
lildevil

join:2003-04-28
West Lafayette, IN

DMVPN vs individual tunnels

Given the choice between the hub site having a multipoint interface for multiple remote VPN peers to connect to versus creating x-number of Tunnel interfaces on that same hub, is there anything I am losing from doing multipoint DMVPN? The biggest thing I can think of is that if I'm mucking around with interfaces on both ends of the VPN peers, the multipoint will kill everything on there if the config is screwed up. Yes? Other than that, not much I'm losing going to DMVPN?

nosx

join:2004-12-27
00000
kudos:5
Granularity for QoS is the biggest issue I have run into.
If you have a head end site with a 45meg connection, and a remote site with a 6meg connection, and you run one tunnel, you can shape all the traffic in it to 6meg so as not to overdrive the remote circuit.
With DMVPN there are new features coming in 15.1T that support better per-spoke QoS profiles, but since most people aren't running that code yet, it's still a widespread disadvantage.

DMVPN really makes sense when the remote sites have dynamic IPs. Static tunnels still do a piss poor job of handling that.
If you have routers on both sides, GRE is almost always preferable to pure IPsec. You can easily control routing and failover with virtual tunnel interfaces and individual neighbors with fast timers to detect faults.

nicknomo

join:2004-05-02
East Meadow, NY
reply to lildevil
said by lildevil:

Given the choice between the hub site having a multipoint interface for multiple remote VPN peers to connect to versus creating x-number of Tunnel interfaces on that same hub, is there anything I am losing from doing multipoint DMVPN? The biggest thing I can think of is that if I'm mucking around with interfaces on both ends of the VPN peers, the multipoint will kill everything on there if the config is screwed up. Yes? Other than that, not much I'm losing going to DMVPN?
I am currently faced with the migration to a DMVPN right now. I started with static tunnels, but now need a more flexible solution. I wanted to start leveraging a failover plan, and load balance two connections... I just couldn't get it to work with static IPsec tunnels. To be honest, they require a more complicated configuration and can do less.

The only bad part of it is that consumer grade equipment has static IPsec capability. I use a lot of Linksys routers for remote functionality because they are cheap and easily field replaceable.

Worse comes to worst, you could always have some sort of mesh configuration... It's entirely possible to have static IPsec tunnels and a DMVPN tunnel.

cooldude9919

join:2000-05-29
kudos:5
~120 spoke, 3 hub DMVPN setup here. Works great for us. We have QoS at each spoke site, so overdriving the bandwidth isn't an issue.