RE: Real world scenario

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Sun, 21 Jul 2013 10:27:59 -0500

Run DMVPN. It's specifically designed for this type of scenario.

Brian McGahan, 4 x CCIE #8593 (R&S/SP/SC/DC), CCDE #2013::13
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
Sent: Saturday, July 20, 2013 7:40 PM
To: Jitendra Anbu
Cc: Nadeem Anjum; Cisco certification
Subject: Re: Real world scenario

I'm not sure of your layout, but you would create a tunnel interface, source as the Ethernet IP, destination of the remote Ethernet IP, with a common subnet between the tunnel interfaces. This builds your GRE. Add your IPSEC on top of it if security tightening is needed. Apply BGP.

Regards,
Jay McMickle- 2x CCIE #35355 (R/S,Sec)
Sent from my iPhone 5
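As an added illustration of the design Jay describes (tunnel sourced from the Ethernet IP, /30 between tunnel ends, IPsec on top, BGP across it, plus the BGP password he mentions in his earlier reply), here is a minimal Cisco IOS pairing for the hub and branch B1. This is not configuration from anyone in the thread; every address, AS number, interface name and key is a constructed placeholder.

```cisco
! Hub router. All addresses, AS numbers, interface names and keys are
! constructed placeholders; 203.0.113.0/24 stands in for the ISP L2 VLAN.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME-PSK-B1 address 203.0.113.11
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
interface GigabitEthernet0/0
 description Ethernet hand-off to the ISP switched network
 ip address 203.0.113.1 255.255.255.0
!
interface Tunnel1
 description GRE to branch B1, one /30 per spoke
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.11
 tunnel protection ipsec profile GRE-PROT
!
router bgp 65001
 neighbor 10.0.0.2 remote-as 65011
 neighbor 10.0.0.2 password CHANGE-ME-BGP-B1
 network 192.168.1.0 mask 255.255.255.0
!
! Branch B1. ISAKMP policy, transform set and IPsec profile are identical
! to the hub's; only the lines that differ are shown.
crypto isakmp key CHANGE-ME-PSK-B1 address 203.0.113.1
!
interface GigabitEthernet0/0
 ip address 203.0.113.11 255.255.255.0
!
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
router bgp 65011
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 password CHANGE-ME-BGP-B1
 network 192.168.11.0 mask 255.255.255.0
```

Without the `tunnel protection` line the BGP session and all inter-site traffic cross the provider's shared Layer 2 domain in the clear, so that line is the one that actually delivers the "secure" part of the question. Each further branch needs its own Tunnel interface, /30 and pre-shared key on the hub, which is the per-spoke repetition that DMVPN, as Brian suggests, removes with a single mGRE interface.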

On Jul 20, 2013, at 3:56 PM, Jitendra Anbu <jitanbu_at_gmail.com> wrote:

> Hi Jay & Nadeem, yes this is an option I am looking at & also simply
> running IPSec over BGP. I suppose what keeps bugging me is the BGP peering between the Hub and the spokes (branches). That is, do I create Dot1Q interfaces with multiple IP addresses of /30 between the Hub and the spokes OR, because all devices are in the same VLAN, do I simply peer based on their interface IP addresses (which is a pool of /24)? I also intend to provide QoS guarantees between the Hub and the spokes, so I feel individual /30s would be the best way to go. I'd like to know what you guys think.
>
> Thanks heaps.
>
> Jit
>
>
> On Fri, Jul 19, 2013 at 9:31 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>> I'm not sure I understand the issue fully, but can't you create a
>> GRE tunnel between each hub/spoke and run BGP over the tunnel? You can password protect BGP and/or run IPSEC over GRE if you are really concerned about security.
>>
>> Regards,
>> Jay McMickle- 2x CCIE #35355 (R/S,Sec)
>> Sent from my iPhone 5
>>
>> On Jul 19, 2013, at 1:40 AM, Jitendra Anbu <jitanbu_at_gmail.com> wrote:
>>
>> > Thanks Nadeem, I guess you're right, this method will work fine.
>> > But, I was wondering if there was any Cisco best practice when it comes to
>> > this sort of implementation.
>> >
>> > Rgds,
>> > Jit
>> >
>> >
>> > On Fri, Jul 19, 2013 at 4:20 PM, Nadeem Anjum <nadeemkool_at_yahoo.com> wrote:
>> >
>> >>
>> >> This is already a better way. Do you require any specific feature between
>> >> this connectivity?
>> >>
>> >> Thanks,
>> >> Nadeem Anjum
>> >>
>> >> ------------------------------
>> >> *From:* Jitendra Anbu <jitanbu_at_gmail.com>
>> >> *To:* Cisco certification <ccielab_at_groupstudy.com>
>> >> *Sent:* Friday, July 19, 2013 9:54 AM
>> >> *Subject:* Real world scenario
>> >>
>> >> Hi experts, I have a real world question & hoping someone can provide
>> >> some advice/guidance. The diagram below represents network connection(s)
>> >> with a service provider's Layer 2 switched network. These connections are
>> >> Ethernet and all customer devices have layer 3 reachability between the
>> >> Hub router and the Branch routers. Here are my questions and concerns:
>> >>
>> >> What is the best way to run a "secure" BGP connection(s) between the HUB
>> >> and the branches B1 and B2? Assuming each branch and Hub will be in its
>> >> own private AS. Also, the ISP does not take part in any routing. This
>> >> might sound simple, just running p2p BGP sessions between the Hub and
>> >> the branches and using IPSec to secure the data plane. But is there a
>> >> better way to do this?
>> >>
>> >>       HUB
>> >>        |
>> >>     ___|___
>> >>    |__ISP__|
>> >>     |     |
>> >>     |     |
>> >>    B1     B2
>> >>
>> >> Thanks,
>> >> J
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Jul 21 2013 - 10:27:59 ART

This archive was generated by hypermail 2.2.0 : Thu Aug 01 2013 - 08:45:50 ART