Re: Prefered VPN design for OpenView NNM monitoring

sergej.gurenko · ‎03-10-2004

I need to select hub-and-spoke VPN technology. There are ~60 spokes (17xx routers) and central site (2x 3725 for redundancy, one ISP).

There is a plan to monitor routers and other equipment with HP OpenView NNM 6.41 (without ET). Also for routers maintenance CiscoWorks RWAN 1.3.

Possible designs:

1. EasyVPN Server configured 3725 on the center (ether HSPR EasyVPN Server, ether route-injection with routing between EazyVPN servers) EasyVPN Remote configured 17xx (ether with one EazyVPN server HSRP address, ether 2 server addresses)

2. Static IPSEC cryptomamp

3. Static IPSEC/GRE

4. Partial/Full DMVPN/mGRE/NHRP Dual Hub implementation with singe DMVPN layout.

***

Currently spoke-to-spoke traffic non-exists, and even there is a plan sometimes to restrict spoke-to-spoke for security. Physical WAN topology allows full-mesh traffic (ISP have big routed WAN, without MPLS). So I want to leave a chances for utilizing spoke-to-spoke traffic flows in future.

I have successful EazyVPN desigs. But I found now that Cisco TAC do not recommend EazyVPN on LAN-to-LAN environments Only for Remote access.

What is better looking design for monitoring via NNM? IPSEC, IPSEC/GRE, EzVPN, mGRE? Any experience? GRE will looks like physical p2p line – that is good. mGRE – one big subnet – not bad. What about EazyVPN?

Does DMVPN support HSRP cluster on HUB router?

P.S. Dear all, I waiting for you opinion.

drolemc · ‎03-16-2004

If you looking for ease of deployment and maintainence, router MC is also a good option. More information is available at http://www.cisco.com/en/US/products/sw/cscowork/ps3994/products_data_sheet09186a00800fcb85.html

sergej.gurenko · ‎03-18-2004

Organization decide to cut some costs and use SDM instead of VMS :)

After long thinkings I decide to use DMVPN with mGRE. mGRE tunell interface subnet looks fine inside NNM 6.41.