Best Security Practice for DMVPN spoke with 2 internet connections

Travis-Fleming
Level 1

Hello, in following the Cisco configuration guide below for setting up a dual-ISP spoke-end DMVPN connection, I am wondering what the best security practice would be. Is it good to land the internet connections directly on the routers as described? Or would it be better to land them on the FTD we have on site, and then NAT out through that?

 

From a simplicity standpoint it would be easier to land the internet connection on the router directly, as the route maps on an FTD through an FMC are proving to be difficult to configure.

 

This article/configuration suggests that because each interface is set up in its own VRF it's okay?

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multi-point-vpn-dmvpn/119022-configure-dmvpn-00.html

5 Replies

Giuseppe Larosa
Hall of Fame

Hello @Travis-Fleming ,

I think it is enough to land directly on the WAN interfaces of the spoke router without going via the FTD FW because the DMVPN uses its own encryption.

The configuration guide that you have linked uses the VRFs as a way to support a dual ISP DMVPN spoke.

This is not strictly required, because you can play on the tunnel parameters delay and bandwidth to make tunnel 0 primary and tunnel 1 secondary even without using the VRFs.

 

To me the document looks like it is missing the per-VRF configuration of the EIGRP process, unless it is reported earlier.

 

Hope to help

Giuseppe

 

Thank you for the reply! I don't think the security "fear" is the GRE traffic, but the live internet connection on the WAN interface of the router itself. The fear would be outside bad actors attacking the router.

 

In theory we could put an ACL on that interface that says to only accept traffic from the public IP of our head-end DMVPN router? Or is that not even a fear to begin with?

Hello @Travis-Fleming ,

Yes, you can use an access-list applied inbound to limit what traffic can be received on the WAN interfaces.

 

Hope to help

Giuseppe

 

Being a bit paranoid with Internet-connected routers, on VPN-only routers I generally use an interface ACL that blocks all traffic except from expected peers and/or blocks all traffic types except "expected" traffic kinds. Further, if peers have known destinations, only those outbound routes are defined, i.e. I don't use a default route to the Internet. (If for some reason I do want to use a default route toward the Internet [like for multiple DMVPN spokes using dynamic addresses], I've, in the past, defined a VRF so the outside VRF only has the Internet default route.)
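Putting the two suggestions above together (Giuseppe's inbound WAN ACL limited to the head-end, and the front-door VRF that holds only the Internet default route), here is an added IOS example for one ISP leg of the spoke; it is not from the linked Cisco guide or from anyone in this thread. The interface name, addresses, VRF name, tunnel key and the IPsec profile name DMVPN-PROF are all assumed values.

```cisco
! Added example, not from the linked Cisco guide or from this thread.
! Assumed: ISP1 WAN interface Gi0/0 with public IP 203.0.113.10, ISP1 gateway
! 203.0.113.1, DMVPN hub NBMA address 198.51.100.1, tunnel key 100, and an
! IPsec profile DMVPN-PROF defined elsewhere.
!
! Front-door VRF: only the Internet default route lives here, so the global
! table never needs a default route toward the Internet.
vrf definition ISP1
 address-family ipv4
 exit-address-family
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 203.0.113.1
!
! Inbound ACL on the Internet-facing interface: accept only the DMVPN
! channels (IKE on UDP/500, NAT-T on UDP/4500, ESP) from the hub and the
! ICMP needed for path-MTU discovery; log everything else that is dropped.
ip access-list extended WAN-IN-ISP1
 remark IKE from the head-end only
 permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
 remark IKE/ESP encapsulated in UDP 4500 when NAT is in the path
 permit udp host 198.51.100.1 host 203.0.113.10 eq non500-isakmp
 remark ESP carrying the GRE tunnel
 permit esp host 198.51.100.1 host 203.0.113.10
 permit icmp any host 203.0.113.10 packet-too-big
 deny ip any any log
!
interface GigabitEthernet0/0
 description ISP1 Internet (front-door VRF)
 vrf forwarding ISP1
 ip address 203.0.113.10 255.255.255.252
 ip access-group WAN-IN-ISP1 in
 no ip redirects
 no ip proxy-arp
!
! mGRE tunnel sourced from the VRF interface; the low delay makes this the
! preferred path over a second tunnel configured with a higher delay.
interface Tunnel0
 description DMVPN over ISP1 (primary)
 ip address 10.0.0.11 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel vrf ISP1
 tunnel protection ipsec profile DMVPN-PROF
 delay 1000
```

If the DMVPN design also builds direct spoke-to-spoke tunnels, the ACL must additionally permit IKE and ESP from the other spokes (or from any source, restricted to those three protocols), otherwise the spoke-to-spoke tunnels never come up and traffic stays hairpinned through the hub.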

Thanks! Both of those answers are good and I will take them.
