Global Migration to DMVPN

Unanswered Question
Jul 6th, 2010
User Badges:

Hello All!


I am currently working on a re-design project and I'm looking for some helpful advice or "heads up" information from the guys and girls on here that may have implemented a DMVPN Solution - especially with it not being widely deployed.


Currently, there is a very messy global IP SEC VPN solution which is partial mesh from a few hub sites (15+). The existing solution is built on the Cisco ASA platform with the 5510's as hubs and the 5505's as spoke sites.


My proposal would be to place the new generation 2 of ISR Routers in front of the ASA's and create a front end firewall with the new ISR's also termiating the new dmvpn's, and a back end firewall with the ASA's, in between the two would be a double NAT'd DMZ Zone for Servers. The DMVPN connectivity for all sites would be on the new ISR Routers.


I have considered using GET VPN but my sites are connected over public Networks so this tunneless soultion is out.


Does anybody have any recomendations or advice on this type of solution?


Which of the ISR routers are best for High Avavailability NHRP Servers? Can the NHRP redundant server be at another location? Can this work as Active/Active or do I do the HA using HSRP at one site only?


I'm a bit unsure with how the HA would work with DMVPN.


Any advice no matter how much would be appreciated, my boss has asked me to order two of these ISR routers in the next two days to place in the datacentre and create the DMZ asap!


Many thanks,


ccannon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marcin Latosiewicz Tue, 07/06/2010 - 06:12
User Badges:
  • Cisco Employee,

ccannon,


I would not necessarily agree that DMVPN is not widely deployed.
But that may be just my perception.


The following described some of the design guidelines.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html



Two basic "redundancy" scenarios will be:

- Two hubs in one location

- Two DMVPN clouds (one cloud for each location).


You can mix and match...


It is part of design of DMVPN for the routing protocol + NHRP to do the necessary magic. You can have load balancing/sharing you can have disaster recovery etc.


As far as which ISR routers to choose in the end, you might need to ask a local SE. They will be better places to make those decisions.


Don't take my words for actual recommendations but depending on traffic you might need

7200 + VSA or 3800 + AIM (or successors) for hubs

2800 + AIM for spokes


It will all depend on amount of traffic expected and growth you see possible.


Hope this helps.


Marcin


Regarding GETVPN, no it's not mean for public internet, but yes it's a tunneling solution, but it preserves IP header.

https://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_presentation0900aecd80582031.pdf



Edit: Corrected BAAAAAAD spelling.

Actions

This Discussion