Migrate DMVPN to mGRE

ryansharpe
Level 1

We have recently moved encryption to the Application Layer of our network; this was a business requirement for other reasons. But from the network department's point of view, we see this as an opportunity to increase the scalability and longevity of our routers.

We are currently running a DMVPN network with approximately 800 spoke nodes, the majority being c871s. We would like to migrate the DMVPN to plain old mGRE, as the encryption is no longer a requirement at the Network Layer. This, however, doesn't seem like an easy task. I am trying to investigate the different options available to me to complete this migration. For some reason I thought there was a way to make the encryption in DMVPN optional, such that I could make it optional on the hubs and then migrate the spokes; however, this is contingent on encryption being optional. If not, the only way I can see of accomplishing this is creating a new NHRP hub and migrating the spokes to this new hub one by one.

I'm all ears if someone could validate the "optional" option, or if there is a third or fourth option.

Thanks,

Ryan

4 Replies

This actually wouldn't help. The goal is to eliminate the encryption overhead. I still require the tunneling; it's just the encryption I can do without.

Thanks,

Ryan

So, you need the tunneling but not the encryption at L3.
In a DMVPN environment, IPsec normally provides the encryption while GRE provides the tunneling.

This is why you're considering plain old GRE tunnels (without encryption).


Now, the main purpose of IPsec is encryption. You can disable encryption for phase 2 in the transform set,
but you can't have a phase 1 policy for IPsec without encryption (you need to choose between DES, 3DES or AES).

If your final goal is to remove encryption at the network layer and leave only the tunnel, I see only the GRE option
(unfortunately this option is manual and not very flexible).
The problem here is that if we involve IPsec, it means encryption at L3 (at least for phase 1).

Federico.
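As an added illustration of the option Federico describes (this is example configuration written for this page, not config from his post or from Cisco documentation), the following IOS hub snippet keeps IKE phase 1 with a cipher, since the ISAKMP policy cannot omit one, but uses an esp-null transform set so that phase 2 authenticates without encrypting. The hub's IPsec profile lists both the old AES transform set and the new esp-null one, so existing spokes keep negotiating AES while migrated spokes negotiate esp-null; the hostnames, addresses, key strings and profile names are assumed for the example.

```cisco
! ISAKMP (phase 1) policy: an encryption algorithm is mandatory here,
! so phase 1 keeps AES even though phase 2 will carry no encryption.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Wildcard pre-shared key (assumed for the example): any peer that knows it
! can build a tunnel, so in production prefer certificates or per-peer keys.
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
!
! Existing phase 2 transform set still used by unmigrated spokes.
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
!
! New phase 2 transform set: esp-null = no ESP encryption, SHA-1 HMAC only.
crypto ipsec transform-set NULL-SHA esp-null esp-sha-hmac
 mode transport
!
! Offer both sets; the peer's first matching proposal wins, so spokes can be
! moved to NULL-SHA one at a time without touching the hub again.
crypto ipsec profile DMVPN-PROF
 set transform-set AES-SHA NULL-SHA
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

Two caveats a practitioner should weigh before choosing this route: esp-null still puts every packet through ESP encapsulation and an HMAC computation and still keeps an IKE and IPsec SA per spoke, so it reduces the crypto load on the c871 rather than removing it; and once the spokes are on esp-null, the tunnel payload is readable on the wire while still looking, to anyone inspecting the config, like an IPsec-protected DMVPN, which is worth documenting so nobody later assumes it is confidential.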

Laurent Aubert
Cisco Employee

Hi,

If you are not interested in Federico's option based on the esp-null option in the transform set, you can create another mGRE tunnel on the hub with a new IP addressing plan and then migrate your spokes to this new cloud. It will be very smooth assuming you are already using an IGP in your encrypted tunnels.

HTH

Laurent.
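As an added example of the migration Laurent describes (example configuration written for this page, not from his post or from Cisco documentation), the hub gets a second mGRE tunnel interface with no tunnel protection, its own NHRP network-id, its own tunnel key and a fresh subnet, and a spoke is moved by adding a matching Tunnel1 before its encrypted Tunnel0 is removed. Interface names, addresses, the EIGRP AS number and the NHRP authentication string are assumed.

```cisco
!===== Hub: keep Tunnel0 (encrypted) and add Tunnel1 (plain mGRE) =====
! Both tunnels share the same source, so a distinct tunnel key is what lets
! the hub demultiplex GRE packets into the right interface.
interface Tunnel1
 ip address 10.1.0.1 255.255.255.0
 ip nhrp authentication dmvpn2
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 2
 ! no "tunnel protection": GRE only, nothing is encrypted or authenticated
!
! Advertise the new cloud in the IGP already running over Tunnel0 so spoke
! LANs are reachable over whichever tunnel a spoke currently has up.
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
 no auto-summary
!
!===== Spoke (one of the c871s): add Tunnel1 first, remove Tunnel0 later =====
interface Tunnel1
 ip address 10.1.0.11 255.255.255.0
 ip nhrp authentication dmvpn2
 ip nhrp map 10.1.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 2
 ip nhrp nhs 10.1.0.1
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 2
!
router eigrp 100
 network 10.1.0.0 0.0.0.255
!
! Verify on the spoke that the new cloud is working before cutting over:
!   show ip nhrp          -> 10.1.0.1 registered as NHS
!   show ip eigrp neighbors -> hub neighbor on Tunnel1
!   show ip route eigrp   -> hub-side prefixes learned via Tunnel1
! Then remove the old tunnel:
no interface Tunnel0
```

Because this cloud has no IPsec, a few properties of the original design disappear with it and should be decided on deliberately: `ip nhrp authentication` and `tunnel key` travel in cleartext and only keep misconfigured peers apart, they do not authenticate anyone; any host that can reach the hub's tunnel source can send it GRE packets and attempt an NHRP registration, so an ACL on the hub's outside interface limiting protocol 47 to known spoke sources is worth applying where spoke addresses are static; and the IGP over the new tunnel should carry its own MD5 authentication (for EIGRP, `ip authentication mode eigrp 100 md5` with a key chain on Tunnel1) since IPsec no longer protects routing updates. If the spokes sit behind dynamic addresses, the ACL is not practical and the routing-protocol authentication becomes the main control.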