As promised, next up is the Dual Hub AND Dual Cloud config using OSPF.

As in the previous post, I will be using this Cisco document: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html#dualhubdual

A few highlights on how this is different from the single cloud:

1. Each Hub connects to only a single cloud (as in our single cloud config), except this time the spokes connect to BOTH clouds instead of just one.

2. Because the spokes now have two tunnels to choose from (a tunnel to either Hub A or Hub B), we can modify the routing metrics on each tunnel to influence which path is taken (before, we only had one choice).

3. We now have the choice of using the SAME tunnel for both clouds (the doc calls it p-pGRE, or point-to-point GRE), or, if you use mGRE (multipoint GRE), you need different IPs per tunnel.

4. As the documentation states, this setup is a little trickier to configure, but it allows more control over where we want our routes to go.

Personally I’ve seen this dual cloud setup used in the field, not-so-much the single cloud.

[Image: dual cloud DMVPN topology]

OK so let’s go over this topology. To make things a bit easier, we’ll use OSPF area 0 all over.

Hub A will belong in DMVPN Cloud A and Hub B will have DMVPN Cloud B. Each cloud will have its own subnet. This means that each spoke will have two different tunnels, one per cloud, and a different subnet per tunnel corresponding to the cloud it's attached to.

Note: if you're going to do this in GNS3/VIRL/CML, you'll need to put a router into your DMVPN cloud. I have the following setup…

[Image: GNS3 dual cloud DMVPN lab topology]

R6 will run RIP and advertise all of its interfaces. Inside our “provider cloud” I have the 172.17.0.0 network, so on each router start a RIP process and advertise the 172.17.x.x network. I also enabled OSPF area 0 on the tunnel IP and loopback interfaces.

So let’s start on Hub A (R2)

interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication MEETUP
 ip nhrp map multicast dynamic
 ip nhrp network-id 1234
 ip ospf network broadcast
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1234

On Hub B (R3) let’s do

interface Tunnel0
 bandwidth 1000
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication MEETUP
 ip nhrp map multicast dynamic
 ip nhrp network-id 5678
 ip ospf network broadcast
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

Where this becomes trickier is the spokes. We want to create two DMVPN clouds, so we’ll create two tunnels per spoke, one pointing to each hub. Don’t forget to change the network type to broadcast and the OSPF priority to 0! Also, for the spokes, remember to advertise both the networks behind your spoke and the tunnel subnets.

Spoke R4
—-
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication MEETUP
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.0.0.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel destination 172.17.0.1
interface Tunnel1
 bandwidth 1000
 ip address 10.0.1.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication MEETUP
 ip nhrp map 10.0.1.1 172.17.0.5
 ip nhrp network-id 5678
 ip nhrp nhs 10.0.1.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel destination 172.17.0.5
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.255.255 area 0

Spoke R5
————
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.12 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication MEETUP
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.0.0.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1234
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.255.255 area 0

interface Tunnel1
 ip address 10.0.1.12 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication MEETUP
 ip nhrp map 10.0.1.1 172.17.0.5
 ip nhrp network-id 5678
 ip nhrp nhs 10.0.1.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

Now let’s grab one of the spokes, let’s say R4, and do some show commands…

R4#sh dmvpn
Legend: Attrb –> S – Static, D – Dynamic, I – Incompletea
        N – NATed, L – Local, X – No Socket
        # Ent –> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 —– ————— ————— —– ——– —–
     1      172.17.0.1        10.0.0.1  NHRP 00:15:43 S

Tunnel1, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 —– ————— ————— —– ——– —–
     1      172.17.0.5       10.0.1.11  NHRP    never S

R4#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
       D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
       N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
       E1 – OSPF external type 1, E2 – OSPF external type 2
       i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
       ia – IS-IS inter area, * – candidate default, U – per-user static route
       o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/30 is subnetted, 4 subnets
R       172.17.0.12 [120/1] via 172.17.0.10, 00:00:16, FastEthernet0/0
C       172.17.0.8 is directly connected, FastEthernet0/0
R       172.17.0.4 [120/1] via 172.17.0.10, 00:00:16, FastEthernet0/0
R       172.17.0.0 [120/1] via 172.17.0.10, 00:00:16, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O       10.0.0.12/32 [110/200] via 10.0.1.1, 00:01:55, Tunnel1
O       10.0.1.12/32 [110/200] via 10.0.1.1, 00:01:55, Tunnel1
O       10.0.1.1/32 [110/100] via 10.0.1.1, 00:04:50, Tunnel1
C       10.0.0.0/24 is directly connected, Tunnel0
C       10.0.1.0/24 is directly connected, Tunnel1
O       10.0.0.1/32 [110/300] via 10.0.1.1, 00:01:56, Tunnel1
     192.168.0.0/32 is subnetted, 1 subnets
O       192.168.0.1 [110/301] via 10.0.1.1, 00:01:57, Tunnel1
     192.168.1.0/32 is subnetted, 1 subnets
O       192.168.1.1 [110/101] via 10.0.1.1, 00:04:51, Tunnel1
C    192.168.2.0/24 is directly connected, Loopback0
     192.168.3.0/32 is subnetted, 1 subnets
O       192.168.3.1 [110/201] via 10.0.1.1, 00:01:57, Tunnel1
R4#sh ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:56:23, never expire
  Type: static, Flags:
  NBMA address: 172.17.0.1
10.0.1.11/32 via 10.0.1.11, Tunnel1 created 00:55:08, never expire
  Type: static, Flags:
  NBMA address: 172.17.0.5
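
The Tunnel1 entry in the `sh ip nhrp` output above is a static mapping for 10.0.1.11, the spoke's own tunnel address, rather than for the NHS address 10.0.1.1. The Python check below is an added example, not part of the original post: it scans tunnel stanzas for that mismatch and for a missing `tunnel protection ipsec profile` line, using a constructed sample config and a hypothetical profile name `DMVPN-PROF`.

```python
import re

# Constructed sample in the style of the R4 spoke config (not a device capture).
SPOKE_CFG = """\
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1
 tunnel destination 172.17.0.1
 tunnel protection ipsec profile DMVPN-PROF
interface Tunnel1
 ip address 10.0.1.11 255.255.255.0
 ip nhrp map 10.0.1.11 172.17.0.5
 ip nhrp nhs 10.0.1.1
 tunnel destination 172.17.0.5
"""

def tunnel_stanzas(cfg):
    """Return {tunnel interface name: [its config lines]} for an IOS config."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface Tunnel"):
            cur = out.setdefault(line.split()[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # "!", a global command or another interface ends it
    return out

def audit(cfg):
    """List (interface, finding) pairs for NHRP map and protection problems."""
    findings = []
    for name, lines in tunnel_stanzas(cfg).items():
        text = "\n".join(lines)
        own = re.findall(r"^ip address (\S+)", text, re.M)
        maps = dict(re.findall(r"^ip nhrp map (\d\S+) (\S+)", text, re.M))
        for nhs in re.findall(r"^ip nhrp nhs (\S+)", text, re.M):
            if nhs not in maps:
                findings.append((name, f"NHS {nhs} has no 'ip nhrp map' entry"))
        for ip in own:
            if ip in maps:
                findings.append((name, f"map entry targets own address {ip}"))
        if "tunnel protection ipsec profile" not in text:
            findings.append((name, "no 'tunnel protection ipsec profile' line"))
    return findings

if __name__ == "__main__":
    for iface, msg in audit(SPOKE_CFG):
        print(f"{iface}: {msg}")
```

Without a `tunnel protection` line (or an equivalent crypto map), the GRE tunnel and the NHRP authentication string cross the provider network unencrypted.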

In summary, the dual hub, dual cloud design needs a lot more config and planning up front. Hope this helps people out there get their DMVPN setup working. This initial topology is a great way to start studying for the CCIE v5 R&S labs!

William Zambrano

NYC networkers is run by William Zambrano, a passionate network engineer who has been in the IT industry for eight years and who posts blog articles and YouTube videos and holds meetup.com events in the NYC area. He lives in Queens, New York and has consulted for various companies in the NY area. Previously William worked as a Cisco Certified Systems Instructor (CCSI); he currently works for Arista Networks as a Systems Engineer. William can be reached by email at willzambrano@gmail.com
