[c-nsp] DMVPN and dual internet connection
Jay Nakamura
zeusdadog at gmail.com
Fri Apr 9 23:06:23 EDT 2010
I finally got some time to experiment with this in a lab setup with
some 891 routers. Here is my working config for others' googling
benefit.
--------------------------------------------------
hostname Hub
!
no ip source-route
!
ip cef
ip vrf inside
rd 100:3
import map VRFDefaultOnlyMap
route-target import 100:1
route-target import 100:2
!
ip vrf isp1
rd 100:1
route-target export 100:1
!
ip vrf isp2
rd 100:2
route-target export 100:2
!
crypto keyring vpn1 vrf isp1
pre-shared-key address 0.0.0.0 0.0.0.0 key testkey
crypto keyring vpn2 vrf isp2
pre-shared-key address 0.0.0.0 0.0.0.0 key testkey
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
crypto isakmp key testkey address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10 5
!
!
crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IpsecProf1
set transform-set AES256SHA
!
track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!
interface Tunnel1
bandwidth 1000
ip vrf forwarding inside
ip address 10.120.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication nhrpauth
ip nhrp map multicast dynamic
ip nhrp network-id 53
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 100
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel vrf isp1
tunnel protection ipsec profile IpsecProf1
!
interface Tunnel2
bandwidth 500
ip vrf forwarding inside
ip address 10.121.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication nhrpaut2
ip nhrp map multicast dynamic
ip nhrp network-id 54
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 100
tunnel source FastEthernet8
tunnel mode gre multipoint
tunnel vrf isp2
tunnel protection ipsec profile IpsecProf1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
ip vrf forwarding isp2
ip address 10.103.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0
ip vrf forwarding isp1
ip address 10.100.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip vrf forwarding inside
ip address 10.106.0.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router ospf 1 vrf inside
router-id 10.106.0.2
log-adjacency-changes
network 10.106.0.0 0.0.0.255 area 0
network 10.120.0.0 0.0.0.255 area 0
network 10.121.0.0 0.0.0.255 area 0
!
router bgp 100
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf isp2
redistribute static
default-information originate
no synchronization
exit-address-family
!
address-family ipv4 vrf isp1
redistribute static
default-information originate
no synchronization
exit-address-family
!
ip route vrf isp1 0.0.0.0 0.0.0.0 10.100.0.1 track 10
ip route vrf isp2 0.0.0.0 0.0.0.0 10.103.0.1 track 20
!
ip extcommunity-list 1 permit rt 100:1
ip extcommunity-list 2 permit rt 100:2
!
ip nat inside source route-map Isp1NatMap interface GigabitEthernet0 vrf inside overload
ip nat inside source route-map Isp2NatMap interface FastEthernet8 vrf inside overload
!
ip access-list extended NATIP
deny ip 10.106.0.0 0.0.0.255 10.105.0.0 0.0.0.255
deny ip 10.106.0.0 0.0.0.255 10.107.0.0 0.0.0.255
deny ip 10.106.0.0 0.0.0.255 10.120.0.0 0.0.0.255
deny ip 10.106.0.0 0.0.0.255 10.121.0.0 0.0.0.255
permit ip 10.106.0.0 0.0.0.255 any
!
!
ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
ip sla 1
icmp-echo 10.100.0.1
timeout 500
vrf isp1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.103.0.1
timeout 500
vrf isp2
ip sla schedule 2 life forever start-time now
!
route-map VRFDefaultOnlyMap permit 10
match ip address prefix-list DefaultOnly
match extcommunity 1
!
route-map VRFDefaultOnlyMap permit 20
match ip address prefix-list DefaultOnly
match extcommunity 2
set metric +5
!
route-map Isp1NatMap permit 10
match ip address NATIP
match interface GigabitEthernet0
!
route-map Isp2NatMap permit 10
match ip address NATIP
match interface FastEthernet8
!
--------------------------------------------------
hostname spoke
!
no ip source-route
!
ip cef
ip vrf inside
rd 100:3
import map VRFDefaultOnlyMap
route-target import 100:1
route-target import 100:2
!
ip vrf isp1
rd 100:1
route-target export 100:1
!
ip vrf isp2
rd 100:2
route-target export 100:2
!
crypto keyring vpn1 vrf isp1
pre-shared-key address 0.0.0.0 0.0.0.0 key testkey
crypto keyring vpn2 vrf isp2
pre-shared-key address 0.0.0.0 0.0.0.0 key testkey
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
crypto isakmp key testkey address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10 5
!
!
crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IpsecProf1
set transform-set AES256SHA
!
track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!
interface Tunnel1
bandwidth 1000
ip vrf forwarding inside
ip address 10.120.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication nhrpauth
ip nhrp map multicast 10.100.0.2
ip nhrp map 10.120.0.1 10.100.0.2
ip nhrp network-id 53
ip nhrp holdtime 450
ip nhrp nhs 10.120.0.1
ip virtual-reassembly
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 0
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel vrf isp1
tunnel protection ipsec profile IpsecProf1
!
interface Tunnel2
bandwidth 500
ip vrf forwarding inside
ip address 10.121.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication nhrpaut2
ip nhrp map multicast 10.103.0.2
ip nhrp map 10.121.0.1 10.103.0.2
ip nhrp network-id 54
ip nhrp holdtime 450
ip nhrp nhs 10.121.0.1
ip virtual-reassembly
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 0
delay 1000
tunnel source FastEthernet8
tunnel mode gre multipoint
tunnel vrf isp2
tunnel protection ipsec profile IpsecProf1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
ip vrf forwarding isp2
ip address 10.104.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! Spoke ISP1 address assumed to be 10.101.0.2: the spoke's isp1 default route
! below points at 10.101.0.1, and 10.100.0.2 is the hub address that the
! spoke's NHRP mappings on Tunnel1 refer to, so the spoke cannot reuse it.
interface GigabitEthernet0
ip vrf forwarding isp1
ip address 10.101.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip vrf forwarding inside
ip address 10.105.0.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router ospf 1 vrf inside
router-id 10.105.0.2
log-adjacency-changes
network 10.105.0.0 0.0.0.255 area 0
network 10.120.0.0 0.0.0.255 area 0
network 10.121.0.0 0.0.0.255 area 0
!
router bgp 100
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf isp2
redistribute static
default-information originate
no synchronization
exit-address-family
!
address-family ipv4 vrf isp1
redistribute static
default-information originate
no synchronization
exit-address-family
!
ip route vrf isp1 0.0.0.0 0.0.0.0 10.101.0.1 track 10
ip route vrf isp2 0.0.0.0 0.0.0.0 10.104.0.1 track 20
!
ip extcommunity-list 1 permit rt 100:1
ip extcommunity-list 2 permit rt 100:2
!
ip nat inside source route-map Isp1NatMap interface GigabitEthernet0 vrf inside overload
ip nat inside source route-map Isp2NatMap interface FastEthernet8 vrf inside overload
!
! The spoke LAN is 10.105.0.0/24 (Vlan1), so the NAT exemption must match that
! source, not the hub's 10.106.0.0/24: exempt traffic to the hub LAN, the
! 10.107.0.0/24 site and both tunnel subnets, and NAT everything else.
ip access-list extended NATIP
deny ip 10.105.0.0 0.0.0.255 10.106.0.0 0.0.0.255
deny ip 10.105.0.0 0.0.0.255 10.107.0.0 0.0.0.255
deny ip 10.105.0.0 0.0.0.255 10.120.0.0 0.0.0.255
deny ip 10.105.0.0 0.0.0.255 10.121.0.0 0.0.0.255
permit ip 10.105.0.0 0.0.0.255 any
!
!
ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
! Each probe must ping the next hop of the tracked default route in the same
! VRF (10.101.0.1 and 10.104.0.1 on this spoke); probing the hub's gateways
! would never reflect the state of the spoke's own links.
ip sla 1
icmp-echo 10.101.0.1
timeout 500
vrf isp1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.104.0.1
timeout 500
vrf isp2
ip sla schedule 2 life forever start-time now
!
route-map VRFDefaultOnlyMap permit 10
match ip address prefix-list DefaultOnly
match extcommunity 1
!
route-map VRFDefaultOnlyMap permit 20
match ip address prefix-list DefaultOnly
match extcommunity 2
set metric +5
!
route-map Isp1NatMap permit 10
match ip address NATIP
match interface GigabitEthernet0
!
route-map Isp2NatMap permit 10
match ip address NATIP
match interface FastEthernet8
!
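The failover in both configs rests on three lines agreeing with each other: the "ip sla" probe, the "track" object that watches it, and the VRF default route that carries that track. A probe that pings a gateway other than the route's next hop, or that runs in the wrong VRF, leaves the route in place while the link is dead (or withdraws it while the link is fine). The checker below is an added example, not part of the original post or of IOS itself: it parses those lines and reports such mismatches. The config embedded in it is constructed, and its isp2 triple is deliberately inconsistent.

```python
import re

# Constructed sample (not from the post): the isp1 triple is consistent, the
# isp2 triple deliberately probes the wrong gateway from the wrong VRF.
SAMPLE_CONFIG = """\
track 10 ip sla 1 reachability
track 20 ip sla 2 reachability
ip route vrf isp1 0.0.0.0 0.0.0.0 10.100.0.1 track 10
ip route vrf isp2 0.0.0.0 0.0.0.0 10.104.0.1 track 20
ip sla 1
 icmp-echo 10.100.0.1
 vrf isp1
ip sla 2
 icmp-echo 10.103.0.1
 vrf isp1
"""

def parse(config):
    """Collect ip sla blocks, track-to-sla bindings and tracked default routes."""
    slas, tracks, routes, cur = {}, {}, [], None
    for line in config.splitlines():
        s = line.strip()
        if m := re.fullmatch(r"ip sla (\d+)", s):
            cur = slas.setdefault(int(m[1]), {"target": None, "vrf": None})
        elif m := re.match(r"track (\d+) ip sla (\d+) reachability", s):
            tracks[int(m[1])] = int(m[2])
        elif m := re.match(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) track (\d+)", s):
            routes.append((m[1], m[2], int(m[3])))
        elif cur is not None and (m := re.match(r"icmp-echo (\S+)", s)):
            cur["target"] = m[1]
        elif cur is not None and (m := re.fullmatch(r"vrf (\S+)", s)):
            cur["vrf"] = m[1]
    return slas, tracks, routes

def check(config):
    """Return the problems found; an empty list means every tracked route is sound."""
    slas, tracks, routes = parse(config)
    problems = []
    for vrf, nexthop, track in routes:
        sla = slas.get(tracks.get(track))
        if sla is None:
            problems.append(f"vrf {vrf}: track {track} is not bound to an ip sla block")
            continue
        if sla["target"] != nexthop:
            problems.append(f"vrf {vrf}: probe pings {sla['target']} but next hop is {nexthop}")
        if sla["vrf"] != vrf:
            problems.append(f"vrf {vrf}: probe runs in vrf {sla['vrf']}")
    return problems
```

Run it against a copied "show running-config" before pasting a spoke config into production; the spoke template above is exactly where copy-paste from the hub tends to leave the probe pointed at the wrong gateway.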
On Tue, Mar 2, 2010 at 4:55 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
> I have considered that but that would involve re-designing the second
> hub/rest of the DMVPN cloud so I was hoping there was another
> solution...
>
> I found a config where you can put each ISP on a VRF and do fancy
> route redistribution, which could work. It seemed a little more
> complicated than it should be but that may be where I need to go.
>
> On Tue, Mar 2, 2010 at 2:52 PM, Rodney Dunn <rodunn at cisco.com> wrote:
>> Most people run dual DMVPN clouds with two tunnels on the spoke.
>>
>> One primary cloud for CM and one for the T1 side.
>>
>> Your failover comes from the dynamic routing protocol running over the
>> clouds (ie: eigrp).
>>
>> On the spoke you put a /32 route for the two hub ip's out each respective
>> internet link.
>>
>> Rodney
>>
>>
>>
>> On 3/1/10 3:08 PM, Jay Nakamura wrote:
>>>
>>> All,
>>>
>>> I have a site that has a cable modem and a T1. I was able to
>>> configure internet access redundancy using IP SLA/track. This site is
>>> also the spoke side of a DMVPN mesh. Is there any way I can make DMVPN
>>> fail over to the other connection? I can't find any reference to it so
>>> far. I am not sure what you can do when, for the DMVPN tunnel
>>> interface, you have to specify "tunnel source" and that will be
>>> different depending on which link is up and running.
>>>
>>> Thanks,
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>