Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
429
Views
0
Helpful
2
Replies

Large Scale DMVPN with 72xx SLB and 38xx/28xx VPN farm

dbreithaupt
Level 1
Level 1

‎10-01-2005 12:54 PM - edited ‎02-21-2020 02:00 PM

Hello,

does anyone here has experiences with a "Large Scale DMVPN", using i.e. 72xx as load balancers (SLB) and a farm of 38xx/28xx routers as DMVPN-endpoints?

We're currently designing a network capable of holding 1500 to 2000 spokes in an EIGRP-enabled certificate based 'Hub-To-Spoke Large Scale DMVPN'.

We're using C836 routers as spokes with EIGRP and EIGRP STUB enabled. The WAN connection goes over ADSL with ISDN backup. The central HUB farm WAN capacity will be below or around 100 MBit/s.

I'm searching for network pro's, who have some real life experiences about the performance and potential problems with that construct.

I'm very interested in exchanging some thougts and experiences about capacity (no. of spokes, throughput), load distribution (SLB), redundancy (SADB sync?), failover and so on...

Our Cisco Account Team is with us, supporting us with the design, but some additional real life experience would be very appreciated, too. :)

Thank you in advance,

Dennis Breithaupt

Labels:
0 Helpful
2 Replies 2

b.hsu
Level 5
Level 5

‎10-06-2005 10:52 AM

Dynamic Multipoint VPN (DMVPN) enables zero-touch deployment of IPsec networks. DMVPN Spoke-to-Spoke Functionality is an enhancement that enables the secure exchange of data between two branch offices without traversing the head office. This improves network performance by reducing latency and jitter, while optimizing head office bandwidth utilization.

DMVPN can be sold in two versions: DMVPN Hub-to-Spoke or DMVPN Spoke-to-Spoke. The difference between the two is configuration changes required at the hub and spoke.

http://www.cisco.com/application/pdf/en/us/guest/products/ps6658/c1161/cdccont_0900aecd80313ca3.pdf

http://www.cisco.com/application/pdf/en/us/guest/products/ps6658/c1161/cdccont_0900aecd80313c9d.pdf

0 Helpful

dbreithaupt
Level 1
Level 1
In response to b.hsu

‎10-06-2005 07:51 PM

Thanks for your answer.

We already knew that document and even had chosen the design with a 72xx Load Balancer with a farm of 28xx/38xx VPN-endpoints as it was pointed out by that document.

But Cisco told us, that EIGRP would not be able to handle a large network of about 1000+ spokes even distributed over a router farm.

At this time I don't know why that should be the case and the discussion with Cisco is still going on.

I'm even confused more, as Cisco itself tells in the EIGRP whitepaper, that the number of neighbors in an EIGRP AS would only be limited by CPU/memory etc.. (http://www.cisco.com/warp/public/103/eigrp-toc.html) But now there is a limit of 350/700 spokes per DMVPN router on the one side, and another limit of some number smaller than ~1500 EIGRP STUB router in one EIGRP AS at whole, which I've never seen any reference to in any official document :(

That is why I'm searching for netpros already have designed or administrated a (very) large hub-and-spoke VPN in reality and who is maybe willing to share some experiences. :)

Thanks in advance,

Dennis Breithaupt

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents