SPA VPN DMVPN with multiple wan ethernet links

Unanswered Question
Sep 6th, 2010

I have 2 1gb wan ethernet pipes coming into our new building. Our ISP has brought both connections in on the same vlan on their end (non internet). I basically need this setup so I get the best performance out of the 2 1gb connections. The provider said they won't port channel to me. So if I use the below configuration, how will it treat the 2 switchport wan connections? Will spanning tree block one port and forward out the other? I am trying to figure out how to load-balance the 2 wan connections through a DMVPN SPA VPN (this site would be the hub of a DMVPN environment). The 2 Gigabit interfaces would be my wan connections (G1/2, G1/1). Will a bridge group work with the spa vpn adapter? I know they have a lot of limitations.

Any suggestions?

vlan 101
 name Centurylink_connection_layer2
 exit
!
interface GigabitEthernet1/2
 description **centurylink link 1 1gb**
 ! switch outside port
 switchport
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet1/1
 description **centurylink link 2 1gb**
 ! switch outside port
 switchport
 switchport access vlan 101
 switchport mode access
!
interface Vlan100
 description **Wan Ethernet IP interface Layer 3**
 ! interface VLAN
 ip address 172.19.247.130 255.255.255.128
 crypto engine slot 2/0
!
interface Vlan101
 description **Connects multiple switch ports to spa vpn adapter to 1 ip address**
 ! port VLAN
 no ip address
 crypto connect vlan 100
!
interface Tunnel2
 description ***mGRE DMVPN Enhanced Ethernet Interface ***
 ip address 172.19.254.129 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip nhrp authentication xxxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 40000
 no ip split-horizon eigrp 9
 ip tcp adjust-mss 1300
 delay 8
 tunnel source Vlan100
 tunnel mode gre multipoint
 tunnel protection ipsec profile gre3
 crypto engine slot 2/0
!

Marcin Latosiewicz Tue, 09/14/2010 - 06:34

First of all please advise what mode you're running your VPN SPA in and which software release.

If you cannot run BGP to advertise one prefix into both links, I would rather rely on load-balancing on the routing protocol level.

As a general note, VRF or CCA are more efficient since not ALL traffic is passing via the SPA.

edit: corrected unfortunate phrasing.

khambright Tue, 09/14/2010 - 08:17

We have to encrypt every packet on our network (dang FBI mandates). I really would like to bundle or channel the two links (layer 2 solution) and use a vlan interface for the IP, and to maximize the 2 connections, not just a failover connection. Software code is 12.2.33SXI3.

Marcin Latosiewicz Tue, 09/14/2010 - 09:01

Well, the wisest answer I have is "it depends".

It depends on what's on the other side of the links and what they are willing to do.

If they are not willing to do a port-channel on their side ... only L3 solutions come to mind.

Can you maybe sketch a diagram?

Marcin
