DMVPN without NHRP

Scott Pettit
Level 9

Hi all,

The scenario I'm trying to solve is for a managed internet access product we are building where by we want to roll out the 867VAE on a mass scale to smaller sites.

For every one of our customers at present we have them all on a full DMVPN with spoke to spoke firewalled except from internal networks (so we can see our customers from multiple sites, but customers can't see each other).

The 867VAE does not support DMVPN though, but we still need a simple remote access/management solution.

My thinking is:

Head End

1. Create mGRE interface with NO NHRP but still enable encryption

2. Enable RIP (only choice on 867VAE)

867VAE CPE:

1. Create PtP GRE interface with encryption and RIP.

Before I spend hours testing this - can anyone see a reason why it wouldn't work?

Our requirement here is that we want full visibility of the customer's network (PC's/servers) so it needs encryption but we are not running voice over this or anything that would need the full DMVPN features.

Thanks,

Scott


Marcin Latosiewicz
Cisco Employee

Scott,

Probably not the only options but here goes.

NHRP registration is the way hub learns how to get to spoke, i.e. this tunnel address is hidden behind this public ip.

The alternative is to use static mappings on hub or p2p interfaces on hub sides (provided there is no dynamic IP address).

And if different solutions are an option:

1) if the 867 supports IKEv2/FlexVPN, you should be able to push routing information via IKE/IPsec and not have the registration problem.

2) similar to 1) but in IKEv1 world - SVTI-DVTI solution.

HTH,

Marcin

Hmm, so there is no way for the hub to dynamically learn about the spokes as they register?

I can still use NTP to bring the tunnel up from the remote side... The 867VAE does not have NHRP.

We are using static IPs for each site, but I want to keep provisioning simple; otherwise we may end up with 1000 NHRP mappings in the hub and that sounds hard to manage.

I think your suggestion #2 might be possible with 867 as it supports EasyVPN Client so should have VTI - how are you suggesting this would be used?

Scott,

Config and concept similar to this:

https://supportforums.cisco.com/thread/2089906

And you can run RIP on top.

M.

Hi Marcin,

That looks like it may do what I need - can I still prevent spokes routing via the hub though? We only want hub <--> spoke communication.

With our DMVPN tunnels we have an ACL on the hub tunnel interface to limit traffic to our internal nets only. VTI spawns tunnels on the fly, so I'm not sure how that will impact this.

Thanks,

-Scott

Scott, the same principle applies: whatever you put on the VT will spawn to the VA interfaces (ACLs, summaries, etc. etc.).

M.
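An illustration of the hub DVTI / spoke SVTI layout being discussed, with the hub-side ACL and RIP applied on the Virtual-Template so they are inherited by every spawned Virtual-Access interface. This is an added example, not configuration from this thread or from the linked Cisco thread; all addresses, names and keys are constructed, the hub internal range is assumed to be 10.0.0.0/8, the spoke WAN is assumed to be Dialer0, and an IOS release with AES-256/SHA-256 support is assumed.

```ios
! ---- Hub (IKEv1 dynamic VTI) ----
crypto keyring SPOKE-KEYS
 ! one entry per spoke: sites have static IPs, so a 0.0.0.0 wildcard key
 ! is avoided (any host holding the key could otherwise bring up a VA)
 pre-shared-key address 198.51.100.10 key SITE10-PSK-PLACEHOLDER
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp profile SPOKE-ISAKMP
 keyring SPOKE-KEYS
 match identity address 0.0.0.0
 virtual-template 1
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
 set isakmp-profile SPOKE-ISAKMP
!
ip access-list extended SPOKE-IN
 remark allow RIPv2 from the spoke, then hub internal nets only
 permit udp any eq 520 host 224.0.0.9 eq 520
 permit ip any 10.0.0.0 0.255.255.255
 deny ip any any
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group SPOKE-IN in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
! ---- 867VAE spoke (static VTI); isakmp policy and transform set as on hub ----
crypto isakmp key SITE10-PSK-PLACEHOLDER address 203.0.113.1
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source Dialer0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
router rip
 version 2
 network 192.168.10.0
 no auto-summary
```

Because spoke LANs sit outside the permitted 10.0.0.0/8 range, the inherited ACL drops spoke-to-spoke traffic at the hub while still admitting the RIP updates the hub needs to learn each site; verify the result with `show ip access-lists` and `show ip route rip` once the first Virtual-Access comes up.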

Hi Marcin,

Seems to have done the trick, RIP isn't really desirable but the 867VAE price point for what we are doing is too good to ignore.

Thanks,

-Scott

matt-long
Level 1

Does anyone have an updated link to this material? It comes up "access denied" for me???
