07-01-2019 07:05 PM
Hello all,
I'm looking to tap in to the experience of the community here at a design level. We currently have 20+ remote sites connected via DMVPN over the internet through a handful of different ISPs. All sites are given a static IP from their respective ISP. We currently allow internet traffic local to each individual site to egress through the local ISP after being filtered by a local appliance that we own.
We are making a big shift in our design plans and desire to backhaul all internet traffic from remote spokes to our data center to be filtered through one large centralized appliance.
I am curious as to the WAN design options I have and what you all think would be optimal.
Here are some specifics that may help you in your recommendations:
Thank you,
John
07-02-2019 04:35 PM - edited 07-02-2019 04:37 PM
Hi @johnwoods,
So, you would like to "backhaul all internet traffic from remote spokes to our data center to be filtered through one large centralized appliance."
I understand that you want to send all the Internet traffic from the remote locations over the DMVPN tunnel to your DMVPN Hub, where it will be routed to some sort of IPS/Firewall appliance and then routed to the Internet. Is this correct?
I am a bit confused since additionally you mention "5. We do not need/want to include internet traffic in the IPSec encrypted DMVPN tunnel(s), as it seems to result in major performance/speed degradation"
Perhaps I can share my point of view but I got a bit confused with the statements above.
Cheers.
07-02-2019 08:06 PM
No, we do not want to send the internet traffic over the tunnel(s) as it seems to negatively impact performance/speed substantially. The central web filter appliance is simply that. A web filter appliance. It is not an IPS/firewall appliance. I am just interested in how others are backhauling remote site web traffic through a centralized appliance without including it (unnecessarily) in the encrypted private traffic being routed over the DMVPN IPSec tunnel(s).
We cannot be the only company looking to do this. I'm interested in how others are already doing this. I am envisioning routing only internet traffic from spokes to another WAN IP at our data center (not the IP NATting into our DMVPN hub) so it can be forced through our centralized web filter. The specific configuration recommendations I'm looking for would include route maps, VRFs, etc. or any other "best practice" way to do this.
Thank you,
John
07-02-2019 09:03 PM - edited 07-03-2019 05:11 AM
You need to route the remote site's traffic to the Data Center first. Once there, it will pass through your central web filter, be NATted and finally be forwarded to the Internet. The response from the Internet will follow the same process in the reverse direction.
If not over the DMVPN Tunnel, what other option is there in place in your network to route the remote site's traffic to the Data Center? Does the remote site also have an MPLS circuit, private line or any other appliance with a Tunnel so you can route the traffic to the Data Center first?
Cheers.
07-02-2019 11:54 PM - edited 07-03-2019 12:02 AM
Hello John,
If all your remote sites have only the internet connection over which the DMVPN is working and no MPLS circuits anymore, you will still need some form of tunneling to be able to send the traffic destined to the internet to the central site's second public IP address.
To avoid encryption you can use a second DMVPN cloud that does not use an IPsec protection profile, but your traffic will have only GRE encapsulation and will be visible to third parties.
You will get links with an IP MTU of 1476 and an MSS of 1436 bytes.
Another aspect to look at is the licensing level you have on the current DMVPN HUB router.
You may need an HSEC license on that ISR 4331 to be able to support a higher IPsec-encrypted throughput.
However, using a second DMVPN without IPSec protection will remove encryption issues.
If needed, you can use a VRF in this second DMVPN on the central site, or you can use PBR route-maps to manage the return traffic from the internet to the remote sites' public IP addresses in order to send this traffic over the second DMVPN.
For licensing aspects you can post the output of show license all on the HUB router.
b) MTU issues: if you have the highest level of licensing on your HUB router, the low performance may be caused by fragmentation, as I have explained in the other thread you have opened.
I wonder if the web appliance can have two different "inside" interfaces, one for the central site users and one for the remote site users, that can have a reduced IP MTU and TCP MSS.
Another option that may be expensive is to have an increased MTU on all remote site internet links to account for all the overhead.
I don't know if ISPs allow for this on internet connections.
For sure, if they allow you to use an MTU of 1600 bytes, you will need to pay for this.
You also have a mix of different ISPs, so this path may be not available in all of them despite increased costs.
Hope to help
Giuseppe
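John asked (07-02-2019 08:06 PM) for route-map and VRF specifics, and Giuseppe's reply above outlines the building blocks: a second DMVPN cloud without an IPsec protection profile terminating on the second data-center public IP, the 1476/1436 MTU and MSS values that follow from GRE-with-key overhead, a VRF on the hub for the backhauled traffic, and policy routing to steer only internet-bound traffic into it. The IOS configuration below is an added illustration of that outline; it is not configuration from this thread or from Cisco documentation. Every interface name, IP address (documentation ranges), VRF name, tunnel key and NHRP string is an assumption, it shows a single spoke, and the existing IPsec DMVPN (assumed to be Tunnel0) is left untouched.

```cisco
! ===== HUB (data center): second GRE-only DMVPN cloud in its own VRF =====
! Assumptions (not from the thread): second DC WAN IP 203.0.113.20 on Gi0/0/1,
! cloud-2 tunnel subnet 10.2.0.0/24, web filter "inside" interface for remote
! sites at 10.250.0.2, spoke 11 LAN 192.168.11.0/24.
vrf definition INET-BACKHAUL
 rd 65000:2
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0/1
 description Second DC public IP, tunnel endpoint for cloud 2 (global table)
 ip address 203.0.113.20 255.255.255.248
!
interface Tunnel1
 description DMVPN cloud 2: spoke internet traffic, GRE only, readable in transit
 vrf forwarding INET-BACKHAUL
 ip address 10.2.0.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 ip nhrp authentication CLOUD2
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 2
 ! deliberately no "tunnel protection ipsec profile ..." on this tunnel
!
interface GigabitEthernet0/0/2
 description Link to the web filter inside interface reserved for remote sites
 vrf forwarding INET-BACKHAUL
 ip address 10.250.0.1 255.255.255.252
 ip tcp adjust-mss 1436
!
! Everything arriving from spokes inside the VRF is handed to the web filter,
! which NATs it and forwards it to the internet. Replies from the filter reach
! 10.250.0.1 and follow the spoke LAN routes below back into Tunnel1, so the
! VRF alone keeps return traffic on cloud 2 (no PBR needed in this variant).
ip route vrf INET-BACKHAUL 0.0.0.0 0.0.0.0 10.250.0.2
ip route vrf INET-BACKHAUL 192.168.11.0 255.255.255.0 Tunnel1 10.2.0.11
! one such static per spoke LAN; a routing protocol over Tunnel1 scales better
!
! ===== SPOKE 11: existing IPsec Tunnel0 stays for private traffic =====
! Assumptions: spoke WAN IP 198.51.100.11 on Gi0/0/0, ISP gateway 198.51.100.1,
! LAN 192.168.11.0/24 on Gi0/0/1.
interface Tunnel1
 description DMVPN cloud 2 to the DC second public IP, internet-bound only
 ip address 10.2.0.11 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 ip nhrp authentication CLOUD2
 ip nhrp map 10.2.0.1 203.0.113.20
 ip nhrp map multicast 203.0.113.20
 ip nhrp network-id 2
 ip nhrp nhs 10.2.0.1
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 2
!
! PBR on the LAN interface: RFC 1918 destinations keep normal routing (they
! already ride the IPsec Tunnel0); everything else is pushed into Tunnel1.
ip access-list extended LAN-TO-INTERNET
 deny   ip 192.168.11.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.11.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.11.0 0.0.0.255 any
!
route-map INET-VIA-DC permit 10
 match ip address LAN-TO-INTERNET
 set ip next-hop 10.2.0.1
!
interface GigabitEthernet0/0/1
 description Site LAN
 ip address 192.168.11.1 255.255.255.0
 ip policy route-map INET-VIA-DC
!
! The spoke's own default route still points at the local ISP so both tunnels
! can be sourced from Gi0/0/0; only LAN-originated traffic is policy-routed.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

The 1476/1436 pair comes from the 24 bytes of outer IP plus GRE header with a tunnel key; drop the tunnel key and the overhead is 20 bytes, but keep the key if both clouds share a tunnel source so NHRP can tell them apart. To confirm the split is working, check show dmvpn on both ends, show ip route vrf INET-BACKHAUL on the hub, and the match counters in show route-map INET-VIA-DC on the spoke while a LAN host browses. Remember the caveat Giuseppe gives: web traffic on cloud 2 crosses the ISPs in cleartext GRE, so anything that must stay confidential has to remain on the IPsec cloud or be protected end to end (for example by TLS).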