
Dynamic Multipoint VPN (DMVPN)

Design and Positioning


Mike Sullenberger

Thank You for Joining Us Today

The Live Ask the Expert Event Will Begin at 10:00 am Pacific Time

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential


Cisco Support Community: Ask the Expert

Today's featured expert is Mike Sullenberger, Distinguished Engineer, Cisco.

Ask him questions now about DMVPN design.


Polling Question 1
What type of IPsec VPN network have you recently worked on, designed or wanted to design?
A. EzVPN
B. DMVPN
C. GETVPN
D. Not sure which to use

Agenda
- Cisco IPsec VPN Technologies
- What is DMVPN?
- Scaling DMVPN
- DMVPN network topologies

IPsec VPN Technology Positioning

Enhanced Easy VPN
  Encryption Style: Peer-to-Peer Protection
  Network Style: Hub-Spoke (Client-to-Site)
  Infrastructure: Public, Internet IP Transport
  Network Scaling: Large Scale (10,000+)
  Where to Use: Replace, Alternate, Backup for Traditional FR/ATM WAN

DMVPN
  Encryption Style: Peer-to-Peer Protection
  Network Style: Hub-Spoke and Dynamic Mesh Site-to-Site
  Infrastructure: Public, Internet IP Transport
  Network Scaling: Large Scale (10,000+, 3000+)
  Where to Use: Replace, Alternate, Backup for Private/Public WAN

GET VPN
  Encryption Style: Group Protection
  Network Style: Any-to-Any (Full-Mesh) Site-to-Site
  Infrastructure: Private IP Transport
  Network Scaling: Medium Scale (3000-4000)
  Where to Use: Encryption for MPLS and Private WAN

IPsec VPN Technology Positioning (Cont.)

Enhanced Easy VPN
  Routing: Reverse-Route Injection
  Failover/Redundancy: N/A
  Configuration: Centralized
  QoS: Per Peer
  IP Multicast: Multicast Replication at Hub

DMVPN
  Routing: Dynamic Routing on Tunnel Network
  Failover/Redundancy: Active-Active and Load-Balancing via Routing
  Configuration: Distributed Dynamic Tunnels
  QoS: Aggregate (Per-Tunnel Hub-Spoke)
  IP Multicast: Multicast Replication at Hub

GET VPN
  Routing: Dynamic Routing on IP WAN
  Failover/Redundancy: Route Distribution Model + Stateful
  Configuration: Centralized Key (Group) Management
  QoS: Same as Without Encryption
  IP Multicast: Multicast Replication in IP WAN Network

What Is Dynamic Multipoint VPN?

DMVPN is a Cisco IOS software solution for building IPsec+GRE VPNs in an easy, dynamic and scalable manner. It relies on two proven technologies:

- Next Hop Resolution Protocol (NHRP): creates a distributed mapping database of VPN (tunnel interface) addresses to real (public interface) addresses
- Multipoint GRE (mGRE) tunnel interface: a single GRE interface supports multiple GRE/IPsec tunnels and endpoints, reduces the size and complexity of the configuration, and supports dynamic tunnel creation

DMVPN: Major Features

- Configuration reduction and no-touch deployment
- Supports IP unicast, IP multicast and dynamic routing protocols
- Supports remote peers with dynamically assigned addresses
- Supports spoke routers behind dynamic NAT and hub routers behind static NAT
- Dynamic spoke-spoke tunnels for scaling partial/full mesh VPNs
- Can be used without IPsec encryption
- Works with MPLS: GRE tunnels and/or data packets in VRFs, and MPLS switching over the tunnels
- QoS: aggregate; static/manual per-tunnel
- Transparent to most data-packet-level features
- Wide variety of network designs and options

DMVPN Phases

Phase 1
- Hub-and-spoke only functionality
- Supported from 12.3(8), 12.3(7)T, ASR Release 3
- Supported on all platforms*

Phase 2
- Dynamic spoke-spoke functionality
- Supported from 12.3(8), 12.3(7)T, ASR Release 3
- Supported on all platforms*

Phase 3
- Dynamic spoke-spoke functionality
- Removes some restrictions and complexities of Phase 2; allows a greater variety of DMVPN network designs
- Supported from 12.4(6)T, ASR Release 5
- Supported on all platforms* except Cat6500

*ISR (/G2), 7200 (/G2), 7300, Cat6500, ASR1K

Hub Placement

Data plane aggregation point (Enterprise)
- Usually placed according to the data traffic patterns
- May be in multiple locations; example: Data Center
- Exception: Hierarchical DMVPN (Phase 3), which reduces the control plane load on the central hub; a spoke-spoke tunnel can be built from a spoke directly to the central hub

Control plane aggregation point (ISP)
- Control point in the ISP network
- Data plane traffic uses spoke-spoke tunnels
- Some spoke-spoke tunnels can be statically nailed up

Mix and match: overlapping DMVPN networks

Scaling DMVPN Nodes

Hub
1. Number of routing protocol neighbors
   - Depends on the routing protocol
   - Trade-off between number of neighbors and convergence time
2. Encryption throughput
   - Spoke-hub traffic
   - Some spoke-spoke traffic
   - Multicast traffic: replicated on the hub, so the stream rate is multiplied by the number of spokes. Example: a 256 Kbps stream to 200 spokes = 51.2 Mbps leaving the hub

Spoke
- Encryption throughput: spoke-hub and spoke-spoke traffic

Polling Question 2
What is your preferred routing protocol to use over DMVPN?
A. EIGRP
B. OSPF
C. RIP / RIP Passive
D. iBGP or eBGP
E. Not sure which to use

Routing Protocol Based on Scalability

[Chart: preferred routing protocol versus number of branches (axis: 500, 1000, 1500, 2000+), by hub platform (7200/6500/3945e, ASR). Recoverable content:]
- EIGRP, OSPF or BGP on 7200/6500/3945e
- RIPv2 Passive with IP SLA, or ODR, on 7200/6500/3945e
- SLB design using EIGRP or RIPv2 Passive; BGP using a route reflector router farm
- ASR hubs at the larger branch counts

** Dynamic IPsec currently limited to 1000 peers

Scale Preferred Routing Protocol

[Chart: peers per hub versus number of branches (axis: 500, 1000, 1500, 2000+) for 7200/6500 and ASR1000; the chart residue places 7200/6500 at the 500 mark and ASR1000 at the 1000 mark. Recoverable content:]

BGP
- Each DMVPN hub can terminate this many peers (7200, 6500, ASR1000; see chart)
- Use the BGP route reflector model: BGP processing is offloaded to one or more route reflectors behind the hub, and the hub is a route reflector client

RIPv2
- Each DMVPN hub can terminate this many peers (7200/6500 with Passive RIP/IP SLA)
- Use the SLB design to scale the routing protocol using N hubs
- Deploy N DMVPN clouds to scale a single cloud N times
- Use the Hierarchical DMVPN design

EIGRP (preferred)
- Each DMVPN hub can terminate this many peers (7200/6500, ASR1000; see chart)
Select Platform and Encryption Module

[Chart: IMIX throughput (500 M, 1.0 G, 1.5 G, 2.0 G, measured at 70% max CPU) per platform and design. Recoverable content:]

Throughput depends on the number of hub platforms.
- SLB design: crypto and mGRE terminated on the same device; throughput = N x hub platform
- ASR
- Multi-tier design: crypto terminated on 6500/SPA and mGRE terminated on 7200 (Phase 1 or Phase 3)
- 6500 with IPsec SPA as crypto headend or spoke device (DMVPN Phase 1 or Phase 2)
- 7200 G2/VSA
- 3945e
- 7200/G2 VAM2+

Not recommended without AS support.

Polling Question 3
For what type of business do you need a DMVPN design?
A. Small/Medium Business
B. Large Business
C. Home Office / Work Access
D. Franchise/Point-of-Sale/ATM
E. Extranet
F. ISP

Basic Network Designs

Hub-and-Spoke: Order(n)
- Phase 1: hub bandwidth and CPU limit the VPN
- SLB: many identical hubs increase CPU power
- All traffic via the hub

Dynamic Spoke-to-Spoke: Order(n) to Order(n^2) (full mesh)
- Phase 2: single hub-and-spoke layer
- Phase 3: hierarchical hub-and-spoke layers
- Control and multicast traffic: hub-spoke, hub-hub
- Unicast data traffic: dynamic mesh
- Spoke supports spoke-hub and spoke-spoke traffic; hub supports spoke-hub and some spoke-spoke traffic

Network Virtualization
- VRF-lite: DMVPN per VRF
- 2547oDMVPN: MPLS (VPNs) over a single DMVPN

Network Designs

[Figure: topology diagrams; legend: spoke-to-hub tunnels, spoke-to-spoke tunnels, 2547oDMVPN tunnels. Panels:]
- Hub and spoke (Phase 1)
- Spoke-to-spoke (Phase 2)
- VRF-lite
- Server Load Balancing (Phase 1 or Phase 3)
- Hierarchical (Phase 3)
- 2547oDMVPN

Network Designs: Business Design

Small/Medium Business
- DMVPN Phase 3 single layer design
- Dial backup and VRF for non-split-tunneling
- Up to 1000 spokes, with dynamic spoke-spoke tunnels

Large Business
- DMVPN Phase 3 hierarchical layer design
- Dial backup, multiple ISP connections, VRF for non-split-tunneling and group separation
- 1000-2000 spokes, with dynamic spoke-spoke tunnels

Home Office / Work Access
- CVO (Cisco Virtual Office) designs
- DMVPN Phase 3 single layer or SMB design, zero touch deployment
- 1000s of spokes

Network Designs: Business Design (Cont.)

Franchise/Point-of-Sale/ATM
- Server Load Balancing (SLB) designs: Super Hub
- No spoke-spoke (spoke-spoke could be enabled)
- 4000-20,000+ spokes

Extranet
- DMVPN Phase 1 hub-and-spoke design
- No spoke-spoke, not even via the hub (enforced using ACLs)
- Probably <1000 spokes

ISP
- DMVPN Phase 3 or SLB designs, MPLS (2547oDMVPN), VRFs
- Hub-and-spoke and spoke-spoke networks
- Different size networks (number of spokes), but also many DMVPN networks supported on the same set of hub routers

Recommended Releases

17xx, 26xx, 36xx, 37xx, 720x (NPE-G1), 7301:
- IOS 12.4 Mainline: 12.4(23)b, 12.4(25)b
- IOS 12.4 T-train: 12.4(9)T7, 12.4(15)T14, 12.4(24)T4

87x, 18xx, 28xx, 38xx:
- IOS 12.4 Mainline: 12.4(23)b, 12.4(25)b
- IOS 12.4 T-train: 12.4(9)T7, 12.4(15)T14, 12.4(24)T4

19xx, 29xx, 39xx:
- IOS 15.0 Mainline: 15.0(1)M3
- IOS 15.1 T-train: 15.1(2)T1

720x (NPE-G2+VSA):
- IOS 12.4 T-train: 12.4(15)T14, 12.4(24)T4

ASR - DMVPN Hub or Spoke:
- Phase 2: Release 3+ (02.04.04.122-33.XND4)
- Phase 3: Release 5+ (02.05.02.122-33.XNE2, 02.06.02.122-33.XNF2)

6500/7600 with VPN-SPA:
- Sup720 (7600): 12.2(18)SXF17a, 12.2(33)SRC6
- Sup720 (6500): 12.2(18)SXF17a, 12.2(33)SXH7, 12.2(33)SXI3 (TCP adjust-mss command supported)
- Caveat: Phase 3 and multicast not supported; OSPF routing protocol scaling.

Resources
Web pages
- http://www.cisco.com/go/dmvpn
- http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml


Post Questions on Our Forum Here:


https://supportforums.cisco.com/community/netpro/ask-the-expert
