Recommended IOS for DMVPN

wpbrown417
Level 1

I am setting up a DMVPN between several dozen sites using 2800, 2900 and 3900 series ISRs.  The DMVPN Design Guide recommends current 12.4 or 12.4T IOS, but the DG was last updated in July 2008.  I cannot seem to find any recommendations newer than this.  I'm hoping Cisco or the community can give me an updated recommendation.

Thanks in advance.

5 Replies

Marcin Latosiewicz
Cisco Employee

William,

In general it's always best to talk to your SE if you want something more targeted for you (in terms of features, stability, etc.).

That being said, I (stress on the word "I", not Cisco) would say that you should definitely go for an MD release.

15.1(4)M is an MD release which all the hardware you mentioned should be able to run.

Why MD?

- Long lived software train (typically quite a few revisions will guarantee stability)

- No new features added during lifetime.

- DMVPN has been relatively feature-stable.

Why would you want to go for something newer (15.2M&T +)?

- IKEv2 support

- Migrate setup to FlexVPN eventually.

- Other features outside of core DMVPN/routing.

HTH,

M.

Thanks for the suggestions, Marcin.  I was thinking along these same lines.  I had initially reached out to my SE and was steered towards 15.2.2T, but once I looked into that release I didn't come away with the best feeling.  This release is over a year old, flagged with a Software Advisory, and has been superseded by six newer T-train releases.  I've asked my SE to re-review the recommendation noting my concerns, but given the holiday season I'm not sure when I'm going to hear back from him, which is why I also posted to the Community.  IOS 15.2 does appeal to me for the IKEv2 support, and feature stability is important.

Thanks!

William,

I've had great experience with recent revisions of 15.2(4)M, but that was specific to FlexVPN.

irt IKEv2 - you will not be able to run it on ISR G1s, but ISR G2s will offer quite a bit more kick.

What platform were you planning as your headend?

M.

I will have three sites designated as regional hubs and the headends will be 3945E, 3945 and 3925 respectively.  Model selection was based on bandwidth at the site; I would expect DMVPN performance itself would have been fine on the 3925.

I was just digging into IKEv2 platform support; it's too bad I cannot run it on the ISR G1 routers. Would you have any performance concerns with IKEv2 SHA256 vs. SHA512 on my lowest end spoke routers which would be the 2911?

William,

3945e used to scale VERY nicely as hub router (I think same went for 3925e but cannot find data to confirm), almost on par with some ASR models.

IRT second part. You might want to look into AES-GCM (in general) and VPN ISM in case performance is a problem.

SHA512 and 256 are both supported (as of 15.2M&T but don't take my word for it), I'm not aware of any considerations to performance. I'd need to review the numbers, I have not been keeping up to date.

M.
