
DMVPN/IKEv2/IPSec/BGP on ISR4451 or ASR1001-X

Hi,

I am keen to find out how many concurrent tunnel sessions and how much throughput can be achieved for a DMVPN/IKEv2/IPsec with BGP solution on the following platforms. I am currently working on a design to deploy approximately 3000 remote sites (spokes) with 2 hubs (in HA) and would like to find out if DMVPN/IKEv2/IPsec/BGP provides a more scalable and efficient solution than FlexVPN or traditional IPsec. Also, could you advise on the constraint on CPU utilisation for both platforms, and at what number of tunnels? Please correct me if I'm wrong, but I understand that each next-hop server (NHS) can only allow up to 375 tunnels. So does this imply creating 8 tunnels with different NHSs to accommodate the 3000 sites? I believe if this is so, throughput will degrade as the number of tunnels increases, and if not, can you recommend a better approach please?

  • ISR4451 (with Performance License)
  • ASR1001-X (with 2.5G base license)

The summary is that I am sizing up a router (as an aggregator) that can scale up to 3000 sites with DMVPN/IKEv2/IPsec or any other IPsec/IKEv2 solution with minimum impact on resource utilisation and throughput.

Thanks.

Accepted Solution

I can't say I've heard of a specific per-peer NHS limit, but perhaps someone else can comment.

Sure you can start with a 4451 (get the HSEC license when ordering) and replace hardware later if needed.

FlexVPN is considered DMVPN Phase 4, but relies on IKEv2. You can use other goodies like Suite-B crypto (consider AES GCM). There are a few spoke-to-hub redundancy options, but you'll need to decide if you want A/A or A/S.

Here's an example of a spoke (client) configuration where it dynamically chooses the source interface to get back to the hub.

crypto ikev2 client flexvpn CRYPTO-IKEV2-CLIENT-HUB1
  peer 1 192.0.2.1
  source 1 GigabitEthernet1 track 100
  source 2 Cellular0 track 101
  client connect Tunnel1

In your case I would think each spoke could be configured with (2) static VTIs, one going to each hub.  You could also do IKEv2 clustering and redirection.  Too many options to consider without knowing more. If you don't need IWAN, I would use FlexVPN.

Take a look here to get you started:
http://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

In the future should you want spoke-to-spoke traffic:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html#GUID-42323D5A-D841-48AD-A6DC-2A432EA788A5

This doc may help to compare configurations between DMVPN and FlexVPN:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116678-configure-product-00.html

Note on the HSEC license: Without the HSECK9 license, only 225 secure tunnels and 85 Mbps of crypto bandwidth would be available.
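As an added example (not a configuration from this thread or from Cisco), here is a spoke built the way the accepted answer and thiland's reply describe: two static VTIs, one to each hub, with routes exchanged through IKEv2 authorization instead of a routing protocol, using an AES-GCM proposal. The hub addresses, the spoke LAN prefix, the interface names and all object names are assumptions; `<PSK>` is a placeholder.

```cisco
! Added example (not the poster's config): one spoke, two static VTIs
! (one per hub), routes exchanged via IKEv2 authorization instead of a
! routing protocol. Constructed values: hubs 192.0.2.1 and 192.0.2.2,
! spoke LAN 10.10.1.0/24; <PSK> is a placeholder.
aaa new-model
aaa authorization network FLEX-AAA local
!
crypto ikev2 proposal PROP-GCM
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy POL-FLEX
 proposal PROP-GCM
!
crypto ikev2 keyring KR-HUBS
 peer HUBS
  address 192.0.2.0 255.255.255.0
  pre-shared-key <PSK>
!
ip access-list standard FLEX-LAN
 permit 10.10.1.0 0.0.0.255
crypto ikev2 authorization policy FLEX-SPOKE-AUTHZ
 route set interface
 route set access-list FLEX-LAN
 route accept any
!
crypto ikev2 profile IKEV2-HUBS
 match identity remote address 192.0.2.0 255.255.255.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-HUBS
 aaa authorization group psk list FLEX-AAA FLEX-SPOKE-AUTHZ
!
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
crypto ipsec profile IPSEC-FLEX
 set transform-set TS-GCM
 set ikev2-profile IKEV2-HUBS
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile IPSEC-FLEX
interface Tunnel2
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile IPSEC-FLEX
```

The spoke advertises its tunnel address and the FLEX-LAN prefix to each hub through the IKEv2 authorization exchange and accepts the hub's routes, so no EIGRP/BGP adjacency is needed on 3000 tunnels.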

4 Replies

thiland (Level 3)

This doesn't answer all of your questions, but I'll offer a few considerations:

  • You don't mention needing spoke-to-spoke, but using IKEv2 routing with FlexVPN Client/Server is going to scale much higher than DMVPN with EIGRP/BGP.
  • With 3000+ tunnels, I would start with the ASR1001-X or RP2/ESP20. If you must use 4Ks and DMVPN, then 2 HA pairs at the headend are likely required.
  • If possible, offload any NAT, ACL, firewall config to a separate device at the headend

Thanks Thiland for your reply.

I really don't know much about FlexVPN but if I may ask, with IKEv2 routing/FlexVPN, I believe I will not be needing any dynamic routing, rather using the IKEv2 authorisation to inject/accept routes.

If I am to start with about 1000 tunnels, can I still use the 4451 then upgrade when required perhaps in few years time?

Also, I will be running 2 Hubs (in HA). So if I load share traffic across both, will DMVPN scale well? My main concern about DMVPN is that I read somewhere that the next hop server can only allow a few hundred tunnels. I was wondering if I need to create about 8 tunnels with different NHS to handle the total sites I need either now or in few years.

I would like to say, Spoke-to-Spoke connectivity will not be allowed, hence I believe I can apply an ACL at the headend to filter spoke-to-spoke in a phase 2 DMVPN setup. However, if DMVPN doesn't scale well, I need to consider alternative solution.

Thanks. 

Hi thiland

I have tested FlexVPN and it worked as expected. I am also using IKEv2 routing, which is more or less static routing and has the advantage of reducing the traffic overheads associated with dynamic protocols. I believe this would improve utilisation and performance on the spokes and most especially on the hubs.

Thanks again for your help and suggestions. Much appreciated.
