DMVPN interesting traffic

Unanswered Question
Nov 12th, 2008

Hi,

I have a DMVPN + OSPF set up. There is some self-encrypted traffic like HTTPS and SSH, which I want to send into the GRE tunnel without encryption, since it is already encrypted.

Is there any way I can implement this? For instance, send all traffic into the tunnel, but only encrypt some types of traffic?

Thx.

Paulo Roque


Sorry, once you place the "tunnel protect" command on the tunnel, traffic using the tunnel is encrypted.

You can use policy routing to avoid routing the already-encrypted traffic through the tunnel... but why would you want to do that?

From a management and configuration standpoint it's fine to have everything go through the tunnel. On a router with a hardware crypto engine it's really not much overhead... if anything, policy routing would add more overhead than adding IPsec to already-encrypted traffic.

-Joe

pauloroque Thu, 11/13/2008 - 09:45

Thank you Joe,

Policy routing is not an option, because of its static nature.

The performance is the main point here, because this spoke router is an old 2620XM with no hardware encryption and it hits 80% of CPU utilization at 1Mbps of traffic and sometimes I need more traffic.

Thank you.

Paulo Roque

Actually,

that's not true;

You should upgrade the router to 12.4 so you can use dynamic policy routing. Policy routing can now be configured to use track objects and availability checks of the next hop. In your case I would policy route all SSH/HTTPS encrypted data around the tunnel (not much overhead here) and fall back to another path if necessary. Evaluate the following configuration and let me know if you have any questions:

  route-map vlan10-policy permit 10
   match ip address MPLS-USERS-TO-VERIZON
   set ip next-hop verify-availability 10.0.1.22 10 track 2
  !
  track 2 ip route 141.155.66.185 255.255.255.255 reachability

Here, I'm tracking that Verizon is sending me a route on R2, and this route is sent on to R1, where the policy route is configured.

In your case I would run an IP SLA ping and track that. If that succeeds, don't take the DMVPN; if it fails, take the DMVPN, or vice versa depending on your overall goal.

-Joe
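A fuller spoke-side version of the approach Joe outlines, added here as an example and not configuration posted by anyone in the thread. It assumes IOS 12.4 with IP SLA and track support, a LAN interface FastEthernet0/0, a second WAN interface FastEthernet0/1 whose next hop (placeholder address 192.0.2.1) can reach the hub-side networks 10.1.0.0/16 without the tunnel, and that only SSH and HTTPS are to be diverted.

```cisco
! Added example; all interfaces, addresses and names below are assumptions.
!
! 1. Match only the flows that already carry their own encryption.
ip access-list extended ENCRYPTED-APPS
 permit tcp any 10.1.0.0 0.0.255.255 eq 22
 permit tcp any 10.1.0.0 0.0.255.255 eq 443
!
! 2. Probe the alternate next hop so the detour is only used while it answers.
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! 3. Policy route the matched flows around the tunnel. If track 1 is down the
!    set clause is not applied and the packet follows the normal (DMVPN) route.
route-map AROUND-TUNNEL permit 10
 match ip address ENCRYPTED-APPS
 set ip next-hop verify-availability 192.0.2.1 10 track 1
!
! 4. Apply the policy on the interface that receives the LAN traffic.
interface FastEthernet0/0
 ip policy route-map AROUND-TUNNEL
```

Diverted flows leave the IPsec protection of the tunnel and rely only on their own TLS/SSH, and with the policy on the spoke alone the hub still returns traffic through the tunnel, the asymmetry Paulo raises below. Check the state with "show track 1" and "show ip sla statistics 1" before trusting the detour.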

pauloroque Mon, 11/17/2008 - 10:05

Hi Joe.

Thank you again.

My concerns about PBR are on the hub routers. If I use PBR only in the spoke router, I would have asymmetric routing on the hub sites, because they would send returning traffic through the tunnel.

On the other side, configuring PBR on the hub sites would be very complex and not scalable. There are 2 hub routers and they are in 2 different sites, and these sites themselves are connected through 2 other routers and 3 links.

Anyway, I didn't know about dynamic PBR. I think it will be useful for a couple of problems I have here.

Thank you!

Paulo Roque
