The scenario I'm trying to solve is for a managed internet access product we are building, whereby we want to roll out the 867VAE on a mass scale to smaller sites.
For every one of our customers at present we have them all on a full DMVPN with spoke to spoke firewalled except from internal networks (so we can see our customers from multiple sites, but customers can't see each other).
The 867VAE does not support DMVPN though, but we still need a simple remote access/management solution.
My thinking is:
Option 1:
1. Create mGRE interface with NO NHRP but still enable encryption
2. Enable RIP (only choice on 867VAE)

Option 2:
1. Create PtP GRE interface with encryption and RIP.
Before I spend hours testing this - can anyone see a reason why it wouldn't work?
Our requirement here is that we want full visibility of the customer's network (PCs/servers), so it needs encryption, but we are not running voice over this or anything that would need the full DMVPN features.
Probably not the only options but here goes.
NHRP registration is the way the hub learns how to get to a spoke, i.e. this tunnel address is hidden behind this public IP.
The alternative is to use static mappings on the hub, or p2p interfaces on the hub side (provided there is no dynamic IP address).
And if different solutions are an option:
1) if the 867 supports IKEv2/FlexVPN, you should be able to push routing information via IKE/IPsec and not have the registration problem.
2) similar to 1) but in the IKEv1 world - an SVTI-DVTI solution.
Hmm, so there is no way for the hub to dynamically learn about the spokes as they register?
I can still use NTP to bring the tunnel up from the remote side... The 867VAE does not have NHRP.
We are using static IPs for each site, but I want to keep provisioning simple; otherwise we may end up with 1000 NHRP mappings on the hub, and that sounds hard to manage.
I think your suggestion #2 might be possible with 867 as it supports EasyVPN Client so should have VTI - how are you suggesting this would be used?
That looks like it may do what I need - can I still prevent spokes routing via the hub though? We only want hub <--> spoke communication.
With our DMVPN tunnels we have an ACL on the hub tunnel interface to limit traffic to our internal nets only. VTI spawns tunnels on the fly, so I'm not sure how that will impact this.
Seems to have done the trick, RIP isn't really desirable but the 867VAE price point for what we are doing is too good to ignore.
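A worked hub/spoke configuration for the IKEv1 SVTI/DVTI option suggested in the answer above, combined with the hub-side ACL question from the follow-up (spokes may only reach the provider's internal nets, never each other). This is an added example, not configuration posted by anyone in the thread. The names (TS-AES, VTI-PROF, SPOKES, HUB-TO-SPOKE-ONLY, INTERNAL-NETS), the addresses (10.0.0.0/8 as the provider's internal range, 203.0.113.1 as the hub's public address, 192.168.10.0/24 as one customer LAN, Dialer0 as the spoke WAN interface), the pre-shared key placeholder and the assumption that the hub speaks RIP only to these spokes are all assumptions; whether the 867VAE image in use actually supports an IKEv1 static VTI is something to confirm on the box before relying on it.

```cisco
!=== Hub (IOS router terminating all spokes with a dynamic VTI) ===
! ISAKMP (IKEv1) policy; AES-256 / SHA-256 / DH group 14 assumed available
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Keyring with a wildcard pre-shared key, assumed here for brevity only:
! any host that knows the key can bring up a tunnel, so use per-spoke keys
! or certificates in production.
crypto keyring SPOKES-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key REPLACE-WITH-STRONG-PSK
!
! ISAKMP profile: each peer that authenticates gets a Virtual-Access
! interface cloned from Virtual-Template1 (this is the DVTI)
crypto isakmp profile SPOKES
 keyring SPOKES-KEYRING
 match identity address 0.0.0.0
 virtual-template 1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
 set isakmp-profile SPOKES
!
! Only let spokes reach the provider's internal/management nets (assumed
! 10.0.0.0/8) plus RIP itself. Anything else arriving from a spoke,
! including traffic aimed at another customer's LAN, is dropped at the hub.
ip access-list extended HUB-TO-SPOKE-ONLY
 permit udp any any eq rip
 permit ip any 10.0.0.0 0.255.255.255
 deny   ip any any
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Every cloned Virtual-Access interface inherits the ACL and IPsec profile
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group HUB-TO-SPOKE-ONLY in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! RIPv2 towards the spokes. The distribute-list stops customer prefixes
! learned from one spoke being re-advertised to the others; it assumes the
! hub speaks RIP only on these tunnels.
ip access-list standard INTERNAL-NETS
 permit 10.0.0.0 0.255.255.255
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 distribute-list INTERNAL-NETS out
!
!=== Spoke (867VAE with a static tunnel to the hub, i.e. SVTI) ===
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! 203.0.113.1 is the hub's public address (documentation range, assumed)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
interface Vlan1
 description customer LAN (assumed 192.168.10.0/24)
 ip address 192.168.10.1 255.255.255.0
!
! Static VTI: the spoke always knows the hub, so no NHRP is needed, and the
! hub learns the spoke's tunnel address when the IPsec SA comes up
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source Dialer0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! RIP covers Vlan1 and, through ip unnumbered, Tunnel0 as well
router rip
 version 2
 no auto-summary
 network 192.168.10.0
```

Provisioning a new site then means one spoke template with its LAN prefix and the shared hub address filled in; nothing changes on the hub. To confirm a spoke, `show crypto session` on the hub should list the peer with a Virtual-Access interface, `show ip interface` on that Virtual-Access should show HUB-TO-SPOKE-ONLY applied inbound, and `show ip route rip` should show the customer LAN learned from it. A ping from one customer LAN to another customer's LAN address should fail at the hub (ACL hit count rises), while pings to 10.0.0.0/8 succeed.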