
Multiple Site VPN with EIGRP

I am curious about the best way to approach configuring 4 sites, each connected to 2 fully meshed WAN networks (each net delivered as Ethernet to the site's gateway router), with all site-to-site traffic being sent over a VPN/IPsec tunnel and EIGRP routing determining best path/failover.

I am trying to avoid creating 6 point-to-point tunnels on each site's router (site A net 1 = A1<>B1, A1<>C1, A1<>D1 / site A net 2 = A2<>B2, A2<>C2, A2<>D2). Without encryption, the setup is easy because each Ethernet interface is a "private LAN", so establish EIGRP routing, set up neighbors, and you are good to go. Is there a way to add encryption without having to hardcode each VPN tunnel and use EIGRP for best path?

Georg Pauwen
VIP Alumni

Hello,

Typically, and in order to avoid having to build multiple static tunnels, DMVPN would be the solution; not sure if you have looked into this already?

Thank you for your response!

I had looked at that initially, but doesn't that still require a "hub / spoke" type connection? In other words, I have 4 sites and in DMVPN, I would have to configure a "hub" site, correct? Let's call that site A. Behind the scenes, it is my understanding that if Site B wants to communicate with Site C, it actually does so via Site A (a transparent type bridge). In other words, if the hub goes down, none of the spokes can communicate with each other. So in this case, if Site A were to fail (or lose connection to the WAN network), Site B would not be able to communicate with Site C. Do you know if this is correct when using DMVPN?

You are exactly right. DMVPN is a hub/spoke setup. You could configure dual hubs though. The only other way I see (and one that doesn't require multiple tunnels on all routers) is an ISP provided MPLS solution.

I was looking at DMVPN a bit closer and I see a reference to a Phase 1, Phase 2, and Phase 3. The impression I am getting is that a "Phase 2" and "Phase 3" solution addresses this "Hub/Spoke" failure issue, though I can't seem to find information confirming this.

Here is a site I was looking at about the Phases. I am assuming this is really "versions of DMVPN" and not actual phases of DMVPN link creation on the routers.

https://learningnetwork.cisco.com/blogs/vip-perspectives/2017/02/15/dmvpn-the-phases-in-depth