Let's say you have a couple of virtual routers like CSRs that will be the hubs to replace a couple of other virtual or physical routers that are hubs using IKEv1 crypto maps, for spoke routers of course using the same. What is the best way to deploy these two new CSRs in conjunction with the current virtual or physical routers, but instead of using legacy IPsec with crypto maps use perhaps VTI or FlexVPN with IPsec, all while keeping the tunnel source and destination IPs the same?
Is there a way to do this in conjunction with the current tunnels so you can just fail over or delete the legacy tunnel configs on the spokes and hubs?
Is something like FlexVPN or even DMVPN a good option if you don't want the spoke routers communicating with other spokes?
You can use the mechanisms built into the VPN solutions. With FlexVPN you can use the FlexVPN Client on the spoke routers; this defines a list of the Hub routers, and the spoke connects to the first hub until failure, at which point it will connect to the next hub in the list. Alternatively you could use the FlexVPN Load Balancer (which uses HSRP): the spoke connects to the LB IP address, which will distribute the connections to the least loaded FlexVPN Hub router.
If you wish to use DMVPN instead, you can define all Hub routers and then use the command "ip nhrp nhs cluster 1 max-connections 1" to allow a VPN to be established to the first Hub router; upon failure it will connect to the next. Alternatively you could allow a VPN to be established between the spoke routers and multiple Hubs, and use the routing protocol to introduce a delay.
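As an added illustration that is not part of the answer above, a DMVPN spoke configuration using the NHS cluster mechanism just described: two hubs in one cluster with a single active connection, IKEv2 with a pre-shared key instead of an IKEv1 crypto map, and no NHRP shortcut so spoke traffic stays hub-and-spoke. All addresses, names, the tunnel key and the PSK are constructed placeholders, and the exact command syntax should be checked against the IOS XE release in use.

```ios
! IKEv2 keyring: one wildcard peer entry covering both hubs (constructed PSK)
crypto ikev2 keyring KR-DMVPN
 peer HUBS
  address 0.0.0.0 0.0.0.0
  pre-shared-key PLACEHOLDER-PSK
!
! IKEv2 profile used in place of the legacy IKEv1 ISAKMP policy
crypto ikev2 profile IKEV2-DMVPN
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-DMVPN
!
! Transport mode is sufficient because GRE already encapsulates the traffic
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-DMVPN
 set transform-set TS-AES256
 set ikev2-profile IKEV2-DMVPN
!
! mGRE tunnel protected by the profile above; the tunnel source stays the
! physical interface that the old crypto-map tunnels already used
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip nhrp network-id 1
 ! Primary hub (priority 1) and backup hub (priority 2), both in cluster 1
 ip nhrp nhs 10.255.0.1 nbma 203.0.113.1 multicast priority 1 cluster 1
 ip nhrp nhs 10.255.0.2 nbma 203.0.113.2 multicast priority 2 cluster 1
 ! Keep only one registration active; fail over to the next hub on loss
 ip nhrp nhs cluster 1 max-connections 1
 ! No "ip nhrp shortcut" here (Phase 1): spokes never build direct tunnels
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPSEC-DMVPN
```

On the hubs, leaving out "ip nhrp redirect" on the tunnel interface keeps the spokes from ever being told to build spoke-to-spoke tunnels.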