Cisco Support Community

GET VPN Design

Hi all, can anyone provide some feedback on the following points? It would be greatly appreciated, thanks.

Is GET VPN a better choice than DMVPN in order to support VoIP, Video over IP, Advanced QoS and Multicast? I think it should be the better choice based on what is described as the benefits and how it works, but I just want an expert opinion.

Can separate groups be created using the same key servers? I need to protect two functionally separate WAN segments that terminate on the same DC core routers. However, I want the separate WAN segments to have different encryption policies. Is this possible?

It is stated in the deployment guide for GET VPN that "Network Address Translation (NAT) is not supported by GETVPN. NAT must be performed before encryption or after decryption when GET is used." However, the NAT capability is required on all the routers. Can anyone offer any real-world advice on this and why it will not work?

The 2900 series routers have embedded hardware encryption, but according to the router performance guide, with a mix of traffic such as NAT, QoS and IPSec VPN they are unable to provide 100 Mbps of throughput. Does anyone know if the new ISM VPN modules would allow the routers to achieve 100 Mbps of throughput with the services mentioned above?

I know it's a lot to ask but it would be really appreciated, thanks.

  • VPN
5 REPLIES
Cisco Employee

GET VPN Design

Hi,

DMVPN and GET are targeted for different deployments.

DMVPN is mostly meant for the Internet, while GET is for MPLS VPN, etc.

Since GET is in fact not creating tunnels, it has a bit more flexibility compared to DMVPN in some of the aspects you mention.

A GM can have multiple groups configured and one KS can serve multiple groups (the major differentiator is the "identity").

I believe this was and still is a restriction - you cannot have a GM behind NAT. Almost all other aspects of NAT + VPN should be OK. Was that what you meant?

2900 + ISM - IMIX traffic performance ranges from ~150 Mbit to almost 400 Mbit, according to the datasheet.

Typically the gain compared to the onboard engine is around 3x.

Feel free to check this with your SE; I saw a very early result set.

Marcin
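
The multi-group point in the reply above, sketched as an added IOS configuration example (not part of the original post and not taken from Cisco documentation): one key server carries two GDOI groups, each with its own identity number and IPsec policy, and a group member joins only the group for its WAN segment. All group names, identity numbers, ACL names, prefixes, addresses and the key label are hypothetical, and an ISAKMP policy plus an RSA key pair labelled GETVPN-REKEY are assumed to exist already.

```cisco
! Added example: hypothetical names, numbers and addresses throughout.
! Key server (KS): two GDOI groups, each with its own identity and IPsec policy.
crypto ipsec transform-set TS-WAN-A esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS-WAN-B esp-aes esp-sha-hmac
!
crypto ipsec profile PROF-WAN-A
 set security-association lifetime seconds 3600
 set transform-set TS-WAN-A
crypto ipsec profile PROF-WAN-B
 set security-association lifetime seconds 7200
 set transform-set TS-WAN-B
!
! Traffic each group protects (constructed prefixes)
ip access-list extended ACL-WAN-A
 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
ip access-list extended ACL-WAN-B
 permit ip 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto gdoi group GETVPN-WAN-A
 identity number 1001
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile PROF-WAN-A
   match address ipv4 ACL-WAN-A
  address ipv4 192.0.2.1
!
crypto gdoi group GETVPN-WAN-B
 identity number 1002
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile PROF-WAN-B
   match address ipv4 ACL-WAN-B
  address ipv4 192.0.2.1
!
! Group member (GM) on WAN segment A: registers with identity 1001 only
crypto gdoi group GETVPN-WAN-A
 identity number 1001
 server address ipv4 192.0.2.1
crypto map CM-WAN-A 10 gdoi
 set group GETVPN-WAN-A
interface GigabitEthernet0/0
 crypto map CM-WAN-A
```

On the key server, `show crypto gdoi ks members` lists which members registered to which group, which is a quick check that a segment-A router did not pick up the segment-B policy.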

GET VPN Design

Hi Marcin, thanks for the information.

In the design guide for DMVPN spoke to spoke has limited QoS and seems to only support RIPv2 and EIGRP, however I am currently running OSPF so it seems GET VPN will be a better fit.

As long as I can create different groups with different encryption policies then it will be OK.

In regards to the NAT if I am able to configure static NAT or static PAT on the GM router itself then I should be fine however you are saying that the GM itself cannot sit behind a NAT device?

I have seen the data sheets I just wanted some confirmation but I will try my SE again, hopefully I can get some feedback this time. Thanks again!

Cisco Employee

Re: GET VPN Design

In the design guide for DMVPN spoke to spoke has limited QoS and seems to only support RIPv2 and EIGRP, however I am currently running OSPF so it seems GET VPN will be a better fit.

Can you share the source? I'm not sure I get all the implications :-)

In all our crypto implementations NAT is done before encryption and after decryption; I'm not aware of GDOI being any different. Please take care that GDOI talks with non-NATed IPs.

Edit: Just to add to QoS for DMVPN; Since we have one multipoint interface we cannot differentiate different spokes easily (unless we use NHRP - in case of per-tunnel QoS). Upcoming implementations will allow a lot more flexibility in this regard, for more news, wait till Cisco Live :-)

Re: GET VPN Design

Thanks I will look out for that. I have been using the following source and I have been looking at the best practices and known limitations section.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html

I hope it's not old. I have an idea but I am going to check to see the specific NAT requirements to ensure it will work.

Cisco Employee

Re: GET VPN Design

I can't find and I'm not aware of limitations of QoS with DMVPN in regards to routing protocol used.

Granted that my QoS knowledge might not be up to date, but QoS + QoS preclassify + maybe per-tunnel QoS (http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_per_tunnel_qos.html) are not dependent on RP (that I'm aware of).

I would say before rolling out even a pilot have a long discussion with your SE.

We're going to release something that's going to address most of your needs early next year, can't say more ;-)

M.
