Migrate DMVPN to mGRE

Unanswered Question
Mar 9th, 2010

We have recently moved encryption to the Application Layer of our network; this was a business requirement for other reasons. But from the network department's side, we see this as an opportunity to increase the scalability and longevity of our routers.

We are currently running a DMVPN network with approximately 800 spoke nodes, the majority being c871s. We would like to migrate the DMVPN to plain old mGRE, as the encryption is no longer a requirement of the Network Layer. This, however, doesn't seem like an easy task. I am trying to investigate the different options available to me to complete this migration. For some reason I thought there was a way to make the encryption in DMVPN optional, such that I could make the hubs optional and then migrate the spokes; however, this is contingent on encryption being optional. If not, the only way I can see to accomplish this is creating a new NHRP hub and migrating the spokes to this new hub one by one.

I'm all ears if someone could validate the "optional" option, or if there is a third or fourth option.



ryansharpe Wed, 03/10/2010 - 07:30

This actually wouldn't help. The goal is to eliminate the encryption overhead. I still require the tunneling; it is just the encryption I can do without.



Federico Coto F... Wed, 03/10/2010 - 08:45

So, you need the tunneling but not the encryption at L3.
In a DMVPN environment, IPsec normally provides the encryption while GRE provides the tunneling.

This is why you're considering plain old GRE tunnels (without encryption).

Now, the main purpose of IPsec is encryption. You can disable encryption for phase 2 in the transform set,
but you can't have a phase 1 policy for IPsec without encryption (you need to choose between DES, 3DES or AES).

If your final goal is to remove encryption at the network layer and leave only the tunnel, I see only the GRE option
(unfortunately this option is manual and not very flexible).
The problem here is that if we involve IPsec, it means encryption at L3 (at least for phase 1).


Laurent Aubert Wed, 03/10/2010 - 20:46


If you are not interested in Federico's option based on the esp-null transform in the transform set, you can create another mGRE tunnel on the hub with a new IP addressing plan and then migrate your spokes to this new cloud. It will be very smooth, assuming you are already using an IGP in your encrypted tunnels.
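The two approaches from the replies above (Federico's esp-null transform set, and Laurent's second mGRE cloud on the hub), written out as an added example that is not config from the original thread or from either poster. Hostnames, the hub's public address 203.0.113.1, the spoke source interface, the 10.0.0.0/16 and 10.1.0.0/16 tunnel ranges, the EIGRP AS number, tunnel keys and NHRP network IDs are all assumed for illustration; substitute your own. Syntax is standard Cisco IOS of that era, but check it against the release running on your c871s.

```ios
! ===== What the 800 spokes run today: mGRE + NHRP + IPsec (hub side) =====
crypto isakmp policy 10
 encr aes                      ! phase 1 always needs a cipher, as Federico notes
 authentication pre-share
 group 2
crypto isakmp key ExamplePSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set AES-SHA
!
interface Tunnel0
 description existing encrypted DMVPN cloud
 ip address 10.0.0.1 255.255.0.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN
!
! ===== Option A (Federico): drop the phase 2 cipher with esp-null =====
! ESP is still negotiated and every packet is still HMAC'd, so this removes
! only the cipher work, not the IKE SAs or the per-packet ESP processing.
crypto ipsec transform-set NULL-SHA esp-null esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set NULL-SHA AES-SHA   ! hub offers both, in this order, so spokes
                                      ! can be moved to NULL-SHA one at a time;
                                      ! unchanged spokes still match AES-SHA
!
! ===== Option B (Laurent): a second, unencrypted mGRE cloud on the hub =====
interface Tunnel1
 description new plain mGRE cloud, migration target
 ip address 10.1.0.1 255.255.0.0
 ip mtu 1400                   ! overhead is now outer IP + GRE + key = 28 bytes;
 ip tcp adjust-mss 1360        ! raise these only after testing your paths
 no ip split-horizon eigrp 100
 ip nhrp authentication MGREKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 101        ! distinct network-id and tunnel key let both
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101                ! clouds share one tunnel source
 ! no "tunnel protection": this tunnel carries GRE in the clear
!
router eigrp 100
 network 10.0.0.0 0.0.255.255
 network 10.1.0.0 0.0.255.255  ! hub runs the IGP over both clouds during the move
!
! ----- Spoke (c871) being migrated: bring up Tunnel1 next to Tunnel0 -----
interface Tunnel1
 ip address 10.1.0.21 255.255.0.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication MGREKEY
 ip nhrp map 10.1.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 101
 ip nhrp nhs 10.1.0.1
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 101
!
! Verify on the spoke before touching Tunnel0:
!   show ip nhrp              -> 10.1.0.1 registered, mapped via Tunnel1
!   show ip eigrp neighbors   -> hub adjacency present on Tunnel1
! Then:  no interface Tunnel0
! Once the last spoke is moved, remove Tunnel0 and the crypto config on the hub.
!
! ----- Hub edge filter: nothing authenticates GRE once IPsec is gone -----
! "ip nhrp authentication" is a cleartext string, not a security control.
! If your spokes have known source ranges, admit GRE only from them.
ip access-list extended GRE-FROM-SPOKES
 permit gre 198.51.100.0 0.0.0.255 host 203.0.113.1   ! assumed spoke range
 deny   gre any any log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group GRE-FROM-SPOKES in
```

Option B keeps both clouds up at once, so each spoke can be cut over and verified individually, which is what makes a one-by-one migration of 800 nodes tolerable. The edge ACL at the end only works when spoke public addresses are predictable; spokes on dynamic addresses cannot be filtered this way, and with IPsec removed the hub will then accept GRE and NHRP registrations from any source that knows the tunnel key and NHRP string.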



