Scalability DMVPN

I have three hub routers whose DMVPN scalability I want to compare (3825 versus 3945 and 3845).  I have trouble finding enough information anywhere on Cisco's Web site that can help me.  I know it must be there somewhere and I'm not in the right place.  But I read and read and read on DMVPN designs and I'm not finding anything.  This turns into a time killer.  Could someone please help me determine what the DMVPN limitations of these three routers are?

Thank you

Chris

Chris,

We rarely test anything less than 7200 for hubs. I can give you theoretical numbers I found internally.

I strongly suggest you contact your account team or SSE for more precise info. Here are some estimates.

Note that the major factor in scalability is the ability to maintain multiple routing adjacencies.

BGP must scale better.

3825 - up to 200 peers

3845 - up to 300-400 depending on config/amount of load.

3945 - 500-750 (without going into high CPU, but can stretch far beyond)

On throughput, it will be even harder to give you a good estimate, all the more so because we probably wouldn't be able to match your real traffic without trials, and it depends on HW config.

Marcin

Tags: Cisco Security

Similar Questions

  • Scalability of DMVPN & HSEC license request

    Hi guys,

    We have a 3900 router which is currently acting as a DMVPN hub router:

    C3900-SPE250/K9 (CISCO3945-CHASSIS)

    c3900e-universalk9-mz.SPA.151-4.M4.bin

    I need advice on whether we must purchase an HSEC license if it goes up to 125 spoke (site) connections via this 3945 DMVPN router.

    Here is the output of the relevant commands showing the current settings on the router, which has the seck9 license.

    In searching, I found the following information.

    Without HSEC, the ISR 3945 supports 255 IPsec tunnels. If you add HSEC, it can scale up to 2000 IPsec tunnels.

    Now, if you look at the output below: IPSec-Session: 212 active, max 6399, and number of tunnels max 225. So, for the new spokes mentioned above, will an HSEC license be required (because I think it counts 2 IPsec sessions and active tunnels)?

    We currently have approximately 110 spokes (sites) connected to the 3945 hub router.

    Reference:
    HSEC-K9 license
    http://www3.Cisco.com/c/en/us/products/collateral/routers/3900-Series-integrated-services-routers-ISR/q-and-a-C67-606268.html

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...
    Details of show crypto eli, show crypto isa sa count, show crypto ipsec sa count and show platform cerm-information:

    #sh crypto eli
    Hardware Encryption : ACTIVE
     Number of hardware crypto engines = 1
     CryptoEngine Onboard VPN details: state = Active
     Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
     IPSec-Session : 212 active, 6399 max, 0 failed

    #sh crypto isakmp sa count
    Active ISAKMP SA's: 101
    Standby ISAKMP SA's: 0
    Currently being negotiated ISAKMP SA's: 0

    #sh crypto ipsec sa count
    IPsec SA total: 208, active: 204, rekeying: 4, unused: 0, invalid: 0

    #sh platform cerm-information
    Crypto Export Restrictions Manager(CERM) Information:
     CERM functionality: ENABLED
     Resource                  Maximum Limit   Available
     Tx Bandwidth(in kbps)     85000           85000
     Rx Bandwidth(in kbps)     85000           85000
     Number of tunnels         225             123
     Number of TLS sessions    1000            1000
     Resource reservation information:
     D - Dynamic
     Client    Tx Bandwidth(in kbps)   Rx Bandwidth(in kbps)   Tunnels   TLS Sessions
     VOICE     0                       0                       0         0
     IPSEC     D                       D                       102       N/A
     SSLVPN    D                       D                       0         N/A
     Statistics information:
     Failed tunnels: 0
     Failed sessions: 0
     Failed tx bandwidth: 0
     Failed rx bandwidth: 0
     Failed encrypt pkts: 0
     Failed decrypt pkts: 0
     Failed encrypt pkt bytes: 0
     Failed decrypt pkt bytes: 0
     Passed encrypt pkts: 23746321255
     Passed decrypt pkts: 20079132018
     Passed encrypt pkt bytes: 21892230873508
     Passed decrypt pkt bytes: 9815317896176

    Yes, I would buy the HSEC license.  With that many spokes, I would have suggested you buy it anyway, regardless of the number of SAs.

  • SRP500 can be used in a DMVPN

    I would like to use an SRP500 series router in a DMVPN solution. Or is there maybe another scalable VPN solution I could use?


    Hi Kevin, DMVPN is based on EFC and routing protocols such as OSPF, EIGRP, etc. Small business products only support IEEE standards, excluding CDP.

  • Satellite Pro M40X-132: scalable wireless Lan?

    Hello

    I have a Toshiba M40X-132 laptop. It doesn't have a wireless adapter installed inside. It has an antenna cable for this card.

    On the site where the specifications are listed, I see that the computer is "scalable wireless lan". If you want to check, here is the link: http://eu.computers.toshiba-europe.com/cgi-bin/ToshibaCSG/selected_product_option.jsp?service=EU&PRODUCT_ID=104069&DISC_MODEL=0

    I opened my computer and noticed that there is no mini PCI slot installed. However, I found the place on the motherboard that is generally used to install such a slot, with about 15-20 minutes of soldering. :) I know I'm losing my warranty by doing this, but I think it would be better to take that risk than to use external PCMCIA or USB devices all the time.

    So, I have a mini PCI slot that I bought in an electronic components store. The pads for installing such a slot are tinned on the motherboard. I am thinking of cleaning the tin off and then fitting the slot.

    The big question is the following: suppose that I manage to solder such a slot correctly onto the motherboard. Will it work or not? I mean, is the slot the only thing missing, or are there other components and electronic parts that are now absent and that make this slot work?

    Thank you for your advice. I'm really confused.

    Good day! :)

    Hello Stefan

    I really don't understand you at all. First, I don't really believe anyone has done such experiments, and you will be very lucky if someone has this kind of experience.

    And if it works, how do you want to install the WiFi antenna? Do you want to dismantle the entire screen to do this and do it properly? Believe me, it is a bad idea.

    A USB wireless adapter costs about 25 euros, and in 10 minutes you can configure and use the WLAN.

    Please think about this one more time.

    Good luck!

  • How to create a scalable background image?

    Hi all

    I would like to put a scalable background image on a label field. I set the background image using the setBackground() method available on the label field. But when the text in the label field grows, the background image tends to repeat rather than scale. Can someone help me with this please?

    Thank you very much in advance.

    Brahim Salim

    Never tried it myself, but have you reviewed the options when you create your route?

    Take a look at this:

    http://www.BlackBerry.com/developers/docs/7.1.0api/NET/rim/device/API/UI/decor/BackgroundFactory.htm...

    and review the

    BackgroundFactory.createBitmapBackground(Bitmap, int, int, int)

    parameters, specifically looking at the REPEAT_SCALE_TO_FIT layout.

  • DMVPN Question ISAKMP Security Association

    Hi all

    I have implemented a basic full-mesh DMVPN, similar to the config used in the PacketLife tutorial:

    http://packetlife.net/blog/2008/Jul/23/dynamic-multipoint-VPN-DMVPN/

    I have a hub and two spokes. Everything seems to be functioning OK. I've included the config for the tunnels below.

    My question is, when I do a show crypto isakmp sa on, for example, spoke 2, I have three ISAKMP SAs with three different src addresses...

    How is that possible when I only have tunnels to two other devices, the hub and spoke 1? And why does a foreign source address appear as an ISAKMP security association on this router?

    dst             src             state          conn-id slot status
    172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
    172.16.2.2      172.16.3.2      QM_IDLE              3    0 ACTIVE
    172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE

    A similar result on the hub:

    dst             src             state          conn-id slot status
    172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE
    172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
    172.16.1.2      172.16.3.2      QM_IDLE              3    0 ACTIVE

    Yet spoke 1 only has 2:

    172.16.1.2      172.16.3.2      QM_IDLE              1    0 ACTIVE
    172.16.2.2      172.16.3.2      QM_IDLE              2    0 ACTIVE

    Crypto config for all:

    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
    !
    crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
    !
    crypto ipsec profile MyProfile
     set transform-set MyTransformSet
    !
    interface Tunnel0
     tunnel protection ipsec profile MyProfile

    Hub tunnel config:

    interface Tunnel0
     ip address 10.0.100.1 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source fa0/0
     tunnel mode gre multipoint

    Spoke 1 tunnel config:

    !
    interface FastEthernet0/0
     ip address 172.16.3.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface Tunnel0
     ip address 10.0.100.2 255.255.255.0
     no ip redirects
     ip nhrp map 10.0.100.1 172.16.1.2
     ip nhrp map multicast 172.16.1.2
     ip nhrp network-id 1
     ip nhrp nhs 10.0.100.1
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile MyProfile

    Spoke 2 tunnel config:

    !
    interface FastEthernet0/0
     ip address 172.16.2.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface Tunnel0
     ip address 10.0.100.3 255.255.255.0
     no ip redirects
     ip nhrp map 10.0.100.1 172.16.1.2
     ip nhrp map multicast 172.16.1.2
     ip nhrp network-id 1
     ip nhrp nhs 10.0.100.1
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile MyProfile

    The SRC and DST IP addresses indicate who was initiator and who was responder. They do not represent socket information (in the traditional sense of the term).

    You could end up with duplicate IKE sessions; these two scenarios are the most common:

    (1) the negotiation started at both ends "simultaneously".

    (2) renegotiation of IKE.

    What is strange to me is that you seem to have sessions initiated and responded to by the hub.

    What I would do is add:

    - ip nhrp server-only (on the hub, provided it is not an ASR)

    - DPD (on all devices).

    This ensures that the hub does not initiate anything in NHRP and that useless/dead sessions are eventually torn down.
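The reading of the dst/src columns given in the answer above, applied to the spoke 2 output from the question. This is an added example, not code from the thread; the function names are hypothetical and the sample text is the thread's table re-typed with the standard `show crypto isakmp sa` column order.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the spoke 2 output quoted in the thread, laid out in
# the column order of "show crypto isakmp sa" (dst, src, state, ...).
SPOKE2_OUTPUT = """\
dst             src             state          conn-id slot status
172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
172.16.2.2      172.16.3.2      QM_IDLE              3    0 ACTIVE
172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE
"""


def parse_isakmp_sa(text):
    """Return one dict per SA row; the header and malformed lines are skipped."""
    sas = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        dst, src, state, conn_id, _slot, status = fields
        try:
            ipaddress.ip_address(dst)
            ipaddress.ip_address(src)
            conn = int(conn_id)
        except ValueError:
            continue  # header row or garbage
        sas.append({"dst": dst, "src": src, "state": state,
                    "conn_id": conn, "status": status})
    return sas


def roles(sas, local_ip):
    """For each SA, say whether local_ip initiated (src) or responded (dst)."""
    out = []
    for sa in sas:
        if sa["src"] == local_ip:
            out.append((sa["dst"], "initiator", sa["conn_id"]))
        elif sa["dst"] == local_ip:
            out.append((sa["src"], "responder", sa["conn_id"]))
    return out


def duplicate_sessions(sas):
    """Peer pairs that hold more than one ACTIVE IKE SA, with their conn-ids."""
    by_pair = defaultdict(list)
    for sa in sas:
        if sa["status"] == "ACTIVE":
            pair = tuple(sorted((sa["src"], sa["dst"])))
            by_pair[pair].append(sa["conn_id"])
    return {pair: sorted(ids) for pair, ids in by_pair.items() if len(ids) > 1}


if __name__ == "__main__":
    sas = parse_isakmp_sa(SPOKE2_OUTPUT)
    for peer, role, conn in roles(sas, "172.16.2.2"):
        print(f"conn-id {conn}: local router was {role} towards {peer}")
    for pair, ids in duplicate_sessions(sas).items():
        print(f"duplicate IKE sessions between {pair[0]} and {pair[1]}: {ids}")
```

On the sample, the third address in the table is simply the other end of an SA the local router did not initiate, and the hub/spoke 2 pair shows up as the duplicate session the answer describes.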

  • Why does 'user-scalable=no' not prevent panning and zoom?

    I am building my first HTML5 app and I have the following in my meta tag.

    However, I found that I can zoom and pan around the page.   I thought 'user-scalable=no' was supposed to prevent this.  Any thoughts on why this is the case?   Is my meta tag incorrect?

    My meta tag is within of theTags.

    Oooh... made on the hellogeo app that this javascript seems to work.   The static viewport metatag does not seem to do.   It seems to work by dynamically assigning the initial-scale ratio based on the report of device pixels.

    Now to try this on my real application and I hope it works...

    ---------

    BTW, I got this info in the following article.

    http://supportforums.BlackBerry.com/T5/Web-and-WebWorks-development/how-to-set-up-the-viewport-for-a...

  • DMVPN (NAT?) solution with rais as subnets

    Hi all

    I have a large number of remote networks that are prevalent all over the world. Currently, they are all individual island with no connectivity to anywhere else.

    What I would do is connect all back to Headquarters on the internet so I can access it remotely. The internet service that I receive from all the sites will be different and unknown for example some directly on the internet, some behind NAT.

    So I think that the solution to this is DMVPN.

    But my problem is that all of the remote locations have the same internal subnet. So, how can I make sure that they are all connected and remote devices are all available at the same time?

    I wonder if I can configure NAT on the spoke router so that each device has a static NAT whose translated IP is unique. I labbed this in GNS3 and it seems to work. However, the problem is that there are hundreds of devices on each site, which means a large number of NAT entries.

    I was wondering whether it is possible to do a full 1:1 NAT that maps network to network. For example, something like 192.168.20.0/24 NAT to 10.0.1.0/24, so that trying to access 192.168.20.5 in fact connects to 10.0.1.5.

    Has anyone ever got something like this working?

    Is there a good solution?

    Thank you, Simon

    It is possible, but (assuming they already use NAT for Internet access) you'll need to define things very carefully to avoid interference with what they have.

    Do a complete translation of subnet is easy and is a good word:

    ip nat inside source static network 10.0.0.0 192.168.0.0 /24

    The problem is that this will override all existing NAT for this subnet, depending on the existing NAT configuration.

    Can you provide an example of how the current NAT is set up for one of these sites?

  • DMVPN BGP and EIGRP

    I am in the initial phase of researching DMVPN.  We currently have an MPLS network running BGP.  Each site also has Internet, and a site-to-site VPN is built on the router and talks to an ASA when the MPLS fails.

    I want to implement DMVPN to do away with the site-to-site VPN and the ASA.  I'm going to run EIGRP on the routers over DMVPN.  Are there any good whitepapers on BGP as the main path with EIGRP on the DMVPN as a backup?  Or any guidance on a general config?

    Thank you

    It's really the main issue.

    With your configuration, the DMVPN routes will be internal EIGRP with an AD of 90, so by default your DC will prefer DMVPN over MPLS, which is exactly what you don't want.

    There are several ways around this, such as summarizing across the DMVPN, or redistributing connected into EIGRP at the branch sites so the DMVPN routes are external as well, and then changing metrics, etc.

    The other alternative, which I have never done so this is really just for your information, is that Cisco has what is called the IWAN solution, where DMVPN is run everywhere, i.e. even across the MPLS network.

    That would solve your problem of internal vs. external EIGRP routes, but IWAN is much more than just that, even if you do not necessarily need to implement the entire solution at once.

    I just thought that it should be mentioned, and if you want more information on this I can direct you to the design guide.

    Jon

  • Scalability Be6k

    Hi everybody

    I'm here to talk about the scalability of the BE6K. According to the BE6K documents, it has 2 models: MD = medium density and HD = high density.

    Attribute: Capacity
    Maximum number of users: 1000 users
    Maximum number of voicemail boxes and voicemail ports: 1000 mailboxes and 24 voicemail ports per server
    Message storage: 72,944 minutes of G.711 codec
    Number of contact center agents: 100 agents and 10 supervisors
    Number of presence users: 1000 presence users
    Number of devices supported: medium-density server: 1200; high-density server: 2500
    Maximum number of co-resident applications per server: medium-density server: five applications (4 collaboration + 1 management); high-density server: nine applications (8 collaboration + 1 management)
    Busy hour call attempts: 5000

    In both models the number of users is the same, which is 1000, but the number of devices differs: MD supports up to 1200 and HD supports up to 2500.

    The BE6K is a C220 M3 rack server. Is there any solution in case we increase the number of users? Suppose the number of users is 1200 on medium density: do I need another BE6K server, or NGC, or maybe a BE7K?

    Thanks and regards,

    Umer Javed

    The system has only been tested with 1K users and the maximum number of devices per platform; going above that was not tested and, since you would already be running on limited resources, is not supported. If you still want to go ahead and go beyond those numbers, any performance problems and/or any issues will be your sole responsibility.

  • DMVPN/IPSEC, GRE and IPSEC Multi Point

    Hi all

    I have a project to build connectivity from 50 locations to my 2 data centers. Each location has Internet with an 877 router with a sec image.

    My DC has a 1900 router. Now I want to know which tunnel to go with: DMVPN IPsec or GRE IPsec.

    Data will go from the locations to the DC only. No inter-location connections. I want to know the pros and cons as well as any required change of equipment.

    Kind regards

    Satya.M

    Given your criteria, I would say that DMVPN would be best suited

    Cisco - Configuration dynamic Multipoint Virtual Private Networks DMVPN

    Implementation in DMVPN GDOI

    Pete

  • Is it possible to use hub dual double cloud in Phase 1 DMVPN?

    Hello, I'm studying DMVPN Phase 1. I'm doing a lab where I have 2 hubs and 2 spokes connected through 2 providers. In DMVPN Phase 1, as I understand it, the tunnel destination must be configured manually (the tunnel mode is point-to-point GRE). But for each spoke, I have 2 hubs. How can I specify the NBMA addresses of both hubs on the same spoke tunnel interface? I can only specify a single tunnel destination, hence one hub.

    Hubs do not need four interfaces in this case; one per ISP is enough. You end up with the following connections per spoke:

    Tun1-ISP1 <-> Tun1-ISP1-Hub1
    Tun2-ISP1 <-> Tun1-ISP1-Hub2
    Tun3-ISP2 <-> Tun2-ISP2-Hub1
    Tun4-ISP2 <-> Tun2-ISP2-Hub2

  • DMVPN - PSK to Auth RSA - Sig move

    Hi all

    I'm moving a lab DMVPN config from PSK to the use of certificates.

    Installed root CA + certificates without problem.

    I imagined it would just be a case of creating a different ISAKMP policy on the hubs and spokes and gradually moving the spokes over, but I am receiving an error on the hub: "IKE message from x.x.x.x failed its sanity check or is malformed".

    The problem disappears if I remove the ISAKMP policy on the hub; it falls back to the original PSK policy. I have checked that the policies match a million times, and the certificates are installed properly.

    I have included some of the config below. Policy 10 works very well.

    any help appreciated. Thank you

    -Hub-
    crypto isakmp policy 5
     encr aes
     hash md5
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key xxxxxxxxxxxxxxxxxx address 0.0.0.0
    !
    crypto ipsec transform-set main esp-3des esp-md5-hmac
     mode tunnel
    !
    crypto ipsec profile ProfileName
     set security-association lifetime seconds 900
     set transform-set main
    !
    interface Tunnel0
     bandwidth 20480
     ip address x.x.x.x 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nbar protocol-discovery
     ip flow ingress
     ip nat inside
     ip nhrp authentication Auth
     ip nhrp map multicast dynamic
     ip nhrp network-id ID
     ip virtual-reassembly in
     no ip split-horizon
     ip tcp adjust-mss 1300
     cdp enable
     tunnel source Dialer
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile ProfileName
    -Spoke-
    crypto isakmp policy 5
     encr aes
     hash md5
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key xxxxxxxxxxx address 0.0.0.0
    !
    crypto ipsec transform-set main esp-3des esp-md5-hmac
     mode tunnel
    !
    crypto ipsec profile IProfile
     set security-association lifetime seconds 900
     set transform-set main
    !
    interface Tunnel0
     ip address x.x.x.x 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nat inside
     ip nhrp authentication Auth
     ip nhrp map multicast dynamic
     ip nhrp map x.x.x.x x.x.x.x
     ip nhrp map multicast x.x.x.x
     ip nhrp network-id X
     ip nhrp nhs x.x.x.x
     ip virtual-reassembly in
     no ip split-horizon
     ip tcp adjust-mss 1300
     tunnel source Dialer
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile Iprofile

    Your certificates seem to be good. TGE of time is very important. Comes with service horodateurs time of the journal is your clock the ntp.

    When everything is set correctly, I would be very interested to get all the debugs.

    The issue you have is based on the key or certificate not authenticating; it could be MTU, could be something else.

    Would you mind providing all the debugs and perhaps a Wireshark trace to see what is happening? Debugs for ISAKMP, IPsec and certificates as well.

    Thank you

  • DMVPN PPPoe MTU

    Hello

    I have a problem with all the PPPoE DMVPN spokes on my network. The problem is the stability of the DMVPN tunnel. I have the problem on all the spokes with PPPoE.

    When I do a ping from the spoke to the hub like this:

    ping [dest IP Hub] source [local IP tunnel]

    I have only a 50% success rate.

    In the spoke log I have this message:

    %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor X.X.X.X (Tunnel2) is down: Peer Termination received

    I'm sure it has to do with the MTU setting. On int tunnel 2 on the spoke only, I tried playing with ip mtu and ip tcp adjust-mss, without success.

    But is it normal that if I set the MTU to 1492 on int Dialer1 and then do a sh int Dialer 1, the MTU shows 1500?

    I don't know what the right recipe is in this case, when I have several PPPoE spokes, but not all, with the hub. Do I have to create another DMVPN just for the PPPoE spokes? If yes, what parameters do I need for PPPoE with DMVPN? Do I have to adjust the MTU on the tunnel interface? At both places, hub and spoke? Etc...

    Because if I use GRE with VPN to a remote site where PPPoE is installed, I no longer have a problem. For configuration and maintenance simplicity, I would definitely prefer to use DMVPN. So, if it is possible to set it up, it would be nice.

    Thank you

    MTU must be set on the tunnel interface for the hubs and spokes.

    If you want to save bits, you can even use transport mode instead of tunnel mode.

    Thank you

    PS: Please do not forget to rate and score as good response if this solves your problem
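How much room the tunnel interface actually has over a 1492-byte PPPoE path, and what transport mode saves, worked through as an added example (not from the thread). It assumes IPv4 without options, no NAT-T, a CBC cipher and a 96-bit truncated HMAC; the function names are hypothetical.

```python
# Added example: overhead of GRE over IPsec ESP, used to size "ip mtu" and
# "ip tcp adjust-mss" on a DMVPN tunnel interface.
# Assumptions: IPv4 without options, no NAT-T, ESP with a CBC cipher and a
# 96-bit truncated HMAC (esp-aes / esp-3des with esp-md5-hmac or esp-sha-hmac).

IPV4_HDR = 20      # outer IP header (and GRE delivery header in tunnel mode)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
ICV = 12           # HMAC-MD5-96 / HMAC-SHA1-96
CIPHERS = {"aes": (16, 16), "3des": (8, 8)}   # cipher: (IV bytes, block bytes)


def max_inner_packet(path_mtu, cipher, mode, gre_key=False):
    """Largest passenger IP packet that leaves the router unfragmented."""
    iv, block = CIPHERS[cipher]
    gre = 8 if gre_key else 4          # "tunnel key" adds 4 bytes to GRE
    # Bytes left for ciphertext after outer IP, ESP header, IV and ICV.
    room = path_mtu - IPV4_HDR - ESP_HDR - iv - ICV
    ciphertext = room - room % block   # ciphertext is a whole number of blocks
    inner = ciphertext - ESP_TRAILER - gre
    if mode == "tunnel":
        inner -= IPV4_HDR              # GRE delivery header is encrypted too
    elif mode != "transport":
        raise ValueError("mode must be 'tunnel' or 'transport'")
    return inner


def sizing(path_mtu, cipher, mode, gre_key=False):
    """Upper bounds for 'ip mtu' and 'ip tcp adjust-mss' on the tunnel."""
    inner = max_inner_packet(path_mtu, cipher, mode, gre_key)
    return {"ip_mtu": inner, "tcp_mss": inner - 40}   # 20 IP + 20 TCP


def fits(configured_ip_mtu, path_mtu, cipher, mode, gre_key=False):
    """True if a full-size tunnel packet still fits the path after encryption."""
    return configured_ip_mtu <= max_inner_packet(path_mtu, cipher, mode, gre_key)


if __name__ == "__main__":
    for cipher in ("aes", "3des"):
        for mode in ("tunnel", "transport"):
            print(cipher, mode, sizing(1492, cipher, mode, gre_key=True))
    # ip mtu 1400 over PPPoE (1492), no tunnel key:
    print("aes/tunnel, ip mtu 1400 fits:", fits(1400, 1492, "aes", "tunnel"))
    print("aes/transport, ip mtu 1400 fits:", fits(1400, 1492, "aes", "transport"))
```

Under these assumptions, `ip mtu 1400` is two bytes too large for esp-aes in tunnel mode on a 1492-byte path, while transport mode leaves 20 bytes more.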

  • IPsec DMVPN tunnel mode

    "Before Cisco IOS Release 12.3(6) and 12.3(7)T, for the spoke routers to participate in a DMVPN network, they had to use IPsec tunnel mode." is stated in the following doc:

    http://CCO/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html#wp1085369

    But I tried transport mode, and it seems to work very well. I use 12.2(15)T. Is it supposed to work? If not, why?

    Thank you

    The restriction you are referring to applies only when your DMVPN spokes are behind NAT devices. If they are not behind NAT devices, they can use either tunnel or transport mode correctly.
