Hi , I am setting up an MPLS network for a customer with over 500 sites. There will be two core data centres and the others spokes/remote sites. Customer does not trust MPLS core and so wants an additional layer of ipsec security.
I have come up with the best solution as been the DMVPN ( Dynamic Multipoint VPN ). However it only supports OSPF and EIGRP and we are running BGP with the ISP at PE level.
DO YOU KNOW OF A WORK AROUND ON HOW DMVPNs can work with BGP.
I think DMVPNs can work with BGP however there are practical limitations to this. For example, if you have 300 spokes all configured in the same AS, they will need seperate peerings with one another. This will require n(n-1)/2 peerings = 44850 seperate TCP sessions configured. Using DMVPN, BGP will not dynamically create TCP sessions between the spokes. You will still need to apply this configuration manually for each spoke. Configuring full mesh peerings between all your spoke routers effectively eliminates the original benefits offered by DMVPN, as the amount of configuration and maintenance required does not make it an scalable option. For this reason, EIGRP is the recommended protocol to be used with DMVPN.
You can run whatever you like over a DMVPN tunnel interface, including BGP. As the previous author mentioned, you may wish to look into scalability issues before making a final decision. There is no reason why you could not run two different routing protocols on your DMVPN network.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...