Network Design suggestion needed

Unanswered Question
Aug 29th, 2008

Attached is the network topology diagram that I am going to implement.

My requirement is to encrypt all traffic leaving from any branch or core location.

Is this design practically a good choice?

3 separate DMVPN clouds, one for each location

Permanent IPsec tunnels between core locations

Branch to branch communication in the same location should be possible through dynamic tunnels

Branch to branch communication between the core locations via permanent IPsec tunnels

Considering the scalability of the network, doing encryption and decryption two times at the same router, will it affect the router performance a lot?

Is the 3845 a good choice??

Danilo Dy Sat, 08/30/2008 - 02:56

Make sure to have an AIM-VPN module to offload the encryption/decryption processing from the router CPU. Also, use AES for better performance.

I have a setup (3 or more links in each router have encryption) where I only use 2600 (now replacing them with 2800). Without the AIM-VPN module in the old 2600, performance suffers.

Joseph W. Doherty Sat, 08/30/2008 - 03:40

Instead of DMVPN, you might want to also look into GET-VPN.

If you include core locations within other core locations' DMVPN, i.e. where there's also a hub-spoke relationship, it is not clear whether you will still need to retain the permanent core-to-core tunnels.

No doubt it's a good idea to have redundancy, but it's unclear whether you need 3 independent DMVPN clouds. Perhaps you have in mind the benefit of hub-spoke within DMVPN, i.e. from any branch to a core location. That's true, but GET-VPN, if possible, might mitigate that advantage, and then there's the additional configuration and routing paths to manage and maintain.

As to scalability of the 3845s, it depends on how much traffic you expect to pass through them. Attached is information on the VPN performance of different Cisco devices, both with on-board and optional crypto hardware.

hasnain321 Mon, 09/01/2008 - 20:06

Thanks for the reply,

The design I am talking about has 3 separate DMVPN clouds; the expert says it is DMVPN phase 3 and even Cisco is not sure about the maturity of this network design. So I am confused about what should be done.

GET-VPN: is this a scalable solution? I am not running any MPLS network; is it still a good choice?

Any design and configuration guide about this will certainly help. Thanks
