09-11-2018 05:44 PM - edited 03-08-2019 04:08 PM
Dear All,
Please help me:
10-10-2018 05:21 AM
Hi
Here are my answers.
1. Yes, BGP is enough as soon as your ISP advertises your default route, which is standard. No need to add static routes here for this.
2. You can use a loopback, but as you're peering with your ISP, you'll use your physical interface and that's ok, no worries.
3. No additional protocols are needed.
4. Your spoke and hub routers will peer with your ISP for the underlay network. Then, with DMVPN, they will peer with your HUB and, using DMVPN Phase 3, if needed, each spoke will build up a dynamic tunnel to the other spoke when traffic must go from one to the other. Here you will have BGP with the ISP, and you can also use BGP for DMVPN, which is considered the overlay network.
5. If you have 2 IPs at the hub router, yes, in your tunnel configuration you will have 2 NHRP maps pointing to both Hub IPs. By default, both NHRP mappings will be up, but if you use the cluster capability at the spoke side, you can have only 1 up and the other pre-built. It will become the hub when the first goes down.
10-10-2018 06:17 AM - edited 10-10-2018 06:20 AM
Hi,
Thanks for your help.
Now I am clear on No. 2 to 4.
But I am not clear on No. 1. Do you mean I need to run a default route in each site?
In my lab I never run a default route. :P
Second, I tested AS-path prepend at the HUB site. Is it only for incoming traffic?
E.g.
router bgp 65500
nei 10.100.1.1 remote-as 200
nei 10.100.1.1 description ISP peer
nei 10.100.1.1 route-map prepend out
route-map prepend permit 10
set as-path prepend 65500
Do we still need to use the weight attribute together with it for fail-over?
And can we change the holdtime timer to reduce the fail-over time? Which way is better?
10-10-2018 06:44 PM
10-12-2018 01:17 AM
Hi Francesco Molino,
I am clear now. Last time I thought I was using a private network (our network cannot access the internet), so we don't need to use a default route.
Let me ask another question about the Cisco 892 router.
This router has 8 LAN ports and 2 WAN ports.
So I carry my LAN with a trunk. My network doesn't need internet access, so I didn't use NAT.
I use a static route to our DC only.
I would like to ask: when I bind my ACL to the interface, all traffic is denied. I can ping without binding the ACL rule on the interface. What's wrong?
And I would like to know: we bought Cisco 2960 LAN Lite switches. I knew LAN Lite cannot support ACLs, is that correct?
If I want to use ACLs on LAN Lite, what should I do?
interface GigabitEthernet7
switchport trunk native vlan 7
switchport trunk allowed vlan 1,2,200-203,1001-1005
switchport mode trunk
ip access-list access-group in
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet9
ip address 10.1.1.111 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan30
ip address 10.100.201.1 255.255.255.224
!
interface Vlan40
ip address 10.100.201.65 255.255.255.224
!
interface Vlan50
ip address 10.100.201.97 255.255.255.224
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
access-list 101 permit ip 10.100.201.0 0.0.0.32 10.1.14.0 0.0.0.255
access-list 101 permit ip 10.100.201.0 0.0.0.32 10.100.201.0 0.0.0.32
access-list 101 permit ip 10.100.201.0 0.0.0.32 10.1.5.0 0.0.0.255
access-list 101 deny ip any any
!
10-13-2018 08:43 PM
10-14-2018 12:40 AM - edited 10-14-2018 07:27 AM
Hi,
Sorry, my questions confused you.
The first question means I configured ACL rules in the C892 router. The configuration sample is what I configured in the router. When I enable those ACL rules on the router interface, all traffic is denied. I try to carry traffic with a trunk and I created SVIs in the router C892. I want to restrict access between these SVIs.
interface GigabitEthernet7
switchport trunk native vlan 7
switchport trunk allowed vlan 1,2,200-203,1001-1005
switchport mode trunk
ip access-list access-group in
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet9
ip address 10.1.1.111 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan30
ip address 10.100.201.1 255.255.255.224
!
interface Vlan40
ip address 10.100.201.65 255.255.255.224
!
interface Vlan50
ip address 10.100.201.97 255.255.255.224
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
access-list 101 permit ip 10.100.201.0 0.0.0.32 10.1.14.0 0.0.0.255
access-list 101 permit ip 10.100.201.0 0.0.0.32 10.100.201.0 0.0.0.32
access-list 101 permit ip 10.100.201.0 0.0.0.32 10.1.5.0 0.0.0.255
access-list 101 deny ip any any
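As an added check that is not part of the thread, the ACL 101 posted above can be evaluated offline with Cisco wildcard semantics (a 1 bit in the wildcard means "don't care"). It shows why a wildcard of 0.0.0.32 matches only 10.100.201.0 and 10.100.201.32, so every other host in the /27 falls through to the final deny, while 0.0.0.31 covers the whole /27; the sample flows are constructed from the SVI addresses in the configuration.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care',
    a 0 bit must equal the corresponding bit of the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def addresses_covered(wildcard: str) -> int:
    """How many addresses one base/wildcard pair can match (2 ** don't-care bits)."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def _parse_addr(toks):
    # 'any' and 'host X' are the two IOS shorthands; otherwise 'BASE WILDCARD'.
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_acl(text: str):
    """Parse numbered extended entries of the form: access-list N permit|deny ip SRC DST."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        entries.append((parts[2], src, dst))
    return entries

def evaluate(entries, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# ACL 101 exactly as posted in the thread, and the same ACL with the /27
# wildcard corrected (a /27 has 5 host bits, so its wildcard is 0.0.0.31).
POSTED_ACL = """
access-list 101 permit ip 10.100.201.0 0.0.0.32 10.1.14.0 0.0.0.255
access-list 101 permit ip 10.100.201.0 0.0.0.32 10.100.201.0 0.0.0.32
access-list 101 permit ip 10.100.201.0 0.0.0.32 10.1.5.0 0.0.0.255
access-list 101 deny ip any any
"""
CORRECTED_ACL = POSTED_ACL.replace("0.0.0.32", "0.0.0.31")
```

Even with the corrected wildcard, hosts on Vlan40 (10.100.201.65/27) and Vlan50 (10.100.201.97/27) are outside the 10.100.201.0/27 source range and are still denied, so each SVI subnet needs its own permit entries.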
10-15-2018 05:40 AM
10-21-2018 05:48 PM
10-22-2018 09:29 PM
10-26-2018 12:43 AM
10-26-2018 05:44 PM
11-07-2018 02:02 AM
Hi,
I would like to recall DMVPN and IPsec. Now I need to integrate these two scenarios together,
but I am confused about how to apply ACL rules for these two tunnels in the branches. I mean, how do I configure them?
Let me know, for IPsec should I use VTI? Which one is more preferable?
11-07-2018 04:10 AM
Hello,
VTI is the easiest way to configure in your scenario, as there is no need for crypto maps and access lists. All you need is static routes...
11-07-2018 05:01 AM
11-07-2018 05:04 AM
Hello,
Basically you use static routes with the tunnel as the outgoing interface.
This thread is very long; can you post your current configuration?