Thursday, June 3, 2010

VRF aware DMVPN with dual ISP on Single HUB + autofailover (using iVRF and FVRF)



Task Details:
(for lab usage only!)

- We have two separate DMVPN clouds via two different ISPs. The LAN segments in both DMVPN clouds use the same IP addresses.
- The requirement is to merge both clouds, remove redundant equipment (one hub and two spoke routers), and configure the DMVPN clouds to use both ISPs with automatic failover between the ISPs.
- Use VRF aware DMVPN with fVRF and iVRF.
- Use VRFs ISP1 and ISP2 as fVRFs to segregate the ISPs.
- Use VRFs RED and BLUE as iVRFs so that the overlapping LAN segments can communicate.
- Configure DMVPN in such a way that VRF RED uses ISP1 as primary. In the event of any failure on ISP1, it should switch to ISP2.
- Similarly, VRF BLUE should use ISP2 as primary (active) and ISP1 as secondary (passive).

To be contd. (init configs, Dynamips .NET File, explanation on challenges, and solution)

A few considerations:
1. We'll need a total of 4 tunnel interfaces on each Spoke and on the Hub.
      First tunnel for VRF RED via ISP1
      Second tunnel for VRF RED via ISP2
      Third tunnel for VRF BLUE via ISP1
      Fourth tunnel for VRF BLUE via ISP2
Tunnel interfaces on the HUB will be ACTIVE/ACTIVE, allowing the SPOKES to dynamically choose a path and switch over during an ISP failure.

Tunnel interfaces on the SPOKES will be ACTIVE/STANDBY per ISP. Again, dynamic failover.

2. So we'll create 4 different DMVPN clouds, two active (one for VRF RED via ISP1, one for VRF BLUE via ISP2) and two passive (vice versa).
Challenge 1: All 4 DMVPN clouds will have their own tunnel IP subnets. Switchover between the DMVPN clouds during failover should be tracked appropriately.
Example 1: if ISP1 on the HUB fails, SPOKE1 and SPOKE2 should automatically switch to ISP2.
Example 2: if ISP1 on SPOKE1 fails, SPOKE1 should automatically switch to ISP2, and the HUB should accept this tunnel switchover dynamically.

3. Challenge 2: So how do we keep the SPOKEs and the HUB in sync?
Here Cisco EEM with IP SLA tracking comes to the rescue.
We'll track the ISP connection on each SPOKE, both for the SPOKE itself and for the HUB.
So SPOKE1 will track whether its ISP1 connectivity is alive; if YES, it'll use Tunnel1 via ISP1 for DMVPN. If ISP1 is down on SPOKE1, it'll switch to ISP2 and use its backup RED tunnel via ISP2 (Tunnel3 in the configs below).
At the same time, SPOKE1 will track the HUB's ISP1 connection. If ISP1 on the HUB is alive, SPOKE1 will keep using ISP1 itself. If the HUB's ISP1 connection is dead, SPOKE1 will shut down its Tunnel1 going via ISP1 and switch over to Tunnel3 via ISP2. (In the configs below a single IP SLA probe from the SPOKE's ISP1 interface to the HUB's ISP1 address covers both cases.)
Note - SPOKE1 can't keep using Tunnel1 via ISP1 when the HUB's ISP1 is dead. Why? Because the tunnel IP subnet of Tunnel1 on SPOKE1 must match the subnet of the HUB tunnel interface it registers with (its NHS), and the HUB's RED tunnel on the ISP2 side lives in a different subnet.

Let's get our hands dirty and move on to the configuration part.

Initial Configs:
HUB:
hostname HUB
!
ip cef
!
ip vrf BLUE
rd 1:2
!
ip vrf ISP1
rd 100:1
!
ip vrf ISP2
rd 200:1
!
ip vrf RED
rd 1:1
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding RED
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding BLUE
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip vrf forwarding ISP1
ip address 101.1.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding ISP2
ip address 201.1.1.1 255.255.255.0
serial restart-delay 0
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 101.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 201.1.1.254
!

SPOKE1:
hostname SPOKE1
!
ip cef
!
ip vrf BLUE
rd 2:2
!
ip vrf ISP1
rd 100:2
!
ip vrf ISP2
rd 200:2
!
ip vrf RED
rd 2:1
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding RED
ip address 10.2.1.2 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding BLUE
ip address 10.2.1.2 255.255.255.0
!
interface Serial1/0
ip vrf forwarding ISP1
ip address 102.1.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding ISP2
ip address 202.1.1.2 255.255.255.0
serial restart-delay 0
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 102.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 202.1.1.254
!


SPOKE2:
hostname SPOKE2
!
ip cef
!
ip vrf BLUE
rd 2:3
!
ip vrf ISP1
rd 100:3
!
ip vrf ISP2
rd 200:3
!
ip vrf RED
rd 1:3
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding RED
ip address 10.3.1.3 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding BLUE
ip address 10.3.1.3 255.255.255.0
!
interface Serial1/0
ip vrf forwarding ISP1
ip address 103.1.1.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding ISP2
ip address 203.1.1.3 255.255.255.0
serial restart-delay 0
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 103.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 203.1.1.254
!
!

ISP1:

ISP1#r
Building configuration...

Current configuration : 2689 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISP1
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 101.1.1.254 255.255.255.0
ip access-group ACL_ESP_ONLY in
serial restart-delay 0
no clns route-cache
!
interface Serial1/1
ip address 102.1.1.254 255.255.255.0
ip access-group ACL_ESP_ONLY in
serial restart-delay 0
no clns route-cache
!
interface Serial1/2
ip address 103.1.1.254 255.255.255.0
ip access-group ACL_ESP_ONLY in
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
ip address 12.1.1.1 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router bgp 100
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 12.1.1.2 remote-as 200
no auto-summary
!
ip classless
!
no ip http server
!
!
!
ip access-list extended ACL_ESP_ONLY
permit icmp any any echo
permit icmp any any echo-reply
permit esp any any
permit udp any any eq 4500
permit udp any any eq isakmp
deny ip any any log
!
!
!
control-plane
!
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
no login
!
!
end
ISP1#


ISP2:

ISP2#r
Building configuration...

Current configuration : 2394 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISP2
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 201.1.1.254 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/1
ip address 202.1.1.254 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/2
ip address 203.1.1.254 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
ip address 12.1.1.2 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router bgp 200
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 12.1.1.1 remote-as 100
no auto-summary
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
no login
!
!
end
ISP2#

DYNAMIPS NET FILE
autostart = False
[1.1.1.1]
port = 7200
udp = 10000

[[7200]]
image = C:\Program Files\Dynamips\images\c7200-k91p-m.122-25.S15.bin
npe = npe-400
ram = 96
disk0 = 0
disk1 = 0
mmap = false

[[router HUB]]
autostart = False

image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
# NM-4T in slot 1 provides the Serial1/x ports used in the router configs above
slot1 = NM-4T
mmap = false
ram = 224
Fa0/0 = LAN 10
S1/0 = ISP1 S1/0
S1/1 = ISP2 S1/0

cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\HUB.cfg

[[router SPOKE1]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
slot1 = NM-4T
mmap = false
ram = 224

Fa0/0 = LAN 20
S1/0 = ISP1 S1/1
S1/1 = ISP2 S1/1

cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\SPOKE1.cfg

[[router SPOKE2]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
slot1 = NM-4T
mmap = false
ram = 224
Fa0/0 = LAN 30
S1/0 = ISP1 S1/2
S1/1 = ISP2 S1/2

cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\SPOKE2.cfg

[[router ISP1]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE
# PA-8T in slot 1 provides Serial1/0 - Serial1/7 used in the ISP configs above
slot1 = PA-8T
S1/3 = ISP2 S1/3
cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\ISP1.cfg

[[router ISP2]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE
slot1 = PA-8T
cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\ISP2.cfg

SOLUTION:

HUB CONFIG:

HUB CRYPTO CONFIG:
crypto keyring CRYPTO_KEYRING_VRFRED_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFRED_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE_ISP1
set transform-set TRANS
!
crypto ipsec profile IPSEC_PROFILE_ISP2
set transform-set TRANS

TUNNEL CONFIG for VRF RED
interface Tunnel1
description ** DMVPN RED via ISP1 **
ip vrf forwarding RED
ip address 172.16.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map multicast dynamic
ip nhrp network-id 131313
ip ospf network broadcast
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel3
description ** DMVPN RED via ISP2 **
ip vrf forwarding RED
ip address 172.16.11.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map multicast dynamic
ip nhrp network-id 131313
ip ospf network broadcast
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!

TUNNEL CONFIG for VRF BLUE
!
interface Tunnel2
description ** DMVPN BLUE via ISP1 **
ip vrf forwarding BLUE
ip address 172.16.20.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication BLUE
ip nhrp map multicast dynamic
ip nhrp network-id 242424
no ip split-horizon eigrp 1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 20
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel4
description ** DMVPN BLUE via ISP2 **
ip vrf forwarding BLUE
ip address 172.16.21.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication BLUE
ip nhrp map multicast dynamic
ip nhrp network-id 242424
no ip split-horizon eigrp 1
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 21
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared

ROUTING CONFIG VRF BLUE
router eigrp 1
no auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0
network 172.16.0.0
no auto-summary
autonomous-system 1
eigrp router-id 1.1.1.1
exit-address-family

ROUTING CONFIG VRF RED
router ospf 1 vrf RED
router-id 1.1.1.1
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 1
network 172.16.10.1 0.0.0.0 area 0
network 172.16.11.1 0.0.0.0 area 0
!

SPOKE1 CONFIG:
crypto keyring CRYPTO_KEYRING_VRFRED_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFRED_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE_ISP1
set transform-set TRANS
!
crypto ipsec profile IPSEC_PROFILE_ISP2
set transform-set TRANS
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface Tunnel1
description ** DMVPN RED via ISP1 **
ip vrf forwarding RED
ip address 172.16.10.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.10.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.10.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel2
description ** DMVPN BLUE via ISP1 **
ip vrf forwarding BLUE
ip address 172.16.20.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.20.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.20.1
ip ospf network broadcast
ip ospf priority 0
shutdown
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 20
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel3
description ** DMVPN RED via ISP2 **
ip vrf forwarding RED
ip address 172.16.11.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.11.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.11.1
! OSPF network type must match the HUB's Tunnel3 (broadcast), as on Tunnel1
ip ospf network broadcast
ip ospf priority 0
shutdown
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
interface Tunnel4
description ** DMVPN BLUE via ISP2 **
ip vrf forwarding BLUE
ip address 172.16.21.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.21.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.21.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 21
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0
network 172.16.0.0
no auto-summary
autonomous-system 1
eigrp router-id 2.2.2.2
exit-address-family
!
router ospf 1 vrf RED
router-id 2.2.2.2
log-adjacency-changes
network 10.2.1.2 0.0.0.0 area 2
network 172.16.10.2 0.0.0.0 area 0
network 172.16.11.2 0.0.0.0 area 0
!
ip sla 1
icmp-echo 101.1.1.1 source-interface Serial1/0
timeout 15000
vrf ISP1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 201.1.1.1 source-interface Serial1/1
timeout 15000
vrf ISP2
ip sla schedule 2 life forever start-time now
!
!
event manager applet EEM_SHUT_ISP1_HUB
event track 1 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP1_HUB
event track 1 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_SHUT_ISP2_HUB
event track 2 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP2_HUB
event track 2 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
!
end

SPOKE2 CONFIG:
crypto keyring CRYPTO_KEYRING_VRFRED_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFRED_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE_ISP1
set transform-set TRANS
!
crypto ipsec profile IPSEC_PROFILE_ISP2
set transform-set TRANS
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface Tunnel1
description ** DMVPN RED via ISP1 **
ip vrf forwarding RED
ip address 172.16.10.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.10.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.10.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel2
description ** DMVPN BLUE via ISP1 **
ip vrf forwarding BLUE
ip address 172.16.20.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.20.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.20.1
ip ospf network broadcast
ip ospf priority 0
! standby: BLUE is primary via ISP2 (Tunnel4); EEM brings this up when track 2 goes down
shutdown
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 20
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel3
description ** DMVPN RED via ISP2 **
ip vrf forwarding RED
ip address 172.16.11.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.11.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.11.1
! OSPF network type must match the HUB's Tunnel3 (broadcast), as on Tunnel1
ip ospf network broadcast
ip ospf priority 0
! standby: RED is primary via ISP1 (Tunnel1); EEM brings this up when track 1 goes down
shutdown
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
interface Tunnel4
description ** DMVPN BLUE via ISP2 **
ip vrf forwarding BLUE
ip address 172.16.21.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.21.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.21.1
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 21
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0
network 172.16.0.0
no auto-summary
autonomous-system 1
eigrp router-id 3.3.3.3
exit-address-family
!
router ospf 1 vrf RED
router-id 3.3.3.3
log-adjacency-changes
network 10.3.1.3 0.0.0.0 area 3
network 172.16.10.3 0.0.0.0 area 0
network 172.16.11.3 0.0.0.0 area 0
!
ip sla 1
icmp-echo 101.1.1.1 source-interface Serial1/0
timeout 15000
vrf ISP1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 201.1.1.1 source-interface Serial1/1
timeout 15000
vrf ISP2
ip sla schedule 2 life forever start-time now
!
event manager applet EEM_SHUT_ISP1_HUB
event track 1 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP1_HUB
event track 1 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_SHUT_ISP2_HUB
event track 2 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP2_HUB
event track 2 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
!
end
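An added check (example code, not from the original post): a small Python lint over a constructed config fragment modelled on the SPOKE2 tunnels above. It verifies the two points the design relies on, that each tunnel's NHS sits in the spoke tunnel's own subnet, and that each iVRF has exactly one tunnel active, on its primary ISP (RED via ISP1, BLUE via ISP2).

```python
import ipaddress

# Constructed spoke config fragment modelled on the page's SPOKE2 tunnels
# (not the page's full config): two tunnels per iVRF, one per fVRF.
SPOKE_CFG = """
interface Tunnel1
 ip vrf forwarding RED
 ip address 172.16.10.3 255.255.255.0
 ip nhrp nhs 172.16.10.1
 tunnel vrf ISP1
interface Tunnel2
 ip vrf forwarding BLUE
 ip address 172.16.20.3 255.255.255.0
 ip nhrp nhs 172.16.20.1
 shutdown
 tunnel vrf ISP1
interface Tunnel3
 ip vrf forwarding RED
 ip address 172.16.11.3 255.255.255.0
 ip nhrp nhs 172.16.11.1
 shutdown
 tunnel vrf ISP2
interface Tunnel4
 ip vrf forwarding BLUE
 ip address 172.16.21.3 255.255.255.0
 ip nhrp nhs 172.16.21.1
 tunnel vrf ISP2
"""

# iVRF -> fVRF that must carry its active tunnel, per the task statement.
PRIMARY = {"RED": "ISP1", "BLUE": "ISP2"}

# One-word settings to capture, keyed by their command prefix.
FIELDS = {"ip vrf forwarding ": "ivrf", "ip nhrp nhs ": "nhs",
          "tunnel vrf ": "fvrf"}


def parse_tunnels(cfg):
    """Return {name: {ivrf, fvrf, addr, nhs, shut}} for each Tunnel block."""
    tunnels, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface Tunnel"):
            cur = tunnels.setdefault(line.split()[1], {"shut": False})
        elif cur is None:
            continue
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cur["addr"] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif line == "shutdown":
            cur["shut"] = True
        else:
            for prefix, field in FIELDS.items():
                if line.startswith(prefix):
                    cur[field] = line.split()[-1]
    return tunnels


def lint_spoke(cfg, primary=PRIMARY):
    """Return a list of findings; an empty list means the spoke is consistent."""
    findings, active = [], {}
    for name, t in parse_tunnels(cfg).items():
        # The NHS must lie in the spoke tunnel's own subnet: this is why a
        # spoke cannot keep Tunnel1 once the hub's ISP1 side is dead.
        if ipaddress.ip_address(t["nhs"]) not in t["addr"].network:
            findings.append(f"{name}: NHS {t['nhs']} outside {t['addr'].network}")
        if not t["shut"]:
            active.setdefault(t["ivrf"], []).append(t["fvrf"])
    # Exactly one tunnel up per iVRF, and it must ride the primary fVRF.
    for ivrf, want in primary.items():
        up = active.get(ivrf, [])
        if up != [want]:
            findings.append(f"{ivrf}: active via {up or 'nothing'}, expected {want}")
    return findings
```

Running `lint_spoke` on a fragment where the `shutdown` sits on Tunnel4 instead of Tunnel2 reports BLUE as active via ISP1, the state the EEM applets above only correct after a track 2 transition.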

4 comments:

  1. DMVPN and INTERNET VIA HUB ISSUES
    -------------------------------------

    Hello,

    I really wish that you can help me with the issue I have. If you have an e-mail I can send you the configs and drawing

    I explain. I have to test a Dual Hub - Dual DMVPN Layout for a customer before we configure it in real production.
    The customer has some sites where routers are behind some ISP routers which are doing NAT.

    How things are configured:

    - All the traffic from spokes has to go via the Hub location so no local internet traffic on spokes.
    - Hub 1 and Hub 2 sends a default route to spokes via EIGRP. But only Hub 1 is used.
    - Hub 1 is the primary router for DMVPN. In case of hardware/Connection to Internet failure Hub 2 become active for DMVPN and Internet.
    - Hub 1 and Hub 2 are both connected to one ISP and are Internet Gateway for spokes.
    - Hub 1 and Hub 2 are configured with IOS Firewall.
    - On spokes I have used VRF to separate the DMVPN routing table from the global routing table so I could receive a default route from Hub 1 and Hub 2 to route traffic from spokes to the Internet via the Hub location


    What is working:

    - All spokes can have access to local LAN at Hub location.
    - All spokes can do spoke to spoke
    - Failover working for DMVPN
    - Spokes NOT behind a NAT ISP router (that is to say having the public IP address directly attached at their outside interface) can go to the Internet via the hub location, and
    all packets are inspected correctly by the IOS firewall and NATed correctly

    What is not working:

    - Spokes behind a NAT ISP router cannot reach the Internet through the Hub location. They can only reach the local LAN at the Hub location and do spoke to spoke.
    On the hub router the IOS firewall sees the packets coming from these spokes (behind NAT) with a source IP address which is the public IP address of the ISP router's outside interface. Not the LAN private IP address behind the spoke.
    Moreover packets are never NATed. If I do some sniffing on an Internet server the source private IP address is the LAN IP address of the LAN behind the spoke. That means that the Hub router never NATs these packets.

    How to solve this problem?

    Well I don't know, that is why I need your help/advice :-)
    I don't know if I should configure a VRF on the hub location also, as maybe things get messed up.
    The problem seems to be coming from NAT-T, as the spokes which aren't behind NAT can go on the Internet through the Hub and both Cisco IOS inspection and NAT are working fine.
    As I was testing today with the customer, at the beginning the spoke behind NAT could ping different servers on the Internet but not open an HTTP session. DNS was working fine. The IOS Firewall was actually
    inspecting packets with the real private IP address. Then I thought that it was an MTU issue so I decided to ping out to the Internet with a bigger MTU size and suddenly the pings were not going through anymore.
    I could see on the Hub1 router that the IOS firewall was inspecting the public IP address again of the ISP NAT router at the spoke side and not anymore the real private IP address. Really strange!

    Best Regards,
    Laurent

  2. What source IP address are you matching to NAT? It should be the private LAN IP of the Spokes.

    Post me your configs and topology.

    This should work without VRF.

    Swap
    ccie19804 AT gm@i@l dot COM

  3. Greg Hackney - CCIE R&S 41704, December 26, 2013 at 8:02 PM

    I think this is my favorite GNS3 lab so far, thank you!
