02-12-2019 01:19 PM - edited 02-21-2020 09:33 PM
Greetings,
Easy question: I'm developing a plan for a basic IPsec hub/spoke design using VTI. Eventually we will move to DMVPN, but we have to start simple. My question is, best-practice-wise, should you use a /30 subnet between hub and spoke, or a larger subnet like a /24? Coming from the old-school days of T1/T3, we would prefer a /30 on serial interfaces, but these are VPNs, which are a bit different, and I need to consider a future transition to a DMVPN/FlexVPN setup. Thoughts?
An example:

/30 per hub-spoke tunnel:
  Hub A  interface T0 - 10.20.10.5/30  <-->  Spoke A  int t0 - 10.20.10.6/30
  Hub B  interface T0 - 10.10.10.5/30  <-->  Spoke A  int t1 - 10.10.10.6/30

VS.

/24 per hub-spoke tunnel:
  Hub A  interface T0 - 10.20.10.5/24  <-->  Spoke A  int t0 - 10.20.10.6/24
  Hub B  interface T0 - 10.10.10.5/24  <-->  Spoke A  int t1 - 10.10.10.6/24
02-12-2019 01:35 PM
Hi,
On a DMVPN network you would normally size the subnet for the total number of peers, so for a couple of hundred peers a /24 would suffice.
If you plan on implementing FlexVPN, it's quite common to use the ip unnumbered command on the tunnel interface or virtual-template. This allows you to define a loopback interface with a /32 IP address and still have the router establish connectivity with a peer. Example here.
HTH
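As an added example (not part of the thread, and not taken from the linked FlexVPN document), the three tunnel addressing styles discussed above side by side on a hub: a point-to-point IPsec VTI with a /30 per spoke as in the original question, a DMVPN mGRE tunnel with one subnet sized for all peers, and a FlexVPN virtual-template that borrows a /32 loopback with ip unnumbered. Interface names, the 10.x.x.x ranges, the spoke's public address 198.51.100.10 and the IPsec profile names are assumed for illustration. Each style needs the matching crypto (ISAKMP/IKEv2 policy, keyring or certificates, transform set, IPsec profile) and, for DMVPN/FlexVPN, a routing protocol or IKEv2 route exchange, which are omitted here.

```cisco
! Added example, not from the thread. Names and addresses are assumed.

! 1) Basic IPsec VTI: one point-to-point tunnel and one /30 per hub-spoke pair.
interface Tunnel0
 description VTI to Spoke A (/30 per spoke, as in the original question)
 ip address 10.20.10.5 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF

! 2) DMVPN: a single mGRE tunnel whose subnet is sized for all spokes (/24 here).
interface Tunnel1
 description DMVPN mGRE hub, one /24 shared by every spoke
 ip address 10.30.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-PROF

! 3) FlexVPN hub: the virtual-template has no address of its own and instead
!    borrows the /32 on Loopback0 via ip unnumbered; each spoke session gets a
!    cloned virtual-access interface, so no per-spoke subnet is needed.
interface Loopback0
 ip address 10.40.0.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IKEV2-PROF
```

Only the tunnel addressing differs between the three: the VTI style consumes one /30 per spoke and one tunnel interface per spoke on the hub, the DMVPN style consumes one subnet for the whole overlay, and the FlexVPN style consumes a single /32 per router regardless of peer count.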
02-12-2019 03:18 PM
Thanks for the feedback. A question though: in the example link for unnumbered, it seems that they are doing a /32 match in the EIGRP block, but then they use a /24 under Loopback0. I would have thought they would have just made that a /32 on L0?
02-12-2019 03:22 PM