Design Recommendation

a.hajhamad
Level 4

Hello,

I'm planning to connect my sites (around 100 sites) to the HQ site. The provider will connect them using Layer 2 connectivity ("wireless"), and I will secure the traffic by using site-to-site VPN (the 100 sites will connect to the HQ router).

I will use OSPF, so I need your advice on which OSPF design to use; keep in mind also whether we can achieve full mesh connectivity.

All the 100 sites' WAN IP addresses will be within the same network ID.

Thanks in advance


8 Replies

Peter Paluch
Cisco Employee

Hello,

Can you please answer a few more questions? We need to understand your situation better.

  1. You have mentioned full mesh connectivity but I am not sure whether you already have it, or whether you want to achieve it. Does the Layer2 technology of your provider allow for any-to-any connectivity, or is it just a hub-and-spoke with your HQ being the hub and sites being the spokes?
  2. What exact kind of VPN do you intend to use? Are you considering DMVPN + IPsec, or GETVPN, or some other solution?
  3. How many IP prefixes do you expect to be advertised from each site?
  4. Do you want to allow direct site-to-site communication, or is it more suitable for your needs to have a logical hub-and-spoke topology in the VPN?
  5. What is the probability of adding new sites in the near future?

Looking forward to reading your response!

Best regards,
Peter

Thank you.

1. It still does not exist; I wish to achieve it. The provider will give us Layer 2 connectivity and they will allow any-to-any connectivity. More than 95% of the traffic will be from each remote site to the HQ, since all our applications are located in the data center, which is within the HQ.

2. IPsec.

3. I think two: the LAN and the loopback.

4. As I told you, more than 95% of the traffic will be hub-and-spoke, but if site-to-site is allowed it will be preferred.

5. Now there are around 30 remote sites, but maybe in the future (within 2-3 years) there will be 100 at most.

Thanks again


Hello,

Thank you for your answers.

I believe that the first design choice you have to do is the kind of VPN you are going to deploy. You indicated that you intend to use IPsec. However, a vanilla IPsec deployment has numerous drawbacks:

  • It can carry IP traffic only. Vanilla IPsec is unable to protect other protocols.
  • It does not support multicast so running OSPF over vanilla IPsec tunnels is out of question unless you resort to static OSPF neighbor configuration.
  • On Cisco devices, vanilla IPsec tunnels are configured either as a crypto map (in which case they are not even represented by routable Tunnel interfaces) or as a Tunnel interface with "tunnel protection ipsec ipv4" command. However, in both these cases, these tunnels are of point-to-point nature and have to be configured manually. With 100 sites and a requirement for a full mesh connectivity, you would need to manually configure 99 tunnels or crypto map entries on each of your 100 sites, requiring 100*99/2 = 4950 IP subnets. Clearly, this design is not scalable.

Therefore, I believe that resorting to vanilla IPsec tunnels is not the way to go.

One of the most straightforward solutions is the Dynamic Multipoint VPN, or DMVPN. DMVPN is a technology that combines multipoint GRE tunnels with IPsec protection, essentially solving all the drawbacks mentioned above: Because of GRE encapsulation, any traffic can be encapsulated, including multicast traffic, and the multipoint GRE provides a notion of a single subnet interconnecting all sites together, so instead of 4950 IP subnets for all site-to-site tunnels, just one IP subnet is required. It also provides site-to-site communication if so desired. Once again, all communication over DMVPN can be encrypted by IPsec whose configuration is greatly simplified, as the IPsec tunnel endpoint is inherited from the GRE tunnel endpoint, and that endpoint is discovered dynamically. Essentially, the entire DMVPN configuration on a single router consists of a common ISAKMP policy, a common IPsec transform set, a common IPsec crypto profile referring to the transform set, and a single multipoint GRE tunnel that refers to the IPsec crypto profile for traffic protection. An additional protocol running in DMVPN is the Next Hop Resolution Protocol, or NHRP, that maps the internal tunnel addresses to the addresses used as "tunnel source", thereby allowing a dynamic discovery of tunnel endpoints.

There are also other possible solutions such as GETVPN that would work in your situation, but in my opinion, the DMVPN is well known, frequently deployed and well supported, and the knowledge base is large, so using DMVPN would be a safe bet.

I am not going to discuss the implications of running OSPF over DMVPN for now as it is up to you first to do some studying on DMVPN (and perhaps GETVPN to just have an overview) to see if it is truly suitable for your needs. Running DMVPN will obviously require that all your sites run Cisco routers as the edge routers (DMVPN is not supported on ASA firewalls to my best knowledge, as they do not support GRE).

I recommend studying these presentations (accessing them will require registration):

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=83687&backBtn=true

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=4387&backBtn=true

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78457&backBtn=true

Best regards,
Peter

Thank you very much.

I know about DMVPN and I have already worked with it, and it is a very good choice for my topology. But I have a problem that some sites have Cisco routers and the others have Juniper SRX210.

The HQ router is Cisco also.

I see Juniper does not support DMVPN; instead they support GETVPN:

http://forums.juniper.net/t5/SRX-Services-Gateway/DMVPN-supported-in-SRX-JunOS/td-p/203891

What do you say?

Thanks

Hello,

The GETVPN could indeed be a solution in your network thanks to the fact that the interconnection of all your sites is a Layer2 technology and as a result, there is direct visibility between all sites and their internal networks.

Unfortunately, I cannot comment on the true compatibility of GETVPN implementation between Cisco and Juniper as I do not have access to Juniper equipment to test this. Reality has proven so often that even though multiple vendors claim to have implemented the same technology, their implementations may have differences making the interoperation problematic. Will it be possible to do the interoperability test using your equipment?

There is one issue to consider: At least in Cisco's implementation of GETVPN, the Key Server router cannot also be a Group Member. This will require having a separate, dedicated router put into the role of the Key Server, preferably at the HQ location. I believe that the Key Server could be also implemented using a virtual router, such as CSR1000v.

Best regards,
Peter
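
Added example, not from Peter's post or from Cisco's documentation, of the Cisco IOS side of the GETVPN deployment discussed above: a dedicated Key Server at HQ (which, as the post says, cannot also be a Group Member) and the Group Member configuration that every site edge router, the HQ router included, would carry. The Juniper SRX side is not shown. The group identity 1234, the 203.0.113.0/24 shared WAN segment, the Key Server address 203.0.113.10, the 10.0.0.0/8 LAN ranges, the key-pair label and the pre-shared key placeholder are assumptions.

```cisco
! ===== Key Server: dedicated router at HQ, Group Members register with it =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0
!
! GETVPN keeps the original IP header (tunnel mode with header preservation),
! so OSPF multicast and site-to-site traffic work without any tunnels
crypto ipsec transform-set GET-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GET-PROF
 set transform-set GET-TS
!
! Traffic the whole group encrypts (constructed ranges): all LAN-to-LAN traffic.
! GDOI registration (UDP 848) and OSPF are excluded so routing and rekeying
! keep working even when a member has not yet registered.
ip access-list extended GET-ENCRYPT
 deny   udp any eq 848 any eq 848
 deny   ospf any any
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Rekey messages are signed with an RSA key pair generated beforehand with:
!   crypto key generate rsa label GET-REKEY modulus 2048
crypto gdoi group GET-GRP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GET-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GET-PROF
   match address ipv4 GET-ENCRYPT
   replay counter window-size 64
  address ipv4 203.0.113.10
!
! ===== Group Member: every site edge router, HQ edge router included =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The member only needs to authenticate the Key Server, not the other sites
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
!
crypto gdoi group GET-GRP
 identity number 1234
 server address ipv4 203.0.113.10
!
crypto map GET-MAP 10 gdoi
 set group GET-GRP
!
interface GigabitEthernet0/0
 description WAN toward the provider Layer 2 cloud (all sites share this subnet)
 ip address 203.0.113.21 255.255.255.0
 crypto map GET-MAP
```

Because the Key Server pushes the policy and the group keys to every member, the ACL and the SA parameters live only on the Key Server; members learn them at registration. Nothing in the member configuration names the other sites, so adding a site means adding one member. On the Key Server, `show crypto gdoi ks members` lists who has registered; on a member, `show crypto gdoi` shows the downloaded policy and the time to the next rekey.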

Hello Peter,

Thank you very much for your answers and support.

I see we have two issues:

1. The encryption issue: encrypting data traffic between sites (remote site to remote site and HQ to remote site).

Since DMVPN is Cisco proprietary and since I have a mix of Cisco & Juniper routers at the remote sites, the available solution is to use GETVPN.

2. Configure a dynamic routing protocol, which is OSPF in my case, but we will decide later which OSPF design to use.

In case GETVPN is used, which OSPF design to use?

Thanks in advance

Accepted Solution

Hello,

Since DMVPN is Cisco proprietary and since I have a mix of Cisco & Juniper routers at the remote sites, the available solution is to use GETVPN.

I agree, provided that the GETVPN implementations on Cisco and Juniper devices are compatible.

In case GETVPN is used, which OSPF design to use?

I believe I have commented on the OSPF design already here:

https://supportforums.cisco.com/discussion/12549691/design-recommendation#comment-10633571

If you have anything else in mind when discussing the OSPF design please let me know.

Best regards,
Peter

Hello,

If the GETVPN is found to be okay with both Cisco and Juniper then, getting back to the original topic of your question, I would personally believe that you should run OSPF over this VPN using a single area design - that is, have the HQ and sites in a single area. Introducing several areas does not make sense in this network, as each site has, according to your own estimation, only a handful of routes to advertise, so there is no advantage in having several areas that would allow for route summarization and/or filtration.

As for the OSPF network type to be used in this VPN, I believe that the natural choice would be broadcast multiaccess, that is, having OSPF use multicast without defining neighbors statically, and elect DR/BDR. I do not see an advantage in any other network type: Clearly, point-to-point is unsuitable, non-broadcast would require you to define neighbors statically, and point-to-multipoint would result in the same connectivity as broadcast with much larger overhead in terms of adjacencies and link-state database density.

Best regards,
Peter
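
Added example, not from Peter's post: the Cisco IOS OSPF configuration that implements the single-area, broadcast network type design described above on the shared Layer 2 WAN segment. The HQ router is given the highest priority so that it becomes DR, and remote sites are set to priority 0 so they never become DR or BDR; that priority scheme, the 203.0.113.0/24 WAN segment, the LAN prefixes, the router IDs and the authentication key placeholder are assumptions.

```cisco
! ===== HQ edge router: single area 0, broadcast network type, always the DR =====
interface GigabitEthernet0/0
 ip address 203.0.113.21 255.255.255.0
 ip ospf network broadcast
 ip ospf priority 255
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
!
router ospf 1
 router-id 10.0.0.1
 area 0 authentication message-digest
 ! Only the shared WAN segment forms adjacencies; LAN interfaces stay passive
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 203.0.113.0 0.0.0.255 area 0
 network 10.0.0.0 0.255.255.255 area 0
!
! ===== Remote site edge router: priority 0 so a site never becomes DR/BDR =====
interface GigabitEthernet0/0
 ip address 203.0.113.31 255.255.255.0
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
!
router ospf 1
 router-id 10.1.0.1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 203.0.113.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.255.255 area 0
```

With 100 routers on one broadcast segment, each site maintains a full adjacency only with the DR and BDR rather than with 99 neighbors, which is the adjacency and link-state database saving the post refers to. With only the HQ router carrying a non-zero priority there is no BDR; a second HQ router with a lower non-zero priority would provide one. The area-wide message-digest authentication is a defensive addition and must be matched on the Juniper sites; `show ip ospf neighbor` on the HQ router should list every site in the FULL state.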
