I want to implement IPSEC among 350 branches. All branches are connected to the head office via point-to-point DXX circuits and radios. I am unable to use DMVPN because it is used in multipoint networks. I made a few changes in the DMVPN configuration and converted it into a dynamic point-to-point VPN, but I am not sure about the authenticity of the configuration. I will attach the configuration and topology diagram; kindly review and reply to me.
I wonder why you want to do this? Any-to-any connectivity is not a good option using DMVPN or, for that matter, with IPSec. DMVPN doesn't need point-to-multipoint links like FR. It is more to do with NHRP and all that, and works over point-to-point links as well. I certainly don't get the DPVPN concept; it looks the same as DMVPN to me. If you can point out the differences between DMVPN and DPVPN wrt to your config, it will be great. I think the best option will be to move to an MPLS-VPN if the service is available.
This is doable. I agree, and it has been done. But IPSec is a point-to-point protocol more suitable for hub-and-spoke scenarios. DMVPN is an enhancement to allow for some traffic to flow between spokes thanks to mGRE and NHRP. However, when the requirement is huge, with significant traffic between spokes, even Cisco doesn't recommend DMVPN, for reasons best known to them. Cisco suggests an 80-20 split (80 to hub and 20 to spokes). Ideally, the best full-mesh VPN, which is what you need I think, is an MPLS-VPN.
Apart from this, using DMVPN will increase your overhead, adding both IPsec and GRE headers to your IP packet, which isn't good as well.
Let me know if it helps. It would be great if somebody else had other thoughts.
I disagree. DMVPN is fully scalable beyond 350 sites with appropriate hardware: 7206VXR NPE-G1 with a SAM2 hw accelerator card, etc.
You can make the multipoint DMVPN network point-to-point between hub and spokes only (no spoke-to-spoke tunnels) by keeping the default EIGRP split-horizon limitation in place (or similar rules for your routing protocol) on the hub's tunnel interface. You can also make the mGRE into standard GRE if you want point-to-point, by dynamic tunnels.
With a solid internet service provider (Qwest, MCI) you can easily get some good QoS working as well. Both of those networks, even on their internet backbones, have very low jitter and excellent ping times. You can use qos pre-classify on the tunnel interfaces, and a service policy on the external interfaces to handle your egress queueing strategy, etc.
Yes, right, it can scale to 375 tunnels with EIGRP, which is not quite far from 350 I would say, if I turned on other features. My contention wasn't with the hardware; it was more to do with the feature itself, designed primarily for p2p communication with a bit of leverage for spoke-2-spoke. It isn't a solution for a full-mesh VPN.