VPN full mesh on ISRs, no DMVPN

Hi Everyone,
I need to build a full mesh VPN network on the ISRs, and the thing is that there will be no hub; all routers should be able to talk to each other independently. So it looks like I will have 5 endpoints, so I am planning to have 4 GRE tunnels with IPsec protection on each router, pointing to all neighbours, and run EIGRP on top. What do you guys think?

Actually, I am wondering what is the preferable and less resource-consuming method: using VTI or GRE (both with IPsec protection)?
Like I said, I will have 7 sites, each with double routers, so I am going to have 14 routers and 12 VTI or GRE tunnels on each of them. Total encryption traffic will not exceed 200 Mbps (with future scalability). Wondering which routers I would use for these. Thinking of the ISR G2 (29xx) series.
Thanks.
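To make the design in the question above concrete, here is an added example (not part of the original post) that generates the per-router IOS configuration for a full mesh of point-to-point IPsec tunnels and reports how the tunnel count grows with the number of sites. The router names, tunnel-source addresses, the 10.255.0.0/16 tunnel pool, the EIGRP AS number and the pre-shared-key placeholder are all constructed for illustration; the `mode` switch shows the one line that separates a VTI (`tunnel mode ipsec ipv4`) from GRE-over-IPsec with the same IPsec profile.

```python
"""Generate per-router IOS configuration for a full mesh of point-to-point
IPsec tunnels (VTI or GRE over IPsec) and show how the tunnel count grows.

Added example; router names, addresses, AS number and the pre-shared-key
placeholder are constructed, not taken from the original thread."""
import ipaddress
from itertools import combinations

# Constructed inventory: router name -> address used as tunnel source.
ROUTERS = {
    "R1": "192.0.2.1",
    "R2": "192.0.2.2",
    "R3": "192.0.2.3",
    "R4": "192.0.2.4",
    "R5": "192.0.2.5",
}
# Each tunnel gets its own /30 from this pool; the lower-named peer takes .1.
TUNNEL_POOL = list(ipaddress.ip_network("10.255.0.0/16").subnets(new_prefix=30))
PSK_PLACEHOLDER = "<PRE-SHARED-KEY>"  # never embed a real key in generated text


def tunnel_count(n):
    """Distinct tunnels in a full mesh of n routers: n(n-1)/2.
    Each router terminates n-1 of them, so n(n-1) tunnel configurations."""
    return n * (n - 1) // 2


def full_mesh_pairs(routers):
    """Every unordered router pair in a stable order; pair k uses TUNNEL_POOL[k]."""
    return list(combinations(sorted(routers), 2))


def router_config(name, routers=ROUTERS, mode="vti"):
    """IOS config for one router: shared crypto policy plus one tunnel per peer.

    mode="vti" adds 'tunnel mode ipsec ipv4'; mode="gre" keeps the default GRE
    encapsulation and protects it with the same IPsec profile. MTU/MSS are
    clamped in both cases because both add encapsulation overhead."""
    lines = [
        f"hostname {name}",
        "crypto isakmp policy 10",
        " encr aes 256",
        " authentication pre-share",
        " group 14",
        "crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac",
        "crypto ipsec profile PROF",
        " set transform-set TS",
    ]
    tunnels = []
    for k, (a, b) in enumerate(full_mesh_pairs(routers)):
        if name not in (a, b):
            continue
        peer = b if name == a else a
        me, them = list(TUNNEL_POOL[k].hosts())  # the two usable /30 addresses
        if name != a:
            me, them = them, me
        # One key statement per peer keeps a leaked key scoped to one tunnel.
        lines.append(f"crypto isakmp key {PSK_PLACEHOLDER} address {routers[peer]}")
        tunnels += [
            f"interface Tunnel{k}",
            f" description to {peer} ({them})",
            f" ip address {me} 255.255.255.252",
            " ip mtu 1400",
            " ip tcp adjust-mss 1360",
            f" tunnel source {routers[name]}",
            f" tunnel destination {routers[peer]}",
        ]
        if mode == "vti":
            tunnels.append(" tunnel mode ipsec ipv4")
        tunnels.append(" tunnel protection ipsec profile PROF")
    lines += tunnels
    # EIGRP over the tunnel /30s so each router learns every peer's LAN.
    lines += ["router eigrp 100", " network 10.255.0.0 0.0.255.255"]
    return "\n".join(lines)


if __name__ == "__main__":
    for n in (5, 14):
        print(f"{n} routers -> {tunnel_count(n)} tunnels, {n - 1} per router")
    print(router_config("R1"))
```

Because pair k always maps to the same /30 and the same Tunnel number on both ends, the two sides of every tunnel are generated consistently; the counts make the scaling point of the question visible (5 routers need 10 tunnels, 14 need 91).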

Similar Messages

  • Full Mesh to Hub Spoke Connectivity

    I have implemented MPLS VPN. Currently running as a full mesh connectivity. I
    need to implement and configure a hub and spoke connectivity due to the
    business requirement.
    I have 4 spokes and 1 hub. The spokes shouldn't communicate with each
    other, only with the hub and vice versa.
    What is the appropriate and best practice for me to implement and configure such a scenario?
    Appreciate your feedback and opinion.
    regards,
    maher

    OK, keep all your config as it is just now. The only issue (a personal one, I believe) is that you shall be using the same RD everywhere, but that shouldn't matter. On your hub site, add under the vrf something like route-target export 99:1. On your spoke sites add route-target export 99:2, then on the other spoke site route-target export 99:3, until you do them all to 99:x. Then go back to the hub site and do route-target import 99:2 all the way through to x. You can now remove your original route-targets and all shall be fine. A cleaner method would be to completely remove the vrf, but that's probably too much hassle and downtime for your liking :-)
    HTH
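The route-target scheme in this reply, as an added worked example (not part of the original post): the hub exports one RT and imports every spoke's RT, while each spoke exports its own RT and imports only the hub's, so spoke prefixes reach the hub but never another spoke. The VRF name, the shared RD and the 99:x values are constructed to follow the numbering used above, and `can_reach` checks the resulting import/export matrix the way a reviewer would before pushing it.

```python
"""Generate VRF route-target stanzas for a hub-and-spoke MPLS VPN and check
which sites can see each other's prefixes.

Added example (not from the thread). VRF name, RD and the 99:x route-target
values are constructed to match the numbering used in the reply above."""


def hub_spoke_route_targets(asn, hub, spokes):
    """Return {site: (exports, imports)} for a hub-and-spoke RT scheme.

    The hub exports asn:1 and imports every spoke's RT; each spoke exports
    its own asn:x and imports only the hub's, so no spoke imports another."""
    hub_rt = f"{asn}:1"
    spoke_rts = {s: f"{asn}:{i}" for i, s in enumerate(spokes, start=2)}
    plan = {hub: ([hub_rt], list(spoke_rts.values()))}
    for site, rt in spoke_rts.items():
        plan[site] = ([rt], [hub_rt])
    return plan


def vrf_config(site, plan, vrf="CUST", rd="99:1"):
    """IOS 'ip vrf' stanza for one site; the same RD on every PE is fine here
    because reachability is decided by route targets, not by the RD."""
    exports, imports = plan[site]
    lines = [f"ip vrf {vrf}", f" rd {rd}"]
    lines += [f" route-target export {rt}" for rt in exports]
    lines += [f" route-target import {rt}" for rt in imports]
    return "\n".join(lines)


def can_reach(plan, src, dst):
    """True if dst imports at least one RT that src exports, i.e. src's
    prefixes appear in dst's VRF table."""
    return any(rt in plan[dst][1] for rt in plan[src][0])


def reachability_matrix(plan):
    """{(src, dst): bool} for every ordered pair, for a quick policy review."""
    return {(s, d): can_reach(plan, s, d) for s in plan for d in plan if s != d}


if __name__ == "__main__":
    plan = hub_spoke_route_targets(99, "HUB", ["S1", "S2", "S3", "S4"])
    for site in plan:
        print(vrf_config(site, plan), end="\n!\n")
    for pair, ok in sorted(reachability_matrix(plan).items()):
        print(pair, "reachable" if ok else "isolated")
```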

  • KCC Generated Replication Topology for 3 sites - not a full mesh

    A fairly old topic but a question still: in a 3-site AD domain/forest, 2003 forest and domain level, 2x 2012R2 DC, 1x 2008R2 DC, and a single site link that all 3 are members of (cost 100, replication 15 min), KCC doesn't end up creating a full mesh but a hub and spoke topology.
    So it ends up being that Site A connects to both B and C, but B and C just go back to A and don't set up links to each other, which I'd prefer a bit more redundant, but without manually creating any links.
    Is there any reason/logic for hub and spoke even though 3 sites really should be a ring/mesh?

    > Is there any reason/logic for hub and spoke even though 3 sites really
    > should be a ring/mesh?
    Is direct communication between B and C possible? Then create site links
    according to your topology :)
    Greetings,
    Martin
    Read a good book about GPOs for once?
    Good or bad GPOs? - my blog…
    And if IT bothers me -
    coke bottle design refreshment (-:

  • Vpls full mesh

    What is the recommended number of CEs in a full mesh?
    And can you have more than one CE on the same PE, with physically different interfaces, in the same VPLS domain?

    I should clarify the previous statement.
    What I was looking for was the max number of PEs in a full mesh; most examples I have read have 4 PEs. I have a max of 14 PEs that may require a full mesh.

  • Full mesh VPN solution for on MPLS network with PE and CPEs

    Hi,
    We are trying to evaluate the best solution for a hub-spoke mesh VPN in an MPLS network. The VPN hub router will be the PE router and all the VPN spokes will be CPEs.
    Can someone please let us know what will be the best VPN solution? We understand that there will be some technical limitations going with GETVPN, but we still couldn't find any documentation on the possibility of using DMVPN.
    How about the recent FlexVPN? Can FlexVPN work for this requirement, and where can I get a design/configuration document?
    thanks in advance.

    Hello,
    GETVPN is intended for any-to-any VPN communication. Over an MPLS network with a hub-and-spoke topology, your best option is to look at Cisco's DMVPN implementation, as this type of VPN is primarily designed for hub and spoke.
    Regards,
    Mohamed

  • SSL VPN Full Tunnel - Not Reliable

    We have been trying to deploy SSL VPN on a 3825 router running 12.4.20T2 with AnyConnect V2.2.0140. It works normally for a few days, then begins to fail in different ways. First, the users do not get the login screen from the Web access. This can be reset by stopping and starting the service. However, now I get fully connected and, in a single session, sometimes I can access network resources and sometimes I can't (it comes and goes for various parts of the network). I know if I reboot the router, everything will be fine for a few days. I also run Client VPN on this same router and it is very stable. Whenever I call TAC, the first question I get is "Do you have an ASA that you can run SSL VPN on?", and every time I ask if they know something about the reliability of SSL VPN on IOS. They always say "it should work".
    I guess what I am asking is, are there known reliability issues with full tunnel SSL VPN on IOS? Or, if anyone else has seen these kinds of problems and found solutions? Thanks!

    Please enable the following command and then try to connect:
    ip inspect log drop-pkt
    If I am not overlooking anything in the configuration, it seems to be OK, so I would like to check ZBF.
    Please check the logs generated by the Router and let me know if you see anything related to your connection.
    Thanks.
    Portu.

  • SSL VPN Full and Split Tunnel Config Question

    I am Beta testing SSLVPN on an IOS router. The question I have is this:
    Is it possible to have split and full tunnel configs? It seems that once you create your context and default profile that is all you have, either split or full. The books say you can use RADIUS and assign different profiles, but I would like to give the users a choice (like in the VPN3000 .pcf) of either split or full depending on where they are working from.

    The below is an example using the ASA - but the principle remains the same:-
    http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080975e83.shtml
    HTH

  • Connecting 2 3750 Switches in Stack with 2 2960 switches in full Mesh

    Hi Friends,
    I have attached a picture of the DC design of one of our customers. As the network engineer I designed this, so I am responsible for implementing it. Now I request you all to kindly guide me on what technical problems I will face in achieving this and how I can overcome them. Please be in detail. Waiting for your response.
    Regards
    Amit Kulshrestha

    I have attached modified diagram , please suggest.
    The major issue I see is that you have not mentioned whether the 2960's are stacked. For the design to work, they need to be stacked, because you cannot create port-channels between them and the core switches unless the 2960's are stacked.
    ==> You are right, surely the 2960 switches need to be in stack form.
    Personally I would look at more powerful switches than the 2960's, something along the lines of the 3750X range or probably now the 3850's.
    ==> This is a constraint of the customer, not our responsibility.
    The second issue I see is that your servers are connected to the WAN switches. Is there a reason for this? Usually they would be connected to the core switches.
    ==> For this, can 1 separate 2960 series switch be used?
    The final point is that you only have single connections from each of your WAN connections, which begs the question as to the purpose of having two WAN switches.
    ==> The customer has a 1900 series router with only two ports, one used for WAN and the other for LAN.
    The objective of having two switches is to provide redundancy/resiliency. If you have only one connection from each WAN then why do you need two switches, as there is no redundancy?
    ==> The customer has agreed to a manual change at the time of failure.

  • Enterprise VPN Design - Lan to Lan via PIX

    I have 15 sites each with pix firewall 506 or better. I would like to create a VPN full mesh without creating a total of n * (n-1) tunnel configurations. How can I cut down this number?

    This should help: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/ipsec/2_2/prov_gd/ipsecpg8.htm

  • Why does SSL VPN require client for full functionality?So What's the point?

    I was interested in SSL VPN because I thought that I could have the same functionality I have when connecting via Cisco VPN 3000 concentrator (IPSec with AH and ESP enabled), but without the hassle to deploy and maintain client VPN's for thousands of users.
    However, to my disappointment, based on the information below from www.cisco.com (and I believe that it is the case for other vendors, right?), SSL VPN offers limited functionality if deployed clientless. Why is that?
    Imagine I have a VPN (IPsec) solution functional today. If I deploy SSL VPN (clientless), what lack of functionality should I experience? Why is a VPN client required if SSL VPN can successfully establish the tunnel? I don't get it.
    "...SSL VPNs provide two different types of access: clientless access and full network access. Clientless access requires no specialized VPN software on the user desktop; all VPN traffic is transmitted and delivered through a standard Web browser. Because all applications and network resources are accessed through a browser, only Web-enabled and some client-server applications-such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers-can be accessed using a clientless connection. This limited access is suitable for partners or contractors that should be provided access to a limited set of resources on the network. And because no special-purpose VPN software has to be delivered to the user desktop, provisioning and support concerns are minimized."

    Hi,
    Clientless SSL VPN is only able to access applications through the browser (i.e. HTTP and HTTPS). If you need to access other applications like RDC, you need the full SSL client.
    The full SSL client is deployed automatically, depending on how you configure the SSL VPN box (temporarily or permanently):
    1. From the SSL VPN box, you can configure it to be downloaded and installed on the user PC permanently (500KB+). When the user is successfully authenticated by the SSL VPN box, it will download the client and install it automatically/permanently without any help from the network administrator. The user needs to be logged in on his/her PC with administrator privileges.
    2. From the SSL VPN box, you can configure it to be downloaded and installed on the user PC temporarily (500KB+). When the user is successfully authenticated by the SSL VPN box, it will download the client and install it temporarily without any help from the network administrator. The user needs to be logged in on his/her PC with administrator privileges.
    In one of my deployments, I have 1000+ SSL VPN users. I just needed to create a 10-page user manual/guide, complete with troubleshooting, for them to use on their own. I use the first option, which automatically downloads and permanently installs in their PC. Patching the SSL VPN full client only requires uploading the new client to the SSL VPN box, and it will automatically patch the client on the user PC.
    Dandy

  • DMVPN ISAKMP SA Question

    Hi all,
    I have set up a basic full mesh DMVPN, similar to the config used in the Packet Life tutorial:
    http://packetlife.net/blog/2008/jul/23/dynamic-multipoint-vpn-dmvpn/
    I have one hub and two spokes. Everything seems to be functioning OK. I have included the config below for the tunnels.
    My question is, when I do a show crypto isakmp sa, for example on Spoke 2, I have three ISAKMP SAs with three different SRC addresses...
    How is this possible when I only have tunnels to two other devices, the hub and Spoke 1??? And why is a foreign source address showing up as an ISAKMP SA on this router?
    dst             src             state          conn-id slot status
    172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
    172.16.2.2      172.16.3.2      QM_IDLE              3    0 ACTIVE
    172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE
    A similar result on the hub:
    dst             src             state          conn-id slot status
    172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE
    172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
    172.16.1.2      172.16.3.2      QM_IDLE              3    0 ACTIVE
    Yet Spoke 1 only has 2:
    172.16.1.2      172.16.3.2      QM_IDLE              1    0 ACTIVE
    172.16.2.2      172.16.3.2      QM_IDLE              2    0 ACTIVE
    Crypto config for all:
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
    crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
    crypto ipsec profile MyProfile
     set transform-set MyTransformSet
    interface Tunnel0
     tunnel protection ipsec profile MyProfile
    Hub tunnel config:
    interface Tunnel0
     ip address 10.0.100.1 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source fa0/0
     tunnel mode gre multipoint
    Spoke 1 tunnel config:
    interface FastEthernet0/0
     ip address 172.16.3.2 255.255.255.0
     duplex auto
     speed auto
    interface Tunnel0
     ip address 10.0.100.2 255.255.255.0
     no ip redirects
     ip nhrp map 10.0.100.1 172.16.1.2
     ip nhrp map multicast 172.16.1.2
     ip nhrp network-id 1
     ip nhrp nhs 10.0.100.1
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile MyProfile
    Spoke 2 tunnel config:
    interface FastEthernet0/0
     ip address 172.16.2.2 255.255.255.0
     duplex auto
     speed auto
    interface Tunnel0
     ip address 10.0.100.3 255.255.255.0
     no ip redirects
     ip nhrp map 10.0.100.1 172.16.1.2
     ip nhrp map multicast 172.16.1.2
     ip nhrp network-id 1
     ip nhrp nhs 10.0.100.1
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile MyProfile

    DMVPN's hub (in a typical configuration) does not contain information about endpoints (unlike spokes, which have statically configured NHS and NHRP mappings); it only learns about those during the NHRP registration exchange.
    So there should not be a need/possibility for the hub to initiate IKE sessions (hence the additional enforcement of "ip nhrp server-only").
    Now, what can happen is that IKE renegotiation is not triggered by the spoke on time and the hub tries to initiate a rekey. It typically should not happen.
    DMVPN is a routing-based VPN; the hub will always follow routing to determine where to send traffic, typically sending it out its default route, where it will be dropped (in the situation you describe).
    A few best practices:
    - Lower NHRP holdtime
    - Configure MTU and adjust MSS.
    - If you're running ISR G2, and it's a setup "for the future":
    http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
    AES and SHA are still acceptable, but you might consider kicking it up a notch ... ;-)
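A small audit of the output posted in this question, as an added example (not part of the original thread): `show crypto isakmp sa` lists each IKE SA in the initiator's frame, so the remote end is whichever of dst/src is not the local address. Parsing the table and comparing the established peers against the set a router is supposed to have tunnels with turns "why is this address here?" into a repeatable check, and counting SAs per peer surfaces the duplicate-SA/rekey situation the reply describes. The sample output is the Spoke 2 listing from the question; the expected-peer sets are constructed for illustration.

```python
"""Parse `show crypto isakmp sa` output and flag peers that are not expected,
plus peers holding more than one IKE SA (both sides initiated, or a rekey).

Added example; the sample output is the Spoke 2 listing posted in the
question above, the expected-peer sets are constructed for illustration."""
from collections import Counter

# Output as posted for Spoke 2 (local address 172.16.2.2).
SPOKE2_OUTPUT = """\
dst             src             state          conn-id slot status
172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
172.16.2.2      172.16.3.2      QM_IDLE              3    0 ACTIVE
172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE
"""


def parse_isakmp_sa(text):
    """Return one dict per SA row; header, banner and blank lines are skipped
    because only data rows have exactly six whitespace-separated fields."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "dst":
            continue
        dst, src, state, conn_id, slot, status = parts
        sas.append({"dst": dst, "src": src, "state": state,
                    "conn_id": int(conn_id), "slot": int(slot), "status": status})
    return sas


def remote_peer(sa, local):
    """dst/src are shown from the initiator's point of view: when we initiated,
    dst is the peer; when the peer initiated, dst is us and src is the peer."""
    return sa["src"] if sa["dst"] == local else sa["dst"]


def established_peers(sas, local):
    """Peers with a completed IKE phase 1 (QM_IDLE and ACTIVE)."""
    return {remote_peer(sa, local) for sa in sas
            if sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"}


def audit(sas, local, expected_peers):
    """Sorted list of established peers that are not in the expected set."""
    return sorted(established_peers(sas, local) - set(expected_peers))


def duplicate_peers(sas, local):
    """{peer: count} for peers holding more than one IKE SA with us, which is
    what a crossed initiation or a stale SA after a rekey looks like."""
    counts = Counter(remote_peer(sa, local) for sa in sas)
    return {peer: n for peer, n in counts.items() if n > 1}


if __name__ == "__main__":
    local = "172.16.2.2"
    sas = parse_isakmp_sa(SPOKE2_OUTPUT)
    print("established:", sorted(established_peers(sas, local)))
    # Hub only expected: the spoke-to-spoke SA with 172.16.3.2 stands out.
    print("unexpected (hub only):", audit(sas, local, {"172.16.1.2"}))
    # Hub and Spoke 1 expected: nothing is flagged.
    print("unexpected (hub + spoke 1):", audit(sas, local, {"172.16.1.2", "172.16.3.2"}))
    print("duplicates:", duplicate_peers(sas, local))
```

Run against the posted output, the address the question calls "foreign" (172.16.3.2) is flagged only while the expected set holds just the hub, and the hub appears twice because one SA was initiated from each side.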

  • DMVPN

    Hi, I am setting up an MPLS network for a customer with over 500 sites. There will be two core data centres and the others will be spokes/remote sites. The customer does not trust the MPLS core and so wants an additional layer of IPsec security.
    I have come up with the best solution as being DMVPN (Dynamic Multipoint VPN). However, it only supports OSPF and EIGRP, and we are running BGP with the ISP at PE level.
    Do you know of a workaround for how DMVPNs can work with BGP?
    Regards.

    I think DMVPNs can work with BGP, however there are practical limitations to this. For example, if you have 300 spokes all configured in the same AS, they will need separate peerings with one another. This will require n(n-1)/2 peerings = 44850 separate TCP sessions configured. Using DMVPN, BGP will not dynamically create TCP sessions between the spokes. You will still need to apply this configuration manually for each spoke. Configuring full mesh peerings between all your spoke routers effectively eliminates the original benefits offered by DMVPN, as the amount of configuration and maintenance required does not make it a scalable option. For this reason, EIGRP is the recommended protocol to be used with DMVPN.

  • CSM 4.4 depolying Site-to-Site VPN

    All,
    I am centrally managing around 100 firewalls and I need to get all this traffic within a VPN tunnel.
    My problem is that when I push the deployment and my CSM traffic goes from unencap to encap the session on the outside of the tunnel dies (expected) but CSM never recovers and the deployment fails.
    Any info on getting all this working is mucho appreciated.
    TIA,
    JD

    The steps you have provided for adding unmanaged devices are the only way of doing the same. For successful VPN discovery, the following prerequisites must be met:
    1) All devices participating in the VPN must be added to the Security Manager inventory.
    2) You must provide Security Manager with some basic information about the VPN. The VPN discovery wizard prompts you for the following information:
    - VPN topology (hub and spoke, point to point, full mesh)
    - VPN technology (Regular IPsec, IPsec/GRE, GRE dynamic IP, DMVPN, Easy VPN)
    - Devices in the VPN and their roles (hub/spoke)
    - Source of the VPN configuration. The VPN can be discovered directly from the live network or from Security Manager's Configuration Archive.
    3) Each device in the VPN must have a crypto map associated with a physical interface.
    4) Each PIX 6.3 or ASA 5505 client device in an Easy VPN topology must have a vpnclient configuration.

  • Selective Route Import/Export in MPLS VPN

    Champs
    I have multiple branch locations and 3 DC locations. The DC locations host my internal applications; the DCs also have the central Internet breakout for the region. My requirement is to have a full mesh MPLS-VPN, but at the same time branch location Internet access should be from the nearest DC in the region, and if the nearest DC is not available it should go to the second nearest DC for Internet. I have decided which are the primary and secondary DCs for Internet breakout. How can this be achieved in an MPLS-VPN scenario? Logically I feel I have to announce the specific LAN subnets and a default route (with different BGP attributes like AS path) from all 3 DCs. Spokes in the specific region should be able to import the default route from the primary and secondary DCs only, using some route filter?
    Regards
    V

    Hello Aaron,
    the route example works for all routers except the one, where the VRF vpn2 is configured. What you can do for management purposes is either to connect through a neighbor router using packet leaking or configure another Loopback into VRF vpn2.
    The last option (and my recommendation) is to establish another separate IP connection from your NMS to the MPLS core. Once VRFs are failing (for whatever reason, e.g. erroneously deleted) you might just not get connectivity to your backbone anymore to repair what went wrong.
    So I would create an "interconnection router" with an interface in the VRF vpn2 and one interface in global IP routing table. This way you will still be able to access PEs, even if VRFs or MBGP is gone.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?

    Hi All,
    Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
    I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
    To best explain the question I have put together an example scenario:
    Let's say we have three sites, which are all connected via separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
    Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
    The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
    Routing on the outside interface is not of concern in this scenario.
    The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
    VLSM is not cleanly summarised per site. (I know this flies against VLSM best practice, but it makes the scenario clearer...)
    New subnets are added and removed at each site on a frequent basis.
    EIGRP will be running on each core router, and any stub routers at each site.
    So this results in the following example topology, of which I have exaggerated the VLSM position:
    (http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
    Now, using static route redistribution from the ASAs into EIGRP and making the ASAs EIGRP neighbours would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit that I am confused over is the potential to have new subnets added or removed, which would require the EIGRP routing processes on the relevant site X router to be altered as well as the crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
    The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASA's routing table to choose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF, it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would be otherwise protected by the IPsec tunnel...
    Is there a better method to propagate the routing information dynamically around the example scenario above?
    Is there a way to have dynamic crypto maps based on router information?
    P.S. Diagram above produced via http://www.diagram.ly/

    Hi Guys,
    Thanks for your responses!  I am learning here, hence the post.
    David: I had looked into the potential for GRE tunnels, but the side-effects could outweigh the benefits. The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA. In my example (maybe not too clear?) the IPsec traffic would be terminated on the ASA and not the core router behind it.
    Marcin: Was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPsec tunnel)? I have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
    ospf network point-to-point non-broadcast: Specifies the interface as a point-to-point, non-broadcast network. When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
    Otherwise I would agree it would be happy days...
    Any other ideas (maybe around iBGP, like OSPF) which do not involve GRE tunnels or terminating the IPsec on the core router, please?
    Kindest Regards,
    James.
