
IOS DMVPN Single Hub With EIGRP

R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 101.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1
router ei 100
no auto-summary
net 192.168.0.0 0.0.255.255

ISP
interface s0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int s0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
int s0/2
no shutdown
ip add 103.1.1.1 255.255.255.0
no shutdown
int s0/3
no shutdown
ip add 104.1.1.1 255.255.255.0
no shutdown

R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
router ei 100
no auto-summary
net 192.168.0.0 0.0.255.255

R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.103.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 103.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 103.1.1.1
router ei 100
no auto-summary
net 192.168.0.0 0.0.255.255

R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.104.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 104.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 104.1.1.1
router ei 100
no auto-summary
net 192.168.0.0 0.0.255.255

R4#ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/17/44 ms
R4#ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/72 ms
R4#ping 103.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 103.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/48 ms

R1
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 1800
R1(config-isakmp)#exit
R1(config)#crypto isakmp key shiva add 0.0.0.0
R1(config)#crypto ipsec transform-set t-set esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile shiva
R1(ipsec-profile)#set transform-set t-set
R1(ipsec-profile)#exit

R2
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption aes
R2(config-isakmp)#hash sha
R2(config-isakmp)#group 5
R2(config-isakmp)#lifetime 1800
R2(config-isakmp)#exit
R2(config)#crypto isakmp key shiva add 0.0.0.0
R2(config)#crypto ipsec transform-set t-set esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec profile shiva
R2(ipsec-profile)#set transform-set t-set
R2(ipsec-profile)#exit

R3
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 5
R3(config-isakmp)#lifetime 1800
R3(config-isakmp)#exit
R3(config)#crypto isakmp key shiva add 0.0.0.0
R3(config)#crypto ipsec transform-set t-set esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#mode transport
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile shiva
R3(ipsec-profile)#set transform-set t-set
R3(ipsec-profile)#exit

R4
R4(config)#crypto isakmp policy 1
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#encryption aes
R4(config-isakmp)#hash sha
R4(config-isakmp)#group 5
R4(config-isakmp)#lifetime 1800
R4(config-isakmp)#exit
R4(config)#crypto isakmp key shiva add 0.0.0.0
R4(config)#crypto ipsec transform-set t-set esp-aes esp-sha-hmac
R4(cfg-crypto-trans)#mode transport
R4(cfg-crypto-trans)#exit
R4(config)#crypto ipsec profile shiva
R4(ipsec-profile)#set transform-set t-set
R4(ipsec-profile)#exit

R1
interface tunnel 0
ip add 192.168.1.1 255.255.255.0
tunnel source s0/0
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication shiva
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile shiva
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100

R2
interface tunnel 0
ip add 192.168.1.2 255.255.255.0
tunnel source s0/0
tunnel mode gre multipoint
tunnel key 1
ip nhrp map 192.168.1.1 101.1.1.100
ip nhrp map multicast 101.1.1.100
ip nhrp authentication shiva
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile shiva
ip nhrp nhs 192.168.1.1

R3
interface tunnel 0
ip add 192.168.1.3 255.255.255.0
tunnel source s0/0
tunnel mode gre multipoint
tunnel key 1
ip nhrp map 192.168.1.1 101.1.1.100
ip nhrp map multicast 101.1.1.100
ip nhrp authentication shiva
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile shiva
ip nhrp nhs 192.168.1.1

R4
interface tunnel 0
ip add 192.168.1.4 255.255.255.0
tunnel source s0/0
tunnel mode gre multipoint
tunnel key 1
ip nhrp map 192.168.1.1 101.1.1.100
ip nhrp map multicast 101.1.1.100
ip nhrp authentication shiva
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile shiva
ip nhrp nhs 192.168.1.1

R1
R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
2   192.168.1.3     Tu0         13    00:02:22  91    5000  0    3
1   192.168.1.4     Tu0         13    00:02:31  137   5000  0    3
0   192.168.1.2     Tu0         12    00:03:55  80    5000  0    3
R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Hub, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 102.1.1.100 192.168.1.2 UP never D
1 103.1.1.100 192.168.1.3 UP never D
1 104.1.1.100 192.168.1.4 UP never D

R2
R2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
0   192.168.1.1     Tu0         10    00:04:09  82    5000  0    10
R2#sh ip route eigrp
D 192.168.104.0/24 [90/310070016] via 192.168.1.4, 00:02:58, Tunnel0
D 192.168.103.0/24 [90/310070016] via 192.168.1.3, 00:02:49, Tunnel0
D 192.168.101.0/24 [90/297270016] via 192.168.1.1, 00:04:08, Tunnel0

R3
R3#sh ip route eigrp
D 192.168.104.0/24 [90/310070016] via 192.168.1.4, 00:03:02, Tunnel0
D 192.168.102.0/24 [90/310070016] via 192.168.1.2, 00:03:02, Tunnel0
D 192.168.101.0/24 [90/297270016] via 192.168.1.1, 00:03:02, Tunnel0
R3#
*Mar 1 00:20:55.187: %SYS-5-CONFIG_I: Configured from console by console
R3#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
0   192.168.1.1     Tu0         10    00:03:04  91    5000  0    10

R4
R4#sh ip route eigrp
D 192.168.102.0/24 [90/310070016] via 192.168.1.2, 00:03:39, Tunnel0
D 192.168.103.0/24 [90/310070016] via 192.168.1.3, 00:03:29, Tunnel0
D 192.168.101.0/24 [90/297270016] via 192.168.1.1, 00:03:39, Tunnel0
R4#
*Mar 1 00:21:21.739: %SYS-5-CONFIG_I: Configured from console by console
R4#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
0   192.168.1.1     Tu0         14    00:03:41  140   5000  0    10

R4#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 101.1.1.100 192.168.1.1 UP 00:05:06 S

R4#ping 192.168.102.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.104.1
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 48/71/320 ms
R4#ping 192.168.103.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.103.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.104.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 52/69/180
R4#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 101.1.1.100 192.168.1.1 UP 00:06:05 S
1 102.1.1.100 192.168.1.2 UP never D
1 103.1.1.100 192.168.1.3 UP never D
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 101.1.1.100 192.168.1.1 UP 00:07:33 S
1 104.1.1.100 192.168.1.4 UP never D
R3#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 101.1.1.100 192.168.1.1 UP 00:06:15 S
1 104.1.1.100 192.168.1.4 UP never D
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
101.1.1.100 104.1.1.100 QM_IDLE 1001 0 ACTIVE
102.1.1.100 104.1.1.100 QM_IDLE 1003 0 ACTIVE
104.1.1.100 102.1.1.100 QM_IDLE 1002 0 ACTIVE
104.1.1.100 103.1.1.100 QM_IDLE 1004 0 ACTIVE
IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 104.1.1.100
protected vrf: (none)
local ident (addr/mask/prot/port): (104.1.1.100/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
current_peer 101.1.1.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 119, #pkts encrypt: 119, #pkts digest: 119
#pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 104.1.1.100, remote crypto endpt.: 101.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x71B66562(1907778914)
inbound esp sas:
spi: 0xA9019029(2835451945)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4500977/3197)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x71B66562(1907778914)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4500977/3194)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (104.1.1.100/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
current_peer 102.1.1.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 94, #pkts encrypt: 94, #pkts digest: 94
#pkts decaps: 93, #pkts decrypt: 93, #pkts verify: 93
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 104.1.1.100, remote crypto endpt.: 102.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x13018B4(19929268)
inbound esp sas:
spi: 0xBDECAED9(3186405081)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 9, flow_id: SW:9, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4560558/3543)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x13018B4(19929268)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 10, flow_id: SW:10, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4560558/3543)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
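
An added example, not part of the original lab: a Python check over "show crypto ipsec sa" text that confirms, per peer, that the selectors are GRE (protocol 47) and that an ACTIVE ESP SA with the t-set transforms in transport mode exists in each direction. The first sample entry is trimmed from the R4 output above; the 203.0.113.9 entry and the function name audit_ipsec_sa are constructed for illustration.

```python
import re
# Sample: entry 1 trimmed from R4's output on this page; entry 2 (203.0.113.9) is constructed.
SAMPLE = """\
local ident (addr/mask/prot/port): (104.1.1.100/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
current_peer 101.1.1.100 port 500
#pkts encaps: 119, #pkts encrypt: 119, #pkts digest: 119
#pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
inbound esp sas:
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE
outbound esp sas:
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE
local ident (addr/mask/prot/port): (104.1.1.100/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (203.0.113.9/255.255.255.255/47/0)
current_peer 203.0.113.9 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
outbound esp sas:
"""

def audit_ipsec_sa(text, want=("esp-aes", "esp-sha-hmac"), mode="Transport"):
    """Map each current_peer to a list of problems (empty list = protected)."""
    report = {}
    for block in re.split(r"(?m)^(?=[ \t]*local ident)", text):  # one block per peer
        peer = re.search(r"current_peer (\S+)", block)
        if not peer:
            continue
        problems = []
        prots = re.findall(r"ident \(addr/mask/prot/port\): \(\S+/(\d+)/\d+\)", block)
        if prots != ["47", "47"]:
            problems.append("selector is not GRE (protocol 47)")
        for direction in ("inbound", "outbound"):
            # SA body = lines after the header, up to the next inbound/outbound header
            sa = re.search(direction + r" esp sas:\n((?:(?![ \t]*\w+bound ).*\n)*)", block)
            body = sa.group(1) if sa else ""
            if "Status: ACTIVE" not in body:
                problems.append(f"no active {direction} ESP SA")
            elif mode not in body or not all(t in body for t in want):
                problems.append(f"{direction} SA transform/mode differs from config")
        n = dict(re.findall(r"#pkts (\w+): (\d+)", block))
        if n.get("encaps") != n.get("encrypt") or n.get("decaps") != n.get("decrypt"):
            problems.append("encaps/encrypt or decaps/decrypt counters differ")
        report[peer.group(1)] = problems
    return report
```

Calling audit_ipsec_sa on output captured from a spoke returns one entry per NBMA peer, so a spoke-to-spoke tunnel that came up without an ESP SA shows up as a non-empty problem list.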
