Solved: what if I chose not to use

doug_3002 · ‎11-18-2014

I currently have a router that has 2 circuits (Circuit 1 and Circuit 2) from 1 provider. Circuit 1 is set up for a DMVPN Hub and Circuit 2 is set up for internet traffic.

I have been asked to add 1 additional circuit (Circuit 3) from a different provider and loadbalance DMVPN over Circuit 1 and Circuit 3....is this possible?

I obviously cant use multiple tunnel source ip under the tunnel but can i use 2 tunnel interface which would then give me 2 DMVPN hubs on a single router?

What are the issues that I have to watch out for...Asymetric routing maybe?

Any advice? Link to how to do articles? anything that can help me accomplish this.

Thank you,

NAGISWAREN2 · ‎11-18-2014

Hi,

Both Tunnel should run Eigrp in Global Routing table in HUB. Tunnel VRF used to specify which routing table to look for Tunnel Source and Tunnel Destination. It does not put Tunnel Interface itself into VRF. The only routing in VRF is static default route

ip route vrf Circuit1 0.0.0.0 0.0.0.0 "WAN 1 next hop IP"

ip route vrf Circuit3 0.0.0.0 0.0.0.0 "WAN 3 next hop IP"

Then You cloud configure Un-Equal cost load balancing using Eigrp once neighbour relationship formed.

Pls rate useful post

Regards, Nagis

View solution in original post

NAGISWAREN2 · ‎11-18-2014

There are many things need to be considered.

1) 1st & 3rd circuit will be used for internet browsing ? If not, then it would more easier to achieve your goal.

You would need to put 1st Circuit & 3rd Circuit in different VRF

1) ip vrf Circuit1

2) ip vrf Circuit3

Put both circuit in respective VRF

Interface fastethernet0/0

description *** Circuit 1***

ip vrf forwarding Circuit1

ip add a.a.a.a y.y.y.y

Interface fastethernet0/1

description *** Circuit 3***

ip vrf forwarding Circuit3

ip add b.b.b.b y.y.y.y

You should have default route for both VRF. To confirm if VRF configured properly, make sure you able reach your Circuit 1 & 3 WAN IP from Internet.

Then you would need too have two DMVPN Tunnel

First Tunnel uses Tunnel Source Fa0/0 and need to specify Tunnel VRF. Tunnel VRF command tells the Router to look in specific vrf routing for Source IP and Destination IP(Spoke IP). The method apply for second DMVPN tunnel.

Int Tunnel0

description *** DMVPN 1***

tunnel vrf Circuit1

tunnel source fa0/0

Int Tunnel1

description *** DMVPN 1***

tunnel vrf Circuit3

tunnel source fa0/1

Now that its better to protect the tunnel with IPSec Profile.

crypto keyring Circuit1-Keyring vrf Circuit1
pre-shared-key address 0.0.0.0 key Key@VPN
crypto keyring Circuit3-Keyring vrf Circuit3
pre-shared-key address 0.0.0.0 key Key@VPN

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set VTI esp-3des esp-md5-hmac
mode transport

crypto ipsec profile VTI-Profile
set transform-set VTI

Int Tun0

tunnel protection ipsec profile VTI-Profile

Int Tun1

tunnel protection ipsec profile VTI-Profile

Important Note : Make sure your DMVPN tunnel uses different NHRP network id

Int tun0

ip nhrp network-id 111

Int tun0

ip nhrp network-id 112

Regards, Nagis

doug_3002 · ‎11-18-2014

NAGISWAREN2,

Circuit 2 will be used for internet traffic at the man site but there is only one circuit at the 16 remote sites that will be used for everything.

Circurity 1 and 3 will be used for DMVPN and have port forwarding for VOIP phone to an Avaya GW.

The current setup has PBR being used, could this be used instead of VRF? Also if necessary that I use VRF, this has to also be used in all remote sites as well correct...being that they too will have DMVPN configs which are clients pointing to two different DMVPN server IP?

The DMVPN traffic also need perform loadbalancing and failover when necessary.

NAGISWAREN2 · ‎11-18-2014

Hi,

You need to use VRF in HUB site, otherwise only one DMVPN tunnel can pick-up at given time. because of default route. You can add two default route ( each via Circuit 1 & 3) , but Remember that, traffic always 2 ways, Spoke could point to Circuit 1 WAN IP , but might return via Circuit 3 which end up causing Tunnel cant pick up. VRF can solve this problem. On branch you dont need VRF, as only 1 circuit available for all purpose.

The above config just to bring up both DMVPN tunnel. We haven't talk about load balancing. PBR could be very troublesome, as you would need to apply it at both site (HUB and SPOKE) to make traffic path synchronous. Another viable solution is you could actually do NAT on SPOKE router. NAT user IP to Tunnel IP . As such, you would only need to specify PBR at SPOKE level and the return traffic will get on same path.

Regards, Nagis

doug_3002 · ‎11-18-2014

do you mean:

Int Tunnel0

description *** DMVPN 1***

tunnel vrf Circuit1

tunnel source fa0/0

Int Tunnel1

description *** DMVPN 2***

tunnel vrf Circuit3

tunnel source fa0/3

question:

based on your response, please confirm that my understanding of VRF-lite is correct. I am new to VRF!

On the Hub:

VRF 1 (Tunnel 0) points to WAN 1

NOVRF points to WAN 2

VRF 3 (Tunnel 1) points to WAN 3

There are 3 LAN interfaces.

LAN 1

LAN 2

LAN3

Routint table:

VRF 1 routing table: runs EIGRP with the Tunnel 0 subnet

used for DMVPN and VOIP Traffic

Global routing table: runs EIGRP with LAN1, LAN2, LAN3

used for Internet, SSL VPN, and Portforwarding to Servers.

VRF 3 routing table: runs EIGRP with the Tunnel 1 subnet

used for DMVPN and VOIP Traffic

On the Spokes,

Tunnel 0 and Tunnel 1 registers to their respective DMNPN Server or HUB but through a shard public interface.

EIGRP is used for load balancing

NOW, being that LAN1, LAN2 and LAN3 are only on the Global routing table at the HUB, how will the traffic from the remote site that traverses the DMVPN tunnel talk to LAN1, LAN2, and LAN3?

Would I have to use MP-BGP to communicate between the three route instances....and if so, is there s possibility for Asymmetric routing?

Thank you,

David

NAGISWAREN2 · ‎11-18-2014

Hi,

Both Tunnel should run Eigrp in Global Routing table in HUB. Tunnel VRF used to specify which routing table to look for Tunnel Source and Tunnel Destination. It does not put Tunnel Interface itself into VRF. The only routing in VRF is static default route

ip route vrf Circuit1 0.0.0.0 0.0.0.0 "WAN 1 next hop IP"

ip route vrf Circuit3 0.0.0.0 0.0.0.0 "WAN 3 next hop IP"

Then You cloud configure Un-Equal cost load balancing using Eigrp once neighbour relationship formed.

Pls rate useful post

Regards, Nagis

doug_3002 · ‎11-19-2014

Light bulb! I cant take credit for this...it was all you. Its brilliant!

Thank you,

doug_3002 · ‎12-22-2014

what if I chose not to use VRFs?...could i use a static route on the hub to each site instead of the default route? All current sites and all future sites will have a static IP so I wont really need to have more than one default route on the hub. using the VRF broke email for me because i couldnt communicate between one of the public WAN IP's and my local subnet. I know I could do inter VRF routing but I am not to familiar with that.

1 Router, 2 Providers, DMVPN loadbalancing