Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
1906
Views
4
Helpful
1
Replies
saquib.tandel
Beginner
Beginner
‎08-02-2013 04:59 PM
‎08-02-2013 04:59 PM

scalability question - vpn

Hi

here is the scenario were i need some advices ; managing IPSEC over GRE with expected growth will become nightmare.

I have read the post https://supportforums.cisco.com/docs/DOC-8356  - but still not clear which routing protocol to use for simplification,

ISP + hardware redundancy to consider, ease of management, future scalability

Each HQ_C?? site has collapsed core with vpn and mpls terminating on different routers.

Total 4 Countries

Country #1   named as HQ_C1

which hosts scala erp for rest of the countries, all international countries connects via vpn gre over ipsec

  • 10 cities connect to country#1 HQ_C1 over gre over ipsec
  • single hub no redundancy

Country #2  named as HQ_C2

establishes vpn gre over ipsec with HQ_C1

  • 20 local sites in country#2 connect to HQ_C2 over local mpls provider and get scala access using VPN establish between country#2 to country#1

With growth expected ;-

  • 5 Main sites will be estalibshed in country#2, each main site will have around 100+ concurrent users and need to access scala directly from HQ_C1 and have mpls connection between main sites + HQ_C2 for other services i.e voip,  portals, messaging
  • HQ_C2 will have Two ISP to have redundancy on vpn with HQ_C1

Country #3   named as HQ_C3

establishes vpn with HQ_C1 only

  • 10 local sites in country#3 connect to HQ_C3 over local mpls provider and get scala access using VPN establish between country#3 to country#1

HQ_C3 will have two ISP for vpn redundancy with two vpn routers

Country#4  ( scenario same as country#3 with only 7 local sites )

thanks

ST

Labels:
0 Helpful
1 REPLY 1
Marwan ALshawi
Advisor
Advisor
‎08-03-2013 10:23 AM
‎08-03-2013 10:23 AM

hi ST

first the post you read was posted by myself a while and i can tell you DMVPN can provide a scalable vpn solution compared to ipsec over gre point to point tunnels

from my understanding to your topology you hav emultiple hube and spoke topologies

in each hub and spoke topology do you need spoke to spoke direct communication or all will be spoke to hub ?

between differnt topologies/countries do you need hub to hub communications only or it might required direct spoke to spoke between diffrent countries ?

if the spoke to spoke required in both cases you can consider DMVPN phase 3 which can help you to design a hierarchal topologies

for simplification with hub and spoke topologies EIGRP is a good choice, OSPF as well but a bit more complicated

hope this help

Latest Contents
Configuring & Understanding OSPF HMAC Authentication
Created by Tim Glen on 10-10-2021 11:33 AM
0
0
0
0
SummaryRequirementsConfiguration StepsVerificationFAQTroubleshootingReferences & Tools   Summary In the past when IOS 12.x was hot stuff we used MD5 to authenticate OSPF neighbors.  This worked great on ethernet networks because OSPF is a m... view more
End to End Migration from Prime Infrastructure to Cisco DNA ...
Created by pbagga on 10-07-2021 02:02 PM
1
0
1
0
Chapter 1 – Pre-requisite You have Root or Super Users access privileges of Cisco Prime Infrastructure. You have access credentials of Cisco DNA Center. You use Cisco Prime Infrastructure version 3.5 and above which is compatible with Cisco DNA Center v... view more
How to install and run PDART Tool on Cisco Prime Infrastruct...
Created by pbagga on 10-07-2021 02:01 PM
0
0
0
0
Chapter 1 – Pre-requisite You have Root or Super Users access privileges of Cisco Prime Infrastructure. You have access credentials of Cisco DNA Center. You use Cisco Prime Infrastructure version 3.5 and above which is compatible with Cisco DNA Center ... view more
(Podcast) S8|E40 Cisco Champion Unfiltered: IT Horror Storie...
Created by Amilee San Juan on 10-07-2021 01:46 PM
0
0
0
0
Listen: https://smarturl.it/CCRS8E40Follow us:  twitter.com/CiscoChampionRemember that time you forgot to put "add" in when changing VLANs? Or, when you spent hours on a config and rebooted without saving? As engineers we often feel the need to ... view more
OSPF Capability Transit and Breaking the split horizon rule
Created by meddane on 10-07-2021 10:09 AM
0
0
0
0
 Basic configuration of all routers: R1:interface Loopback0 ip address 1.1.1.1 255.255.255.0 ip ospf network point-to-point ip ospf 1 area 1!interface FastEthernet0/1 ip address 123.0.0.1 255.255.255.0 ip ospf 1 area 123... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Event
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad