Friday, September 14, 2018

DMVPN Design Issue

Hello r/networking... I have a bit of a weird one here with a DMVPN design issue that I'm struggling with.

Background/Business Requirements

Basically we have about 120 locations all connected via DMVPN. The company is divesting one of its departments, meaning about 40 of the locations will be sold off.

The interesting part about this sale is that we will be supporting those locations for the next 18 months until the new company's IT team takes over and then they will be cut off. During those 18 months they will be required to have access to our internal resources.

Management would like us to take those 40 locations and put them on their own DMVPN network ASAP, with separate ipsec profiles so that the new company doesn't have access to our credentials/pre-shared-keys/etc. I can handle the routing here so that part isn't going to be an issue.

Technical Issues

So, the tough part is that we have 4 hubs. Two of them are the main office locations, the other two are AWS. This is where all of my problems are, as the spokes are just an easy change to spin up a second tunnel and remove the original.

With the hubs, they will need to have both DMVPN clouds up simultaneously. I haven't, however, found a way to do this with separate tunnel protection profiles. In a lab I have only been able to get this to work by using the same ipsec profile on both tunnels, which obviously is not going to work in this situation.

We are using the WAN interface on all hubs as the tunnel source. DMVPN is running phase 3. I don't know what other information you may need. I will say that I thought of subinterfaces with VRFs, but we have no way of using dot1q on the AWS side, so that seems out of the question.

If anyone has ANY ideas, I would like to hear them. I am probably going to contact Cisco Monday regardless, but I'd love to try and have an idea of what we can do before then.
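The following is an added illustration of the hub-side problem, not the original poster's configuration and not a tested answer to the question. On Cisco IOS/IOS-XE, tunnel interfaces that share one tunnel source address are bound to the same IPsec SA database (the `shared` keyword on `tunnel protection`), which matches the lab observation above that only a common IPsec profile worked. One way to keep the two clouds' pre-shared keys separate is to give each mGRE tunnel its own source address, and then its own IKEv2 keyring, IKEv2 profile and IPsec profile, so that a spoke in the divested cloud never sees the corporate keyring. All interface and profile names, the 203.0.113.x and 10.x.x.x addresses (documentation ranges), the tunnel keys and the PSK placeholders are assumptions. The design also assumes each hub can own a second routable address (a loopback advertised upstream, or a second WAN address); the post says that is exactly what is in doubt for the AWS hubs, so it would have to be checked there first, and the exact keyword syntax should be verified against the running release.

```cisco
! ---- Cloud A: corporate DMVPN (stays with the parent company) ----
crypto ikev2 keyring KR-CORP
 peer CORP-SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key CORP-PSK-PLACEHOLDER
!
crypto ikev2 profile IKEV2-CORP
 ! only IKE sessions arriving on the corporate source address use this keyring
 match address local interface Loopback10
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-CORP
!
! transform set holds no secret, so one can serve both clouds
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-CORP
 set transform-set TS-AES256-SHA256
 set ikev2-profile IKEV2-CORP
!
interface Loopback10
 description Corporate DMVPN tunnel source (first public address, assumed)
 ip address 203.0.113.1 255.255.255.255
!
interface Tunnel10
 description Corporate DMVPN hub, phase 3
 ip address 10.10.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 10
 ip nhrp map multicast dynamic
 ip nhrp redirect
 tunnel source Loopback10
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile IPSEC-CORP
!
! ---- Cloud B: divested DMVPN (handed over after 18 months) ----
crypto ikev2 keyring KR-DIVEST
 peer DIVEST-SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key DIVEST-PSK-PLACEHOLDER
!
crypto ikev2 profile IKEV2-DIVEST
 match address local interface Loopback20
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-DIVEST
!
crypto ipsec profile IPSEC-DIVEST
 set transform-set TS-AES256-SHA256
 set ikev2-profile IKEV2-DIVEST
!
interface Loopback20
 description Divested DMVPN tunnel source (second public address, assumed)
 ip address 203.0.113.2 255.255.255.255
!
interface Tunnel20
 description Divested DMVPN hub, phase 3
 ip address 10.20.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 20
 ip nhrp map multicast dynamic
 ip nhrp redirect
 tunnel source Loopback20
 tunnel mode gre multipoint
 tunnel key 20
 ! distinct profile, so no "shared" keyword and no common SA database
 tunnel protection ipsec profile IPSEC-DIVEST
```

The point of the split is that rotating or revoking DIVEST-PSK-PLACEHOLDER at cutover touches only KR-DIVEST, IKEV2-DIVEST and Tunnel20, while the corporate spokes keep running on Tunnel10 unchanged. On each hub, `show crypto ikev2 sa` should list sessions under the expected local address and profile for each cloud, which is the quickest way to confirm that no divested spoke negotiated against the corporate keyring.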
