Brksec-8614 - Dmvpn - 15 Mins

Dynamic Multipoint VPN (DMVPN)Design and Positioning

Mike Sullenberger

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 2

Thank You for Joining Us Today

The Live Ask the Expert Event Will Begin at 10:00 am Pacific Time



To submit a question just type your question below the slides and click submit

To see the questions with answers please click on the Refresh Q&A button below the slide window and use F11 to remove toolbars and enable a full screen view

If you can hear the music, your Flash player has been installed correctly

If you cannot hear the music now, please download the latest version of Flash available in the Help section and reload the webcast console

If you still cannot hear the music, please contact [email protected]

Before We Begin

mailto:[email protected]



Today’s presentation will include audience polling questions

We encourage you to participate!

4



If you would like a copy of the presentation slides, click the ―Download Presentation‖ button below the slide window

Downloading the Presentation


Cisco Support Community—Ask the Expert

Today’s featured expert isMike Sullenberger

Ask him questions nowabout DMVPN design

Mike Sullenberger

Distinguished Engineer, Cisco


Please Note

To submit a question just type your question below the slides and click submit

To see the questions with answers please click on the Refresh Q&A button below the slide window and use F11 to remove toolbars and enable a full screen view

This event is fully streamed; the audio is heard via your Flash media player

You can download today’s presentation by clicking on the ―Download Presentation‖ button below this slide window

To take part in the polls, please disable your pop-up blockers during the event so you may see and answer the questions

Dynamic Multipoint VPN (DMVPN)Design and Positioning


Cisco Support Community—Ask the Expert

Today’s featured expert isMike Sullenberger

Ask him questions nowabout DMVPN design

Mike Sullenberger

Distinguished Engineer, Cisco


Submit Your Questions Now

Use the Submit Text box Below the SlideWindow; View Answers by Clickingon the ―Refresh‖ Button


Polling Question 1

What type of IPSec VPN network have you recently worked on, designed or wanted to design?

A. EzVPN

B. DMVPN

C. GETVPN

D. Not sure which to use


Polling 1 Result


Agenda

Cisco IPsec VPN Technologies

What is DMVPN?

Scaling DMVPN

DMVPN network topologies


IPSec VPN Technology Positioning

Enhanced Easy VPN DMVPN Get VPN

Encryption Style Peer-to-Peer Protection Peer-to-Peer Protection Group Protection

Network StyleHub-Spoke

(Client-to-Site)

Hub-Spoke and Dynamic

Mesh Site-to-Site

Any-to-Any (Full-Mesh)

Site-to-Site

Infrastructure

Network

Public, Internet

IP Transport

Public, Internet

IP TransportPrivate IP Transport

ScalingLarge Scale

(10,000+)

Large Scale

(10,000+, 3000+)

Medium Scale

(3000–4000)

Where to UseReplace, Alternate,

Backup for Traditional

FR/ATM WAN

Replace, Alternate,

Backup for Private/

Public WAN

Encryption for MPLS

and Private WAN


IPSec VPN Technology Positioning (Cont.)

Enhanced Easy VPN DMVPN Get VPN

Routing Reverse-Route InjectionDynamic Routing on

Tunnel Network

Dynamic Routing on

IP WAN

Failover Redundancy N/AActive-Active and Load-

Balancing via Routing

Route Distribution Model

+ Stateful

Configuration CentralizedDistributed Dynamic

Tunnels

Centralized Key

(Group) Management

QoS Per PeerAggregate

(Per-Tunnel HubSpoke)

Same as Without

Encryption

IP MulticastMulticast Replication

at Hub

Multicast Replication

at Hub

Multicast Replication

in IP WAN Network


What Is Dynamic Multipoint VPN?

DMVPN is a Cisco IOS® software solution for building IPSec+GRE VPNs in an easy, dynamic and scalable manner

Relies on two proven technologies

Next Hop Resolution Protocol (NHRP)

Creates a distributed mapping database of VPN (tunnel interface) to real (public interface) addresses

Multipoint GRE Tunnel Interface

Single GRE interface to support multiple GRE/IPSec tunnels and endpoints

Simplifies size and complexity of configuration

Supports dynamic tunnel creation


DMVPN: Major Features

Configuration reduction and no-touch deployment

Supports:IP unicast, IP multicast and dynamic Routing Protocols

Remote peers with dynamically assigned addresses

Spoke routers behind dynamic NAT and hub routers behind static NAT

Dynamic spoke-spoke tunnels for scaling partial/full mesh VPNs

Can be used without IPSec Encryption

Works with MPLS; GRE tunnels and/or data packets in VRFs and MPLS switching over the tunnels

QoS—Aggregate; Static/Manual per-tunnel

Transparent to most data packet level features

Wide variety of network designs and options


DMVPN Phases

Phase1Hub-and-spoke only functionality

Supported from 12.3(8), 12.3(7)T, ASR Release 3

Supported on all platforms*

Phase 2Dynamic Spoke-spoke functionality

Supported from 12.3(8), 12.3(7)T, ASR Release 3

Supported on all platforms*

Phase 3Dynamic spoke-spoke functionality

Removes some restrictions and complexities of Phase 2

Allows greater variety of DMVPN network designs

Supported from 12.4(6)T, ASR Release 5

Supported on all platforms* except Cat6500 *ISR,(/G2), 7200(/G2), 7300, Cat6500, ASR1K


Hub Placement

Data plane aggregation point—Enterprise

Usually place for data traffic patterns

May be in multiple locations

Example: Data Center

Exception—Hierarchical DMVPN (Phase 3)

Reduce control plane load on Central Hub

Spoke-spoke tunnel from spoke to Central Hub

Control plane aggregation point—ISP

Control point in ISP network

Data plane traffic uses spoke-spoke

Can statically ―nail up‖ some spoke-spoke tunnels

Mix and Match—Overlapping DMVPN networks


Scaling DMVPN nodes

Hub

1. Number of Routing protocol neighbors

Depends on the routing protocol

Trade-off between number of neighbors and convergence time

2. Encryption throughput

Spoke-hub traffic

Some spoke-spoke traffic

Multicast traffic

Replication on hub Multiplication factor

256 Kbps Stream 200 spokes = 51.2 Mbps

Spoke

Encryption throughput

Spoke-hub and spoke-spoke traffic


Polling Question 2

What is your preferred routing protocol to use over DMVPN?

A. EIGRP

B. OSPF

C. RIP/RIP Passive

D. iBGP or eBGP

E. Not sure which to use


Polling 2 Result


Routing Protocol based on Scalability

Passive with IP SLA: 7200/6500/3945e

500 2000+1000 1500

EIGRP

RIPv2

SLB design using EIGRP or RIPv2 Passive

OSPF

7200/6500/3945e

BGP using Route Reflector router farm

Number of Branches

ASRBGP 7200/6500/3945e

ASR7200/6500/3945e

ASR7200/6500/3945e

ODR

**Dynamic IPsec currently limited to 1000 peers

Preferred

Preferred

Preferred


Scale preferred Routing Protocol

500 2000+1000 1500

BGP

Each DMPVN hub can terminatethis many peers

Use BGP route reflector model –BGP processing is off loaded to one or more route reflectors behind Hub and Hub is a route reflector client

Use SLB design to scale Routing Protocol using N hubs

Deploy N DMVPN clouds to scale single cloud N timesUse Hierarchical DMVPN designUse SLB design to scale RP using N number of hubs

Number of Branches

ASR1000Each DMVPN hub can terminatethis many peers

ASR10006500Each DMVPN hub can terminate

this many peers

Preferred

7200

7200/6500 (Passive RIP/IP SLA)

7200/6500

RIPv2

EIGRP


Select Platform and Encryption Module

500 M 2.0 G1.0 G 1.5 G

IMIX Throughput

70% Max CPU7200/G2 VAM2+

7200 G2/VSA

SLB Design – Crypto and MGREterminated on same device.Throughput N x Hub Platform

Multi-Tier Design – Crypto terminated on 6500/SPA and mGRE terminated on 7200 (Ph1 or Ph3)

6500 with IPsec SPA as crypto headend or spoke device (DMVPN Ph1 or Ph2)

ASR

Not recommended without AS support

Throughput depends on number of hub platforms

3945e


Polling Question 3

For what type of business do you need a DMVPN design?

A. Small/Medium Business

B. Large Business

C. Home Office—Work Access

D. Franchise/Point-of-Sale/ATM

E. Extranet

F. ISP


Polling 3 Result


Basic Network Designs

Hub-and-Spoke—Order(n) Phase 1: Hub bandwidth and CPU limit VPN

SLB: Many ―identical‖ hubs increase CPU power

All traffic via hub

Dynamic Spoke-to-Spoke—Order(n) « Order(n2) (full-mesh)Phase 2: Single Hub-and-Spoke layer

Phase 3: Hierarchical Hub-and-Spoke layers

Control and Multicast traffic—Hub-spoke; Hub-hub

Unicast Data traffic—Dynamic meshSpoke supports spoke-hub and spoke-spoke traffic

Hub supports spoke-hub and some spoke-spoke traffic.

Network VirtualizationVRF-lite: DMVPN per VRF

2547oDMVPN: MPLS (VPNs) over Single DMVPN


Network Designs

Hub and spoke

(Phase 1)

Spoke-to-spoke

(Phase 2)

Server Load Balancing

(Phase 1 or Phase 3)Hierarchical (Phase 3)

Spoke-to-hub tunnels

Spoke-to-spoke tunnels

2547oDMVPN tunnels

VRF-lite

2547oDMVPN


Network Designs: Business Design

Small/Medium BusinessDMVPN Phase 3 single layer design

Dial backup and VRF for non-split-tunneling

Up to 1000 spokes, with dynamic spoke-spoke tunnels

Large BusinessDMVPN Phase 3 hierarchical layer design

Dial backup, multiple ISP connections, VRF for non-split-tunneling and group separation

1000-2000 spokes, with dynamic spoke-spoke tunnels

Home Office—Work AccessCVO (Cisco Virtual Office) designs

DMVPN Phase 3 single layer or SMB design, zero touch deployment

1000s of spokes


Network Designs: Business Design (Cont.)

Franchise/Point-of-Sale/ATMServer Load Balancing (SLB) designs—Super Hub

No spoke-spoke (could enable spoke-spoke)

4000–20,000+ spokes

ExtranetDMVPN Phase 1 hub-and-spoke design

No spoke-spoke not even via the hub (using ACLs)

Probably <1000 spokes

ISPDMVPN Phase 3 or SLB designs, MPLS (2547oDMVPN), VRFs

Hub-and-spoke and spoke-spoke networks

Different size networks (number of spokes), but also supporting many DMVPN networks on the same set of hub routers


Recommended Releases

17xx, 26xx, 36xx, 37xx, 720x(NPE-G1), 7301:

IOS 12.4 Mainline: 12.4(23)b, 12.4(25)bIOS 12.4 T-train: 12.4(9)T7,12.4(15)T14, 12.4(24)T4

87x, 18xx, 28xx, 38xx:

IOS 12.4 Mainline: 12.4(23)b, 12.4(25)bIOS 12.4 T-train: 12.4(9)T7, 12.4(15)T14, 124(24)T4

19xx, 29xx, 39xx:

IOS 15.0 Mainline: 15.0(1)M3IOS 15.1 T-train: 15.1(2)T1

720x(NPE-G2+VSA): IOS 12.4 T-train:

IOS 12.4 T-train: 12.4(15)T14 , 12.4(24)T4

ASR- DMVPN Hub or Spoke

Phase 2: Release 3+ (02.04.04.122-33.XND4)Phase 3: Release 5+ (02.05.02.122-33.XNE2,

02.06.02.122-33.XNF2)

6500/7600 with VPN-SPA

Sup720 (7600): 12.2(18)SXF17a, 12.2(33)SRC6

Sup720 (6500): 12.2(18)SXF17a,12.2(33)SXH7, 12.2(33)SXI3

(TCP adjust mss command supported)

Caveat: Phase 3 and Multicast not supported;OSPF routing protocol scaling.


Resources

Web pages

http://www.cisco.com/go/dmvpn

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

http://www.cisco.com/go/dmvpn




We Appreciate Your Feedback!

The first 10 listeners

who fill out an Evaluation

will receive a free:

$20 USD

Amazon Gift Certificate

To complete the evaluation, please click on Evaluation

button under the slides.


Q&A

Post Questions on Our Forum Here:

https://supportforums.cisco.com/community/netpro/ask-the-expert

Join us for our next Ask The Expert webinar!

Topic: Cisco Nexus 5000 & 2000 Series: Configuration & Troubleshooting

October 7th, 10am PT

Register at:

http://www.ciscolive.com/ate

Cisco Live and Networkers Virtual Premier Pass: Full Access for $395 USD or 5 Cisco Learning Credits

In addition to the benefits of the above pass the Premier pass will give you a wider array of technical programming including hundreds of technical sessions in the Session Catalog. Register today for your Cisco Live and Networkers Virtual Premier pass and start experiencing the power of knowledge for yourself.

Cisco Live and Networkers Virtual "A La Carte" Pass:Purchase individual sessions for $45 USD

In addition to the benefits of the free pass, you can purchase individual sessions selected from the hundreds of technical sessions available in the Session Catalog. Register and start experiencing the power of knowledge for yourself.

https://www.ciscolivevirtual.com/portal/registration/CLVFULLACC






https://www.ciscolivevirtual.com/portal/registration/CNLVALACARTE




Thank You for Your Time

Please Take a Moment to Complete the Evaluation

Documents

Brksec-8614 - Dmvpn - 15 Mins