[c-nsp] DMVPN/mGRE on L3VPN - anyone experience issues with encapsulation overhead/MTU?
Hey, all. I'm looking at an option to consolidate and reduce complexity of a multi-provider L3VPN network in a way that lets me also use internet-based VPNs for backup. Right now I have dual provider uplinks at all of my sites to provide me inter-office WAN connectivity. DMVPN is a nice and easy option where I can have everything run in a single routing domain, drastically simplifying my network topology.

Has anyone experience with a network running in such a design? I am concerned about increased latency, and worse, packet overhead. I'm not sure I'll be able to get jumbos on these providers, so I'll have to deal with ipsec/gre overhead. I don't do anything crazy blocking with ICMP, but I'm still hesitant to move forward with such a design.

-JP Senior

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] DMVPN/mGRE on L3VPN - anyone experience issues with encapsulation overhead/MTU?
People do this all the time: GRE/IPSEC back up to MPLS VPN. Lots of service providers have managed service that does this for you. With modern hardware, fragmentation shouldn't be a big deal. Most providers have end to end jumbo frame so just need to be mindful of who does and who doesn't. Good luck.

On Wed, Oct 9, 2013 at 11:30 AM, JP Senior seni...@bennettjones.com wrote:
> Hey, all. I'm looking at an option to consolidate and reduce complexity of a multi-provider L3VPN network in a way that lets me also use internet-based VPNs for backup. Right now I have dual provider uplinks at all of my sites to provide me inter-office WAN connectivity. DMVPN is a nice and easy option where I can have everything run in a single routing domain, drastically simplifying my network topology.
>
> Has anyone experience with a network running in such a design? I am concerned about increased latency, and worse, packet overhead. I'm not sure I'll be able to get jumbos on these providers, so I'll have to deal with ipsec/gre overhead. I don't do anything crazy blocking with ICMP, but I'm still hesitant to move forward with such a design.
>
> -JP Senior
Re: [c-nsp] DMVPN/mGRE on L3VPN - anyone experience issues with encapsulation overhead/MTU?
JP Senior wrote:
> Hey, all. I'm looking at an option to consolidate and reduce complexity of a multi-provider L3VPN network in a way that lets me also use internet-based VPNs for backup. Right now I have dual provider uplinks at all of my sites to provide me inter-office WAN connectivity. DMVPN is a nice and easy option where I can have everything run in a single routing domain, drastically simplifying my network topology.
>
> Has anyone experience with a network running in such a design? I am concerned about increased latency, and worse, packet overhead. I'm not sure I'll be able to get jumbos on these providers, so I'll have to deal with ipsec/gre overhead. I don't do anything crazy blocking with ICMP, but I'm still hesitant to move forward with such a design.
>
> -JP Senior

I have customers who run DMVPN over both L3VPN and Internet as the substrate so that they have consistency in the design and architecture. There can be MTU issues, but that varies by provider. Otherwise, it works great for them.

--
bep
Re: [c-nsp] DMVPN/mGRE on L3VPN - anyone experience issues with encapsulation overhead/MTU?
I run a similar topology. On the tunnel interfaces I have ip tcp adjust-mss 1452 and tunnel path-mtu-discovery. No problems encountered; though the traffic profile is basic remote office file and print.

On Wed, Oct 9, 2013 at 9:30 AM, JP Senior seni...@bennettjones.com wrote:
> Hey, all. I'm looking at an option to consolidate and reduce complexity of a multi-provider L3VPN network in a way that lets me also use internet-based VPNs for backup. Right now I have dual provider uplinks at all of my sites to provide me inter-office WAN connectivity. DMVPN is a nice and easy option where I can have everything run in a single routing domain, drastically simplifying my network topology.
>
> Has anyone experience with a network running in such a design? I am concerned about increased latency, and worse, packet overhead. I'm not sure I'll be able to get jumbos on these providers, so I'll have to deal with ipsec/gre overhead. I don't do anything crazy blocking with ICMP, but I'm still hesitant to move forward with such a design.
>
> -JP Senior

--
Alex Presse
How much net work could a network work if a network could net work?
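
Added example (not part of any poster's message, and not code from the thread): the size arithmetic behind an MSS clamp on a GRE-over-IPsec tunnel of the kind discussed above. The ESP transform (AES-CBC with HMAC-SHA1-96), the 8-byte GRE header with tunnel key, option-free IPv4/TCP headers, and the Profile class with its method names are assumptions of this sketch, not details given in the thread.

```python
from dataclasses import dataclass

IPV4_HDR = 20     # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes


@dataclass(frozen=True)
class Profile:
    """Assumed encapsulation: GRE with tunnel key, ESP AES-CBC/HMAC-SHA1-96."""
    gre_hdr: int = 8           # 4 bytes base + 4 for the tunnel key
    iv: int = 16               # AES-CBC IV
    block: int = 16            # cipher block size (padding granularity)
    icv: int = 12              # HMAC-SHA1-96 integrity check value
    tunnel_mode: bool = False  # transport mode reuses the GRE delivery header

    def _fixed(self) -> int:
        # Bytes outside the encrypted region: outer IP, ESP header, IV, ICV.
        return IPV4_HDR + ESP_HDR + self.iv + self.icv

    def _prefix(self) -> int:
        # Encrypted bytes ahead of the passenger packet.
        return self.gre_hdr + (IPV4_HDR if self.tunnel_mode else 0)

    def wire_size(self, inner_len: int) -> int:
        """On-wire IP packet size for a passenger IP packet of inner_len bytes."""
        clear = self._prefix() + inner_len + ESP_TRAILER
        padded = -(-clear // self.block) * self.block  # round up to block size
        return self._fixed() + padded

    def max_inner(self, path_mtu: int) -> int:
        """Largest passenger packet that crosses path_mtu unfragmented."""
        padded = (path_mtu - self._fixed()) // self.block * self.block
        return padded - ESP_TRAILER - self._prefix()

    def max_mss(self, path_mtu: int) -> int:
        return self.max_inner(path_mtu) - IPV4_HDR - TCP_HDR

    def min_path_mtu(self, mss: int) -> int:
        """Substrate MTU needed to carry a full segment of this MSS whole."""
        return self.wire_size(mss + IPV4_HDR + TCP_HDR)


if __name__ == "__main__":
    for label, p in (("transport", Profile()), ("tunnel", Profile(tunnel_mode=True))):
        print(label, "max inner IP:", p.max_inner(1500), "max MSS:", p.max_mss(1500))
    print("substrate MTU needed for MSS 1452:", Profile().min_path_mtu(1452))
```

Under these assumptions a 1500-byte substrate carries at most a 1430-byte passenger packet (MSS 1390) in transport mode; a larger clamp relies on a bigger substrate MTU, fragmentation, or path MTU discovery working end to end.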