Double Encryption in Hierarchical DMVPN Design

Cory Anderson
Level 1

Hi all,

I have a scenario where we're looking into Hierarchical DMVPNs. The majority of the traffic is between either the spoke or the regional hub, and the central hub. What's the best way to avoid double encryption if traffic from a spoke traverses the regional hub to get to the central hub? PBR?

[Attached image: Hierarchical VPN.jpg]

3 Replies

Hi,
There wouldn't be double encryption, encryption is between the spoke(s) to the regional hub and then another encrypted tunnel from regional hub to central hub. Once routed through an encrypted tunnel, traffic would be routed out of the egress interface un-encrypted, unless the egress interface (in this instance the tunnel interface between regional hub and central hub) encrypts the traffic.

You would want traffic encrypted from regional hub to central hub.

HTH

Yes, I understand. I probably didn't describe the issues that I see well enough. I see the forwarding options as either the spoke creating an end-to-end tunnel to the central hub, creating a double encryption scenario, or the regional spoke having the extra burden of decrypting then re-encrypting traffic to the central hub. I'm looking for a third alternative for processing efficiency where traffic is encrypted once, and forwarded end-to-end.

If you don't wish to route traffic via the regional hub you probably don't want to use a hierarchical design. You could just create 2 tunnels on the spoke router, 1 direct to the regional hub router and another to the central hub. Traffic would be routed via the appropriate tunnel and encrypted once.
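As an added illustration of the two-tunnel spoke design suggested in the last reply (example configuration written for this thread, not posted by any participant): one spoke router with two mGRE tunnels, one to the regional hub and one to the central hub, each protected by the same IPsec profile so a packet is encrypted exactly once on whichever tunnel the routing table selects. Tunnel numbers, NHRP IDs, addresses and the pre-shared key are placeholders.

```cisco
! --- IPsec phase 1/2 (placeholder PSK, replace with per-peer keys or certificates) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- Tunnel 1: spoke to REGIONAL hub (NBMA 203.0.113.1, overlay 10.10.0.1 are placeholders) ---
interface Tunnel10
 description DMVPN cloud to regional hub
 ip address 10.10.0.11 255.255.255.0
 ip nhrp network-id 10
 ip nhrp map 10.10.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.10.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile DMVPN-PROF shared
!
! --- Tunnel 2: spoke to CENTRAL hub (NBMA 198.51.100.1, overlay 10.20.0.1 are placeholders) ---
interface Tunnel20
 description DMVPN cloud to central hub
 ip address 10.20.0.11 255.255.255.0
 ip nhrp network-id 20
 ip nhrp map 10.20.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 10.20.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 20
 tunnel protection ipsec profile DMVPN-PROF shared
!
! --- Routing: each hub advertises only its own prefixes, so the spoke picks
!     Tunnel10 for regional destinations and Tunnel20 for central ones ---
router eigrp 1
 network 10.10.0.0 0.0.0.255
 network 10.20.0.0 0.0.0.255
 network 192.168.11.0 0.0.0.255
```

Because both tunnels share one source interface and one IPsec profile, the `tunnel key` values must differ and the profile must be attached with the `shared` keyword, otherwise the second tunnel will not come up; `show crypto ipsec sa` on the spoke should then show one SA pair per hub peer, confirming single encryption on either path.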