02-28-2019 09:25 AM
Hi All,
I'm looking to configure DMVPN on a Cisco 2921 router but I only have the IP base license installed. I do not need to configure IPSec, only basic multipoint GRE tunnels and NHRP. Will the IP base license be ok for this?
Thank you
02-28-2019 09:49 AM - edited 02-28-2019 09:50 AM
Hi
You will require a sec k9 for dmvpn, please see doc
SECK9 |
Offers the security features found in Advanced Security IOS image on ISR 1800, 2800 and 3800 e.g. IKE v1 / IPsec / PKI, IPsec/GRE, Easy VPN w/ DVTI, DMVPN, Static VTI, Firewall, Network Foundation Protection, GETVPN etc. |
SSLVPN (counted) Intrusion Prevention (Subscription) Content Filtering (Subscription) |
None |
02-28-2019 01:15 PM
There is some ambiguity in the original post. It does specifically ask about needing a license for dmvpn. And certainly for dmvpn the security license is required. But the original post goes on to say that they do not need encryption and are looking to do multi point GRE. Well, dmvpn is multipoint GRE with encryption. If you take away encryption then it is no longer dmvpn and I do not see why any special license would be required if the requirement is really multi point GRE. Perhaps the original poster can clarify what it is that they really are looking for.
If they are interested in multi point GRE with NHRP here is a Cisco doc that may have helpful information:
HTH
Rick
02-28-2019 10:15 PM
Hi Richard,
I beg to disagree with your statement. DMVPN isn't multipoint GRE with encryption. The SEC license on ISR G2 routers may include encryption, but encryption isn't a requirement for DMVPN to function, as DMVPN tunnels are not encrypted by default.
Thanks
03-01-2019 03:12 PM
You may certainly disagree. But this document from Cisco indicates that you are not correct.
https://www.cisco.com/c/en/us/products/security/dynamic-multipoint-vpn-dmvpn/index.html
HTH
Rick
03-02-2019 07:15 AM
Perhaps the issue here is the precision with which we use terms. In one part of the original post it indicates that the objective is multi point GRE with NHRP. I have provided a link about this feature which perhaps is supported by the existing license. In other parts of the discussion there is insistence that what is desired is DMVPN. I have provided a link which documents that this feature does encrypt traffic through the tunnels and will certainly require the security license. Perhaps you can clarify what you really need to achieve?
HTH
Rick
03-02-2019 08:01 AM - edited 03-02-2019 08:01 AM
Hi All,
All I need is mGRE with NHRP and no IPSec encryption.
I think that the terminology for this is a little confusing, as I too thought that encryption wasn't a mandatory component of DMVPN, as the encryption could be offloaded to a firewall sitting in front of the router (which is what I'm trying to do).
Thanks,
03-02-2019 08:54 AM
Thanks for the clarification. I agree that sometimes our terminology gets a bit confusing. But if you do not want encryption then you do not want DMVPN and therefore as far as I can tell do not need the security license. Good luck with the implementation of mGRE and NHRP.
HTH
Rick
03-02-2019 05:40 PM
Would a company market a VPN technology without security? No. Does setting up Point-to-Point GRE without IPSEC mean it isn't GRE? No. Many would say a VPN technology without IPSEC isn't VPN, but I would ask if the VPN would break without adding IPsec.
According to Cisco, DMVPN has 2 mandatory components, mGRE and NHRP, while IPSEC is optional. Even Mike Sullenberger in one of his Cisco Live presentations said IPsec is integrated with DMVPN but not required.
Anyway, the post was about licensing and not technology functionality, of which Cisco bundled IPsec with DMVPN in its SEC license.