Wednesday, October 24, 2018

How would you do routing/crypto to 100,000 WWAN spokes?

Scenario: You want to design a central solution to connect 100,000 WWAN devices into something topologically resembling Dual Hub DMVPN.

  • All of the devices are uniform in that they all have only a single /30 IPv4 LAN behind them that needs to be routed to the hub(s).
  • Dynamic spoke-to-spoke tunnels are not needed since all traffic will go Hub<->Spoke.
  • The spokes only need a default route from the hub.
  • All of these spokes are on the same WISP on a "private" APN carried over redundant leased lines into the hub sites.
  • End-to-end encryption is a given because you don't trust anyone ever.
  • Spokes are authenticated to join the network using RADIUS.

I guess this could be done using BGP over IPsec+mGRE, but I guess the overhead alone would probably saturate the leased lines to the WISP. WWAN connections' nature to jump up and down every now and then, especially at scale, would probably make the hub routers sweat.

What's a good solution here? Am I too stuck in my old DMVPN thinking in that I might as well forgo mGRE completely and just go straight IPsec tunnels? Would I reach better scalability/price if I used a couple of separate IPsec concentrators instead of terminating IPsec on a router? Is a traditional routing protocol even needed? Could one perhaps do some magic with the RADIUS attribute Framed-Route? Should I just give up and start using NAT on all the spokes?
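Taking the Framed-Route idea from the post one step further, as an added example that is not part of the original post: a hub-side check that only installs routes carried in a RADIUS Access-Accept when they match the single-/30-per-spoke policy and point at the spoke's own tunnel address. The packet layout and the "0.0.0.0 means the user's own address" rule follow RFC 2865; the sample packet and addresses are constructed, and it is assumed the Response Authenticator has already been verified against the shared secret.

```python
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8   # RFC 2865 attribute types
FRAMED_ROUTE = 22
ACCESS_ACCEPT = 2

def build_access_accept(attrs, ident=1):
    """Build a constructed Access-Accept with a zeroed Authenticator (sample only)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute section of an Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20  # 4-byte header plus 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def spoke_routes(packet, min_prefixlen=30):
    """Return (prefix, gateway, metric) routes the hub may install for one spoke.
    Anything broader than /30, or with a next hop other than the spoke's own
    Framed-IP-Address, is dropped so a mis-provisioned entry cannot hijack
    another spoke's prefix or the default route."""
    framed_ip, candidates, accepted = None, [], []
    for atype, value in parse_attributes(packet):
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            framed_ip = ipaddress.IPv4Address(value)
        elif atype == FRAMED_ROUTE:
            fields = value.decode("ascii").split()  # "prefix/len gateway metric"
            net = ipaddress.IPv4Network(fields[0], strict=True)
            gw = ipaddress.IPv4Address(fields[1] if len(fields) > 1 else "0.0.0.0")
            candidates.append((net, gw, int(fields[2]) if len(fields) > 2 else 1))
    for net, gw, metric in candidates:
        if gw == ipaddress.IPv4Address("0.0.0.0"):  # RFC 2865: use the user's address
            gw = framed_ip
        if framed_ip is None or net.prefixlen < min_prefixlen or gw != framed_ip:
            continue
        accepted.append((str(net), str(gw), metric))
    return accepted

# Constructed sample: one valid /30, a default route and a foreign next hop.
SAMPLE_ACCEPT = build_access_accept([
    (FRAMED_IP_ADDRESS, bytes([10, 200, 0, 5])),
    (FRAMED_ROUTE, b"192.0.2.4/30 0.0.0.0 1"),
    (FRAMED_ROUTE, b"0.0.0.0/0 0.0.0.0 1"),
    (FRAMED_ROUTE, b"198.51.100.8/30 10.200.0.6 1"),
])
```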
