I am currently working on a re-design project and I'm looking for some helpful advice or "heads up" information from the guys and girls on here that may have implemented a DMVPN Solution - especially with it not being widely deployed.
Currently, there is a very messy global IP SEC VPN solution which is partial mesh from a few hub sites (15+). The existing solution is built on the Cisco ASA platform with the 5510's as hubs and the 5505's as spoke sites.
My proposal would be to place the new generation 2 of ISR Routers in front of the ASA's and create a front end firewall with the new ISR's also termiating the new dmvpn's, and a back end firewall with the ASA's, in between the two would be a double NAT'd DMZ Zone for Servers. The DMVPN connectivity for all sites would be on the new ISR Routers.
I have considered using GET VPN but my sites are connected over public Networks so this tunneless soultion is out.
Does anybody have any recomendations or advice on this type of solution?
Which of the ISR routers are best for High Avavailability NHRP Servers? Can the NHRP redundant server be at another location? Can this work as Active/Active or do I do the HA using HSRP at one site only?
I'm a bit unsure with how the HA would work with DMVPN.
Any advice no matter how much would be appreciated, my boss has asked me to order two of these ISR routers in the next two days to place in the datacentre and create the DMZ asap!