07-17-2008 07:26 AM - edited 03-09-2019 09:06 PM
All:
I am trying to lay out a new VPN design - single DMVPN cloud, dual hub routers at primary site, single hub router at backup site, and dual spoke routers at the branch/remotes.
This is all via internet transport, with GETVPN overlay to encrypt.
Has anyone had any experience laying out DMVPN designs with dual spoke routers, and how did you go about it? HSRP @ outside or inside interface, routing protocol determination only, etc..
Thanks in advance!
07-17-2008 07:52 AM
Hi,
A very good guide for DMVPN and dual hub:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml
Please rate if this helped.
Regards,
Daniel
07-17-2008 08:07 AM
Thanks Daniel!
I think I have a handle on the primary site Hub Configurations now - my remaining issues would be:
1) Backup Site 3rd Hub VPN Peer (Not critical in initial design).
2) Dual Spoke Routers (Critical - While still remote offices, we need to build highly available deployments).
3) Hub routers in DMZ behind ASA for design @ HQ - Allow only known peers to initiate sessions. I think this is moot, but want to see if anyone else is doing it. Mainly because my DMVPN routers won't be my Internet routers.
07-17-2008 08:28 AM
Hi,
1. TBD
2. This is fairly simple to implement.
Check the document:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml
Basically, you will apply the crypto map to the external interface. Have both internal and external interfaces in HSRP groups.
Have the GRE source interface use the HSRP IP.
On the external interface add the command:
crypto map
The idea is so simple but genius:
If you use for GRE source the HSRP IP, only the primary router can use it, therefore only the primary router will have the GRE up.
You will configure the secondary with the same GRE settings (including the IP address). Only the primary router has the right to use the HSRP IP and build the tunnel.
What is the benefit? Only one tunnel for both routers. Half the number of tunnels normally needed.
You can use HSRP or SSO (for stateful failover)
3. That is fine provided that all your spokes have fixed IPs.
Please rate if this helped.
Regards,
Daniel
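A configuration sketch of the dual-spoke layout Daniel describes above (crypto map on the external interface, HSRP on both interfaces, GRE sourced from the outside HSRP IP), added here as an example; it is not from the thread or from the linked Cisco documents. Interface names, HSRP group numbers and names, the ISAKMP/IPsec policy values and all addresses (RFC 5737 documentation ranges, hub at 198.51.100.1) are assumptions:

```ios
! Spoke router A of a dual-spoke pair (router B carries the same configuration
! with its own physical interface IPs and a lower HSRP priority). Addresses are
! constructed from RFC 5737 documentation ranges; the hub is 198.51.100.1.
!
! Phase 1/2 policy for the crypto map (assumed values, not from the thread).
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Only GRE between the shared outside VIP and the hub is encrypted; the VIP,
! not the physical address, is what the hub sees as the spoke's peer address.
ip access-list extended GRE-TO-HUB
 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map DMVPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set DMVPN-TS
 match address GRE-TO-HUB
!
! Outside: both spoke routers share HSRP group 1 and its VIP 203.0.113.1.
! "redundancy OUTSIDE-HSRP" ties IKE/IPsec to the HSRP state, so only the
! active router negotiates SAs, sourced from the VIP. Append "stateful"
! (with SSO configured) for the stateful failover Daniel mentions.
interface FastEthernet0/0
 description Outside, provider-facing
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name OUTSIDE-HSRP
 standby 1 track FastEthernet0/1 20
 crypto map DMVPN-MAP redundancy OUTSIDE-HSRP
!
! Inside: a second HSRP group, tracking the outside interface so that losing
! the provider link moves the inside VIP to the peer router as well.
interface FastEthernet0/1
 description Inside
 ip address 192.168.10.2 255.255.255.0
 standby 2 ip 192.168.10.1
 standby 2 priority 110
 standby 2 preempt
 standby 2 track FastEthernet0/0 20
!
! One mGRE tunnel, identical on both routers (same tunnel IP), sourced from
! the outside VIP. Only the HSRP-active router owns 203.0.113.1, so only it
! builds the tunnel; the standby router's copy stays down until it takes the VIP.
interface Tunnel0
 description DMVPN spoke tunnel, sourced from the outside HSRP VIP
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 tunnel source 203.0.113.1
 tunnel mode gre multipoint
 tunnel key 100
```

To check the behaviour Daniel describes: `show standby brief` should show one router Active and the other Standby in both groups, `show crypto isakmp sa` should list an SA with 203.0.113.1 as the local address on the active router only, and `show ip nhrp` on the hub should show the spoke registered from the VIP rather than from either physical address. A static crypto map like this one matches only the hub as peer, so it covers hub-and-spoke traffic; dynamic spoke-to-spoke tunnels would need further peers or the per-router tunnel layout.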
07-17-2008 10:03 AM
Thanks!
Last bit - I will be using 2811s with AIM + 4pt HWIC Switches most likely (For a full L2 mesh back to dual core switches, etc), so the HSRP interfaces will be VLANs. Therefore, the crypto map will be applied to a serial (or eth) interface depending on provider handoff. No issues there, I think?
I will be building 3 VLANs on those 2811s (Outside, Inside, and DMZ) and running ZPF. Each of these VLANs will be tracking the Serial/Ethernet provider facing interface, correct?
NAT will bring the inside conversions into the outside VLAN, where they will then take the correct provider route out (BGP learned).
That seem right to you? Sorry for the stream of consciousness, just typing it out as I go along!
-Steve
07-18-2008 05:53 AM
Hi Steve,
Using BGP will complicate things a little bit.
That's because you need to advertise the HSRP IP (used as GRE source) on both your ISPs. So you need to own that IP.
If that is not possible, you can use the Dual Hub - Dual DMVPN Layout (part of the DMVPN link I attached previously).
This will require one GRE per router, and the routing to be done using the routing protocol.
HSRP can still be used on the inside interface, tracking the GRE tunnel status.
Traffic doesn't need to be NATed as it will go via the GRE tunnels.
Please rate if this helped.
Regards,
Daniel
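A sketch of the alternative Daniel describes in this reply (one GRE tunnel per spoke router on its own outside address, the routing protocol choosing the path, inside HSRP tracking the tunnel), added here as an example; it is not from the thread or from Cisco's design guides. IPsec is applied with a tunnel protection profile rather than a crypto map, EIGRP stands in for "the routing protocol", addresses are RFC 5737 documentation ranges, and only one DMVPN cloud is shown (the second cloud to the backup hub would be a second tunnel interface with its own network-id and tunnel key); all of these are assumptions:

```ios
! Dual DMVPN layout, spoke router A (router B is the same with its own outside
! address, tunnel address 10.0.0.12 and a lower inside HSRP priority). Each
! router is an independent DMVPN spoke on its own provider address: no outside
! HSRP group and no shared VIP, so nothing has to be advertised to both ISPs.
! Addresses are constructed from RFC 5737 ranges; the hub is 198.51.100.1.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! A wildcard PSK is what dynamic spoke-to-spoke IKE needs; certificates are
! the stronger option if the design allows them.
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface FastEthernet0/0
 description Outside, this router's own provider address
 ip address 203.0.113.2 255.255.255.252
!
! One tunnel per router, sourced from its own physical outside interface.
interface Tunnel0
 description DMVPN, sourced from this router's own outside interface
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! The routing protocol over the tunnels, not HSRP, decides which spoke router
! forwards a given prefix (EIGRP is an assumption; Daniel only says "the
! routing protocol"). Inside traffic is routed into the tunnel, so no NAT.
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
 no auto-summary
!
! Inside HSRP tracks the tunnel's line protocol: if this router's DMVPN tunnel
! drops, its priority falls below router B's and B takes over the inside VIP.
track 1 interface Tunnel0 line-protocol
!
interface FastEthernet0/1
 description Inside
 ip address 192.168.10.2 255.255.255.0
 standby 2 ip 192.168.10.1
 standby 2 priority 110
 standby 2 preempt
 standby 2 track 1 decrement 20
```

Here both spoke routers register with the hub at the same time (`show ip nhrp` on the hub lists two spokes from this site), `show track` shows the tunnel state each inside HSRP group depends on, and shutting Tunnel0 on the active router should move the inside VIP to the peer in `show standby brief` while the hub keeps reaching the site through the other spoke's tunnel.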