SPA VPN DMVPN with multiple WAN Ethernet links

Sep 6th, 2010
I have two 1 Gb WAN Ethernet pipes coming into our new building. Our ISP has brought both connections in on the same VLAN on their end (non-Internet). I basically need this set up so I get the best performance out of the two 1 Gb connections. The provider said they won't port-channel to me. So if I use the configuration below, how will it treat the two switchport WAN connections? Will spanning tree block one port and forward out the other? I am trying to figure out how to load-balance the two WAN connections through a DMVPN SPA VPN (this site would be the hub of a DMVPN environment). The two Gigabit interfaces would be my WAN connections (G1/2, G1/1). Will a bridge group work with the SPA VPN adapter? I know they have a lot of limitations.

Any suggestions???

vlan 101
 name Centurylink_connection_layer2
!
! Outside (WAN-facing) switch ports: both are access ports in port VLAN 101.
interface GigabitEthernet1/2
 description **centurylink link 1 1gb**
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet1/1
 description **centurylink link 2 1gb**
 switchport access vlan 101
 switchport mode access
!
! Interface VLAN (Layer 3): carries the WAN IP address and is the tunnel source.
! (The address itself was left out of the post.)
interface Vlan100
 description **Wan Ethernet IP interface Layer 3**
 ip address
 crypto engine slot 2/0
!
! Port VLAN: ties the switch ports in VLAN 101 to interface VLAN 100 on the VPN SPA.
interface Vlan101
 description **Connects multiple switch ports to spa vpn adapter to 1 ip address**
 no ip address
 crypto connect vlan 100
!
! mGRE DMVPN hub tunnel, sourced from the interface VLAN and protected by the SPA.
interface Tunnel2
 description ***mGRE DMVPN Enhanced Ethernet Interface***
 ip address
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip nhrp authentication xxxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 40000
 no ip split-horizon eigrp 9
 ip tcp adjust-mss 1300
 delay 8
 tunnel source Vlan100
 tunnel mode gre multipoint
 tunnel protection ipsec profile gre3
 crypto engine slot 2/0

Marcin Latosiewicz (Cisco Employee) Tue, 09/14/2010 - 06:34

First of all please advise what mode you're running your VPN SPA in and which software release.

If you cannot run BGP to advertise one prefix into both links, I would rather rely on load-balancing at the routing protocol level.

As a general note, VRF or CCA are more efficient since not ALL traffic is passing via the SPA.

edit: corrected unfortunate phrasing.

khambright Tue, 09/14/2010 - 08:17

We have to encrypt every packet on our network (dang FBI mandates). I really would like to bundle or channel the two links (Layer 2 solution) and use a VLAN interface for the IP, to maximize the two connections, not just a failover connection. Software code is 12.2(33)SXI3.

Marcin Latosiewicz (Cisco Employee) Tue, 09/14/2010 - 09:01

Well, the wisest answer I have is "it depends".

It depends on what's on the other side of the links and what they are willing to do.

If they are not willing to do a port channel on their side ... only L3 solutions come to mind.

Can you maybe sketch a diagram?
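The Layer 3 alternative Marcin points at, written out as an added configuration example (this is not from the original post, the thread, or Cisco documentation). Instead of one bridged port VLAN holding both CenturyLink ports, which leaves spanning tree to block one of them, each physical port gets its own port VLAN / interface VLAN pair on the VPN SPA in crypto-connect mode, and the hub runs one mGRE tunnel per WAN interface. EIGRP then has two equal-cost paths to every spoke and load-shares across them. VLAN 102, Vlan200, Tunnel1, the 203.0.113.x and 10.0.x.x addresses, the 192.168.0.0/16 inside range, the second NHRP network-id and the whole spoke fragment are assumptions for illustration; EIGRP AS 9, the NHRP authentication string and the IPsec profile name gre3 are taken from the posted config.

```ios
! Added example, not the poster's configuration. Assumed: addresses,
! VLAN 102, Vlan200, Tunnel1, the inside range and the spoke side.
!
! One port VLAN per physical WAN port. The ports are in different
! VLANs, so there is no Layer 2 loop for spanning tree to block.
vlan 101
 name CenturyLink_link1_portvlan
vlan 102
 name CenturyLink_link2_portvlan
!
interface GigabitEthernet1/1
 description CenturyLink link 1 (1 Gb)
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet1/2
 description CenturyLink link 2 (1 Gb)
 switchport access vlan 102
 switchport mode access
!
! One routed interface VLAN per link, each its own tunnel source.
interface Vlan100
 description WAN link 1 Layer 3 (address assumed)
 ip address 203.0.113.1 255.255.255.252
 crypto engine slot 2/0
!
interface Vlan200
 description WAN link 2 Layer 3 (address assumed)
 ip address 203.0.113.5 255.255.255.252
 crypto engine slot 2/0
!
! Port VLAN to interface VLAN binding on the SPA, one pair per link.
interface Vlan101
 no ip address
 crypto connect vlan 100
!
interface Vlan102
 no ip address
 crypto connect vlan 200
!
! Two mGRE hub tunnels with different sources, so no tunnel key is
! needed. Keep bandwidth/delay identical on both so EIGRP metrics match.
interface Tunnel1
 description DMVPN hub over link 1
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication xxxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 40000
 no ip split-horizon eigrp 9
 tunnel source Vlan100
 tunnel mode gre multipoint
 tunnel protection ipsec profile gre3
 crypto engine slot 2/0
!
interface Tunnel2
 description DMVPN hub over link 2
 ip address 10.0.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication xxxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 40002
 no ip split-horizon eigrp 9
 tunnel source Vlan200
 tunnel mode gre multipoint
 tunnel protection ipsec profile gre3
 crypto engine slot 2/0
!
! EIGRP over both tunnels: with equal metrics the RIB installs both
! next hops and CEF shares flows across them.
router eigrp 9
 network 10.0.1.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
 network 192.168.0.0 0.0.255.255
 maximum-paths 4
 no auto-summary
!
! Spoke side (assumed): one tunnel per hub address so the spoke also
! learns two equal-cost paths back to the hub.
interface Tunnel1
 ip address 10.0.1.11 255.255.255.0
 ip nhrp authentication xxxxx
 ip nhrp network-id 40000
 ip nhrp nhs 10.0.1.1
 ip nhrp map 10.0.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile gre3 shared
```

Two checks worth doing after applying this: `show ip route eigrp` on the hub should list both tunnel next hops for each spoke prefix, and `show ip cef exact-route` confirms which tunnel a given source/destination pair takes. Load sharing is per flow, not per packet, so a single large flow still tops out at one 1 Gb link; the aggregate across many flows is what improves. The spoke's Tunnel2 would mirror Tunnel1 with the second hub address and network-id 40002; because both spoke tunnels share one physical source, they need distinct `tunnel key` values and the `shared` keyword on the IPsec profile, which the hub tunnels do not need since their sources differ.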