Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1025
Views
0
Helpful
2
Replies

Hub to Hub communication in Dual cloud DMVPN?

Warren Sullivan
Level 1
Level 1

ā€Ž03-10-2013 03:31 PM - edited ā€Ž02-21-2020 06:45 PM

Hi guys,

This is a gns3 lab example, but this a cut down version of my production network in real life

I have the following topology;

dmvpn.jpg

This is  a dual hub, dual cloud environment, subnets 10.0.251.0/24 and 10.0.252.0/24

Each spoke (ISA,TVL,RED and GLS) has two tunnels configured

We have our production Data center hanging off bne-swcr01 and our DR data center off bne-swcr02

There are users also hanging off these two switches (in real life these are HP Procurve switches, soon to be Cisco)

I have a 10Gbps dark fibre connection between bne-swcr01 and bne-swcr02 mainly for replication but also provides connection to internet (R11 firewall) for users hanging off bne-swcr02.

The DMVPN network is running EIGRP (bne and brn-rt01 and above including all spokes)

Everything below is running OSPF

EIGRP is redistributed into OSPF

an EIGRP summary is configured on the Hubs sending a default to spokes, it has a higher AD than the network default below.

a network default route is learnt from R11 (firewall)

The two uplinks to the DMVPN cloud from bne-rt01 and brn-rt01 are 100Mbps

I want to configure a backup 100Mbps connection between the two hubs in the case of a dark fiber failure and my initial thoughts were a single IPSEC site to site tunnel, but the problem seems to lie in the configuration of the interesting traffic statement, as it really needs to be a permit ip any any rule, but it won't form a neighborship unless i am specific in the source and destination subnets(and they are mirrored)

If the pipe fiber fails (dark fiber 10gbps) traffic from the hosts hanging off bne-swcr02 will still need to get to the internet so how do i configure an interesting traffic statement for that other that ip any any?

Im hoping there is something i can do in the DMVPN world to solve this, it will be cleaner and easier to implement i would imagine.

Configurations follow in txt files

Labels:
15356103-brn-rt01.txt.zip
15356096-bne-swcr01.txt.zip
15356095-brn-sw01.txt.zip
15356104-bne-rt01.txt.zip
0 Helpful
2 Replies 2

Marcin Latosiewicz
Cisco Employee
Cisco Employee

ā€Ž03-11-2013 08:49 AM

Warren,

You can configure a p2p VTI (any any proxy IDs) or GRE tunnel (with a small loss of MTU but with added flexability) with IPsec protection or have one hub be a spoke for the other.

There's quite a few differet possibilities there, I guess from routing perspective it's best you also run a routing protocol between the sites and have them know about specifc subnets and not only summaries ;-)

M.

0 Helpful

Warren Sullivan
Level 1
Level 1
In response to Marcin Latosiewicz

ā€Ž03-24-2013 08:26 PM

So i ended up making the brn router a spoke of bne, i created a second tunnel interface on brn and pointed it to bne as the NHS, and redistributing routes over from OSPF into EIGRP at the BRN site, worked well, one thing i am having touble with is redistibuting the default which is learned from bne over the tunnel (the summary) into OSPF, it just won't go, at the moment i have a floating static default pointing to brn-rt01 in the event of a "PIPE" failure, bit of a bandaid solution though....your thoughts?

0 Helpful
Customers Also Viewed These Support Documents