DMVPN question

michael.dolan
Level 1

I'm currently working for an organization that has over 80 sites worldwide. They are currently using Watchguard Fireboxes with IPSec tunnels configured between each other in a kind of partial-mesh topology.

I've been reading up on DMVPNs and am in the process of putting together a proposal.

Key benefits being dynamic spoke-spoke tunnels (for VoIP and video), multicast support and ease of management, however I have a few questions.

Firstly, I would like to separate the function of firewalling and VPN devices, so I am considering creating a VPN DMZ at the hub site off of the firewalls. However, at the remote sites, some of which are less than 50 users, would it be advisable to use the DMVPN router as a firewall also? How will this affect its performance, or do we need to implement an ASA at each location as well? Is the Cisco IOS Firewall as good as a PIX?

What are people's experiences with DMVPNs in general?

Thanks in advance

2 Replies

mchin345
Level 6

The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html

Thanks. I've read that, due to the delay in setting up dynamic VPNs between spokes, VoIP will not work effectively over DMVPN. GetVPN seems to help. So would DMVPN and GetVPN over the internet be a decent strategy for a network wanting to use its VPN topology for Voice and Video? Assuming the bandwidth is there, of course.

Will the overhead of GRE and IPSec negatively affect voice quality?

Finally, for spoke sites would it be recommended to use a firewall (ASA) as well as a router (for DMVPN), or would a router with the firewall feature set be enough?

Thanks in advance