Dual hub single cloud DMVPN
R1, R2 --> hubs
R3, R4 --> spokes
ASA1/ASA2 --> active/standby failover
Basic Configuration
R1:
int f0/0
ip add 1.1.1.1 255.255.255.0
no sh
int f0/1
ip add 10.1.1.1 255.255.255.0
no sh
!
ip route 3.3.3.0 255.255.255.0 1.1.1.10
R2:
int f0/0
ip add 1.1.1.2 255.255.255.0
no sh
int f0/1
ip add 10.1.1.2 255.255.255.0
no sh
!
ip route 3.3.3.0 255.255.255.0 1.1.1.10
R3:
int f0/0
ip add 3.3.3.1 255.255.255.0
no sh
int l0
ip add 10.1.3.1 255.255.255.255
!
ip route 1.1.1.0 255.255.255.0 3.3.3.10
R4:
int f0/0
ip add 3.3.3.2 255.255.255.0
no sh
int l0
ip add 10.1.4.1 255.255.255.255
!
ip route 1.1.1.0 255.255.255.0 3.3.3.10
ASA1:
int e0/0
ip add 1.1.1.10 255.255.255.0 standby 1.1.1.11
nameif INSIDE
no sh
int e0/1
ip add 3.3.3.10 255.255.255.0 standby 3.3.3.11
nameif OUTSIDE
no sh
int e0/2
no sh
!
ASA2:
int e0/0
no sh
int e0/1
no sh
int e0/2
no sh
!
ACTIVE/STANDBY FAILOVER CONFIGURATION
ASA1:
failover lan unit primary
failover lan interface FOVER e0/2
failover interface ip FOVER 7.7.100.100 255.255.255.0 standby 7.7.100.101
failover link FOVER e0/2
ASA2:
failover lan unit secondary
failover lan interface FOVER e0/2
failover interface ip FOVER 7.7.100.100 255.255.255.0 standby 7.7.100.101
failover link FOVER e0/2
ASA1# ping 7.7.100.101 // Before enabling failover, verify basic reachability over the failover link //
!!!!!
ASA1(config)# failover
ASA2(config)# failover
IPSEC CONFIGURATION
R1:
crypto isakmp policy 10
au pre
!
crypto isakmp key 0 cisco add 0.0.0.0
crypto ipsec transform-set TSET esp-des esp-sha-hmac
!
crypto ipsec profile DMVPN
set transform-set TSET
!
R2:
crypto isakmp policy 10
au pre
!
crypto isakmp key 0 cisco add 0.0.0.0
crypto ipsec transform-set TSET esp-des esp-sha-hmac
!
crypto ipsec profile DMVPN
set transform-set TSET
!
R3:
crypto isakmp policy 10
au pre
!
crypto isakmp key 0 cisco add 0.0.0.0
crypto ipsec transform-set TSET esp-des esp-sha-hmac
!
crypto ipsec profile DMVPN
set transform-set TSET
!
R4:
crypto isakmp policy 10
au pre
!
crypto isakmp key 0 cisco add 0.0.0.0
crypto ipsec transform-set TSET esp-des esp-sha-hmac
!
crypto ipsec profile DMVPN
set transform-set TSET
!
// The IPsec profile configuration is the same on all hubs & spokes //
ASA1:
access-list OUT permit udp host 3.3.3.1 host 1.1.1.1 eq isakmp
access-list OUT permit esp host 3.3.3.1 host 1.1.1.1
access-list OUT permit udp host 3.3.3.1 host 1.1.1.2 eq isakmp
access-list OUT permit esp host 3.3.3.1 host 1.1.1.2
access-list OUT permit udp host 3.3.3.2 host 1.1.1.1 eq isakmp
access-list OUT permit esp host 3.3.3.2 host 1.1.1.1
access-list OUT permit udp host 3.3.3.2 host 1.1.1.2 eq isakmp
access-list OUT permit esp host 3.3.3.2 host 1.1.1.2
access-group OUT in interface OUTSIDE
// To let ISAKMP and ESP through the ASA, permit UDP port 500 (ISAKMP, used to establish the phase 1 & 2 tunnels) and ESP (the data is carried encrypted inside ESP) //
PHASE-I
R1:
interface Tunnel0
ip address 172.16.23.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
tunnel key 123
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 23
no ip split-horizon eigrp 123 // split horizon prevents a route from being re-advertised out the interface on which it was received; disable it on the hub so routes learned from one spoke over Tunnel0 can be advertised back out Tunnel0 to the other spokes //
!
router eigrp 123
no auto-summary
network 10.1.1.0 0.0.0.255
network 172.16.23.0 0.0.0.255
!
R2:
interface Tunnel0
ip address 172.16.23.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
tunnel key 123
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 23
no ip split-horizon eigrp 123
!
router eigrp 123
no auto-summary
network 10.1.1.0 0.0.0.255
network 172.16.23.0 0.0.0.255
!
R3:
interface Tunnel0
ip address 172.16.23.3 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
ip nhrp authentication cisco
ip nhrp map 172.16.23.1 1.1.1.1
ip nhrp map 172.16.23.2 1.1.1.2
ip nhrp map multicast 1.1.1.1
ip nhrp map multicast 1.1.1.2
ip nhrp nhs 172.16.23.1
ip nhrp nhs 172.16.23.2
ip nhrp network-id 23
!
router eigrp 123
no auto-summary
network 172.16.23.0 0.0.0.255
network 10.1.3.1 0.0.0.0
!
R4:
interface Tunnel0
ip address 172.16.23.4 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
ip nhrp authentication cisco
ip nhrp map 172.16.23.1 1.1.1.1
ip nhrp map 172.16.23.2 1.1.1.2
ip nhrp map multicast 1.1.1.1
ip nhrp map multicast 1.1.1.2
ip nhrp nhs 172.16.23.1
ip nhrp nhs 172.16.23.2
ip nhrp network-id 23
!
router eigrp 123
no auto-summary
network 172.16.23.0 0.0.0.255
network 10.1.4.1 0.0.0.0
!
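The Phase I tunnel configs above and the ASA access-list have to agree with each other: same tunnel key, NHRP network-id and authentication string on every router, each spoke's NHS statically mapped to the hub's real (NBMA) address, and the firewall passing ISAKMP and ESP from every spoke to every hub. The following Python checker is an added example (not part of the original lab); it runs over constructed copies of the Tunnel0 lines and the OUT access-list from this page and reports each inconsistency it finds.

```python
import re
COMMON = "tunnel key 123\nip nhrp authentication cisco\nip nhrp network-id 23\n"
SPOKE = ("ip nhrp map 172.16.23.1 1.1.1.1\nip nhrp map 172.16.23.2 1.1.1.2\n"
         "ip nhrp nhs 172.16.23.1\nip nhrp nhs 172.16.23.2\n")
NODES = {  # constructed copies of the lab's Tunnel0 lines: name -> (role, NBMA = tunnel source, config)
    "R1": ("hub", "1.1.1.1", "ip address 172.16.23.1 255.255.255.0\n" + COMMON),
    "R2": ("hub", "1.1.1.2", "ip address 172.16.23.2 255.255.255.0\n" + COMMON),
    "R3": ("spoke", "3.3.3.1", "ip address 172.16.23.3 255.255.255.0\n" + COMMON + SPOKE),
    "R4": ("spoke", "3.3.3.2", "ip address 172.16.23.4 255.255.255.0\n" + COMMON + SPOKE),
}
# The ASA's OUT access-list from the lab, reproduced line for line (spoke -> hub, udp/500 then esp)
ASA_ACL = "\n".join(f"access-list OUT permit {p} host {s} host {h}" + (" eq isakmp" if p == "udp" else "")
                    for s in ("3.3.3.1", "3.3.3.2") for h in ("1.1.1.1", "1.1.1.2") for p in ("udp", "esp"))

def parse_tunnel(cfg):
    """Pull tunnel IP, tunnel key, NHRP auth/network-id, static NHRP maps and NHS list from Tunnel0 lines."""
    t = {"maps": {}, "nhs": []}
    for line in cfg.splitlines():
        if m := re.match(r"ip address (\S+)", line): t["tunnel_ip"] = m[1]
        elif m := re.match(r"tunnel key (\S+)", line): t["key"] = m[1]
        elif m := re.match(r"ip nhrp authentication (\S+)", line): t["auth"] = m[1]
        elif m := re.match(r"ip nhrp network-id (\S+)", line): t["netid"] = m[1]
        elif m := re.match(r"ip nhrp map (\S+) (\S+)", line): t["maps"][m[1]] = m[2]  # tunnel IP -> NBMA
        elif m := re.match(r"ip nhrp nhs (\S+)", line): t["nhs"].append(m[1])
    return t

def parse_acl(acl):
    """Set of (proto, src, dst) permits; a udp line only counts when it is for isakmp (udp/500)."""
    hits = (re.match(r"access-list \S+ permit (udp|esp) host (\S+) host (\S+)( eq isakmp)?$", l)
            for l in acl.splitlines())
    return {(m[1], m[2], m[3]) for m in hits if m and (m[1] == "esp") != bool(m[4])}

def check_dmvpn(nodes, acl):
    """Return a list of findings; an empty list means hubs, spokes and the firewall agree."""
    parsed = {n: (role, nbma, parse_tunnel(cfg)) for n, (role, nbma, cfg) in nodes.items()}
    findings = []
    for field in ("key", "netid", "auth"):  # one DMVPN cloud: these must be identical everywhere
        values = {t.get(field) for _, _, t in parsed.values()}
        if len(values) != 1: findings.append(f"{field} differs across nodes: {sorted(map(str, values))}")
    hubs = {t["tunnel_ip"]: nbma for role, nbma, t in parsed.values() if role == "hub"}
    perms = parse_acl(acl)
    for name, (role, nbma, t) in parsed.items():
        if role != "spoke": continue
        for nhs in t["nhs"]:  # every NHS must be a hub tunnel IP statically mapped to that hub's NBMA address
            if t["maps"].get(nhs) != hubs.get(nhs):
                findings.append(f"{name}: nhs {nhs} maps to {t['maps'].get(nhs)}, hub NBMA is {hubs.get(nhs)}")
        for hub_nbma in hubs.values():  # the ASA must pass ISAKMP and ESP from each spoke to each hub
            for proto in ("udp", "esp"):
                if (proto, nbma, hub_nbma) not in perms: findings.append(f"ASA: no {proto} permit {nbma} -> {hub_nbma}")
    return findings
```

Run `check_dmvpn(NODES, ASA_ACL)` for the lab as written and it returns an empty list; change a tunnel key, a map, or drop one ACL line and the corresponding finding is reported.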
POINTS TO REMEMBER



PHASE-II
R1:
interface tunnel 0
no ip next-hop-self eigrp 123 // This command stops R1 from rewriting the next hop to itself when it re-advertises one spoke's routes to the other spokes; the routes keep the originating spoke as next hop, so spoke-to-spoke communication can happen //
R2:
interface tunnel 0
no ip next-hop-self eigrp 123
POINTS TO REMEMBER
- Initially, the CEF table of spoke 1 has an invalid adjacency for the next hop to reach the loopback of spoke 2, even though the routing table has an entry to reach 10.1.4.1 via 172.16.23.4 (because there is no entry in its NHRP table to reach 172.16.23.4).
- NHRP RESOLUTION: When any traffic is initiated from spoke 1 to 10.1.4.1 (say a ping), spoke 1 sends a mapping request for 172.16.23.4 to the hub, which in turn forwards it to spoke 2. After receiving the request from spoke 1, spoke 2 replies (sends the mapping information) directly to spoke 1. Now spoke 1 has an entry in its NHRP table to reach 172.16.23.4, and the CEF table entry becomes valid.
- Now spoke 1 will reach spoke 2 directly (spoke-to-spoke communication).
- If the hub fails, spoke-to-spoke communication will fail after the hold-down timer of the routing protocol expires.
PHASE-III
R1:
interface tunnel 0
ip next-hop-self eigrp 123
ip nhrp redirect // informs the spoke that it can communicate with the other intended spoke directly //
R2:
interface tunnel 0
ip next-hop-self eigrp 123
ip nhrp redirect
R3:
interface tunnel 0
ip nhrp shortcut // rewrites the CEF entry after getting the redirect message from the hub //
R4:
interface tunnel 0
ip nhrp shortcut
POINTS TO REMEMBER
Spoke 1's routing table and CEF table point to the hubs as the next hop to reach spoke 2.
But to forward a packet, it uses the NHRP table instead of the routing and CEF tables.
As spoke 1 uses its NHRP table, it reaches spoke 2 in a single hop (DIRECT SPOKE-TO-SPOKE COMMUNICATION).

