• Status: Solved

DMVPN: want to send VoIP (SIP/RTP) over the tunnel, and all other data traffic out the WAN port

Greetings,

I have a basic Hub-Spoke DMVPN network. I would like all VoIP (SIP/RTP) traffic to go over the VPN tunnels, and everything else (standard Internet data) to go out the WAN port (uplink to ISP).

Any help would be appreciated.
Asked by: chikagoh
1 Solution
 
decoleur Commented:
DMVPN provides access to the tunnel through routing. If you want SIP/RTP traffic to go through the tunnels, make the routing for those networks or that type of traffic prefer the tunnel as the path. Are you concerned with hub-to-spoke communication or spoke-to-hub? Also, what type of routing are you doing on your DMVPN config, EIGRP or OSPF? If you can identify the networks of interest and the basic routing/tunnel configs we can provide more specific configuration guidance.

-t
 
chikagoh (Author) Commented:
I am using EIGRP. Currently I use a route-map to send all traffic from each spoke's LAN over the VPN to the Hub and then onto the Internet (from the Hub's ISP connection). I would like to limit this to just VoIP, and have all other traffic go out the WAN.

Hub Config:

crypto keyring dmvpnspokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key XXX
!        
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp profile DMVPN
   keyring dmvpnspokes
   match identity address 0.0.0.0
!        
!        
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!        
crypto ipsec profile DMVPN_BRIT
 set transform-set strong
 set isakmp-profile DMVPN

interface Tunnel0
 bandwidth 1000
 ip address 11.11.11.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXX
 ip nhrp map multicast dynamic
 ip nhrp network-id XXX
 ip nhrp holdtime 300
 ip nhrp redirect
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 no ip mroute-cache
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXX
 tunnel protection ipsec profile DMVPN_BRIT



Spoke Config:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key XXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_BRIT
 set security-association lifetime seconds 120
 set transform-set strong


interface Tunnel0
 bandwidth 1000
 ip address 11.11.11.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat outside
 ip nhrp authentication XXX
 ip nhrp map 11.11.11.1 x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id XXX
 ip nhrp holdtime 300
 ip nhrp nhs 11.11.11.1
 ip nhrp shortcut
 ip nhrp redirect
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1360
 no ip mroute-cache
 delay 200
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXX
 tunnel protection ipsec profile DMVPN_BRIT


interface FastEthernet0/0
 description TO-_ISP
 ip address dhcp client-id FastEthernet0/0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled


interface Vlan1
 description INSIDE
 ip address 172.16.211.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip policy route-map TOVPN

access-list 111 permit ip 172.16.211.0 0.0.0.255 any

! Route-map name matches the "ip policy route-map TOVPN" applied on Vlan1
route-map TOVPN permit 10
 match ip address 111
 set interface Tunnel0

 
chikagoh (Author) Commented:
Also, the remote networks of interest are nearly impossible to identify. We use a VoIP hosting provider with SBCs, AS's and thousands of media gateways. I am hoping to identify the protocol to determine the route to take (VPN or Fa0/0 NAT).
 
decoleur Commented:
Is this a Cisco voice solution or something else? If so, you could use the dsp classification of the RTP and C&C streams as the classifier, if you can trust the devices with QoS.
 
chikagoh (Author) Commented:
No Cisco Call Manager. Polycom phones, Cisco 1861 routers.
 
decoleur Commented:
Perfect. You can classify the traffic to be routed through the tunnels based upon the source IPs and destination protocols as well as DSCP values. I would match DSCP values 3 and 5 and AF41 and send them through the tunnel. You could also do any-to-any on tcp/2000.

let me know if you need more help setting this up.

-t
 
chikagoh (Author) Commented:
What is tcp/2000 for? I know SIP is udp/5060 and RTP is an upper range of UDP ports.

Could I also use class/policy maps (I've used these for QoS) to send SIP and RTP audio through the tunnel, or does it need to be DSCP only?

I can work a config and post it tonight to make sure it's correct.
 
decoleur Commented:
tcp/2000 is Skinny, or SCCP, the alternative to SIP.

You could absolutely use class/policy maps like you would use for QoS for this. That is kind of what I was leading you towards; I just didn't know how much you had done before.

-t
 
chikagoh (Author) Commented:
I would want to use whichever is best in regards to performance and minimal overhead. I will also want to implement QoS at some point, so whatever will work easiest with that.
 
decoleur Commented:
I would use a basic QoS design to identify the traffic of interest and also route that traffic through your VPN tunnels. Set it up once, right, and then you don't need to revisit it later.

What I typically recommend is to allocate 33% to RTP and 5-10% to C&C depending on the bandwidth available. Everything else is best effort.

Are you going to be doing video as well? That would also go into the 33%.

hope this helps,

-t
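The approach decoleur outlines in the two answers above (classify voice by protocol and DSCP, steer only that into the tunnel, and reuse the same classes for QoS with roughly 33% for RTP and 5-10% for call control), written out as an added spoke-side example. This is not the thread author's working config; it reuses the 172.16.211.0/24 LAN, Vlan1, Tunnel0 and FastEthernet0/0 from the posted spoke config, and the RTP port range, DSCP marks, 7% call-control share and 1 Mbps shaper are assumptions to adjust to the phones and provider, and it assumes the phones' DSCP markings can be trusted.

```cisco
! Spoke side. Classification ACL: SIP signalling, RTP media and voice DSCP marks.
! RTP range and DSCP values are assumptions; check what the phones/provider use.
ip access-list extended VOICE-TO-VPN
 remark SIP signalling (UDP/TCP 5060) from the LAN
 permit udp 172.16.211.0 0.0.0.255 any eq 5060
 permit tcp 172.16.211.0 0.0.0.255 any eq 5060
 remark RTP media, assumed range 16384-32767; it overlaps ephemeral ports on some
 remark hosts, so narrow it to the phones' configured range or rely on DSCP
 permit udp 172.16.211.0 0.0.0.255 range 16384 32767 any
 permit udp 172.16.211.0 0.0.0.255 any range 16384 32767
 remark Traffic the phones already mark as voice (EF) or call control (CS3/AF41)
 permit ip 172.16.211.0 0.0.0.255 any dscp ef
 permit ip 172.16.211.0 0.0.0.255 any dscp cs3
 permit ip 172.16.211.0 0.0.0.255 any dscp af41
!
! PBR: only ACL matches are steered into the DMVPN tunnel; everything else falls
! through to the routing table (default route out FastEthernet0/0, NATed).
route-map TOVPN permit 10
 match ip address VOICE-TO-VPN
 set interface Tunnel0
!
interface Vlan1
 ip policy route-map TOVPN
!
! QoS on the tunnel using the same marks: 33% strict priority for RTP (EF),
! 7% for call control (CS3/AF41), everything else best effort (assumed split).
class-map match-any VOICE-RTP
 match ip dscp ef
class-map match-any VOICE-SIGNALLING
 match ip dscp cs3
 match ip dscp af41
policy-map VOICE-OUT
 class VOICE-RTP
  priority percent 33
 class VOICE-SIGNALLING
  bandwidth percent 7
 class class-default
  fair-queue
! Parent shaper (1 Mbps assumed, matching "bandwidth 1000" on Tunnel0) so the
! queuing policy can be attached to the tunnel interface.
policy-map TUNNEL-SHAPE
 class class-default
  shape average 1000000
  service-policy VOICE-OUT
!
interface Tunnel0
 qos pre-classify
 service-policy output TUNNEL-SHAPE
```

Check that voice is actually being steered and queued with `show route-map TOVPN` (policy match counters) and `show policy-map interface Tunnel0`; if the EF/CS3 counters stay at zero the phones are not marking, or a switch in between is rewriting DSCP.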