Best Practice for subnet to use for IPSEC/VTI

Greetings, 

 

Easy question, I'm developing a plan for a basic IPSEC hub/spoke design using VTI, eventually will move to DMVPN, but have to start simple. My question is, best practice wise, should you use a /30 subnet between hub and spoke or a larger subnet like /24? Coming from the old school days of T1/T3, we would prefer /30 on serial interfaces, but these are VPNs, which are a bit different, and I need to consider a future transition to a DMVPN/FlexVPN setup. Thoughts?

 

An example:

/30 per tunnel:

Hub A
  interface Tunnel0 - 10.20.10.6/30

Hub B
  interface Tunnel0 - 10.10.10.5/30

Spoke A
  interface Tunnel0 - 10.20.10.5/30 (to Hub A)
  interface Tunnel1 - 10.10.10.6/30 (to Hub B)

VS. /24 per tunnel:

Hub A
  interface Tunnel0 - 10.20.10.6/24

Hub B
  interface Tunnel0 - 10.10.10.5/24

Spoke A
  interface Tunnel0 - 10.20.10.5/24 (to Hub A)
  interface Tunnel1 - 10.10.10.6/24 (to Hub B)

3 Replies

RJI (VIP Advocate)

Re: Best Practice for subnet to use for IPSEC/VTI

Hi,
On a DMVPN network you would normally scale the subnet to the total number of peers, so for a couple of hundred peers a /24 would suffice.

 

If you plan on implementing FlexVPN it's quite common to use the ip unnumbered command on the tunnel interface or virtual-template. This allows you to define a loopback interface with a /32 IP address and still allow the router to establish connectivity with a peer. Example here.

 

HTH
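An added configuration example, not from the original thread or from the Cisco page RJI links to, showing the ip unnumbered pattern described above: a FlexVPN hub terminating spokes on a virtual-template and one spoke, each with a /32 on Loopback0, with EIGRP advertising the loopbacks so the hub-spoke adjacency forms without any shared tunnel subnet. Every name and address is an assumption: hub WAN address 203.0.113.1, GigabitEthernet0/0 as tunnel source, loopbacks 10.0.0.1 and 10.0.0.11, LAN prefixes 192.168.1.0/24 and 192.168.11.0/24, EIGRP AS 100, and a pre-shared key chosen only for brevity. The IKEv2 proposal, policy and transform set are left to the IOS smart defaults.

```cisco
! ===== HUB (assumed WAN address 203.0.113.1) =====
! One /32 loopback is shared by every spoke session via ip unnumbered,
! so no per-spoke /30 or shared /24 has to be planned up front.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Lab-only wildcard PSK: any peer that knows it can bring up a tunnel.
! Use per-peer keys or certificates in production.
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key Lab-PSK-Change-Me
!
crypto ikev2 profile FLEX-HUB
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 virtual-template 1
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-HUB
!
! Each spoke gets its own Virtual-Access cloned from this template.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! /32 wildcard matches only the loopback, as in the linked example's EIGRP block.
router eigrp 100
 network 10.0.0.1 0.0.0.0
 network 192.168.1.0 0.0.0.255
!
! ===== SPOKE (assumed loopback 10.0.0.11) =====
interface Loopback0
 ip address 10.0.0.11 255.255.255.255
!
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 203.0.113.1
  pre-shared-key Lab-PSK-Change-Me
!
crypto ikev2 profile FLEX-SPOKE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-SPOKE
!
! Static VTI toward the hub; borrows the /32 from Loopback0.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
router eigrp 100
 network 10.0.0.11 0.0.0.0
 network 192.168.11.0 0.0.0.255
```

After the tunnel comes up, `show crypto ikev2 sa` on either side should list the peer, and `show ip eigrp neighbors` should show the adjacency on the spoke's Tunnel0 and the hub's Virtual-Access interface even though 10.0.0.1/32 and 10.0.0.11/32 are different subnets: EIGRP skips its same-subnet neighbor check on unnumbered interfaces, which is what makes the /32 design work. Two checks worth doing before trusting it: confirm with `show ip route 203.0.113.1` on the spoke that the hub's WAN address is still reached via the underlay and not learned through the tunnel (otherwise the tunnel flaps on recursive routing), and replace the wildcard `address 0.0.0.0 0.0.0.0` keyring peer with per-spoke identities or certificate authentication so one leaked key does not admit arbitrary spokes.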

Re: Best Practice for subnet to use for IPSEC/VTI

Thanks for the feedback. Question though: in the example link for unnumbered it seems that they are doing a /32 match in the EIGRP block, but then they use a /24 under Loopback0. I would have thought they would have just made that a /32 on Lo0?

RJI (VIP Advocate)

Re: Best Practice for subnet to use for IPSEC/VTI

In their examples they are indicating the use of establishing an EIGRP session between peers in different subnets, in this instance different /24 networks. The same principle applies if you were to use a /32, which would obviously be more efficient and waste fewer IP addresses.

HTH