Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SPA VPN DMVPN with multiple wan ethernet links

I have 2 1gb wan ethernet pipes coming into our new building.  Our ISP has brought both connections in on the same (vlan) on their end (non internet).  I basically need this setup so I get the best performance out of the 2 1gb connections.  The provider said they won't port channel to me.  So if I use the below configuration how will it treat the 2 switchport wan connections.  Will spanning tree block one port and forward out the other.  I am trying to figure out how to load-balance the 2 wan connections through a DMVPN SPA VPN (This site would be the hub of a DMVPN environment).  The 2 Gigabit interfaces would be my wan connections. (G1/2, G1/1).   Will a bridge group work with the spa vpn adapter.  I know they have alot of limitations.

Any suggestions???

vlan 101
name Centurylink_connection_layer2
exit

interface GigabitEthernet1/2
desc **centurylink link 1 1gb**
! switch outside port
switchport
switchport access vlan 101
switchport mode access
!
interface GigabitEthernet1/1
desc **centurylink link 2 1gb**
! switch outside port
switchport
switchport access vlan 101
switchport mode access
!

interface Vlan100
desc **Wan Ethernet IP interface Layer 3***
! interface VLAN
ip address 172.19.247.130 255.255.255.128
crypto engine slot 2/0

!
interface Vlan101
desc **Connects multiple switch ports to spa vpn adapter to 1 ip address**
! port VLAN
no ip address
crypto connect vlan 100

interface Tunnel2
description ***mGRE DMVPN Enhanced Ethernet Interface ***
ip address 172.19.254.129 255.255.255.128
no ip redirects
ip mtu 1400
ip flow ingress
ip nhrp authentication xxxxx

ip nhrp map multicast dynamic
ip nhrp network-id 40000
no ip split-horizon eigrp 9

ip tcp adjust-mss 1300
delay 8
tunnel source Vlan100
tunnel mode gre multipoint
tunnel protection ipsec profile gre3
crypto engine slot 2/0
!

  • VPN
Everyone's tags (4)
4 REPLIES
New Member

Re: SPA VPN DMVPN with multiple wan ethernet links

No one has any comments or ideas on this ?

Cisco Employee

Re: SPA VPN DMVPN with multiple wan ethernet links

First of all please advise what mode you're running your VPN SPA in and which software release.

If you cannot run BGP to advertise one prefix into both links I would rather rely on load-banacing on routing protocol level.

As a general note VRF or CCA are more efficient since not ALL traffic is passing via SPA.

edit: corrected unfortunate phrasing.

New Member

Re: SPA VPN DMVPN with multiple wan ethernet links

We have to encrypt every packet on our network.  (dang FBI mandates).  I really would like to bundle or channel the to links (layer 2 solution) and use a vlan interface for the IP, and to maximize the 2 connections.  Not just a failover connection.  Software code is 12.2.33SXI3.

Cisco Employee

Re: SPA VPN DMVPN with multiple wan ethernet links

Well, the wisest answer I have is "it depends".

It depends on what's on the other side of the links and what they are willing to do.

If they are not willing to do portchannel on their side ... only L3 solutions some to mind.

Can you maybe scetch a diagram?

Marcin

675
Views
0
Helpful
4
Replies