########################
Dual-Hub DMVPN with VyOS
########################

DMVPN is a Dynamic Multipoint VPN technology that provides the capability 
for creating a dynamic-mesh VPN network without having to pre-configure 
(static) all possible tunnel end-point peers those simplifying deployment 
and management of the newly added remote sites. There are 3 main protocols 
primarily used to implement DMVPN:

* NHRP - provides the dynamic tunnel endpoint discovery mechanism (endpoint 
  registration, and endpoint discovery/lookup) 
* mGRE - provides the tunnel encapsulation itself 
* IPSec - protocols handle the key exchange, and crypto mechanism

For this example we are using the following devices:

* 2 x Hubs
* 3 x Spokes
* 1 x Client device (VPC)
* 1 x ISP router

The following software was used in the creation of this document:

* Operating system: VyOS
* Version: 1.3-beta-202112090443
* Image name: vyos-1.3-beta-202112090443-amd64.iso



********
Topology
********
.. image:: /_static/images/VyOS_Dual-Hub_DMVPN.png
   :width: 80%
   :align: center
   :alt: Network Topology Diagram



******************************************
Network Addressing and Protocol Parameters
******************************************

The following ip addressing schema used for the devices IPv4 connectivity:

+-----------------------------------------------------------------------------+
|10.X1.0.0/30 - p2p Hubs to ISP networks, where X is Hub site number          |
+-----------------------------------------------------------------------------+
|10.Y1.1.0/24 - p2p Spokes to ISP networks(DHCP), where Y is Spoke site number|
+-----------------------------------------------------------------------------+
|172.16.253.0/29 - tunnels addressing for Hub-1 connections                   |
+-----------------------------------------------------------------------------+
|172.16.254.0/29 - tunnels addressing for Hub-2 connections                   |
+-----------------------------------------------------------------------------+
|192.168.0.0/24 - HQ site local network                                       |
+-----------------------------------------------------------------------------+
|192.168.Z.0/24 - remote sites local network, where Z is Spoke site number    |
+-----------------------------------------------------------------------------+

eBGP parameters for the routers:

+----------------------------------------------+
|AS65000 - HQ (Hub-1 and Hub-2)                |
+----------------------------------------------+
|AS6500X - Spokes, where X is Spoke site number|
+----------------------------------------------+



*************
Configuration
*************



Step-1: Basic connectivity configuration
========================================

- Hub-1:

.. code-block:: none
   
    set interfaces ethernet eth0 address '10.11.0.1/30'
    set interfaces ethernet eth1 address '192.168.0.1/24'
    set protocols static route 0.0.0.0/0 next-hop 10.11.0.2
    set system host-name 'Hub-1'

- Hub-2:

.. code-block:: none
   
    set interfaces ethernet eth0 address '10.21.0.1/30'
    set interfaces ethernet eth1 address '192.168.0.2/24'
    set protocols static route 0.0.0.0/0 next-hop 10.21.0.2
    set system host-name 'Hub-2'

- Spoke-1:

.. code-block:: none
   
    set interfaces ethernet eth0 address 'dhcp'
    set interfaces ethernet eth1 address '192.168.1.1/24'
    set system host-name 'Spoke-1'

- Spoke-2:

.. code-block:: none
   
    set interfaces ethernet eth0 address 'dhcp'
    set interfaces ethernet eth1 address '192.168.2.1/24'
    set system host-name 'Spoke-2'
    
- Spoke-3:

.. code-block:: none
   
    set interfaces ethernet eth0 address 'dhcp'
    set interfaces ethernet eth1 address '192.168.3.1/24'
    set system host-name 'Spoke-3'
    
- ISP-1:

.. code-block:: none
   
    set interfaces ethernet eth0 address '10.11.0.2/30'
    set interfaces ethernet eth1 address '10.21.0.2/30'
    set interfaces ethernet eth2 address '10.31.1.1/24'
    set interfaces ethernet eth3 address '10.21.1.1/24'
    set interfaces ethernet eth4 address '10.11.1.1/24'
    set service dhcp-server shared-network-name SPK-1 authoritative
    set service dhcp-server shared-network-name SPK-1 subnet 10.11.1.0/24 default-router '10.11.1.1'
    set service dhcp-server shared-network-name SPK-1 subnet 10.11.1.0/24 range 1 start '10.11.1.10'
    set service dhcp-server shared-network-name SPK-1 subnet 10.11.1.0/24 range 1 stop '10.11.1.100'
    set service dhcp-server shared-network-name SPK-2 authoritative
    set service dhcp-server shared-network-name SPK-2 subnet 10.21.1.0/24 default-router '10.21.1.1'
    set service dhcp-server shared-network-name SPK-2 subnet 10.21.1.0/24 range 1 start '10.21.1.10'
    set service dhcp-server shared-network-name SPK-2 subnet 10.21.1.0/24 range 1 stop '10.21.1.100'
    set service dhcp-server shared-network-name SPK-3 authoritative
    set service dhcp-server shared-network-name SPK-3 subnet 10.31.1.0/24 default-router '10.31.1.1'
    set service dhcp-server shared-network-name SPK-3 subnet 10.31.1.0/24 range 1 start '10.31.1.10'
    set service dhcp-server shared-network-name SPK-3 subnet 10.31.1.0/24 range 1 stop '10.31.1.100'
    set system host-name 'ISP1'



Step-2: VRRP configuration for HQ Local network redundancy
==========================================================

Here we are using VRRP as a local redundancy protocol between Hub-1 and Hub-2.
Initially, Hub-1 operates as an Active and Hub-2 as a Standby router.
Additionally, health-check and script are used to track uplinks and properly 
switch mastership between Hub nodes based on the upstream router 
reachability (ISP-1). **Note, that before adding local paths to the scripts into 
configuration, you have to create and make them executable first**.

Hub-1 and Hub-2 VRRP health-check script:
_________________________________________

* /config/scripts/vrrp-check.sh

.. code-block:: none
    
    #!/bin/bash

    eth0status="$(cat /sys/class/net/eth0/operstate | grep 'up')"
    
    if [[ ! -z ${eth0status} ]]; then
     eth0gw="$(ip -j r show 0.0.0.0/0 dev eth0 | awk 'match($0, /\"gateway":\"([[:digit:]\.]+)/, gw) {print gw[1]}')"
     if [[ ! -z $eth0gw ]]; then
      /bin/ping -I eth0 -c 1 -W 1 $eth0gw && exit 0 || exit 1
     else
      exit 1
     fi
    else
     #Exit 0 because eth0 down is handled by vrrp transition
     exit 0
    fi


**Note**: some parts of the script might be dependent on your network topology 
and connectivity. Be careful before using it on your own devices.


Hub-1 and Hub-2 VRRP configuration:
___________________________________

* Hub-1

.. code-block:: none
   
    set high-availability vrrp group HQ health-check failure-count '3'
    set high-availability vrrp group HQ health-check interval '1'
    set high-availability vrrp group HQ health-check script '/config/scripts/vrrp-check.sh'
    set high-availability vrrp group HQ interface 'eth1'
    set high-availability vrrp group HQ no-preempt
    set high-availability vrrp group HQ priority '200'
    set high-availability vrrp group HQ rfc3768-compatibility
    set high-availability vrrp group HQ virtual-address '192.168.0.254/24'
    set high-availability vrrp group HQ vrid '1'

* Hub-2:

.. code-block:: none
    
    set high-availability vrrp group HQ health-check failure-count '3'
    set high-availability vrrp group HQ health-check interval '1'
    set high-availability vrrp group HQ health-check script '/config/scripts/vrrp-check.sh'
    set high-availability vrrp group HQ interface 'eth1'
    set high-availability vrrp group HQ no-preempt
    set high-availability vrrp group HQ priority '100'
    set high-availability vrrp group HQ rfc3768-compatibility
    set high-availability vrrp group HQ virtual-address '192.168.0.254/24'
    set high-availability vrrp group HQ vrid '1'



Step-3: DMVPN configuration between Hub and Spoke devices
=========================================================

This section provides an example configuration of the DMVPN enabled devices. 
Hub devices are configured with static IPv4 addresses on the uplink interfaces 
while Spoke devices receive addresses dynamically from a pre-defined DHCP 
pool configured on ISP router. For redundancy purposes, we use 1 tunnel 
interface on each Hub device and 2 tunnel interfaces on Spoke devices 
destined to each of the Hubs. For the optimal tunnel operation timers are 
significantly decreased and set to the following values:

**NHRP** tunnel holding time - 30 seconds

**IKE DPD** enabled with "restart" action set, interval 3 and timeout 
30 seconds

**Note**: these values are used only for the lab demonstration and may not 
suit exclusive production networks.

- Hub-1:

.. code-block:: none
   
    set interfaces tunnel tun100 address '172.16.253.134/29'
    set interfaces tunnel tun100 encapsulation 'gre'
    set interfaces tunnel tun100 multicast 'enable'
    set interfaces tunnel tun100 parameters ip key '1'
    set interfaces tunnel tun100 source-address '10.11.0.1'
    
    set protocols nhrp tunnel tun100 cisco-authentication 'secret'
    set protocols nhrp tunnel tun100 holding-time '30'
    set protocols nhrp tunnel tun100 multicast 'dynamic'
    set protocols nhrp tunnel tun100 redirect
    set protocols nhrp tunnel tun100 shortcut
    
    set vpn ipsec esp-group ESP-HUB compression 'disable'
    set vpn ipsec esp-group ESP-HUB lifetime '1800'
    set vpn ipsec esp-group ESP-HUB mode 'transport'
    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
    set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
    set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
    set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
    set vpn ipsec ike-group IKE-HUB close-action 'none'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection action 'restart'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection interval '3'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection timeout '30'
    set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
    set vpn ipsec ike-group IKE-HUB lifetime '3600'
    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
    set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
    set vpn ipsec ipsec-interfaces interface 'eth0'
    set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
    set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
    set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

- Hub-2:

.. code-block:: none
   
    set interfaces tunnel tun100 address '172.16.254.134/29'
    set interfaces tunnel tun100 encapsulation 'gre'
    set interfaces tunnel tun100 multicast 'enable'
    set interfaces tunnel tun100 parameters ip key '2'
    set interfaces tunnel tun100 source-address '10.21.0.1'
    
    set protocols nhrp tunnel tun100 cisco-authentication 'secret'
    set protocols nhrp tunnel tun100 holding-time '30'
    set protocols nhrp tunnel tun100 multicast 'dynamic'
    set protocols nhrp tunnel tun100 redirect
    set protocols nhrp tunnel tun100 shortcut
    
    set vpn ipsec esp-group ESP-HUB compression 'disable'
    set vpn ipsec esp-group ESP-HUB lifetime '1800'
    set vpn ipsec esp-group ESP-HUB mode 'transport'
    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
    set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
    set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
    set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
    set vpn ipsec ike-group IKE-HUB close-action 'none'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection action 'restart'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection interval '3'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection timeout '30'
    set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
    set vpn ipsec ike-group IKE-HUB lifetime '3600'
    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
    set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
    set vpn ipsec ipsec-interfaces interface 'eth0'
    set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
    set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
    set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
    
- Spoke-1:

.. code-block:: none
   
    set interfaces tunnel tun100 address '172.16.253.131/29'
    set interfaces tunnel tun100 encapsulation 'gre'
    set interfaces tunnel tun100 multicast 'enable'
    set interfaces tunnel tun100 parameters ip key '1'
    set interfaces tunnel tun100 source-address '0.0.0.0'
    set interfaces tunnel tun200 address '172.16.254.131/29'
    set interfaces tunnel tun200 encapsulation 'gre'
    set interfaces tunnel tun200 multicast 'enable'
    set interfaces tunnel tun200 parameters ip key '2'
    set interfaces tunnel tun200 source-address '0.0.0.0'
    
    set protocols nhrp tunnel tun100 cisco-authentication 'secret'
    set protocols nhrp tunnel tun100 holding-time '30'
    set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '10.11.0.1'
    set protocols nhrp tunnel tun100 map 172.16.253.134/29 register
    set protocols nhrp tunnel tun100 multicast 'nhs'
    set protocols nhrp tunnel tun100 redirect
    set protocols nhrp tunnel tun100 shortcut
    set protocols nhrp tunnel tun200 cisco-authentication 'secret'
    set protocols nhrp tunnel tun200 holding-time '30'
    set protocols nhrp tunnel tun200 map 172.16.254.134/29 nbma-address '10.21.0.1'
    set protocols nhrp tunnel tun200 map 172.16.254.134/29 register
    set protocols nhrp tunnel tun200 multicast 'nhs'
    set protocols nhrp tunnel tun200 redirect
    set protocols nhrp tunnel tun200 shortcut
    
    set vpn ipsec esp-group ESP-HUB compression 'disable'
    set vpn ipsec esp-group ESP-HUB lifetime '1800'
    set vpn ipsec esp-group ESP-HUB mode 'transport'
    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
    set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
    set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
    set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
    set vpn ipsec ike-group IKE-HUB close-action 'none'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection action 'restart'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection interval '3'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection timeout '30'
    set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
    set vpn ipsec ike-group IKE-HUB lifetime '3600'
    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
    set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
    set vpn ipsec ipsec-interfaces interface 'eth0'
    set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun200'
    set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
    set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
    
- Spoke-2:

.. code-block:: none
   
    set interfaces tunnel tun100 address '172.16.253.132/29'
    set interfaces tunnel tun100 encapsulation 'gre'
    set interfaces tunnel tun100 multicast 'enable'
    set interfaces tunnel tun100 parameters ip key '1'
    set interfaces tunnel tun100 source-address '0.0.0.0'
    set interfaces tunnel tun200 address '172.16.254.132/29'
    set interfaces tunnel tun200 encapsulation 'gre'
    set interfaces tunnel tun200 multicast 'enable'
    set interfaces tunnel tun200 parameters ip key '2'
    set interfaces tunnel tun200 source-address '0.0.0.0'
    
    set protocols nhrp tunnel tun100 cisco-authentication 'secret'
    set protocols nhrp tunnel tun100 holding-time '30'
    set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '10.11.0.1'
    set protocols nhrp tunnel tun100 map 172.16.253.134/29 register
    set protocols nhrp tunnel tun100 multicast 'nhs'
    set protocols nhrp tunnel tun100 redirect
    set protocols nhrp tunnel tun100 shortcut
    set protocols nhrp tunnel tun200 cisco-authentication 'secret'
    set protocols nhrp tunnel tun200 holding-time '30'
    set protocols nhrp tunnel tun200 map 172.16.254.134/29 nbma-address '10.21.0.1'
    set protocols nhrp tunnel tun200 map 172.16.254.134/29 register
    set protocols nhrp tunnel tun200 multicast 'nhs'
    set protocols nhrp tunnel tun200 redirect
    set protocols nhrp tunnel tun200 shortcut
    
    set vpn ipsec esp-group ESP-HUB compression 'disable'
    set vpn ipsec esp-group ESP-HUB lifetime '1800'
    set vpn ipsec esp-group ESP-HUB mode 'transport'
    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
    set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
    set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
    set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
    set vpn ipsec ike-group IKE-HUB close-action 'none'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection action 'restart'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection interval '3'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection timeout '30'
    set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
    set vpn ipsec ike-group IKE-HUB lifetime '3600'
    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
    set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
    set vpn ipsec ipsec-interfaces interface 'eth0'
    set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun200'
    set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
    set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
    
- Spoke-3:

.. code-block:: none
   
    set interfaces tunnel tun100 address '172.16.253.133/29'
    set interfaces tunnel tun100 encapsulation 'gre'
    set interfaces tunnel tun100 multicast 'enable'
    set interfaces tunnel tun100 parameters ip key '1'
    set interfaces tunnel tun100 source-address '0.0.0.0'
    set interfaces tunnel tun200 address '172.16.254.133/29'
    set interfaces tunnel tun200 encapsulation 'gre'
    set interfaces tunnel tun200 multicast 'enable'
    set interfaces tunnel tun200 parameters ip key '2'
    set interfaces tunnel tun200 source-address '0.0.0.0'
    
    set protocols nhrp tunnel tun100 cisco-authentication 'secret'
    set protocols nhrp tunnel tun100 holding-time '30'
    set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '10.11.0.1'
    set protocols nhrp tunnel tun100 map 172.16.253.134/29 register
    set protocols nhrp tunnel tun100 multicast 'nhs'
    set protocols nhrp tunnel tun100 redirect
    set protocols nhrp tunnel tun100 shortcut
    set protocols nhrp tunnel tun200 cisco-authentication 'secret'
    set protocols nhrp tunnel tun200 holding-time '30'
    set protocols nhrp tunnel tun200 map 172.16.254.134/29 nbma-address '10.21.0.1'
    set protocols nhrp tunnel tun200 map 172.16.254.134/29 register
    set protocols nhrp tunnel tun200 multicast 'nhs'
    set protocols nhrp tunnel tun200 redirect
    set protocols nhrp tunnel tun200 shortcut
    
    set vpn ipsec esp-group ESP-HUB compression 'disable'
    set vpn ipsec esp-group ESP-HUB lifetime '1800'
    set vpn ipsec esp-group ESP-HUB mode 'transport'
    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
    set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
    set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
    set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
    set vpn ipsec ike-group IKE-HUB close-action 'none'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection action 'restart'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection interval '3'
    set vpn ipsec ike-group IKE-HUB dead-peer-detection timeout '30'
    set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
    set vpn ipsec ike-group IKE-HUB lifetime '3600'
    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
    set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
    set vpn ipsec ipsec-interfaces interface 'eth0'
    set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun200'
    set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
    set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
    


Step-4: Enabling eBGP as a Dynamic Routing Protocol between Hubs and Spokes
===========================================================================

For the simplified and better network management we're using eBGP for routing 
information exchange between devices. As we're using Active-Standby mode in 
this example, Hub-2 is configured with AS-prepand as an export route-policy 
and VRRP transition scripts are used for switching mastership based on the 
current link/device state. Also, we use multihop BFD for faster eBGP failure 
detection.

Hub-1 and Hub-2 VRRP transition scripts:
________________________________________

* /config/scripts/vrrp-master.sh

.. code-block:: none
    
    #!/bin/vbash

    if [ $(id -gn) != vyattacfg ]; then
        exec sg vyattacfg "$0 $*"
    fi
    
    source /opt/vyatta/etc/functions/script-template
    
    configure
    delete protocols bgp 65000 peer-group DMVPN address-family ipv4-unicast route-map export AS65000-PREP
    commit
    
    exit


* /config/scripts/vrrp-fail.sh

.. code-block:: none
    
    #!/bin/vbash

    if [ $(id -gn) != vyattacfg ]; then
        exec sg vyattacfg "$0 $*"
    fi
    
    source /opt/vyatta/etc/functions/script-template
    
    configure
    set protocols bgp 65000 peer-group DMVPN address-family ipv4-unicast route-map export AS65000-PREP
    commit
    
    exit


**Note**: some parts of the script might be dependent on your network topology 
and connectivity. Be careful before using it on your own devices.


Hub devices configuration:
__________________________

- Hub-1:

.. code-block:: none
   
    set high-availability vrrp group HQ transition-script backup '/config/scripts/vrrp-fail.sh'
    set high-availability vrrp group HQ transition-script fault '/config/scripts/vrrp-fail.sh'
    set high-availability vrrp group HQ transition-script master '/config/scripts/vrrp-master.sh'
    set high-availability vrrp group HQ transition-script stop '/config/scripts/vrrp-fail.sh'
    
    set policy route-map AS65000-PREP rule 1 action 'permit'
    set policy route-map AS65000-PREP rule 1 set as-path-prepend '65000 65000 65000'
    
    set protocols bfd peer 172.16.253.131 interval multiplier '3'
    set protocols bfd peer 172.16.253.131 interval receive '300'
    set protocols bfd peer 172.16.253.131 interval transmit '300'
    set protocols bfd peer 172.16.253.131 multihop
    set protocols bfd peer 172.16.253.131 source address '172.16.253.134'
    set protocols bfd peer 172.16.253.132 interval multiplier '3'
    set protocols bfd peer 172.16.253.132 interval receive '300'
    set protocols bfd peer 172.16.253.132 interval transmit '300'
    set protocols bfd peer 172.16.253.132 multihop
    set protocols bfd peer 172.16.253.132 source address '172.16.253.134'
    set protocols bfd peer 172.16.253.133 interval multiplier '3'
    set protocols bfd peer 172.16.253.133 interval receive '300'
    set protocols bfd peer 172.16.253.133 interval transmit '300'
    set protocols bfd peer 172.16.253.133 multihop
    set protocols bfd peer 172.16.253.133 source address '172.16.253.134'
    
    set protocols bgp 65000 address-family ipv4-unicast network 192.168.0.0/24
    set protocols bgp 65000 neighbor 172.16.253.131 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.253.131 remote-as '65001'
    set protocols bgp 65000 neighbor 172.16.253.132 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.253.132 remote-as '65002'
    set protocols bgp 65000 neighbor 172.16.253.133 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.253.133 remote-as '65003'
    set protocols bgp 65000 parameters log-neighbor-changes
    set protocols bgp 65000 parameters network-import-check
    set protocols bgp 65000 peer-group DMVPN bfd

- Hub-2:

.. code-block:: none
   
    set high-availability vrrp group HQ transition-script backup '/config/scripts/vrrp-fail.sh'
    set high-availability vrrp group HQ transition-script fault '/config/scripts/vrrp-fail.sh'
    set high-availability vrrp group HQ transition-script master '/config/scripts/vrrp-master.sh'
    set high-availability vrrp group HQ transition-script stop '/config/scripts/vrrp-fail.sh'
    
    set policy route-map AS65000-PREP rule 1 action 'permit'
    set policy route-map AS65000-PREP rule 1 set as-path-prepend '65000 65000 65000'
    
    set protocols bfd peer 172.16.254.131 interval multiplier '3'
    set protocols bfd peer 172.16.254.131 interval receive '300'
    set protocols bfd peer 172.16.254.131 interval transmit '300'
    set protocols bfd peer 172.16.254.131 multihop
    set protocols bfd peer 172.16.254.131 source address '172.16.254.134'
    set protocols bfd peer 172.16.254.132 interval multiplier '3'
    set protocols bfd peer 172.16.254.132 interval receive '300'
    set protocols bfd peer 172.16.254.132 interval transmit '300'
    set protocols bfd peer 172.16.254.132 multihop
    set protocols bfd peer 172.16.254.132 source address '172.16.254.134'
    set protocols bfd peer 172.16.254.133 interval multiplier '3'
    set protocols bfd peer 172.16.254.133 interval receive '300'
    set protocols bfd peer 172.16.254.133 interval transmit '300'
    set protocols bfd peer 172.16.254.133 multihop
    set protocols bfd peer 172.16.254.133 source address '172.16.254.134'
    
    set protocols bgp 65000 address-family ipv4-unicast network 192.168.0.0/24
    set protocols bgp 65000 neighbor 172.16.254.131 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.254.131 remote-as '65001'
    set protocols bgp 65000 neighbor 172.16.254.132 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.254.132 remote-as '65002'
    set protocols bgp 65000 neighbor 172.16.254.133 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.254.133 remote-as '65003'
    set protocols bgp 65000 parameters log-neighbor-changes
    set protocols bgp 65000 parameters network-import-check
    set protocols bgp 65000 peer-group DMVPN address-family ipv4-unicast route-map export 'AS65000-PREP'
    set protocols bgp 65000 peer-group DMVPN bfd
    
Spoke devices configuration:
____________________________

- Spoke-1:

.. code-block:: none
   
    set protocols bfd peer 172.16.253.134 interval multiplier '3'
    set protocols bfd peer 172.16.253.134 interval receive '300'
    set protocols bfd peer 172.16.253.134 interval transmit '300'
    set protocols bfd peer 172.16.253.134 multihop
    set protocols bfd peer 172.16.253.134 source address '172.16.253.131'
    set protocols bfd peer 172.16.254.134 interval multiplier '3'
    set protocols bfd peer 172.16.254.134 interval receive '300'
    set protocols bfd peer 172.16.254.134 interval transmit '300'
    set protocols bfd peer 172.16.254.134 multihop
    set protocols bfd peer 172.16.254.134 source address '172.16.254.131'
    
    set protocols bgp 65001 address-family ipv4-unicast network 192.168.1.0/24
    set protocols bgp 65001 neighbor 172.16.253.134 address-family ipv4-unicast
    set protocols bgp 65001 neighbor 172.16.253.134 bfd
    set protocols bgp 65001 neighbor 172.16.253.134 remote-as '65000'
    set protocols bgp 65001 neighbor 172.16.254.134 address-family ipv4-unicast
    set protocols bgp 65001 neighbor 172.16.254.134 bfd
    set protocols bgp 65001 neighbor 172.16.254.134 remote-as '65000'
    set protocols bgp 65001 parameters log-neighbor-changes
    
- Spoke-2:

.. code-block:: none
   
    set protocols bfd peer 172.16.253.134 interval multiplier '3'
    set protocols bfd peer 172.16.253.134 interval receive '300'
    set protocols bfd peer 172.16.253.134 interval transmit '300'
    set protocols bfd peer 172.16.253.134 multihop
    set protocols bfd peer 172.16.253.134 source address '172.16.253.132'
    set protocols bfd peer 172.16.254.134 interval multiplier '3'
    set protocols bfd peer 172.16.254.134 interval receive '300'
    set protocols bfd peer 172.16.254.134 interval transmit '300'
    set protocols bfd peer 172.16.254.134 multihop
    set protocols bfd peer 172.16.254.134 source address '172.16.254.132'
    
    set protocols bgp 65002 address-family ipv4-unicast network 192.168.2.0/24
    set protocols bgp 65002 neighbor 172.16.253.134 address-family ipv4-unicast
    set protocols bgp 65002 neighbor 172.16.253.134 bfd
    set protocols bgp 65002 neighbor 172.16.253.134 remote-as '65000'
    set protocols bgp 65002 neighbor 172.16.254.134 address-family ipv4-unicast
    set protocols bgp 65002 neighbor 172.16.254.134 bfd
    set protocols bgp 65002 neighbor 172.16.254.134 remote-as '65000'
    set protocols bgp 65002 parameters log-neighbor-changes
    
- Spoke-3:

.. code-block:: none
   
    set protocols bfd peer 172.16.253.134 interval multiplier '3'
    set protocols bfd peer 172.16.253.134 interval receive '300'
    set protocols bfd peer 172.16.253.134 interval transmit '300'
    set protocols bfd peer 172.16.253.134 multihop
    set protocols bfd peer 172.16.253.134 source address '172.16.253.133'
    set protocols bfd peer 172.16.254.134 interval multiplier '3'
    set protocols bfd peer 172.16.254.134 interval receive '300'
    set protocols bfd peer 172.16.254.134 interval transmit '300'
    set protocols bfd peer 172.16.254.134 multihop
    set protocols bfd peer 172.16.254.134 source address '172.16.254.133'
    
    set protocols bgp 65003 address-family ipv4-unicast network 192.168.3.0/24
    set protocols bgp 65003 neighbor 172.16.253.134 address-family ipv4-unicast
    set protocols bgp 65003 neighbor 172.16.253.134 bfd
    set protocols bgp 65003 neighbor 172.16.253.134 remote-as '65000'
    set protocols bgp 65003 neighbor 172.16.254.134 address-family ipv4-unicast
    set protocols bgp 65003 neighbor 172.16.254.134 bfd
    set protocols bgp 65003 neighbor 172.16.254.134 remote-as '65000'
    set protocols bgp 65003 parameters log-neighbor-changes
    
**Note**: In case if you're using VyOS version that has a VRRP transition 
scripts issues after a device reboot, as a temporary solution you may add
postconfig-bootup script that reloads **keepalived** process additionally after 
the device booted.

- Hub devices /config/scripts/vyos-postconfig-bootup.script:

.. code-block:: none
   
    #!/bin/sh
    # This script is executed at boot time after VyOS configuration is fully applied.
    # Any modifications required to work around unfixed bugs
    # or use services not available through the VyOS CLI system can be placed here.
    
    echo "Reloading VRRP process"
    sudo systemctl restart keepalived.service
    echo "VRRP process reload completed"



Step-5: Verification
====================

Now, it's time to check that all protocols are working as expected and mastership 
during the failover switches correctly between Hub devices.

- Checking VRRP state between Hub-1 and Hub-2:

.. code-block:: none
   
    vyos@Hub-1:~$ show vrrp
    Name    Interface      VRID  State      Priority  Last Transition
    ------  -----------  ------  -------  ----------  -----------------
    HQ      eth1v1            1  MASTER          200  14s
    
    vyos@Hub-2:~$ show vrrp
    Name    Interface      VRID  State      Priority  Last Transition
    ------  -----------  ------  -------  ----------  -----------------
    HQ      eth1v1            1  BACKUP          100  29s

- Checking NHRP and eBGP sessions between Hub and Spoke devices:

.. code-block:: none
   
    vyos@Hub-1:~$ show nhrp tunnel
    Status: ok
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.253.135/32
    Alias-Address: 172.16.253.134
    Flags: up
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.253.134/32
    Flags: up
    
    Interface: tun100
    Type: dynamic
    Protocol-Address: 172.16.253.131/32
    NBMA-Address: 10.11.1.11
    Flags: up
    Expires-In: 0:23
    
    Interface: tun100
    Type: dynamic
    Protocol-Address: 172.16.253.133/32
    NBMA-Address: 10.31.1.11
    Flags: up
    Expires-In: 0:22
    
    Interface: tun100
    Type: dynamic
    Protocol-Address: 172.16.253.132/32
    NBMA-Address: 10.21.1.11
    Flags: up
    Expires-In: 0:21
    
    vyos@Hub-1:~$ show bgp summary
    
    IPv4 Unicast Summary:
    BGP router identifier 192.168.0.1, local AS number 65000 vrf-id 0
    BGP table version 20
    RIB entries 7, using 1344 bytes of memory
    Peers 3, using 64 KiB of memory
    Peer groups 1, using 64 bytes of memory
    
    Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
    172.16.253.131  4      65001     26519     26526        0    0    0 00:43:38            1        4
    172.16.253.132  4      65002     26545     26540        0    0    0 00:46:36            1        4
    172.16.253.133  4      65003     26528     26520        0    0    0 00:41:59            1        4
    
    Total number of neighbors 3
    
    
    vyos@Hub-2:~$ show nhrp tunnel
    Status: ok
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.254.135/32
    Alias-Address: 172.16.254.134
    Flags: up
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.254.134/32
    Flags: up
    
    Interface: tun100
    Type: dynamic
    Protocol-Address: 172.16.254.132/32
    NBMA-Address: 10.21.1.11
    Flags: up
    Expires-In: 0:28
    
    Interface: tun100
    Type: dynamic
    Protocol-Address: 172.16.254.131/32
    NBMA-Address: 10.11.1.11
    Flags: up
    Expires-In: 0:21
    
    Interface: tun100
    Type: dynamic
    Protocol-Address: 172.16.254.133/32
    NBMA-Address: 10.31.1.11
    Flags: up
    Expires-In: 0:20
    
    vyos@Hub-2:~$ show bgp summary
    
    IPv4 Unicast Summary:
    BGP router identifier 192.168.0.2, local AS number 65000 vrf-id 0
    BGP table version 14
    RIB entries 7, using 1344 bytes of memory
    Peers 3, using 64 KiB of memory
    Peer groups 1, using 64 bytes of memory
    
    Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
    172.16.254.131  4      65001     26516     26516        0    0    0 00:43:03            1        4
    172.16.254.132  4      65002     26563     26562        0    0    0 00:48:27            1        4
    172.16.254.133  4      65003     26518     26516        0    0    0 00:42:20            1        4
    
    Total number of neighbors 3
    
- Checking BFD sessions between Hub and Spoke devices:

.. code-block:: none
   
    vyos@Hub-1:~$ show protocols bfd peers
    Session count: 6
    SessionId  LocalAddress                             PeerAddress                             Status
    =========  ============                             ===========                             ======
    3600626867 172.16.253.134                           172.16.253.133                          up
    1123939978 172.16.253.134                           172.16.253.131                          up
    374394280  172.16.253.134                           172.16.253.132                          up
    1786735466 172.16.253.134                           172.16.253.132                          up
    1440522544 172.16.253.134                           172.16.253.131                          up
    1106910911 172.16.253.134                           172.16.253.133                          up
    
    
    vyos@Hub-2:~$ show protocols bfd peers
    Session count: 6
    SessionId  LocalAddress                             PeerAddress                             Status
    =========  ============                             ===========                             ======
    2442966178 172.16.254.134                           172.16.254.133                          up
    393258775  172.16.254.134                           172.16.254.131                          up
    2990308682 172.16.254.134                           172.16.254.133                          up
    2267910949 172.16.254.134                           172.16.254.132                          up
    3542474595 172.16.254.134                           172.16.254.131                          up
    4239538185 172.16.254.134                           172.16.254.132                          up

- Checking routing information and connectivity between Hub and Spoke devices:

.. code-block:: none
   
    vyos@Hub-1:~$ show ip bgp
    BGP table version is 20, local router ID is 192.168.0.1, vrf id 0
    Default local pref 100, local AS 65000
    Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
                   i internal, r RIB-failure, S Stale, R Removed
    Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
    Origin codes:  i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric LocPrf Weight Path
    *> 192.168.0.0/24   0.0.0.0                  0         32768 i
    *> 192.168.1.0/24   172.16.253.131           0             0 65001 i
    *> 192.168.2.0/24   172.16.253.132           0             0 65002 i
    *> 192.168.3.0/24   172.16.253.133           0             0 65003 i
    
    Displayed  4 routes and 4 total paths


    vyos@Hub-2:~$ show ip bgp
    BGP table version is 14, local router ID is 192.168.0.2, vrf id 0
    Default local pref 100, local AS 65000
    Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
                   i internal, r RIB-failure, S Stale, R Removed
    Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
    Origin codes:  i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric LocPrf Weight Path
    *> 192.168.0.0/24   0.0.0.0                  0         32768 i
    *> 192.168.1.0/24   172.16.254.131           0             0 65001 i
    *> 192.168.2.0/24   172.16.254.132           0             0 65002 i
    *> 192.168.3.0/24   172.16.254.133           0             0 65003 i
    
    Displayed  4 routes and 4 total paths


    vyos@Spoke-1:~$ show ip bgp
    BGP table version is 19, local router ID is 192.168.1.1, vrf id 0
    Default local pref 100, local AS 65001
    Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
                   i internal, r RIB-failure, S Stale, R Removed
    Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
    Origin codes:  i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric LocPrf Weight Path
    *  192.168.0.0/24   172.16.254.134           0             0 65000 65000 65000 65000 i
    *>                  172.16.253.134           0             0 65000 i
    *> 192.168.1.0/24   0.0.0.0                  0         32768 i
    *  192.168.2.0/24   172.16.254.132                         0 65000 65000 65000 65000 65002 i
    *>                  172.16.253.132                         0 65000 65002 i
    *  192.168.3.0/24   172.16.254.133                         0 65000 65000 65000 65000 65003 i
    *>                  172.16.253.133                         0 65000 65003 i
    
    Displayed  4 routes and 7 total paths

As you can see, Hub-2 announces routes with longer(prepended) AS path as 
we've configured it previously, those, traffic towards HQ subnet will be 
forwarded over Hub-1 which is operating as an Active VRRP router. Let's 
check connectivity and the path from Spoke-1 to the HQ local network:

.. code-block:: none
   
    vyos@Spoke-1:~$ ping 192.168.0.10 count 5 interface 192.168.1.1
    PING 192.168.0.10 (192.168.0.10) from 192.168.1.1 : 56(84) bytes of data.
    64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=3.50 ms
    64 bytes from 192.168.0.10: icmp_seq=2 ttl=63 time=2.45 ms
    64 bytes from 192.168.0.10: icmp_seq=3 ttl=63 time=2.34 ms
    64 bytes from 192.168.0.10: icmp_seq=4 ttl=63 time=2.20 ms
    64 bytes from 192.168.0.10: icmp_seq=5 ttl=63 time=2.44 ms
    
    --- 192.168.0.10 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 11ms
    rtt min/avg/max/mdev = 2.195/2.583/3.496/0.465 ms
    
    vyos@Spoke-1:~$ traceroute 192.168.0.10
    traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 60 byte packets
     1  172.16.253.134 (172.16.253.134)  0.913 ms  0.884 ms  0.819 ms
     2  192.168.0.10 (192.168.0.10)  1.352 ms  1.446 ms  1.391 ms

From the output, we can confirm successful connectivity between Spoke-1 and HQ 
local networks. From the traceroute we see that the traffic pass through the 
Hub-1.

Now, let's check traffic between Spoke sites. Based on our configuration, Spoke 
sites are using shortcut for direct reachability between each other. First, let's 
check NHRP tunnels before passing the traffic between Spoke-1 and Spoke-2:

.. code-block:: none
   
    vyos@Spoke-1:~$ show nhrp tunnel
    Status: ok
    
    Interface: tun200
    Type: local
    Protocol-Address: 172.16.254.135/32
    Alias-Address: 172.16.254.131
    Flags: up
    
    Interface: tun200
    Type: local
    Protocol-Address: 172.16.254.131/32
    Flags: up
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.253.135/32
    Alias-Address: 172.16.253.131
    Flags: up
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.253.131/32
    Flags: up
    
    Interface: tun200
    Type: static
    Protocol-Address: 172.16.254.134/29
    NBMA-Address: 10.21.0.1
    Flags: used up
    
    Interface: tun100
    Type: static
    Protocol-Address: 172.16.253.134/29
    NBMA-Address: 10.11.0.1
    Flags: used up

    vyos@Spoke-2:~$ show nhrp tunnel
    Status: ok
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.253.135/32
    Alias-Address: 172.16.253.132
    Flags: up
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.253.132/32
    Flags: up
    
    Interface: tun200
    Type: local
    Protocol-Address: 172.16.254.135/32
    Alias-Address: 172.16.254.132
    Flags: up
    
    Interface: tun200
    Type: local
    Protocol-Address: 172.16.254.132/32
    Flags: up
    
    Interface: tun100
    Type: static
    Protocol-Address: 172.16.253.134/29
    NBMA-Address: 10.11.0.1
    Flags: used up
    
    Interface: tun200
    Type: static
    Protocol-Address: 172.16.254.134/29
    NBMA-Address: 10.21.0.1


After passing traffic we could see that there is additional shortcut tunnel 
created between Spoke-1 and Spoke-2 for the direct communication:

.. code-block:: none
   
    vyos@Spoke-1:~$ ping 192.168.2.1 count 5 interface 192.168.1.1
    PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
    64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=1.03 ms
    64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.820 ms
    64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=1.13 ms
    64 bytes from 192.168.2.1: icmp_seq=4 ttl=63 time=1.41 ms
    64 bytes from 192.168.2.1: icmp_seq=5 ttl=64 time=0.988 ms
    
    --- 192.168.2.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 10ms
    rtt min/avg/max/mdev = 0.820/1.075/1.412/0.197 ms
    
    vyos@Spoke-1:~$ traceroute 192.168.2.1
    traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 60 byte packets
     1  192.168.2.1 (192.168.2.1)  1.172 ms  1.109 ms  1.151 ms

    vyos@Spoke-1:~$ show nhrp tunnel
    Status: ok
    
    Interface: tun200
    Type: local
    Protocol-Address: 172.16.254.135/32
    Alias-Address: 172.16.254.131
    Flags: up
    
    Interface: tun200
    Type: local
    Protocol-Address: 172.16.254.131/32
    Flags: up
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.253.135/32
    Alias-Address: 172.16.253.131
    Flags: up
    
    Interface: tun100
    Type: local
    Protocol-Address: 172.16.253.131/32
    Flags: up
    
    Interface: tun200
    Type: static
    Protocol-Address: 172.16.254.134/29
    NBMA-Address: 10.21.0.1
    Flags: used up
    
    ____________________________________
    Interface: tun100
    Type: cached
    Protocol-Address: 172.16.253.132/32
    NBMA-Address: 10.21.1.11
    Flags: used up
    Expires-In: 0:24
    ____________________________________
    
    Interface: tun100
    Type: static
    Protocol-Address: 172.16.253.134/29
    NBMA-Address: 10.11.0.1
    Flags: used up

The same applies to the rest of the devices and works with the same logic. 
As we've already confirmed successfull connectivity between Hub and Spoke 
devices, let's check failover process.

- Failover on the health-check failure on Hub-1:
  
.. code-block:: none
   
    # disabling interface towards Hub-1 on ISP router
    vyos@ISP1:~$ configure
    [edit]
    vyos@ISP1# set interfaces ethernet eth0 disable
    [edit]
    vyos@ISP1# commit
    [edit]
    vyos@ISP1#


    # checking VRRP state and eBGP configuration on Hub-1:
    vyos@Hub-1:~$ show vrrp
    Name    Interface      VRID  State      Priority  Last Transition
    ------  -----------  ------  -------  ----------  -----------------
    HQ      eth1v1            1  FAULT           200  1m15s
    
    vyos@Hub-1:~$ show configuration commands | match bgp
    set protocols bgp 65000 address-family ipv4-unicast network 192.168.0.0/24
    set protocols bgp 65000 neighbor 172.16.253.131 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.253.131 remote-as '65001'
    set protocols bgp 65000 neighbor 172.16.253.132 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.253.132 remote-as '65002'
    set protocols bgp 65000 neighbor 172.16.253.133 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.253.133 remote-as '65003'
    set protocols bgp 65000 parameters log-neighbor-changes
    set protocols bgp 65000 peer-group DMVPN address-family ipv4-unicast route-map export 'AS65000-PREP'
    set protocols bgp 65000 peer-group DMVPN bfd


    # consecutive pings check from Spoke-1 to the HQ local network during the failure
    --- 192.168.0.10 ping statistics ---
    223 packets transmitted, 219 received, 1.79372% packet loss, time 679ms
    rtt min/avg/max/mdev = 0.918/2.191/2.957/0.364 ms
    vyos@Spoke-1:~$


    # consecutive pings check from Spoke-3 to the Spoke-2 local network during the failure
    --- 192.168.2.1 ping statistics ---
    265 packets transmitted, 265 received, 0% packet loss, time 690ms
    rtt min/avg/max/mdev = 0.663/1.128/2.272/0.285 ms
    vyos@Spoke-3:~$

**Note**: After bringing ISP interface towards Hub-1 back to UP state, 
VRRP state will remain unchanged due to "no-preempt" option enabled 
under the VRRP configuration on the Hub-1 and Hub-2 and will be changed 
only during link/device failure on Hub-2.
    
- Failover during Hub-2 device failure:

.. code-block:: none
   
    # Checking VRRP state and eBGP configuration on Hub-2 before reboot
    vyos@Hub-2:~$ show vrrp
    Name    Interface      VRID  State      Priority  Last Transition
    ------  -----------  ------  -------  ----------  -----------------
    HQ      eth1v1            1  MASTER          100  20m22s

    vyos@Hub-2:~$ show configuration commands | match bgp
    set protocols bgp 65000 address-family ipv4-unicast network 192.168.0.0/24
    set protocols bgp 65000 neighbor 172.16.254.131 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.254.131 remote-as '65001'
    set protocols bgp 65000 neighbor 172.16.254.132 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.254.132 remote-as '65002'
    set protocols bgp 65000 neighbor 172.16.254.133 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.254.133 remote-as '65003'
    set protocols bgp 65000 parameters log-neighbor-changes
    set protocols bgp 65000 peer-group DMVPN address-family ipv4-unicast route-map
    set protocols bgp 65000 peer-group DMVPN bfd


    # Rebooting Hub-2
    vyos@Hub-2:~$ reboot
    Are you sure you want to reboot this system? [y/N]  y

    
    # Checking VRRP state and eBGP configuration on Hub-1
    vyos@Hub-1:~$ show vrrp
    Name    Interface      VRID  State      Priority  Last Transition
    ------  -----------  ------  -------  ----------  -----------------
    HQ      eth1v1            1  MASTER          200  1m57s
    
    vyos@Hub-1:~$ show configuration commands | match bgp
    set protocols bgp 65000 address-family ipv4-unicast network 192.168.0.0/24
    set protocols bgp 65000 neighbor 172.16.253.131 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.253.131 remote-as '65001'
    set protocols bgp 65000 neighbor 172.16.253.132 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.253.132 remote-as '65002'
    set protocols bgp 65000 neighbor 172.16.253.133 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.253.133 remote-as '65003'
    set protocols bgp 65000 parameters log-neighbor-changes
    set protocols bgp 65000 peer-group DMVPN address-family ipv4-unicast route-map
    set protocols bgp 65000 peer-group DMVPN bfd
    
    
    # Checking VRRP state and eBGP configuration on Hub-2 after reboot completed
    vyos@Hub-2:~$ show vrrp
    Name    Interface      VRID  State      Priority  Last Transition
    ------  -----------  ------  -------  ----------  -----------------
    HQ      eth1v1            1  BACKUP          100  1m46s
    
    vyos@Hub-2:~$ show configuration commands | match bgp
    set protocols bgp 65000 address-family ipv4-unicast network 192.168.0.0/24
    set protocols bgp 65000 neighbor 172.16.254.131 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.254.131 remote-as '65001'
    set protocols bgp 65000 neighbor 172.16.254.132 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.254.132 remote-as '65002'
    set protocols bgp 65000 neighbor 172.16.254.133 peer-group 'DMVPN'
    set protocols bgp 65000 neighbor 172.16.254.133 remote-as '65003'
    set protocols bgp 65000 parameters log-neighbor-changes
    set protocols bgp 65000 peer-group DMVPN address-family ipv4-unicast route-map export 'AS65000-PREP'
    set protocols bgp 65000 peer-group DMVPN bfd


    # consecutive pings check from Spoke-1 to the HQ local network during the failure
    --- 192.168.0.10 ping statistics ---
    1182 packets transmitted, 1182 received, 0% packet loss, time 1921ms
    rtt min/avg/max/mdev = 0.890/1.692/3.305/0.503 ms
    vyos@Spoke-1:~$


    # consecutive pings check from Spoke-3 to the Spoke-2 local network during the failure
    --- 192.168.2.1 ping statistics ---
    1186 packets transmitted, 1186 received, 0% packet loss, time 2100ms
    rtt min/avg/max/mdev = 0.506/1.236/8.497/0.369 ms
    vyos@Spoke-3:~$

From the results, we can see that the switchover performed as expected with 
0 packets loss both from Spoke-1 to HQ and Spoke-3 to Spoke-2 networks.