09-28-2016 03:55 PM - edited 03-05-2019 07:09 AM
Hi,
I am keen to find out how many concurrent tunnel sessions and how much throughput can be achieved for a DMVPN/IKEv2/IPsec with BGP solution on the following platforms. I am currently working on a design to deploy approximately 3000 remote sites (Spokes) with 2 Hubs (in HA) and would like to find out if DMVPN/IKEv2/IPsec/BGP provides a more scalable and efficient solution than FlexVPN or traditional IPsec. Also, could you advise on the constraint on CPU utilisation for both platforms, and at what number of tunnels? Please correct me if I'm wrong, but I understand that each next-hop server (NHS) can only allow up to 375 tunnels. So does this imply creating 8 tunnels with different NHSs to accommodate the 3000 sites? I believe if this is so, throughput will degrade as the number of tunnels increases, and if not, can you recommend a better approach please?
The summary is that I am sizing up a router (as an aggregator) that can scale up to 3000 sites with DMVPN/IKEv2/IPsec or any other IPsec/IKEv2 solution with minimum impact on resource utilisation and throughput.
Thanks.
10-10-2016 02:48 PM
I can't say I've heard of a specific per-peer NHS limit, but perhaps someone else can comment.
Sure, you can start with a 4451 (get the HSEC license when ordering) and replace hardware later if needed.
FlexVPN is considered DMVPN Phase 4, but relies on IKEv2. You can use other goodies like Suite-B crypto (consider AES-GCM). There are a few spoke-to-hub redundancy options, but you'll need to decide if you want A/A or A/S.
Here's an example of a spoke (client) configuration where it dynamically chooses the source interface to get back to the hub.
crypto ikev2 client flexvpn CRYPTO-IKEV2-CLIENT-HUB1
 ! primary hub; GigabitEthernet1 is preferred while object-track 100 is up
 peer 1 192.0.2.1
 source 1 GigabitEthernet1 track 100
 ! cellular backup source, used when track 100 goes down and track 101 is up
 source 2 Cellular0 track 101
 ! bring up Tunnel1 automatically once a usable source is selected
 client connect Tunnel1
In your case I would think each spoke could be configured with (2) static VTIs, one going to each hub. You could also do IKEv2 clustering and redirection. Too many options to consider without knowing more. If you don't need IWAN, I would use FlexVPN.
Take a look here to get you started:
http://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
In the future should you want spoke-to-spoke traffic:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html#GUID-42323D5A-D841-48AD-A6DC-2A432EA788A5
This doc may help to compare configurations between DMVPN and FlexVPN:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116678-configure-product-00.html
Note on the HSEC license: Without the HSECK9 license, only 225 secure tunnels and 85 Mbps of crypto bandwidth would be available.
09-30-2016 08:46 AM
This doesn't answer all of your questions, but I'll offer a few considerations:
09-30-2016 01:52 PM
Thanks Thiland for your reply.
I really don't know much about FlexVPN, but if I may ask, with IKEv2 routing/FlexVPN, I believe I will not need any dynamic routing, using instead the IKEv2 authorisation to inject/accept routes.
If I am to start with about 1000 tunnels, can I still use the 4451 and then upgrade when required, perhaps in a few years' time?
Also, I will be running 2 Hubs (in HA). So if I load share traffic across both, will DMVPN scale well? My main concern about DMVPN is that I read somewhere that the next hop server can only allow a few hundred tunnels. I was wondering if I need to create about 8 tunnels with different NHSs to handle the total number of sites I need, either now or in a few years.
I would like to say, Spoke-to-Spoke connectivity will not be allowed, hence I believe I can apply an ACL at the headend to filter spoke-to-spoke in a phase 2 DMVPN setup. However, if DMVPN doesn't scale well, I need to consider alternative solution.
Thanks.
10-18-2016 01:40 AM
Hi thiland,
I have tested FlexVPN and it worked as expected. Also, I am using IKEv2 routing, which is more or less static routing, and this has the advantage of reducing the traffic overhead associated with dynamic protocols. I believe this would improve utilisation performance on the spokes and most especially the hubs.
Thanks again for your help and suggestions. Much appreciated.
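As an added illustration of the design discussed in the accepted answer (two static VTIs per spoke, one to each hub, with IKEv2 authorization injecting routes) and of the IKEv2 routing the original poster reports testing in the last post, here is a complete hub/spoke FlexVPN configuration. This is example configuration written for this page, not the poster's or Cisco's own configuration. All addresses except the hub address 192.0.2.1 from the thread, and all names (FLEX-*, example.net, the PSK strings, the interface names), are assumptions chosen for the example; replace them with your own.

```cisco
! ================= HUB1 (HUB2 is identical apart from its own addresses) =================
crypto ikev2 proposal FLEX-PROP
 encryption aes-gcm-256
 ! AEAD ciphers carry no separate integrity algorithm, so a PRF must be set explicitly
 prf sha384
 group 19
!
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
! Example uses a wildcard PSK so that one keyring serves all 3000 spokes.
! Caveat: every spoke then holds the same secret; see the note below.
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key local Hub-PSK-Example
  pre-shared-key remote Spoke-PSK-Example
!
! IKEv2 routing: what the hub pushes to each spoke inside the IKEv2 exchange
crypto ikev2 authorization policy FLEX-AUTHZ-SPOKES
 route set interface
 route set access-list FLEX-HUB-ROUTES
!
ip access-list standard FLEX-HUB-ROUTES
 permit 10.0.0.0 0.255.255.255
!
aaa new-model
aaa authorization network FLEX-AAA local
!
crypto ikev2 profile FLEX-PROF
 match identity remote fqdn domain example.net
 identity local fqdn hub1.example.net
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ-SPOKES
 virtual-template 1
!
crypto ipsec transform-set FLEX-TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Hub-and-spoke only: spoke LANs are assumed to live in 10.1.0.0/16, so
! spoke-to-spoke traffic that hairpins through the hub is dropped here
ip access-list extended DENY-SPOKE-TO-SPOKE
 deny   ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip any any
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group DENY-SPOKE-TO-SPOKE in
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ================= SPOKE (same proposal, policy, transform-set and ipsec profile as hub) =================
crypto ikev2 keyring FLEX-KEYS
 peer HUBS
  address 0.0.0.0 0.0.0.0
  pre-shared-key local Spoke-PSK-Example
  pre-shared-key remote Hub-PSK-Example
!
! IKEv2 routing: this spoke announces only its own LAN and tunnel address
crypto ikev2 authorization policy FLEX-AUTHZ-HUBS
 route set interface
 route set access-list FLEX-SPOKE-ROUTES
!
ip access-list standard FLEX-SPOKE-ROUTES
 permit 10.1.7.0 0.0.0.255
!
crypto ikev2 profile FLEX-PROF
 match identity remote fqdn domain example.net
 identity local fqdn spoke0007.example.net
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ-HUBS
!
interface Loopback0
 ip address 10.255.1.7 255.255.255.255
!
! Static VTI to HUB1
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet1
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! Static VTI to HUB2 (192.0.2.2 is an assumed address for the second hub)
interface Tunnel2
 ip unnumbered Loopback0
 tunnel source GigabitEthernet1
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

With both tunnels up, each hub installs a static route to 10.1.7.0/24 via its virtual-access interface for that spoke, and the spoke installs the hub routes from FLEX-HUB-ROUTES via Tunnel1 and Tunnel2 with equal cost, which gives the active/active behaviour the answer mentions; `show crypto ikev2 sa` and `show ip route static` confirm the exchange. For active/standby, give the spoke one IKEv2 profile per hub (matching `hub1.example.net` and `hub2.example.net` respectively) and add `route accept any distance 20` to the HUB2 authorization policy so the HUB1 routes win. Two practitioner caveats: a single wildcard PSK means one compromised spoke can impersonate the hub or any other spoke, so at 3000 sites use certificates (or at least per-spoke keys matched on identity) rather than the shared PSK shown; and the hub ACL only matters if spoke-to-spoke traffic is meant to be blocked, as stated in the thread, since FlexVPN without the NHRP shortcut configuration already sends all spoke traffic through the hub.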