I have a current customer network of 3660 VPN routers at the head end with numerous (30 or so) 1800 and 2600 spokes. This uses pre-shared keys. The only traffic is spoke to hub; there is no requirement for spoke to spoke. All spokes have static IP addresses. This solution works great and has been running well for three years. However, the customer requires more encryption throughput. The network is to change to a 6500 with VPN module in the core and 3845 VPN routers as the spokes (a few 7200s with VAM2+ as well).
I have been reading CCO pages about certificates and DMVPN. This looks like a great potential solution, though I have never configured this before. However, I think I may be making the solution overly complex for only 30 routers in this simple scenario. What would you guys recommend here? Anyone done this with fewer routers? Any certificates would have to be done on the 6500 IOS CA system. Any comments on this as a CA solution?
I have a week's "play" time with this in a pre-staging lab before it goes live.
I should add that 20 of the 30 sites are very small sites of five or so users but five sites (with the 7200) have 500 users. If not DMVPN I was perhaps thinking of static IPSec maps to the main sites and EZVPN to the small ones.
IMHO, the power of DMVPN is realized until you have at least 50+ sites and require spoke-to-spoke communication. You'd probably be better off with static crypto maps. As far as PSK vs. Digital Certs, obviously Digital Certs are more secure. It just becomes a question about manageability. PSK would be fine as well.