05-01-2012 01:44 AM - edited 02-21-2020 06:02 PM
Hi all,
The scenario I'm trying to solve is for a managed internet access product we are building, whereby we want to roll out the 867VAE on a mass scale to smaller sites.
For every one of our customers at present we have them all on a full DMVPN with spoke-to-spoke firewalled except from internal networks (so we can see our customers from multiple sites, but customers can't see each other).
The 867VAE does not support DMVPN, though, and we still need a simple remote access/management solution.
My thinking is:
Head End
1. Create an mGRE interface with NO NHRP, but still enable encryption
2. Enable RIP (only choice on 867VAE)
867VAE CPE:
1. Create a PtP GRE interface with encryption and RIP.
Before I spend hours testing this: can anyone see a reason why it wouldn't work?
Our requirement here is that we want full visibility of the customer's network (PCs/servers), so it needs encryption, but we are not running voice over this or anything that would need the full DMVPN features.
Thanks,
Scott
05-01-2012 03:01 AM
Scott,
Config and concept similar to this:
https://supportforums.cisco.com/thread/2089906
And you can run RIP on top.
M.
05-01-2012 01:58 AM
Scott,
Probably not the only options, but here goes.
NHRP registration is the way the hub learns how to get to a spoke, i.e. "this tunnel address is hidden behind this public IP".
The alternative is to use static mappings on the hub, or p2p interfaces on the hub side (provided there is no dynamic IP address).
And if different solutions are an option:
1) If the 867 supports IKEv2/FlexVPN, you should be able to push routing information via IKE/IPsec and not have the registration problem.
2) Similar to 1), but in the IKEv1 world: an SVTI-DVTI solution.
HTH,
Marcin
05-01-2012 02:06 AM
Hmm, so there is no way for the hub to dynamically learn about the spokes as they register?
I can still use NTP to bring the tunnel up from the remote side... The 867VAE does not have NHRP.
We are using static IPs for each site, but I want to keep provisioning simple; otherwise we may end up with 1000 NHRP mappings in the hub, and that sounds hard to manage.
I think your suggestion #2 might be possible with the 867, as it supports the EasyVPN client and so should have VTI. How are you suggesting this would be used?
05-01-2012 03:23 AM
Hi Marcin,
That looks like it may do what I need. Can I still prevent spokes routing via the hub, though? We only want hub <--> spoke communication.
With our DMVPN tunnels we have an ACL on the hub tunnel interface to limit traffic to our internal nets only. VTI spawns tunnels on the fly, so I'm not sure how that will impact this.
Thanks,
-Scott
05-01-2012 05:23 AM
Scott, the same principle applies: whatever you put on the VT will spawn to the VA interfaces (ACLs, summaries, etc. etc.).
M.
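As an added illustration of the SVTI/DVTI-plus-RIP design Marcin points to above, and of his point that whatever sits on the virtual template is inherited by each spawned Virtual-Access: an IKEv1 DVTI hub, an SVTI spoke config for the CPE, RIPv2 over the tunnels, and an inbound ACL on the template that allows hub <--> spoke traffic only. This is example configuration written for this thread, not Marcin's, Cisco's, or the linked thread's configuration. The pre-shared key, public IPs (203.0.113.1), interface names (Dialer0, Vlan1), the 10.0.0.0/8 "internal" range, the 172.16.0.0/24 tunnel/loopback range and the 192.168.0.0/16 customer LAN range are all placeholders; the per-interface RIP distribute-lists are assumed to apply to the cloned Virtual-Access interfaces like the rest of the template.

```cisco
! Added example, not from the thread. All addresses, interface names and the PSK are placeholders.
!
! ===== Hub: IKEv1 DVTI. Every spoke that authenticates gets its own Virtual-Access,
! ===== cloned from Virtual-Template1 (address, ACL and routing included).
crypto keyring SPOKES
 pre-shared-key address 0.0.0.0 0.0.0.0 key REPLACE-ME   ! wildcard PSK: one key per spoke, or certs, is better
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp profile SPOKES-IKE
 keyring SPOKES
 match identity address 0.0.0.0 0.0.0.0
 virtual-template 1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile DVTI-PROF
 set transform-set TS-AES
 set isakmp-profile SPOKES-IKE
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255      ! hub tunnel endpoint / management source address
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group SPOKE-IN in                ! inherited by every Virtual-Access
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-PROF
!
! Hub <-> spoke only: a spoke may reach our internal nets (10.0.0.0/8) and talk RIP to the hub;
! anything else, including another customer's LAN, is dropped at the hub even though the hub
! holds a route to it.
ip access-list extended SPOKE-IN
 permit udp any eq rip any eq rip           ! RIPv2 updates from the spoke
 permit ip any host 172.16.0.1              ! replies to management traffic sourced from Loopback0
 permit ip any 10.0.0.0 0.255.255.255       ! customer site -> our monitoring/management nets
 deny   ip any any log                      ! customer -> customer, etc.
!
! RIPv2 over the tunnels. Spokes only receive our prefixes (not each other's), and the hub
! only accepts customer-range prefixes from a spoke, so a compromised CPE cannot advertise
! a more specific 10.x route and pull our internal traffic towards itself.
ip prefix-list TO-SPOKES seq 10 permit 10.0.0.0/8 le 32
ip prefix-list FROM-SPOKES seq 10 permit 192.168.0.0/16 le 24
ip prefix-list FROM-SPOKES seq 20 permit 172.16.0.0/24 ge 32
router rip
 version 2
 no auto-summary
 network 172.16.0.0
 network 10.0.0.0                           ! make internal-facing interfaces passive if they need no RIP
 distribute-list prefix TO-SPOKES out Virtual-Template1     ! assumed to apply to the cloned VAs
 distribute-list prefix FROM-SPOKES in Virtual-Template1
!
! ===== 867VAE spoke: static SVTI to the hub, RIPv2 on top. The CPE's Loopback0 (172.16.0.2/32,
! ===== unique per site) is both the tunnel address and the address we manage it on.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-ME address 203.0.113.1         ! hub public IP (placeholder)
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile SVTI-PROF
 set transform-set TS-AES
!
interface Loopback0
 ip address 172.16.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Dialer0                      ! the 867VAE's WAN interface (placeholder)
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI-PROF
!
router rip
 version 2
 no auto-summary
 network 172.16.0.0                         ! brings Loopback0 and the unnumbered Tunnel0 into RIP
 network 192.168.10.0                       ! this customer's LAN (Vlan1)
 passive-interface Vlan1                    ! never exchange RIP with the customer LAN
```

Two things worth checking once a spoke is up: `show ip interface brief | include Virtual-Access` on the hub should show one interface per connected CPE carrying the template's ACL, and `show access-lists SPOKE-IN` should show the `deny` counter moving if you try to reach one customer LAN from another. The ACL, not the routing, is what enforces hub <--> spoke only; the outbound prefix-list just stops the spokes from even learning each other's prefixes. A single wildcard PSK is the weakest part of this layout, because any host that learns the key can bring up a Virtual-Access; since the sites have static IPs, a per-site `pre-shared-key address` entry in the keyring (or certificates) costs little and limits that.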
05-06-2012 08:06 PM
Hi Marcin,
Seems to have done the trick. RIP isn't really desirable, but the 867VAE price point for what we are doing is too good to ignore.
Thanks,
-Scott
10-14-2015 02:49 AM
Does anyone have an updated link to this material? It's coming up as access denied for me???