhrp nhs redundancy

Legend: E=Expecting replies, R=Responding, W=Waiting
No.  Interface  Cluster             NHS Priority  Cur-State  Cur-Queue Prev-State Prev-Queue
1    Tunnel1        1     172.20.10.2        2         RE    Running          E    Running
2    Tunnel1        1     172.20.10.1        1          E    Running         RE    Running

No.  Interface  Cluster   Status  Max-Con  Total-NHS Registering/UP  Expecting  Waiting Fallback
1    Tunnel1        1   Enable        2          2              1          1        0        5

site-a-gw1#
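As an added example (not from the article or from Cisco), the following Python parses the spoke's "show dmvpn" table above and turns the State column into a health verdict that a monitoring job could alert on: OK while the priority-1 hub is UP, DEGRADED when traffic has moved to the backup hub as in this fallback test, ISOLATED when no hub is UP. The sample text is the article's fallback-test output, the NHS priorities are the ones configured on site-a-gw1, and the two variant samples are constructed.

```python
"""Parse the spoke's 'show dmvpn' output and classify the dual-hub cloud as
healthy, running on the backup hub, or isolated (added example, not from the
article or Cisco). The sample output is the article's fallback-test output."""
import re
from typing import Dict, List

SPOKE_DURING_FAILOVER = """\
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.2            172.20.10.1   IKE 00:05:12     S
     1 40.0.0.2            172.20.10.2    UP 01:03:04     S
"""
# Constructed variants: both hubs up (the article's steady state) and no hub up.
SPOKE_HEALTHY = SPOKE_DURING_FAILOVER.replace("IKE", " UP")
SPOKE_ISOLATED = SPOKE_DURING_FAILOVER.replace(" UP ", " NHRP ")

# NHS priorities as configured on site-a-gw1 in the article: lower is preferred.
NHS_PRIORITY = {"172.20.10.1": 1, "172.20.10.2": 2}

IP = r"\d+(?:\.\d+){3}"
PEER_RE = re.compile(rf"^\s*(\d+)\s+({IP})\s+({IP})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_dmvpn(text: str) -> List[Dict[str, str]]:
    """One dict per peer row; legend, header and separator lines do not match."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            ent, nbma, tunnel, state, updn, attrb = m.groups()
            peers.append({"entries": ent, "nbma": nbma, "tunnel": tunnel,
                          "state": state, "updn": updn, "attrb": attrb})
    return peers


def hub_health(peers: List[Dict[str, str]], priority: Dict[str, int]) -> Dict[str, object]:
    """OK: preferred hub UP. DEGRADED: preferred hub down but a backup hub UP
    (traffic is on the secondary tunnel, as in the article's fallback test).
    ISOLATED: no hub UP. A hub absent from the table is reported as unlisted."""
    state = {p["tunnel"]: p["state"] for p in peers if p["tunnel"] in priority}
    up = sorted((h for h, s in state.items() if s == "UP"), key=priority.get)
    preferred = min(priority, key=priority.get)
    verdict = "OK" if preferred in up else ("DEGRADED" if up else "ISOLATED")
    return {
        "verdict": verdict,
        "active_hub": up[0] if up else None,
        "down": {h: s for h, s in state.items() if s != "UP"},
        "unlisted": [h for h in priority if h not in state],
    }
```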


Routes Learned By DC Router = "dc-gw1"


dc-gw1#sh ip ospf neighbor
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.2/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.2/32 is directly connected, GigabitEthernet2
dc-gw1#


Routes Learned By DC Router = "dc-gw2"


dc-gw2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.10.1      0   FULL/  -        00:01:35    172.20.10.3     Tunnel1
dc-gw2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 40.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 40.0.0.1
40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        40.0.0.0/30 is directly connected, GigabitEthernet1
L        40.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.3/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.3/32 is directly connected, GigabitEthernet2
172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
L        172.20.10.2/32 is directly connected, Tunnel1
O        172.20.10.3/32 [110/1000] via 172.20.10.3, 00:43:12, Tunnel1
O E2  192.168.10.0/24 [110/20] via 172.20.10.3, 00:38:55, Tunnel1
O E2  192.168.20.0/24 [110/20] via 172.20.10.3, 00:19:54, Tunnel1
dc-gw2#


Routes Learned By Site Router = "site-a-gw1"


site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.10.2       0   FULL/  -        00:01:38    172.20.10.2     Tunnel1
site-a-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.0.0.1
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/30 is directly connected, GigabitEthernet1
L        20.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/24 is subnetted, 2 subnets
O E2     100.0.10.0 [110/20] via 172.20.10.2, 00:44:19, Tunnel1
O E2     100.0.20.0 [110/20] via 172.20.10.2, 00:44:19, Tunnel1
172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
O        172.20.10.2/32 [110/1000] via 172.20.10.2, 00:44:19, Tunnel1
L        172.20.10.3/32 is directly connected, Tunnel1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet2
L        192.168.10.1/32 is directly connected, GigabitEthernet2
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet3
L        192.168.20.1/32 is directly connected, GigabitEthernet3
site-a-gw1#


Here are traceroute results showing the path from the app1 server in the DC to the user computers at site A. Traffic from the app1 server now goes to the dc-gw2 router (100.0.10.3) and then to the site A router (172.20.10.3). This means traffic is taking the tunnel between routers dc-gw2 and site-a-gw1, which is the secondary (backup) tunnel between the DC routers and the site router.


app1> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.3   6.501 ms  5.001 ms  5.001 ms
2   172.20.10.3   29.506 ms  19.004 ms  20.504 ms
3   *192.168.10.10   22.504 ms (ICMP type:3, code:3, Destination port unreachable)

app1> trace 192.168.20.10
trace to 192.168.20.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.3   4.501 ms  8.002 ms  6.501 ms
2   172.20.10.3   24.005 ms  19.504 ms  20.004 ms
3   *192.168.20.10   29.506 ms (ICMP type:3, code:3, Destination port unreachable)

app1>


These traceroute results show that in case of an Internet link or primary router failure, the secondary router takes over the DMVPN cloud.


This completes goal 3, configuring dynamic routing between the DC and site routers to achieve router redundancy in the DC. This is also the end of Part 9 of this series; we have seen a Dual Hub DMVPN Phase 3 cloud setup with the dynamic routing protocol OSPF and its sample configuration. Anyone working on a DMVPN setup using Cisco routers with IOS XE may use this configuration.

In the next article, we will configure a Dual Hub DMVPN Phase 3 Dual Cloud with a dynamic routing protocol under different VRFs.


Link to the final part (Part 10) of this series.

I hope you find this helpful.
