Yes, until the spoke-to-spoke tunnel is built, the traffic WILL traverse the
spoke---hub---spoke path, so you may need to size your connectivity to
accommodate this.

On 4/9/06 12:07 PM, "John Neiberger" wrote:
> And that also explains what happens to initial data packets between
> sites before a dynamic tunnel is created. I thought perhaps the
> packets were queued, but it sounds like they're just routed through
> the hub since it's already secure.
>
> Thanks for the clarification!
>
> John
>
> On 4/9/06, Richard Dumoulin wrote:
>> Yes right. Although no tunnel will still be built up between spokes, the
>> hub will announce a route to the spoke by announcing the next hop of the
>> spoke!
>> And when needed a spoke to spoke tunnel would be set up. In the meantime
>> the traffic will flow via the Hub
>>
>> -- Richard
>>
>> -----Original Message-----
>> From: John Neiberger [mailto:jneiberger gmail.com]
>> Sent: Sunday, April 9, 2006 17:37
>> To: Richard Dumoulin
>> Cc: cisco groupstudy.com
>> Subject: Re: RE : RE : Migrating to DMVPN [7:108707]
>>
>> Oh, I see. A secondary IGP like EIGRP runs over the static tunnels,
>> not over the dynamic spoke-to-spoke tunnels? Or does it do both?
>>
>> That explains my earlier confusion. Now I see how easy it would be to
>> do split tunneling. Once a site has been converted, its routes will be
>> advertised over the WAN via BGP and over the tunnels via EIGRP, for
>> example. If SiteQ only sees routes for SiteZ in the BGP table then it
>> will route it normally. If SiteQ sees the EIGRP routes over the tunnel
>> then the process to set up a dynamic tunnel begins.
>>
>> Is that correct?
>>
>> On 4/9/06, Richard Dumoulin wrote:
>>> Well, the GRE tunnel is set up automatically well before any data traffic
>>> has to pass through it. Actually EIGRP or some other IGP provokes the
>>> build up of the tunnel. So the answer is yes, depending on whether the
>>> destination is MPLS or IPSec your hub router will be able to split the
>>> traffic depending on what the routing table says (actually the FIB).
>>>
>>> Regarding your example, SiteA will already know through an IGP how to
>>> reach SiteC. If A is your hub then it will direct the packets to C directly
>>> through the MPLS cloud. If B is the hub then A will direct the packets to
>>> B in order to reach C because the IGP would have told A so.
>>>
>>> Regards
>>>
>>> -- Richard
>>>
>>> -----Original Message-----
>>> From: nobody groupstudy.com [mailto:nobody groupstudy.com] On behalf of John Neiberger
>>> Sent: Sunday, April 9, 2006 04:55
>>> To: cisco groupstudy.com
>>> Subject: Re: RE : Migrating to DMVPN [7:108707]
>>>
>>> Can you do, in effect, split tunneling so only traffic to converted
>>> destinations is encrypted? I'm trying to figure out what happens to
>>> initial traffic at a router while the router tries to determine if it
>>> can be encrypted or not.
>>>
>>> Let me explain. Let's say you have three sites, two of which have been
>>> converted (SiteA and SiteB). SiteC has yet to be converted. If a
>>> device at SiteA tries to talk to SiteC, isn't the router going to
>>> waste time trying to do an unnecessary NHRP lookup? Will the router
>>> eventually route the traffic following normal routing rules? If so,
>>> how long does it wait?
>>>
>>> Thanks,
>>> John
>>>
>>> On 4/8/06, Richard Dumoulin wrote:
>>>>
>>>> Migrating at once is not a viable option I think. You could choose one
>>>> site as a Hub and plug it into the Internet. Then you could point the
>>>> tunnels of the remote sites one by one to this interface. The other
>>>> option is to install another Ipsec hub router that would receive the
>>>> encrypted traffic. Then just enable dynamic routing between the MPLS and
>>>> the IPSec router.
>>>> During the migration you will not have any to any connectivity though,
>>>>
>>>> -- Richard
>>>>
>>>> -----Original Message-----
>>>> From: nobody groupstudy.com [mailto:nobody groupstudy.com] On behalf of John Neiberger
>>>> Sent: Saturday, April 8, 2006 22:27
>>>> To: cisco groupstudy.com
>>>> Subject: Migrating to DMVPN [7:108707]
>>>>
>>>>
>>>> I have another question related to DMVPN. How would you handle a
>>>> migration from an unencrypted network to one supporting DMVPN? It
>>>> seems to me that you might have to convert your entire network at
>>>> once. Is that correct or is there some sort of migration path that
>>>> would allow encrypted tunnels between converted sites and unencrypted
>>>> communications to unconverted sites?
>>>>
>>>> Thanks,
>>>> John
>>>>
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=108740&t=108707