Nasir, I can also give a +1 to the ASR1Ks for DMVPN.
We operate a dual-cloud infrastructure that used to be two pools of 7206VXR/VAM2+ hubs front ended by ACE load balancers to distribute approx 1100 spokes over each pool for a total of ~2200 DMVPN terminations.

We wanted for some time to move to the ASR infrastructure to simplify our environment as well as increase performance and capacity, but the ASR unfortunately lacked a key feature up until about Q2 of 2012 - per tunnel QoS. After this was released and deemed stable we moved to two ASR1Ks and could not be happier. We easily operate 1100 spokes per ASR without any issues and performance is outstanding with all features on (NBAR, Per-Tunnel QoS, PBR, ACLs, etc).

We carefully tracked the development of DMVPN in regards to the ASR and discussed with some of the principal engineers @ Cisco on this. I could not recommend it more highly for this purpose.

Our IGP is currently EIGRP which is rated at approximately 3000 spokes per ASR, but we are looking to move to BGP Dynamic Peer Groups as this allows us to scale well past that (I think the number was 5000-6000? I will have to check on that) and is much more efficient.

Good luck,
Ed

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Nasir Shaikh
Sent: Friday, September 14, 2012 1:28 PM
To: 'Andrew Clark'; [email protected]
Subject: Re: [c-nsp] Any experience with DMVPN on ASR1K?

Thanks Andrew!
With 1.5k per hub do you mean the number of spokes?
What IGP are you using in your DMVPN cloud?

thanks

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Andrew Clark
Sent: vrijdag 14 september 2012 18:26
To: [email protected]
Subject: Re: [c-nsp] Any experience with DMVPN on ASR1K?

Yes. I have a pair of ASR1001s in a dual-hub dual-cloud setup serving around 120 (and counting) 881s. It should scale up to about 1.5k per hub, hopefully. So far it works fine, assuming the code is solid.

There is a crashing bug in 151-3.S2, so my experience so far recommends at least 151-3.S3. You may need to tweak your IPSEC anti-replay buffer size up from the default of 64 as well, if you have queuing (due to QoS, etc.) occurring.

Andrew Clark

> Message: 3
> Date: Fri, 14 Sep 2012 07:50:12 +0200
> From: "Nasir Shaikh" <[email protected]>
> To: <[email protected]>
> Subject: [c-nsp] Any experience with DMVPN on ASR1K?
> Message-ID: <C0EC838483EB4FAAAC1744BACC11539E@jedi35ba54c7c7>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi guys,
>
> We are planning to replace/upgrade our DMVPN hubs from 7206vxr npe-G2 with
> VAM2+ to ASR1Ks.
>
> Does anyone have any experience with running DMVPN on the ASRs?
>
> This is what we plan to order:
>
> Cisco ASR1001 System,Crypto, 4 built-in GE, Dual P/S
> Cisco ASR 1001 IOS XE UNIVERSAL
> Cisco ASR 1000 Advanced IP Services License
> IPSEC License for ASR1000 Series
> Cisco ASR1001 4GB DRAM
>
> Thanks
>
> Nasir

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
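The anti-replay remark in Andrew Clark's reply above, illustrated with an added example that is not part of the thread or written by any poster: a model of an RFC 4303 style receive window, fed sequence numbers that were assigned at encryption and then reordered by queuing. The traffic mix (every 4th packet priority, bulk held back 200 packet slots) and all names are constructed assumptions.

```python
class AntiReplay:
    """Receiver-side sliding window in the style of RFC 4303 (window check only;
    a real receiver also verifies packet integrity before updating the window)."""

    def __init__(self, window):
        self.window = window
        self.top = 0        # highest sequence number accepted so far
        self.seen = set()   # accepted sequence numbers still inside the window

    def check(self, seq):
        if seq > self.top:                  # new highest: slide the window forward
            self.top = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
            self.seen.add(seq)
            return True
        if seq <= self.top - self.window:   # left of the window: dropped as too old
            return False
        if seq in self.seen:                # inside the window, already seen: replay
            return False
        self.seen.add(seq)
        return True


def simulate(window, packets=5000, priority_every=4, bulk_delay=200):
    """Count legitimate packets dropped by the receiver.

    Constructed traffic: sequence numbers 1..packets are assigned in order at
    encryption time. Every `priority_every`-th packet bypasses the queue; the
    rest sit in a bulk queue for `bulk_delay` packet slots before transmission.
    """
    def arrival_slot(seq):
        return seq if seq % priority_every == 0 else seq + bulk_delay

    rx = AntiReplay(window)
    arrivals = sorted(range(1, packets + 1), key=arrival_slot)
    return sum(not rx.check(seq) for seq in arrivals)


if __name__ == "__main__":
    for w in (64, 128, 256, 1024):
        print(f"window={w:5d} dropped={simulate(w)}")
```

With the window smaller than the reordering depth, the delayed bulk packets are discarded as "too old" even though nothing was replayed; once the window exceeds that depth the drops stop while true duplicates are still rejected.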
