DMVPN Dual Hub Dual Cloud

In previous DMVPN lessons I explained how to configure a small DMVPN network using a hub and two spoke routers. The disadvantage of a single hub router is that it’s a single point of failure. Once your hub router fails, the entire DMVPN network is gone.

To add redundancy to our DMVPN network we need to add another hub router. There are two options for this:

Dual hub – Single Cloud
Dual hub – Dual Cloud

With the single cloud option we use a single DMVPN network but we add a second hub. The spoke routers will use only one multipoint GRE interface where we configure the second hub as a next hop server.

The dual cloud option also has two hubs but we will use two DMVPN networks which means that all spoke routers will get a second multipoint GRE interface.

In this lesson we’ll take a look at the dual hub dual cloud option. This is the best option for DMVPN dual hub. Take a look at the following picture:

DMVPN Dual Hub Dual Cloud Overview

Above we have two hub routers and two spoke routers. Each hub router will be connected to a different ISP and we will create two DMVPN networks. The spoke routers will be connected to both DMVPN networks which means they’ll have two multipoint GRE interfaces. The main advantage of using two interfaces is that it’s easy to influence your routing. The only disadvantage is that it takes a bit more time to build this configuration.

Configuration

To demonstrate all of this, we’ll use the following topology:

DMVPN Dual Hub Dual Cloud Topology

Above we have the R1 router which is on the main site. Hub1 and hub2 provide access to our main network and are connected to different ISPs. This is not a requirement but for redundancy, it makes sense to use a different ISP for each hub.

The spoke routers are connected to both ISPs and will connect to both DMVPN networks. R1, spoke1 and spoke2 each have a loopback interface which we will advertise in a routing protocol.

Hub routers

Let’s start with the hub routers:

Hub1(config)#interface Tunnel1
Hub1(config-if)#ip address 172.16.1.1 255.255.255.0
Hub1(config-if)#ip nhrp authentication DMVPN
Hub1(config-if)#ip nhrp map multicast dynamic
Hub1(config-if)#ip nhrp network-id 1
Hub1(config-if)#tunnel source GigabitEthernet0/1
Hub1(config-if)#tunnel mode gre multipoint
Hub1(config-if)#tunnel key 1
Hub2(config)#interface Tunnel2
Hub2(config-if)#ip address 172.16.2.2 255.255.255.0
Hub2(config-if)#ip nhrp authentication DMVPN
Hub2(config-if)#ip nhrp map multicast dynamic
Hub2(config-if)#ip nhrp network-id 2
Hub2(config-if)#tunnel source GigabitEthernet0/2
Hub2(config-if)#tunnel mode gre multipoint
Hub2(config-if)#tunnel key 2

The configuration of the hub routers is identical except:

  • We use a different NHRP network ID.
  • We use a different tunnel key.
  • We use a different subnet for each tunnel.

Spoke routers

Let’s configure the spoke routers:

Spoke1(config)#interface Tunnel1
Spoke1(config-if)#ip address 172.16.1.3 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.1.1 192.168.1.1
Spoke1(config-if)#ip nhrp map multicast 192.168.1.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.1.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint
Spoke1(config-if)#tunnel key 1
Spoke1(config)#interface Tunnel2
Spoke1(config-if)#ip address 172.16.2.3 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.2.2 192.168.2.2
Spoke1(config-if)#ip nhrp map multicast 192.168.2.2
Spoke1(config-if)#ip nhrp network-id 2
Spoke1(config-if)#ip nhrp nhs 172.16.2.2
Spoke1(config-if)#tunnel source GigabitEthernet0/2
Spoke1(config-if)#tunnel mode gre multipoint
Spoke1(config-if)#tunnel key 2

The spoke routers will have two tunnel interfaces. The configuration is pretty much the same but make sure you use the correct tunnel address, NBMA address, NHRP network ID and tunnel key.

We can copy the configuration of spoke1 to spoke2, the only difference is the IP address:

Spoke2(config)#interface Tunnel1
Spoke2(config-if)#ip address 172.16.1.4 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.1.1 192.168.1.1
Spoke2(config-if)#ip nhrp map multicast 192.168.1.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.1.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint
Spoke2(config-if)#tunnel key 1
Spoke2(config)#interface Tunnel2
Spoke2(config-if)#ip address 172.16.2.4 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.2.2 192.168.2.2
Spoke2(config-if)#ip nhrp map multicast 192.168.2.2
Spoke2(config-if)#ip nhrp network-id 2
Spoke2(config-if)#ip nhrp nhs 172.16.2.2
Spoke2(config-if)#tunnel source GigabitEthernet0/2
Spoke2(config-if)#tunnel mode gre multipoint
Spoke2(config-if)#tunnel key 2

This takes care of the DMVPN networks. Let’s verify our work:

Hub1#show dmvpn | begin Peers
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.1.3          172.16.1.3    UP 00:18:06     D
     1 192.168.1.4          172.16.1.4    UP 00:05:55     D
Hub2#show dmvpn | begin Peers
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.2.3          172.16.2.3    UP 00:00:45     D
     1 192.168.2.4          172.16.2.4    UP 00:01:40     D

Each hub router has two registration, one for each spoke router. We can now focus on the routing configuration.

EIGRP

This time I’ll use EIGRP as the routing protocol. We will advertise all loopback and tunnel interfaces in EIGRP:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 654 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

535 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,


Forum Replies

  1. Hi Rene,

    a question regarding OSPF with dual cloud DMVPN… i am currently labbing this for deploymant at one of my customers and i cannot find the answer as how to achieve the EIGRP stub functionality in OSPF, as my spoke router has dual connections its becoming a transit router when a certain downstream link fails (which i dont want) is there a way in OSPF to only advertise connected routes?

  2. Hi Richard,

    Hmm that might be difficult. OSPF does have the stub router feature, which sets the metric to the highest value:

    That might be useful to make your router unlikely to become a transit route but doesn’t 100% exclude it. This can be difficult, especially if your OSPF routers are all in the same area, it’s hard to filter…

    Rene

  3. I have a weird scenario.
    Let’s say I had 5 sites: 2 main sites, and 3 remote sites. In the mix, one of the main sites has 2 hubs, and one of the remote sites has 2 spokes.
    How would that work? (Could it work?)
    Please tell me if I’m wrong, but if it is possible, then to have full redundancy I would need to configure as such:

    MainSite1
    Hub1/Tunnel 1: Connected to RemoteSite1/Spoke1, RemoteSite2/Spoke1, RemoteSite3/Spoke1, MainSite2/Hub3
    Hub2/Tunnel 2: Connected to RemoteSite1/Spoke2, RemoteSite2/Spoke3, RemoteSite3/Spoke4, MainSite2/Hub3

    MainSite2
    Hub3/Tunnel 3:

    ... Continue reading in our forum

  4. Hi Kevin,

    What you describe sounds correct. You should be able to make this work by configuring HUB3 as a hub for all your spoke routers, and making HUB3 a client of HUB1 and HUB2.

    You’ll need EIGRP add path support on all hub routers:

    ... Continue reading in our forum

  5. Hi Kevin,

    Were you able to make it work? You mean using regular GRE tunnels between MainSite1 and MainSite2? If you are using static IP addresses on both sites, it might be an idea to use regular GRE tunnels for these sites, saving you the hassle of DMVPN between these sites. I can’t think of an advantage of using DMVPN between these sites unless you are using a dynamic IP address on MainSite2.

    Rene

7 more replies! Ask a question or join the discussion by visiting our Community Forum