Howdy,
This got a touch longer than I thought so I'll put the main point up here: If you have used DMVPN, I would appreciate your responses.
In my last position, I ran a 75+ site static GRE VPN network that was increasing to 200 sites when I left (position was leaving the state through a merger). The hub router config was getting rather ridiculous at well over 1000 lines just for the original 75 sites and I constantly worried about managing the config for 200+ sites.
I have a new position that I haven't started yet but the new CIO is the director (my boss) from my last position and is asking me to get a jump on things (and it's good practice even if things fall through). We had an excellent experience with our previous network even without redundancy and would like to replicate it at the new company.
The new network is 115 remote locations with a good likelihood of increasing to 200+ sites over the next few years.
My question is, does anyone have experience with DMVPNs? I've been reading up on them and the local Cisco Security Specialist, John Gormally, does an excellent job of selling the idea.
I do have concerns around the idea.
A. Security: The idea of having a 0.0.0.0 peer address bothers me at some fundamental level. Typically on all routers crossing the internet, I have only 2-3 static routes (1 to the hub, 1 to the external internet firewall for management, and 1 to an offsite but accessible IP in case of disaster). I can continue this for a measure of security but it is concerning to know that a slightly knowledgeable disgruntled employee can reboot one of my remote routers twice, get the config and create his own tunnel into my network (assuming I don't use static routes on the outside of the hub router). I know it's far-fetched but it's part of what I'm paid for.
B. Monitoring: In our previous network, we had very little remote-to-remote site traffic. We forced what was out there through the main hub so that we could monitor for problems. I could probably answer this but haven't looked enough yet; in a DMVPN, can you force all traffic through the main hub router instead of allowing the sites to create tunnels between themselves? I'm thinking more of viruses trying to propagate across the network (remembering the late nights with Sasser and Code Red). In addition to traffic monitoring, I wonder about interface monitoring. We used a mixture of WhatsUp Gold (love the program, hate the name) to monitor the status and SolarWinds Orion to monitor the interfaces (traffic, errors, CPU, etc). With dynamic tunnels, I see issues monitoring traffic of the external "interfaces." I could monitor the physical interface but I want to monitor the tunnel itself.
C. VoIP: This is more of a general internet VPN question. Has anyone used VoIP over an internet VPN in an enterprise environment? What are your experiences? Lack of QoS concerns me.
I had a couple of other questions but this got so long I forgot them... Thanks for reading through this and I really appreciate any feedback you might have.
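As an added example (not from the original poster, and not taken from Cisco documentation), here is the hub-only DMVPN pattern that point B asks about, in assumed Cisco IOS syntax: the hub runs multipoint GRE, but each spoke is given a plain point-to-point GRE tunnel whose only possible destination is the hub, so any site-to-site traffic hairpins through the hub where it can be inspected, and Tunnel0 remains a fixed logical interface that an SNMP poller can watch. The public address 192.0.2.1, the tunnel addressing, the key strings and the interface names are placeholders; the routing protocol over the tunnel is left out.

```cisco
! ===== HUB (assumed IOS syntax; 192.0.2.1 is a placeholder public address) =====
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! The wildcard peer is what lets any spoke register (point A's worry). Pair it with a
! per-deployment NHRP string and, where PKI exists, replace pre-share with rsa-sig.
crypto isakmp key REPLACE-ME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 description DMVPN hub, multipoint GRE
 ip address 10.255.0.1 255.255.0.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPSECRET
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 300
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== SPOKE (carries the same crypto isakmp/ipsec block as the hub, omitted here) =====
interface Tunnel0
 description DMVPN spoke, hub-only
 ip address 10.255.0.2 255.255.0.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPSECRET
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 tunnel source FastEthernet0/0
 ! Point-to-point GRE (no "tunnel mode gre multipoint"): this spoke can only
 ! terminate a tunnel on the hub, so spoke-to-spoke traffic must transit the hub.
 tunnel destination 192.0.2.1
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Tunnel0 keeps a stable ifIndex across reloads for the SNMP pollers named in point B;
! tunnel and crypto state can be checked with: show dmvpn, show ip nhrp, show crypto session
snmp-server ifindex persist
```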