04-03-2017 01:46 PM - edited 02-21-2020 09:14 PM
I am designing a VPN solution for our company and believe that DMVPN is the best solution. This configuration would allow an easier-to-manage VPN configuration on the spokes and on the hub/s. In my testing I intentionally built scenarios that would result in overlapping IP spaces on the spokes. Using NAT I was still able to get traffic to flow to the correct locations. What I haven't been able to deal with is when the IP space of the local spoke is in the same subnet space as the DMVPN cloud. These VPNs will connect to possibly thousands of clients with every manner of local networks configured. I am trying to design a solution that is tolerant of overlapping networks in as many ways as possible.
04-04-2017 12:52 AM
Hi,
If by the "DMVPN" cloud you are referring to the actual tunnel interface's IP address, you can use a VRF to have the tunnel's IP address on an isolated routing table from the actual LAN; this would allow you to have overlapping addressing between the DMVPN cloud (WAN) and the actual LAN:
Look in the Cisco documentation for the "tunnel VRF" command. This applies the VRF only to the tunnel interface itself (tunnel source/destination). Or using a VRF directly on the tunnel interface (using the vrf forwarding, not the tunnel vrf command) would put your WAN interface on a VRF but your actual tunnel outside of that VRF (on the global routing table).
You can also google for "DMVPN front door VRF"; there are many useful blog posts on this subject.
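An added example, not part of the original thread and not Cisco's own configuration: a minimal spoke sketch of the front-door VRF pattern the answer above points to, built around the `tunnel vrf` command. The VRF name, interface names, addresses (documentation and private ranges), NHRP/tunnel IDs and the key placeholder are all assumptions.

```ios
! Front-door VRF: holds only the underlay (WAN) routes
vrf definition FVRF
 address-family ipv4
 exit-address-family
!
! Keyring is bound to the VRF so IKE peers are looked up in the underlay table.
! Scoped to the hub's public address (constructed value), not a 0.0.0.0 wildcard.
crypto keyring DMVPN-KEYS vrf FVRF
 pre-shared-key address 203.0.113.1 key <PSK-PLACEHOLDER>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! WAN interface lives inside the front-door VRF
interface GigabitEthernet0/0
 description WAN underlay
 vrf forwarding FVRF
 ip address dhcp
!
! Tunnel address stays in the global table; only the GRE/IPsec transport
! (tunnel source/destination lookup) is resolved in FVRF via "tunnel vrf"
interface Tunnel0
 ip address 172.16.0.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1 nbma 203.0.113.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf FVRF
 tunnel protection ipsec profile DMVPN-PROF
!
! LAN interface, also in the global table
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
```

With this layout, `show ip route vrf FVRF` lists only underlay routes, while `show ip route` lists the tunnel and LAN prefixes, which is a quick way to confirm the two tables are separated as intended.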
04-04-2017 07:18 AM
Hey,
Thanks for your help. I'll start looking into VRF. Thanks