Cisco DMVPN Sanity Check

Greetings, below is the basis for an MPLS-based DMVPN network for one of my customers.

Each private IP address space will consist of 10.171.0.0/24 networks.
GRE tunnel interfaces will be in the 172.16.0.0/30 range.

To keep EIGRP advertisements down I'll be advertising the networks below from both the hub and spoke sites.

10.171.0.0 0.0.0.255 and 172.16.0.0 0.0.0.255

I've implemented DMVPN in a lab environment; I just need someone to say either yes it will work, or to suggest alternatives to the arrangement below.

Regards

IPSecGreDmvpn.jpg
 
Looks OK for DMVPN.

When you say this is MPLS based, I assume you mean that the actual routers are connected to an IPVPN over xDSL circuits carried over a provider network, and you're "making your own connectivity" by using tunnels back to the head office; if so then fine. If it was over anything other than xDSL and was using MPLS, I'd expect leased lines and BGP running to PE routers, in which case I'd question why tunnels were needed.

I have a few small queries:

On the head office, is there any reason why you wish to use a tunnel interface and subnet per remote site? If you configure GRE multipoint on the head office you can use a single tunnel interface and use NHRP maps back to all the remote endpoint tunnels, and all the other tunnel interfaces sit on a /24 or something; that way everything is common and far more manageable. (I've done hundreds of these and have always used a single tunnel, even for over 1000 sites.) The only time I'd have more than one tunnel is if you have a backup head office and you want failover via an IGP. Check out http://www.cisco.com/warp/public/105/dmvpn.html
 
Thank you for the reply. The remote sites are all on SDSL over MPLS and the main site will be a leased line over MPLS terminating on Ethernet.

I'll be honest, my real concerns are that I haven't had much exposure to MPLS-based designs and have been used to VPN security over best-effort circuits, as such I am unsure what to expect on the customer routers. On the plus side I do know that the ISP PE routers will be running BGP.

This is where the confusion begins for me: due to the nature of MPLS, and that each site's traffic is tagged, is VPN security necessary even when only Layer 2 connectivity is provided? As all the sites are on MPLS, would you recommend dropping IPsec, GRE and EIGRP out of the equation and simply advertising all the internal private networks using BGP? Would this be secure?

To the best of my knowledge we would be going for a Layer 2 unbundled service and not a Layer 3 managed IPVPN, hence my reasoning behind running a DMVPN on top, but again this comes back to the previous question regarding security.

I have a meeting with a representative of the ISP this week so I imagine a lot of this will become clearer; I just worry too much!

You have cleared up the question mark in regards to the tunnel interfaces though, as I was unsure whether or not they had to be on different subnets.

Thank you for your time :)
 
In this design you don't actually need to use any form of tunnelling for it to work; however, the IPsec protection may offer security the client will want, as even though the routing is done in MPLS, it's still travelling unencrypted across the provider network.
In order for the solution to work properly, you only really ever need to use tunnels if you have multiple head offices.
This is because on an xDSL network it's highly unusual to run BGP on the xDSL routers; BGP only stretches as far as the provider xDSL gateway and the HO router if it has a leased line. In this case you will define the LAN range of each xDSL site in RADIUS.
When an xDSL site comes online, it will negotiate a PPP session and this will trigger the ISP to advertise a connected and static route for the dialer and LAN on the gateway into your VPN routing table in BGP; all you need on the xDSL router is a static default pointing out of Dialer 1, so all packets get sent toward the gateway.

There are many ways of doing it. In terms of security with IPVPN routing in MPLS, the customer gets their own personal routing table; in Cisco it's called a VRF table (VPN router forwarding). This means that although their connection may terminate on a box with hundreds of customers, the ISP will assign them their own routing table which is kept separate from all other networks. This is normally enough security for most people, unless they're running payments/other sensitive stuff, in which case encryption is always wanted.
 
Some very good information, cheers. I take it that should tunnelling not be implemented, all that's then required on each router is to allow traffic from the 10.171.0.0 subnet to pass inbound and outbound on the outside interface?
 
Basically, all you need to do is have the LAN range advertised by the provider's DSL RADIUS box; this will inject all of your remote-site xDSL LAN ranges into the customer IPVPN, and your head office will receive these networks via BGP.
The xDSL routers will reach everything via their default route pointing out of Dialer 1; to get to other spoke routers they go via the head office.

If it's a fully meshed IPVPN, you may have issues with some of the spokes talking to each other and bypassing the HO. If this is a problem the provider may be able to change the IPVPN so this doesn't happen, or you can run tunnels to ensure the only routing path is via the HO.

Out of curiosity, which provider is giving you the SDSLs and IPVPN?
 
We are partnered with a company called UKTelco who are a BT wholesaler; we give them the customer requirements and ask them to source the necessary providers for the service. I have a meeting today with them to get the finer points ironed out, and then we should know who the MPLS provider is for this project.

I think what I need to do is see it in a working environment to get a better idea of how overall connectivity is achieved; I had envisioned all sites running BGP with each router holding a copy of the overall routing table, but as you have mentioned above this isn't the case.

You have certainly sparked more of an interest than i had anticipated!
 
I used to provision custom solutions exactly like this for some of the biggest UK companies; nowadays I support them. It's all lots of fun!
Good luck with your customer!
 
Well, it appears that we shall be using Thus, a subsidiary of Demon, and their IPVPN service. They appear to have the Cisco CPN mark, which lends some comfort. I've managed to bag myself an MPLS engineer for next week so that I can torture him for information!

Thanks for your help :)
 