Discussion:
[c-nsp] Any experience with DMVPN on ASR1K?
Nasir Shaikh
2012-09-14 05:50:12 UTC
Hi guys,

We are planning to replace/upgrade our DMVPN hubs from 7206vxr npe-G2 with
VAM2+ to ASR1Ks.

Does anyone have any experience with running DMVPN on the ASRs?

This is what we plan to order:

Cisco ASR1001 System, Crypto, 4 built-in GE, Dual P/S
Cisco ASR 1001 IOS XE UNIVERSAL
Cisco ASR 1000 Advanced IP Services License
IPSEC License for ASR1000 Series
Cisco ASR1001 4GB DRAM

Thanks

Nasir

_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Andrew Clark
2012-09-14 16:26:26 UTC
Yes. I have a pair of ASR1001s in a dual-hub dual-cloud setup serving
around 120 (and counting) 881s. It should scale up to about 1.5k per hub,
hopefully.
So far it works fine, assuming the code is solid. There is a crashing bug
in 151-3.S2, so my experience so far recommends at least 151-3.S3.
You may need to tweak your IPSEC anti-replay buffer size up from the
default of 64 as well, if you have queuing (due to QoS, etc.) occurring.

Andrew Clark
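
Added example, not part of Andrew Clark's message: a small simulation of an ESP-style anti-replay sliding window (in the style of RFC 4303) showing why queuing after encryption makes a 64-packet window drop legitimate traffic. The two-class QoS model, the 100-packet delay and all names are constructed assumptions.

```python
# Added illustration (not from the thread): ESP-style anti-replay sliding window
# fed with packets reordered by a constructed two-class QoS model.
from collections import Counter

class AntiReplayWindow:
    """Receiver-side check in the style of RFC 4303; bit 0 of the bitmap is `top`."""
    def __init__(self, size):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (top - i) already seen

    def check(self, seq):
        if seq > self.top:                        # new highest: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:                   # fell off the left edge
            return "too_old"
        if (self.bitmap >> offset) & 1:           # already seen: a real replay
            return "replay"
        self.bitmap |= 1 << offset
        return "accept"

def qos_arrival_order(n, delay, priority_every=4):
    """Constructed model: packets are numbered (encrypted) in order 1..n, then
    every `priority_every`-th packet leaves at once while the rest wait in a
    bulk queue for `delay` packet times."""
    def departure(seq):
        return seq if seq % priority_every == 0 else seq + delay
    return sorted(range(1, n + 1), key=lambda s: (departure(s), s))

def run(window_size, n=2000, delay=100):
    """Count receiver verdicts for one constructed traffic run."""
    window = AntiReplayWindow(window_size)
    return Counter(window.check(seq) for seq in qos_arrival_order(n, delay))

if __name__ == "__main__":
    for size in (64, 1024):
        print(size, dict(run(size)))
```

With the constructed 100-packet delay, the 64-packet window rejects nearly all bulk packets as too old, while the 1024-packet window accepts every packet and still rejects a true duplicate. On IOS the window is set with `crypto ipsec security-association replay window-size`.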
Nasir Shaikh
2012-09-14 18:28:04 UTC
Thanks Andrew!
With 1.5k per hub do you mean the number of spokes?
What IGP are you using in your DMVPN cloud?

thanks
Iwanski, Edward E
2012-09-16 02:02:41 UTC
Nasir,

I can also give a +1 to the ASR1Ks for DMVPN.

We operate a dual-cloud infrastructure that used to be two pools of 7206VXR/VAM2+ hubs front ended by ACE load balancers to distribute approx 1100 spokes over each pool for a total of ~2200 DMVPN terminations. We wanted for some time to move to the ASR infrastructure to simplify our environment as well as increase performance and capacity, but the ASR unfortunately lacked a key feature up until about Q2 of 2012 - per tunnel QoS. After this was released and deemed stable we moved to two ASR1Ks and could not be happier. We easily operate 1100 spokes per ASR without any issues and performance is outstanding with all features on (NBAR, Per-Tunnel QoS, PBR, ACLs, etc). We carefully tracked the development of DMVPN in regards to the ASR and discussed with some of the principal engineers @ Cisco on this. I could not recommend it more highly for this purpose.

Our IGP is currently EIGRP which is rated at approximately 3000 spokes per ASR, but we are looking to move to BGP Dynamic Peer Groups as this allows us to scale well past that (I think the number was 5000-6000? I will have to check on that) and is much more efficient.

Good luck,

Ed
N. Max Pierson
2012-09-16 15:47:56 UTC
As Edward points out, the ASR1k has pretty much taken the 7200's former
"swiss army knife" of routers title away IMHO. We use it for ~600 - 700
DMVPN's running EIGRP at the moment. It handles that with no sweat.

Highly recommended solution for DMVPN deployment (and probably 1000 other
uses as well).

--
max
Andrew Clark
2012-09-17 15:29:31 UTC
Yes, 1.5K spokes per hub is what I plan to end up with.
I'm doing DMVPN phase III and using iBGP to send summaries. There's a
little localpref and extended community stuff to set traffic flows.
Just 3 routes from hub to spoke and one from spoke to hub (excepting larger
spoke sites) and NHRP takes care of the rest.

Andrew Clark
Nasir Shaikh
2013-02-19 13:47:44 UTC
Hi,

Finally got the ASR1Ks delivered and configured but somehow DMVPN is not
working! I accepted the EULA for the IPSec license, it shows activated and I
have adjusted and copied the config from the 7206npe-g2 to the ASR1k. The
router accepts all the configuration but does not recognize a "sh dmvpn" or
"sh ip nhrp" command. Isakmp SAs are not being established.

Do I need to activate something else?

ASR1K#sh hard

Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M),
Version 15.2(2)S1, RELEASE SOFTWARE (fc1)

IOS XE Version: 03.06.01.S
System image file is "bootflash:asr1001-universalk9.03.06.01.S.152-2.S1.bin"
License Level: advipservices
License Type: EvalRightToUse
Next reload license Level: advipservices

cisco ASR1001 (1RU) processor with 1163448K/6147K bytes of memory.

Configuration register is 0x2102

ASR1K##sh license feature
Feature name     Enforcement  Evaluation  Subscription  Enabled  RightToUse
adventerprise    yes          yes         no            no       yes
advipservices    yes          yes         no            yes      yes
ipsec            yes          yes         no            yes      yes

ASR1K##sh dmvpn ^
% Invalid input detected at '^' marker.

d lists
2012-09-18 01:29:56 UTC
We use ASR 1002 + ESP 5 as VPN hubs using both a dual tunnel and a SLB
type architecture (different hubs for different types). Currently
terminating 3500-4000 remote sites per ASR @ 12% cpu. Plan on moving
to BGP + dynamic neighbor in the near future, we'll see how that
scales. Current routing is a mix of static, eigrp & RIP passive.
Very happy with the ASR once the early IOS versions got sorted.

-dlists95
Nasir Shaikh
2012-09-20 09:05:00 UTC
Thank you all for the valuable input.
I have now ordered 2 asr1001 to replace my 7206vxr NPE-G2s.
I only expect to service ~400 spokes per router so these routers with ESP
2.5 should be OK, I think.
I am sticking to phase 2. I have split our global network into 4 regional
(dual) DMVPNs with dual hubs - interconnected via a MPLS backbone. More
manageable that way, imho. So staying away from phase 3 for now.
I will however move from EIGRP to BGP dynamic peer groups.

Thanks again.

Nasir