This guide shows how to establish secure communication links between a company's central and branch offices using Eltex equipment, and describes practices for using that equipment.
Intended audience
This guide will be useful for engineers tasked with establishing communication links between geographically dispersed company offices.
Proposed network diagram
The proposed solution is to deploy an overlay network over the ISP network using DMVPN implemented on ESR service routers.
Figure 1. General diagram of DMVPN cloud deployment for providing a secure communication link between offices
Advantages of the solution
The proposed solution offers a number of advantages. IPsec technology encrypts the communication channel, ensuring secure transmission of data between offices. The use of GRE tunneling provides support for multicast and broadcast traffic in communication channels between branches, allowing the full range of network protocols used in corporate networks to be utilized. The NHRP protocol, which is the basis of DMVPN technology, will minimize configuration on routers at the central office and allow temporary tunnels to be created between branch offices, reducing the load on routers at the central office and reducing delays in the communication channel between offices.
Possible product solutions
ESR service routers as DMVPN Hub in the central office
Routers that are going to be used as DMVPN Hubs should have a large FIB table size and be able to terminate a large number of IPsec tunnels. Recommended ESR router models for the DMVPN Hub role are listed in Table 1.
Table 1. ESR router models recommended for use as DMVPN Hub
| Model | Interfaces | FIB table size | IPsec throughput (IMIX) | Number of supported DMVPN Spokes |
|---|---|---|---|---|
| ESR-1700 | 4 × 1G Combo, 8 × 10G SFP+ | 1.7M | 7 Gbps; 1,308.1k pps | 750 |
| ESR-3300 | 4 × 25G SFP28, 4 × 100G QSFP28 | 1.7M | 1.4 Gbps; 258.5k pps | 750 |
| ESR-3200 | 12 × 25G SFP28 | 1.7M | 3.6 Gbps; 686.8k pps | 650 |
| ESR-3200L | 8 × 10G SFP+, 4 × 25G SFP28 | 1.7M | 1.88 Gbps; 353k pps | 720 |
| ESR-3250 | 8 × 1G Combo, 4 × 25G SFP28 | 1.7M | 5.3 Gbps; 1004.2k pps | 1710 |
| ESR-3350 | 8 × 1G Combo, 4 × 25G SFP28 | 1.7M | 14.5 Gbps; 2727k pps | 1800 |
Note: The ESR values shown are valid for software version 1.37.0. The current values are listed in products' datasheets on the eltex-co.com website.
ESR service routers as DMVPN Spoke in branch offices
The requirements for routers used as DMVPN Spokes are lower, since the volume of routing information and the number of terminated IPsec tunnels in branch offices are significantly lower than in the central office. For this reason, the list of recommended ESR models for use as DMVPN Spokes mainly contains lower-end models from the ESR router line and is shown in Table 2.
Table 2. ESR router models recommended for use as DMVPN Spoke
| Model | Interfaces | FIB table size | IPsec throughput (IMIX) |
|---|---|---|---|
| ESR-31 | 8 × 1G, 6 × 1G SFP, 2 × 10G SFP+ | 1.4M | 519.8 Mbps; 97.1k pps |
| ESR-30 | 4 × 1G, 2 × 10G SFP+ | 1.4M | 519.8 Mbps; 97.1k pps |
| ESR-15VF | 8 × 1G, 2 × 1G SFP | 1M | 135.5 Mbps; 25.2k pps |
| ESR-15R | 4 × 1G, 2 × 1G SFP | 1M | 135.5 Mbps; 25.2k pps |
| ESR-15 | 4 × 1G, 2 × 1G SFP | 1M | 135.5 Mbps; 25.2k pps |
Note: The ESR values shown are valid for software version 1.37.0. The current values are listed in products' datasheets on the eltex-co.com website.
IPsec throughput measurements were performed on Internet MIX (IMIX) traffic. The traffic format (frames per second : size of each frame) was 8:74; 5:512; 7:1518. The AES128 encryption algorithm and MD5 hashing algorithm were used to create IPsec tunnels.
