• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 983
  • Last Modified:

DMVPN, Zone based FIREWALL, NAT, Dynamic routing protocol, design and implementation

Hello:

I have been asked to design and implement a mid scale VPN solution. I plan to use a hub and spoke design where:
   
some spokes are corporate sites and others are connected via the inet.
   
WAN speeds vary between 5-20 Mb/s.
   
Not all spoke sites will be "on and connected" 24/7.
   
Some spokea that are far from the hub we need to communicate direcetly with one or more other spokes
.
   iNet acces will be limited to the hub.
   
Split tunnel wan connections will not be permnitted on the spokes, but will be used on the hub for inet access
   
spokes will either have a hard router or some soft VPN client depneding on their size, uptime and number of users
My planned architecture is based on DMVPN phase 3  . This will allow
   
dynamic spoke creation
    control over spoke to spoke communications
    ability to limit iNet access through a main controlled gateway
    simplification of the HUB as the number of spokes increases over time
I also need to use
   
NAT so that we can isolate spokes and deploy a well planned LAN side address space
    ZFW- Zone based firewall is planned to be implemented as various spokes and the hub will have services running
    EIGRP is planned for the LAN side
    BGP or static is planned for the WAN side
I am old school and tend to do all my configs with CLI and not use a gui or some wizards. Maybe this will be easier?

My question relates to the order of implementation. Specifically what should be coded first and how do they interact. Can people please recommend a  deployment order for the following.
   
DMVPN
    NAT
    ZBF
    LAN -EIGRP
    WAN-BGP
For my non-router based spokes, are there any preferred VPN clients that work well with DMVPN, easy VPN, Get VPN, NCP VPN client etc.


Tips, suggestions and comments are welcome from users in this excellent forum.
0
sectel
Asked:
sectel
  • 2
  • 2
1 Solution
 
eeRootCommented:
There isn't a specific order to set things up, the important thing is that you fully test it before deploying it.  Once you have the hardware and network connection types selected, you can start planning the configs.  Do you have a IP address/VLAN schema worked out?
0
 
sectelAuthor Commented:
i do have a structured LAN and tuneel ip schema.the WAn side addre are dicated by the host locations.

IMHO, there needs to be an order to the config. i was thinking that i would do
lan int with eigrp
wan int with bgp
nat
zbf
dmvpn

any thoughts?
0
 
eeRootCommented:
that looks good
0
 
sectelAuthor Commented:
Good answer
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now