Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
888
Views
15
Helpful
9
Replies

Routing

Go to solution
Mlex1
Spotlight
Spotlight

ā€Ž02-02-2023 03:21 AM

Hi everyone my question about routing 

For example.
i'n working on international company and my company has a few breach on a broad MOSCOW, FRANCE, and ENGLAND and between branches i have dmvpn, and every country has real ip address and private ip address, like this topology, here my question, how traffic going to going to FRANCE or ENGLAND.
when i entry via ssh to equipment on FRANCE or ENGLAND with real ip address what's going on on routing?
when i entry via ssh to equipment on FRANCE or ENGLAND with private ip address what's going on on routing?

Screenshot from 2023-02-02 16-20-05.png

Š”ŠæрŠ°ŃˆŠøŠ²Š°Š¹ Š²ŃŠµ чтŠ¾ хŠ¾Ń‡ŠµŃˆŃŒ
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Mlex1

ā€Ž02-03-2023 08:40 AM

I believe I fully understood you question, but my prior reply appears it did not convey the concept I was hoping to convey.  (VLANs, themselves, have nothing to do with your question - I was trying to highlight a similar topology using a L2 example which you might better understand - looks like I failed.)

(BTW, I suspect your English is much, much, much better than my Russian[?]).

Let try a simple L3 example.

Moscow RTR (1.1.1.1) <> Internet <> (2.2.2.2) France RTR

How might Moscow and France route traffic between themselves?  Perhaps as simple as using a default route to the Internet.

Add GRE tunnel between Moscow and France

e.g.:

Moscow (192.168.1.1 using Internet interface) GRE tunnel (192.168.1.2 using Internet interface) France

Once the above is done, Moscow should be able to connect to France using either 2.2.2.2 or 192.168.1.2.

Conversely France should be able to connect to Moscow using 1.1.1.1 or 192.168.1.1.

Do you understand this, so far?

Next we might do:

England RTR (3.3.3.3) <> Internet <> (2.2.2.2) France RTR

How might France and England route traffic between themselves?  Again, perhaps as simple as using a default route to the Internet.

Add GRE tunnel between England and France

e.g.:

England (192.168.2.1 using Internet interface) GRE tunnel (192.168.2.2 using Internet interface) France

Once the above is done, England should be able to connect to France using either 2.2.2.2 or 192.168.2.2.

Conversely France should be able to connect to England using 3.3.3.3 or 192.168.2.1.

Do you understand this, so far?

What about between Moscow and England, using the private IP addresses?

Well, as they don't have their own p2p GRE tunnel, they need to transit France.

So, Moscow's router needs a route for 192.168.2.1 going to 192.168.1.2.

Conversely, England's router needs a route for 192.168.1.1 going to 192.168.2.2.

The route information might be provided by static routes or using a dynamic routing protocol across the GRE tunnels.

DNVPN, is just a bit more of the same.  Actual configuration depends on how DMVPN is configured, as basic DMVPN is hub and spoke, but as @balaji.bandi described, later DMVPN variants support dynamic spoke to spoke tunnels.

Do you understand this, so far?  If not, please post what still is unclear.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

ā€Ž02-02-2023 06:03 AM

You can use DMVPN Phase 3 for the Branch to Branch communication

https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/211292-Configure-Phase-3-Hierarchical-DMVPN-wit.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Mlex1
Spotlight
Spotlight
In response to balaji.bandi

ā€Ž02-02-2023 09:00 PM

Thank you but i know this option 

Š”ŠæрŠ°ŃˆŠøŠ²Š°Š¹ Š²ŃŠµ чтŠ¾ хŠ¾Ń‡ŠµŃˆŃŒ
0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

ā€Ž02-02-2023 08:02 AM

Hmm, I'm guessing what has you a bit confused is getting to the same destination, using two different IPs, one "real" (which I also presume you mean public, as all IPs are real) and one using a private IP.

I'm sure you understand how using different IPs, for destinations, usually gets you to different destinations.

Well, using both public and private IPs, you can get to the same physical destination, but you are routing to them, logically, much like going to different physical destinations.

Between public and private IPs, packets may take totally different physical paths, and/or, they may take same physical paths.  The latter, though, is kept logically different as packets are often "encapsulated" to keep them logically different (i.e. DMVPN tunnels, in your case).

If you're familiar with VLANs, they too support a similar situation.

Sharing physical links, but keeping frames on them logically different, can be done with VLANs.  The same host might be connected to multiple VLANs.  For example, I might SSH to a switch using its SVI for VLAN 5 and for its SVI for VLAN 10.  How I get to the same, in this example, switch, might differ because I'm accessing switch via two different VLANs, or, physically, I might be using the same physical path, like a trunk (which logically keeps VLANs distinct).

0 Helpful

Go to solution
Mlex1
Spotlight
Spotlight
In response to Joseph W. Doherty

ā€Ž02-02-2023 08:37 PM

Hi Joseph W. Doherty  thank you for supporting, yes i mean real ip address (public ip address) You didn't understand me i know what does means VLAN, SVI and what is different between them. So i now when i connect via ssh with public ip address or private ip address i get to same destination i guess everyone knows it. This my question 

What is difference when i connect via ssh with public ip address on my equipment and how traffic going to destination and go back.

and 

When i connect via ssh with private ip address on my equipment and how traffic going to destination and go back.

i want to understand this.

Š”ŠæрŠ°ŃˆŠøŠ²Š°Š¹ Š²ŃŠµ чтŠ¾ хŠ¾Ń‡ŠµŃˆŃŒ
0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Mlex1

ā€Ž02-03-2023 08:40 AM

I believe I fully understood you question, but my prior reply appears it did not convey the concept I was hoping to convey.  (VLANs, themselves, have nothing to do with your question - I was trying to highlight a similar topology using a L2 example which you might better understand - looks like I failed.)

(BTW, I suspect your English is much, much, much better than my Russian[?]).

Let try a simple L3 example.

Moscow RTR (1.1.1.1) <> Internet <> (2.2.2.2) France RTR

How might Moscow and France route traffic between themselves?  Perhaps as simple as using a default route to the Internet.

Add GRE tunnel between Moscow and France

e.g.:

Moscow (192.168.1.1 using Internet interface) GRE tunnel (192.168.1.2 using Internet interface) France

Once the above is done, Moscow should be able to connect to France using either 2.2.2.2 or 192.168.1.2.

Conversely France should be able to connect to Moscow using 1.1.1.1 or 192.168.1.1.

Do you understand this, so far?

Next we might do:

England RTR (3.3.3.3) <> Internet <> (2.2.2.2) France RTR

How might France and England route traffic between themselves?  Again, perhaps as simple as using a default route to the Internet.

Add GRE tunnel between England and France

e.g.:

England (192.168.2.1 using Internet interface) GRE tunnel (192.168.2.2 using Internet interface) France

Once the above is done, England should be able to connect to France using either 2.2.2.2 or 192.168.2.2.

Conversely France should be able to connect to England using 3.3.3.3 or 192.168.2.1.

Do you understand this, so far?

What about between Moscow and England, using the private IP addresses?

Well, as they don't have their own p2p GRE tunnel, they need to transit France.

So, Moscow's router needs a route for 192.168.2.1 going to 192.168.1.2.

Conversely, England's router needs a route for 192.168.1.1 going to 192.168.2.2.

The route information might be provided by static routes or using a dynamic routing protocol across the GRE tunnels.

DNVPN, is just a bit more of the same.  Actual configuration depends on how DMVPN is configured, as basic DMVPN is hub and spoke, but as @balaji.bandi described, later DMVPN variants support dynamic spoke to spoke tunnels.

Do you understand this, so far?  If not, please post what still is unclear.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

ā€Ž02-02-2023 08:06 AM

there are two routing plane here 
the trick is which source you use in SSH?

Go to solution
Mlex1
Spotlight
Spotlight
In response to MHM Cisco World

ā€Ž02-02-2023 08:48 PM

Hi MHM Cisco World thank you for supporting. for example this.

ssh 192.168.1.1

ssh 94.128.20.80

Š”ŠæрŠ°ŃˆŠøŠ²Š°Š¹ Š²ŃŠµ чтŠ¾ хŠ¾Ń‡ŠµŃˆŃŒ
0 Helpful

Go to solution
umeshpathak
Level 1
Level 1

ā€Ž02-03-2023 12:25 AM

So How does your routing table looks for those two destination you are trying to reach from the device you are accessing them? It more depend on your routing ,I believe.

 

0 Helpful

Go to solution
Mlex1
Spotlight
Spotlight

ā€Ž02-03-2023 01:02 AM

sorry for everyone who answering me, i don't know it's depend on my English i can't describe my question properly.

Š”ŠæрŠ°ŃˆŠøŠ²Š°Š¹ Š²ŃŠµ чтŠ¾ хŠ¾Ń‡ŠµŃˆŃŒ
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card