03-07-2019 04:31 PM
Hello,
We have 25+ sites connected to our data center in a DMVPN mGRE IPsec hub and spoke configuration. Presently, each remote site has its own web filter appliance and internet traffic is local to the remote site (egress via the local ISP connection). We are changing web filter vendors and need to backhaul ALL remote site traffic to our data center so that ALL internet traffic can be sent through our new centralized filtering appliance.
I've heard multiple ways to deal with this; route-maps, PBR and front-door VRF. After doing some research into fVRF it seems to be the best option.
Has anyone actually gone through the same scenario and converted remote spokes to backhaul internet traffic via fVRF? If so, I would greatly appreciate any advice and assistance with specific details for the necessary hub and/or spoke (re)configuration.
I can/will post our existing hub and spoke configs if needed.
TIA,
John
03-08-2019 05:19 PM
1. Can you please share your Hub and one Spoke config
2. Are you running Phase 2 or Phase 3 in your environment? If Phase 3, why can't you just advertise a default route from the Hub to all the spokes?
03-09-2019 12:44 AM
Hi,
As you said, all web filtering must be processed through the data center web gateway only, which means you need to advertise a default route over the GRE/DMVPN tunnel. I don't think you require any changes to the DMVPN or GRE tunnel configuration on the Hub. This is only a routing protocol change: advertise a default route toward the spokes.
There are multiple points to be considered:
1. Is it Phase3 DMVPN?
2. Do you have sufficient Bandwidth on HUB and router resources to handle all Spokes traffic?
3. Which Routing protocol is configured on an overlay network?
Spoke site: At the spoke routers, you may consider a VRF configuration for preventing overlay and underlay routing issues. You can keep the LAN network and Tunnel interface in the global VRF as the overlay and the ISP connection in a different VRF, or vice versa.
Regards,
Deepak Kumar
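The spoke-side front-door VRF layout described above, written out as an added example (not the poster's configuration and not taken from this thread). Names, addresses and the IPsec profile name (INET, DMVPN-PROF, 10.20.1.0/24, the 172.16.0.0/24 tunnel subnet and the RFC 5737 documentation ranges) are constructed placeholders: the ISP uplink lives in the fVRF, the tunnel is sourced from it with `tunnel vrf`, and the global routing table, which the LAN uses, no longer has a path to the ISP except through the overlay.

```cisco
! Front-door VRF holding only the ISP-facing underlay (constructed name)
vrf definition INET
 rd 65000:1
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description ISP uplink - underlay only
 vrf forwarding INET
 ip address 203.0.113.2 255.255.255.252
!
! Underlay default: reaches the hub's public address, nothing else uses it
ip route vrf INET 0.0.0.0 0.0.0.0 203.0.113.1
!
! IKE must look the hub up in the fVRF, or the tunnel never comes up
crypto keyring DMVPN-KEYRING vrf INET
 pre-shared-key address 198.51.100.1 key <PLACEHOLDER-PSK>
!
interface Tunnel0
 description DMVPN overlay - stays in the global table with the LAN
 ip address 172.16.0.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp map 172.16.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 tunnel source GigabitEthernet0/0
 tunnel vrf INET
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
interface GigabitEthernet0/1
 description Site LAN (constructed prefix)
 ip address 10.20.1.1 255.255.255.0
!
! Overlay default: LAN internet traffic is backhauled to the hub.
! EIGRP-learned prefixes are more specific and keep their normal paths.
ip route 0.0.0.0 0.0.0.0 Tunnel0 172.16.0.1
```

The change is local to one spoke, so it can be applied and reverted one site at a time: removing the last static route and putting the ISP default back in the global table restores local internet egress. The split also closes the classic recursive-routing failure, because a default learned over the tunnel can never capture the tunnel's own source traffic while that traffic is resolved in INET.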
03-09-2019 04:50 AM
Deepak,
1. Phase 2
2. Yes
3. EIGRP
Due to business constraints beyond my pay grade, I need to be able to backhaul traffic from spokes on an individual basis. This is why I was curious about the VRF configuration option and am looking for detailed instruction on the configuration. I will post my hub and spoke configs.
Thank you,
John
03-09-2019 07:02 AM
Hi,
Due to business constraints beyond my pay grade, I need to be able to backhaul traffic from spokes on an individual basis
If I understand correctly, you don't want to allow traffic between two spokes. Is that correct? Then there are two options:
1. Enable split horizon. When split horizon is enabled, none of the routes learned from spokes will be advertised to other spokes, so there won't be any spoke-to-spoke communication, but the hub will have routes to all destinations behind the spokes.
2. You can go with VTI/DVTI tunnels. On the Hub, you can accept VPNs from any peers with the DVTI config. The spokes use traditional VTI tunnels.
3. Configure a VRF for each spoke on the HUB. It depends on your HUB router platform limitation.
As you mentioned that there are 25+ sites, VRF is not that scalable an option. It will increase the configuration, and route leaking is another issue.
Regards,
Deepak Kumar
03-09-2019 02:55 PM
Deepak,
Thank you for the reply, but I do not think you are understanding my particular needs. They have nothing to do with allowing or disallowing spoke-to-spoke traffic.
What I meant was that I cannot make this change at all spokes at one time. I need to be able to make the change individually (one spoke at a time and, if necessary, reverse the change on individual spokes one at a time). So I cannot make changes that affect ALL spokes at one time. I hope this makes it clearer.
I simply need a solution to backhaul internet traffic from spokes to the hub site and need to be able to make this change on an individual spoke basis (one at a time).
John
03-09-2019 07:03 PM
Hi,
Sorry for misunderstanding. Do you have any spare WAN IP address? If yes, then the migration is a bit easier.
Steps:
1. Configure a VRF on the HUB.
2. Configure the routing protocol, tunnel, and crypto as required in the VRF.
3. Make a route leak between the global VRF and the VRF.
Share your existing configuration. It will help us to make a demo configuration for you.
Regards,
Deepak Kumar
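The three hub-side steps above, as an added example rather than anything posted in this thread: a second DMVPN cloud inside its own VRF, sourced from a spare WAN address so it coexists with the existing global cloud, with the default route leaked to the web filter in the global table and the migrated LAN leaked back. The VRF name MIGRATE, the secondary address 198.51.100.2, the filter's inside address 192.0.2.10, the 172.16.100.0/24 tunnel subnet and the profile name DMVPN-PROF are constructed assumptions.

```cisco
! Step 1: VRF for the spokes being migrated (constructed name)
vrf definition MIGRATE
 rd 65000:100
 address-family ipv4
 exit-address-family
!
! Spare WAN address (the thread's precondition) as a secondary on the existing uplink
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip address 198.51.100.2 255.255.255.0 secondary
!
! Step 2: mGRE hub interface inside the VRF; distinct source, key and network-id
! keep it separate from the production Tunnel0 in the global table
interface Tunnel100
 description DMVPN cloud for spokes already migrated
 vrf forwarding MIGRATE
 ip address 172.16.100.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 tunnel source 198.51.100.2
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! EIGRP instance for the VRF; redistribute static pushes the leaked default to spokes
router eigrp 100
 address-family ipv4 vrf MIGRATE autonomous-system 100
  network 172.16.100.0 0.0.0.255
  redistribute static
 exit-address-family
!
! Step 3: route leak. VRF default resolves to the web filter in the global table;
! the global table reaches the migrated LAN via the VRF tunnel interface.
ip route vrf MIGRATE 0.0.0.0 0.0.0.0 192.0.2.10 global
ip route 10.20.1.0 255.255.255.0 Tunnel100 172.16.100.11
```

A spoke is migrated by repointing its NHS and tunnel source mapping to 198.51.100.2 with network-id and key 100, and rolled back by pointing them at the original cloud again; nothing in the existing Tunnel0 configuration changes. The cost Deepak notes is visible here: every migrated LAN prefix needs its own leak route (or a dynamic equivalent) in the global table.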
03-10-2019 04:08 AM
Thank you for the input, but I was able to accomplish my goals with PBR on the (individual) spoke routers.
John
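A spoke-side PBR configuration of the kind John describes, as an added example and not his actual config. It matches LAN-originated traffic that is not headed for internal RFC 1918 space, sends it to the hub's tunnel address only while an IP SLA probe shows the hub reachable, and touches neither the tunnel nor the ISP default route, which is why it works one spoke at a time. Addresses, the hub tunnel IP 172.16.0.1 and the names BACKHAUL-INTERNET are constructed.

```cisco
! Only LAN traffic bound for the internet is policy-routed; internal destinations
! are denied here so they keep following the EIGRP routing table (constructed prefixes)
ip access-list extended BACKHAUL-INTERNET
 deny   ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.20.1.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.20.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.20.1.0 0.0.0.255 any
!
! Probe the hub over the overlay so PBR can tell whether the backhaul path is up
ip sla 1
 icmp-echo 172.16.0.1 source-interface Tunnel0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Next hop is the hub's tunnel address; it is only used while track 1 is up.
! If the hub is down the packet falls through to Null0 rather than to the local ISP,
! so the filtering policy fails closed instead of silently bypassing the web filter.
route-map BACKHAUL-INTERNET permit 10
 match ip address BACKHAUL-INTERNET
 set ip next-hop verify-availability 172.16.0.1 10 track 1
 set interface Null0
!
! PBR applies to transit traffic arriving on the LAN; router-generated GRE/IPsec
! packets are not policy-routed and still reach the ISP via the global default.
interface GigabitEthernet0/1
 description Site LAN
 ip address 10.20.1.1 255.255.255.0
 ip policy route-map BACKHAUL-INTERNET
```

Dropping the `set interface Null0` line turns the fail-closed behaviour into fail-open: with the hub unreachable, internet traffic would follow the spoke's local default straight to the ISP, unfiltered. Which of the two a site should get is a policy decision to make explicitly rather than by omission, and `show route-map BACKHAUL-INTERNET` plus `show track 1` show whether the backhaul path is actually being taken.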