In this blog my aim is to discuss the deployment of DMVPN with VRFs and BGP (iBGP and eBGP) as the overlay (tunnel) routing protocol, with EIGRP running on the control plane (core) in a different VRF. The intent is to allow direct spoke-to-spoke communication (IKE and IPsec/GRE) and pass traffic over it.
In DMVPN both spokes create a GRE/IPsec tunnel to the hub at all times and register themselves with the NHRP server, which is the hub; this registration holds an IP-to-IP mapping, i.e. the tunnel IP mapped to the NBMA IP. When spoke 1 wants to send a packet to a LAN subnet behind spoke 2, it queries the hub (the NHRP database) for the real outside (NBMA) address of the destination spoke. Once spoke 1 has this information it can initiate a GRE/IPsec tunnel to spoke 2, since it now holds spoke 2's NBMA address. The dynamic spoke-to-spoke tunnel is built over the mGRE interface, and when the traffic ceases the spoke-to-spoke tunnel is removed. We can also configure ISAKMP keepalives (dead peer detection packets) to kill a tunnel whose peer has gone away. Hence the two main components of DMVPN are NHRP and the mGRE interface.
HUB Configuration (HUB-iBGP.rtf) :- The hub acts as route reflector for spoke 1 and spoke 2. Use the same BGP AS on spoke 1, spoke 2 and the HUB router. On the HUB router the internet traffic is routed via EIGRP in the global VRF, and tunnel traffic via iBGP over VRF HOPA. Attached is the configuration, along with show commands for IKE, IPsec, NHRP, sockets and routes. In the phase 2 output, look for the SA protected in VRF HOPA; the BGP routes are also in VRF HOPA.
Spoke configuration (spoke1-iBGP.rtf, spoke2-iBGP.rtf) :- The spokes are in the same BGP AS and are configured as route-reflector clients. The spokes carry internet traffic via EIGRP in VRF DSL#1 and tunnel traffic via iBGP in the global VRF. Attached are the config and show commands; in the IKE/IPsec SA output we see a direct spoke-to-spoke tunnel once we initiate traffic between 126.96.36.199 and 188.8.131.52 (simulated as LAN subnets).
HUB Configuration (hub-eBGP.rtf) :- The HUB is in AS 1 and the spokes are in a different AS. On the HUB router the internet traffic is routed via EIGRP in the global VRF, and tunnel traffic via iBGP over VRF HOPA. Within address-family vrf HOPA we need to define the remote AS, a peer group and next-hop-unchanged, list the spoke neighbors, and advertise the networks.
Spoke configuration (sp1-sp2-eBGP.rtf) :- The spokes are in AS 2, and toward the HUB the local-as is defined as 21719. The spokes carry internet traffic via EIGRP in VRF DSL#1 and tunnel traffic via iBGP in the global VRF. Also configure "allowas-in" under the BGP configuration so that prefixes on each spoke can be re-advertised even with a duplicate AS number in the path.
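The BGP sections below are an added example for the eBGP variant, not the attached hub-eBGP.rtf / sp1-sp2-eBGP.rtf configs. They assume the same Tunnel0, VRF HOPA and VRF DSL#1 setup as in the iBGP case (10.0.0.1 hub, 10.0.0.2 and 10.0.0.3 spokes, 192.168.x.0/24 LANs, all assumed values). The post says local-as 21719 is defined toward the HUB; this example assumes it is set on the spokes' neighbor statement, so the hub peers with remote-as 21719. The two lines that make spoke-to-spoke work in this design are next-hop-unchanged on the hub (eBGP would otherwise rewrite the next hop to the hub, and every spoke-to-spoke flow would hairpin) and allowas-in on the spokes (both spokes sit in AS 2, so each other's prefixes arrive with the spoke's own AS already in the path and would be dropped by loop detection).

```ios
! ===== HUB: AS 1, peers with the spokes inside VRF HOPA (assumed values) =====
router bgp 1
 address-family ipv4 vrf HOPA
  neighbor SPOKES peer-group
  ! spokes present themselves as 21719 through local-as on their side
  neighbor SPOKES remote-as 21719
  neighbor SPOKES update-source Tunnel0
  ! keep the originating spoke's tunnel address as next hop so the receiving
  ! spoke resolves it via NHRP and builds a direct spoke-to-spoke tunnel
  neighbor SPOKES next-hop-unchanged
  neighbor 10.0.0.2 peer-group SPOKES
  neighbor 10.0.0.3 peer-group SPOKES
  network 192.168.0.0 mask 255.255.255.0
 exit-address-family
!
! ===== SPOKE 1: AS 2, peers with the hub from the global VRF =====
router bgp 2
 neighbor 10.0.0.1 remote-as 1
 ! appear as AS 21719 toward the hub, as the post describes
 neighbor 10.0.0.1 local-as 21719
 neighbor 10.0.0.1 update-source Tunnel0
 address-family ipv4
  neighbor 10.0.0.1 activate
  ! spoke 2's prefixes come back with AS 2 in the path; without allowas-in
  ! the AS-path loop check drops them silently and spoke-to-spoke never forms
  neighbor 10.0.0.1 allowas-in
  network 192.168.1.0 mask 255.255.255.0
 exit-address-family
!
! spoke 2 is identical apart from tunnel address 10.0.0.3 and its LAN prefix
```

A quick check after applying this: `show ip bgp 192.168.2.0` on spoke 1 should show the next hop as 10.0.0.3 (spoke 2's tunnel address), not 10.0.0.1. If the next hop is the hub, next-hop-unchanged is missing; if the prefix is absent entirely while the hub has it in VRF HOPA, allowas-in is the first thing to verify.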