cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
881
Views
0
Helpful
10
Replies

800 series and VPN

darkleyabove
Level 1
Level 1

Hello all,

I have been searching high and low for an answer to this question and have come away confused.

Do I need DMVPN in order to use a VPN endpoint behind a router perfomring NAT?

ISP ------> Internet router -------> 800

Also, if the answer is no, then can al of the 800 series and soho routers support this?

I really appreciate everyones help with this.

1 Accepted Solution

Accepted Solutions

Glad to hear that.

If you encounter any other questions let us know

Please do rate helpful posts.

Federico.

View solution in original post

10 Replies 10

Leo Laohoo
Hall of Fame
Hall of Fame

Depends on the specificThere are alot of questions that need to be asked here.

Will your router be a Hub?  And for how many sites?
What is the bandwidth of your WAN link?

Hi,

If the only reason you're interested in DMVPN is for the 800 behind a NAT device the answer is no.

You don't need DMVPN for that. You can have simple IPsec tunnels.

It all depends on what you want to do.

The IPsec tunnel encrypts/protects the traffic between two endpoints over the Internet.

The DMVPN solution is normally used when you want the IPsec protection but you have multiple remote sites (that could have dynamic IPs assigned by the ISP, and you need full-mesh VPN connectivity). There's a central hub (or hubs) and multiple spokes that have permanent tunnels with the hub and can dynamic build tunnels between them.

DMVPN consists of NHRP to dynamically build the tunnels and GRE and IPsec as well to allow multicast traffic and encryption for security.

If you have a single site, I would suggest not to complicate with DMVPN, as I said only when you can see the benefits of having this technology.

The 800 series indeed support DMVPN, but again depending on what you want to do.

Federico.

sorry for the lack of info.

The hub site would be just that a hub. Bandwidth is of no concern.

I would have multiple sites terminating to the hub site however they do not need to be able to reach one another.

How many remote sites?

If the spokes don't need to ''talk'' to each other, and you have a relatively small number of spokes, I don't see the need for DMVPN.

Do you need to send traffic other than IP unicast traffic through the tunnels?

Plain IPsec does not support the transmission of multicast or non-IP traffic (in this case you need GRE or VTI)

To try to better design a solution, let's see how many spokes you will have and if the traffic to be sent is other than IP unicast (like routing protocol updates).

Federico.

the traffic would be voip between the remote sites and the hub. While it would be interesting if the spokes would speak directly to each other the need is only for the hub to reach the spokes. The number of spokes I will have issomewhat of a moving target right now I have 7.

Hi,

Take a look at DMVPN and see what you decide:

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

If you have any questions let us know.

Hope it helps.

Federico.

unfortunately i don't have access to thtat doc. Is DMVPN Reqired for my setup? like I said I do not need communication between spokes just hub to spoke. the traffic flow ill always be unidirectional as in hub to spoke, This is a call center calling to remote exchanges.

The only reason that you would need DMVPN is if the traffic that you're exchanging through the tunnel is non-IP or non-unicast traffic.

If it's a call center and the voice could travel as unicast traffic in IP packets, then you could simply have IPsec tunnels between the hub and the seven spokes.

If you need call control traffic or multicast traffic to be sent through the tunnel, then plain IPsec would not work and you can create IPsec/GRE tunnels for example or end up with DMVPN.

DMVPN will work on your setup, I'm just trying to make it clear that you can have simple IPsec tunnels instead if:

- You don't need spoke-to-spoke tunnels

- There's no need for multicast or broadcast traffic or non-IP protocols through the tunnel

- There's a relatively small amount of VPN peers

Federico.

perfect thats what I needed and thought. Thanks for your help.

Glad to hear that.

If you encounter any other questions let us know

Please do rate helpful posts.

Federico.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: