FlexVPN Deployment Casestudy

nayanpanchal
Level 1

Dear Experts,

We are working with a customer (Critical Financial Organization) in Middle East region. Currently they have DMVPN (Hub and Spoke model) with around 50 branches. Hub location router is Cisco 7600. Due to hardware limitation of the platform, we cannot enable per-tunnel QoS with DMVPN on current infrastructure.

Now, we are considering enhancement of the existing architecture. We are planning to replace Cisco 7600 series routers with ASR 1000 series router. We're fine with the backplane capacity difference. We want to migrate from DMVPN to FlexVPN as well. We're looking for certain information which will help us to convince customer to go ahead with FlexVPN. Any help (information/pointers) from your side on following points would be very helpful.

1. Questions to be asked to Service Provider to ensure they support FlexVPN.  We have L3 VPN MPLS services as a transport medium.

2. FlexVPN Deployment Case study in real world.

3. Soft migration approach from DMVPN to FlexVPN.

I've searched the Cisco site and googled extensively to find a FlexVPN deployment in the real world. Too bad, I didn't find any. I've mailed a few Cisco experts, but haven't received any response from them either.

I would be very grateful if somebody can provide me any information about this.

Thanks in advance.

Regards,

nayan

3 Replies

Jose Jara
Level 3

Hello,

unfortunately, I have no experience with FlexVPN. However, I am in a similar position as you, trying to get more information about FlexVPN as I am considering an alternative for one of our customers to replace DMVPN. I think that one good resource is one of the CiscoLive sessions of Frederic Detienne, Cisco lead engineer of FlexVPN:

https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=6051&backBtn=true

Best Regards,

Jose.

Hi Jose,

I came to this debate just by accident while studying some L2TPv3 stuff, and what you highlighted in your comments instantly became one of my top 5 networking resources ever!! I can't believe how I could have missed this in the past (but could live without it), but now I'm going to dig through it pretty thoroughly. The content there, and the live video shows, are simply fantastic, like being there. I think everyone must appreciate this stuff, as possibly no one can attend these events every year to catch a bit of the masses of new features rolling out every year. THANK YOU!

I wish you a peaceful next 11 months of 2014 and all the other years to come!

Best regards

Peter Gasparovic

Graham Bartlett
Cisco Employee

Hello Nayan

I've assisted a number of customers in migrating from DMVPN to Flex. Flex uses IKEv2 which uses the same ports (UDP/500,4500) as IKEv1.

One customer that I worked with had a mix of ISR G1s and G2s. We looked at either.

1. Running Flex alongside DMVPN on the hub (if you have 7600 as your hub this will not be possible).

2. Running a new Flex server, running the solution in parallel with the current DMVPN solution. This is the option that we went with. A number of spokes were spun up and it was tested that these worked correctly, rekeying and creating dynamic spoke-to-spoke (Flex mesh) traffic.

The spoke sites were then migrated from DMVPN to Flex. From memory, most of the spokes were ISR G2 and supported Flex, so the tunnel could be brought up and the control plane (IKEv2) tested without running production traffic over the tunnel. We used mode-config to push routes rather than a routing protocol with a lower administrative distance. When we were happy that everything was working correctly, we would bring down the DMVPN tunnel on the spoke; the Flex route pushed using mode-config (with a lower administrative distance) would then come into effect and traffic would route via the Flex tunnel. This happened in a staged migration on a spoke-by-spoke basis.

Hopefully that gives you an idea of some options. Because Flex can use mode-config, it is not mandatory to run a routing protocol over the tunnel. We looked at a staged approach and also a "big-bang" switch-over.

One of the big benefits that I see customers liking about Flex is the Next Generation Encryption support and the security built into IKEv2, such as the anti-DDoS cookie challenge.

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

Flex is very powerful, so you can perform some very granular configurations, the matching of IKEv2 identities is another big benefit.

I hope that this has gone some way to answering your questions, but without knowing a lot of details about your setup it's hard to give an exact method to achieve a migration. Jose's suggestion about Fred's presentation is the best material you will find. You might also want to listen to the TAC Security show on FlexVPN (all the other shows are also excellent).

https://supportforums.cisco.com/docs/DOC-26834

I would advise contacting Cisco Advanced Services if you are not comfortable with performing the migration.

cheers
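The parallel-server migration Graham describes, written out as IOS configuration for one hub and one spoke. This is an added example, not the configuration from Graham's customer or from Cisco's documentation. Everything specific in it is assumed for illustration: the hostnames and domain, the hub address 203.0.113.1, the 10.x prefixes, the pre-shared keys (certificates are the better choice for 50 branches), the policy and ACL names, the cookie-challenge threshold, that the existing DMVPN runs EIGRP (administrative distance 90), and the choice of distance 200 for the routes the hub pushes through the IKEv2 config exchange.

```cisco
! ---------------- Hub: FlexVPN server on the new ASR 1000 ----------------
! IKEv2 proposal with a Next Generation Encryption suite (AES-GCM, SHA-512 PRF, ECDH P-256)
crypto ikev2 proposal FLEX-PROPOSAL
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy FLEX-POLICY
 proposal FLEX-PROPOSAL
!
! IKEv2 cookie challenge (threshold assumed): once more than 30 half-open IKE SAs
! exist, new initiators must echo a stateless cookie before the hub allocates state
crypto ikev2 cookie-challenge 30
!
aaa new-model
aaa authorization network FLEX-AAA local
!
! Assumed PSKs; spokes are matched by the domain part of their FQDN identity
crypto ikev2 keyring FLEX-KEYS
 peer BRANCHES
  address 0.0.0.0 0.0.0.0
  identity fqdn domain branch.example.net
  pre-shared-key local HubSharedSecret
  pre-shared-key remote SpokeSharedSecret
!
! Hub-side prefixes pushed to every spoke through the IKEv2 config exchange ("mode-config")
ip access-list standard FLEX-HUB-PREFIXES
 permit 10.0.0.0 0.255.255.255
ip local pool FLEX-POOL 172.16.255.1 172.16.255.254
crypto ikev2 authorization policy FLEX-AUTHOR
 pool FLEX-POOL
 route set interface
 route set access-list FLEX-HUB-PREFIXES
 route accept any tag 100
!
crypto ikev2 profile FLEX-PROFILE
 match identity remote fqdn domain branch.example.net
 identity local fqdn hub.example.net
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AAA FLEX-AUTHOR
 virtual-template 1
!
crypto ipsec transform-set FLEX-TS esp-gcm 256
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROFILE
!
interface Loopback0
 ip address 172.16.255.255 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ---------------- Spoke: ISR G2 branch router, DMVPN Tunnel0 still in production ----------------
! Same proposal, policy, AAA, transform set and IPsec profile as on the hub, then:
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 203.0.113.1
  pre-shared-key local SpokeSharedSecret
  pre-shared-key remote HubSharedSecret
!
! Branch prefixes advertised to the hub; hub prefixes accepted as static routes
! at administrative distance 200 (assumed), so the EIGRP routes (AD 90) learned
! over DMVPN keep winning while the IKEv2 control plane and rekeying are tested
ip access-list standard FLEX-BRANCH-PREFIXES
 permit 10.51.0.0 0.0.255.255
crypto ikev2 authorization policy FLEX-AUTHOR
 route set interface
 route set access-list FLEX-BRANCH-PREFIXES
 route accept any tag 100 distance 200
!
crypto ikev2 profile FLEX-PROFILE
 match identity remote fqdn hub.example.net
 identity local fqdn branch51.branch.example.net
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AAA FLEX-AUTHOR
!
interface Tunnel1
 description FlexVPN to hub, parallel to DMVPN Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! Verify before cut-over: "show crypto ikev2 sa detailed" (IKEv2 SA up, rekeys succeed)
! and "show ip route static" (hub prefixes present via Tunnel1 at distance 200).
! Cut-over for this spoke only: "interface Tunnel0" / "shutdown". The EIGRP routes are
! withdrawn and the distance-200 FlexVPN routes become the best paths.
```

The `distance 200` on `route accept any` is what makes the spoke-by-spoke staging safe: the Flex tunnel, its IKEv2 exchange and its rekeys can be watched for as long as needed with no production traffic on them, and shutting the DMVPN tunnel is the single step that moves traffic. If you would rather have traffic move the instant the Flex tunnel comes up, drop the `distance` keyword; routes installed from the IKEv2 config exchange are then ordinary static routes (distance 1) and beat any routing protocol learned over DMVPN. The `tag 100` is only there so the pushed routes can be picked out in the routing table and in any redistribution policy. Because IKEv2 uses UDP/500 and UDP/4500 exactly as IKEv1 does, the only question for the MPLS L3VPN provider in point 1 above is whether those ports and ESP are carried unmodified between the sites.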
