Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
769
Views
5
Helpful
4
Replies

Cisco FlexVPN with three Hubs connectivity

KENNEDY BIZUAYEHU TADEGE
Level 1
Level 1

‎12-18-2020 12:18 PM

Dear All,

 

we've implemented FlexVPN network for organization with hundreds of branches with two hubs at head office and one at the DR sites and we're using BGP on all Hubs and Spokes.

 

we've connected branches to the HQ hubs with client profile, what is the best method to connect the branches to the DR Hub and DR Hub to the HQ Hubs for replication ?

we're using dynamic tunnel ip addresses from the HUbs.

 

regards

Labels:
4 Replies 4

Rob Ingram
VIP
VIP

‎12-18-2020 12:28 PM

Hi @KENNEDY BIZUAYEHU TADEGE 

You could use the FlexVPN client on the spoke routers to specify the order of the hubs you wish to connect to. The spoke will connect to the first IP address and only connect to the next if the first fails. E.g.

 

crypto ikev2 client flexvpn Flex_Client
 peer 1 172.25.1.1
 peer 2 172.25.2.1

Example here:-

 https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116413-configure-flexvpn-00.html

0 Helpful

KENNEDY BIZUAYEHU TADEGE
Level 1
Level 1
In response to Rob Ingram

‎12-18-2020 12:40 PM

Thanks Rob for your fast response.

 

the network is currently working with two of the hubs installed at the HQ and we want to add a new Hub at the DR.

our concern is how can we connect DR hub (bgp) to the HQ Hubs (bgp), for DR to Branches connectivity we're planning to add a new tunnel.

please advise !

 

0 Helpful

Rob Ingram
VIP
VIP

‎12-18-2020 12:49 PM - edited ‎12-18-2020 12:59 PM

Do you already have 2 active tunnels to the 2 HQ hubs?

 

If you added another tunnel you'd need the routing protocol to prefer the DR Hub the least, so traffic would only be routed over that tunnel in the event the other 2 hubs failed. The downside is you'd have multiple active tunnels.

 

If you used the FlexVPN client then you just specify the Hubs in order you wish to connect to, add the DR last on the list and the spoke will only connect if the first 2 hubs are down. You'd only ever have 1 active tunnel.

 

There are several options, the suggests above are the most common.

0 Helpful

KENNEDY BIZUAYEHU TADEGE
Level 1
Level 1
In response to Rob Ingram

‎12-18-2020 01:18 PM

we've one tunnel with client profile from branches to the HQ but planning to add a new tunnel with separate client profile from branches to the DR.

what's the downside of having a separate tunnel to the DR and what's the preferred way to connect the DR to the HQ? both sites are hubs with iBGP routing.

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents