DMVPN Scalability
I have three hub routers that I want to compare for DMVPN scalability (3825 versus 3845 and 3945). I have trouble finding enough information anywhere on Cisco's web site that can help me. I know it must be there somewhere and I'm just not looking in the right place. But I read and read and read on DMVPN designs and I'm not finding anything. This turns into a time killer. Could someone please help me determine the DMVPN limitations of these three routers?
Thank you
Chris
Chris,
We rarely test anything smaller than a 7200 as a hub. I can give you theoretical numbers I found internally.
I strongly suggest you contact your account team or SSE for more precise info. Here are some estimates.
Note that the major factor in scalability is the ability to maintain the multiple routing adjacencies.
BGP handles this better.
3825 - up to 200 peers
3845 - up to 300-400 depending on config/amount of load
3945 - 500-750 (without going into high CPU, but can stretch far beyond)
For throughput it is even harder to give you a good estimate, so much so that we probably wouldn't be able to match your real traffic without trials, and it depends on the HW config.
Marcin
Tags: Cisco Security
Similar Questions
-
Scalability of DMVPN & HSEC license request
Hi guys,
We have a 3900 router which is currently acting as a DMVPN hub router:
C3900-SPE250/K9 (CISCO3945-CHASSIS)
c3900e-universalk9-mz.SPA.151-4.M4.bin
We need to know whether we must purchase an HSEC license if it goes up to 125 spokes (sites) connecting via this 3945 DMVPN router.
Here is the output of the commands showing the current settings on the router, which has the seck9 license.
In searching, I found the following information:
Without HSEC, the ISR 3945 supports 225 IPsec tunnels. If you add HSEC, it can scale up to 2000 IPsec tunnels.
Now, if you look at the IPsec session output below: 212 active, 6399 max, and number of tunnels max 225. So for the new spokes mentioned above, is an HSEC license required (because it shows IPsec sessions and active tunnels)?
We currently have approximately 110 spokes (sites) connected to the 3945 hub router.
Reference:
HSEC-K9 license
http://www3.Cisco.com/c/en/us/products/collateral/routers/3900-Series-integrated-services-routers-ISR/q-and-a-C67-606268.html
http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...
Commands used: show crypto eli, show crypto isakmp sa count, show crypto ipsec sa count, show platform cerm-information

Router#show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1

CryptoEngine Onboard VPN details: state = Active
Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA-Session
IPSec-Session :   212 active,  6399 max, 0 failed

Router#show crypto isakmp sa count
Active ISAKMP SA's: 101
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0

Router#show crypto ipsec sa count
IPsec SA total: 208, active: 204, rekeying: 4, unused: 0, invalid: 0

Router#show platform cerm-information
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED
 ----------------------------------------------------------------
 Resource                          Maximum Limit       Available
 ----------------------------------------------------------------
 Tx Bandwidth(in kbps)                  85000               85000
 Rx Bandwidth(in kbps)                  85000               85000
 Number of tunnels                        225                 123
 Number of TLS sessions                  1000                1000

 Resource reservation information:
 D - Dynamic
 ----------------------------------------------------------------
 Client      Tx Bandwidth    Rx Bandwidth    Tunnels    TLS Sessions
               (in kbps)       (in kbps)
 ----------------------------------------------------------------
 VOICE                0               0          0             0
 IPSEC                D               D        102           N/A
 SSLVPN               D               D          0           N/A

 Statistical information:
 Failed tunnels: 0
 Failed sessions: 0
 Failed tx bandwidth: 0
 Failed rx bandwidth: 0
 Failed encrypt pkts: 0
 Failed decrypt pkts: 0
 Failed encrypt pkt bytes: 0
 Failed decrypt pkt bytes: 0
 Passed encrypt pkts: 23746321255
 Passed decrypt pkts: 20079132018
 Passed encrypt pkt bytes: 21892230873508
 Passed decrypt pkt bytes: 9815317896176

Yes, I would buy the HSEC license. With that many spokes, I would have suggested you buy it anyway, regardless of the number of SAs.
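A small capacity check for the CERM numbers discussed above, added here as an example in Python (it is not from the thread and not a Cisco tool). It parses the resource table of show platform cerm-information, reports which resources sit above a utilisation threshold, and projects tunnel usage for a planned spoke count. The projection assumes tunnels grow linearly with spokes at the ratio seen today (102 tunnels for roughly 110 spokes); that linear assumption is mine, labelled in the code, and the answer above still recommends HSEC regardless of the arithmetic.

```python
import re

# Constructed sample, trimmed from the 'show platform cerm-information' output
# posted in the thread above (3945 without HSEC: 225-tunnel limit).
SAMPLE_CERM = """\
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED
 ----------------------------------------------------------------
 Resource                          Maximum Limit       Available
 ----------------------------------------------------------------
 Tx Bandwidth(in kbps)                  85000               85000
 Rx Bandwidth(in kbps)                  85000               85000
 Number of tunnels                        225                 123
 Number of TLS sessions                  1000                1000
"""

# A resource row: a name of letters, spaces and parentheses, then two integers.
RESOURCE = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z ()]*?)\s{2,}(?P<limit>\d+)\s+(?P<avail>\d+)\s*$"
)


def parse_cerm(text):
    """Map each CERM resource name to (maximum_limit, available)."""
    resources = {}
    for line in text.splitlines():
        m = RESOURCE.match(line)
        if m:
            resources[m.group("name").strip()] = (
                int(m.group("limit")),
                int(m.group("avail")),
            )
    return resources


def near_limit(resources, warn_pct=80):
    """Resources whose in-use share is at or above warn_pct of the CERM limit."""
    hot = {}
    for name, (limit, avail) in resources.items():
        used = limit - avail
        if limit and used * 100 >= warn_pct * limit:
            hot[name] = (used, limit)
    return hot


def project_tunnels(resources, current_spokes, planned_spokes):
    """Project CERM tunnel usage if the spoke count grows to planned_spokes.

    Assumption (mine, not from the thread): tunnels grow linearly with spokes
    at the ratio observed today.  Integer ceiling division avoids float noise.
    Returns (used_now, projected, limit, fits_without_hsec).
    """
    limit, avail = resources["Number of tunnels"]
    used = limit - avail
    projected = (used * planned_spokes + current_spokes - 1) // current_spokes
    return used, projected, limit, projected <= limit


if __name__ == "__main__":
    res = parse_cerm(SAMPLE_CERM)
    print(near_limit(res, warn_pct=40))
    print(project_tunnels(res, current_spokes=110, planned_spokes=125))
```

The "Number of tunnels" line is the one CERM enforces on a non-HSEC ISR G2; once the projection crosses the limit, new spokes simply fail to bring up IPsec, which is why the headroom is worth watching before the spoke rollout rather than after.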
-
I would like to use an SRP500 series router in a DMVPN solution. Or is there perhaps another scalable VPN solution I could use?
Sent from Cisco Technical Support iPhone App
Hi Kevin, DMVPN is based on CEF and routing protocols such as OSPF, EIGRP, etc. Small business products only support IEEE standards, excluding CDP.
-
Satellite Pro M40X-132: scalable wireless LAN?
Hello
I have a Toshiba M40X-132 laptop. It doesn't have a wireless adapter installed inside. It has the antenna cable for such a card.
On the site where the specifications are listed, I see that the computer is "scalable wireless LAN". If you want to check, here is the link: http://eu.computers.toshiba-europe.com/cgi-bin/ToshibaCSG/selected_product_option.jsp?service=EU&PRODUCT_ID=104069&DISC_MODEL=0
I opened my computer and noticed that there is no mini PCI slot installed. However, I found the place on the motherboard that is generally used to install such a slot, with a certain 15-20 minutes of soldering. :) I know I'm losing my warranty by doing this, but I think it is better to take the risk than to rely on external PCMCIA or USB devices all the time.
So, I have a mini PCI slot I bought in an electronic components store. The pads for installing such a slot are tinned on the motherboard. I'm thinking of cleaning the tin off there and then fitting the slot.
The big question is the following: suppose I manage to solder such a slot correctly onto the motherboard. Will it work or not? I mean, is the slot the only thing that is missing, or are there other components and electronic parts, now absent, that are needed to make this slot work?
Thank you for your advice. I'm really confused.
Good day! :)
Hello Stefan
I really don't understand you at all. First, I don't really believe anyone has done this experiment, and you would be very lucky if someone has this kind of experience.
And if it works, how do you want to install the WiFi antenna? Do you want to dismantle the entire screen to do this and do it properly? Believe me, it is a bad idea.
A USB wireless adapter costs about 25 euros and in 10 minutes you can configure and use the WLAN.
Please think about this one more time.
Good luck!
-
How to create a scalable background image?
Hi all
I would like to put a scalable background image on a label field. I set the background image using the setBackground() method available on the label field. But when the text in the label field grows, the background image tends to repeat rather than scale. Can someone help me with this please?
Thank you much in advance.
Brahim Salim
Never tried it myself, but have you reviewed the options when you create your background?
Take a look at this:
and review the
BackgroundFactory.createBitmapBackground(Bitmap, int, int, int)
parameters, specifically looking at the REPEAT_SCALE_TO_FIT layout.
-
DMVPN Question: ISAKMP Security Associations
Hi all
I have implemented a basic full-mesh DMVPN, similar to the config used in the Packet Life tutorial:
http://packetlife.net/blog/2008/Jul/23/dynamic-multipoint-VPN-DMVPN/
I have a hub and two spokes. Everything seems to be functioning OK. I've included the tunnel config below.
My question is: when I do a show crypto isakmp sa, for example on spoke 2, I have three ISAKMP SAs with three different src addresses...
How is that possible when I only have tunnels to two other devices, the hub and spoke 1? And why does a foreign source address appear as an ISAKMP security association on this router?
dst             src             state          conn-id slot status
172.16.1.2      172.16.2.2      QM_IDLE           1    0 ACTIVE
172.16.2.2      172.16.3.2      QM_IDLE           3    0 ACTIVE
172.16.2.2      172.16.1.2      QM_IDLE           2    0 ACTIVE
A similar result on the hub:
dst             src             state          conn-id slot status
172.16.2.2      172.16.1.2      QM_IDLE           2    0 ACTIVE
172.16.1.2      172.16.2.2      QM_IDLE           1    0 ACTIVE
172.16.1.2      172.16.3.2      QM_IDLE           3    0 ACTIVE
Spoke 1 still only has 2:
dst             src             state          conn-id slot status
172.16.1.2      172.16.3.2      QM_IDLE           1    0 ACTIVE
172.16.2.2      172.16.3.2      QM_IDLE           2    0 ACTIVE
Crypto config for all:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
 set transform-set MyTransformSet
!
interface Tunnel0
 tunnel protection ipsec profile MyProfile
Hub tunnel config
interface Tunnel0
 ip address 10.0.100.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source fa0/0
 tunnel mode gre multipoint
Spoke 1 tunnel config
!
interface FastEthernet0/0
 ip address 172.16.3.2 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel0
 ip address 10.0.100.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.100.1 172.16.1.2
 ip nhrp map multicast 172.16.1.2
 ip nhrp network-id 1
 ip nhrp nhs 10.0.100.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MyProfile
Spoke 2 tunnel config
!
interface FastEthernet0/0
 ip address 172.16.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel0
 ip address 10.0.100.3 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.100.1 172.16.1.2
 ip nhrp map multicast 172.16.1.2
 ip nhrp network-id 1
 ip nhrp nhs 10.0.100.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MyProfile
The src and dst IP addresses indicate who was the initiator and who was the responder. They do not represent direction (in the traditional sense of the term).
You can get duplicate sessions in two IKE scenarios; these are the most common:
(1) negotiation started at both ends "simultaneously";
(2) IKE renegotiation.
What is strange to me is that you seem to have a session initiated and responded to by the hub.
What I would do is add:
- ip nhrp server-only (on the hub; it is not supported on ASR)
- DPD (on all devices).
This ensures that the hub does not initiate anything in NHRP and that useless/dead sessions are eventually torn down.
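Checking a show crypto isakmp sa table for the duplicate and hub-initiated SAs the answer above describes, as an added Python example (not part of the original thread). It parses spoke 2's output from the question, recreated here as a constructed sample, and groups rows by unordered peer pair: a pair that appears twice is the simultaneous-initiation or rekey duplicate the reply mentions, and a row whose src equals the hub's NBMA address is an SA the hub initiated. The hub address 172.16.1.2 comes from the posted config; the third row's src 172.16.3.2 is spoke 1's FastEthernet0/0 in that same config, so that SA is the spoke-to-spoke tunnel rather than a foreign peer.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the spoke 2 table posted in the question.
# IOS prints the responder in 'dst' and the initiator in 'src'.
SAMPLE_SPOKE2 = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.1.2      172.16.2.2      QM_IDLE           1    0 ACTIVE
172.16.2.2      172.16.3.2      QM_IDLE           3    0 ACTIVE
172.16.2.2      172.16.1.2      QM_IDLE           2    0 ACTIVE
"""

ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)"
)


def parse_isakmp_sa(text):
    """One dict per SA row; header and banner lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, slot, status = m.groups()
            sas.append({
                "dst": dst, "src": src, "state": state,
                "conn_id": int(conn_id), "slot": int(slot), "status": status,
            })
    return sas


def find_duplicate_peers(sas):
    """Group SAs by unordered peer pair.  A pair with more than one SA is a
    duplicate: simultaneous initiation from both ends, or a rekey whose old
    SA has not been torn down yet (DPD is what eventually cleans those up)."""
    by_pair = defaultdict(list)
    for sa in sas:
        by_pair[frozenset((sa["src"], sa["dst"]))].append(sa)
    return {
        tuple(sorted(pair)): rows
        for pair, rows in by_pair.items()
        if len(rows) > 1
    }


def hub_initiated(sas, hub_nbma):
    """SAs where the hub is the initiator (src), which a hub configured with
    'ip nhrp server-only' should not normally produce."""
    return [sa for sa in sas if sa["src"] == hub_nbma]


if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE_SPOKE2)
    for pair, dup in find_duplicate_peers(rows).items():
        print("duplicate SA between", pair, "conn-ids", [r["conn_id"] for r in dup])
    for sa in hub_initiated(rows, "172.16.1.2"):
        print("hub initiated conn-id", sa["conn_id"], "towards", sa["dst"])
```

Run against the sample, the 172.16.1.2/172.16.2.2 pair shows up twice (conn-ids 1 and 2), one initiated by the spoke and one by the hub, which is exactly the pattern the reply calls strange; the 172.16.2.2/172.16.3.2 pair appears once and is simply the spoke-to-spoke SA.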
-
Why does 'user-scalable=no' not prevent panning and zooming?
I'm building my first HTML5 app and I have the following in my meta tag.
However, I found that I can still zoom and pan around the page. I thought 'user-scalable=no' was supposed to prevent this. Any thoughts on why this is the case? Is my meta tag incorrect?
My meta tag is within the head tags.
Oooh... I found in the hellogeo app that this JavaScript seems to work. The static viewport meta tag does not seem to. It seems to work by dynamically assigning the initial-scale based on the device pixel ratio.
// Build the viewport meta tag at runtime instead of statically in the HTML.
var meta = document.createElement("meta");
meta.setAttribute('name','viewport');
// Scale so that one CSS pixel maps to one device pixel, then lock the scale.
meta.setAttribute('content','initial-scale='+ (1/window.devicePixelRatio) + ',user-scalable=no');
document.getElementsByTagName('head')[0].appendChild(meta);
Now to try this on my real application; I hope it works...
---------
BTW, I got this info from the following article.
-
DMVPN (NAT?) solution with spokes as subnets
Hi all
I have a large number of remote networks spread all over the world. Currently, they are all individual islands with no connectivity to anywhere else.
What I would like to do is connect them all back to headquarters over the internet so I can access them remotely. The internet service at the sites will be different and unknown, for example some directly on the internet, some behind NAT.
So I think the solution to this is DMVPN.
But my problem is that all of the remote locations have the same internal subnet. So how can I make sure that they are all connected and the remote devices are all reachable at the same time?
I wonder if I can configure NAT on the spoke router so that each device has a static NAT where the NATted IP is unique. I labbed this in GNS3 and it seems to work. However the problem is that there are hundreds of devices at each site, which means a large number of NAT entries.
I was wondering whether it is possible to do a full 1:1 NAT specified network to network. For example, something like 192.168.20.0/24 NATted to 10.0.1.0/24, so trying to access 192.168.20.5 in fact connects to 10.0.1.5.
Has anyone ever had something like this work?
Is there a good solution?
Thank you, Simon
It is possible, but (assuming they already use NAT for Internet access) you'll need to define things very carefully to avoid interfering with what they already have.
Doing a complete subnet translation is easy and is a single line:
ip nat inside source static network 10.0.0.0 192.168.0.0 /24
The problem is that this will override any existing NAT for that subnet, depending on the existing NAT configuration.
Can you provide an example of how the current NAT is set up at one of these sites?
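The subnet-to-subnet translation the reply describes, worked through as an added Python example (not part of the thread). It carves a unique global /24 per site out of a hypothetical pool (10.0.0.0/16 is my assumption, not something the question fixes), maps an inside address to its translated address by keeping the host bits the way static network NAT does, resolves a translated address back to (site, real inside address) for the HQ side, and flags global prefixes that collide with HQ or with each other, which is the "interfering with what they already have" the reply warns about. 192.168.20.0/24 and 192.168.20.5 are the question's own example values.

```python
import ipaddress


def allocate_site_prefixes(site_names, overlapping_prefix, global_pool):
    """Give every site its own global prefix, the same size as the overlapping
    inside prefix, carved in order from global_pool (hypothetical pool)."""
    inside = ipaddress.ip_network(overlapping_prefix)
    pool = ipaddress.ip_network(global_pool)
    if pool.prefixlen > inside.prefixlen:
        raise ValueError("global pool is smaller than one site prefix")
    carve = pool.subnets(new_prefix=inside.prefixlen)
    plan = {}
    for site in site_names:
        try:
            plan[site] = next(carve)
        except StopIteration:
            raise ValueError(f"pool {pool} exhausted before site {site!r}") from None
    return plan


def translate(address, from_prefix, to_prefix):
    """Static network NAT for one address: keep the host bits, swap the network
    bits.  Works in either direction, which is what makes 1:1 network NAT
    stateless and reversible (unlike per-host dynamic entries)."""
    src = ipaddress.ip_network(str(from_prefix))
    dst = ipaddress.ip_network(str(to_prefix))
    ip = ipaddress.ip_address(str(address))
    if src.prefixlen != dst.prefixlen:
        raise ValueError("both prefixes must be the same length for 1:1 NAT")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    host_bits = int(ip) - int(src.network_address)
    return ipaddress.ip_address(int(dst.network_address) + host_bits)


def reverse_lookup(global_address, plan, overlapping_prefix):
    """HQ view: which site, and which real inside address, sits behind a
    translated address?  Returns None when no site owns it."""
    gip = ipaddress.ip_address(str(global_address))
    for site, gprefix in plan.items():
        if gip in gprefix:
            return site, translate(gip, gprefix, overlapping_prefix)
    return None


def check_conflicts(plan, hq_prefixes):
    """Global prefixes that overlap HQ or another site would be unroutable or
    would shadow existing routes; list every such collision."""
    hq = [ipaddress.ip_network(p) for p in hq_prefixes]
    sites = list(plan.items())
    problems = []
    for i, (site, net) in enumerate(sites):
        for h in hq:
            if net.overlaps(h):
                problems.append((site, str(net), f"overlaps HQ {h}"))
        for other, onet in sites[i + 1:]:
            if net.overlaps(onet):
                problems.append((site, str(net), f"overlaps {other} {onet}"))
    return problems


if __name__ == "__main__":
    plan = allocate_site_prefixes(["siteA", "siteB", "siteC"], "192.168.20.0/24", "10.0.0.0/16")
    print(plan)
    print(translate("192.168.20.5", "192.168.20.0/24", plan["siteB"]))   # 10.0.1.5
    print(reverse_lookup("10.0.2.77", plan, "192.168.20.0/24"))
    print(check_conflicts(plan, ["10.0.1.128/25"]))
```

Each site's plan entry is what goes into that spoke's ip nat inside source static network line, with the inside prefix as the local network and the allocated prefix as the global one; the conflict check is the part to run before touching any router, since a collision with an existing HQ or Internet NAT range is the failure mode the reply asks about.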
-
I am in the initial phase of researching DMVPN. We currently have an MPLS network running BGP. Each site has Internet at home as well, and a site-to-site VPN is built on the router and talks to an ASA when the MPLS fails.
I want to implement DMVPN to do away with the site-to-site VPN and ASA. I'm going to run EIGRP on the routers to connect DMVPN. Are there any good whitepapers on BGP as the main path and EIGRP over DMVPN as a backup? Or a general config to focus on?
Thank you
That's really the main issue.
With your configuration the DMVPN routes will be internal EIGRP with an AD of 90, so by default your DC will prefer DMVPN over MPLS, which is exactly what you don't want.
There are several ways around this, such as summarizing across DMVPN, redistributing connected at the branch sites into EIGRP so the DMVPN routes are external as well, and then changing metrics, etc.
The other alternative, which I have never done, so this is just for your information, is that Cisco has what is called the IWAN solution, where DMVPN is run everywhere, that is, even across the MPLS network.
That would solve your internal vs external EIGRP route problem, but IWAN is much more than just that, even if you do not necessarily need to implement the entire solution at once.
I just thought it should be mentioned, and if you want more information on this I can point you to the design guide.
Jon
-
Hi everybody
I'm here to talk about the scalability of the BE6K. According to the BE6K documents, it has 2 models: MD = Medium Density and HD = High Density.
Attribute: Capacity
Maximum number of users: 1000 users
Maximum number of mailboxes and voicemail ports: 1000 mailboxes and 24 voicemail ports per server
Message storage: 72,944 minutes of G.711 codec
Number of contact center agents: 100 agents and 10 supervisors
Number of presence users: 1000 presence users
Number of supported devices: medium density server: 1200; high density server: 2500
Maximum number of co-resident applications per server: medium density server: five applications (4 + 1 collaboration management); high density server: nine applications (8 + 1 collaboration management)
Busy hour call attempts: 5000
In both models the number of users is the same, 1000, but the number of devices is different: MD supports up to 1200 and HD up to 2500.
The BE6K is a C220 M3 rack server. Is there any solution in case we need to increase the number of users? Suppose the number of users is 1200; does that mean I need another BE6K server, or NGC, or could it be BE7K?
Thanks and regards,
Umer Javed
The system has been tested only with 1K users and the maximum number of devices for the platform; going above that was not tested and, since you're already running on limited resources, is not supported. If you still want to go ahead and go beyond those numbers, any performance problems and/or issues will be your sole responsibility.
-
DMVPN/IPsec, GRE over IPsec and multipoint IPsec
Hi all
I have a project to build connectivity from 50 locations to my 2 data centers. Each location has Internet with an 877 router with a sec image.
My DC has a 1900 router. Now I want to decide which tunnel type to go with: DMVPN IPsec or GRE over IPsec.
The data will flow from the DC to the locations only. No inter-location connections. I want to know the pros and cons as well as any required equipment change.
Kind regards
Satya.M
Given your criteria, I would say that DMVPN would be best suited.
Cisco - Configuring Dynamic Multipoint Virtual Private Networks (DMVPN)
Pete
-
Is it possible to use dual hub, dual cloud in DMVPN Phase 1?
Hello, I'm studying DMVPN Phase 1. I'm doing a lab where I have 2 hubs and 2 spokes connected through 2 providers. In DMVPN Phase 1, as I understand it, the tunnel destination must be configured manually (tunnel mode gre point to point). But for each spoke I have 2 hubs. How can I specify the NBMA addresses of the two hubs on the same tunnel interface of the spoke? I can only specify a single tunnel destination, hence one hub.
Hubs do not need four interfaces in this case; one per ISP is enough. You end up with the following connections per spoke:
Tun1-ISP1 <-> Tun1-ISP1-Hub1
Tun2-ISP1 <-> Tun1-ISP1-Hub2
Tun3-ISP2 <-> Tun2-ISP2-Hub1
Tun4-ISP2 <-> Tun2-ISP2-Hub2
-
DMVPN - moving from PSK to RSA-Sig auth
Hi all
I'm moving a lab DMVPN config from PSK to the use of certificates.
Installed root CA + certificates without problem.
I imagined it would just be a case of creating a different ISAKMP policy on the hubs and spokes and gradually introducing it spoke by spoke, but I am receiving an error on the hub: "IKE message from x.x.x.x failed its sanity check or is malformed".
The problem disappears if I remove the ISAKMP policy on the hub and it returns to the original PSK policy. I have checked that the policies match a million times and the certificates are installed properly.
I have included some of the config below. Policy 10 works very well.
Any help appreciated. Thank you
- Hub -
crypto isakmp policy 5
 encr aes
 hash md5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxxxxx address 0.0.0.0
!
crypto ipsec transform-set main esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile ProfileName
 set security-association lifetime seconds 900
 set transform-set main
!
interface Tunnel0
 bandwidth 20480
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip nhrp authentication Auth
 ip nhrp map multicast dynamic
 ip nhrp network-id ID
 ip virtual-reassembly in
 no ip split-horizon
 ip tcp adjust-mss 1300
 cdp enable
 tunnel source Dialer
 tunnel mode gre multipoint
 tunnel key X
 tunnel protection ipsec profile ProfileName
- Spokes -
crypto isakmp policy 5
 encr aes
 hash md5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxx address 0.0.0.0
!
crypto ipsec transform-set main esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile IProfile
 set security-association lifetime seconds 900
 set transform-set main
!
interface Tunnel0
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication Auth
 ip nhrp map multicast dynamic
 ip nhrp map x.x.x.x x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id X
 ip nhrp nhs x.x.x.x
 ip virtual-reassembly in
 no ip split-horizon
 ip tcp adjust-mss 1300
 tunnel source Dialer
 tunnel mode gre multipoint
 tunnel key X
 tunnel protection ipsec profile IProfile
Your certificates seem to be fine. Time is very important: along with service timestamps log datetime, is your clock synchronised via NTP?
When everything is set up correctly, I would be very interested to get all the debugs.
This issue you have is based on the key or certificate not authenticating together; it could be MTU, it could be something else.
Would you mind providing all the debugs and perhaps a Wireshark trace to see what is happening? Debugs for isakmp, ipsec and certificates as well.
Thank you
-
Hello
I have a problem with all the PPPoE spokes on my network with DMVPN. The problem is the stability of the DMVPN tunnel. All the spokes on PPPoE have the problem.
When I do a ping from the spoke to the hub like this:
ping [hub dest IP] source [local tunnel IP], I only get 50% success.
In the spoke log I have this message:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor X.X.X.X (Tunnel2) is down: Peer Termination received
I'm sure it has to do with the MTU setting. Only on int tunnel2 on the spoke have I tried to play with ip mtu and ip tcp adjust-mss, without success.
But is it normal that if on int dialer1 I set the mtu to 1492, a sh int dialer1 shows the mtu as 1500?
I don't know what the right recipe is in this case, when I have several PPPoE spokes but not all spokes on the hub are PPPoE. Do I have to create another DMVPN just for the PPPoE spokes? If yes, what parameters do I need for PPPoE with DMVPN? Do I have to adjust the MTU on the tunnel port? On which side, hub and spoke? Etc...
Because if I use GRE with VPN to a remote site where PPPoE is installed, I no longer have the problem. For code and maintenance simplicity, I prefer to use DMVPN for sure. So if it is possible to set it up, that would be nice.
Thank you
MTU must be set on the tunnel interface for the hubs and spokes.
If you want to save bytes, you can even use transport mode instead of tunnel mode.
Thank you
PS: Please do not forget to rate and mark as correct answer if this solves your problem
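The overhead arithmetic behind "set the MTU on the tunnel interface" and "transport mode saves bytes", as an added Python example (mine, not from the thread or from Cisco documentation). It adds up the mGRE delivery header and the worst-case ESP expansion for a given cipher, integrity algorithm and IPsec mode, derives the largest safe ip mtu for the tunnel and the matching ip tcp adjust-mss, and compares them with what is configured. The transform set of the PPPoE spokes is not given in the thread, so AES/SHA is assumed as the default; the 3DES/MD5 case matches the transform set posted in the certificate thread above.

```python
# Block size doubles as IV length and padding alignment for the CBC ciphers.
BLOCK = {"aes": 16, "3des": 8, "des": 8}
# Truncated HMAC lengths carried after the ESP trailer (sha1-96, md5-96, sha256-128).
ICV = {"sha": 12, "md5": 12, "sha256": 16, "none": 0}


def ipsec_overhead(cipher="aes", auth="sha", mode="tunnel"):
    """Worst-case bytes ESP adds to one packet: 8-byte header (SPI + seq), IV,
    up to block-1 bytes of padding, the 2-byte pad-length/next-header trailer
    and the ICV; tunnel mode adds a fresh 20-byte outer IPv4 header on top."""
    block = BLOCK[cipher]
    total = 8 + block + (block - 1) + 2 + ICV[auth]
    if mode == "tunnel":
        total += 20
    elif mode != "transport":
        raise ValueError(f"unknown IPsec mode {mode!r}")
    return total


def gre_overhead(tunnel_key=True):
    """mGRE delivery overhead: 20-byte IPv4 + 4-byte GRE header, plus the 4-byte
    key field when 'tunnel key' is configured (it is in the configs above)."""
    return 20 + 4 + (4 if tunnel_key else 0)


def tunnel_ip_mtu(path_mtu, cipher="aes", auth="sha", mode="tunnel", tunnel_key=True):
    """Largest 'ip mtu' for the tunnel interface such that the encrypted packet
    never exceeds the underlying path MTU (1492 on PPPoE, 1500 on plain Ethernet)."""
    return path_mtu - gre_overhead(tunnel_key) - ipsec_overhead(cipher, auth, mode)


def tcp_mss(ip_mtu):
    """'ip tcp adjust-mss' value to pair with that ip mtu (IPv4 + TCP headers = 40)."""
    return ip_mtu - 40


def check_settings(path_mtu, configured_ip_mtu, configured_mss, **crypto):
    """Compare what is configured on Tunnel0 with the worst-case budget."""
    safe_mtu = tunnel_ip_mtu(path_mtu, **crypto)
    return {
        "safe_ip_mtu": safe_mtu,
        "safe_mss": tcp_mss(safe_mtu),
        "ip_mtu_ok": configured_ip_mtu <= safe_mtu,
        "mss_ok": configured_mss <= tcp_mss(safe_mtu),
    }


if __name__ == "__main__":
    # The 1400/1360 pair often copied from 1500-byte designs, on a 1492-byte PPPoE path.
    print(check_settings(1492, 1400, 1360))
    print(check_settings(1492, 1400, 1360, cipher="3des", auth="md5", mode="transport"))
```

For a 1492-byte PPPoE path with AES/SHA in tunnel mode and a tunnel key, the budget leaves 1391 bytes, so ip mtu 1400 is a few bytes too large in the worst case and ip tcp adjust-mss 1360 with it; switching to transport mode gives back 20 bytes and 3DES/MD5 another 16, which is the saving the answer refers to. Whatever value you settle on must be set identically on the hub and on every spoke tunnel interface, since both ends encapsulate.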
-
"Before Cisco IOS Release 12.3(6) and 12.3(7)T, for spoke routers to participate in a DMVPN network, they had to use IPsec tunnel mode." is stated in the following doc:
http://CCO/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html#wp1085369
But I tried transport mode and it seems to work very well. I use 12.2(15)T. Is it supposed to work? If not, why?
Thank you
The restriction you are referring to applies only when your DMVPN spokes are behind NAT devices. If they are not behind NAT devices, they can use either tunnel or transport mode correctly.