08-29-2008 11:16 PM - edited 03-03-2019 11:20 PM
Attached is the network topology diagram that I am going to implement.
My requirement is to encrypt all traffic leaving from any branch or core location.
Is this design a practically good choice?
3 separate DMVPN clouds, one for each location
Permanent IPsec tunnels between core locations
Branch-to-branch communication in the same location should be possible through dynamic tunnels
Branch-to-branch communication between the core locations via permanent IPsec tunnel
Considering the scalability of the network, will doing encryption and decryption two times at the same router affect the router performance a lot?
Is the 3845 a good choice?
08-30-2008 02:56 AM
Make sure to have the AIM-VPN module to offload the encryption/decryption processing from the router CPU. Also, use AES for better performance.
I have a setup (3 or more links in each router have encryption) where I only use 2600s (now replacing them with 2800s). Without the AIM-VPN module in the old 2600, performance suffers.
08-30-2008 03:40 AM
Instead of DMVPN, you might want to also look into GET-VPN.
If you include core locations within other core locations' DMVPN, i.e. where there's also a hub-spoke relationship, it's not clear whether you will still need to retain the permanent core-to-core tunnels.
No doubt it's a good idea to have redundancy, but it's unclear whether you need 3 independent DMVPN clouds. Perhaps you have in mind the benefit of hub-spoke within DMVPN, i.e. from any branch to a core location. That's true, but GET-VPN, if possible, might mitigate that advantage, and then there's the additional configuration and routing paths to manage and maintain.
As to scalability of the 3845s, it depends on how much traffic you expect to pass through them. Attached is information on the VPN performance of different Cisco devices, both with on-board and optional crypto hardware.
09-01-2008 08:06 PM
Thanks for the reply,
The design I am talking about has 3 separate DMVPN clouds; an expert says it is DMVPN phase 3 and even Cisco is not sure about the maturity of this network design. So I am confused about what should be done.
Is GET-VPN a scalable solution? I am not running any MPLS network; is it still a good choice?
Any design and configuration guide about this will certainly help. Thanks