DMVPN Dual Hub Dual Cloud

This topic is to discuss the following lesson:

Awesome, thanks Rene,

What does the tunnel-key do? I just spent ages trying to get this topology working but forgot the tunnel key command. I was using OSPF and only 1 neighbour fully established; the other was just stuck at INIT.

The tunnel key is necessary so the router can figure out which tunnel interface is responsible for processing the incoming encapsulated packet. You can’t rely on the destination address because it becomes a chicken-and-egg problem: Which tunnel interface should be used to de-encapsulate the packet, so the destination address can be read to determine which tunnel interface should be used? :slight_smile:

The tunnel-key solves this problem.
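A simplified model of the demultiplexing described in the reply above, added here as an illustration (it is not part of the original posts or the lesson). It parses the optional key field of a GRE header (RFC 2890) and lists which configured tunnel interfaces could claim the packet; `Tunnel1` with key 1 is an assumption, since the thread only shows `tunnel key 2` on Tunnel2, and both tunnels are assumed to share one source interface.

```python
import struct

# Flag bits in the first 16-bit word of a GRE header (RFC 2784 / RFC 2890).
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000

def gre_key(gre: bytes):
    """Return the 32-bit key of a GRE header, or None when the K bit is clear."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, _proto = struct.unpack_from("!HH", gre, 0)
    if not flags & GRE_K:
        return None
    # Checksum + Reserved1 (4 bytes), when present, precede the key field.
    offset = 4 + (4 if flags & GRE_C else 0)
    if len(gre) < offset + 4:
        raise ValueError("K bit set but key field is missing")
    return struct.unpack_from("!I", gre, offset)[0]

def candidates(gre: bytes, tunnels):
    """Names of tunnel interfaces whose configured key matches the packet.

    tunnels: list of (interface_name, configured_key_or_None).
    Exactly one name means the packet can be handed to that interface;
    more than one is the ambiguity the reply describes.
    """
    key = gre_key(gre)
    return [name for name, cfg_key in tunnels if cfg_key == key]

def build_gre(key=None, proto=0x0800, payload=b""):
    """Construct a minimal GRE header for the sample packets below."""
    hdr = struct.pack("!HH", GRE_K if key is not None else 0, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload

# Constructed sample configurations (interface name, tunnel key).
WITH_KEYS = [("Tunnel1", 1), ("Tunnel2", 2)]       # Tunnel1/key 1 is assumed
NO_KEYS = [("Tunnel1", None), ("Tunnel2", None)]   # "tunnel key" forgotten

if __name__ == "__main__":
    # The key is a cleartext identifier in the header, not authentication.
    print(candidates(build_gre(key=2), WITH_KEYS))  # one owner
    print(candidates(build_gre(), NO_KEYS))         # ambiguous
    print(candidates(build_gre(key=7), WITH_KEYS))  # no owner, dropped
```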

Hi Team,

I just had an interesting experience configuring my second hub: I forgot to add the no split horizon eigrp # command. I was getting the following errors:

Mar  1 01:23:08.639: IP-EIGRP(Default-IP-Routing-Table:1): 192.168.254.0/24 - do advertise out Tunnel2
*Mar  1 01:23:08.639: IP-EIGRP(Default-IP-Routing-Table:1): Int 192.168.254.0/24 metric 128256 - 256 128000
*Mar  1 01:23:08.723: IP-EIGRP(Default-IP-Routing-Table:1): Processing incoming UPDATE packet
*Mar  1 01:23:08.723: IP-EIGRP(Default-IP-Routing-Table:1): Int 192.168.254.0/24 M 4294967295 - 284444416 4294967295 SM 4294967295 - 284444416 4294967295

What was interesting is that I was still able to establish neighbors though, before adding split horizon on tunnel 2 interface. I was having issues getting 192.168.254.0 on my spoke’s routing table. So I added the network statement as follows and it worked without split horizon on:

router eigrp 1
net 192.168.254.0 

Before, I had it like this and it wasn’t working.

router eigrp 1
net 192.168.0.0

I hadn’t seen this error message so I was a little confused by this. I guess this is the error message for split horizon not being enabled?

Thanks

Hi Fabian,

Split horizon (on or off) won’t prevent your router from becoming neighbors with another router. It will only prevent it from advertising.

The metric (4294967295) that you see in your debug is the highest value and is considered an infinite distance.

Rene

Hi Rene,

A question regarding OSPF with dual cloud DMVPN… I am currently labbing this for deployment at one of my customers and I cannot find the answer as to how to achieve the EIGRP stub functionality in OSPF. As my spoke router has dual connections, it’s becoming a transit router when a certain downstream link fails (which I don’t want). Is there a way in OSPF to only advertise connected routes?

Hi Richard,

Hmm that might be difficult. OSPF does have the stub router feature, which sets the metric to the highest value:

That might be useful to make your router unlikely to become a transit route but doesn’t 100% exclude it. This can be difficult, especially if your OSPF routers are all in the same area, it’s hard to filter…

Rene

I have a weird scenario.
Let’s say I had 5 sites: 2 main sites, and 3 remote sites. In the mix, one of the main sites has 2 hubs, and one of the remote sites has 2 spokes.
How would that work? (Could it work?)
Please tell me if I’m wrong, but if it is possible, then to have full redundancy I would need to configure as such:

MainSite1
Hub1/Tunnel 1: Connected to RemoteSite1/Spoke1, RemoteSite2/Spoke1, RemoteSite3/Spoke1, MainSite2/Hub3
Hub2/Tunnel 2: Connected to RemoteSite1/Spoke2, RemoteSite2/Spoke3, RemoteSite3/Spoke4, MainSite2/Hub3

MainSite2
Hub3/Tunnel 3: Connected to RemoteSite1/Spoke1, RemoteSite1/Spoke2, RemoteSite2/Spoke3, RemoteSite3/Spoke4

If this scenario is correct, then would I also need to configure “add-path” for EIGRP? If so, then would it be configured only on MainSite1 or would it also be necessary elsewhere?

DMVPN - Complex Layout

Hi Kevin,

What you describe sounds correct. You should be able to make this work by configuring HUB3 as a hub for all your spoke routers, and making HUB3 a client of HUB1 and HUB2.

You’ll need EIGRP add path support on all hub routers:

Without it, your hub routers will only have a single route for the network(s) behind SPOKE1 + SPOKE2.

Hello Rene,

Thank you. I will lab this and test it out.
One follow up question: Would there be any benefit in creating 2 new separate tunnels between MainSite1 and MainSite2, versus using existing tunnels and making HUB3 a client of HUB1 and HUB2?

Hi Kevin,

Were you able to make it work? You mean using regular GRE tunnels between MainSite1 and MainSite2? If you are using static IP addresses on both sites, it might be an idea to use regular GRE tunnels for these sites, saving you the hassle of DMVPN between these sites. I can’t think of an advantage of using DMVPN between these sites unless you are using a dynamic IP address on MainSite2.

Rene

Hi Rene, great write-up here.

I’ve got a similar situation - routing protocol TBD (maybe you can suggest) but essentially what we are trying to do is create 2 Main DMVPN hubs, located in the US. Then we want to create Secondary hubs (7 of them) across the oceans. We will then have spokes for the secondary hubs which need spoke-2-spoke between them.

Is this possible, if the Secondary hubs are just spokes to the Main hubs? Would I need 7 tunnels for each DMVPN domain (eg, 14 tunnels) and then each site would just connect to its closest geographical Secondary hub?

And what would be the best routing protocol to use for this? I appreciate any feedback :slight_smile:

Shawn

Hello Shawn

Sorry for the delay on this one.

Based on the information in the lesson, this would indeed be the case. You have your two main hubs in the US, and instead of having two spokes, you have seven spokes worldwide. And yes, you would require 7 tunnels for each domain. Sounds like you have the technology down pat.

Hmm, that’s a good question. It really depends on who you ask and what experience people have had with each routing protocol, and of course, what the topology looks like.

In general, for the topology that you describe, EIGRP or even BGP would be a preferred choice over OSPF. This is because OSPF has a defined hierarchy where a router’s interfaces belong to area 0 or to a non-backbone area. This makes it difficult to model a hub and spoke network like DMVPN. OSPF must sync its database within each individual area, so summarization cannot occur just anywhere, making it difficult to summarize from hub to spoke. For a smaller DMVPN deployment, OSPF could probably work just fine, but for something as large as your network, it’s probably not ideal.

EIGRP and BGP have no defined hierarchy and don’t need syncing of databases between routers. Summarization can occur anywhere in the topology which is good for hub and spoke topologies.

Depending on your experience with the protocol, BGP may actually be a better choice than EIGRP because of its rich set of built-in policy capabilities and its large number of configurable options to tailor the routing solution to your specific needs.

I hope this has been helpful!

Laz

Question: if I have an OSPF dual hub setup with 2 tunnels on each, is it best practice to use different IP address subnets for each tunnel in each hub, or can I use the same subnet range per hub?

HUB 1

tunnel 1 : 192.168.10.0/24

tunnel 2 : 192.168.20.0/24

HUB 2

tunnel 1 : 10.10.10.0/24

tunnel 2 : 10.20.20.0/24

Hello David

Because you are setting up two tunnels for each spoke router, these tunnels exist in two separate L3 segments. You are essentially creating two point to multipoint topologies: Hub1 to Spokes 1 and 2, and Hub 2 to Spokes 1 and 2. Each of these multipoint tunnels exists as a separate layer 3 segment, and thus must have a separate subnet configured.

I hope this has been helpful!

Laz

Yes, thank you for your quick response.


I believe there is a typo in the config or the diagram is not accurate. According to the diagram both HUBs are using Gi0/1 to connect to the ISP. However the HUB2 router has source Gi0/2 in the tunnel2 configuration.


Hello Denis

Yes you are correct, thanks for catching that. I’ll let Rene know to make the appropriate corrections.

Laz


I just fixed this typo. Thanks @denis.grinceac

Rene

There seems to be a mistake in the Hub2 configuration:

hostname Hub2
!
interface Tunnel2
 ip address 172.16.2.2 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 1
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 delay 6000
 tunnel source GigabitEthernet0/1 ==> It should be 0/2
 tunnel mode gre multipoint
 tunnel key 2
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.0

!
interface GigabitEthernet0/2
 ip address 192.168.2.2 255.255.255.0

-

hostname Spoke1
!
interface Tunnel2
 ip address 172.16.2.3 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.2.2 192.168.2.2 ==> It matches the Hub2 G0/2 interface
 ip nhrp map multicast 192.168.2.2
 ip nhrp network-id 2
 ip nhrp nhs 172.16.2.2
 delay 6000
 tunnel source GigabitEthernet2/0
 tunnel mode gre multipoint
 tunnel key 2

Thanks for correcting me