cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
289
Views
0
Helpful
3
Replies

IPSEC-GRE ; DESIGN Help

saquib.tandel
Level 1
Level 1

Hi

HeadQ is connected 9 Branch office with GRE over IPSEC running EIGRP on WAN and OSPF on LAN.

HeadQ=Hub is single point of failure with One Service Provider and Single piece of hardware. We are moving slowly, planned to get another Internet connection from another Service Provider.

Terminating Two Service provider as sub interface at HUB, is this best practice from cisco. Would this impact two tunnels from Hub facing same spoke with different service provider.

Need to make it simple, workable, redundant.

3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

Saquib

What you describe as the current situation certainly has a significant single point of failure. Getting a second Internet connection would help with this (and a second provider might be an improvement).

You could certainly do 2 GRE tunnels but I do not believe that you can have 2 IPSec sessions between the same 2 hosts. My understanding of Best Practice in this situation would be to have 2 hubs, with each hub having its own Internet connection, and with each hub having a GRE tunnel with IPSec to a branch.

Your description of EIGRP on the WAN is clear and makes sense. Your description of OSPF on the LAN is a bit ambiguous: do you mean on the Branch LAN or the HQ LAN? And I am not sure that mixing routing protocols like that necessarily is a Best Practice. Is there a reason that you do not run a single routing protocol?

I have implemented the design of dual hubs with each hub having its own Internet connection, each hub having a GRE tunnel with IPSec to each branch. It is reasonable simple, it is workable, and it is redundant.

We run EIGRP as the single routing protocol for both WAN and LAN. And we have found that configuring the branch offices as EIGRP stub is helpful.

HTH

Rick

HTH

Rick

Rick Million thanks

When I say 2 IPSEC session between the same host, i was referring each ipsec gre tunnel with different service provider pointing to spoke. Does this makes sense.

I have one Router at Hub and Two Service Provider for internet with unequal Bandwidth.(one link now for testing only )

Time I joined the company they had OSPF in place. Since Bandwidth would be unequal for Two service provider I had selected EIGRP.

Can you explain more about your implementation of Dual Hubs, was it dmvpn. More details would help me greatly

Saquib

I think that I understood correctly that you were referring to 2 tunnels from the hub to each spoke. It sort of makes sense and I believe that the GRE part of it could work. But I believe that IPSec will only negotiate a single session from the hub to a spoke.

When you talk about two service providers and links with unequal bandwidth are these connections from the hub to the Internet or are these connections through the service provider some kind of private link (like Frame Relay or perhaps MPLS)?

The implementation that I talked about was not DMVPN. This implementation had two hubs, each hub had its own connection to the Internet (through separate providers). Each hub had a GRE tunnel to each spoke with IPSec over the GRE. Each spoke had 2 tunnels - one to each hub. We ran EIGRP through the GRE/IPSec tunnels.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: