
AWS DMVPN expansion

Richard Tapp
Level 1

We currently have a DMVPN network running from a hub which is a physical DC. This DC is planned to shut down this summer.

We have a C1000v running in AWS as a spoke and most of our servers are now on the VPC behind this single router. All our servers are on a single VPC.

We are just about to test what happens when we move a single site over to use the C1000v as the hub: basically, remove the tunnel lines that point it to the DC and re-point them to the AWS router.

I have a couple of questions.

1. Can you have a C1000v running as the DMVPN hub in AWS? I can't find any direct examples on the web.

2. Can you have two C1000vs running DMVPN with their interfaces in the same VPC? I believe the main issue with this is routing and how to direct/redirect traffic between the VPC-side interfaces on the routers in the event of a failure. Currently we have an L3 switch in the same EIGRP network, so that is not an issue. But as we have also found when wanting to install ASAvs into AWS, you can't have active/standby.


Richard Tapp
Level 1

OK, we have been doing some testing. First observation is that when the AWS router is a spoke, it is the internal DHCP Gig 1 address that shows up in 'show dmvpn' on the test router for AWS, not the public elastic one.

If we set the test spoke router so that it connects straight to the AWS router, 'show dmvpn' on the test router shows the connection to the public elastic IP as IKE, and if we packet capture on Gig 1 on the AWS router, we are not seeing any traffic from the test router's public IP.

The AWS router allows udp/500 & 4500 inbound.

It's like the elastic IP and Gig 1 (DHCP internal IP) are not connecting up when the inbound packet is destined for the elastic IP.
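The two symptoms in the reply above, a peer whose NBMA address is the private Gig 1 address rather than the elastic IP, and a peer stuck in IKE state, are both visible in the 'show dmvpn' peer table and can be checked mechanically across many spokes. An AWS elastic IP is a 1:1 NAT to the instance's private ENI address, so the router itself never holds the elastic IP on Gig 1; a peer that registers an RFC 1918 NBMA address is therefore advertising its pre-NAT address. The following is an added example and not code from the original post or from Cisco: a Python checker run over a constructed sample of 'show dmvpn' output. The column layout and the state/attribute values are assumed from IOS 'show dmvpn' formatting, and the addresses are documentation and RFC 1918 ranges, not the thread's real ones.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of IOS 'show dmvpn' output as seen on a test spoke.
# Layout assumed from the IOS peer table; addresses are RFC 5737 / RFC 1918
# examples, not taken from the thread.
SAMPLE_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    203.0.113.10       10.10.0.1   IKE 00:02:11     S
     1      10.50.1.23       10.10.0.2    UP 00:41:09     D
"""

# One peer row: entry count, NBMA address, tunnel address, state, up/down time, attributes.
PEER_LINE = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>\d+\.\d+\.\d+\.\d+)\s+(?P<tunnel>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s*$"
)

# RFC 1918 space, which is what a VPC ENI address (the DHCP Gig 1 address) lives in.
# Deliberately not ipaddress.is_private, which also matches documentation ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_show_dmvpn(text: str) -> List[Dict[str, str]]:
    """Return one dict per peer row of the NHRP peer table, ignoring legend/header lines."""
    peers = []
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if m:
            peers.append(m.groupdict())
    return peers


def audit_peers(peers: List[Dict[str, str]]) -> List[str]:
    """Flag the two symptoms from the thread for each peer.

    - state other than UP (e.g. IKE): the IPsec session never completed, so
      the hub may not be receiving the spoke's UDP/500 and UDP/4500 packets.
    - RFC 1918 NBMA address: the peer sits behind NAT (on AWS, behind an elastic
      IP) and registered its pre-NAT interface address as its NBMA address.
    The 'N' attribute means IOS itself has already detected the NAT.
    """
    findings = []
    for p in peers:
        where = f"{p['nbma']} -> tunnel {p['tunnel']}"
        if p["state"] != "UP":
            findings.append(f"{where}: stuck in state {p['state']}, IKE/IPsec not completing")
        if is_rfc1918(p["nbma"]):
            nat_note = "IOS flagged it NATed" if "N" in p["attrb"] else "no N attribute set"
            findings.append(f"{where}: NBMA address is RFC 1918, pre-NAT address registered ({nat_note})")
    return findings


if __name__ == "__main__":
    for finding in audit_peers(parse_show_dmvpn(SAMPLE_SHOW_DMVPN)):
        print(finding)
```

Feed it the real 'show dmvpn' output from the test spoke and from the AWS router; a hub-side peer table where the AWS router's own entries carry the private Gig 1 address, or a spoke-side entry for the elastic IP that never leaves IKE, is exactly the pair of observations in the reply, and the check separates the two so they can be chased independently (security group and NACL for the IKE one, NHRP NBMA registration for the private-address one).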