09-11-2012 06:21 AM - edited 03-04-2019 05:32 PM
hi,
what router would you choose to set up 1500 dmvpn tunnels (mGRE/ipsec)?
so this router will be my hub and the hub will have 1500 tunnels.
this router with this many tunnels will have to be able to provide excellent service to all spokes/tunnels.
the spokes will mainly use the tunnels for business, transferring small files and some email. I would say they may transfer 500 megabytes of data per day but that's the absolute maximum.
ideally please I would like to know why you say what you say.
thank you.
09-11-2012 11:04 PM
With such a large project, you should be talking to your local Cisco sales office, ask for "Senior Consulting Engineer".
Their job is to advise on all the aspects of the network, not just 'choosing a router'.
09-12-2012 08:30 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Paolo's suggestion might be the best because the overhead involved in managing 1500 IPSec sessions isn't well documented. Normally, we're most interested in transit bandwidth that needs to be supported, but your requirements are more unusual.
When you involve someone in this requirement, keep in mind that your performance requirements will also likely be influenced by your security options and configuration settings too.
Besides a total expected bandwidth consumption for the day, you'll want to also know your aggregate burst requirements. Additionally, with DMVPN, performance requirements could also be very much impacted by volume of remote-to-remote traffic and whether you intend to allow dynamic tunneling remote-to-remote.
Again, just some reasons why your question deserves in-depth analysis.
09-12-2012 08:48 AM
I remember a networkers-session some years ago where they were talking about scalable designs. They used a loadbalancer (7200 or 6500) to balance all incoming spoke-connections to a cluster of 7200 routers.
A big problem was that OSPF or EIGRP by far doesn't scale to >1000 spokes. They used passive RIP or ODR for that.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-12-2012 09:22 AM
karsten.iwen wrote:
I remember a networkers-session some years ago where they were talking about scalable designs. They used a loadbalancer (7200 or 6500) to balance all incoming spoke-connections to a cluster of 7200 routers.
A big problem was that OSPF or EIGRP by far doesn't scale to >1000 spokes. They used passive RIP or ODR for that.
Correct. But today (or some years ago already) the problem shifted to IPsec scalability, VPN scalability, redundancy scalability.
Cisco has tens of thousands of similar networks successfully deployed everywhere in the world. All the banks. All the post offices. All the POS networks. All the retail stores. All the lampposts one might say.
But in the end only one question remains. Who designs, implements and maintains such a network? You can't afford trial and error on these. Yes, some customers have trouble hiring real experts - and paying them accordingly.