Friday, January 10, 2020

Finally able to convert from static crypto-map based partial mesh to a Phase 3 DMVPN deployment. Is it worth it to go full IWAN?

All,

The company that I'm at has a network of around 100 sites ranging from one or two users up to several hundred. Around half of them have multiple internet circuits. Some are DIA fiber, some are business broadband, some are still freaking T1s.

The network is currently configured as a partial mesh of static crypto-maps (GRE over IPSec) with distribute lists everywhere making management a hassle, especially when the VoIP guys come up and ask for new tunnels to connect to other sites to trim the latency incurred by transiting a hub site. Hundreds of tunnels have been built over the years with no documentation about what connects to where. To say that it is a pain to manage is an understatement. I literally get angry every time I think about it. I haven't had to deal with a network like this since the late 90s/early 2000s.

All that being said, I have finally gotten approval to convert to DMVPN. A more current SD-WAN solution is out of the running due to budget constraints. I have to work with existing hardware, which is a mix of Cisco ISRs (some of which are too old for Viptela images) and ASRs. I'm kicking around the idea of going full-on IWAN to take advantage of the PfRv3/QoS/NBAR application-based routing decisions. I'm just trying to determine if the juice is worth the squeeze.

I have been working with DMVPN since 2005 and I'm really comfortable with implementing and troubleshooting it. Not so much with PfRv3 though. I have it up and running in the lab, but that can only tell you so much. What are your thoughts, oh great ones of the internets?


