[c-nsp] Two DMVPN spokes on a single 8xx

Tomas Daniska Tomas.Daniska at soitron.com
Mon Dec 6 05:17:37 EST 2010


Ben,

> -----Original Message-----
> From: Benjamin Lovell [mailto:belovell at cisco.com]
> Sent: Saturday, December 04, 2010 12:53 PM
> 
> Minor correction. Traffic will still be CEF switched but will be
> software CEF switched not MLS CEF switched.

yup, got the point from Oli as well.
 
> This is a limitation of the EARL 7 generation of forwarding engines.
> GRE decap can only be done based on dest IP so you need a unique IP
> endpoint for each tunnel. This is not a problem on any software
> platform as there is no ASIC to be subject to this limitation.
> 
> For DMVPN w/ IPSEC you can use the same IP address for two mGRE
> tunnels as long as you use the same crypto profile and the shared KW.

Can you elaborate a little more, please?

(by KW, do you mean the key-string with standard IPSEC protection?)

What we need to do is terminate two distinct *GETVPNS* at the CE, each in its own VRF. That means two different GDOI groups, one for each tunnel interface. Sorry if saying 'DMVPN' confused you, I meant the mGRE part of it.

The reason for mGRE here is that the underlying transport is an L3 VPN from a carrier. We need to integrate these remote sites into an existing GETVPN; that means the hub(s) are going to terminate mGRE only, with GDOI being processed at the edges as usual.

Should I deduce from what you wrote that we need two distinct IPs for each of the mGRE spoke tunnel interfaces?

I've tried searching for explicit documents on this before; I have found many on DMVPN on 8xx, many on GDOI in VRF on 8xx, but nothing extra on mGRE/VRF/GDOI in combination.


Thanks much!

--

deejay



