Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
966
Views
0
Helpful
3
Replies

Best Practice for subnet to use for IPSEC/VTI

Professor_Pickles
Level 1
Level 1

‎02-12-2019 01:19 PM - edited ‎02-21-2020 09:33 PM

Greetings, 

 

Easy question, I'm developing a plan for a basic IPSEC hub/spoke design using VTI, eventually will move to DMVPN, but have to start simple. My question is, best practice wise should you use a /30 subnet between hub and spoke or a larger subnet like /24? Coming from the old school days of T1/T3, we would prefer /30 on serial interfaces, but these are VPN's which a bit different and need to consider a future transition to DMVPN/FlexVPN setup. Thoughts?

 

An example: 

 

Hub A  Spoke A
int t0 - 10.20.10.6/30


int t1 - 10.10.10.6/30
interface T0 - 10.20.10.5/30
 
Hub B
interface T0 - 10.10.10.5/30

 

 VS.

 

 

Hub A  Spoke A
int t0 - 10.20.10.6/24


int t1 - 10.10.10.6/24
interface T0 - 10.20.10.5/24
 
Hub B
interface T0 - 10.10.10.5/24

 

 

 

 

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎02-12-2019 01:35 PM

Hi,
On a DMVPN network you would normally scale the subnet for the total number of peers, so if a couple of hundred of peers a /24 would suffice.

 

If you plan on implementing FlexVPN it's quite common to use the ip unnumbered command on the tunnel interface or virtual-template. This allows you to define a loopback interface with a /32 ip address and still be able to router to establish connectivity with a peer. Example here

 

HTH

0 Helpful

Professor_Pickles
Level 1
Level 1
In response to Rob Ingram

‎02-12-2019 03:18 PM

Thanks for the feedback, question though, in the example link for unnumbered it seems that they are doing a /32 match in the EIGRP block, but then they use a /24 under the loopback0. Would have thought they would have just made that a /32 on l0?

0 Helpful

Rob Ingram
VIP
VIP
In response to Professor_Pickles

‎02-12-2019 03:22 PM

In their examples they are indicating the use of establishing an EIGRP session between peers in different subnets, in this instance different /24 networks. The same principle applies if you were to use a /32 which would obviously be more efficient and waste less IP addresses.

HTH
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents