cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13028
Views
95
Helpful
20
Replies

Ask the Expert- Dynamic Multi-point VPN on Cisco routers: Best Practices & Configuration

Cisco Moderador
Community Manager
Community Manager

This topic is a chance to discuss more about the best practices to configure, deploy and troubleshoot Dynamic Multi-point VPN (DMVPN) on Cisco Routers. The session provides insight about the base components involved in DMVPN and its different phases of deployment. It focus particularly on the basic configuration of its phases and on the best practices required when using DMVPN on Cisco routers.

Dynamic Multipoint VPN is a Cisco IOS/IOS-XE Software solution for building scalable IPsec Virtual Private Networks (VPNs). This routing technique is used to build Virtual Private Networks with multiple sites without having to statically configure all devices, DMVPN essentially creates a mesh VPN topology over the public or private WAN or Internet. Its deployments include mechanisms such as GRE tunneling and IPsec encryption with Next Hop Resolution Protocol (NHRP) routing, they are designed to reduce administrative burden and provide reliable dynamic connectivity between sites.

 

To participate in this event, please use theJoin the Discussion : Cisco Ask the Expertbutton below to ask your questions

 

Ask questions from Monday November 26th to Friday 14th of December, 2018

 

Featured expert

Leo-Davila.JPGLeonardo Peña Davila is a Network Engineer with over 15 years of experience on network design, enterprise networks, administration and support. He works as Network Engineer on Microplus Computo y Servicios in Mexico. Before he worked on Petroleos de Venezuela as Network Engineer administrating and managing a diverse amount of complex networks, from WLC, ACS, ASA to CUCM. Leonardo obtained his first Cisco CCNA certification in 2002 and he has a CCNP R&S as well, he is passionate about his profession and committed to keep up-to-date with new technology developments. He is interested on Data Center technology, particularly on Nexus switches, APIC, APIC-EM, VMware virtualization, ESX, ESXi, UCS and Network Programmability.

 

Leonardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security  community.

Find other events https://community.cisco.com/t5/custom/page/page-id/Events?categoryId=technology-support  

 

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

20 Replies 20

 

Hi  nmeadows02,

 

 I'm sharing an excellent document where you can find beside of the best practices configuring DMVPN, some of the most common problems we usually face when deploying this technology and how to approach a troubleshooting  step by step.

Please take a look at this document and do not hesitate if you have further questions.

 

Regards

Leonardo

 

MTU?

 

We have various service provider connections--some are better than others. Across the Cellular connections an MTU of 922 is often the best we can achieve, while on quality Fiber connections we can achieve the tunnel max of MTU 1476.

 

My question is related to performance: should we establish multiple DMVPN endpoints? One for the "better" connections and one for the rest?

 

 

Hi  Citynet,

 

When planning to deploy DMVP you have to follow some best practices to avoid any issues. One of the the best practices recommended on Cisco Design and impementation guide :

 

IP MTU – Set the IP maximum transmission unit (MTU) to 1400 on all DMVPN tunnel interfaces to eliminate the potential for fragmentation. GRE and IPsec headers add about 60 bytes to the packet, and cause the router to fragment larger packets if this exceeds the interface MTU, straining the CPU.

 

TCP MSS – Set the TCP maximum segment size (MSS) value to 1360 on all DMVPN tunnel interfaces. This value is calculated by subtracting 40 bytes from the IP MTU value. Use the command ip tcp adjust-mss 1360 to set the value on the mGRE tunnel interface toward the spokes. This helps TCP sessions adjust to the lower MTU and is needed if Path MTU Discovery (PMTUD) does not work between end hosts.

 

Concerning the question about performance, It always depends on what kind of traffic is the most important on your environment, what Apps you need to keep up and running, based on that information you can think about what is the best design for your network .

 

Regards

Leonardo

michael2814
Level 1
Level 1

What are the best practices for a multi-hub DMVPN phase 3 environment?

Are there any configuration considerations for the tunnels that is different than a single hub?

Also, how would you configure EIGRP on the hubs/spokes in regards to summaries & split horizon in this scenario?

Hi Michael, 

 

Take a look at the following link. you will find an excellent document about Design and implementation of DMVPN.

 

https://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/dmvpn_design_guide.pdf

 

HTH

Regards

Leonardo 

Hilda Arteaga
Cisco Employee
Cisco Employee

Dear @Leonardo Pena Davila

Thanks for sharing your knowledge and for all the great assistance you’ve provided here. We kindly appreciate it, you’re an important contributor of this community