DMVPN/GETVPN Dual Spoke Router Design

Answered Question
Jul 17th, 2008

All:

I am trying to lay out a new VPN design - single DMVPN cloud, dual hub routers at primary site, single hub router at backup site, and dual spoke routers at the branch/remotes.

This is all via internet transport, with GETVPN overlay to encrypt.

Has anyone had any experience laying out DMVPN designs with dual spoke routers, and how did you go about it? HSRP @ outside or inside interface, routing protocol determination only, etc..

Thanks in advance!

schatsm Thu, 07/17/2008 - 08:07

Thanks Daniel!

I think I have a handle on the primary site Hub Configurations now - my remaining issues would be:

1) Backup Site 3rd Hub VPN Peer (Not critical in initial design).

2) Dual Spoke Routers (Critical - While still remote offices, we need to build highly available deployments).

3) Hub routers in DMZ behind ASA for design @ HQ - Allow only known peers to initiate sessions. I think this is moot, but want to see if anyone else is doing it. Mainly because my DMVPN routers won't be my Internet routers.

Daniel Voicu Thu, 07/17/2008 - 08:28

Hi,

1. TBD

2. This is fairly simple to implement.

Check the document:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

Basically, you will apply the crypto map to the external interface. Have both internal and external interfaces in HSRP groups.

Have the GRE source interface use the HSRP IP.

On the External Interface add the command:

crypto map <map-name> redundancy <standby-group-name>

The idea is so simple but genius:

If you use for GRE source the HSRP IP, only the primary router can use it, therefore only the primary router will have the GRE up.

You will configure the secondary with the same GRE settings (including the IP address). Only the primary router has the right to use the HSRP IP and build the tunnel.

What is the benefit? Only one tunnel for both routers. Half the number of tunnels normally needed.

You can use HSRP or SSO (for stateful failover)

3. That is fine provided that all your spokes have fixed IPs.

Please rate if this helped.

Regards,

Daniel
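Putting Daniel's description into a configuration, as an added example (it is not from this thread or from the linked tech note): the two spoke routers share the outside HSRP address as both the GRE source and the IPsec local address, so only the HSRP-active router ever brings the tunnel up and the hub sees one spoke. Shown for the primary spoke router; the secondary is identical except for its physical interface addresses and a lower HSRP priority. All names, the pre-shared key, HSRP group numbers and addresses (203.0.113.0/29 outside, 198.51.100.1 for the hub, 10.0.0.0/24 for the tunnel, 192.168.10.0/24 for the LAN) are assumed placeholders, and sourcing the tunnel from the HSRP VIP is taken from the answer above rather than verified here. The crypto map only covers the spoke-to-hub path; spoke-to-spoke tunnels would need additional dynamic crypto map entries that are left out.

```ios
! Added example: dual spoke routers, one shared DMVPN tunnel (HSRP + crypto map redundancy).
! Primary spoke router shown. All addresses, names and the key are placeholders.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! Per-peer key for the hub only; avoid a 0.0.0.0 wildcard key on an Internet-facing router.
crypto isakmp key Hub1PSK-placeholder address 198.51.100.1
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
! Only GRE sourced from the HSRP VIP towards the hub is matched; anything else is not tunnelled.
ip access-list extended GRE-TO-HUB
 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES-SHA
 match address GRE-TO-HUB
!
interface GigabitEthernet0/0
 description Outside: both spoke routers sit on this segment in HSRP group 1
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name HSRP-OUT
 standby 1 track GigabitEthernet0/1 20
 ! "redundancy HSRP-OUT" binds IPsec to the VIP 203.0.113.1 and to the HSRP state.
 ! Append "stateful" only when inter-device redundancy (SSO) is also configured.
 crypto map VPN redundancy HSRP-OUT
!
interface GigabitEthernet0/1
 description Inside: group 2 tracks the outside interface so both sides fail over together
 ip address 192.168.10.2 255.255.255.0
 standby 2 ip 192.168.10.1
 standby 2 priority 110
 standby 2 preempt
 standby 2 track GigabitEthernet0/0 20
!
interface Tunnel0
 description DMVPN spoke tunnel, identical on both routers (same tunnel IP and NHRP settings)
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPN
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ! Source is the HSRP VIP, not the physical address (assumption following the answer):
 ! only the HSRP-active router owns 203.0.113.1, so only it sources GRE and registers with the hub.
 tunnel source 203.0.113.1
 tunnel mode gre multipoint
 tunnel key 1
 ! No "tunnel protection": encryption is done by the crypto map on the outside interface.
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
 no auto-summary
```

To check it: "show standby brief" on the active router shows it owning the VIP in both groups, "show crypto isakmp sa" shows the SA with 203.0.113.1 as the local address, and "show ip nhrp" on the hub lists a single registration for the branch. On the standby router the tunnel and the IPsec SA stay down until it becomes HSRP active.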

schatsm Thu, 07/17/2008 - 10:03

Thanks!

Last bit - I will be using 2811s with AIM + 4pt HWIC switches most likely (for a full L2 mesh back to dual core switches, etc.), so the HSRP interfaces will be VLANs. Therefore, the crypto map will be applied to a serial (or eth) interface depending on provider handoff. No issues there, I think?

I will be building 3 VLANs on those 2811s (Outside, Inside, and DMZ) and running ZPF. Each of these VLANs will be tracking the Serial/Ethernet provider-facing interface, correct?

NAT will bring the inside conversions into the outside VLAN, where they will then take the correct provider route out (BGP learned).

That seem right to you? Sorry for the stream of consciousness, just typing it out as I go along!

-Steve

Correct Answer
Daniel Voicu Fri, 07/18/2008 - 05:53

Hi Steve,

Using BGP will complicate things a little bit.

That's because you need to advertise the HSRP IP (used as GRE source) on both your ISPs. So you need to own that IP.

If that is not possible, you can use the Dual Hub - Dual DMVPN Layout (part of the DMVPN link I attached previously).

This will require one GRE per router, and the routing to be done using the routing protocol.

HSRP can still be used on inside interface, tracking the GRE tunnel status.

Traffic doesn't need to be NATed as it will go via the GRE tunnels.

Please rate if this helped.

Regards,

Daniel
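For the layout Daniel ends up recommending (one tunnel per spoke router, the routing protocol handles failover, HSRP only on the inside), here is an added example configuration; it is not from this thread or from Cisco's DMVPN design guide. Spoke-A terminates DMVPN cloud 1 on hub 1 from its own public address; Spoke-B is built the same way for cloud 2 and hub 2 (different tunnel number, network-id, NHS and tunnel key) with a lower HSRP priority. Inside HSRP tracks an IP SLA probe sent to the hub through the tunnel rather than the tunnel's line protocol, because an mGRE tunnel stays up/up while the hub is unreachable. Addresses (203.0.113.11 outside, 198.51.100.1 hub, 10.0.1.0/24 cloud 1, 10.100.0.0/16 as the HQ prefix, 192.168.10.0/24 LAN), names, timers and the pre-shared key are assumed placeholders.

```ios
! Added example: Spoke-A of a dual-spoke branch in the Dual Hub - Dual DMVPN layout.
! One mGRE tunnel per router; HSRP only on the LAN side. Placeholders throughout.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key Hub1PSK-placeholder address 198.51.100.1
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN1
 set transform-set AES-SHA
!
interface GigabitEthernet0/0
 description ISP-A handoff; Spoke-B uses its own address on ISP-B, no HSRP on the outside
 ip address 203.0.113.11 255.255.255.252
!
interface Tunnel1
 description DMVPN cloud 1 -> HUB1 (Spoke-B has Tunnel2 -> HUB2 in cloud 2)
 ip address 10.0.1.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CLOUD1
 ip nhrp map 10.0.1.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.1.1
 ip nhrp holdtime 600
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN1
!
! Probe the hub's tunnel address through Tunnel1. The echo only succeeds when ISAKMP/IPsec,
! NHRP registration and the GRE path all work, which the mGRE line protocol does not show.
ip sla 1
 icmp-echo 10.0.1.1 source-interface Tunnel1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/1
 description Branch LAN; Spoke-B uses 192.168.10.3 with priority 100
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 ! Losing the hub drops the priority to 90, below Spoke-B's, which takes over as gateway.
 standby 1 track 1 decrement 20
!
! EIGRP runs on the tunnel and on the LAN: each spoke router also learns HQ prefixes
! (e.g. 10.100.0.0/16) from its neighbour, and the hubs learn the branch LAN from both clouds.
! Traffic through the tunnels is not NATed.
router eigrp 100
 network 10.0.1.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
 no auto-summary
```

Check with "show track 1" (state Up while the hub answers the probe), "show standby brief" and "show ip nhrp". If you shut the hub-1 tunnel or break its ISAKMP key, "show track 1" goes Down, Spoke-A's priority falls to 90 and Spoke-B becomes active within the HSRP hold time, while LAN traffic reaches HQ through Spoke-B's cloud-2 tunnel. This also keeps the HQ hub routers' peer list static (one public address per spoke router), which fits the "allow only known peers" rule Steve wants on the ASA in front of the hubs.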
