DMVPN: Advanced and crazy scenarios

When developing the Choose the optimal VPN service webinar, I decided to test everything I was talking about in a lab (you wouldn’t believe how much misinformation is spread across the Internet) and ended up with several DMVPN scenarios that most people would consider to be somewhere between peculiar and outrageous.

The best one: DMVPN Phase III network with ODR between spokes and level-1 hubs and OSPF inside a hierarchy of hubs ... of course fully redundant all the way down to the spokes.

The webinar has been rescheduled to July 7th (Cisco Live is taking place from June 27th to July 1st).

The design scenarios were simply too good to be left to rot on my hard drive (some of them were screaming to be documented and talked about), so I organized them into a progressively evolving story described in the DMVPN: Advanced and crazy scenarios webinar.

If you’re a CCNP/CCIE-level engineer interested in DMVPN, I’m positive you’ll enjoy this webinar (click here to register) ... and I’ll try to serve you as many curveballs as I can manage to fit within two hours.

17 comments:

  1. Hey mate,

    I've got one... DMVPN (dual hub, dual cloud) over international links crossing multiple ISP's for the spokes, Hubs based in Aus. Crazy crazy solution when carriers don't want to run Inter-AS VPNs. :(

    Cheers,
    Joe.

  2. Ivan Pepelnjak, 02 June, 2010 14:36

    I would expect nothing less from you 8-)

  3. Ivan,

    Don't forget about FVRF/IVRF applied to DMVPN as well:

    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

    It's a great solution for when your spokes need to carry a default for client internet traffic (transparent proxy at the hub) and also require a default route for spoke-to-spoke tunnel creation.

    Steve

  4. I would love to attend this but I'll be at the USA Cisco Live Networkers show that day... any chance of a recording or repeat?

  5. Ivan Pepelnjak, 02 June, 2010 16:31

    Thank you. Already included.

  6. Ivan Pepelnjak, 02 June, 2010 16:31

    Ouch. Forgot to check that. Will reschedule.

  7. Ivan Pepelnjak, 02 June, 2010 17:44

    Rescheduled to July 7th. Thanks again for the heads up!

  8. Hi Ivan,

    Is your seminar free?

    Thanks

  9. Ivan Pepelnjak, 26 June, 2010 13:07

    No. If you click on the webinar description or registration link, you'll find the prices.

  10. Thanks for your prompt response!

    Is every seminar 49.99 or do you have one fee for all seminars?

  11. Ivan Pepelnjak, 26 June, 2010 13:10

    The fee for all webinars is the same: $49.99 for each webinar. Regular attendees get a loyalty discount.

  12. Thanks, and how much is the loyalty discount?

  13. I'm in a very bad situation, please help me; details are given below.

    We have Cisco 871 series routers, one at the head office and another one in the branch office, with a site-to-site VPN connection. I want to connect a branch office computer to the head office Active Directory domain. I have the following configuration:

    IP address of head office and branch office as in images.

    If I try to join the branch computer to the Active Directory domain, I'm getting the error message.

    From head office to branch office and vice versa, I can ping by IP address.

  14. If you can ping the domain controller from the remote host, there's nothing I can do to help you. I know almost nothing about Microsoft products.

  15. Hi Ivan,

    I like the way you explain complex things in simple language.
    I have to set up DMVPN in a consumer-provider network where I can control the service consumption. So, I don't want the provider's network being exposed to the consumer without my wish. For that, instead of a routing protocol, I am adding/removing a static route for the provider's network.
    Could you please tell me
    1) if there is any other way.
    2) if I can use phase 3 DMVPN while using a static route?

    -regards,
    Rachna

    Replies
    1. If I understand your intent correctly, you need something that could authenticate the users. There might be something in the IKE framework that would give you the tools you need, or you could use per-user keys with hub-and-spoke DMVPN (just guessing).

      Also check the new FlexVPN solutions - it's supposed to be a mixture of the goodies from all previous IPsec-based VPN technologies ;)



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.