DMVPN or not to DMVPN?

sharwal
Level 1

Hello all, we are in the process of determining our future Cisco network design and I had a few questions as I am unsure of what the BEST design is, and most importantly...WHY

We have two ISPs

We are considering new ASA 5515 firewalls, 2960 8 port switches, and 2900 series routers

We are SIMPLY trying to achieve full resiliency and failover between our devices, sites, and business partners; so here are my questions...

1) If I connect the links from both ISPs directly into the ASAs (ISP1 into ASA1 and ASA2 and ISP2 into ASA1 and ASA2...correct?), can I achieve complete failover resiliency on all levels in the event of a hardware failure, ISP failure, network failure, etc.? For both internal/inbound and external/outbound traffic? Without the users noticing any dropped connections? (it's ok if they need to refresh their browser)

Or do I NEED switches and/or routers between the firewalls and ISP lines to achieve this? If so, WHY?

2) Say ASA1 goes down (hardware failure or whatever), can ASA2 continue to use ISP1?

3) What purpose would DMVPN serve me, and do I even need it or is it overkill?

4) What are the benefits of GETVPN and IPSec VPN? For a small network with 4-5 sites which would work best?

I have heard a lot of 'depends on your needs' type responses but I would really like straightforward, technical responses, as my requirements (to me) are fairly simple as I stated above

Thanks for your help in advance

sharwal
Level 1

Anyone?

Marwan ALshawi
VIP Alumni

Hi there
In brief
Using a pair of Cisco ASAs can provide you with smooth failover capability using ASA failover and stateful failover

I am not sure how you connect each ISP to both ASAs? Do you have two links from each ISP or are you assuming here!!
Because normally you have one link from each ISP
If you have one link from each ISP I would recommend you using the following design

Connect each ISP link to a router
If you want to use the ISP links in active/standby mode then use a switch between the routers and the outside interfaces of the ASAs using a shared VLAN (here you may use public IPs)
Configure HSRP at the routers' side
Configure failover between the firewalls
Use the inside firewall virtual ip as the default gateway for internal hosts
Use the routers' HSRP VIP as the next hop IP for the static routes in the firewall for traffic going out
DMVPN is supported on Cisco routers only, and by using the above approach where the routers are the edge devices you can use DMVPN; the main benefit of DMVPN is its scalability, as you can have one tunnel at the hub side peering with many remote/spoke sites
In your case if you have only 4 to 5 sites either normal site to site VPN or DMVPN can work

Hope this helps
If helpful rate

Sent from Cisco Technical Support iPhone App
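The design in the reply above (ISP link per router, HSRP on a shared outside VLAN, ASA active/standby failover, ASA default route to the HSRP VIP), written out as an added configuration example that is not from the thread or from Cisco. All addresses, interface numbers and the IP SLA probe are assumptions, and the routers' ISP-facing interfaces (GigabitEthernet0/0) are taken as already addressed.

```cisco
! Added example for the design above; not from the thread. All addresses are
! constructed (RFC 5737 documentation ranges). R1 fronts ISP1, R2 fronts ISP2,
! and both share VLAN 10 on the switch with the ASA outside interfaces.
!
! ---- R1 (ISP1 edge): HSRP active while ISP1's next hop answers pings ----
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
! when the ISP1 probe fails, 110-20 < 100 and R2 takes over the VIP
 standby 1 track 1 decrement 20
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ---- R2 (ISP2 edge): HSRP standby, takes over on R1 or ISP1 failure ----
interface GigabitEthernet0/1
 ip address 203.0.113.3 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! ---- ASA primary unit: active/standby stateful failover ----
! (the secondary only needs "failover lan unit secondary" plus the same
!  failover lan/link/ip lines; it pulls the rest over the failover link)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! ASA default route points at the routers' HSRP VIP, not at either router
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Internal hosts use 10.0.0.1 (the ASA inside active address) as their gateway; the HSRP VIP keeps the firewall's next hop constant when a router or ISP fails, and ASA failover keeps the inside/outside addresses constant when a firewall fails.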
