DMVPN with dual ISPs

mpls label protocol ldp

mpls ldp router-id Loopback 0 force

!

ip vrf CUST

 rd 1:1

 route-target both 1:1

!

interface Loopback 0

 ip address 1.1.1.1 255.255.255.255

 ip ospf 1 area 0

!

interface Serial 0/0

 ip vrf forwarding CUST

 ip address 172.11.1.2 255.255.255.0

!

router bgp 100

 neighbor 2.2.2.2 remote-as 100

 neighbor 2.2.2.2 update-source Loopback 0

 !

 address-family vpnv4

 neighbor 2.2.2.2 activate

 exit-address-family

 !

 address-family ipv4 vrf CUST

 neighbor 172.11.1.1 remote-as 65001

 neighbor 172.11.1.1 activate

 redistribute connected

 exit-address-family

!

interface Loopback 0

 ip address 2.2.2.2 255.255.255.255

 ip ospf 1 area 0

!

router ospf 1

 passive-interface FastEthernet1/0

 passive-interface FastEthernet2/0

 network 10.100.1.0 0.0.0.255 area 0

 network 10.100.2.0 0.0.0.255 area 0

!

router bgp 100

 no bgp route-target default filter                ! Accept all VPNv4 routes

 neighbor 1.1.1.1 remote-as 100                    ! PE11 router

 neighbor 1.1.1.1 update-source Loopback 0

 neighbor 3.3.3.3 remote-as 100                    ! PE12 router

 neighbor 3.3.3.3 update-source Loopback 0

 neighbor 10.100.1.2 remote-as 200

 neighbor 10.100.1.2 send-label                    ! eBGP connection with PE200 router. The "send-label" keyword allows the router to send label with BGP VPNv4 prefixes

 neighbor 10.100.2.2 remote-as 200

 neighbor 10.100.2.2 send-label

 !

 address-family vpnv4

 neighbor 1.1.1.1 activate

 neighbor 1.1.1.1 route-reflector-client

 neighbor 1.1.1.1 next-hop-self

 neighbor 3.3.3.3 activate

 neighbor 3.3.3.3 route-reflector-client

 neighbor 3.3.3.3 next-hop-self

 neighbor 10.100.1.2 activate

 neighbor 10.100.1.2 route-map LOCAL_PREF in    ! Set Local-Preference to 150 for all incoming VPNv4 prefixes from this neighbor

 neighbor 10.100.2.2 activate

!

route-map LOCAL_PREF permit 10

 set local-preference 150

!

interface Loopback 0

 ip address 5.5.5.5 255.255.255.255

 ip ospf 2 area 0

!

router ospf 2

 passive-interface FastEthernet1/0

 passive-interface FastEthernet2/0

 network 10.100.1.0 0.0.0.255 area 0

 network 10.100.2.0 0.0.0.255 area 0

!

router bgp 200

 no bgp route-target default filter

 neighbor 4.4.4.4 remote-as 200                ! PE21 router

 neighbor 4.4.4.4 update-source Loopback 0

 neighbor 6.6.6.6 remote-as 200                ! PE22 router

 neighbor 6.6.6.6 update-source Loopback 0

 neighbor 10.100.1.1 remote-as 100             ! eBGP connection to PE100

 neighbor 10.100.1.1 send-label

 neighbor 10.100.2.1 remote-as 100

 neighbor 10.100.2.1 send-label

 !

 address-family vpnv4

 neighbor 4.4.4.4 activate

 neighbor 4.4.4.4 route-reflector-client

 neighbor 4.4.4.4 next-hop-self

 neighbor 6.6.6.6 activate

 neighbor 6.6.6.6 route-reflector-client

 neighbor 6.6.6.6 next-hop-self

 neighbor 10.100.1.1 activate

 neighbor 10.100.1.1 route-map LOCAL_PREF in

 neighbor 10.100.2.1 activate

!

route-map LOCAL_PREF permit 10

 set local-preference 150

!

PE100# show ip bgp vpnv4 all summary

BGP router identifier 2.2.2.2, local AS number 100

BGP table version is 13, main routing table version 13

4 network entries using 560 bytes of memory

6 path entries using 408 bytes of memory

4/2 BGP path/bestpath attribute entries using 496 bytes of memory

1 BGP AS-PATH entries using 24 bytes of memory

1 BGP extended community entries using 24 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

Bitfield cache entries: current 1 (at peak 3) using 32 bytes of memory

BGP using 1544 total bytes of memory

BGP activity 4/0 prefixes, 10/4 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

1.1.1.1         4   100      41      47       13    0    0 00:36:36        1

3.3.3.3         4   100      41      47       13    0    0 00:35:42        1

10.100.1.2      4   200      51      52       13    0    0 00:15:47        2

10.100.2.2      4   200      40      41       13    0    0 00:15:43        2

PE100# show ip bgp vpnv4 all

BGP table version is 13, local router ID is 2.2.2.2

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 1:1

*>i172.11.1.0/24    1.1.1.1                  0    100      0 ?

*  172.12.1.0/24    10.100.2.2                             0 200 ?

*>                  10.100.1.2                    150      0 200 ?

*>i172.22.1.0/24    3.3.3.3                  0    100      0 ?

*  172.33.1.0/24    10.100.2.2                             0 200 ?

*>                  10.100.1.2                    150      0 200 ?

PE200# show ip bgp vpnv4 all

BGP table version is 13, local router ID is 5.5.5.5

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 1:1

*  172.11.1.0/24    10.100.2.1                             0 100 ?

*>                  10.100.1.1                    150      0 100 ?

*>i172.12.1.0/24    4.4.4.4                  0    100      0 ?

*  172.22.1.0/24    10.100.2.1                             0 100 ?

*>                  10.100.1.1                    150      0 100 ?

*>i172.33.1.0/24    6.6.6.6                  0    100      0 ?

crypto isakmp policy 10

 encryption 3des

 authentication pre-share

 hash md5

 group 2

!

crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set TS esp-3des esp-md5-hmac

 mode transport

!

crypto ipsec profile DMVPN

 set transform-set TS

!

interface Tunnel10                        ! Primary Tunnel

 ip address 192.168.100.1 255.255.255.0

 no ip next-hop-self eigrp 1020

 ip nhrp map multicast dynamic

 ip nhrp network-id 123

 no ip split-horizon eigrp 1020

 delay 5

 tunnel source Serial1/0

 tunnel mode gre multipoint

 tunnel key 123

 tunnel protection ipsec profile DMVPN shared

!

interface Tunnel20                        ! Backup Tunnel

 ip address 192.168.200.1 255.255.255.0

 no ip next-hop-self eigrp 1020

 ip nhrp map multicast dynamic

 ip nhrp network-id 456

 no ip split-horizon eigrp 1020

 delay 10

 tunnel source Serial1/1

 tunnel mode gre multipoint

 tunnel key 456

 tunnel protection ipsec profile DMVPN shared

!

router eigrp 1020

 no auto-summary

 network 192.168.0.0

 network 192.168.100.0

 network 192.168.200.0

!

router bgp 65001

 neighbor 172.11.1.2 remote-as 100

 neighbor 172.11.1.2 filter-list 10 out

 neighbor 172.12.1.2 remote-as 200

 neighbor 172.12.1.2 filter-list 10 out

!

ip as-path access-list 10 permit ^$        ! Allows only local routes to be advertised

!

crypto isakmp policy 10

 encr 3des

 hash md5

 authentication pre-share

 group 2

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set TS esp-3des esp-md5-hmac

 mode transport

!

crypto ipsec profile DMVPN

 set transform-set TS

!

interface Tunnel10

 ip address 192.168.100.2 255.255.255.0

 ip nhrp map 192.168.100.1 172.11.1.1

 ip nhrp map multicast 172.11.1.1

 ip nhrp network-id 123

 ip nhrp nhs 192.168.100.1

 delay 5

 tunnel source Serial1/0

 tunnel mode gre multipoint

 tunnel key 123

 tunnel protection ipsec profile DMVPN shared

!

interface Tunnel20

 ip address 192.168.200.2 255.255.255.0

 ip nhrp map 192.168.200.1 172.12.1.1

 ip nhrp map multicast 172.12.1.1

 ip nhrp network-id 456

 ip nhrp nhs 192.168.200.1

 delay 10

 tunnel source Serial1/0

 tunnel mode gre multipoint

 tunnel key 456

 tunnel protection ipsec profile DMVPN shared

!

router bgp 65002

 neighbor 172.22.1.2 remote-as 100

!

crypto isakmp policy 10

 encryption 3des

 hash md5

 authentication pre-share

 group 2

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set TS esp-3des esp-md5-hmac

 mode transport

!

crypto ipsec profile DMVPN

 set transform-set TS

!

interface Tunnel10

 ip address 192.168.100.3 255.255.255.0

 ip nhrp map 192.168.100.1 172.11.1.1

 ip nhrp map multicast 172.11.1.1

 ip nhrp network-id 123

 ip nhrp nhs 192.168.100.1

 delay 5

 tunnel source Serial1/0

 tunnel mode gre multipoint

 tunnel key 123

 tunnel protection ipsec profile DMVPN shared

!

interface Tunnel20

 ip address 192.168.200.3 255.255.255.0

 ip nhrp map 192.168.200.1 172.12.1.1

 ip nhrp map multicast 172.12.1.1

 ip nhrp network-id 456

 ip nhrp nhs 192.168.200.1

 delay 10

 tunnel source Serial1/0

 tunnel mode gre multipoint

 tunnel key 456

 tunnel protection ipsec profile DMVPN shared

!

router bgp 65003

 neighbor 172.33.1.2 remote-as 200

!

ip sla responder

!

track 1 ip sla 1 reachability

 delay down 180 up 180

!

ip sla 1

 icmp-echo 172.11.1.1 source-interface Serial1/0

 timeout 300

 threshold 300

 frequency 3

ip sla schedule 1 life forever start-time now

!

event manager applet UP_TUNNEL_10

 event track 1 state up

 action 1.0 cli command "enable"

 action 1.1 cli command "config t"

 action 1.2 cli command "interface Tunnel20"

 action 1.3 cli command "shutdown"

 action 1.4 cli command "interface Tunnel10"

 action 1.5 cli command "no shutdown"

 action 1.6 cli command "do clear crypto isakmp"

event manager applet SHUT_TUNNEL_10

 event track 1 state down

 action 1.0 cli command "enable"

 action 1.1 cli command "config t"

 action 1.2 cli command "interface Tunnel10"

 action 1.3 cli command "shutdown"

 action 1.4 cli command "interface Tunnel20"

 action 1.5 cli command "no shutdown"

 action 1.6 cli command "do clear crypto isakmp"

!

track 1 ip sla 1 reachability

 delay down 180 up 180

!

ip sla 1

 icmp-echo 172.12.1.1 source-interface Serial1/0

 timeout 300

 threshold 300

 frequency 3

ip sla schedule 1 life forever start-time now

!

event manager applet UP_TUNNEL_10

 event track 1 state up

 action 1.0 cli command "enable"

 action 1.1 cli command "config t"

 action 1.2 cli command "interface Tunnel20"

 action 1.3 cli command "shutdown"

 action 1.4 cli command "interface Tunnel10"

 action 1.5 cli command "no shutdown"

 action 1.6 cli command "do clear crypto isakmp"

event manager applet SHUT_TUNNEL_10

 event track 1 state down

 action 1.0 cli command "enable"

 action 1.1 cli command "config t"

 action 1.2 cli command "interface Tunnel10"

 action 1.3 cli command "shutdown"

 action 1.4 cli command "interface Tunnel20"

 action 1.5 cli command "no shutdown"

 action 1.6 cli command "do clear crypto isakmp"

!

Hub# show ip nhrp

192.168.100.2/32 via 192.168.100.2

   Tunnel10 created 00:29:51, expire 01:30:28

   Type: dynamic, Flags: unique registered

   NBMA address: 172.22.1.1

192.168.100.3/32 via 192.168.100.3

   Tunnel10 created 00:29:48, expire 01:31:00

   Type: dynamic, Flags: unique registered used

   NBMA address: 172.33.1.1

Hub# show ip route eigrp

D    192.168.1.0/24 [90/25603840] via 192.168.100.2, 00:10:34, Tunnel10

D    192.168.2.0/24 [90/25603840] via 192.168.100.3, 00:10:34, Tunnel10

Spoke1# show ip route eigrp

D    192.168.0.0/24 [90/25603840] via 192.168.100.1, 00:14:19, Tunnel10

D    192.168.2.0/24 [90/25605120] via 192.168.100.3, 00:11:08, Tunnel10

Spoke2# show ip route eigrp

D    192.168.0.0/24 [90/25603840] via 192.168.100.1, 00:11:34, Tunnel10

D    192.168.1.0/24 [90/25605120] via 192.168.100.2, 00:11:34, Tunnel10

Spoke1#

*Jul 15 15:42:45.734: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down

*Jul 15 15:42:45.982: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

*Jul 15 15:42:46.434: %SYS-5-CONFIG_I: Configured from console by vty0

*Jul 15 15:42:47.898: %LINK-5-CHANGED: Interface Tunnel10, changed state to administratively down

*Jul 15 15:42:48.186: %LINK-3-UPDOWN: Interface Tunnel20, changed state to up

*Jul 15 15:42:48.286: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Jul 15 15:42:48.910: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to down

*Jul 15 15:42:49.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed state to up

*Jul 15 15:42:52.614: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1020: Neighbor 192.168.200.1 (Tunnel20) is up: new adjacency

Spoke1# show track

Track 1

  IP SLA 1 reachability

  Reachability is Down

    99 changes, last change 00:00:33

  Delay up 180 secs, down 180 secs

  Latest operation return code: Timeout

  Tracked by:

    EEM applet UP_TUNNEL_10

    EEM applet SHUT_TUNNEL_10

Hub# show ip nhrp

192.168.200.2/32 via 192.168.200.2

   Tunnel20 created 00:03:58, expire 01:56:01

   Type: dynamic, Flags: unique registered

   NBMA address: 172.22.1.1

192.168.200.3/32 via 192.168.200.3

   Tunnel20 created 00:06:54, expire 01:53:05

   Type: dynamic, Flags: unique registered

   NBMA address: 172.33.1.1

Spoke1# ping 192.168.2.1 source fa 0/0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 388/864/1440 ms

Spoke1# show ip nhrp

192.168.200.1/32 via 192.168.200.1

   Tunnel20 created 00:04:41, never expire

   Type: static, Flags: used

   NBMA address: 172.12.1.1

192.168.200.2/32 via 192.168.200.2

   Tunnel20 created 00:00:05, expire 01:59:54

   Type: dynamic, Flags: router unique local

   NBMA address: 172.22.1.1

    (no-socket)

192.168.200.3/32 via 192.168.200.3

   Tunnel20 created 00:00:08, expire 01:59:56

   Type: dynamic, Flags: router

   NBMA address: 172.33.1.1