Two DC and Two VPN tunnel (DMVPN with IPSec and IPSec)

MrBeginner

Dear all,

I am a beginner in networking, and some of my questions are duplicates and very hard to understand. Please forgive me. I would like to ask about DMVPN and IPSec. I have the network diagram for our network.

We have 2 DCs. DC1 and our branches have Cisco devices; DC2 is using another vendor. We want to run DMVPN between DC1 and our branches, and then the branch networks and DC2 use IPSec only. Please see the attachment below and please help me.

So I have some confusion; please help me and explain.

  1. If we are using eBGP as the underlay protocol, can we use eBGP again on the DMVPN and IPSec tunnels as well (overlay protocol)? If we use eBGP as the overlay protocol, do I need to use a different AS?
  2. If I use eBGP as the overlay protocol, do I need to peer with every site for DMVPN, or only with the hub site? Please see the config example and let me know whether I need to put ebgp-multihop 2:
     Spoke 1
       router bgp 102
       network 2.2.2.0 mask 255.255.255.0        (loopback IP)
       network 22.22.22.0 mask 255.255.255.0
       neighbor 192.168.100.1 remote-as 65300    (192.168.100.1 is the tunnel IP)
       neighbor 192.168.100.3 remote-as 65301    (branch 2 tunnel IP and AS)
       neighbor 192.168.100.3 ebgp-multihop 2
  3. Should I use EIGRP as the overlay protocol? If I use EIGRP, may I know what kind of restrictions I can get?
  4. If I use VTI for the IPSec tunnel to DC2, will it cause some recursive lookup error at our branch sites? (When I tested I got a recursive lookup.) So may I know whether I should use VTI or policy-based IPSec?
  5. For the certificate map, should I use a certificate map with issuer-name co domain-name?
  6. How can I use IPSec to DC2? I mean, should I use a static route with the next-hop IP being the FW WAN IP? Should I use an ACL rule?
  7. For the DMVPN hub site, I have two ISP links on one router. I am confused about how to configure it to get redundancy. If I had two routers I could configure two tunnels and configure the secondary router as an NHC client. But in this scenario, how can I configure a second tunnel as backup, or can I configure two interfaces as one tunnel? How do I configure redundancy for DMVPN? The spoke site is simple; I worry about the hub site.
Accepted Solution

Hi,

You can run BGP, EIGRP or OSPF as the overlay routing protocol. The spokes only need to peer with the Hub; the spokes do not need to peer with each other. This Cisco Live presentation provides more information about suggested protocols to use. EIGRP or BGP should be fine; BGP might be considered more complex to configure.

I would definitely suggest you purchase another router for DC2 in order to run a second DMVPN hub rather than a static IPSec VPN to another device. This would allow you to have full resiliency for the DMVPN topology, because if the DC1 Hub fails you'd have no spoke-to-spoke connectivity. In addition, the complexity of the overall configuration would be greatly simplified.

Assuming the certificates of all the devices are issued from the same Certificate Authority and the issuer-name, for example, was pki-ca, then you'd use the following example for the certificate map:

crypto pki certificate map CERT_MAP 1
 issuer-name co cn = pki-ca

If you have 2 ISPs on one router then you could place each physical interface in a unique VRF, create a default route per VRF, then define 2 separate tunnel interfaces. Each tunnel interface would have a different tunnel source. You would define a delay on the tunnel interface to make one tunnel preferred over the other. This link provides information on this scenario.

HTH
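The dual-ISP hub described above, written out as an added example (not the responder's configuration): each uplink in its own front-door VRF with its own default route, the CERT_MAP above attached to an IKEv2 profile, two mGRE tunnels with different sources, and EIGRP as overlay with interface delay making Tunnel100 preferred. Interface names, addresses, VRF names, the trustpoint TP_CA and the EIGRP AS 100 are all assumed.

```ios
ip vrf ISP1
ip vrf ISP2
interface GigabitEthernet0/0
 ip vrf forwarding ISP1
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 ip vrf forwarding ISP2
 ip address 198.51.100.2 255.255.255.252
! one default route per VRF: each tunnel source exits via its own ISP only
ip route vrf ISP1 0.0.0.0 0.0.0.0 203.0.113.1
ip route vrf ISP2 0.0.0.0 0.0.0.0 198.51.100.1
! IKEv2 accepts a peer only if its certificate matches CERT_MAP (any fVRF)
crypto pki certificate map CERT_MAP 1
 issuer-name co cn = pki-ca
crypto ikev2 profile DMVPN_IKEV2
 match fvrf any
 match certificate CERT_MAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP_CA
crypto ipsec transform-set AES_SHA esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN_IPSEC
 set transform-set AES_SHA
 set ikev2-profile DMVPN_IKEV2
! primary tunnel: the lower delay makes EIGRP prefer paths through it
interface Tunnel100
 ip address 192.168.100.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf ISP1
 tunnel protection ipsec profile DMVPN_IPSEC
! backup tunnel: identical apart from ISP, subnet and a higher delay
interface Tunnel200
 ip address 192.168.200.1 255.255.255.0
 ip nhrp network-id 200
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 100
 delay 2000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel vrf ISP2
 tunnel protection ipsec profile DMVPN_IPSEC
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 192.168.200.0 0.0.0.255
```

Each spoke would mirror this with two tunnels (one per hub subnet) and the same certificate-based IKEv2 profile, so losing one ISP at the hub drops only the tunnel sourced from it.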

3 Replies

MrBeginner

please help me.


Hi ,

Thanks a lot for your help. Before I read your suggested links I would like to ask.

For DC2,

I have a plan to change to a Cisco device, but for now we need to run on the existing devices. My main challenge is DC2.

So DC2 is not using DMVPN now; we are trying to use IPSec VPN only. So may I know whether I can use IPSec VPN only to all branches? Can that be done? If I run BGP for DC2, how do I peer? Because BGP peering is done on the router in front of the firewall, and the FW will do IPSec. That is a limitation, correct? I cannot use EIGRP because my firewall doesn't support it; my firewall supports BGP and OSPF. OSPF cannot run on IPSec, correct? If I want to use OSPF, do I need to use GRE over IPSec? So may I know, for DC2,

Which scenario is the best ?

1. IPSec with ACL (policy-based)

2. IPSec with BGP

3. GRE over IPSec (with OSPF)

For certificate enrollment,

May I know whether I need to put the issuer-name as the subject-name?

I mean e.g.

enrollment terminal
subject-name Cn=r1,Cn=issuer-name?

or

enrollment terminal
subject-name Cn=r1 is enough?

 

For DMVPN,

We have a plan to add another router in the next three months, so the second ISP link will move to the next router. So I need a temporary configuration for the second tunnel.

If I use BGP, one AS number for each site, correct?

I am using eBGP for ISP peering; should I use eBGP or iBGP?

If BGP is so complex to configure, which protocol should I use?

May I know, if I request to remove the eBGP peering with the ISP and use a default route only to the ISP, whether I get some limitations for DMVPN? Because eBGP gives me a headache.
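As an added example (not from any participant in this thread) of the accepted solution's point that spokes peer only with the hub: one way to run eBGP as the overlay, assuming the hub is in AS 65300, every spoke shares AS 65301, the hub tunnel IP is 192.168.100.1 as in the question, and the hub LAN prefix is 10.1.0.0/16. Hub and spoke are directly adjacent on the tunnel subnet, so ebgp-multihop is not needed, and because all spokes share one AS each spoke uses allowas-in to accept other spokes' prefixes relayed by the hub.

```ios
! Hub (AS 65300): one dynamic peer-group accepts any spoke whose tunnel
! address is in 192.168.100.0/24, so adding a spoke needs no hub change
router bgp 65300
 bgp log-neighbor-changes
 neighbor SPOKES peer-group
 neighbor SPOKES remote-as 65301
 neighbor SPOKES timers 10 30
 bgp listen range 192.168.100.0/24 peer-group SPOKES
 address-family ipv4
  network 10.1.0.0 mask 255.255.0.0
  neighbor SPOKES activate
  ! spoke prefixes learned here are relayed to the other spokes with the
  ! hub as next hop; NHRP redirect/shortcut (phase 3) later supplies the
  ! direct spoke-to-spoke path
  neighbor SPOKES next-hop-self
 exit-address-family
!
! Spoke 1 (AS 65301): its only BGP neighbour is the hub, reached directly
! over the tunnel subnet, so no ebgp-multihop is required
router bgp 65301
 bgp log-neighbor-changes
 neighbor 192.168.100.1 remote-as 65300
 neighbor 192.168.100.1 timers 10 30
 address-family ipv4
  network 2.2.2.0 mask 255.255.255.0
  network 22.22.22.0 mask 255.255.255.0
  neighbor 192.168.100.1 activate
  ! every spoke is in AS 65301, so routes from other spokes arrive with
  ! 65301 already in the AS path; allow one occurrence rather than
  ! dropping them as a loop
  neighbor 192.168.100.1 allowas-in 1
 exit-address-family
```

If each branch is instead given its own AS, drop allowas-in and list the spoke AS numbers on the hub peer-group with remote-as plus alternate-as, at the cost of editing the hub whenever a new AS is added.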
