05-13-2020 06:44 AM
Hello, in following the below Cisco configuration guide for setting up a dual-ISP spoke-end DMVPN connection, I'm wondering what the best security practice would be. Is it good to land the internet connections directly on the routers as described? Or would it be better to land them on the FTD we have on site, and then NAT out that?
From a simplicity standpoint it would be easier to land the internet connection on the router directly, as the route maps on an FTD through an FMC are proving to be difficult to configure.
This article/configuration suggests that because each interface is set up in its own VRF it's okay?
05-13-2020 07:37 AM
Hello @Travis-Fleming ,
I think it is enough to land directly on the WAN interfaces of the spoke router without going via the FTD firewall, because the DMVPN uses its own encryption.
The configuration guide that you have linked uses the VRFs as a way to support a dual-ISP DMVPN spoke.
This is not strictly required, because you can play with the tunnel parameters delay and bandwidth to make Tunnel0 primary and Tunnel1 secondary even without using the VRFs.
To me the document looks like it is missing the per-VRF configuration of the EIGRP process, unless it is reported earlier.
Hope to help
Giuseppe
05-13-2020 08:15 AM
Thank you for the reply! I don't think the security "fear" is the GRE traffic, but the live internet connection on the WAN interface of the router itself. The fear would be outside bad actors attacking the router.
In theory we could put an ACL on that interface that says only accept traffic from the public IP of our head-end DMVPN router? Or is that not even a fear to begin with?
05-13-2020 09:51 AM
Hello @Travis-Fleming ,
Yes, you can use an access-list applied inbound to limit what traffic can be received on the WAN interfaces.
Hope to help
Giuseppe
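An added example (not from the linked Cisco guide or either poster) of what that inbound ACL looks like on one of the two front-door VRF WAN interfaces of the spoke, letting in only IKE, NAT-T and ESP from the hub and dropping everything else before it reaches the router's control plane. Assumed values: hub public IP 203.0.113.10, ISP1 WAN interface GigabitEthernet0/0 in VRF ISP1, and an IPsec profile DMVPN-PROF plus a VRF-aware keyring already configured; the second ISP interface gets the same ACL with its own VRF.

```cisco
! Constructed example; hub address, interface names and profile name are assumptions.
ip access-list extended WAN-IN-ISP1
 remark IKE (UDP 500) and NAT-T (UDP 4500) from the DMVPN hub only
 permit udp host 203.0.113.10 eq isakmp any eq isakmp
 permit udp host 203.0.113.10 eq non500-isakmp any eq non500-isakmp
 remark ESP (IP protocol 50) from the hub only; GRE rides inside it
 permit esp host 203.0.113.10 any
 remark ISP DHCP lease traffic; remove if the WAN address is static
 permit udp any eq bootps any eq bootpc
 remark keep path-MTU feedback so large tunnel packets are not silently blackholed
 permit icmp any any packet-too-big
 remark everything else from the Internet is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description ISP1 WAN (front-door VRF)
 vrf forwarding ISP1
 ip address dhcp
 ip access-group WAN-IN-ISP1 in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
interface Tunnel0
 description DMVPN primary via ISP1
 ip address 10.0.0.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 203.0.113.10
 ip nhrp map multicast 203.0.113.10
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf ISP1
 tunnel protection ipsec profile DMVPN-PROF
```

Permitting only the hub's address works for hub-and-spoke (Phase 1) traffic; if spoke-to-spoke tunnels are in use, other spokes' public addresses must also be allowed to send IKE and ESP, so the source restriction would have to be widened to those peers. Verify with `show ip access-lists WAN-IN-ISP1` that the deny counter grows while the IKE/ESP counters match the tunnel coming up.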
05-13-2020 10:23 AM
Thanks! Both of those answers are good and I will take them.