CCIE Security Lab: Dual-Hub DMVPN


Now that OSPF is all fixed I can set up the Dual-Hub DMVPN. I need to decide on an addressing scheme to go across the DMVPN network, and I think that 192.168.1.0/24 is suitable; it's far enough away from the main networks 10.1.x.0/24 subnets to be easily distinguishable.


There are a couple of things to remember here. Firstly, we need to open up the transparent ASA to permit the DMVPN traffic, and similarly on the failover ASAs. The DMVPN hubs also need to be NAT-aware, as we will connect the clients to the NAT address (10.1.16.200 and 10.1.26.200), rather than the loopbacks. Thankfully, they handle this part themselves, but we do need to factor this in (as you'll see later).

We will start off by creating the isakmp policy and transport-sets that we will use. Because it is identical we can create it on notepad, nd then paste onto the routers, or create it on one router and then do "sh run | s crypto" and then copy and paste:
DMVPN-Hub1(config)#crypto isakmp policy 10
DMVPN-Hub1(config-isakmp)#encryption 3des
DMVPN-Hub1(config-isakmp)#authentication pre-share
DMVPN-Hub1(config-isakmp)#group 2
DMVPN-Hub1(config-isakmp)#exit
DMVPN-Hub1(config)#crypto ipsec transform-set esp-3des-sha-hmac esp-3des esp-sha-hmac 
DMVPN-Hub1(cfg-crypto-trans)#mode transport
DMVPN-Hub1(cfg-crypto-trans)#exit
DMVPN-Hub1(config)#crypto ipsec profile DMVPN
DMVPN-Hub1(ipsec-profile)#set transform-set esp-3des-sha-hmac
DMVPN-Hub1(ipsec-profile)#exit
DMVPN-Hub1(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
This then gets copied to the other routers:
DMVPN-Hub2(config)#crypto isakmp policy 10
DMVPN-Hub2(config-isakmp)# encr 3des
DMVPN-Hub2(config-isakmp)# authentication pre-share
DMVPN-Hub2(config-isakmp)# group 2
DMVPN-Hub2(config-isakmp)# exit
DMVPN-Hub2(config)#crypto ipsec transform-set esp-3des-sha-hmac esp-3des esp-sha-hmac     
DMVPN-Hub2(cfg-crypto-trans)# mode transport
DMVPN-Hub2(cfg-crypto-trans)#crypto ipsec profile DMVPN
DMVPN-Hub2(ipsec-profile)# set transform-set esp-3des-sha-hmac 
DMVPN-Hub2(ipsec-profile)# exit
DMVPN-Hub2(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0

DMVPN-Client(config)#crypto isakmp policy 10
DMVPN-Client(config-isakmp)# encr 3des
DMVPN-Client(config-isakmp)# authentication pre-share
DMVPN-Client(config-isakmp)# group 2
DMVPN-Client(config-isakmp)# exit
DMVPN-Client(config)#crypto ipsec transform-set esp-3des-sha-hmac esp-3des esp-sha-hmac   
DMVPN-Client(cfg-crypto-trans)# mode transport
DMVPN-Client(cfg-crypto-trans)#crypto ipsec profile DMVPN
DMVPN-Client(ipsec-profile)# set transform-set esp-3des-sha-hmac 
DMVPN-Client(ipsec-profile)# exit
DMVPN-Client(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0

EzVPN-Server(config)#crypto isakmp policy 10
EzVPN-Server(config-isakmp)# encr 3des
EzVPN-Server(config-isakmp)# authentication pre-share
EzVPN-Server(config-isakmp)# group 2
EzVPN-Server(config-isakmp)# exit
EzVPN-Server(config)#crypto ipsec transform-set esp-3des-sha-hmac esp-3des esp-sha-hmac   
EzVPN-Server(cfg-crypto-trans)# mode transport
EzVPN-Server(cfg-crypto-trans)#crypto ipsec profile DMVPN
EzVPN-Server(ipsec-profile)# set transform-set esp-3des-sha-hmac 
EzVPN-Server(ipsec-profile)# exit
EzVPN-Server(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
The beauty of things like DMVPN is that it's one of those technologies with little variation in the commands, so we can do a lot of direct cutting and pasting.

Now we can start creating the tunnels, and it's easier to break out Notepad, and chuck in the basics:
int tunnel 0
tun mode gre multipoint
bandwidth 1000
delay 1000
no ip redirects
ip mtu 1360
ip nhrp shortcut
tunnel key 101
tunnel protection ipsec profile DMVPN
Let's paste this onto the routers:
DMVPN-Hub1(config-if)#int tunnel 0
DMVPN-Hub1(config-if)#tun mode gre multipoint
DMVPN-Hub1(config-if)#bandwidth 1000
DMVPN-Hub1(config-if)#delay 1000
DMVPN-Hub1(config-if)#no ip redirects
DMVPN-Hub1(config-if)#ip mtu 1360
DMVPN-Hub1(config-if)#ip nhrp shortcut
DMVPN-Hub1(config-if)#tunnel key 101
DMVPN-Hub1(config-if)#tunnel protection ipsec profile DMVPN
DMVPN-Hub1(config-if)#

DMVPN-Hub2(config)#int tunnel 0
DMVPN-Hub2(config-if)#tun mode gre multipoint
DMVPN-Hub2(config-if)#bandwidth 1000
DMVPN-Hub2(config-if)#delay 1000
DMVPN-Hub2(config-if)#no ip redirects
DMVPN-Hub2(config-if)#ip mtu 1360
DMVPN-Hub2(config-if)#ip nhrp shortcut
DMVPN-Hub2(config-if)#tunnel key 101
DMVPN-Hub2(config-if)#tunnel protection ipsec profile DMVPN
DMVPN-Hub2(config-if)#

DMVPN-Client(config)#int tunnel 0
DMVPN-Client(config-if)#tun mode gre multipoint
DMVPN-Client(config-if)#bandwidth 1000
DMVPN-Client(config-if)#delay 1000
DMVPN-Client(config-if)#no ip redirects
DMVPN-Client(config-if)#ip mtu 1360
DMVPN-Client(config-if)#ip nhrp shortcut
DMVPN-Client(config-if)#tunnel key 101
DMVPN-Client(config-if)#tunnel protection ipsec profile DMVPN
DMVPN-Client(config-if)#

EzVPN-Server(config)#int tunnel 0
EzVPN-Server(config-if)#tun mode gre multipoint
EzVPN-Server(config-if)#bandwidth 1000
EzVPN-Server(config-if)#delay 1000
EzVPN-Server(config-if)#no ip redirects
EzVPN-Server(config-if)#ip mtu 1360
EzVPN-Server(config-if)#ip nhrp shortcut
EzVPN-Server(config-if)#tunnel key 101
EzVPN-Server(config-if)#tunnel protection ipsec profile DMVPN
EzVPN-Server(config-if)#
I should have also put the authentication command in there as well, as that will be the same for all of the routers:
DMVPN-Hub1(config-if)#ip nhrp authentication cisco

DMVPN-Hub2(config-if)#ip nhrp authentication cisco

DMVPN-Client(config-if)#ip nhrp authentication cisco

EzVPN-Server(config-if)#ip nhrp authentication cisco
OK, let's set up the IP addresses. We'll use the 192.168.1.0/24 network, and use .1 for DMVPN-Hub1, .2 for Hub2, .5 for DMVPN-Client and .6 for EZVPN-Server:
DMVPN-Hub1(config-if)#ip address 192.168.1.1 255.255.255.0

DMVPN-Hub2(config-if)#ip address 192.168.1.2 255.255.255.0

DMVPN-Client(config-if)#ip address 192.168.1.5 255.255.255.0

EzVPN-Server(config-if)#ip address 192.168.1.6 255.255.255.0
We need to set the tunnel source:
DMVPN-Hub1(config-if)#tunnel source lo0
DMVPN-Hub1(config-if)#
*Jul  1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jul  1: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
DMVPN-Hub1(config-if)# 

DMVPN-Hub2(config-if)#tunnel source lo0
DMVPN-Hub2(config-if)#
Jul  1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
DMVPN-Hub2(config-if)#

DMVPN-Client(config-if)#tunnel source lo0
DMVPN-Client(config-if)#
*Jul  1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
DMVPN-Client(config-if)#

EzVPN-Server(config-if)#tunnel source lo0
EzVPN-Server(config-if)#
*Jul  1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jul  1: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
EzVPN-Server(config-if)#
The tunnels should come up at this point, and ISAKMP will be turned on. Let's complete the hubs:
DMVPN-Hub1(config-if)#ip nhrp map multicast dynamic
DMVPN-Hub1(config-if)#ip nhrp network-id 101
DMVPN-Hub1(config-if)#ip nhrp redirect 
DMVPN-Hub1(config-if)#

DMVPN-Hub2(config-if)#ip nhrp map multicast dynamic
DMVPN-Hub2(config-if)#ip nhrp network-id 101
DMVPN-Hub2(config-if)#ip nhrp redirect
DMVPN-Hub2(config-if)#
We have a few commands to put on the clients.
DMVPN-Client(config-if)#ip nhrp map 192.168.1.1 10.1.16.200
DMVPN-Client(config-if)#ip nhrp map 192.168.1.2 10.1.26.200
DMVPN-Client(config-if)#ip nhrp map multicast 10.1.26.200
DMVPN-Client(config-if)#ip nhrp map multicast 10.1.16.200
DMVPN-Client(config-if)#ip nhrp nhs 192.168.1.1
DMVPN-Client(config-if)#ip nhrp nhs 192.168.1.2
DMVPN-Client(config-if)#ip nhrp network-id 101
DMVPN-Client(config-if)#

EzVPN-Server(config-if)#ip nhrp map 192.168.1.1 10.1.16.200
EzVPN-Server(config-if)#ip nhrp map 192.168.1.2 10.1.26.200
EzVPN-Server(config-if)#ip nhrp map multicast 10.1.26.200
EzVPN-Server(config-if)#ip nhrp map multicast 10.1.16.200
EzVPN-Server(config-if)#ip nhrp nhs 192.168.1.1
EzVPN-Server(config-if)#ip nhrp nhs 192.168.1.2
EzVPN-Server(config-if)#ip nhrp network-id 101
EzVPN-Server(config-if)#
We need a few ACLs to help. The problem is, that I have been quite messy with the ACLs on the firewalls so far, and they could probably do with a clean up. I think this is the reason for these errors:
DMVPN-Hub1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
4.4.4.4         5.5.5.5         MM_KEY_EXCH       1096 ACTIVE
4.4.4.4         5.5.5.5         MM_NO_STATE       1095 ACTIVE (deleted)
4.4.4.4         6.6.6.6         MM_KEY_EXCH       1097 ACTIVE
4.4.4.4         6.6.6.6         MM_NO_STATE       1094 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

DMVPN-Hub1
The traffic is passing to an extent, but definitely not all the traffic.

After (much) tidying up, this is what I am left with:
FO-ASA/C1(config)# sh run | i access-list                                                            
access-list Out->In extended permit icmp any host 4.4.4.4 
access-list Out->In extended permit icmp any object GlobalNats 
access-list Out->In extended permit esp host 5.5.5.5 host 4.4.4.4 
access-list Out->In extended permit esp host 6.6.6.6 host 4.4.4.4 
access-list Out->In extended permit udp host 5.5.5.5 host 4.4.4.4 eq isakmp 
access-list Out->In extended permit udp host 6.6.6.6 host 4.4.4.4 eq isakmp 
access-list In->Out extended permit icmp host 4.4.4.4 any 
access-list In->Out extended permit icmp object GlobalNats any 
access-list In->Out extended permit esp host 4.4.4.4 host 5.5.5.5 
access-list In->Out extended permit esp host 4.4.4.4 host 6.6.6.6 
access-list In->Out extended permit udp host 4.4.4.4 host 5.5.5.5 eq isakmp 
access-list In->Out extended permit udp host 4.4.4.4 host 6.6.6.6 eq isakmp 
FO-ASA/C1(config)# sh run | i access-group
access-group In->Out in interface Inside
access-group Out->In in interface outside
FO-ASA/C1(config)#  

FO-ASA/C2(config)# sh run | i access-list                                                 
access-list Out->In extended permit icmp any host 1.1.1.1 
access-list Out->In extended permit icmp any host 3.3.3.3 
access-list Out->In extended permit icmp any object-group GlobalNats 
access-list Out->In extended permit esp host 5.5.5.5 host 3.3.3.3 
access-list Out->In extended permit esp host 6.6.6.6 host 3.3.3.3 
access-list Out->In extended permit udp host 5.5.5.5 host 3.3.3.3 eq isakmp 
access-list Out->In extended permit udp host 6.6.6.6 host 3.3.3.3 eq isakmp 
access-list In->Out extended permit esp host 3.3.3.3 host 5.5.5.5 
access-list In->Out extended permit esp host 3.3.3.3 host 6.6.6.6 
access-list In->Out extended permit udp host 3.3.3.3 host 5.5.5.5 eq isakmp 
access-list In->Out extended permit udp host 3.3.3.3 host 6.6.6.6 eq isakmp 
access-list In->Out extended permit icmp host 1.1.1.1 any 
access-list In->Out extended permit icmp host 3.3.3.3 any 
access-list In->Out extended permit icmp object-group GlobalNats any 
FO-ASA/C2(config)# sh run | i access-group                                                
access-group Out->In in interface outside
access-group In->Out in interface inside
FO-ASA/C2(config)# 

Transparent(config)# sh run | i access-list 
access-list Out->In extended permit ospf host 10.1.7.1 host 224.0.0.5 
access-list Out->In extended permit ospf host 10.1.7.1 host 224.0.0.6 
access-list Out->In extended permit icmp host 10.1.7.1 host 10.1.7.2 
access-list Out->In extended permit ospf host 10.1.7.1 host 10.1.7.2 
access-list Out->In extended permit icmp host 1.1.1.1 any 
access-list Out->In extended permit icmp host 10.1.26.200 any 
access-list Out->In extended permit icmp host 10.1.16.200 any 
access-list Out->In extended permit icmp host 10.1.26.254 any 
access-list Out->In extended permit icmp host 10.1.16.254 any 
access-list Out->In extended permit esp host 10.1.16.200 host 5.5.5.5 
access-list Out->In extended permit esp host 10.1.26.200 host 5.5.5.5 
access-list Out->In extended permit esp host 10.1.16.200 host 6.6.6.6 
access-list Out->In extended permit esp host 10.1.26.200 host 6.6.6.6 
access-list Out->In extended permit udp host 10.1.16.200 host 5.5.5.5 eq isakmp 
access-list Out->In extended permit udp host 10.1.26.200 host 5.5.5.5 eq isakmp 
access-list Out->In extended permit udp host 10.1.16.200 host 6.6.6.6 eq isakmp 
access-list Out->In extended permit udp host 10.1.26.200 host 6.6.6.6 eq isakmp 
access-list In->Out extended permit ospf host 10.1.7.2 host 224.0.0.5 
access-list In->Out extended permit ospf host 10.1.7.2 host 224.0.0.6 
access-list In->Out extended permit ospf host 10.1.7.2 host 10.1.7.1 
access-list In->Out extended permit icmp host 10.1.7.2 host 10.1.7.1 
access-list In->Out extended permit icmp any host 1.1.1.1 
access-list In->Out extended permit icmp any host 10.1.26.200 
access-list In->Out extended permit icmp any host 10.1.16.200 
access-list In->Out extended permit icmp any host 10.1.26.254 
access-list In->Out extended permit icmp any host 10.1.16.254 
access-list In->Out extended permit esp host 5.5.5.5 host 10.1.16.200 
access-list In->Out extended permit esp host 5.5.5.5 host 10.1.26.200 
access-list In->Out extended permit esp host 6.6.6.6 host 10.1.16.200 
access-list In->Out extended permit esp host 6.6.6.6 host 10.1.26.200 
access-list In->Out extended permit udp host 5.5.5.5 host 10.1.16.200 eq isakmp 
access-list In->Out extended permit udp host 5.5.5.5 host 10.1.26.200 eq isakmp 
access-list In->Out extended permit udp host 6.6.6.6 host 10.1.16.200 eq isakmp 
access-list In->Out extended permit udp host 6.6.6.6 host 10.1.26.200 eq isakmp 
Transparent(config)# 
Transparent(config)# sh run | i access-group
access-group Out->In in interface Outside
access-group In->Out in interface Inside
Transparent(config)# 
 
This is much neater and more precise, but as far as DMVPN goes, still no dice, so let's think about the network. We have four DMVPN-speaking routers behind two firewalls. Whilst the transparent firewall is not performing NAT (because it's transparent), the other firewall is. So, let' enable NAT traversal, and open up port 4500 (nat traversal):
Transparent(config)# crypto isakmp nat-traversal 
Transparent(config)# access-list Out->In extended permit udp host 10.1.16.200 host 5.5.5.5 eq 4500
Transparent(config)# access-list Out->In extended permit udp host 10.1.26.200 host 5.5.5.5 eq 4500
Transparent(config)# access-list Out->In extended permit udp host 10.1.16.200 host 6.6.6.6 eq 4500
Transparent(config)# access-list Out->In extended permit udp host 10.1.26.200 host 6.6.6.6 eq 4500
Transparent(config)# access-list In->Out extended permit udp host 5.5.5.5 host 10.1.16.200 eq 4500
Transparent(config)# access-list In->Out extended permit udp host 5.5.5.5 host 10.1.26.200 eq 4500
Transparent(config)# access-list In->Out extended permit udp host 6.6.6.6 host 10.1.16.200 eq 4500
Transparent(config)# access-list In->Out extended permit udp host 6.6.6.6 host 10.1.26.200 eq 4500
Transparent(config)# 

FO-ASA/C1(config)# crypto isakmp nat-traversal 
FO-ASA/C1(config)# access-list Out->In extended permit udp host 5.5.5.5 host 4.4.4.4 eq 4500
FO-ASA/C1(config)# access-list Out->In extended permit udp host 6.6.6.6 host 4.4.4.4 eq 4500
FO-ASA/C1(config)# access-list In->Out extended permit udp host 4.4.4.4 host 5.5.5.5 eq 4500
FO-ASA/C1(config)# access-list In->Out extended permit udp host 4.4.4.4 host 6.6.6.6 eq 4500
FO-ASA/C1(config)# 

FO-ASA/C1(config)# changeto con C2
FO-ASA/C2(config)# crypto isakmp nat-traversal 
FO-ASA/C2(config)# access-list Out->In extended permit udp host 5.5.5.5 host 3.3.3.3 eq 4500
FO-ASA/C2(config)# access-list Out->In extended permit udp host 6.6.6.6 host 3.3.3.3 eq 4500
FO-ASA/C2(config)# access-list In->Out extended permit udp host 3.3.3.3 host 5.5.5.5 eq 4500
FO-ASA/C2(config)# access-list In->Out extended permit udp host 3.3.3.3 host 6.6.6.6 eq 4500
FO-ASA/C2(config)# 
This gets us exactly where we need to be:
DMVPN-Hub1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
4.4.4.4         5.5.5.5         QM_IDLE           1079 ACTIVE
4.4.4.4         6.6.6.6         QM_IDLE           1080 ACTIVE

IPv6 Crypto ISAKMP SA

DMVPN-Hub1#

DMVPN-Hub2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
3.3.3.3         6.6.6.6         QM_IDLE           1097 ACTIVE
3.3.3.3         5.5.5.5         QM_IDLE           1096 ACTIVE

IPv6 Crypto ISAKMP SA

DMVPN-Hub2#

DMVPN-Client#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.16.200         192.168.1.1    UP 00:09:05     S
     1 10.1.26.200         192.168.1.2    UP 00:01:09     S

DMVPN-Client#

EzVPN-Server#sh dmvpn | b Interface
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.16.200         192.168.1.1    UP 00:04:59     S
     1 10.1.26.200         192.168.1.2    UP 00:01:37     S

EzVPN-Server#

EzVPN-Server#ping 192.168.1.1 so tun 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.6 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms
EzVPN-Server#ping 192.168.1.2 so tun 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.6 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/20/24 ms
EzVPN-Server#

DMVPN-Client#ping 192.168.1.1 so tun0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.5 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/28 ms
DMVPN-Client#ping 192.168.1.2 so tun0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.5 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/20/22 ms
DMVPN-Client#
There is no huge mystery to dual-hub DMVPN, it is the same as single-hub, but with a couple more commands.

I covered DMVPN in VPNs and NAT for Cisco Networks, so have a read of that.

Now that the tunnels are up, we can run EIGRP across it:
DMVPN-Hub1(config)#int tun 0
DMVPN-Hub1(config-if)#no ip split-horizon eigrp 101
DMVPN-Hub1(config-if)#router eigrp 101
DMVPN-Hub1(config-router)#eigrp router-id 192.168.1.1
DMVPN-Hub1(config-router)#network 192.168.1.0 0.0.0.255
DMVPN-Hub1(config-router)#

DMVPN-Hub2(config)#int tun 0
DMVPN-Hub2(config-if)#no ip split-horizon eigrp 101
DMVPN-Hub2(config-if)#router eigrp 101
DMVPN-Hub2(config-router)#eigrp router-id 192.168.1.2
DMVPN-Hub2(config-router)#network 192.168.1.0 0.0.0.255
DMVPN-Hub2(config-router)#

DMVPN-Client(config)#int tun 0
DMVPN-Client(config-if)#no ip split-horizon eigrp 101
DMVPN-Client(config-if)#router eigrp 101
DMVPN-Client(config-router)#eigrp router-id 192.168.1.5
DMVPN-Client(config-router)#network 192.168.1.0 0.0.0.255 
DMVPN-Client(config-router)#
*Jul  2: %DUAL-5-NBRCHANGE: EIGRP-IPv4 101: Neighbor 192.168.1.1 (Tunnel0) is up: new adjacency
*Jul  2: %DUAL-5-NBRCHANGE: EIGRP-IPv4 101: Neighbor 192.168.1.2 (Tunnel0) is up: new adjacency
DMVPN-Client(config-router)#

EzVPN-Server(config)#int tun 0
EzVPN-Server(config-if)#no ip split-horizon eigrp 101 
EzVPN-Server(config-if)#router eigrp 101
EzVPN-Server(config-router)#eigrp router-id 192.168.1.6
EzVPN-Server(config-router)#network 192.168.1.0 0.0.0.255
EzVPN-Server(config-router)#
*Jul  2: %DUAL-5-NBRCHANGE: EIGRP-IPv4 101: Neighbor 192.168.1.2 (Tunnel0) is up: new adjacency
*Jul  2: %DUAL-5-NBRCHANGE: EIGRP-IPv4 101: Neighbor 192.168.1.1 (Tunnel0) is up: new adjacency
EzVPN-Server(config-router)#
Next up will be zone-based firewalls. I have not tried these before, so it should be interesting,

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

Related Posts

Previous
Next Post »