IPsec VPN Configuration On Cisco IOS XE - Part 10 - Dual Hub Dual Cloud Phase 3 Dynamic Multipoint VPN (DMVPN)

Santosh Salunke, Network Security Lead
Edited by: Andrew Leniart
This article is about building Dynamic Multipoint VPN tunnels on Cisco CSR1000V routers running IOS XE.
Two CSR1000V hub routers are configured as a dual hub dual cloud Phase 3 DMVPN.

This is the tenth and last article in a series about configuring VPN tunnels in IOS XE. [ Link to Part 1 ] [ Link to Part 2 ] [ Link to Part 3 ] [ Link to Part 4 ] [ Link to Part 5 ] [ Link to Part 6 ] [ Link to Part 7 ] [ Link to Part 8 ] [ Link to Part 9 ]


In the previous part, I configured a Dual Hub Phase 3 DMVPN cloud. In this article, I will show how to build a Dual Hub Dual Cloud Phase 3 Dynamic Multipoint VPN (DMVPN).

This is an imaginary setup of a company with a Data Centre (DC) hosting application and storage servers. Site A connects to the DC via IPsec VPN tunnels with the Internet as the underlay. IP addresses, device connections, and the OSPF area are as shown in the diagram.




Goals of this scenario are -
1) Create two DMVPN clouds, one on "dc-gw1" and one on "dc-gw2", and connect router "site-a-gw1" to both clouds.

2) Configure dynamic routing between the DC routers and the site router.




The router IOS version used for this setup is -
dc-gw1, dc-gw2, site-a-gw1 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)




I had configured interface IPs on the DC routers and the site router, with a default route towards the Internet router. This simulates the underlay Internet links for the DC and the site.


Interface And Route Configuration On DC Router = "dc-gw1"


track 1 interface GigabitEthernet1 line-protocol

interface GigabitEthernet1
platform ring rx 256
ip address 10.0.0.2 255.255.255.248
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip address 100.0.20.2 255.255.255.0 secondary
ip address 100.0.10.2 255.255.255.0
standby 10 ip 100.0.10.1
standby 10 priority 110
standby 10 preempt
standby 10 track 1 decrement 20
standby 20 ip 100.0.20.1
standby 20 priority 110
standby 20 preempt
standby 20 track 1 decrement 20
negotiation auto

ip route 0.0.0.0 0.0.0.0 10.0.0.1


Interface And Route Configuration On DC Router = "dc-gw2"


interface GigabitEthernet1
platform ring rx 256
ip address 40.0.0.2 255.255.255.248
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip address 100.0.20.3 255.255.255.0 secondary
ip address 100.0.10.3 255.255.255.0
standby 10 ip 100.0.10.1
standby 10 preempt
standby 20 ip 100.0.20.1
standby 20 preempt
negotiation auto

ip route 0.0.0.0 0.0.0.0 40.0.0.1


Interface And Route Configuration On Site Router = "site-a-gw1"


interface GigabitEthernet1
platform ring rx 256
ip address 20.0.0.2 255.255.255.252
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip vrf forwarding app
ip address 192.168.10.1 255.255.255.0
negotiation auto

interface GigabitEthernet3
platform ring rx 256
ip vrf forwarding storage
ip address 192.168.20.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 20.0.0.1


Next is creating the DMVPN clouds on the DC routers and connecting the site router to these clouds.


DMVPN Cloud Configuration On DC Router = "dc-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 0.0.0.0

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile tunnel-to-site
set transform-set AES-256-SHA

interface Tunnel1
description DMVPN Tunnel to Sites
ip address 172.20.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp registration timeout 3
ip nhrp shortcut
ip nhrp redirect
ip ospf network point-to-multipoint
keepalive 10 3
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile tunnel-to-site


DMVPN Cloud Configuration On DC Router = "dc-gw2"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 0.0.0.0

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile tunnel-to-site
set transform-set AES-256-SHA

interface Tunnel2
description DMVPN Tunnel to Sites
ip address 172.20.20.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp registration timeout 3
ip nhrp shortcut
ip nhrp redirect
ip ospf network point-to-multipoint
keepalive 10 3
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 20
tunnel protection ipsec profile tunnel-to-site


DMVPN Configuration On Site Router = "site-a-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 0.0.0.0 0.0.0.0

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel1
description DMVPN Tunnel to DC
ip address 172.20.10.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map 172.20.10.1 10.0.0.2
ip nhrp map multicast 10.0.0.2
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 172.20.10.1
ip nhrp shortcut
ip nhrp redirect
ip ospf network point-to-multipoint
keepalive 10 3
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile tunnel-to-dc

interface Tunnel2
description DMVPN Tunnel to DC
ip address 172.20.20.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map 172.20.20.1 40.0.0.2
ip nhrp map multicast 40.0.0.2
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp nhs 172.20.20.1
ip nhrp shortcut
ip nhrp redirect
ip ospf network point-to-multipoint
keepalive 10 3
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 20
tunnel protection ipsec profile tunnel-to-dc
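Every spoke tunnel above has to agree with its hub on the NHRP network-id, the GRE tunnel key, the NHRP authentication string, the NHS address (the hub's tunnel IP) and the NHRP map to the hub's NBMA address (the IP of the hub's tunnel source interface). A mismatch in any of these is the usual reason a spoke registers into the wrong cloud or not at all. The following Python checker is an added example, not code from the article or from Cisco: it parses IOS-style interface blocks and compares a spoke tunnel with its hub tunnel. The HUB and SPOKE excerpts are trimmed copies of the dc-gw1 and site-a-gw1 Tunnel1 configuration above; BAD_SPOKE is a constructed copy-paste mistake where Tunnel2's key and NBMA address were pasted into Tunnel1.

```python
# Added example, not part of the article: verify that a DMVPN spoke tunnel
# is consistent with the hub tunnel it registers to.
import re
from dataclasses import dataclass, field

# Trimmed copies of the article's dc-gw1 (hub) and site-a-gw1 (spoke) config.
HUB = """\
interface GigabitEthernet1
 ip address 10.0.0.2 255.255.255.248
interface Tunnel1
 ip address 172.20.10.1 255.255.255.0
 ip nhrp authentication acme
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet1
 tunnel key 10
"""
SPOKE = """\
interface GigabitEthernet1
 ip address 20.0.0.2 255.255.255.252
interface Tunnel1
 ip address 172.20.10.2 255.255.255.0
 ip nhrp authentication acme
 ip nhrp map 172.20.10.1 10.0.0.2
 ip nhrp map multicast 10.0.0.2
 ip nhrp network-id 1
 ip nhrp nhs 172.20.10.1
 tunnel source GigabitEthernet1
 tunnel key 10
"""
# Constructed mistake: Tunnel2's key and NBMA address pasted into Tunnel1.
BAD_SPOKE = (SPOKE.replace("tunnel key 10", "tunnel key 20")
                  .replace("ip nhrp map 172.20.10.1 10.0.0.2", "ip nhrp map 172.20.10.1 40.0.0.2"))

@dataclass
class Iface:
    name: str
    ip: str = ""                 # primary IPv4 address
    network_id: str = ""         # ip nhrp network-id
    tunnel_key: str = ""         # tunnel key (GRE key)
    nhrp_auth: str = ""          # ip nhrp authentication
    source: str = ""             # tunnel source <interface>
    nhs: list = field(default_factory=list)       # ip nhrp nhs <hub tunnel ip>
    nhrp_map: dict = field(default_factory=dict)  # hub tunnel ip -> hub NBMA ip

# Single-value attributes and the config line that sets each of them.
_RULES = [
    ("ip", r"ip address (\S+) \S+$"),          # excludes 'secondary' addresses
    ("network_id", r"ip nhrp network-id (\d+)$"),
    ("tunnel_key", r"tunnel key (\d+)$"),
    ("nhrp_auth", r"ip nhrp authentication (\S+)$"),
    ("source", r"tunnel source (\S+)$"),
]

def parse_ifaces(config: str) -> dict:
    """Return {name: Iface} for every 'interface X' block in an IOS config."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces[m.group(1)] = Iface(m.group(1))
        elif cur is None or not line:
            continue                                  # global config is ignored
        elif m := re.match(r"ip nhrp nhs (\S+)$", line):
            cur.nhs.append(m.group(1))
        elif m := re.match(r"ip nhrp map (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$", line):
            cur.nhrp_map[m.group(1)] = m.group(2)     # 'map multicast' lines do not match
        else:
            for attr, pattern in _RULES:
                if m := re.match(pattern, line):
                    setattr(cur, attr, m.group(1))
                    break
    return ifaces

def check_spoke(spoke_cfg: str, spoke_tun: str, hub_cfg: str, hub_tun: str) -> list:
    """Return human-readable mismatches between a spoke tunnel and its hub tunnel."""
    spoke, hub_ifaces = parse_ifaces(spoke_cfg)[spoke_tun], parse_ifaces(hub_cfg)
    hub = hub_ifaces[hub_tun]
    hub_nbma = hub_ifaces[hub.source].ip   # NBMA address = address of the hub's tunnel source
    problems = []
    for attr in ("network_id", "tunnel_key", "nhrp_auth"):
        s, h = getattr(spoke, attr), getattr(hub, attr)
        if s != h:
            problems.append(f"{spoke.name}: {attr} '{s}' != hub {hub.name} '{h}'")
    if hub.ip not in spoke.nhs:
        problems.append(f"{spoke.name}: missing 'ip nhrp nhs {hub.ip}'")
    if spoke.nhrp_map.get(hub.ip) != hub_nbma:
        problems.append(f"{spoke.name}: nhrp map {hub.ip} -> {spoke.nhrp_map.get(hub.ip)}, "
                        f"expected hub NBMA {hub_nbma}")
    return problems

if __name__ == "__main__":
    print("site-a-gw1 Tunnel1:", check_spoke(SPOKE, "Tunnel1", HUB, "Tunnel1") or "consistent")
    print("bad spoke Tunnel1 :", check_spoke(BAD_SPOKE, "Tunnel1", HUB, "Tunnel1"))
```

The parser only understands the handful of commands the article uses (single-token `ip nhrp nhs`, no `!` separators), which is enough for configs pulled from `show running-config` in this lab; extend `_RULES` for anything else you want compared, such as `ip mtu` or the IPsec profile name.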


DMVPN Status On DC Router = "dc-gw1"


dc-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 20.0.0.2            172.20.10.2    UP 00:22:01     D

dc-gw1#


DMVPN Status On DC Router = "dc-gw2"


dc-gw2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel2, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 20.0.0.2            172.20.20.2    UP 00:26:22     D

dc-gw2#


DMVPN Status On Site Router = "site-a-gw1"


site-a-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.0.0.2            172.20.10.1    UP 00:27:48     S

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 40.0.0.2            172.20.20.1    UP 00:27:58     S

site-a-gw1#sh ip nhrp nhs redundancy

Legend: E=Expecting replies, R=Responding, W=Waiting
No.  Interface  Cluster             NHS Priority  Cur-State  Cur-Queue Prev-State Prev-Queue
1    Tunnel1        0     172.20.10.1        0         RE    Running          E    Running
2    Tunnel2        0     172.20.20.1        0         RE    Running          E    Running

No.  Interface  Cluster   Status  Max-Con  Total-NHS Registering/UP  Expecting  Waiting Fallback
1    Tunnel1        0  Disable  Not Set          1              1          0        0        0
2    Tunnel2        0  Disable  Not Set          1              1          0        0        0

site-a-gw1#


This completes our goal 1: we have a Dual Hub Dual Cloud DMVPN on the DC routers, and the site router is connected to both clouds. There are two tunnels from the site A router to the two DC routers: tunnel 1 (172.20.10.2) connects to router "dc-gw1" (172.20.10.1), and tunnel 2 (172.20.20.2) connects to router "dc-gw2" (172.20.20.1).


The next part is about implementing dynamic routing using OSPF.


OSPF Configuration On DC Router = "dc-gw1"


router ospf 100
router-id 172.20.10.1
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.255 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet2


OSPF Configuration On DC Router = "dc-gw2"


router ospf 100
router-id 172.20.20.1
redistribute connected subnets route-map ospf-redistribute
network 172.20.20.0 0.0.0.255 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet2


OSPF Configuration On Site Router = "site-a-gw1"


router ospf 100
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.255 area 0
network 172.20.20.0 0.0.0.255 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet2 GigabitEthernet3


This OSPF configuration is basic, with a single area; it distributes routes between the DC routers and the site router.


I configured a route map matching the interfaces that connect to the DC servers and the site LAN, and these route maps are used to redistribute connected subnets into OSPF. This also avoids redistributing the subnets configured on the Internet-facing interfaces, so the underlay addressing is not advertised over the overlay.


Routes Learned By DC Router = "dc-gw1"


dc-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:01:32    172.20.10.2     Tunnel1
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/29 is directly connected, GigabitEthernet1
L        10.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.2/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.2/32 is directly connected, GigabitEthernet2
172.20.0.0/16 is variably subnetted, 5 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
L        172.20.10.1/32 is directly connected, Tunnel1
O        172.20.10.2/32 [110/1000] via 172.20.10.2, 00:05:09, Tunnel1
O        172.20.20.1/32 [110/2000] via 172.20.10.2, 00:05:09, Tunnel1
O        172.20.20.2/32 [110/1000] via 172.20.10.2, 00:05:09, Tunnel1
O E2  192.168.10.0/24 [110/20] via 172.20.10.2, 00:05:09, Tunnel1
O E2  192.168.20.0/24 [110/20] via 172.20.10.2, 00:05:09, Tunnel1
dc-gw1#


Routes Learned By DC Router = "dc-gw2"


dc-gw2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:01:49    172.20.20.2     Tunnel2
dc-gw2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 40.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 40.0.0.1
40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        40.0.0.0/29 is directly connected, GigabitEthernet1
L        40.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.3/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.3/32 is directly connected, GigabitEthernet2
172.20.0.0/16 is variably subnetted, 5 subnets, 2 masks
O        172.20.10.1/32 [110/2000] via 172.20.20.2, 00:09:12, Tunnel2
O        172.20.10.2/32 [110/1000] via 172.20.20.2, 00:09:12, Tunnel2
C        172.20.20.0/24 is directly connected, Tunnel2
L        172.20.20.1/32 is directly connected, Tunnel2
O        172.20.20.2/32 [110/1000] via 172.20.20.2, 00:09:12, Tunnel2
O E2  192.168.10.0/24 [110/20] via 172.20.20.2, 00:09:12, Tunnel2
O E2  192.168.20.0/24 [110/20] via 172.20.20.2, 00:09:12, Tunnel2
dc-gw2#


Routes Learned By Site Router = "site-a-gw1"


site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.20.1       0   FULL/  -        00:01:51    172.20.20.1     Tunnel2
172.20.10.1       0   FULL/  -        00:01:45    172.20.10.1     Tunnel1
site-a-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.0.0.1
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/30 is directly connected, GigabitEthernet1
L        20.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/24 is subnetted, 2 subnets
O E2     100.0.10.0 [110/20] via 172.20.20.1, 00:11:00, Tunnel2
[110/20] via 172.20.10.1, 00:11:10, Tunnel1
O E2     100.0.20.0 [110/20] via 172.20.20.1, 00:11:00, Tunnel2
[110/20] via 172.20.10.1, 00:11:10, Tunnel1
172.20.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
O        172.20.10.1/32 [110/1000] via 172.20.10.1, 00:11:10, Tunnel1
L        172.20.10.2/32 is directly connected, Tunnel1
C        172.20.20.0/24 is directly connected, Tunnel2
O        172.20.20.1/32 [110/1000] via 172.20.20.1, 00:11:00, Tunnel2
L        172.20.20.2/32 is directly connected, Tunnel2
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet2
L        192.168.10.1/32 is directly connected, GigabitEthernet2
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet3
L        192.168.20.1/32 is directly connected, GigabitEthernet3
site-a-gw1#


Here are ping results showing connectivity between the app server in the DC and a user computer at the branch site.


app1> ping 192.168.10.10
84 bytes from 192.168.10.10 icmp_seq=1 ttl=62 time=14.500 ms
84 bytes from 192.168.10.10 icmp_seq=2 ttl=62 time=22.500 ms
84 bytes from 192.168.10.10 icmp_seq=3 ttl=62 time=31.500 ms
84 bytes from 192.168.10.10 icmp_seq=4 ttl=62 time=13.500 ms
84 bytes from 192.168.10.10 icmp_seq=5 ttl=62 time=15.000 ms

app1>


And here are trace-route results which show the path from the app1 server in the DC to the user computer at site A. Traffic from the app1 server goes to router dc-gw1 (100.0.10.2), then to the site A router (172.20.10.2). This means traffic is going via tunnel 1 between routers dc-gw1 and site-a-gw1.


app1> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.2   2.500 ms  1.500 ms  1.000 ms
2     *172.20.10.2   20.000 ms  19.500 ms
3   *192.168.10.10   20.000 ms (ICMP type:3, code:3, Destination port unreachable)

app1>


Traffic from the app1 server in the DC goes to router dc-gw1 (100.0.10.2) because dc-gw1 is the HSRP "active" router. From there the traffic follows the route received via OSPF. Return traffic from the user PC to the app1 server enters router site-a-gw1 first and then goes to router dc-gw1 as per the route received via OSPF.


HSRP Status on Router = "dc-gw1"


dc-gw1#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   110 P Active  local           100.0.10.3      100.0.10.1
Gi2         20   110 P Active  local           100.0.20.3      100.0.20.1
dc-gw1#


HSRP Status on Router = "dc-gw2"


dc-gw2#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   100 P Standby 100.0.10.2      local           100.0.10.1
Gi2         20   100 P Standby 100.0.20.2      local           100.0.20.1
dc-gw2#


Fallback Test


When I shut down the Internet interface on router "dc-gw1", the tracked HSRP groups lose 20 points of priority (110 to 90), the router becomes "standby", and all traffic is diverted to router "dc-gw2". In this situation the VPN tunnels on "dc-gw1" go down and the best routes learned by the site router are from "dc-gw2". Refer to the HSRP status, DMVPN status, routing tables, and traceroute results given below.


HSRP Status on Router = "dc-gw1"


dc-gw1#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   90  P Standby 100.0.10.3      local           100.0.10.1
Gi2         20   90  P Standby 100.0.20.3      local           100.0.20.1
dc-gw1#


HSRP Status on Router = "dc-gw2"


dc-gw2#sh standby b
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   100 P Active  local           100.0.10.2      100.0.10.1
Gi2         20   100 P Active  local           100.0.20.2      100.0.20.1
dc-gw2#


DMVPN Status On DC Router = "dc-gw1"


dc-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

dc-gw1#


DMVPN Status On DC Router = "dc-gw2"


dc-gw2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel2, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 20.0.0.2            172.20.20.2    UP 00:32:11     D

dc-gw2#


DMVPN Status On Site Router = "site-a-gw1"


site-a-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.0.0.2            172.20.10.1   IKE 00:00:21     S

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 40.0.0.2            172.20.20.1    UP 00:34:44     S

site-a-gw1#sh ip nhrp nhs redundancy

Legend: E=Expecting replies, R=Responding, W=Waiting
No.  Interface  Cluster             NHS Priority  Cur-State  Cur-Queue Prev-State Prev-Queue
1    Tunnel1        0     172.20.10.1        0          E    Running
2    Tunnel2        0     172.20.20.1        0         RE    Running          E    Running

No.  Interface  Cluster   Status  Max-Con  Total-NHS Registering/UP  Expecting  Waiting Fallback
1    Tunnel1        0  Disable  Not Set          1              1          0        0        0
2    Tunnel2        0  Disable  Not Set          1              1          0        0        0

site-a-gw1#
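The "sh dmvpn" output in the status section after the cloud configuration and again here in the fallback test is what an operator watches to catch a failed cloud: on the spoke the peer state drops from UP to IKE, and on the failed hub the command prints the legend and nothing else. The following Python parser is an added example, not code from the article or from Cisco: it turns "sh dmvpn" text into peer records and reports tunnels whose peer is not UP or which have disappeared entirely. The three captures are trimmed copies of the article's output (the healthy spoke, the spoke after dc-gw1's Internet link was shut, and dc-gw1 itself in that state).

```python
# Added example, not part of the article: parse 'show dmvpn' output and flag
# unhealthy or missing DMVPN tunnels. Useful as a poll-based health check.
import re
from dataclasses import dataclass

# Trimmed copy of the article's site-a-gw1 'sh dmvpn' output with both clouds up.
HEALTHY_SPOKE = """\
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.2            172.20.10.1    UP 00:27:48     S

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 40.0.0.2            172.20.20.1    UP 00:27:58     S
"""
# Same spoke during the fallback test: Tunnel1 peer stuck in IKE (from the article).
DEGRADED_SPOKE = HEALTHY_SPOKE.replace("172.20.10.1    UP 00:27:48", "172.20.10.1   IKE 00:00:21")
# dc-gw1 during the fallback test: no tunnel interface listed at all (from the article).
DEGRADED_HUB = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
==========================================================================
"""

@dataclass(frozen=True)
class Peer:
    interface: str   # TunnelN
    role: str        # Hub or Spoke
    nbma: str        # peer NBMA (underlay) address
    tunnel_ip: str   # peer tunnel (overlay) address
    state: str       # UP, IKE, NHRP, ...
    updown: str      # UpDn Tm column
    attrb: str       # S static / D dynamic

_IFACE = re.compile(r"Interface: (\S+), IPv4 NHRP Details")
_TYPE = re.compile(r"Type:(\w+), NHRP Peers:(\d+)")
# Six whitespace-separated columns starting with the entry count; the header
# and legend lines never match because they do not start with a number.
_ENTRY = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_show_dmvpn(text: str) -> list:
    """Return one Peer per NHRP entry line, tagged with its tunnel interface and role."""
    peers, iface, role = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _IFACE.match(line):
            iface, role = m.group(1), None
        elif m := _TYPE.match(line):
            role = m.group(1)
        elif iface and (m := _ENTRY.match(line)):
            _, nbma, tun, state, updn, attrb = m.groups()
            peers.append(Peer(iface, role, nbma, tun, state, updn, attrb))
    return peers

def peers_not_up(peers: list) -> list:
    """Peers in any state other than UP (IKE, NHRP, ... all mean the tunnel is not usable)."""
    return [p for p in peers if p.state != "UP"]

def missing_tunnels(peers: list, expected: set) -> set:
    """Tunnels we expect to see but which have no NHRP peer at all."""
    return set(expected) - {p.interface for p in peers}

def report(text: str, expected: set) -> dict:
    """Summarise one 'show dmvpn' capture against the set of tunnels that should exist."""
    peers = parse_show_dmvpn(text)
    return {
        "not_up": [(p.interface, p.tunnel_ip, p.state) for p in peers_not_up(peers)],
        "missing": sorted(missing_tunnels(peers, expected)),
    }

if __name__ == "__main__":
    print("healthy spoke :", report(HEALTHY_SPOKE, {"Tunnel1", "Tunnel2"}))
    print("degraded spoke:", report(DEGRADED_SPOKE, {"Tunnel1", "Tunnel2"}))
    print("degraded hub  :", report(DEGRADED_HUB, {"Tunnel1"}))
```

The expected tunnel set matters: a hub with no peers prints no "Interface:" section at all, so a check that only looks at listed entries would report the failed hub as healthy. Feed the function the raw text captured from the router; it keys on column order, not column widths, so the spacing differences between IOS releases do not break it.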


Routes Learned By DC Router = "dc-gw1"


dc-gw1#sh ip ospf neighbor
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.2/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.2/32 is directly connected, GigabitEthernet2
dc-gw1#


Routes Learned By DC Router = "dc-gw2"


dc-gw2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:01:54    172.20.20.2     Tunnel2
dc-gw2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 40.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 40.0.0.1
40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        40.0.0.0/29 is directly connected, GigabitEthernet1
L        40.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.3/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.3/32 is directly connected, GigabitEthernet2
172.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
O        172.20.10.2/32 [110/1000] via 172.20.20.2, 00:15:20, Tunnel2
C        172.20.20.0/24 is directly connected, Tunnel2
L        172.20.20.1/32 is directly connected, Tunnel2
O        172.20.20.2/32 [110/1000] via 172.20.20.2, 00:15:20, Tunnel2
O E2  192.168.10.0/24 [110/20] via 172.20.20.2, 00:15:20, Tunnel2
O E2  192.168.20.0/24 [110/20] via 172.20.20.2, 00:15:20, Tunnel2
dc-gw2#


Routes Learned By Site Router = "site-a-gw1"


site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.20.1       0   FULL/  -        00:01:31    172.20.20.1     Tunnel2
site-a-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.0.0.1
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/30 is directly connected, GigabitEthernet1
L        20.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/24 is subnetted, 2 subnets
O E2     100.0.10.0 [110/20] via 172.20.20.1, 00:16:31, Tunnel2
O E2     100.0.20.0 [110/20] via 172.20.20.1, 00:16:31, Tunnel2
172.20.0.0/16 is variably subnetted, 5 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
L        172.20.10.2/32 is directly connected, Tunnel1
C        172.20.20.0/24 is directly connected, Tunnel2
O        172.20.20.1/32 [110/1000] via 172.20.20.1, 00:16:31, Tunnel2
L        172.20.20.2/32 is directly connected, Tunnel2
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet2
L        192.168.10.1/32 is directly connected, GigabitEthernet2
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet3
L        192.168.20.1/32 is directly connected, GigabitEthernet3
site-a-gw1#


Here are trace-route results which show the path from the app1 server in the DC to the user computer at site A. Traffic from the app1 server now goes to router dc-gw2 (100.0.10.3), then to the site A router (172.20.20.2). This means traffic is going via tunnel 2 between routers dc-gw2 and site-a-gw1.


app1> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
1   100.0.10.3   2.000 ms  2.000 ms  2.501 ms
2   172.20.20.2   17.003 ms  20.504 ms  19.004 ms
3   *192.168.10.10   19.004 ms (ICMP type:3, code:3, Destination port unreachable)

app1>


These traceroute results show that in case of an Internet link or router failure (DMVPN cloud failure), traffic flows through the second router (the second DMVPN cloud).


This completes our goal 2: dynamic routing between the DC and site routers, which gives us redundancy of the routers in the DC. This is the end of Part 10. We have seen a Dual Hub Dual Cloud Phase 3 DMVPN setup with OSPF as the dynamic routing protocol, along with its sample configuration. Anyone working on a DMVPN setup using Cisco routers with IOS XE may use this configuration.

This is the last article in this series on IPsec VPN configuration on the IOS XE platform.


I hope you find this helpful.
