DMVPN on 6509\SUP32 MSFC

asadnaqui
Level 1

Hi,

I am trying to use our 6509 chassis with a Sup32 Supervisor as a DMVPN hub.

The MSFC card has 2 Vlans configured (for simplicity) - One public facing (tunnel endpoint) and one internal.

I can initiate the Tunnel and it comes up fine. I can ping the remote router from the MSFC with the internal vlan as a source address and get a reply.

However, if I try and ping the remote router from a PC on the internal LAN, there is no reply.

I am seeing these errors on the remote router:-

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /E.E.E.E, src_addr= e.e.e.e, prot= 47...

E = external address of remote router

e = external address on MSFC

From my reading, I think this is all down to intervlan routing being carried out by the MSFC\6509.

Has anybody had this issue and resolved it?

Any tips on how I can get this setup to work?

Thanks

Asad
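One way to triage the message quoted above, as an added example that is not part of the original post or of any Cisco tooling: the spoke is logging that a GRE packet (prot 47) from the MSFC's public address arrived without IPsec, which is consistent with the thread's reading that the LAN-sourced traffic is reaching the tunnel unencrypted. The script below parses that line format, groups clear-text arrivals by source, destination and protocol, and reports which configured DMVPN peers are sending bare GRE. The log lines and addresses are constructed (RFC 5737 documentation ranges), and allowing a non-empty VRF name before the slash is an assumption about the message format, not something shown in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Matches the %CRYPTO-4-RECVD_PKT_NOT_IPSEC line quoted in the post. The thread
# shows an empty VRF name before the slash and a trailing "..."; allowing a
# non-empty VRF there is an assumption, not something taken from the thread.
NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet\.\s*"
    r"\((?P<l3>\w+)\)\s*vrf/dest_addr=\s*(?P<vrf>[^/\s]*)/(?P<dst>[^,\s]+),\s*"
    r"src_addr=\s*(?P<src>[^,\s]+),\s*prot=\s*(?P<prot>\d+)"
)

GRE = 47  # IP protocol number of the GRE carrier that mGRE/DMVPN tunnels use


@dataclass(frozen=True)
class ClearTextPacket:
    vrf: str
    dst: str
    src: str
    prot: int


def parse_not_ipsec(line: str) -> Optional[ClearTextPacket]:
    """Return the fields of a RECVD_PKT_NOT_IPSEC message, or None for other lines."""
    m = NOT_IPSEC_RE.search(line)
    if m is None:
        return None
    return ClearTextPacket(
        vrf=m.group("vrf") or "global",
        dst=m.group("dst"),
        src=m.group("src"),
        prot=int(m.group("prot")),
    )


def count_clear_text(lines: Iterable[str]) -> Dict[Tuple[str, str, int], int]:
    """Group clear-text arrivals by (src, dst, prot) so a single misbehaving
    peer stands out from background noise."""
    counts: Dict[Tuple[str, str, int], int] = {}
    for line in lines:
        pkt = parse_not_ipsec(line)
        if pkt is None:
            continue
        key = (pkt.src, pkt.dst, pkt.prot)
        counts[key] = counts.get(key, 0) + 1
    return counts


def unencrypted_gre_peers(counts, known_peers) -> List[str]:
    """Peers from the DMVPN peer list that are sending bare GRE: exactly the
    symptom in the post, where traffic took the tunnel but skipped the
    crypto path. Unknown sources are left for separate triage."""
    return sorted(
        {src for (src, _dst, prot), _n in counts.items()
         if prot == GRE and src in known_peers}
    )


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
# 198.51.100.7 plays the hub's public address, 192.0.2.10 the spoke's.
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
    "(ip) vrf/dest_addr= /192.0.2.10, src_addr= 198.51.100.7, prot= 47...",
    "*Mar  1 00:12:35.001: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:12:36.120: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
    "(ip) vrf/dest_addr= /192.0.2.10, src_addr= 198.51.100.7, prot= 47...",
    "*Mar  1 00:12:40.900: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
    "(ip) vrf/dest_addr= /192.0.2.10, src_addr= 203.0.113.44, prot= 47...",
]
KNOWN_PEERS = {"198.51.100.7"}  # hub public address as the spoke sees it (constructed)


if __name__ == "__main__":
    c = count_clear_text(SAMPLE_LOG)
    for (src, dst, prot), n in sorted(c.items()):
        print(f"{src} -> {dst} proto {prot}: {n} clear-text packet(s)")
    print("DMVPN peers sending unencrypted GRE:", unencrypted_gre_peers(c, KNOWN_PEERS))
```

Feeding the spoke's syslog through this separates the two cases that matter when debugging the post's setup: a known hub sending unencrypted GRE points at the hub's crypto or routing configuration (the LAN-sourced flows bypassing the protected tunnel), while bare GRE from an address that is not a peer is a different problem and should not be mistaken for the DMVPN fault.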

23 Replies

paolo bevilacqua
Hall of Fame

Seems like a major configuration problem, review DMVPN documentation and correct your configuration accordingly.

I am happy that the DMVPN side is fine.

The hub config is same as my existing hub. I can see routes being advertised over the tunnel. And I can ping both ends of the tunnel over the routers.

The 6509 is currently running hybrid OS.

Do I need to look into using VRF?

How are you doing encryption on the catalyst ?

If not using a service module, you would be better using a regular ISR for dmvpn.

The Supervisor 32 module is doing the encryption (on the MSFC).

We currently are using a 3745 as the DMVPN hub, with around 10 spokes. However, the CPU usage is maxing out, causing some drops. The plan was to use the Sup32 (and greater processing power) as the hub and replace the 3745 altogether.

The other alternative is to purchase a 3845, but this will cost in the region of £7000

I think you will find that MSFC has less processing power than the 3745, and I wasn't even aware that it supported software encryption. In fact, the remote router is complaining that it is not encrypting anything.

Any ISR router has onboard crypto HW and most likely you will not need a 3845. I've had excellent results with just 1841s as hub device.

The MSFC is running advipservices which does support DMVPNs. The tunnel is up, with crypto sessions active, so it is encrypting. As I said, I can ping over the tunnel. What's not being encrypted is traffic from different VLANs, hence my question regarding VRF etc.

As you weren't even aware that it supported software encryption, can you show me where it says that a Sup32 has LESS processing power than a 3745?

You state an 1841 would be fine, but if a 3745 is struggling, how would an 1841 cope any better? In any case, an 1841 would not suit us as we require at least 6 interfaces on the router.

Because it has hardware crypto acceleration on-board by default, that's the point you are missing.

Neither 3745 nor MSFC has that, making them poor choices for IPsec.

Being unable to get 6 interfaces on an 1841 means it's not an option. In addition to this, I cannot find a rating of its performance. This router needs to be able to route to our MPLS cloud (34M) and the internet (20M) so needs to be able to handle high throughput (the 1841 is geared for branch offices).

The 3745 is currently at the edge of its power with our 10 spokes. The newer 3845 with its faster processor etc. should be able to handle the tunnels with ease.

All I am trying to do is see if I can use our existing equipment to act as the hub.

The tunnel is up so I know it can do DMVPN. I just need to work out a way to route other VLANs through the tunnel, rather than it switching.

I did not imply that you have to get an 1841, I was just making an example. However, from marketing material it can handle up to 45 Mbps of encrypted traffic, meeting or exceeding your requirements.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ps8768_Products_Brochure.html

You can also see that the only rating for 6500 switches is when equipped with optional VPN modules. I've never heard of anyone running IPSEC on the MSFC in a production environment.

If your objective is reusing existing hardware that is all good with me, but do not expect to get good results also.

The plan is to try and get this working and see what results we get.

If indeed I cannot get the throughput required, or the 6509 too maxes out on the CPU, then the next step would be to get a 3845 with a VPN module etc.

Again, you do not need a VPN module with ISR routers. The onboard one is perfectly adequate for most uses.

Joseph W. Doherty
Hall of Fame

From reading the posts . . .

If your 3745 doesn't have a crypto module, have you considered obtaining one? (e.g. AIM-VPN/HP II)

The crypto module costs in the region of £2500. The 3745 is 7 years old so buying a module for it seems a bit unnecessary.

If I can't get this to work through the 6509, I will just get the 3845.

Actually, looking on the leading auction site, this module can be bought for $50. Of course it is not worth buying new.

There are also reputable refurbished hardware dealers, very helpful to those looking at budget first.

Joseph's suggestion is indeed a very valid one.
