GRE DMVPN Experiences

Howdy,

This got a touch longer than I thought, so I'll put the main point up here: if you have used DMVPN, I would appreciate your responses.

In my last position, I ran a 75+ site static GRE VPN network that was increasing to 200 sites when I left (the position was leaving the state through a merger). The hub router config was getting rather ridiculous at well over 1000 lines just for the original 75 sites, and I constantly worried about managing the config for 200+ sites.

I have a new position that I haven't started yet, but the new CIO is the director (my boss) from my last position and is asking me to get a jump on things (and it's good practice even if things fall through). We had an excellent experience with our previous network even without redundancy and would like to replicate it at the new company.

The new network is 115 remote locations with a good likelihood of increasing to 200+ sites over the next few years.

My question is, does anyone have experience with DMVPNs? I've been reading up on them, and the local Cisco Security Specialist, John Gormally, does an excellent job of selling the idea.

I do have concerns around the idea. A. Security: The idea of having a 0.0.0.0 peer address bothers me at some fundamental level. Typically on all routers crossing the internet, I have only 2-3 static routes (1 to the hub, 1 to the external internet firewall for management, and 1 to an offsite but accessible IP in case of disaster). I can continue this for a measure of security, but it is concerning to know that a slightly knowledgeable disgruntled employee can reboot one of my remote routers twice, get the config and create his own tunnel into my network (assuming I don't use static routes on the outside of the hub router). I know it's far-fetched, but it's part of what I'm paid for.

B. Monitoring: In our previous network, we had very little remote-to-remote site traffic. We forced what was out there through the main hub so that we could monitor for problems. I could probably answer this but haven't looked enough yet: in a DMVPN, can you force all traffic through the main hub router instead of allowing the sites to create tunnels between themselves? I'm thinking more of viruses trying to propagate across the network (remembering the late nights with Sasser and Code Red). In addition to traffic monitoring, I wonder about interface monitoring. We used a mixture of WhatsUp Gold (love the program, hate the name) to monitor the status and SolarWinds Orion to monitor the interfaces (traffic, errors, CPU, etc.). With dynamic tunnels, I see issues monitoring traffic of the external "interfaces." I could monitor the physical interface, but I want to monitor the tunnel itself.

C. VoIP: This is more of a general internet VPN question. Has anyone used VoIP over an internet VPN in an enterprise environment? What are your experiences? Lack of QoS concerns me.

I had a couple of other questions but this got so long I forgot them... Thanks for reading through this and I really appreciate any feedback you might have.

Nick

Nick, I have implemented this and am happy with it. Please see inline answers below...

A. I'm not especially fond of the 0.0.0.0 config either. It is nice since you don't have to get static IPs at each remote site, and the config is a whole lot easier. However, you can easily prevent this through the access-lists - just set who can communicate with the router via GRE, ESP and ISAKMP. Probably any one of them would work, but all three make it safer. The config still is easier using the DMVPN setup rather than having a whole bunch of crypto maps.

B. Yes, you can. Again, with the access-lists. On the remote sites, you can just allow the GRE, ESP and ISAKMP from the host site. It still will try to connect to the remotes, but will fail. What is your actual question about the monitoring? Personally, I monitor the physical connection. Not sure what the tunnel interface will buy you. That said, I do a ping monitor to the tunnel interface, which will let me know when the VPN drops. Just not any kind of traffic monitoring on the tunnel interface. Just as a test, I fired up the Bandwidth Gauge from SolarWinds, and it does show traffic stats on the tunnel interface.

C. Mixed results. QoS is a concern. You will have better results if the two sites use the same ISP - fewer hops and lower latency. I would still do QoS for your own results, which should help some (be sure to do a pre-classify on the VPN). Have you used Vonage or any other network phone provider? Most of the time, it is good enough, even without the QoS, but sometimes, beyond your control, there will be issues. If this is a critical phone setup, I wouldn't trust it. But, if you can tolerate the occasional anomaly, it is worth the try. Bigger concern if you have multiple calls using these VPNs, since it is best-effort bandwidth. If you have the DSP modules to manage your codecs, it would be worth investigating using a higher compression for these calls.

Hope that helps. Let me know if you have any more questions.

Jim

Scooby
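A configuration sketch of what Jim describes in his answers to A, B and C, added here as an example and not taken from either poster: a spoke whose outside interface only accepts ISAKMP, ESP and GRE from the hub, so a spoke cannot bring up peers other than the hub and traffic stays hub-and-spoke where it can be monitored, plus `qos pre-classify` on the tunnel for the VoIP policy. The hub address 203.0.113.1, the 10.255.0.0/24 overlay, the interface and profile names and the key placeholder are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Assumed: hub public IP 203.0.113.1,
! tunnel overlay 10.255.0.0/24 with the hub at 10.255.0.1, spoke at .11.
!
! The wildcard peer Nick dislikes: one pre-shared key accepted from any address.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Jim's access-list: on the spoke's outside interface, only the hub may talk
! ISAKMP (UDP 500 and NAT-T 4500), ESP or GRE to this router. Spoke-to-spoke
! tunnel attempts from other spokes fail here, so traffic keeps going via the hub.
! (The mirror-image list on the hub, permitting only known spoke addresses, is
! what blocks a copied config from a new location, but it needs static spoke IPs.)
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.1 any eq isakmp
 permit udp host 203.0.113.1 any eq non500-isakmp
 permit esp host 203.0.113.1 any
 permit gre host 203.0.113.1 any
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface (address assigned by the ISP)
 ip address dhcp
 ip access-group OUTSIDE-IN in
!
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.255.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
 ! classify on the inner (pre-encryption) headers so the voice policy still sees DSCP/RTP
 qos pre-classify
```

With `tunnel protection` in transport mode the GRE header rides inside ESP, so on the wire only the ISAKMP and ESP entries are hit; the GRE entry matters only if a tunnel is run without IPsec.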

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.