MPLS over encryption

narendra.gkumar
Level 1

Hello Friend,

Need your help on MPLS over-relay setup encryption.

I have 10 sites across the world which will connect via MPLS, where the ISP will participate in customer routing; they will do the optimized routing.

CE routers are managed by the ISP. I need to encrypt the data before it enters the MPLS cloud and decrypt the data when it enters the other end's LAN.

Basically, I'm looking for encryption between CE and CE. Is there any way to do this?

Regards,

Naren

7 Replies

Giuseppe Larosa
Hall of Fame

Hello Naren,

CE to CE encryption is not a problem.

As discussed in a recent thread, you can use DMVPN or GETVPN to implement a mesh of encrypted communication tunnels between different CE sites.

For DMVPN you can refer to the Solution Reference Network Design:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html

Another design guide, for enterprises using MPLS L3 VPN services:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwane.html

I've tested DMVPN over an MPLS L3 VPN and it works well.

GETVPN is a more recent security framework that can be considered too.

Hope to help

Giuseppe

Follow-up question, if I may...

Is it possible to stage a DMVPN (or GETVPN) one branch at a time, rather than have to implement all WAN endpoints at the same time? Specifically, if we rolled out the DMVPN/GETVPN headend router(s) at HQ for the purpose of encrypting connectivity over the MPLS network, would all of the remote locations lose connectivity until they were configured for DMVPN as well, or could all of these sites still communicate with each other (and the headend) until time allowed for them to be reconfigured?

This will obviously become a very big issue for larger networks, so I'm hoping the MPLS can support DMVPN and non-DMVPN connectivity during a transition/migration period. I've been through the Design Guide, but it doesn't seem to address this question.

Thank you!

Hello Bkccards64,

With DMVPN this should be possible, as from a routing point of view you use a different routing protocol over the DMVPN (or at least a different process): when you add a new site to the DMVPN, the routes of the site will disappear from the external routing domain (the one used in the MPLS L3 VPN) and will appear as coming from the DMVPN hub(s).

So actually you will have, for some time, a level of non-optimal paths, but with the advantage of allowing for a smooth transition.

Hope to help

Giuseppe

K, just to make sure, Giuseppe:

This would work even if the customer is not rolling out DMVPN as a backup solution over the Internet?  Meaning, each router will have a single WAN connection/interface, so for the above to be supported (stage migration of the network over to DMVPN), a node would have to be able to communicate over that single interface to both DMVPN and non-DMVPN endpoints.

Thanks again!

Hello BKccards64,

I'm sorry for the late answer.

Yes, even if the DMVPN is deployed over the same L3 VPN topology, as I have explained in the previous post, it should be possible to perform a smooth migration.

Hope to help

Giuseppe
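To make the staged migration Giuseppe describes in the two posts above concrete, here is an added Cisco IOS-style configuration sketch (not from the thread or from Cisco's design guides): the hub CE keeps its BGP session with the PE for the underlay, while a separate EIGRP process runs only inside the encrypted mGRE overlay, so a migrated spoke's LAN leaves the MPLS routing domain and re-enters it behind the hub. All addresses, AS numbers, interface names and the pre-shared key are constructed placeholders; it assumes GigabitEthernet0/0 faces the ISP PE (AS 65000), 192.0.2.0/24 holds the PE-CE links, and a hub-and-spoke (phase 1) overlay.

```cisco
! --- common crypto block (identical on hub and every migrated spoke) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-PSK address 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
! --- HQ hub CE: 192.0.2.1 faces the PE, 10.1.0.0/16 is the HQ LAN ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
! overlay routing process, separate from the BGP session with the PE
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
! underlay: HQ LAN stays in MPLS so unmigrated sites keep reaching it;
! migrated spoke LANs re-enter MPLS here, as if they sat behind the hub
router bgp 65001
 neighbor 192.0.2.2 remote-as 65000
 network 10.1.0.0 mask 255.255.0.0
 redistribute eigrp 100
! --- migrated spoke CE (site 2): 192.0.2.5 faces the PE, LAN 10.2.0.0/16 ---
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp network-id 100
 ip nhrp nhs 172.16.0.1
 ip nhrp map 172.16.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.2.0.0 0.0.255.255
! site LAN is no longer advertised to the PE; from MPLS the spoke accepts
! only PE-CE link prefixes, so an eBGP route (AD 20) for HQ cannot beat the
! EIGRP overlay route (AD 90) and pull traffic back onto the cleartext path
router bgp 65002
 neighbor 192.0.2.6 remote-as 65000
 neighbor 192.0.2.6 prefix-list CE-LINKS in
ip prefix-list CE-LINKS seq 5 permit 192.0.2.0/24 le 30
```

The EIGRP summary default on the hub tunnel is what lets a migrated spoke still reach the unmigrated sites (via the hub and then MPLS, the non-optimal path Giuseppe mentions); in production you would also put a route-map on `redistribute eigrp 100` so that only site LANs, not the 172.16.0.0/24 tunnel subnet, are re-advertised to the PE.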

Koki p
Level 1

Hi All,

I have a similar requirement and am running BGP between CE and PE, and MPLS VPN between PE, P and PE. I need a solution to encrypt the traffic between two CEs.

Please advise here. Thanks in advance!
