Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DMVPN/GETVPN Dual Spoke Router Design

All:

I am trying to lay out a new VPN design - single DMVPN cloud, dual hub routers at primary site, single hub router at backup site, and dual spoke routers at the branch/remotes.

This is all via internet transport, with GETVPN overlay to encrypt.

Has anyone had any experience laying out DMVPN designs with dual spoke routers, and how did you go about it? HSRP @ outside or inside interface, routing protocol determination only, etc..

Thanks in advance!

1 ACCEPTED SOLUTION

Accepted Solutions

Re: DMVPN/GETVPN Dual Spoke Router Design

Hi Steve,

Using BGP will complicate the things a little bit.

That's because you need to advertise the HSRP IP (used as GRE source) on both your ISPs. So you need to own that IP.

If that is not possible, you can use the Dual Hub - Dual DMVPN Layout (part of the DMVPN link i attached previous).

This will require one GRE per router, and the routing to be done using the routing protocol.

HSRP can still be used on inside interface, tracking the GRE tunnel status.

Traffic doesnit need to be NATed as it will go via the GRE tunnels.

Please rate if this helped.

Regards,

Daniel

5 REPLIES

Re: DMVPN/GETVPN Dual Spoke Router Design

Hi,

A very good guide for DMVPN and dual hub:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

Please rate if this helped.

Regards,

Daniel

New Member

Re: DMVPN/GETVPN Dual Spoke Router Design

Thanks Daniel!

I think I have a handle on the primary site Hub Configurations now - my remaining issues would be:

1) Backup Site 3rd Hub VPN Peer (Not critical in initial design.

2) Dual Spoke Routers (Critical - While still remote offices, we need to build highly available deployments).

3) Hub routers in DMZ behind ASA for design @ HQ - Allow only known peers to initiate sessions. I think this is moot, but want to see if anyone else is doing it. Mainly because my DMVPN routers won't be my Internet routers.

Re: DMVPN/GETVPN Dual Spoke Router Design

Hi,

1. TBD

2. This is fairly simple to implement.

Check the document:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

Basically, you will apply the crypto map to the external interface. Have both internal and external interfaces in HSRP groups.

Have GRE source inerface to use the HSRP IP.

On the External Interface add the commend:

Crypto map redundancy

The idea is so simple but genius:

If you use for GRE source the HSRP IP, only the primary router can use it, therefore only the primary router will have the GRE up.

You will configure the secondary with the same GRE settings (including the IP address). Only the primary router has the right to use the HSRP IP and build the tunnel.

What is the benefit? Only one tunnel for both routers. Half the number of tunnels normally needed.

You can use HSRP or SSO (for stateful failover)

3. That is fine provided that all your spokes have fixed IPs.

Please rate if this helped.

Regards,

Daniel

New Member

Re: DMVPN/GETVPN Dual Spoke Router Design

Thanks!

Last bit - I will be using 2811's with AIM + 4pt HWIC Switches most likely (For a full L2 mesh back to dual core switcehs, etc), so the HSRP interfaces will be VLAN's. Therefore, the crypto map will be applied to a serial (or eth) interface depending on provider handoff. No issues there, i think?

I will be building 3 VLAN's on those 2811's (Outside, Inside, and DMZ) and running ZPF. Each of these VLAN's will be tracking the Serial/Ethernet provider facing interface, correct?

NAT will bring the inside conversions into the outside VLAN, where they will then take the correct provider route out (BGP learned).

That seem right to you? Sorry for the stream of consciousness, just typing it out as I go along!

-Steve

Re: DMVPN/GETVPN Dual Spoke Router Design

Hi Steve,

Using BGP will complicate the things a little bit.

That's because you need to advertise the HSRP IP (used as GRE source) on both your ISPs. So you need to own that IP.

If that is not possible, you can use the Dual Hub - Dual DMVPN Layout (part of the DMVPN link i attached previous).

This will require one GRE per router, and the routing to be done using the routing protocol.

HSRP can still be used on inside interface, tracking the GRE tunnel status.

Traffic doesnit need to be NATed as it will go via the GRE tunnels.

Please rate if this helped.

Regards,

Daniel

637
Views
7
Helpful
5
Replies