DMVPN hub & multiple spokes w/ same subnet

I have multiple (about 70!) sites, but each site has the exact same LAN (192.168.2.0/24). Each site has an ISR800.

At my home office, I have a DMVPN hub (ISR4331) configured. At my home office, I have one network that each of the clients on my spokes need access to (192.168.10.0/24).

All other access for spoke clients should go straight to the internet through that router's WAN connection. Spokes will never talk to each other.

My tunnels are all in the 172.16.0.0/23 network, with 172.16.0.1 being the hub.

What's the best way to do this? I feel like some sort of NAT would be the solution, but I'm not sure what direction to look in. I've found other posts about duplicate networks, but only for a single network duplication... not 70x.

1 ACCEPTED SOLUTION


I think I would consider using EasyVPN server instead of DMVPN. It can do the NAT for you automatically.

http://www.cisco.com/c/en/us/products/collateral/security/ios-easy-vpn/eprod_qas0900aecd805358e0.html

Otherwise if you use DMVPN, then yes, you will need to NAT each LAN to the Tunnel interface IP address.  Just treat the Tunnel interface like any other outside IP address.  You'll need to use a route-map to match traffic going to the Internet interface and another for traffic going to the Tunnel interface.

Something like:

! Spoke router: PAT the whole LAN to whichever "outside" interface the
! packet leaves on. Every spoke's LAN is 192.168.2.0/24, so the hub only
! ever sees each spoke's unique Tunnel0 address as the source.
! Prerequisite (not shown): Tunnel0 and Dialer0 configured "ip nat outside",
! the LAN interface "ip nat inside".
ip nat inside source route-map NAT-TUNNEL interface Tunnel0 overload
ip nat inside source route-map NAT-INTERNET interface Dialer0 overload
!
! Both route-maps match the same source LAN; "match interface" selects the
! translation according to the egress interface chosen by the route lookup.
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
!
route-map NAT-TUNNEL permit 10
 match ip address 105
 match interface Tunnel0
!
route-map NAT-INTERNET permit 10
 match ip address 105
 match interface Dialer0

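To make the mechanism in the answer above concrete, here is an added simulation (not part of the original thread, and not Cisco code) of 70 spokes whose LANs are all 192.168.2.0/24, each applying the two route-map NAT rules. It shows that with the NAT-TUNNEL rule the hub at 172.16.0.1 sees one distinct source per spoke and a reply can be un-translated back to the right inside host, that without it every spoke presents the same 192.168.2.x source, and that Internet-bound traffic leaves with the Dialer0 address instead. The spoke Tunnel0 addresses (172.16.0.2 upward), the Dialer0 addresses (203.0.113.0/24) and the host/port values are constructed for the example.

```python
"""Simulation of per-spoke overload NAT toward a DMVPN hub (added example).

Spoke tunnel addresses 172.16.0.2.., Dialer0 addresses 203.0.113.x and the
sample hosts are assumed values, not taken from the thread.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

HUB_LAN = ip_network("192.168.10.0/24")   # the only network reached via the tunnel
SPOKE_LAN = ip_network("192.168.2.0/24")  # identical at every spoke (access-list 105)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Spoke:
    """One spoke router: route lookup, route-map NAT selection, PAT table."""
    tunnel_ip: str           # Tunnel0 address ("outside" toward the hub)
    dialer_ip: str           # Dialer0 address ("outside" toward the Internet)
    nat_tunnel: bool = True  # NAT-TUNNEL route-map present?
    nat_internet: bool = True
    _next_port: int = 1024
    _table: dict = field(default_factory=dict)  # (out_ip, out_port) -> (in_ip, in_port)

    def egress(self, dst: str) -> str:
        # Hub LAN rides the tunnel; everything else follows the WAN default route.
        return "Tunnel0" if ip_address(dst) in HUB_LAN else "Dialer0"

    def outbound(self, pkt: Packet) -> Packet:
        iface = self.egress(pkt.dst)
        in_acl = ip_address(pkt.src) in SPOKE_LAN  # "match ip address 105"
        if iface == "Tunnel0" and self.nat_tunnel and in_acl:
            out_ip = self.tunnel_ip                # "match interface Tunnel0"
        elif iface == "Dialer0" and self.nat_internet and in_acl:
            out_ip = self.dialer_ip                # "match interface Dialer0"
        else:
            return pkt  # no rule matched: leaves with its private source
        out_port = self._next_port                 # "overload": one address, many ports
        self._next_port += 1
        self._table[(out_ip, out_port)] = (pkt.src, pkt.sport)
        return Packet(out_ip, out_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Packet:
        # Reply path: restore the inside host from the (outside ip, port) binding.
        inside = self._table.get((pkt.dst, pkt.dport))
        if inside is None:
            return pkt
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


def build_spokes(n: int = 70, nat_tunnel: bool = True) -> list:
    # Hub is 172.16.0.1; spokes numbered 172.16.0.2.. within 172.16.0.0/23 (assumed).
    return [Spoke(f"172.16.0.{i + 2}", f"203.0.113.{i + 1}", nat_tunnel=nat_tunnel)
            for i in range(n)]


def hub_view(spokes) -> set:
    """Source addresses the hub sees when host 192.168.2.50 behind every spoke
    connects to 192.168.10.5:443."""
    return {s.outbound(Packet("192.168.2.50", 50000, "192.168.10.5", 443)).src
            for s in spokes}


def round_trip(spoke: Spoke) -> Packet:
    """Hub reply to the translated flow, delivered back through the spoke."""
    out = spoke.outbound(Packet("192.168.2.50", 50000, "192.168.10.5", 443))
    reply = Packet(out.dst, out.dport, out.src, out.sport)
    return spoke.inbound(reply)


def internet_source(spoke: Spoke) -> str:
    """Internet-bound traffic must use the Dialer0 address, not the tunnel's."""
    return spoke.outbound(Packet("192.168.2.50", 50001, "198.51.100.10", 80)).src


if __name__ == "__main__":
    print("distinct sources at hub with NAT-TUNNEL:", len(hub_view(build_spokes())))
    print("distinct sources at hub without it:     ",
          len(hub_view(build_spokes(nat_tunnel=False))))
    print("hub reply after un-translation:", round_trip(build_spokes()[0]))
```

Because the translation is overload (PAT), only spoke-initiated flows work: the hub has no binding for a connection it originates toward a 192.168.2.x host, which fits the one-way requirement in the question but rules out hub-to-spoke management of LAN hosts without static entries.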

AH Wow. So, I'd gotten stuck earlier because I'd only applied a route-map for the tunnel NAT, and nothing worked. Thank you very much!!!

Also, I looked into EasyVPN, and I have a few questions.  

1) Other than the dynamic NAT piece, are there any other reasons you would use easyvpn for this type of deployment?

2) I've never touched EasyVPN :( You wouldn't happen to know where I could see a config example / guide for the type of deployment I'm doing? I saw something called network extension mode that looks *similar* to what I'm doing, but not exact. But I'm having difficulty finding good examples. Of course, I've only looked for about 10 - 15 minutes too...

Again, thanks for the help mate!


1. DMVPN provides a fully routed any-site-to-any-site solution. You don't require LAN access for local spokes, and spokes don't need to talk to other spokes.

2. You should not use network extension mode. Below is quite a complex full solution. You should be using "Client Mode".

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd80267995.html
