DMVPN to FlexVPN migration questions

Hello, if anyone has performed this migration, please share your thoughts on these points.

1. Does FlexVPN solve the latency issue experienced by spoke-to-spoke traffic (specifically, voice packets)? This is an issue with DMVPN's delay in bringing up the spoke-to-spoke IPsec negotiations and P2P tunnel.

2. Do you still need to rely on GetVPN to address the latency issue for Spoke-to-spoke tunnels, or is IKEv2's negotiation phase fast enough for real-time/voice traffic between spokes?

3. For large-scale deployments, can you have the two Hubs in different domain IDs? If so, is it just a matter of "peering" the Hubs so traffic from a spoke in one domain/cloud simply gets rerouted over a GRE tunnel between the Hubs to reach another spoke in the other domain/cloud?

4. Is it possible for the Hubs to use redundant AAA/RADIUS servers instead of only one (as in no redundancy with using the Key Server in GetVPN)?

Many thanks.

Mike

Comments

  • Hi,

       1. Using FlexVPN (IKEv2) or regular DMVPN (IKEv1) you have the same NHRP behaviour and the same final functionality for spoke-to-spoke tunnels, so the same delays, more or less.

       2. You would still need to rely on GETVPN. IKEv2 is insignificantly faster in bringing up the tunnel (of course it depends on the router platform you're running it on), but spoke-to-spoke traffic works through the hub until the spoke-to-spoke tunnel is established.

       3. Yes, or you can have hierarchical DMVPN implemented.

       4. What exactly would you be using the AAA/RADIUS servers for?


    Regards,

    Cristian.


  • Hello Cristian,

    What I learned is that you can use RADIUS not just for central authentication when peers want to initiate IKEv2 to build the tunnels, but also to push policies (QoS, etc.). Although my primary interest is to have a redundant server setup (unlike a Key Server in GDOI, which I understand is NOT possible to set up as a redundant cluster).

    This talks about VoDMVPN; I was hoping to find something similar for FlexVPN.

    http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/VoSDMVPN.html

    Thanks.

    Mike

  • One clarification - my understanding is FlexVPN requires "tunnel protection", however GDOI requires you NOT to use "tunnel protection". Am I missing something?

    -Mike

  • Hi,

       Yes, you can use redundant ACS/ISE/RADIUS servers. You can also have redundant Key Servers in GETVPN. Who told you you can't have redundant/multiple KS in a GETVPN deployment?

    Regards,

    Cristian.
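As an added illustration of the redundancy point above (example configuration written for this page, not taken from the thread or from Cisco documentation), a FlexVPN hub fragment in Cisco IOS syntax that hands IKEv2 authorization to a RADIUS server group holding two servers, so the hub does not depend on a single AAA host, and that applies the tunnel protection the earlier post mentions. All names, addresses (RFC 5737 documentation range) and keys are placeholders.

```cisco
! Added example: FlexVPN hub with IKEv2 authorization against two RADIUS servers.
! All names, addresses and keys below are placeholders, not values from the thread.
aaa new-model
!
! Two RADIUS servers in one group: if the first stops answering, the hub tries the second.
radius server RADIUS-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
radius server RADIUS-SECONDARY
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
aaa group server radius FLEX-RADIUS
 server name RADIUS-PRIMARY
 server name RADIUS-SECONDARY
! Authorization list that the IKEv2 profile references below
aaa authorization network FLEX-AUTHOR group FLEX-RADIUS
!
crypto ikev2 keyring FLEX-KEYRING
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key PLACEHOLDER-PSK
!
crypto ikev2 profile FLEX-HUB
 match identity remote fqdn domain example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYRING
 ! Per-spoke attributes (addresses, routes, QoS policy) come from RADIUS via FLEX-AUTHOR
 aaa authorization group psk list FLEX-AUTHOR default
 virtual-template 1
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-HUB
!
! FlexVPN encrypts the GRE tunnel with tunnel protection on the virtual template
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode gre ip
 tunnel protection ipsec profile FLEX-IPSEC
```

Use a distinct shared secret per RADIUS server in practice; the same placeholder is repeated here only for brevity.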

  • Hi,

        The real problem is that GETVPN is not IKEv2 ready yet. Otherwise you could have fixed the problem the same way you did with IKEv1: build the DMVPN network without encryption and let GETVPN deal with the encryption.

    Regards,

    Cristian.


  • Hello Cristian,

    Thanks for the clarification. I read from one of the CCO pages/docs that you can only back up the key/database of the Key Server in case you need to recover from a hardware failure, but not deploy two as an HA pair. If this is indeed possible, then that reduces the need for using RADIUS (in my situation).

    -Mike

  • I just found on CCO about COOP for KS redundancy. Thanks for pointing me in the right direction.


    -Mike
