VPN Design Question

Jun 18th, 2007

Hi Sir,

There's a requirement to connect 150-200 spoke sites to a hub router via IPSec site-to-site VPN. There may be two hub sites for redundancy. I'm exploring deploying DMVPN.

What other technologies could possibly be deployed, taking into consideration manageability, scalability, and high availability?

Please advise.

Thank you.

B.Rgds,

Lim TS

limtohsoon Tue, 06/19/2007 - 01:30

Hi Shadi`,

Thanks for your response.

I need some time to go through the GET VPN concept.

By the way, do you think DMVPN scales well for this many spoke sites (150-200)? Do you recommend DMVPN?

Thank you.

B.Rgds,

Lim TS

shomar Tue, 06/19/2007 - 01:35

Hi Lim,

I think DMVPN will scale well for this number of spokes, but you will need to take care selecting the HUB platform to be well capable of handling that number :)

regards,

Shadi`

limtohsoon Mon, 06/25/2007 - 07:05

Hi Shadi`,

I'm configuring IPSec transport mode for DMVPN as follows:

!
crypto ipsec transform-set tset1 esp-des esp-sha-hmac
 mode transport
!
crypto ipsec profile dmvpnprof
 set transform-set tset1
!

Which mode is more recommended for DMVPN? I understand that transport mode is required to support the NAT-Transparency Aware DMVPN enhancement. But the DMVPN Design Guide recommends tunnel mode.

Please advise.

Thank you.

B.Rgds,

Lim TS
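
The posted transform set and profile in context, as an added example that is not part of the original posts or of any Cisco guide: it shows where the mode setting sits and how the profile binds to a hub mGRE tunnel. The addresses, interface names, NHRP network-id and the second transform-set name are assumptions, and esp-aes 256 replaces the posted esp-des because DES uses a 56-bit key.

```cisco
! Added example; addresses, interface names and IDs are constructed.
! IKE (ISAKMP) policy and keys are omitted.
!
! Transport mode: ESP protects the GRE packet directly.
!   outer IP | ESP | GRE | inner IP | payload
crypto ipsec transform-set tset1 esp-aes 256 esp-sha-hmac
 mode transport
!
! Tunnel mode (the IOS default): ESP wraps the GRE packet in a second
! IP header, which costs 20 more bytes per packet.
!   outer IP | ESP | IP | GRE | inner IP | payload
! tset1-tunnel is a hypothetical name, shown only for comparison.
crypto ipsec transform-set tset1-tunnel esp-aes 256 esp-sha-hmac
 mode tunnel
!
! The profile selects which transform set (and so which mode) is used.
crypto ipsec profile dmvpnprof
 set transform-set tset1
!
! Hub mGRE interface: the profile is attached with "tunnel protection".
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpnprof
```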

majsa Mon, 06/25/2007 - 11:33

I am using DMVPN (tunnel mode GRE multipoint) with 120 or so tunnels on a DS3 (remote site T1's). Termination point is a 3825 running at an average of 15% CPU.

I've had it up just over a year now and couldn't be happier. I can deploy a new site without ever touching my main hub router and the network itself has never dropped. The best part is, I was able to move data centers on the fly by just adding a second tunnel to each remote site, then removing the original.
