DMVPN with dual ISPs
This article demonstrates a DMVPN deployment across two ISPs: the Hub router has a connection to each ISP, while each Spoke router is connected to a single, separate ISP.
Configuration
The PE11, PE12, PE21 and PE22 routers have very simple and similar VRF configurations, with an eBGP session between each PE and its CE router. A sample configuration from PE11 follows.
VRF Configuration on PE11 router
mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
ip vrf CUST
rd 1:1
route-target both 1:1
!
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface Serial 0/0
ip vrf forwarding CUST
ip address 172.11.1.2 255.255.255.0
!
router bgp 100
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback 0
!
address-family vpnv4
neighbor 2.2.2.2 activate
exit-address-family
!
address-family ipv4 vrf CUST
neighbor 172.11.1.1 remote-as 65001
neighbor 172.11.1.1 activate
redistribute connected
exit-address-family
!
PE100 and PE200 act as Route Reflectors (RR) for their respective ASes. To exchange VPNv4 routes they run MP-eBGP sessions over both physical connections; one connection is preferred over the other by setting a higher local-preference value on the prefixes learnt via that connection.
PE100 Configuration
interface Loopback 0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
router ospf 1
passive-interface FastEthernet1/0
passive-interface FastEthernet2/0
network 10.100.1.0 0.0.0.255 area 0
network 10.100.2.0 0.0.0.255 area 0
!
router bgp 100
no bgp route-target default filter ! Accept all VPNv4 routes
neighbor 1.1.1.1 remote-as 100 ! PE11 router
neighbor 1.1.1.1 update-source Loopback 0
neighbor 3.3.3.3 remote-as 100 ! PE12 router
neighbor 3.3.3.3 update-source Loopback 0
neighbor 10.100.1.2 remote-as 200
neighbor 10.100.1.2 send-label ! eBGP connection with PE200 router. The "send-label" keyword allows the router to send label with BGP VPNv4 prefixes
neighbor 10.100.2.2 remote-as 200
neighbor 10.100.2.2 send-label
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 route-reflector-client
neighbor 1.1.1.1 next-hop-self
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 route-reflector-client
neighbor 3.3.3.3 next-hop-self
neighbor 10.100.1.2 activate
neighbor 10.100.1.2 route-map LOCAL_PREF in ! Set Local-Preference to 150 for all incoming VPNv4 prefixes from this neighbor
neighbor 10.100.2.2 activate
!
route-map LOCAL_PREF permit 10
set local-preference 150
!
Configuration on PE200 router is very similar to PE100 router.
PE200 Configuration
interface Loopback 0
ip address 5.5.5.5 255.255.255.255
ip ospf 2 area 0
!
router ospf 2
passive-interface FastEthernet1/0
passive-interface FastEthernet2/0
network 10.100.1.0 0.0.0.255 area 0
network 10.100.2.0 0.0.0.255 area 0
!
router bgp 200
no bgp route-target default filter
neighbor 4.4.4.4 remote-as 200 ! PE21 router
neighbor 4.4.4.4 update-source Loopback 0
neighbor 6.6.6.6 remote-as 200 ! PE22 router
neighbor 6.6.6.6 update-source Loopback 0
neighbor 10.100.1.1 remote-as 100 ! eBGP connection to PE100
neighbor 10.100.1.1 send-label
neighbor 10.100.2.1 remote-as 100
neighbor 10.100.2.1 send-label
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 route-reflector-client
neighbor 4.4.4.4 next-hop-self
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 route-reflector-client
neighbor 6.6.6.6 next-hop-self
neighbor 10.100.1.1 activate
neighbor 10.100.1.1 route-map LOCAL_PREF in
neighbor 10.100.2.1 activate
!
route-map LOCAL_PREF permit 10
set local-preference 150
!
The following output shows the VPNv4 prefixes learnt by the PE100 and PE200 routers. Note that the prefixes with the higher local-preference value are preferred.
VPNv4 Prefixes on PE100 and PE200
PE100# show ip bgp vpnv4 all summary
BGP router identifier 2.2.2.2, local AS number 100
BGP table version is 13, main routing table version 13
4 network entries using 560 bytes of memory
6 path entries using 408 bytes of memory
4/2 BGP path/bestpath attribute entries using 496 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 3) using 32 bytes of memory
BGP using 1544 total bytes of memory
BGP activity 4/0 prefixes, 10/4 paths, scan interval 15 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 100 41 47 13 0 0 00:36:36 1
3.3.3.3 4 100 41 47 13 0 0 00:35:42 1
10.100.1.2 4 200 51 52 13 0 0 00:15:47 2
10.100.2.2 4 200 40 41 13 0 0 00:15:43 2
PE100# show ip bgp vpnv4 all
BGP table version is 13, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1
*>i172.11.1.0/24 1.1.1.1 0 100 0 ?
* 172.12.1.0/24 10.100.2.2 0 200 ?
*> 10.100.1.2 150 0 200 ?
*>i172.22.1.0/24 3.3.3.3 0 100 0 ?
* 172.33.1.0/24 10.100.2.2 0 200 ?
*> 10.100.1.2 150 0 200 ?
PE200# show ip bgp vpnv4 all
BGP table version is 13, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1
* 172.11.1.0/24 10.100.2.1 0 100 ?
*> 10.100.1.1 150 0 100 ?
*>i172.12.1.0/24 4.4.4.4 0 100 0 ?
* 172.22.1.0/24 10.100.2.1 0 100 ?
*> 10.100.1.1 150 0 100 ?
*>i172.33.1.0/24 6.6.6.6 0 100 0 ?
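The local-preference steering shown above can be checked mechanically rather than by eye. The following Python script is an added example and not part of the original article: it parses the column layout of show ip bgp vpnv4 all, treats a blank LocPrf as the BGP default of 100, and confirms that the path the router marked with > is the one a weight/local-preference comparison would choose. The sample table is constructed from the PE100 output above and formatted with the column widths IOS uses; the row, parse_vpnv4_table, expected_best and audit names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Column header as IOS prints it for "show ip bgp vpnv4 all": Network at
# column 3, Next Hop at column 20, Metric at column 40, then LocPrf, Weight
# and Path each separated by one space. The parser derives the column
# boundaries from this header instead of hard-coding them.
HEADER = "   Network" + " " * 10 + "Next Hop" + " " * 12 + "Metric LocPrf Weight Path"


def row(status: str, prefix: str, next_hop: str, metric: str,
        locprf: str, weight: str, path: str) -> str:
    """Format one table line with the IOS column widths (used only to build
    the constructed sample below)."""
    return f"{status:<3}{prefix:<17}{next_hop:<20}{metric:>6} {locprf:>6} {weight:>6} {path}"


# Constructed sample reproducing the PE100 table from the article.
SAMPLE_PE100 = "\n".join([
    "BGP table version is 13, local router ID is 2.2.2.2",
    HEADER,
    "Route Distinguisher: 1:1",
    row("*>i", "172.11.1.0/24", "1.1.1.1", "0", "100", "0", "?"),
    row("*  ", "172.12.1.0/24", "10.100.2.2", "0", "", "0", "200 ?"),
    row("*> ", "", "10.100.1.2", "0", "150", "0", "200 ?"),
    row("*>i", "172.22.1.0/24", "3.3.3.3", "0", "100", "0", "?"),
    row("*  ", "172.33.1.0/24", "10.100.2.2", "0", "", "0", "200 ?"),
    row("*> ", "", "10.100.1.2", "0", "150", "0", "200 ?"),
])


@dataclass
class Path:
    rd: str
    prefix: str
    next_hop: str
    metric: Optional[int]
    local_pref: Optional[int]   # None when the LocPrf column is blank (eBGP)
    weight: int
    as_path: str
    valid: bool
    best: bool
    internal: bool


def parse_vpnv4_table(text: str) -> List[Path]:
    """Column-based parser: a blank LocPrf must stay blank, so the fields are
    sliced at the header positions rather than split on whitespace."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if l.startswith("   Network"))
    header = lines[hdr]
    nh_col = header.index("Next Hop")
    metric_end = header.index("Metric") + len("Metric")
    locprf_end = header.index("LocPrf") + len("LocPrf")
    weight_end = header.index("Weight") + len("Weight")
    paths: List[Path] = []
    rd, prefix = "", ""
    for line in lines[hdr + 1:]:
        if line.startswith("Route Distinguisher:"):
            rd = line.split(":", 1)[1].strip()
            continue
        if not line.strip():
            continue
        status = line[:3]
        field = line[3:nh_col].strip()
        if field:
            prefix = field               # continuation rows inherit the prefix
        next_hop = line[nh_col:nh_col + 20].strip()

        def num(a: int, b: int) -> Optional[int]:
            s = line[a:b].strip()
            return int(s) if s else None

        paths.append(Path(rd, prefix, next_hop,
                          num(nh_col + 20, metric_end),
                          num(metric_end, locprf_end),
                          num(locprf_end, weight_end) or 0,
                          line[weight_end:].strip(),
                          "*" in status, ">" in status, "i" in status))
    return paths


def expected_best(paths: List[Path]) -> Dict[Tuple[str, str], Path]:
    """Best path per (RD, prefix) using the tie-breakers visible in the table:
    highest weight, then highest local preference (100 when blank), then the
    shortest AS path."""
    best: Dict[Tuple[str, str], Tuple[tuple, Path]] = {}
    for p in paths:
        if not p.valid:
            continue
        lp = p.local_pref if p.local_pref is not None else 100
        as_len = len(p.as_path.split()[:-1])      # drop the origin code
        rank = (p.weight, lp, -as_len)
        key = (p.rd, p.prefix)
        if key not in best or rank > best[key][0]:
            best[key] = (rank, p)
    return {k: v[1] for k, v in best.items()}


def audit(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (prefix -> expected best next hop) and the (RD, prefix) keys
    where the router's '>' marker disagrees with that expectation."""
    paths = parse_vpnv4_table(text)
    want = expected_best(paths)
    marked = {(p.rd, p.prefix): p for p in paths if p.best}
    mismatches = [k for k, p in want.items()
                  if k not in marked or marked[k].next_hop != p.next_hop]
    return {k[1]: p.next_hop for k, p in want.items()}, mismatches


if __name__ == "__main__":
    chosen, bad = audit(SAMPLE_PE100)
    for prefix, nh in chosen.items():
        print(f"{prefix:<16} best via {nh}")
    print("mismatches:", bad)
```

Run it against a saved copy of the real show ip bgp vpnv4 all output; an empty mismatch list confirms the route-map is steering traffic over the intended PE100-PE200 link, and a non-empty one points at the prefix whose selection was decided by a later tie-breaker than local preference.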
DMVPN Hub and Spoke Configuration
Since the Hub router has two connections to the ISPs, two tunnel interfaces are created on the Hub and on each Spoke router. However, only one tunnel is operational at any time.
DMVPN Hub Configuration
crypto isakmp policy 10
encryption 3des
authentication pre-share
hash md5
group 2
!
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set TS
!
interface Tunnel10 ! Primary Tunnel
ip address 192.168.100.1 255.255.255.0
no ip next-hop-self eigrp 1020
ip nhrp map multicast dynamic
ip nhrp network-id 123
no ip split-horizon eigrp 1020
delay 5
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN shared
!
interface Tunnel20 ! Backup Tunnel
ip address 192.168.200.1 255.255.255.0
no ip next-hop-self eigrp 1020
ip nhrp map multicast dynamic
ip nhrp network-id 456
no ip split-horizon eigrp 1020
delay 10
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 456
tunnel protection ipsec profile DMVPN shared
!
router eigrp 1020
no auto-summary
network 192.168.0.0
network 192.168.100.0
network 192.168.200.0
!
router bgp 65001
neighbor 172.11.1.2 remote-as 100
neighbor 172.11.1.2 filter-list 10 out
neighbor 172.12.1.2 remote-as 200
neighbor 172.12.1.2 filter-list 10 out
!
ip as-path access-list 10 permit ^$ ! Allows only local routes to be advertised
!
Since the Spoke routers have a single connection to their ISP, both tunnels share the same source interface. This is why the IPsec profile is applied with the shared keyword and each tunnel carries a distinct tunnel key.
DMVPN Configuration on Spoke1 router
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set TS
!
interface Tunnel10
ip address 192.168.100.2 255.255.255.0
ip nhrp map 192.168.100.1 172.11.1.1
ip nhrp map multicast 172.11.1.1
ip nhrp network-id 123
ip nhrp nhs 192.168.100.1
delay 5
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN shared
!
interface Tunnel20
ip address 192.168.200.2 255.255.255.0
ip nhrp map 192.168.200.1 172.12.1.1
ip nhrp map multicast 172.12.1.1
ip nhrp network-id 456
ip nhrp nhs 192.168.200.1
delay 10
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 456
tunnel protection ipsec profile DMVPN shared
!
router bgp 65002
neighbor 172.22.1.2 remote-as 100
!
DMVPN Configuration on Spoke2 router
crypto isakmp policy 10
encryption 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set TS
!
interface Tunnel10
ip address 192.168.100.3 255.255.255.0
ip nhrp map 192.168.100.1 172.11.1.1
ip nhrp map multicast 172.11.1.1
ip nhrp network-id 123
ip nhrp nhs 192.168.100.1
delay 5
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN shared
!
interface Tunnel20
ip address 192.168.200.3 255.255.255.0
ip nhrp map 192.168.200.1 172.12.1.1
ip nhrp map multicast 172.12.1.1
ip nhrp network-id 456
ip nhrp nhs 192.168.200.1
delay 10
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 456
tunnel protection ipsec profile DMVPN shared
!
router bgp 65003
neighbor 172.33.1.2 remote-as 200
!
The major issue with this setup is that if the primary connection to the ISP at the Hub site goes down, the Hub's primary tunnel interface (Tunnel 10) goes down as well and the EIGRP adjacencies with the Spoke routers drop. The Spoke routers, however, still see their own primary tunnel interface as functional, because their tunnel source interface is still up. A tracking mechanism is therefore required on the Spoke routers to track the reachability of the source address of the Hub's primary tunnel interface; IP SLA with object tracking does this job. The reachability information is then used to control the tunnel interfaces on the Spoke routers: when the Hub's primary tunnel goes down, the Spokes shut down their primary tunnel interface and bring the secondary tunnel up. This is done with Embedded Event Manager (EEM). Before any IP SLA configuration on the Spoke routers, the ip sla responder command is required on the Hub router. The configuration is as follows:
IP SLA on Hub
ip sla responder
!
IP SLA + Tracking + EEM on Spoke1 router
track 1 ip sla 1 reachability
delay down 180 up 180
!
ip sla 1
icmp-echo 172.11.1.1 source-interface Serial1/0
timeout 300
threshold 300
frequency 3
ip sla schedule 1 life forever start-time now
!
event manager applet UP_TUNNEL_10
event track 1 state up
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "interface Tunnel20"
action 1.3 cli command "shutdown"
action 1.4 cli command "interface Tunnel10"
action 1.5 cli command "no shutdown"
action 1.6 cli command "do clear crypto isakmp"
event manager applet SHUT_TUNNEL_10
event track 1 state down
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "interface Tunnel10"
action 1.3 cli command "shutdown"
action 1.4 cli command "interface Tunnel20"
action 1.5 cli command "no shutdown"
action 1.6 cli command "do clear crypto isakmp"
!
IP SLA + Tracking + EEM on Spoke2 router
track 1 ip sla 1 reachability
delay down 180 up 180
!
ip sla 1
icmp-echo 172.11.1.1 source-interface Serial1/0 ! Source address of the Hub's primary tunnel (Tunnel10), same target as on Spoke1; the EEM logic below shuts Tunnel10 on track down, so the backup address 172.12.1.1 must not be tracked here
timeout 300
threshold 300
frequency 3
ip sla schedule 1 life forever start-time now
!
event manager applet UP_TUNNEL_10
event track 1 state up
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "interface Tunnel20"
action 1.3 cli command "shutdown"
action 1.4 cli command "interface Tunnel10"
action 1.5 cli command "no shutdown"
action 1.6 cli command "do clear crypto isakmp"
event manager applet SHUT_TUNNEL_10
event track 1 state down
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "interface Tunnel10"
action 1.3 cli command "shutdown"
action 1.4 cli command "interface Tunnel20"
action 1.5 cli command "no shutdown"
action 1.6 cli command "do clear crypto isakmp"
!
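To see how the delay down 180 / delay up 180 timers on the track object interact with the 3-second IP SLA probes, here is an added Python model that is not part of the original configuration or the article. It replays a constructed outage pattern (a 30-second blip followed by a 300-second outage) through a simplified model of the tracking object and records which EEM applet would fire and when; the TrackObject, simulate and scenario names are my own. The same run with both delays set to 0 shows the tunnel flap the timers prevent.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Timers taken from the Spoke configuration above.
PROBE_INTERVAL = 3     # ip sla 1 ... frequency 3
DELAY_DOWN = 180       # track 1 ... delay down 180
DELAY_UP = 180         # track 1 ... delay up 180

# CLI pushed by each EEM applet, keyed by the track state that fires it.
EEM_ACTIONS = {
    "down": ["interface Tunnel10", "shutdown",
             "interface Tunnel20", "no shutdown", "do clear crypto isakmp"],
    "up":   ["interface Tunnel20", "shutdown",
             "interface Tunnel10", "no shutdown", "do clear crypto isakmp"],
}


@dataclass
class TrackObject:
    """Simplified model of 'track N ip sla N reachability' with delay timers:
    a change of the probe result is only reported to EEM once it has
    persisted for the configured delay; if it reverts earlier, nothing fires."""
    delay_down: int = DELAY_DOWN
    delay_up: int = DELAY_UP
    state: str = "up"                 # state as seen by EEM
    pending: Optional[str] = None     # opposite state waiting out its delay
    pending_since: int = 0
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def probe(self, t: int, reachable: bool) -> Optional[str]:
        raw = "up" if reachable else "down"
        if raw == self.state:
            self.pending = None       # condition cleared before the delay expired
            return None
        if self.pending != raw:
            self.pending, self.pending_since = raw, t
        delay = self.delay_down if raw == "down" else self.delay_up
        if t - self.pending_since >= delay:
            self.state, self.pending = raw, None
            self.transitions.append((t, raw))
            return raw
        return None


def simulate(reachable_at: Callable[[int], bool], duration: int,
             delay_down: int = DELAY_DOWN, delay_up: int = DELAY_UP):
    """Feed one probe result every PROBE_INTERVAL seconds and collect the
    track transitions plus the EEM CLI that each transition would push."""
    track = TrackObject(delay_down, delay_up)
    cli: List[Tuple[int, List[str]]] = []
    for t in range(0, duration, PROBE_INTERVAL):
        fired = track.probe(t, reachable_at(t))
        if fired:
            cli.append((t, EEM_ACTIONS[fired]))
    return track.transitions, cli


def scenario(t: int) -> bool:
    """Constructed outage pattern: the Hub's primary tunnel source is
    unreachable for a 30 s blip at t=100 and for 300 s from t=300."""
    return not (100 <= t < 130 or 300 <= t < 600)


if __name__ == "__main__":
    transitions, cli = simulate(scenario, 900)
    print("with delay 180/180:", transitions)   # [(480, 'down'), (780, 'up')]
    for t, cmds in cli:
        print(f"  t={t:>3}s  " + " / ".join(cmds))
    print("with delay 0/0:    ", simulate(scenario, 900, 0, 0)[0])
```

With the configured timers the 30-second blip never reaches EEM and the real outage produces exactly one switch-over and one switch-back, each 180 seconds after the probe result changed. With the delays removed the same pattern produces four transitions, i.e. both tunnels are bounced and the ISAKMP SAs cleared twice for a blip that would have healed on its own.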
Verification
Since the primary tunnel interface is up, all Spoke routers register their NHRP mappings with the Hub router over the primary tunnel interface (Tunnel 10). All internal prefixes are also learnt over the primary tunnel, as the EIGRP adjacency is established over that interface.
Hub# show ip nhrp
192.168.100.2/32 via 192.168.100.2
Tunnel10 created 00:29:51, expire 01:30:28
Type: dynamic, Flags: unique registered
NBMA address: 172.22.1.1
192.168.100.3/32 via 192.168.100.3
Tunnel10 created 00:29:48, expire 01:31:00
Type: dynamic, Flags: unique registered used
NBMA address: 172.33.1.1
Hub# show ip route eigrp
D 192.168.1.0/24 [90/25603840] via 192.168.100.2, 00:10:34, Tunnel10
D 192.168.2.0/24 [90/25603840] via 192.168.100.3, 00:10:34, Tunnel10
Spoke1# show ip route eigrp
D 192.168.0.0/24 [90/25603840] via 192.168.100.1, 00:14:19, Tunnel10
D 192.168.2.0/24 [90/25605120] via 192.168.100.3, 00:11:08, Tunnel10
Spoke2# show ip route eigrp
D 192.168.0.0/24 [90/25603840] via 192.168.100.1, 00:11:34, Tunnel10
D 192.168.1.0/24 [90/25605120] via 192.168.100.2, 00:11:34, Tunnel10
When the source address of the primary tunnel interface on the Hub router becomes unreachable (the data link between the Hub and PE11 is down), the tracking object detects that the Hub is not reachable over Tunnel 10. The Spoke routers shut down Tunnel 10 and bring up Tunnel 20. The Hub router receives the NHRP registrations over Tunnel 20; the EIGRP adjacency is formed over this interface and routes are exchanged.
Spoke1#
*Jul 15 15:42:45.734: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
*Jul 15 15:42:45.982: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jul 15 15:42:46.434: %SYS-5-CONFIG_I: Configured from console by vty0
*Jul 15 15:42:47.898: %LINK-5-CHANGED: Interface Tunnel10, changed state to administratively down
*Jul 15 15:42:48.186: %LINK-3-UPDOWN: Interface Tunnel20, changed state to up
*Jul 15 15:42:48.286: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Jul 15 15:42:48.910: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to down
*Jul 15 15:42:49.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed state to up
*Jul 15 15:42:52.614: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1020: Neighbor 192.168.200.1 (Tunnel20) is up: new adjacency
Spoke1# show track
Track 1
IP SLA 1 reachability
Reachability is Down
99 changes, last change 00:00:33
Delay up 180 secs, down 180 secs
Latest operation return code: Timeout
Tracked by:
EEM applet UP_TUNNEL_10
EEM applet SHUT_TUNNEL_10
Hub# show ip nhrp
192.168.200.2/32 via 192.168.200.2
Tunnel20 created 00:03:58, expire 01:56:01
Type: dynamic, Flags: unique registered
NBMA address: 172.22.1.1
192.168.200.3/32 via 192.168.200.3
Tunnel20 created 00:06:54, expire 01:53:05
Type: dynamic, Flags: unique registered
NBMA address: 172.33.1.1
When Spoke-to-Spoke traffic is forwarded, the dynamic spoke-to-spoke tunnel is now formed via Tunnel 20.
Dynamic Spoke-to-Spoke tunnel
Spoke1# ping 192.168.2.1 source fa 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 388/864/1440 ms
Spoke1# show ip nhrp
192.168.200.1/32 via 192.168.200.1
Tunnel20 created 00:04:41, never expire
Type: static, Flags: used
NBMA address: 172.12.1.1
192.168.200.2/32 via 192.168.200.2
Tunnel20 created 00:00:05, expire 01:59:54
Type: dynamic, Flags: router unique local
NBMA address: 172.22.1.1
(no-socket)
192.168.200.3/32 via 192.168.200.3
Tunnel20 created 00:00:08, expire 01:59:56
Type: dynamic, Flags: router
NBMA address: 172.33.1.1
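A practitioner verifying a switch-over usually wants the show ip nhrp checks above done by script rather than by reading the display. The following Python is an added example and not from the article: it parses show ip nhrp output (both the Hub's registration table and a Spoke's cache, including the (no-socket) line), reports which tunnel each spoke has registered over, and flags any spoke still registered via the old tunnel or missing from the new one. The two sample outputs are copied from the Hub and Spoke1 displays above, reindented as IOS prints them; the parse_show_ip_nhrp, registered_spokes, check_failover and spoke_to_spoke_peers names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hub's table after the switch-over (from the article, reindented).
HUB_AFTER_FAILOVER = """\
192.168.200.2/32 via 192.168.200.2
   Tunnel20 created 00:03:58, expire 01:56:01
   Type: dynamic, Flags: unique registered
   NBMA address: 172.22.1.1
192.168.200.3/32 via 192.168.200.3
   Tunnel20 created 00:06:54, expire 01:53:05
   Type: dynamic, Flags: unique registered
   NBMA address: 172.33.1.1
"""

# Spoke1's cache after the spoke-to-spoke ping (from the article, reindented).
SPOKE1_AFTER_PING = """\
192.168.200.1/32 via 192.168.200.1
   Tunnel20 created 00:04:41, never expire
   Type: static, Flags: used
   NBMA address: 172.12.1.1
192.168.200.2/32 via 192.168.200.2
   Tunnel20 created 00:00:05, expire 01:59:54
   Type: dynamic, Flags: router unique local
   NBMA address: 172.22.1.1
    (no-socket)
192.168.200.3/32 via 192.168.200.3
   Tunnel20 created 00:00:08, expire 01:59:56
   Type: dynamic, Flags: router
   NBMA address: 172.33.1.1
"""

ENTRY_RE = re.compile(r"^(\S+/\d+) via (\S+)$")
TUNNEL_RE = re.compile(r"^\s*(Tunnel\d+) created \S+, (?:never expire|expire \S+)$")
TYPE_RE = re.compile(r"^\s*Type: (\w+), Flags: (.*)$")
NBMA_RE = re.compile(r"^\s*NBMA address: (\S+)$")


@dataclass
class NhrpEntry:
    prefix: str
    via: str
    tunnel: str = ""
    entry_type: str = ""            # static | dynamic
    flags: List[str] = field(default_factory=list)
    nbma: str = ""
    no_socket: bool = False         # no IPsec socket yet for this mapping


def parse_show_ip_nhrp(text: str) -> List[NhrpEntry]:
    """Group the 3-4 indented detail lines under each 'prefix via next-hop' line."""
    entries: List[NhrpEntry] = []
    cur: Optional[NhrpEntry] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = NhrpEntry(m.group(1), m.group(2))
            entries.append(cur)
            continue
        if cur is None:
            continue
        if (m := TUNNEL_RE.match(line)):
            cur.tunnel = m.group(1)
        elif (m := TYPE_RE.match(line)):
            cur.entry_type, cur.flags = m.group(1), m.group(2).split()
        elif (m := NBMA_RE.match(line)):
            cur.nbma = m.group(1)
        elif line.strip() == "(no-socket)":
            cur.no_socket = True
    return entries


def registered_spokes(entries: List[NhrpEntry]) -> Dict[str, Set[str]]:
    """Hub view: tunnel -> NBMA addresses of spokes that have registered."""
    out: Dict[str, Set[str]] = {}
    for e in entries:
        if e.entry_type == "dynamic" and "registered" in e.flags:
            out.setdefault(e.tunnel, set()).add(e.nbma)
    return out


def check_failover(entries: List[NhrpEntry], expected_tunnel: str,
                   expected_nbma: Set[str]) -> List[str]:
    """Problems on the Hub after a switch-over: registrations still on another
    tunnel, or expected spokes missing from the tunnel that should be active."""
    regs = registered_spokes(entries)
    problems = []
    for tun, nbmas in regs.items():
        if tun != expected_tunnel:
            problems.append(f"{sorted(nbmas)} still registered via {tun}")
    missing = set(expected_nbma) - regs.get(expected_tunnel, set())
    if missing:
        problems.append(f"not registered via {expected_tunnel}: {sorted(missing)}")
    return problems


def spoke_to_spoke_peers(entries: List[NhrpEntry]) -> List[str]:
    """Spoke view: NBMA addresses learnt by NHRP resolution for other spokes
    (dynamic entries with the 'router' flag, excluding the spoke's own 'local'
    entry and the static NHS mapping)."""
    return sorted(e.nbma for e in entries
                  if e.entry_type == "dynamic" and "router" in e.flags
                  and "local" not in e.flags)


if __name__ == "__main__":
    hub = parse_show_ip_nhrp(HUB_AFTER_FAILOVER)
    print("registered:", registered_spokes(hub))
    print("problems:", check_failover(hub, "Tunnel20", {"172.22.1.1", "172.33.1.1"}))
    print("spoke-to-spoke peers on Spoke1:", spoke_to_spoke_peers(parse_show_ip_nhrp(SPOKE1_AFTER_PING)))
```

Feed it the Hub's live show ip nhrp output and the set of spoke NBMA addresses you expect; an empty problem list is the same evidence the manual check above gives, and a stale registration on the old tunnel is the symptom to look for if a spoke's track object has not yet fired (the 180-second delay) or its IP SLA target is wrong.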