Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Dual Hub Dual DMVPN with different transport

Hello Cisco Tech,

 

presently I have been working on a project between Dual DMVPN network with dual Hub. I did the configuration on GNS3. Every hub and spoke location has one single Router. The spoke has no redundancy link. But both Hub has different transport link between them. The primary link between the both hub is metroethernet and the redundant is Internet. The spoke move to redundant tunnel when the primary tunnel fails. But I would like to know if the primary trasnport (metroethernet) link fails how could the the both hub router can communicate with each other over Internet transport link . Because every hub has different network/cloud. None of the Hub router has any redundant Internet link.

It would be nice if any person can send a configuration example for such kind of scenario. Thanks in advance.

 

Pial 

  • WAN Routing and Switching
1 ACCEPTED SOLUTION

Accepted Solutions
New Member

You can try the following

You can try the following configuration:

crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 2
lifetime 86400
 
crypto isakmp key cisco123 address OTHER-HUB
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
mode transport

crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set strong

int tunnel 1

 bandwidth xxx
 ip address 192.168.10.x 255.255.255.252
 tunnel source gig1/0
 tunnel destination OTHER-HUB
 tunnel protection ipsec profile protect-gre

8 REPLIES
Super Bronze

DisclaimerThe Author of this

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Although your MetroE and Internet are different clouds, you can intercommunicate between then on any router that has connections to both.  For those devices that do route across both, you can prefer one over the other if the same destination is reachable from either.

New Member

Hello Joseph, I appreciate

Hello Joseph,

 

I appreciate for your quick reply. But can you please send me an configuration example on the Both hub side configuration example? I have added both hub present config as well as the diagram example.

 

 

New Member

You can create a GRE tunnel

You can create a GRE tunnel between the two hubs over the internet and use EIGRP to use this route if metroethernet failes. A example of the config, replace THIS-HUB and OTHER-HUB with the public ip addresses.

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
 mode transport

crypto map vpn 10 ipsec-isakmp
 set peer OTHER-HUB
 set transform-set strong
 match address 111

interface Tunnel1
 bandwidth
 ip address 192.168.10.x 255.255.255.252
 tunnel source gig1/0
 tunnel destination OTHER-HUB
 crypto map vpn
!
access-list 111 permit gre host THIS-HUB host OTHER-HUB

New Member

Hello Joseph, thanks again

Hello Joseph,

 

thanks again for your quick reply. Presently we have 1841 router with ios 12.4. Currently we have the same configuration what you have sent. But now we have ISR series router for Hub which has 15.3 and we cannot create  crypto map on tunnel interface. Here is the message when crypto map is configured on tunnel interface.

crypto map Backup_Hub
% NOTE: crypto map is configured on tunnel interface.
        Currently only GDOI crypto map is supported on tunnel interface.

 

New Member

You can try the following

You can try the following configuration:

crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 2
lifetime 86400
 
crypto isakmp key cisco123 address OTHER-HUB
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
mode transport

crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set strong

int tunnel 1

 bandwidth xxx
 ip address 192.168.10.x 255.255.255.252
 tunnel source gig1/0
 tunnel destination OTHER-HUB
 tunnel protection ipsec profile protect-gre

New Member

Hello mate, I do apologize

Hello mate,

 

I do apologize for late reply. The command you have sent last time worked like a charm. Thanks a lot for giving that time.  But after changes to DMVPN two locations have issues and the rest locations are working perfectly as it was expected. One of the location don't distribute the static subnet properly and another is not working due to some ios issue. Now I am sending you the which cannot redistribute properly. What I marked that the static route at spoke location is appeared as internal route on spoke as well as well Hub side which should be as external. I have defined the command as "redistribute static metric 10000 100 255 1 1500". But it didn't bring anything better. I cleared the route and tunnel. But the result is same as usual. 

Here is the output: 

Spoke side

Topology output:

sh ip eigrp topology 10.191.0.0/16
IP-EIGRP (AS 100): Topology entry for 10.191.0.0/16
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 28160
  Routing Descriptor Blocks:
  10.0.219.254, from Rstatic, Send flag is 0x0
      Composite metric is (28160/0), Route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 0
  172.26.100.91 (Tunnel0), from 172.26.100.1, Send flag is 0x0
      Composite metric is (3074560/2818560), Route is Internal
      Vector metric:
        Minimum bandwidth is 1000 Kbit
        Total delay is 20100 microseconds
        Reliability is 255/255
        Load is 47/255
        Minimum MTU is 1400
        Hop count is 2

Spoke Configuration:

 

ip prefix-list Static-Redist seq 5 permit 10.191.0.0/16
ip prefix-list Static-Redist seq 10 permit 10.192.0.0/16
ip prefix-list Static-Redist seq 15 permit 10.193.0.0/16
ip prefix-list Static-Redist seq 20 permit 10.196.0.0/16
ip prefix-list Static-Redist seq 25 permit 10.198.0.0/16
ip prefix-list Static-Redist seq 30 permit 10.0.219.0/24

 

route-map Static-to-EIGRP permit 10
 match ip address prefix-list Static-Redist

 

router eigrp 100
 redistribute static route-map Static-to-EIGRP metric 10000 100 255 1 1500
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 network 10.0.0.0
 network 172.26.100.0 0.0.0.255
 no auto-summary
 eigrp router-id 10.0.219.252
 eigrp event-logging

 

ip route 0.0.0.0 0.0.0.0 88.X.X.X

ip route 10.191.0.0 255.255.0.0 10.0.219.254
ip route 10.192.0.0 255.255.0.0 10.0.219.254
ip route 10.193.0.0 255.255.0.0 10.0.219.254
ip route 10.196.0.0 255.255.0.0 10.0.219.254
ip route 10.198.0.0 255.255.0.0 10.0.219.254

 

 

 

New Member

You have a network statement

You have a network statement with the 10.0.0.0/8 network. All static routes in 10.0.0.0/8 will be redistributed as internal. If you remove network 10.0.0.0 they should appear external. If you have other networks in 10.0.0.0/8 that need te be internal you should ad a more specific network statement.

New Member

Hello Joseph,you are right: I

Hello Joseph,

you are right: I have edited those lines under eigrp process and the network appears as external. But unfortunately I couldn't access the remote (DMVPN) local network still now. Before the remote users could able to access the local network at hub side. But now the user from remote local network (over DMVPN) cannot access the local network at hub and all central databank are unaccessable. The local Hub has different interface which are connected to Metro-Ethernet and I have change all the Metro-Ethernet locations to proper WAN network 10.0.0.0/17 instead of 10.0.0.0/8 and those remote users (over DMVPN) can access the local networks at Metro-Ethernet. So what I understand that the redistribute static network from remote (DMVPN) spoke's local network and HUB's local network are unaccessable.

I have added the log and present config from Hub and Spoke.

 

670
Views
5
Helpful
8
Replies