Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Dynamic Point-To-Point VPN

I want to implement IPSEC among 350 branches, all branches are connected to head office via point-to-point DXX circuits and radio's, i am unable to use DMVPN because it is use in multipoint netwroks. I made few changes in DMVPN configurations and convert it into dynamic point-to-point VPN, but i am not sure about the athenticity of configuration, i will attach configuration and topology diagram kindly review and reply me.

8 REPLIES
Silver

Re: Dynamic Point-To-Point VPN

Wonder why you want to do this ? Any-to-any connectivity is not a good option using DMVPN or for that matter with IPSec. DMVPN doesnt need point-to-multipoint links like FR. It is more to do with NHRP and all that and works over point-to-point links as well. I certainly dont get the DPVPN concept, it looks the same as DMVPN to me. If you can point out the differences between DMVPN and DPVPN wrt to your config, it will be great. I think the best option will be to move to a MPLS-VPN if the service is available.

Let me know if iam off the mark

New Member

Re: Dynamic Point-To-Point VPN

If this is not a good option then what will i do? define 350 peers for each and every router in 350 branches??? define 350 line acl?

In DMVPN all remote branches will registerd with same physical interface interface of hub router, but in this topology i dont have a same single interface for all routers.

Silver

Re: Dynamic Point-To-Point VPN

Ok are all the spokes through the same provider. Then you can setup tunnels through a logical interface. doesnt have to be a physical interface.

And I still stand by what i said, for any-to-any connection, IPSec itself is bad (forget DMVPN) because it is cumbersome.

New Member

Re: Dynamic Point-To-Point VPN

Please check my attach file, i already do this.

Why IPSec is bad?? due to overhead?

Silver

Re: Dynamic Point-To-Point VPN

This is doable. I agree and has been done. But IPSec is a point-to-point protocol more suitable for hub and spoke scenarios. DMVPN is an enhancement to allow for some traffic to flow between spokes thanks to mGRE and NHRP. However, when the requirement is huge with significant traffic between spokes, even Cisco doesnt recommend DMVPN for reasons best known to them. Cisco suggests 80-20 split (80 to hub and 20 to spokes). Ideally, the best full mesh vpn which is what u need i think is an MPLS-VPN.

Apart from this using DMVPN will increase your overhead , adding both IPsec and GRE headers to your IP packet which isnt good as well.

Let me know if it helps. I would be great if somebody else had other thoughts.

New Member

Re: Dynamic Point-To-Point VPN

We are using DXX/E1 circuits so bandwidth is not an issue, but i am looking into CET because it has less overhead then IPSec

New Member

Re: Dynamic Point-To-Point VPN

I disagree. DMVPN is fully scalable beyond 350 sites with appropriate hardware 7206vxr npeg1, with sam2 hw accelerator card, etc.

You can make the multipoint dmvpn network, point to point between hub and spokes only (no spoke to spoke tunnels) by keeping the default eigrp split horizon limitation in place (or similar rules for your routing protocol) on the hub's tunnel interface. You can also make the mgre into standard gre if you want point to point, by dynamic tunnels.

with a solid internet service provider (qwest, mci) you can easily get some good qos working as well. both of those networks even on their internet backbones have very low jitter, and excellent ping times.. you can use qos pre-classify on the tunnel interfaces, and a service policy on the external interfaces to handle your egress queueing strategy, etc.

Silver

Re: Dynamic Point-To-Point VPN

Yes right it can scale to 375 tunnels with EIGRP which is not quite far from 350 i would say if i turned on other features. My contention wasnt with the hardware it was more to do with the feature itself deisgned primarily for p2p communication with a bit of leverage for spoke-2-spoke. It isnt a solution for a full mesh VPN.

This is a very useful link. May just help you.

http://www.cisco.com/application/pdf/en/us/guest/products/ps6658/c1161/cdccont_0900aecd80313ca3.pdf

http://www.cisco.com/en/US/products/ps6658/products_ios_protocol_option_home.html

203
Views
0
Helpful
8
Replies