
After suggestions for best Multipoint VPN solution

Status
Not open for further replies.

Richy321

Technical User
Nov 24, 2008
26
GB
Hi all,

I have inherited a BT managed MPLS network at work that I will take great delight in ripping out early next year, in favour of a much cheaper / faster DSL ‘in-house’ managed solution.

I am trying to work out the best solution using VPNs to achieve this. I have a nearly new ASA 5520 in place at HQ and am looking to utilise various Cisco 800 / 1800 security routers at approx. 25 remote sites (dependent on size). I have got a test Cisco 857 router and the ASA 5520 box working using a site-to-site VPN, and this works well, the downside being that the network would become very hub & spoke in design.

I have read about multipoint VPNs, which looks promising, but I don’t think the ASA can do this. I want to mesh the network as much as possible and use OSPF or EIGRP to make management much easier. I have read up on NHRP (Next Hop Routing Protocol) and this looks ideal.

I guess what I am trying to ask is: are there any other Cisco solutions I should be looking at that allow for an easily managed mesh network based on broadband whilst utilising the ASA? Or should I just use a decent security-enabled router for VPN termination with the ASA sitting behind it at the HQ site? The ASA is used for intrusion prevention as well as general HQ traffic.

Any suggestions would be appreciated, and I hope the above makes sense!
 
Richy,

You're on the right track with DMVPN, but you are also correct that you can't use it on an ASA. For a fully meshed VPN I would use DMVPN on a Cisco 2800 series (3800 if you expect the vpn network to grow past 100 or so) and run EIGRP over it. The configuration is pretty simple and it can scale to about 200 sites before you have to start looking into load-balancing and multiple headend devices.

If you really want to use the ASA, you can look at Easy VPN. It's still dynamic IPSec tunnels, but it's hub-and-spoke design. You won't be able to get your mesh environment you want.

I hope that helps a little. If you want I can link some documentation for both solutions and share some more details I've learned by setting both up.

-BDB
 
BDB,

Thanks ever so much for your reply. It's good to get confirmation from somebody else that I am on the right track!

There could potentially be up to 25 sites all meshed together, so it looks like I will need the 1800 series routers; the 1801 looks ideal, as it supports up to 50 VPNs, so hopefully it will easily cope with the 25. I guess I will need a bigger router at the HQ site, as this will be where most of the traffic will be heading from / to.

I am going to run some demos using GNS3, so I can get to grips with the multipoint VPN stuff. I have a guide to setting up NHRP, so will see if this is the way to go. Any links to other solutions would be helpful, so I can see what's the best fit.

Thanks again for the reply.

Rich.
CCNA - preparing for SNPA exam :)
 
Rich, I set up a DMVPN at 10 sites for a small client not knowing a thing about it, and just following the Cisco docs it was a breeze. I'm not CCxx anything, just basic reading/typing/reasoning skills will get you through. You'll be fine.
 
Thanks jpm, I will follow the Cisco guides to get me through. I always find that there is one command either missing, or slightly different that catches me out, all part of the fun/learning I guess!

Rich.
CCNA - preparing for SNPA exam :)
 