Hi Dennis,
Cisco featured DMVPN in their ASK THE EXPERT Series late July and early August 2005:
Welcome to the Cisco Networking Professionals Ask the Expert conversation.
This is an opportunity to learn with Cisco expert Haseeb Niazi how to deploy dynamic multipoint VPN solutions using multipoint GRE (mGRE) and next hop resolution protocol (NHRP) with IPSec to enable zero-touch deployment of large scale VPN networks.
Haseeb Niazi is a solutions engineer at Cisco Systems Inc. with over five years of experience with network based security services. He holds a masters degree in electrical engineering. He has presented to both internal and external audiences at various conferences and has represented Cisco in a number of customer events.
His current focus is on testing scaling and performance of large scale network based security services.
formatting link
?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd8eec9
-------------------------------------------------
You may find this exchange of interest.
Replied by: gkleffner - Aug 5, 2005, 6:38am PST
What are the current recommendations for the number of spokes that a hub router can support? Specifically for EIGRP. Will scaling be addressed in future versions of IOS? Also, how can priority queuing be applied to a tunnel interface? It doesn't appear to be supported.
Replied by: jimmy-dotson - CCIE - Aug 5, 2005, 7:13am PST
Spokes (the number of supported tunnels, anyway) are platform dependent, I'm pretty sure. We use 7200s with the original VAM, which according to our local Cisco guys will scale to about 300-400 tunnels. Not sure about the VAM-2. There is also the 6500 IPSec VPN Service Module, which supports 8000 tunnels.
formatting link
Also, we run our remotes as EIGRP stubs when possible - cuts down on route queries significantly. Unsure if there is a published number of acceptable neighbors - we could not find this info last year when converting to EIGRP.
Finally, QoS is different but the same for GRE tunnels :) It is different from the standpoint that you apply "qos pre-classify" to your crypto maps and tunnel interfaces, and "service-policy out" to the physical interface (where the crypto map is applied). It is the same in regards to class-map and policy-map and acl (or whatever matching your doing: DSCP, etc.) config.
formatting link
hth!
Replied by: hniazi - CCIE - Aug 5, 2005, 12:16pm PST
Good response with good explanation. Couple of clarifications:
1) VAM, VAM2 OR VAM2+ do not matter in case of EIGRP spoke scalability.
2) 6500 can terminate 8000 tunnels but if running DMVPN natively on
6500, EIGRP is handled by MSFC and the EIGRP spoke limitation is
400-450.
3) For increased scale, you can use 6500 to terminate IPSec and handover MGRE/EIGRP processing to MWAM card or a number of 7200s connected to 6500 like in a server farm environment.
formatting link
4) If you only have single EIGRP hub (no daisy chaining), Stub will definitly be very helpful. If there is a neighbor on the hub MGRE tunnel that is not a Stub (say another daisy chained hub), hub will start querying all the spokes whether they are stub or not.
Replied by: jimmy-dotson - CCIE - Aug 7, 2005, 9:50am PST
That's excellent info - 400 to 450 neighbors is news, but very helful news, to me...
Do you have a URL or book reference on number 4, for further study? We have 5 EIGRP neighbors on a 7200 (internal LAN), and 130+ neighbors (as stub, we hope :)) via the IPSec GRE tunnels - we would like to verify they will in fact remain stubby (without debugging on production network - additional reading would be great place to start).
thx!
Replied by: hniazi - CCIE - Aug 7, 2005, 8:35pm PST
In your case, non-stub neighbors on the lan shall not cause issues with stub neighbors on the MGRE tunnel. Essentially there shall be no non-stub neighbor on the MGRE tunnel interface because as I understand it, the limitation is on per-interface basis.
I got the info directly from the dev. and do not have URLs or books with this info. I will try to find a reference if I can.
Replied by: jimmy-dotson - CCIE - Aug 8, 2005, 5:42am PST
Perfect - makes more sense described this way!
Sometimes you get caught up trying to make more of thngs than what is actually there :)
'preciate all of the information.
Replied by: hniazi - CCIE - Aug 5, 2005, 10:03am PST
We have tested 7200 as a headend. Recommended number of EIGRP spokes is
350-375. We are currently working on trying to make EIGRP more robust and trying to find the bottlenecks in the DMVPN scenario. Nothing concrete yet and DEs are looking into it.
One of the items we are also looking for future releases is tagging the a packet with some qos group ID and then apply QoS on it. On the tunnel you can provice the "qos pre-classify" command and apply the service policy on the physical interface. It applies QoS on traffic before encapsulation.
-------------------------------------------------
Hope this helps.
Brad Reese Worldwide Cisco Repair
formatting link