Hello,
I've got a project where the customer has over 70 sites that pretty much all use DrayTek Vigor routers, and these all connect to our network for L3VPN on the MPLS.
However, they want to plug a 4G dongle into each of these DrayTeks for failover. These DrayTeks would then need an IPsec tunnel to the colo Cisco ASA so that they'd still be able to access other sites/servers etc.
I recently learned that Cisco ASAs are not able to do DMVPN. So I was wondering if it would be the best solution to create an object group on the ASA with all the WAN IPs of the DrayTeks (spokes) and then a 0.0.0.0 crypto map to minimise the amount of config needed. Then if a new site needs to be added I'd just add another WAN IP to the object group.
I think I'm alright with the BGP stuff for failover.
I'm going to have a BGP connection from every DrayTek and will probably use a peer template for that, and then do local preference on the ASA to deprefer the received routes from the DrayTeks. The primary MPLS connection is using per-user static routes, so they'll disappear automatically from the network when the primary link fails.
Thanks in advance for any input.