Cisco DMVPN Spoke ISP Redundancy

teymur azimov
Level 1

Hi Dears,

I want to configure DMVPN on Cisco routers. I want to configure dual ISP at the spokes, with the ADSL link as primary and 3G as backup, and configure DMVPN.

How do I configure this on the hub and spoke sites? I want to use the EIGRP protocol.

2 Replies

Frank DeNofa
Cisco Employee

teymur,

 

It sounds like what you're looking for is a DMVPN configuration which implements two separate DMVPN clouds, as seen in this configuration guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html#dualhubdual

 

With this configuration, it is best to have two Hubs in separate physical locations for redundancy and physical recovery, but you can easily have both of the Hub tunnel interfaces configured on the same physical box. With this configuration, you will want to adjust the EIGRP metrics by means of configuring a "delay" on the backup Tunnel. This way your DMVPN spokes will operate in an active/active state and receive all necessary routes from both Hubs so they can fail over as necessary.

 

HTH,

Frank

Raja Periyasamy
Level 1

Hi Teymur,

You can configure a single tunnel interface on the spoke, the primary hub and the secondary hub for dual hub and dual ISP on the spoke.

Use an EEM script for failover between your ISP connections; you can configure both hubs on the same tunnel interface.

Introduce a delay on the secondary hub tunnel interface so that it is less preferred.

Spoke tunnel configuration:

interface Tunnel0
 bandwidth 1000
 ip address 10.10.0.12 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.10.0.1 172.16.1.1
 ip nhrp map 10.10.0.2 172.16.1.2
 ! Multicast maps so that EIGRP hellos from the spoke reach both hubs
 ip nhrp map multicast 172.16.1.1
 ip nhrp map multicast 172.16.1.2
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ! Primary Hub
 ip nhrp nhs 10.10.0.1
 ! Secondary Hub
 ip nhrp nhs 10.10.0.2
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

Primary Hub:

interface Tunnel0
 ip address 10.10.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

Secondary Hub:

interface Tunnel0
 ip address 10.10.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 ! Increase the delay so that routes learnt from this hub are less preferred
 delay 1500
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

For dual ISP failover on the spoke:

Configure tracking with IP SLA monitor. Then use an EEM script to change the source and route of the tunnel when the track fails.
If Ethernet0/0 is the primary WAN interface and Ethernet0/1 is the backup, then you can use the template below.

! Track reachability of the primary next hop through Ethernet0/0
track 1 ip sla 1 reachability
ip sla 1
 icmp-echo <Primary Next-hop IP> source-interface Ethernet0/0
 threshold 3000
 timeout 3000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla responder

! Track down: source the tunnel from the backup WAN and prefer the backup default route
event manager applet Failto-secondary-tunnel
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel0"
 action 1.3 cli command "shut"
 action 1.4 cli command "tunnel source Ethernet0/1"
 action 1.5 cli command "no shut"
 action 1.6 cli command "exit"
 action 1.7 cli command "ip route 0.0.0.0 0.0.0.0 <backup next-hop ip>"
 action 1.8 cli command "ip route 0.0.0.0 0.0.0.0 <Primary next-hop ip> 10"
 action 1.9 cli command "end"
! Track up: source the tunnel from the primary WAN again and prefer the primary default route
event manager applet Comeback-primary-tunnel
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel0"
 action 1.3 cli command "shut"
 action 1.4 cli command "tunnel source Ethernet0/0"
 action 1.5 cli command "no shut"
 action 1.6 cli command "exit"
 action 1.7 cli command "ip route 0.0.0.0 0.0.0.0 <Primary next-hop ip>"
 action 1.8 cli command "ip route 0.0.0.0 0.0.0.0 <backup next-hop ip> 10"
 action 1.9 cli command "end"

 

Hope that helps
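
An added example, not part of the reply above or of Cisco's documentation: with the spoke and both hubs sharing one mGRE tunnel, the tunnel key and NHRP authentication string have to agree on all three routers, every tunnel should carry IPsec protection, and each NHS on the spoke needs a static NHRP map. The Python check below runs over condensed copies of the three Tunnel0 configs from the post (constructed sample input; `parse` and `audit` are hypothetical helper names).

```python
# Constructed sample input: Tunnel0 lines condensed from the three configs in the post.
SHARED = """ ip nhrp authentication test
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
"""
CONFIGS = {
    "spoke": SHARED + """ ip nhrp map 10.10.0.1 172.16.1.1
 ip nhrp map 10.10.0.2 172.16.1.2
 ip nhrp nhs 10.10.0.1
 ip nhrp nhs 10.10.0.2
""",
    "primary-hub": SHARED + " ip address 10.10.0.1 255.255.255.0\n delay 1000\n",
    "secondary-hub": SHARED + " ip address 10.10.0.2 255.255.255.0\n delay 1500\n",
}
MUST_MATCH = ("ip nhrp authentication", "tunnel key")  # shared by the whole cloud
KEYWORDS = MUST_MATCH + ("tunnel protection ipsec profile", "ip nhrp map",
                         "ip nhrp nhs", "ip address", "delay")

def parse(text):
    """Map each keyword to the list of argument strings configured for it."""
    out = {k: [] for k in KEYWORDS}
    for line in text.splitlines():
        for k in KEYWORDS:
            if line.strip().startswith(k + " "):
                out[k].append(line.strip()[len(k):].strip())
    return out

def audit(configs):
    """Return findings for a spoke plus two hubs; an empty list means consistent."""
    parsed = {name: parse(text) for name, text in configs.items()}
    findings = []
    for k in MUST_MATCH:
        if len({tuple(p[k]) for p in parsed.values()}) != 1:
            findings.append(f"'{k}' differs between routers")
    for name, p in parsed.items():
        if not p["tunnel protection ipsec profile"]:
            findings.append(f"{name}: tunnel has no IPsec protection")
    spoke = parsed["spoke"]
    mapped = {m.split()[0] for m in spoke["ip nhrp map"]}
    hubs = {a.split()[0] for n, p in parsed.items() if n != "spoke" for a in p["ip address"]}
    for nhs in spoke["ip nhrp nhs"]:
        if nhs not in mapped:
            findings.append(f"NHS {nhs} has no 'ip nhrp map' entry on the spoke")
        if nhs not in hubs:
            findings.append(f"NHS {nhs} is not a hub tunnel address")
    delay = {n: int((p["delay"] or ["0"])[0]) for n, p in parsed.items()}
    if delay["secondary-hub"] <= delay["primary-hub"]:
        findings.append("secondary hub delay is not higher than the primary's")
    return findings
```

`audit(CONFIGS)` returns an empty list for the values in the post; changing the tunnel key on one hub or dropping `tunnel protection` from any router produces a finding.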

 

 
