This is the tenth and last article in the series about configuring VPN tunnels in IOS XE. [ Link to Part 1 ] [ Link to Part 2 ] [ Link to Part 3 ] [ Link to Part 4 ] [ Link to Part 5 ] [ Link to Part 6 ] [ Link to Part 7 ] [ Link to Part 8 ] [ Link to Part 9 ]
In the previous part, I configured a Dual Hub Phase 3 DMVPN cloud. In this article, I will show how to build a Dual Hub Dual Cloud Phase 3 Dynamic Multipoint VPN (DMVPN).
This is an imaginary setup of a company which has a Data Centre (DC) with application and storage servers. Site A connects to the DC via IPsec VPN tunnels with the Internet as the underlay. Details of IP addresses, device connections, and the OSPF area are as shown in the diagram.
Goals of this scenario are -
1) Create two DMVPN clouds, one on "dc-gw1" and one on "dc-gw2", and connect router "site-a-gw1" to both clouds.
2) Configure dynamic routing between the DC and site routers.
The router IOS version used for this setup is -
dc-gw1, dc-gw2, site-a-gw1 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
I configured the interface IPs on the DC routers and the site router and added a default route towards the Internet router. This simulates the underlay Internet links for the DC and the site.
Interface And Route Configuration On DC Router = "dc-gw1"
track 1 interface GigabitEthernet1 line-protocol
!
interface GigabitEthernet1
 platform ring rx 256
 ip address 10.0.0.2 255.255.255.248
 negotiation auto
!
interface GigabitEthernet2
 platform ring rx 256
 ip address 100.0.20.2 255.255.255.0 secondary
 ip address 100.0.10.2 255.255.255.0
 standby 10 ip 100.0.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 track 1 decrement 20
 standby 20 ip 100.0.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 track 1 decrement 20
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Interface And Route Configuration On DC Router = "dc-gw2"
interface GigabitEthernet1
 platform ring rx 256
 ip address 40.0.0.2 255.255.255.248
 negotiation auto
!
interface GigabitEthernet2
 platform ring rx 256
 ip address 100.0.20.3 255.255.255.0 secondary
 ip address 100.0.10.3 255.255.255.0
 standby 10 ip 100.0.10.1
 standby 10 preempt
 standby 20 ip 100.0.20.1
 standby 20 preempt
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 40.0.0.1
Interface And Route Configuration On Site Router = "site-a-gw1"
interface GigabitEthernet1
 platform ring rx 256
 ip address 20.0.0.2 255.255.255.252
 negotiation auto
!
interface GigabitEthernet2
 platform ring rx 256
 ip vrf forwarding app
 ip address 192.168.10.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 platform ring rx 256
 ip vrf forwarding storage
 ip address 192.168.20.1 255.255.255.0
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 20.0.0.1
Next is creating a DMVPN cloud on each DC router and connecting the site router to these clouds.
DMVPN Cloud Configuration On DC Router = "dc-gw1"
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key acme address 0.0.0.0
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile tunnel-to-site
 set transform-set AES-256-SHA
!
interface Tunnel1
 description DMVPN Tunnel to Sites
 ip address 172.20.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication acme
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 10
 ip nhrp registration timeout 3
 ip nhrp shortcut
 ip nhrp redirect
 ip ospf network point-to-multipoint
 keepalive 10 3
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile tunnel-to-site
DMVPN Cloud Configuration On DC Router = "dc-gw2"
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key acme address 0.0.0.0
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile tunnel-to-site
 set transform-set AES-256-SHA
!
interface Tunnel2
 description DMVPN Tunnel to Sites
 ip address 172.20.20.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication acme
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 10
 ip nhrp registration timeout 3
 ip nhrp shortcut
 ip nhrp redirect
 ip ospf network point-to-multipoint
 keepalive 10 3
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 20
 tunnel protection ipsec profile tunnel-to-site
DMVPN Configuration On Site Router = "site-a-gw1"
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key acme address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile tunnel-to-dc
 set transform-set AES-256-SHA
!
interface Tunnel1
 description DMVPN Tunnel to DC
 ip address 172.20.10.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication acme
 ip nhrp map 172.20.10.1 10.0.0.2
 ip nhrp map multicast 10.0.0.2
 ip nhrp network-id 1
 ip nhrp holdtime 10
 ip nhrp nhs 172.20.10.1
 ip nhrp shortcut
 ip nhrp redirect
 ip ospf network point-to-multipoint
 keepalive 10 3
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile tunnel-to-dc
!
interface Tunnel2
 description DMVPN Tunnel to DC
 ip address 172.20.20.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication acme
 ip nhrp map 172.20.20.1 40.0.0.2
 ip nhrp map multicast 40.0.0.2
 ip nhrp network-id 2
 ip nhrp holdtime 10
 ip nhrp nhs 172.20.20.1
 ip nhrp shortcut
 ip nhrp redirect
 ip ospf network point-to-multipoint
 keepalive 10 3
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 20
 tunnel protection ipsec profile tunnel-to-dc
DMVPN Status On DC Router = "dc-gw1"
dc-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 20.0.0.2           172.20.10.2    UP 00:22:01     D

dc-gw1#
DMVPN Status On DC Router = "dc-gw2"
dc-gw2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel2, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 20.0.0.2           172.20.20.2    UP 00:26:22     D

dc-gw2#
DMVPN Status On Site Router = "site-a-gw1"
site-a-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.2           172.20.10.1    UP 00:27:48     S

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 40.0.0.2           172.20.20.1    UP 00:27:58     S

site-a-gw1#sh ip nhrp nhs redundancy
Legend: E=Expecting replies, R=Responding, W=Waiting
No.  Interface  Cluster  NHS          Priority  Cur-State  Cur-Queue  Prev-State  Prev-Queue
1    Tunnel1    0        172.20.10.1  0         RE         Running    E           Running
2    Tunnel2    0        172.20.20.1  0         RE         Running    E           Running

No.  Interface  Cluster  Status   Max-Con  Total-NHS  Registering/UP  Expecting  Waiting  Fallback
1    Tunnel1    0        Disable  Not Set  1          1               0          0        0
2    Tunnel2    0        Disable  Not Set  1          1               0          0        0
site-a-gw1#
This completes goal 1: we have a Dual Hub Dual Cloud DMVPN on the DC routers, and the site router is connected to both clouds. There are two tunnels from the router at site A to the two DC routers: tunnel 1 (172.20.10.2) connects to router "dc-gw1" (172.20.10.1), and tunnel 2 (172.20.20.2) connects to router "dc-gw2" (172.20.20.1).
The next part is about implementing dynamic routing using OSPF.
OSPF Configuration On DC Router = "dc-gw1"
router ospf 100
 router-id 172.20.10.1
 redistribute connected subnets route-map ospf-redistribute
 network 172.20.10.0 0.0.0.255 area 0
!
route-map ospf-redistribute permit 10
 match interface GigabitEthernet2
OSPF Configuration On DC Router = "dc-gw2"
router ospf 100
 router-id 172.20.20.1
 redistribute connected subnets route-map ospf-redistribute
 network 172.20.20.0 0.0.0.255 area 0
!
route-map ospf-redistribute permit 10
 match interface GigabitEthernet2
OSPF Configuration On Site Router = "site-a-gw1"
router ospf 100
 redistribute connected subnets route-map ospf-redistribute
 network 172.20.10.0 0.0.0.255 area 0
 network 172.20.20.0 0.0.0.255 area 0
!
route-map ospf-redistribute permit 10
 match interface GigabitEthernet2 GigabitEthernet3
This OSPF configuration is basic and uses a single area; it distributes routes between the DC routers and the site router.
I configured a route map that matches the interfaces connecting to the DC servers and the site LANs, and this route map is used when redistributing connected subnets into OSPF. This also avoids redistributing the subnets configured on the Internet-side interfaces.
Routes Learned By DC Router = "dc-gw1"
dc-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:01:32    172.20.10.2     Tunnel1
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/29 is directly connected, GigabitEthernet1
L        10.0.0.2/32 is directly connected, GigabitEthernet1
      100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.2/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.2/32 is directly connected, GigabitEthernet2
      172.20.0.0/16 is variably subnetted, 5 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
L        172.20.10.1/32 is directly connected, Tunnel1
O        172.20.10.2/32 [110/1000] via 172.20.10.2, 00:05:09, Tunnel1
O        172.20.20.1/32 [110/2000] via 172.20.10.2, 00:05:09, Tunnel1
O        172.20.20.2/32 [110/1000] via 172.20.10.2, 00:05:09, Tunnel1
O E2  192.168.10.0/24 [110/20] via 172.20.10.2, 00:05:09, Tunnel1
O E2  192.168.20.0/24 [110/20] via 172.20.10.2, 00:05:09, Tunnel1
dc-gw1#
Routes Learned By DC Router = "dc-gw2"
dc-gw2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:01:49    172.20.20.2     Tunnel2
dc-gw2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 40.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 40.0.0.1
      40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        40.0.0.0/29 is directly connected, GigabitEthernet1
L        40.0.0.2/32 is directly connected, GigabitEthernet1
      100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.3/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.3/32 is directly connected, GigabitEthernet2
      172.20.0.0/16 is variably subnetted, 5 subnets, 2 masks
O        172.20.10.1/32 [110/2000] via 172.20.20.2, 00:09:12, Tunnel2
O        172.20.10.2/32 [110/1000] via 172.20.20.2, 00:09:12, Tunnel2
C        172.20.20.0/24 is directly connected, Tunnel2
L        172.20.20.1/32 is directly connected, Tunnel2
O        172.20.20.2/32 [110/1000] via 172.20.20.2, 00:09:12, Tunnel2
O E2  192.168.10.0/24 [110/20] via 172.20.20.2, 00:09:12, Tunnel2
O E2  192.168.20.0/24 [110/20] via 172.20.20.2, 00:09:12, Tunnel2
dc-gw2#
Routes Learned By Site Router = "site-a-gw1"
site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.20.1       0   FULL/  -        00:01:51    172.20.20.1     Tunnel2
172.20.10.1       0   FULL/  -        00:01:45    172.20.10.1     Tunnel1
site-a-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.0.0.1
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/30 is directly connected, GigabitEthernet1
L        20.0.0.2/32 is directly connected, GigabitEthernet1
      100.0.0.0/24 is subnetted, 2 subnets
O E2     100.0.10.0 [110/20] via 172.20.20.1, 00:11:00, Tunnel2
                    [110/20] via 172.20.10.1, 00:11:10, Tunnel1
O E2     100.0.20.0 [110/20] via 172.20.20.1, 00:11:00, Tunnel2
                    [110/20] via 172.20.10.1, 00:11:10, Tunnel1
      172.20.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
O        172.20.10.1/32 [110/1000] via 172.20.10.1, 00:11:10, Tunnel1
L        172.20.10.2/32 is directly connected, Tunnel1
C        172.20.20.0/24 is directly connected, Tunnel2
O        172.20.20.1/32 [110/1000] via 172.20.20.1, 00:11:00, Tunnel2
L        172.20.20.2/32 is directly connected, Tunnel2
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet2
L        192.168.10.1/32 is directly connected, GigabitEthernet2
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet3
L        192.168.20.1/32 is directly connected, GigabitEthernet3
site-a-gw1#
Here are ping results that show connectivity between the app server in the DC and a user computer in the branch site.
app1> ping 192.168.10.10
84 bytes from 192.168.10.10 icmp_seq=1 ttl=62 time=14.500 ms
84 bytes from 192.168.10.10 icmp_seq=2 ttl=62 time=22.500 ms
84 bytes from 192.168.10.10 icmp_seq=3 ttl=62 time=31.500 ms
84 bytes from 192.168.10.10 icmp_seq=4 ttl=62 time=13.500 ms
84 bytes from 192.168.10.10 icmp_seq=5 ttl=62 time=15.000 ms
app1>
And here are traceroute results which show the path from the app1 server in the DC to the user computer in site A. Traffic from the app1 server goes to the dc-gw1 router (100.0.10.2), then to the site A router (172.20.10.2). This means traffic is going via tunnel 1 between routers dc-gw1 and site-a-gw1.
app1> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
 1   100.0.10.2   2.500 ms  1.500 ms  1.000 ms
 2   *172.20.10.2   20.000 ms  19.500 ms
 3   *192.168.10.10   20.000 ms (ICMP type:3, code:3, Destination port unreachable)
app1>
Traffic from the app1 server in the DC goes to the dc-gw1 router (100.0.10.2) because "dc-gw1" is the HSRP "active" router for the virtual gateway address. From there the traffic follows the route received via OSPF. Return traffic from the user PC to the app1 server enters the site-a-gw1 router first and then goes to the dc-gw1 router, again as per the route received via OSPF.
HSRP Status on Router = "dc-gw1"
dc-gw1#sh standby b
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   110 P Active  local           100.0.10.3      100.0.10.1
Gi2         20   110 P Active  local           100.0.20.3      100.0.20.1
dc-gw1#
HSRP Status on Router = "dc-gw2"
dc-gw2#sh standby b
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   100 P Standby 100.0.10.2      local           100.0.10.1
Gi2         20   100 P Standby 100.0.20.2      local           100.0.20.1
dc-gw2#
Fallback Test
When I shut down the Internet interface on the "dc-gw1" router, the tracked object goes down, the HSRP groups on its LAN interface lose 20 from their priority (110 becomes 90, below the 100 on "dc-gw2"), "dc-gw1" becomes "standby", and all traffic from the DC is diverted to router "dc-gw2". In this situation the VPN tunnel on "dc-gw1" goes down and the only routes learned by the site router are those from "dc-gw2". Refer to the HSRP status, DMVPN status, routing tables and traceroute results given below.
HSRP Status on Router = "dc-gw1"
dc-gw1#sh standby b
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   90  P Standby 100.0.10.3      local           100.0.10.1
Gi2         20   90  P Standby 100.0.20.3      local           100.0.20.1
dc-gw1#
HSRP Status on Router = "dc-gw2"
dc-gw2#sh standby b
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi2         10   100 P Active  local           100.0.10.2      100.0.10.1
Gi2         20   100 P Active  local           100.0.20.2      100.0.20.1
dc-gw2#
DMVPN Status On DC Router = "dc-gw1"
dc-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

dc-gw1#
DMVPN Status On DC Router = "dc-gw2"
dc-gw2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel2, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 20.0.0.2           172.20.20.2    UP 00:32:11     D

dc-gw2#
DMVPN Status On Site Router = "site-a-gw1"
site-a-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.2           172.20.10.1   IKE 00:00:21     S

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 40.0.0.2           172.20.20.1    UP 00:34:44     S

site-a-gw1#sh ip nhrp nhs redundancy
Legend: E=Expecting replies, R=Responding, W=Waiting
No.  Interface  Cluster  NHS          Priority  Cur-State  Cur-Queue  Prev-State  Prev-Queue
1    Tunnel1    0        172.20.10.1  0         E          Running
2    Tunnel2    0        172.20.20.1  0         RE         Running    E           Running

No.  Interface  Cluster  Status   Max-Con  Total-NHS  Registering/UP  Expecting  Waiting  Fallback
1    Tunnel1    0        Disable  Not Set  1          1               0          0        0
2    Tunnel2    0        Disable  Not Set  1          1               0          0        0
site-a-gw1#
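A check that reads "show dmvpn" output like the spoke status under goal 1 and the fallback status just above, added here as an example and not part of the original article or of IOS XE: it parses the per-interface peer rows and flags a tunnel whose peer is not UP (the Tunnel1 peer stuck in IKE during the test) or a hub that lists no peers at all (as dc-gw1 did). The two sample outputs are constructed in the same layout with the lab's addresses, not captures from the lab.

```python
import re
from typing import Dict, List

# Constructed sample in the layout IOS XE uses for "show dmvpn" on a spoke, at
# the moment of the fallback test: the Tunnel1 hub has lost its Internet link,
# so that peer is stuck in IKE while Tunnel2 stays UP (not a lab capture).
SPOKE_FALLBACK = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.2           172.20.10.1   IKE 00:00:21     S

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 40.0.0.2           172.20.20.1    UP 00:34:44     S
"""

# Constructed sample for a hub whose only spoke has dropped off: IOS XE prints
# the legend and no interface section at all, as dc-gw1 did during the test.
HUB_ISOLATED = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
"""

_IFACE = re.compile(r"^Interface:\s*(\S+),")
_ROLE = re.compile(r"^Type:\s*(\w+),")
# peer rows: "<# Ent> <NBMA addr> <tunnel addr> <state> <UpDn time> <attrb>"
_PEER = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_dmvpn(text: str) -> List[Dict[str, str]]:
    """Return one record per NHRP peer row, tagged with its tunnel and role."""
    peers: List[Dict[str, str]] = []
    iface, role = None, None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            iface, role = m.group(1), None   # new "Interface: TunnelN" section
            continue
        m = _ROLE.match(line)
        if m:
            role = m.group(1)                # Hub or Spoke
            continue
        m = _PEER.match(line)
        if m and iface:                      # legend lines never start with a digit
            _, nbma, tunnel, state, updn, attrb = m.groups()
            peers.append({"interface": iface, "role": role or "?", "nbma": nbma,
                          "tunnel": tunnel, "state": state, "updn": updn,
                          "attrb": attrb})
    return peers


def dmvpn_alerts(text: str, expected_tunnels: List[str]) -> List[str]:
    """Flag expected tunnels with no NHRP peers and peers whose state is not UP."""
    peers = parse_show_dmvpn(text)
    seen = {p["interface"] for p in peers}
    alerts = [f"{t}: no NHRP peers registered" for t in expected_tunnels
              if t not in seen]
    for p in peers:
        if p["state"] != "UP":
            alerts.append(f'{p["interface"]}: peer {p["tunnel"]} (NBMA {p["nbma"]}) '
                          f'is {p["state"]}, expected UP')
    return alerts
```

Run dmvpn_alerts over the output collected from each router with the list of tunnels it should have; a non-empty result is the condition that, in the fallback test, coincides with traffic moving to the second cloud.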
Routes Learned By DC Router = "dc-gw1"
dc-gw1#sh ip ospf neighbor
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.2/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.2/32 is directly connected, GigabitEthernet2
dc-gw1#
Routes Learned By DC Router = "dc-gw2"
dc-gw2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:01:54    172.20.20.2     Tunnel2
dc-gw2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 40.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 40.0.0.1
      40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        40.0.0.0/29 is directly connected, GigabitEthernet1
L        40.0.0.2/32 is directly connected, GigabitEthernet1
      100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.3/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet2
L        100.0.20.3/32 is directly connected, GigabitEthernet2
      172.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
O        172.20.10.2/32 [110/1000] via 172.20.20.2, 00:15:20, Tunnel2
C        172.20.20.0/24 is directly connected, Tunnel2
L        172.20.20.1/32 is directly connected, Tunnel2
O        172.20.20.2/32 [110/1000] via 172.20.20.2, 00:15:20, Tunnel2
O E2  192.168.10.0/24 [110/20] via 172.20.20.2, 00:15:20, Tunnel2
O E2  192.168.20.0/24 [110/20] via 172.20.20.2, 00:15:20, Tunnel2
dc-gw2#
Routes Learned By Site Router = "site-a-gw1"
site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.20.1       0   FULL/  -        00:01:31    172.20.20.1     Tunnel2
site-a-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.0.0.1
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/30 is directly connected, GigabitEthernet1
L        20.0.0.2/32 is directly connected, GigabitEthernet1
      100.0.0.0/24 is subnetted, 2 subnets
O E2     100.0.10.0 [110/20] via 172.20.20.1, 00:16:31, Tunnel2
O E2     100.0.20.0 [110/20] via 172.20.20.1, 00:16:31, Tunnel2
      172.20.0.0/16 is variably subnetted, 5 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
L        172.20.10.2/32 is directly connected, Tunnel1
C        172.20.20.0/24 is directly connected, Tunnel2
O        172.20.20.1/32 [110/1000] via 172.20.20.1, 00:16:31, Tunnel2
L        172.20.20.2/32 is directly connected, Tunnel2
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet2
L        192.168.10.1/32 is directly connected, GigabitEthernet2
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet3
L        192.168.20.1/32 is directly connected, GigabitEthernet3
site-a-gw1#
Here are traceroute results which show the path from the app1 server in the DC to the user computer in site A. Traffic from the app1 server now goes to the dc-gw2 router (100.0.10.3), then to the site A router (172.20.20.2). This means traffic is going via tunnel 2 between routers dc-gw2 and site-a-gw1.
app1> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
 1   100.0.10.3   2.000 ms  2.000 ms  2.501 ms
 2   172.20.20.2   17.003 ms  20.504 ms  19.004 ms
 3   *192.168.10.10   19.004 ms (ICMP type:3, code:3, Destination port unreachable)
app1>
These traceroute results show that if an Internet link or a router fails (one DMVPN cloud fails), traffic flows through the second router (the second DMVPN cloud).
This completes goal 2, configuring dynamic routing between the DC and site routers to achieve redundancy of the DC routers. This is the end of Part 10. We have seen a Dual Hub Dual Cloud Phase 3 DMVPN setup with OSPF as the dynamic routing protocol, and its sample configuration. Anyone working on a DMVPN setup using Cisco routers with IOS XE may use this configuration.
This is the last article in this series on IPsec VPN configurations on the IOS XE platform.
I hope you find this helpful.