Options

BGP over IPSEC

Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
in CCNP
Does anyone have any experience running a route based vti using bgp as the INTERIOR routing protocol? I have a client who wants to run the ipsec vpn this way and the senior Network Engineer says we have to do it.
· Share on FacebookShare on Twitter

Comments

  • Options
    ColbyGColbyG Member Posts: 1,264
    With GRE tunnels? I've run DMVPN with BGP. Traditional IPSec should work too.
    http://blog.alwaysthenetwork.com
    · Share on FacebookShare on Twitter
  • Options
    Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Yes. Sorry I should have mentioned that. I really want to use OSPF for this but the customer is always right.

    How well did that work out? I am assuming you advertised a private ASN between the tunnels.

    I originally thought about using DMVPN but I am having some trouble with the "how". I guess we could have multiple spoke routers. Can a router be a hub and a spoke at the same time (assuming the networks are different)?
    · Share on FacebookShare on Twitter
  • Options
    shodownshodown Member Posts: 2,271
    What are the design requirements, and more importantly what problem are we trying to solve?
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
    · Share on FacebookShare on Twitter
  • Options
    ColbyGColbyG Member Posts: 1,264
    Each site was an AS. I prefer BGP greatly when routing between sites. You have much, much more control. OSPF can be annoying to design for a DMVPN deployment if you want multiple areas.

    What do you mean a hub and a spoke? You have a diagram?
    http://blog.alwaysthenetwork.com
    · Share on FacebookShare on Twitter
  • Options
    Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    ColbyG wrote: »
    What do you mean a hub and a spoke? You have a diagram?
    shodown wrote: »
    What are the design requirements, and more importantly what problem are we trying to solve?



    Ok. R5-8 are our routers. R1-4 are our client. On R1 and R2 and R5 and R6 there are vpn tunnels two each other (these actually represent an HSRP pair). The same configuration is on R7, R8, R3 and R4. Those tunnels are the primary tunnel for traffic. R1 and R2 also have backup tunnel to R7 and R8 in case R5 and R6 fail. R3 and R4 have a similar connection. Now behind are routers (R5-icon_cool.gif are devices that need to talk to things behind their devices (R1-4). Now. Both sets of vpn devices have client devices talking at the same time that are in different subnets. So lets say that behind R1 and R2 the subnet is 10.1.0./24 which pairs to the subnet behind R5 and R6 which is 192.168.1.0/24. R3 and R4 have the subnet 10.2.0.0/24 which pairs to R7 and R8 which has 192.168.2.0/24.

    So in case of a failure of both of our routers on one side, we will have tunnels as backups. IMO we don't need BGP for this as we could just use tunnels with weights (and use RRI on the crypto maps as we have other devices behind R5/6 and R7/8 that could fail). I was thinking of making R5/6 and R7/8 DMVPN Hubs and the others spokes and have each a spoke to both hub pairs.
    Hopefully you aren't confused and I explained it well as my limited experience probably means my idea doesn't make sense.
    · Share on FacebookShare on Twitter
  • Options
    Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I think I figured out what I am going to do for this. I am going to use tunnels with different metrics on them. I have like 6 2811s and 2 3945s at work I can try this with.
    · Share on FacebookShare on Twitter
  • Options
    Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Colby did you use private ASNs for your network?
    · Share on FacebookShare on Twitter
Sign In or Register to comment.