07-05-2015 05:47 AM - edited 03-05-2019 01:48 AM
Hello,
I'm planning to connect my sites, around 100 sites, to the HQ site. The provider will connect them using Layer 2 connectivity "wireless", and I will secure the traffic by using site-to-site VPN "the 100 sites will connect to the HQ Router".
I will use OSPF, so I need your advice on which OSPF design to use; keep in mind also whether we can achieve full mesh connectivity.
All the 100 sites WAN ip addresses will be within the same Network ID.
Thanks in advance
07-05-2015 10:38 AM
Hello,
Can you please answer a few more questions? We need to understand your situation better.
Looking forward to reading your response!
Best regards,
Peter
07-05-2015 03:25 PM
Thank you.
1. It does not exist yet; I wish to achieve it. The provider will give us Layer 2 connectivity and they will allow any-to-any connectivity. More than 95% of the traffic will be from each remote site to the HQ, since all our applications are located in the data center, which is within the HQ.
2. IPSec.
3. I think two: the LAN and the loopback.
4. As I told you, more than 95% of the traffic will be hub-and-spoke, but if site-to-site is allowed it will be preferred.
5. Now there are around 30 remote sites, but maybe in the future "within 2-3 years" there will be 100 at most.
Thanks again
07-06-2015 01:38 AM
Hello,
Thank you for your answers.
I believe that the first design choice you have to do is the kind of VPN you are going to deploy. You indicated that you intend to use IPsec. However, a vanilla IPsec deployment has numerous drawbacks:
Therefore, I believe that resorting to vanilla IPsec tunnels is not the way to go.
One of the most straightforward solutions is the Dynamic Multipoint VPN, or DMVPN. DMVPN is a technology that combines multipoint GRE tunnels with IPsec protection, essentially solving all the drawbacks mentioned above: Because of GRE encapsulation, any traffic can be encapsulated, including multicast traffic, and the multipoint GRE provides a notion of a single subnet interconnecting all sites together, so instead of 4950 IP subnets for all site-to-site tunnels, just one IP subnet is required. It also provides site-to-site communication if so desired. Once again, all communication over DMVPN can be encrypted by IPsec whose configuration is greatly simplified, as the IPsec tunnel endpoint is inherited from the GRE tunnel endpoint, and that endpoint is discovered dynamically. Essentially, the entire DMVPN configuration on a single router consists of a common ISAKMP policy, a common IPsec transform set, a common IPsec crypto profile referring to the transform set, and a single multipoint GRE tunnel that refers to the IPsec crypto profile for traffic protection. An additional protocol running in DMVPN is the Next Hop Resolution Protocol, or NHRP, that maps the internal tunnel addresses to the addresses used as "tunnel source", thereby allowing a dynamic discovery of tunnel endpoints.
There are also other possible solutions such as GETVPN that would work in your situation, but in my opinion, the DMVPN is well known, frequently deployed and well supported, and the knowledge base is large, so using DMVPN would be a safe bet.
I am not going to discuss the implications of running OSPF over DMVPN for now as it is up to you first to do some studying on DMVPN (and perhaps GETVPN to just have an overview) to see if it is truly suitable for your needs. Running DMVPN will obviously require that all your sites run Cisco routers as the edge routers (DMVPN is not supported on ASA firewalls to my best knowledge, as they do not support GRE).
I recommend studying these presentations (accessing them will require registration):
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=83687&backBtn=true
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=4387&backBtn=true
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78457&backBtn=true
Best regards,
Peter
07-06-2015 04:01 AM
Thank you very much.
I know about DMVPN and I have already worked with it, and it is a very good choice for my topology. But I have a problem: some sites have Cisco routers and the others have Juniper SRX210.
The HQ router is Cisco also.
I see Juniper does not support DMVPN; instead they support GETVPN:
http://forums.juniper.net/t5/SRX-Services-Gateway/DMVPN-supported-in-SRX-JunOS/td-p/203891
What do you say?
thanks
07-06-2015 09:45 AM
Hello,
The GETVPN could indeed be a solution in your network thanks to the fact that the interconnection of all your sites is a Layer2 technology and as a result, there is direct visibility between all sites and their internal networks.
Unfortunately, I cannot comment on the true compatibility of GETVPN implementation between Cisco and Juniper as I do not have access to Juniper equipment to test this. Reality has proven so often that even though multiple vendors claim to have implemented the same technology, their implementations may have differences making the interoperation problematic. Will it be possible to do the interoperability test using your equipment?
There is one issue to consider: At least in Cisco's implementation of GETVPN, the Key Server router cannot also be a Group Member. This will require having a separate, dedicated router put into the role of the Key Server, preferably at the HQ location. I believe that the Key Server could also be implemented using a virtual router, such as CSR1000v.
Best regards,
Peter
07-14-2015 05:25 AM
Hello Peter,
Thank you very much for your answers and support.
I see we have two issues:
1- The encryption issue, in order to encrypt data traffic between sites (Remote-Site to Remote-Site and HQ to Remote-Site).
Since DMVPN is Cisco proprietary and since I have a mix of remote site routers from Cisco & Juniper, the available solution is to use GETVPN.
2- Configure a dynamic routing protocol, which is OSPF in my case, but we will decide later which OSPF design to use.
In case GETVPN is used, which OSPF design should be used?
thanks in advance
07-14-2015 03:03 PM
Hello,
Since DMVPN is Cisco proprietary and since I have a mix of remote site routers from Cisco & Juniper, the available solution is to use GETVPN.
I agree, provided that the GETVPN implementations on Cisco and Juniper devices are compatible.
In case GETVPN is used, which OSPF design should be used?
I believe I have commented on the OSPF design already here:
https://supportforums.cisco.com/discussion/12549691/design-recommendation#comment-10633571
If you have anything else in mind when discussing the OSPF design please let me know.
Best regards,
Peter
07-09-2015 02:38 PM
Hello,
If the GETVPN is found to be okay with both Cisco and Juniper then, getting back to the original topic of your question, I would personally believe that you should run OSPF over this VPN using a single area design - that is, have the HQ and sites in a single area. Introducing several areas does not make sense in this network, as each site has, according to your own estimation, only a handful of routes to advertise, so there is no advantage in having several areas that would allow for route summarization and/or filtration.
As for the OSPF network type to be used in this VPN, I believe that the natural choice would be broadcast multiaccess, that is, having OSPF use multicast without defining neighbors statically, and electing a DR/BDR. I do not see an advantage in any other network type: Clearly, point-to-point is unsuitable, non-broadcast would require you to define neighbors statically, and point-to-multipoint would result in the same connectivity as broadcast with much larger overhead in terms of adjacencies and link-state database density.
Best regards,
Peter
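As an added illustration (not configuration from the thread) of the single-area, broadcast-type OSPF over GETVPN that Peter recommends here, together with the dedicated Key Server from his earlier reply, in Cisco IOS syntax. Device roles, names, the 192.0.2.0/24 provider WAN subnet shared by all sites, 10.0.0.0/8 site LANs, group number 1234, the RSA key label and the pre-shared key are all assumed.

```ios
! Key Server: a dedicated router (e.g. CSR1000v at HQ), not also a member
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
! Policy pushed to every member: encrypt site-to-site data, but leave
! OSPF and GDOI registration in the clear so routing never depends on
! key distribution being up (common practice, assumed here)
ip access-list extended GETVPN-POLICY
 deny ospf any any
 deny udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! GETVPN-REKEY is an RSA key pair generated beforehand with
! "crypto key generate rsa label GETVPN-REKEY modulus 2048"
crypto gdoi group GETVPN-GRP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-POLICY
  address ipv4 192.0.2.100
!
! Group member (HQ shown; remote sites are identical apart from
! addresses and a lower OSPF priority). ISAKMP policy as on the KS.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.100
crypto gdoi group GETVPN-GRP
 identity number 1234
 server address ipv4 192.0.2.100
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GRP
!
! All sites sit on one Layer 2 segment, so OSPF uses broadcast and a
! single area; priority 255 makes the HQ the stable DR
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip ospf network broadcast
 ip ospf priority 255
 crypto map GETVPN-MAP
!
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.255.255 area 0
```

Pre-shared keys with a wildcard peer are shown for brevity; certificate authentication scales better across 100 sites, and the ISAKMP/GDOI parameters still need the Cisco-to-Juniper interoperability test Peter asks for before relying on them.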