Cisco DMVPN Configuration Template

DMVPN_Example
– Advertise MENA as 192.168.96.0/20
– 192.168.96.0 – 192.168.111.255
– 255.255.240.0

— To Do Tasks / Queries —
! ACL to allow only: GRE, ESP, SIP (Digium), ICMP
! Select DMVPN range
! Crypto ACL required?
Firewall rules: anything needed? SIP will now bypass the FW and route around it.

– 1.) /29 for the ‘inside’ Gi0/x interface
– 2.) EIGRP on the ‘inside’ interface
– 3.) Move the default gateway (not .1 IP address)

———————————————————————-

! Base configuration
! Primary ISP connection Gi0/0
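interface gi0/0
ip address 62.201.219.13x 255.255.255.224
! X2 = ACL for the primary ISP link (direction "in" is assumed)
ip access-group X2 in
!
! Secondary ISP connection Gi0/1
interface gi0/1
ip address 171.33.165.6x 255.255.255.248
! Xy = ACL for the secondary ISP link (direction "in" is assumed)
ip access-group Xy in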
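
The To Do list asks for an ACL on the ISP-facing interfaces that allows only GRE, ESP, SIP and ICMP; the ACL below is an added example for Gi0/0, not part of the original template, and it also admits UDP 500/4500 because `tunnel protection ipsec profile` negotiates its SAs with ISAKMP. Assumptions: the ACL name DMVPN-OUTSIDE-IN, the placeholders <SIP-PEER> and <SIP-HOST>, and the narrowing of ICMP to the types the template's IP SLA probe and path-MTU discovery rely on; 62.201.219.13x is the page's own placeholder.

```cisco
! Added example (not from the original template). Assumed names:
! DMVPN-OUTSIDE-IN, <SIP-PEER>, <SIP-HOST>. 62.201.219.13x is the page's
! placeholder for the Gi0/0 address; fill it in before pasting.
! No crypto ACL is needed: an IPsec profile applied with "tunnel protection"
! has no "match address" statement.
ip access-list extended DMVPN-OUTSIDE-IN
 remark IKE for tunnel protection (UDP 4500 only matters for spokes behind NAT)
 permit udp any host 62.201.219.13x eq isakmp
 permit udp any host 62.201.219.13x eq non500-isakmp
 remark ESP carrying the encrypted mGRE traffic from the spokes
 permit esp any host 62.201.219.13x
 remark GRE from the To Do list; spoke GRE arrives inside ESP, so watch hit counts
 permit gre any host 62.201.219.13x
 remark Replies to the IP SLA 10 probe that tracks the primary default route
 permit icmp host 8.8.8.8 host 62.201.219.13x echo-reply
 remark ICMP errors, including fragmentation-needed for path-MTU discovery
 permit icmp any host 62.201.219.13x unreachable
 permit icmp any host 62.201.219.13x time-exceeded
 remark SIP signalling only; media ports are not listed on the page
 permit udp host <SIP-PEER> host <SIP-HOST> eq 5060
 remark Log everything else so dropped traffic is visible
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group DMVPN-OUTSIDE-IN in
!
! If the spokes' public address ranges are known, replace "any" in the
! IKE/ESP/GRE lines with them. Gi0/1 needs its own copy written against
! the 171.33.165.6x address.
! Verify with: show ip access-lists DMVPN-OUTSIDE-IN
```
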

! Configure IP SLA to track Primary Internet access status

ip sla 10
icmp-echo 8.8.8.8
threshold 2000
frequency 30

ip sla schedule 10 start-time now life forever
!
track 10 ip sla 10 reachability

! Configure the following IP routes
! Route to Beacon

ip route 8.8.8.8 255.255.255.255 62.201.219.129

! — Primary route
ip route 0.0.0.0 0.0.0.0 62.201.219.129 track 10

! — Secondary route with administrative distance 5
ip route 0.0.0.0 0.0.0.0 171.33.165.57 5

! — DMVPN Tunnels Headend Configuration

interface Tunnel1
description *** Primary DMVPN Tunnel ***
bandwidth 5000
ip address 10.200.1.1 255.255.255.0
no ip redirects
ip mtu 1380
ip nhrp authentication !NHRP01
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip tcp adjust-mss 1340
tunnel source Gi0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN
!
interface Tunnel2
description *** Secondary DMVPN Tunnel ***
bandwidth 1000
ip address 10.200.2.1 255.255.255.0
no ip redirects
ip mtu 1380
ip nhrp authentication !NHRP01
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 600
ip tcp adjust-mss 1340
tunnel source g0/1
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN

! EIGRP over tunnel interfaces
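router eigrp 1
! All interfaces are passive by default; the tunnels must be re-enabled
! or no EIGRP adjacency forms over the DMVPN
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
! Prefix-list NRP-MENA-FILTER is not defined in this template; "out" is assumed
distribute-list prefix NRP-MENA-FILTER out
network 10.200.1.0 255.255.255.0
network 10.200.2.0 255.255.255.0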

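crypto isakmp policy 1
! No encryption or hash is set here, so the IOS defaults for the release apply
authentication pre-share
! group 2 = 1024-bit MODP Diffie-Hellman
group 2
! Wildcard pre-shared key: any peer address presenting this key is accepted
crypto isakmp key 2=1plus1 address 0.0.0.0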
!
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile DMVPN
set security-association idle-time 600
set transform-set ESP-AES128-SHA1

———————————————————————-

! —— DMVPN Client End Configuration ——-

interface Tunnel1
description *** Primary DMVPN Tunnel ***
bandwidth 5000
ip address 10.200.1.30 255.255.255.0
no ip redirects
ip mtu 1380
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nhrp authentication !NHRP01
ip nhrp map 10.200.1.1 62.201.219.130
ip nhrp map multicast 62.201.219.130
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 10.200.1.1
ip nhrp nhs 10.200.1.2
ip tcp adjust-mss 1300
tunnel source Loopback1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN
!
!
interface Tunnel2
description *** Secondary DMVPN Tunnel ***
bandwidth 1000
ip address 10.200.2.30 255.255.255.0
no ip redirects
ip mtu 1380
ip nhrp authentication !NHRP01
ip nhrp map 10.200.2.1 171.33.165.60
ip nhrp map multicast 171.33.165.60
ip nhrp network-id 2
ip nhrp holdtime 600
ip nhrp nhs 10.200.2.1
ip tcp adjust-mss 1340
tunnel source Loopback1
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN
!
!
! EIGRP over tunnel interfaces
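router eigrp 1
! All interfaces are passive by default; the tunnels must be re-enabled
! or no EIGRP adjacency forms with the headend
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
! Prefix-list NRP-MENA-FILTER is not defined in this template; "out" is assumed
distribute-list prefix NRP-MENA-FILTER out
network 10.200.1.0 255.255.255.0
network 10.200.2.0 255.255.255.0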

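! ISAKMP policy and pre-shared key must match the headend
crypto isakmp policy 1
authentication pre-share
group 2
! Wildcard address: this key is offered to and accepted from any peer
crypto isakmp key 2=1plus1 address 0.0.0.0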
!
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile DMVPN
set security-association idle-time 600
set transform-set ESP-AES128-SHA1