Dynamic Multipoint VPN (DMVPN): Design and Positioning
Mike Sullenberger
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 2
Cisco Support Community—Ask the Expert
Today's featured expert is Mike Sullenberger
Ask him questions now about DMVPN design
Mike Sullenberger
Distinguished Engineer, Cisco
Polling Question 1
What type of IPSec VPN network have you recently worked on, designed or wanted to design?
A. EzVPN
B. DMVPN
C. GETVPN
D. Not sure which to use
Agenda
Cisco IPsec VPN Technologies
What is DMVPN?
Scaling DMVPN
DMVPN network topologies
IPSec VPN Technology Positioning

|                        | Enhanced Easy VPN                                     | DMVPN                                                 | Get VPN                             |
| Encryption Style       | Peer-to-Peer Protection                               | Peer-to-Peer Protection                               | Group Protection                    |
| Network Style          | Hub-Spoke (Client-to-Site)                            | Hub-Spoke and Dynamic Mesh Site-to-Site               | Any-to-Any (Full-Mesh) Site-to-Site |
| Infrastructure Network | Public, Internet IP Transport                         | Public, Internet IP Transport                         | Private IP Transport                |
| Scaling                | Large Scale (10,000+)                                 | Large Scale (10,000+, 3000+)                          | Medium Scale (3000–4000)            |
| Where to Use           | Replace, Alternate, Backup for Traditional FR/ATM WAN | Replace, Alternate, Backup for Private/Public WAN     | Encryption for MPLS and Private WAN |
IPSec VPN Technology Positioning (Cont.)

|                     | Enhanced Easy VPN            | DMVPN                                         | Get VPN                                   |
| Routing             | Reverse-Route Injection      | Dynamic Routing on Tunnel Network             | Dynamic Routing on IP WAN                 |
| Failover Redundancy | N/A                          | Active-Active and Load-Balancing via Routing  | Route Distribution Model + Stateful       |
| Configuration       | Centralized                  | Distributed Dynamic Tunnels                   | Centralized Key (Group) Management        |
| QoS                 | Per Peer                     | Aggregate (Per-Tunnel Hub-to-Spoke)           | Same as Without Encryption                |
| IP Multicast        | Multicast Replication at Hub | Multicast Replication at Hub                  | Multicast Replication in IP WAN Network   |
What Is Dynamic Multipoint VPN?
DMVPN is a Cisco IOS® software solution for building IPSec+GRE VPNs in an easy, dynamic and scalable manner
Relies on two proven technologies
Next Hop Resolution Protocol (NHRP)
Creates a distributed mapping database of VPN (tunnel interface) to real (public interface) addresses
Multipoint GRE Tunnel Interface
Single GRE interface to support multiple GRE/IPSec tunnels and endpoints
Simplifies size and complexity of configuration
Supports dynamic tunnel creation
DMVPN: Major Features
Configuration reduction and no-touch deployment
Supports: IP unicast, IP multicast and dynamic routing protocols
Remote peers with dynamically assigned addresses
Spoke routers behind dynamic NAT and hub routers behind static NAT
Dynamic spoke-spoke tunnels for scaling partial/full mesh VPNs
Can be used without IPSec Encryption
Works with MPLS; GRE tunnels and/or data packets in VRFs and MPLS switching over the tunnels
QoS—Aggregate; Static/Manual per-tunnel
Transparent to most data packet level features
Wide variety of network designs and options
DMVPN Phases
Phase 1: Hub-and-spoke only functionality
  Supported from 12.3(8), 12.3(7)T, ASR Release 3
  Supported on all platforms*
Phase 2: Dynamic spoke-spoke functionality
  Supported from 12.3(8), 12.3(7)T, ASR Release 3
  Supported on all platforms*
Phase 3: Dynamic spoke-spoke functionality
  Removes some restrictions and complexities of Phase 2
  Allows greater variety of DMVPN network designs
  Supported from 12.4(6)T, ASR Release 5
  Supported on all platforms* except Cat6500
* ISR (/G2), 7200 (/G2), 7300, Cat6500, ASR1K
Hub Placement
Data plane aggregation point—Enterprise
  Usually placed according to data traffic patterns
  May be in multiple locations
  Example: Data Center
  Exception—Hierarchical DMVPN (Phase 3)
    Reduces control plane load on the Central Hub
    Spoke-spoke tunnel from spoke to Central Hub
Control plane aggregation point—ISP
  Control point in ISP network
  Data plane traffic uses spoke-spoke tunnels
  Can statically "nail up" some spoke-spoke tunnels
Mix and Match—Overlapping DMVPN networks
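An added illustration (not from the deck) of the hierarchical Phase 3 placement above: a regional hub that registers with the central hub as its next-hop server while acting as next-hop server for its own spokes, all within one DMVPN cloud (same network-id, tunnel key and overlay subnet). Spoke resolution requests are forwarded along the NHS chain, so the central hub sees one summary route per region rather than one neighbor per spoke. The IPsec profile, addresses and interface names are constructed placeholders.

```ios
! Constructed example: regional hub in a hierarchical Phase 3 DMVPN.
! Central hub is NBMA 192.0.2.1 / tunnel 10.0.0.1; this regional hub is
! tunnel 10.0.0.2 and its spokes register with it, not with the central hub.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 100
! Next-hop client toward the central hub
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.0.0.1
! Next-hop server for the regional spokes (dynamic registrations)
 ip nhrp map multicast dynamic
! redirect: tell spokes that traffic relayed through this hub can take a
! shortcut; shortcut: let this hub itself build direct tunnels to other regions
 ip nhrp redirect
 ip nhrp shortcut
 no ip split-horizon eigrp 1
! Advertise the region as one summary so the central hub carries one route
! per region instead of one per spoke (this is what cuts its control-plane load)
 ip summary-address eigrp 1 10.2.0.0 255.255.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```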
Scaling DMVPN nodes
Hub
  1. Number of routing protocol neighbors
    Depends on the routing protocol
    Trade-off between number of neighbors and convergence time
  2. Encryption throughput
    Spoke-hub traffic
    Some spoke-spoke traffic
    Multicast traffic: replication on the hub is a multiplication factor
      256 Kbps stream × 200 spokes = 51.2 Mbps
Spoke
  Encryption throughput
    Spoke-hub and spoke-spoke traffic
Polling Question 2
What is your preferred routing protocol to use over DMVPN?
A. EIGRP
B. OSPF
C. RIP/RIP Passive
D. iBGP or eBGP
E. Not sure which to use
Routing Protocol based on Scalability
[Chart: routing protocol choice versus number of branches (500, 1000, 1500, 2000+), with the hub platform per band (7200/6500/3945e or ASR). Protocols shown: ODR; RIPv2; EIGRP; OSPF; SLB design using EIGRP or RIPv2 Passive; Passive with IP SLA (7200/6500/3945e); BGP using a Route Reflector router farm. Three options are marked "Preferred" in the chart.]
** Dynamic IPsec currently limited to 1000 peers
Scale preferred Routing Protocol
[Chart: preferred routing protocol (RIPv2, EIGRP, BGP) versus number of branches (500, 1000, 1500, 2000+), annotated with the hub platform that can terminate that many peers: 7200; 7200/6500; 7200/6500 (Passive RIP/IP SLA); 6500; ASR1000.]
Each DMVPN hub can terminate this many peers
BGP: use the BGP route reflector model. BGP processing is offloaded to one or more route reflectors behind the hub, and the hub is a route reflector client.
Use the SLB design to scale the routing protocol using N hubs
Deploy N DMVPN clouds to scale a single cloud N times
Use the Hierarchical DMVPN design
Select Platform and Encryption Module
[Chart: IMIX throughput at 70% max CPU (500 M, 1.0 G, 1.5 G, 2.0 G) per platform: 7200/G2 VAM2+, 7200 G2/VSA, 3945e, 6500 with IPsec SPA, ASR.]
SLB Design: crypto and mGRE terminated on the same device; throughput is N × hub platform
Multi-Tier Design: crypto terminated on 6500/SPA and mGRE terminated on 7200 (Ph1 or Ph3)
6500 with IPsec SPA as crypto headend or spoke device (DMVPN Ph1 or Ph2)
ASR
Not recommended without AS support
Throughput depends on number of hub platforms
Polling Question 3
For what type of business do you need a DMVPN design?
A. Small/Medium Business
B. Large Business
C. Home Office—Work Access
D. Franchise/Point-of-Sale/ATM
E. Extranet
F. ISP
Basic Network Designs
Hub-and-Spoke—Order(n)
  Phase 1: Hub bandwidth and CPU limit the VPN
  SLB: Many "identical" hubs increase CPU power
  All traffic via hub
Dynamic Spoke-to-Spoke—Order(n) « Order(n²) (full-mesh)
  Phase 2: Single Hub-and-Spoke layer
  Phase 3: Hierarchical Hub-and-Spoke layers
  Control and Multicast traffic—Hub-spoke; Hub-hub
  Unicast Data traffic—Dynamic mesh
    Spoke supports spoke-hub and spoke-spoke traffic
    Hub supports spoke-hub and some spoke-spoke traffic
Network Virtualization
  VRF-lite: DMVPN per VRF
  2547oDMVPN: MPLS (VPNs) over a single DMVPN
Network Designs
[Diagram: four topologies: Hub and spoke (Phase 1); Spoke-to-spoke (Phase 2); Server Load Balancing (Phase 1 or Phase 3); Hierarchical (Phase 3). Legend: spoke-to-hub tunnels, spoke-to-spoke tunnels, 2547oDMVPN tunnels; VRF-lite and 2547oDMVPN variants.]
Network Designs: Business Design
Small/Medium Business: DMVPN Phase 3 single layer design
  Dial backup and VRF for non-split-tunneling
  Up to 1000 spokes, with dynamic spoke-spoke tunnels
Large Business: DMVPN Phase 3 hierarchical layer design
  Dial backup, multiple ISP connections, VRF for non-split-tunneling and group separation
  1000–2000 spokes, with dynamic spoke-spoke tunnels
Home Office—Work Access: CVO (Cisco Virtual Office) designs
  DMVPN Phase 3 single layer or SMB design, zero touch deployment
  1000s of spokes
Network Designs: Business Design (Cont.)
Franchise/Point-of-Sale/ATM: Server Load Balancing (SLB) designs—Super Hub
  No spoke-spoke (could enable spoke-spoke)
  4000–20,000+ spokes
Extranet: DMVPN Phase 1 hub-and-spoke design
  No spoke-spoke, not even via the hub (enforced using ACLs)
  Probably <1000 spokes
ISP: DMVPN Phase 3 or SLB designs, MPLS (2547oDMVPN), VRFs
  Hub-and-spoke and spoke-spoke networks
  Different size networks (number of spokes), but also supporting many DMVPN networks on the same set of hub routers
Recommended Releases
17xx, 26xx, 36xx, 37xx, 720x (NPE-G1), 7301:
  IOS 12.4 Mainline: 12.4(23)b, 12.4(25)b
  IOS 12.4 T-train: 12.4(9)T7, 12.4(15)T14, 12.4(24)T4
87x, 18xx, 28xx, 38xx:
  IOS 12.4 Mainline: 12.4(23)b, 12.4(25)b
  IOS 12.4 T-train: 12.4(9)T7, 12.4(15)T14, 12.4(24)T4
19xx, 29xx, 39xx:
  IOS 15.0 Mainline: 15.0(1)M3
  IOS 15.1 T-train: 15.1(2)T1
720x (NPE-G2+VSA):
  IOS 12.4 T-train: 12.4(15)T14, 12.4(24)T4
ASR, DMVPN Hub or Spoke:
  Phase 2: Release 3+ (02.04.04.122-33.XND4)
  Phase 3: Release 5+ (02.05.02.122-33.XNE2, 02.06.02.122-33.XNF2)
6500/7600 with VPN-SPA:
  Sup720 (7600): 12.2(18)SXF17a, 12.2(33)SRC6
  Sup720 (6500): 12.2(18)SXF17a, 12.2(33)SXH7, 12.2(33)SXI3
  (TCP adjust-mss command supported)
  Caveat: Phase 3 and Multicast not supported; OSPF routing protocol scaling.
Resources
Web pages
http://www.cisco.com/go/dmvpn
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml
Q&A
Post Questions on Our Forum Here:
https://supportforums.cisco.com/community/netpro/ask-the-expert