DMVPN, Zone based FIREWALL, NAT, Dynamic routing protocol, design and implementation

walter baziuk
Level 5

Hello:

I have been asked to design and implement a mid scale VPN solution. I plan to use a hub and spoke design where:

  • some spokes are corporate sites and others are connected via the inet.
  • WAN speeds vary between 5-20 Mb/s.
  • Not all spoke sites will be "on and connected" 24/7. 
  • Some spokes that are far from the hub will need to communicate directly with one or more other spokes.
  • iNet access will be limited to the hub.
  • Split tunnel WAN connections will not be permitted on the spokes, but will be used on the hub for inet access
  • spokes will either have a hard router or some soft VPN client depending on their size, uptime and number of users

My planned architecture is based on DMVPN phase 3. This will allow

  • dynamic spoke creation
  • control over spoke to spoke communications
  • ability to limit iNet access through a main controlled gateway
  • simplification of the HUB as the number of spokes increases over time

I also need to use

  • NAT so that we can isolate spokes and deploy a well planned LAN side address space
  • ZFW- Zone based firewall is planned to be implemented as various spokes and the hub will have services running
  • EIGRP is planned for the LAN side
  • BGP or static is planned for the WAN side

I am old school and tend to do all my configs with CLI and not use a gui or some wizards. Maybe this will be easier?

My question relates to the order of implementation. Specifically what should be coded first and how do they interact. Can people please recommend a deployment order for the following.

  • DMVPN
  • NAT
  • ZBF
  • LAN -EIGRP
  • WAN-BGP

For my non-router based spokes, are there any preferred VPN clients that work well with DMVPN, easy VPN, Get VPN, NCP VPN client etc.?

Tips, suggestions and comments are welcome from users in this excellent forum.

Walter

1 Reply

Peter Paluch
Cisco Employee

Walter,

My personal suggestion is to leave the security measures only to the very end of your deployment work, i.e. I would suggest the following order of steps:

  • LAN-EIGRP
  • WAN-BGP
  • DMVPN without IPsec (you may choose to implement IPsec at this point if you are already experienced with it)
  • IPsec if not implemented immediately along the DMVPN
  • ZBF

With respect to clients, I am afraid that there are no software clients that work in particular with DMVPN, i.e. interact with NHRP and GRE tunnels. However, you may use any VPN technology to access the DMVPN as a whole if any of the DMVPN-enabled routers also works as a VPN access concentrator, i.e. IPsec or SSLVPN (WebVPN). The SSL VPN is probably the way to go for the future, the IPsec seems to be shifting away from remote access VPNs only to the realm of site-to-site VPNs. The GETVPN is a different technology you are most probably not interested in.

As I consider myself to be just a beginner in the world of VPNs myself, I would appreciate very much if other friends here shared their experiences. Thanks!

Best regards,

Peter
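To make the "how do they interact" part of the question concrete, here is an added hub-side IOS configuration sketch (constructed for this thread, not posted by either participant) showing the DMVPN phase 3 tunnel brought up first and then the zone-based firewall layered on top of it. Interface names, tunnel addresses, the NHRP key and the pre-shared key are placeholders; the point to notice is that ISAKMP, ESP and GRE terminate on the router itself, so once a WAN-to-self zone-pair exists they have to be explicitly passed or the tunnels silently stop forming.

```cisco
! Hub router (constructed example; addresses, key names and the PSK are placeholders).
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer address: spokes arriving from dynamic WAN addresses must still match a key.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
! Zones are declared before any interface joins them.
zone security WAN
zone security DMVPN
interface GigabitEthernet0/0
 zone-member security WAN
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 no ip split-horizon eigrp 100
 zone-member security DMVPN
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
! ZBF: tunnel carrier traffic terminates in the self zone. ESP and GRE cannot be
! stateful-inspected, so the class uses "pass"; everything else to self is dropped.
ip access-list extended DMVPN-CARRIER
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
class-map type inspect match-any DMVPN-CARRIER-CM
 match access-group name DMVPN-CARRIER
policy-map type inspect WAN-SELF-PM
 class type inspect DMVPN-CARRIER-CM
  pass
 class class-default
  drop
zone-pair security WAN-TO-SELF source WAN destination self
 service-policy type inspect WAN-SELF-PM
zone-pair security SELF-TO-WAN source self destination WAN
 service-policy type inspect WAN-SELF-PM
```

On the spokes the tunnel block is the same except that `ip nhrp redirect` becomes `ip nhrp shortcut` and static `ip nhrp map` / `ip nhrp nhs` entries point at the hub; EIGRP hellos run inside the DMVPN zone, so they are unaffected by the WAN-to-self policy.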
