To configure a simple single tiered headened, single cloud single hub, spoke-to-spoke DMVPN
There are numerous excellent documents on CCO about configure some very complex spoke-to-spoke scenarios, but it's very diffcult to find one that simply shows you how to configure a simple spoke-to-spoke DMVPN cloud.
The biggest difference between a hub-and-spoke and spoke-to-spoke tunnel is the manner in whic traffic between two spokes are routed. As in the hub-and-spoke model, the spoke-to-hub tunnels are continuously up, however, unlike in hub-and-spoke, when one spoke wants to communicate to another spoke it doesn't do so via the hub. Instead, when a spoke wants to transmit a packet to another spoke, it uses NHRP to dynamically determine the required destination address of the target spoke. The hub router acts as the NHRP server and handles this request for the source spoke, but there ends it's role in this particular transaction. The two spokes then dynamically create an IPsec tunnel between them (via the single mGRE interface) and data can be directly transferred. This dynamic spoke-to-spoke tunnel will be automatically torn down after a (configurable) period of inactivity.
Now because the tunnel is dynamic, there are a couple of things that you need to keep in mind when configuring a spoke-to-spoke DMVPN:
1. The spokes can no longer be a point-to-point tunnel. Like the hub they will need to be able to dynamically accept incoming SA requests. Hence, all tunnels in a spoke-to-spoke setup are multipoint (aka mGRE) tunnels.
2. The spokes still learn all routing updates via the hub, since the EIGRP(or any other dynamic Routing Protocol) neighborships are still formed only between the hub and the spoke. Therefore, the hub must be configured so that it doesn't set itself as the next hop for all routes that it advertises. This way, the spoke will learn the original next hop of a particular subnet, and accordingly try to build a tunnel to that "next hop"(spoke) when routing traffic to that subnet.
Hello all, I have 2 ASA connected with a similar configuration than the attached file. If I need to connect, let´s say, 10 more ASAs between them (full mesh). What is the easiest way to do it? I have to create new tunnel-group and a interface for eac...
Hi Team, Is there any repository for the SecureX playbooks/workflows? I see the default workflows that are already available ("Submit URL to Threat Grid", "Take Forensic Snapshot", etc), how can I see/access some popular or recommended workflows to g...
Meet the Authors Video - CCIE Security and Practical Applications in Today’s Network: Zero Trust
(Live event – Thursday, 29th, 2020 at 10:00 a.m. Pacific / 1:00 p.m. Eastern / 6:00 p.m. Paris)
This event had place on Thursday 29th, October 2020 at 10hrs ...