User Guide for Cisco Security Manager 4.4, OL-28826-01, page 26-16
Chapter 26 GRE and DM VPNs
Dynamic Multipoint VPNs (DMVPN)
Configuring Large Scale DMVPNs
You can configure DMVPN for large scale deployments that might comprise thousands of spokes. In large scale DMVPN topologies, IPsec Terminators, also referred to as Server Load Balance (SLB) devices, reside between the spokes and the hubs. The hubs must be directly connected to the IPsec Terminator—there can be no other device between them.

The IPsec Terminator, which is a Catalyst 6500/7600 device, performs encryption and decryption while the hubs handle all tasks related to Next Hop Resolution Protocol (NHRP) and multipoint generic routing encapsulation (mGRE). The IPsec Terminator is configured to specifically load balance GRE traffic to the hubs, and is configured with dynamic crypto to accept any spokes with any proxies. When using tunnel protection on spokes, these proxies are automatically set to match GRE traffic. One GRE tunnel is configured on the spokes. All hubs connecting to the same IPsec Terminator will use the same Tunnel IP address, and the tunnel source is the Virtual IP address of the IPsec Terminator.
In Security Manager, you configure a Large Scale DMVPN during the creation of a new hub-and-spoke VPN topology as described in Creating or Editing VPN Topologies, page 24-28. You cannot edit an existing standard DMVPN and convert it to a Large Scale DMVPN. When you create the Large Scale DMVPN, keep the following points in mind:
• When you define the technology of the VPN, select DMVPN as the technology, and Large Scale with IPsec Terminator as the type. For the procedure, see Defining the Name and IPsec Technology of a VPN Topology, page 24-30.

• When you select the devices for the VPN, select the required IPsec Terminators (Catalyst 6500/7600 devices), the hubs and all the spokes. For the procedure, see Selecting Devices for Your VPN Topology, page 24-32.

• There must be direct connectivity between the IPsec Terminators and the hubs.

• When you configure the endpoints, as described in Defining the Endpoints and Protected Networks, page 24-33, configure the following in the Edit Endpoints dialog box:

  – For each hub device, in the Hub Interface tab, select the interface that is connected to the IPsec Terminator. Each hub can be connected to only one IPsec Terminator. Also, identify the protected networks. Each hub in the Large Scale DMVPN must identify itself and its protected networks.

  – For each IPsec Terminator in the Large Scale DMVPN, specify a VPN external interface, the crypto engine slot, and the Inside VLAN. No protected networks are configured on an IPsec Terminator.
Table 26-2 GRE Modes Page for DMVPN (Continued)

Element         Description

Hold time       The time, in seconds, that routers will keep information provided in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the hold time expires. The default is 300 seconds.

Authentication  An authentication string that controls whether the source and destination NHRP stations allow intercommunication. All routers within the same network using NHRP must share the same authentication string. The string can be up to eight characters long.
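The two NHRP elements in Table 26-2 (hold time and authentication string) are easy to get inconsistent across a large number of spokes, and Security Manager only validates what it pushes itself. The following Python script is an added example, not part of the Cisco user guide or of Security Manager; it parses IOS-style tunnel configuration text (the hub and spoke configurations embedded below are constructed for illustration) and applies the rules stated in the table: the hold time defaults to 300 seconds when no `ip nhrp holdtime` line is present, the authentication string may be at most eight characters, and every router in the same NHRP network must carry the same string. One caveat a practitioner should keep in mind: the NHRP authentication string travels in the NHRP packet in cleartext, so it protects against accidentally mixing NHRP networks, not against an adversary; confidentiality and peer authentication come from the IPsec layer (tunnel protection on the spokes, or the IPsec Terminator in the large scale design).

```python
"""NHRP hold time / authentication consistency checks from Table 26-2,
applied to IOS-style tunnel configuration text.
Added example, not from the Cisco user guide; the configurations below are
constructed for illustration only."""
from __future__ import annotations

import re
from dataclasses import dataclass

NHRP_DEFAULT_HOLDTIME = 300   # seconds, the default stated in Table 26-2
NHRP_AUTH_MAX_LEN = 8         # characters, the limit stated in Table 26-2


@dataclass
class TunnelNhrp:
    """NHRP-relevant settings of one 'interface TunnelN' stanza."""
    device: str
    interface: str
    holdtime: int = NHRP_DEFAULT_HOLDTIME   # used when no 'ip nhrp holdtime' line
    authentication: str | None = None
    network_id: int | None = None


def parse_tunnels(device: str, config: str) -> list[TunnelNhrp]:
    """Walk the config line by line; indented lines are sub-commands of a stanza."""
    tunnels: list[TunnelNhrp] = []
    current: TunnelNhrp | None = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # Top-level line: starts a new tunnel stanza or ends the current one.
            m = re.match(r"interface (Tunnel\d+)\s*$", raw)
            current = TunnelNhrp(device, m.group(1)) if m else None
            if current is not None:
                tunnels.append(current)
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if m := re.match(r"ip nhrp holdtime (\d+)$", cmd):
            current.holdtime = int(m.group(1))
        elif m := re.match(r"ip nhrp authentication (\S+)$", cmd):
            current.authentication = m.group(1)
        elif m := re.match(r"ip nhrp network-id (\d+)$", cmd):
            current.network_id = int(m.group(1))
    return tunnels


def check_nhrp(tunnels: list[TunnelNhrp]) -> list[tuple[str, str, str]]:
    """Apply the Table 26-2 rules; returns (device, interface, problem) triples."""
    findings: list[tuple[str, str, str]] = []
    by_network: dict[int | None, list[TunnelNhrp]] = {}
    for t in tunnels:
        if t.authentication is None:
            findings.append((t.device, t.interface, "no NHRP authentication string configured"))
        elif len(t.authentication) > NHRP_AUTH_MAX_LEN:
            findings.append((t.device, t.interface,
                             f"authentication string {t.authentication!r} exceeds "
                             f"{NHRP_AUTH_MAX_LEN} characters"))
        by_network.setdefault(t.network_id, []).append(t)
    # Every router in the same NHRP network must share one authentication string.
    for net, members in by_network.items():
        strings = sorted({m.authentication or "" for m in members})
        if len(strings) > 1:
            for m in members:
                findings.append((m.device, m.interface,
                                 f"authentication string differs within NHRP network-id {net}: {strings}"))
    return findings


# Constructed sample configurations (hypothetical devices, not a real deployment).
HUB1 = """hostname hub1
!
interface Tunnel0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp holdtime 600
 tunnel mode gre multipoint
!
"""
SPOKE1 = """hostname spoke1
!
interface Tunnel0
 ip nhrp authentication dmvpnkey
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
"""
SPOKE2 = """hostname spoke2
!
interface Tunnel0
 ip nhrp authentication dmvpnkey-long
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
"""


def audit_all() -> list[tuple[str, str, str]]:
    """Parse every sample device and return the combined findings."""
    tunnels: list[TunnelNhrp] = []
    for device, cfg in (("hub1", HUB1), ("spoke1", SPOKE1), ("spoke2", SPOKE2)):
        tunnels.extend(parse_tunnels(device, cfg))
    return check_nhrp(tunnels)


if __name__ == "__main__":
    for device, interface, problem in audit_all():
        print(f"{device} {interface}: {problem}")
```

Run as a script it reports spoke2's over-long string and flags all three routers because the hub's `DMVPNKEY`, spoke1's `dmvpnkey` and spoke2's `dmvpnkey-long` are three different strings in the same NHRP network; spoke1's hold time is reported as the 300-second default because it configures none. The parser is deliberately limited to the handful of NHRP sub-commands the table describes and ignores everything else in the stanza.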