VTI Configuration & IP Unnumbered usage

Mikey John
Level 1

Hi,

I have two Internet circuits from an ISP connecting to a single router. The ISP is the same but has provided us two different last-mile providers for some redundancy. We have been given a /29 public subnet by the ISP, and I have configured eBGP with these two last-mile providers, and have preferred one link over the other. One of the IPs from this /29 subnet is being used on the firewall (LAN) for tunnel termination. Currently, there are two IPsec tunnels going to two different locations, and they are terminating on the firewall on both ends.

Proposed changes

We are planning to upgrade the router, and introduce another one for router-level redundancy. The 2nd ISP link will connect on Router 2, and I would be configuring eBGP towards ISP2. Also, Local Pref and AS path prepend would be used to prefer the ISP1 link.

I also plan to move the tunnel from the firewall onto the router, and have a few queries in regards to that.

We cannot make any changes on the customer end, so we will move the same public IP from the firewall to the router for tunnel termination.

1) Can I configure VTI on the router, and configure "ip unnumbered loopback 0" for the Tunnel0 interface as I won't be able to get a tunnel subnet from the customer? See sample config below.

2) There will be HSRP running between the routers, and iBGP would be configured too. Can I use the HSRP IP as the tunnel source so that Router2 can take over ownership if the ISP1 link or Router 1 fails?

3) How do I make the interesting traffic take the tunnel route? Should an ACL be defined to make the traffic go via the VTI?

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set ABC
!
!
interface Tunnel0
ip unnumbered Loopback0
tunnel source x.x.x.x (Public IP on our end)
tunnel destination x.x.x.x (Customer FW IP)
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!

Pic attached for reference.

Cheers

Mikey

1 Reply

Hello,

1) Can I configure VTI on the router, and configure "ip unnumbered loopback 0" for the Tunnel0 interface as I won't be able to get a tunnel subnet from the customer? See sample config below.

--> That is certainly possible, as long as you advertise the Loopback interface.

2) There will be HSRP running between the routers, and iBGP would be configured too. Can I use the HSRP IP as the tunnel source so that Router2 can take over ownership if the ISP1 link or Router 1 fails?

--> The tunnel source needs to be an IP address on the outside. HSRP is typically configured on the inside (LAN), so that wouldn't work.

3) How do I make the interesting traffic take the tunnel route? Should an ACL be defined to make the traffic go via the VTI?

--> Simply configure a static route (or routes) with the tunnel as the next hop.
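As an added example (not the poster's configuration and not part of the reply above), here is how the three answers fit together in one IOS VTI configuration: the loopback lends its address to Tunnel0, the tunnel source is the router's own public address, and interesting traffic is selected by a static route instead of a crypto ACL. All addresses, prefixes, the AS number and the pre-shared-key placeholder are constructed, and the AES/SHA-256 transform set and per-peer ISAKMP key are my own choices rather than the 3DES/wildcard-key settings in the posted sample.

```cisco
! Added example, not from the original post. All addresses, prefixes and
! the AS number are constructed placeholders (RFC 5737 documentation ranges).
!
! 1) Loopback0 lends its address to the VTI, so no tunnel subnet is needed.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Phase 1: the key is bound to the single customer peer instead of 0.0.0.0 0.0.0.0,
! so a stray peer cannot negotiate with the same PSK.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.10
crypto isakmp keepalive 10
!
! Phase 2 transform set (AES/SHA-256 chosen here instead of the posted 3DES/SHA-1 set)
crypto ipsec transform-set ABC esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set ABC
!
! 2) tunnel source is the router's own outside (public) address, not the HSRP VIP
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! 3) Interesting traffic is selected by routing, not by a crypto ACL:
!    anything routed out Tunnel0 is encrypted by the profile.
ip route 10.20.0.0 255.255.0.0 Tunnel0
!
! Advertise Loopback0 so the far end has a route back to the tunnel address
! (shown here in the existing BGP process; the customer side can equally
! point a static route for 192.0.2.1/32 at its own tunnel interface).
router bgp 65001
 network 192.0.2.1 mask 255.255.255.255
```

On the second router the same Tunnel0 block would use that router's own public address as the tunnel source; the reply's point is that the HSRP virtual address sits on the LAN side and is never the address the customer firewall peers with.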