OSPF design question

Answered Question
Apr 30th, 2008

I've got a remote user (let's call that router RU) connected via an IPSec tunnel and a remote site (RS) connected via MetroE and an IPSec tunnel for back-up.


Both IPSec tunnels terminate at the same router (RVPN) and the MetroE terminates at a different one (RME).


RVPN and RME are both ABRs and backbone routers.


RU is in OSPF area 1 and RS is in area 2.


When RU sends a packet to RS, the packet arrives at RVPN and, even though the cost to reach RS is much lower via RME, it sends it via the IPSec tunnel. This is normal behaviour as RVPN is an ABR so it belongs to area 0 and area 2, and because the destination of the packet is in area 2, it doesn't take the cost into consideration, as intra-area routes are always preferred over inter-area routes (to reach RS via RME it has to cross area 0).


The problem is that I want to use RME as the latency is much better. The workaround I've found is to make RME an internal router and make RS an ABR so the MetroE link is part of area 0, and the same for the IPSec tunnel between RS and RVPN. The other solution is to create a GRE tunnel between RVPN and RME and make it area 2. I've tested both solutions and both work but I don't know which one is best for a working network.


I've been looking for OSPF design books but I haven't found any. All the books I've found explain how OSPF works, LSAs, area types, configuration, etc. but no design for the real world. Any idea?
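
The route selection described in the question, as an added example that is not part of the original thread: a small Python model of how an ABR picks between an intra-area and an inter-area path, run on the RU/RVPN/RME/RS topology with and without an Area 2 GRE link between RVPN and RME. The link costs and the function names `spf` and `select_route` are constructed for illustration.

```python
import heapq

def spf(links, area, src):
    """Dijkstra over the links of one OSPF area; returns {router: (cost, path)}."""
    adj = {}
    for a, b, link_area, cost in links:
        if link_area == area:
            adj.setdefault(a, []).append((b, cost))
            adj.setdefault(b, []).append((a, cost))
    best, heap = {}, [(0, src, [src])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in best:
            continue
        best[node] = (cost, path)
        for nxt, c in adj.get(node, []):
            if nxt not in best:
                heapq.heappush(heap, (cost + c, nxt, path + [nxt]))
    return best

def select_route(links, src, dst, dst_area):
    """Route an ABR installs toward dst, plus the inter-area alternative.
    Path type is compared first; cost only breaks ties within one type."""
    intra = spf(links, dst_area, src).get(dst)
    inter = None
    # Inter-area: backbone cost to another ABR plus that ABR's intra-area cost.
    for abr, (c0, p0) in spf(links, 0, src).items():
        leg = spf(links, dst_area, abr).get(dst)
        if abr != src and leg:
            cand = (c0 + leg[0], p0 + leg[1][1:])
            inter = min(inter, cand) if inter else cand
    if intra:
        return ("intra-area",) + intra, inter
    return (("inter-area",) + inter if inter else None), inter

# Constructed costs: (router, router, area, cost)
BASE = [("RU", "RVPN", 1, 100),    # IPSec tunnel, area 1
        ("RVPN", "RS", 2, 1000),   # backup IPSec tunnel, area 2
        ("RME", "RS", 2, 10),      # MetroE, area 2
        ("RVPN", "RME", 0, 1)]     # backbone path between the two ABRs
WITH_GRE = BASE + [("RVPN", "RME", 2, 5)]  # GRE tunnel placed in area 2

if __name__ == "__main__":
    for name, topo in (("original", BASE), ("with area 2 GRE", WITH_GRE)):
        installed, inter = select_route(topo, "RVPN", "RS", 2)
        print(name, "-> installed:", installed, "| inter-area alternative:", inter)
```

In the original topology RVPN installs the cost-1000 tunnel route even though an inter-area path of cost 11 exists; once RVPN and RME share an Area 2 link, the path via RME is itself intra-area and wins on cost.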






Overall Rating: 5 (2 ratings)
Correct Answer
Giuseppe Larosa Wed, 04/30/2008 - 06:08

Hello Oscar,

In the real world you have to take into account the impact of the two options on the whole network.


If you have 20 remote site routers with a primary metro ethernet link and you move RME inside area 0, you need to make all RSi ABR routers: you need to change the config of all of them and you may face performance issues on some of them.

Instead, if you configure a GRE tunnel between RVPN and RME in area 2, you change the config of RVPN and RME only and you make RME ABR of Area(0,2) as it was already before.

RVPN will be ABR (0,1,2) as before too.

Traffic will be GRE encapsulated/deencapsulated at two powerful routers.

So I would go with the GRE tunnel.


Hope to help

Giuseppe


Joseph W. Doherty Wed, 04/30/2008 - 17:38

Consider creating another link (might use a subinterface on existing physical link) between RVPN and RME that's in Area 2. If the cost of the Area 2 path from RVPN-RME-RS is less than RVPN-RS, all Area 0 outbound traffic to Area 2 will prefer it. (Also very useful if you summarize Area 2 addresses.)

Giuseppe Larosa Thu, 05/01/2008 - 00:41

Hello Joseph,

I agree a direct logical link in area 2 would be the best solution if RVPN and RME are in the same POP and it is feasible as you suggest.


Best Regards

Giuseppe

ookr Thu, 05/01/2008 - 02:09

Unfortunately, they are in a different POP. That's why I thought of a GRE tunnel ;-)

Even though the tunnel solution works, it doesn't look optimal, does it?

Correct Answer
Joseph W. Doherty Thu, 05/01/2008 - 04:02

Two other possible solutions come to mind, but before I get into them, to rehash your two choices, which are an Area 2 GRE link between RVPN and RME or extend Area 0 to RS, the former has all GRE tunnel issues, the second places an Area 0 router where it's more likely to become partitioned. Neither ideal.


Besides MetroE being faster than the IPSec tunnel, I assume the backside between RVPN and RME is also better, although not physically adjacent. If possible, instead of using a GRE tunnel (simple though), you might be able to extend an Area 2 p-2-p VLAN between RVPN and RME. This would avoid the performance issues of GRE.


If the Area 0 L2 infrastructure cannot support a VLAN between RVPN and RME, then you might also see whether Area 0's infrastructure can support any of the VRF variants between the two routers.


These two possible solutions are much more complex to implement than just a GRE tunnel, but will provide optimal performance while avoiding extension of Area 0, and ABR processing, to a remote site.


If you remain with just the GRE option vs. extension of Area 0, I too, like Giuseppe, would lean toward GRE. (Don't forget usage of ip tcp adjust-mss, if supported, and tunnel keepalives.)

ookr Fri, 05/02/2008 - 06:22

We've got a massive link between RVPN and RME but they're L3 so I guess the best solution would be GRE as we're getting rid of as many L2 links as possible (bye bye STP ;-) and implementing VRF would be a change too big (if something is not broken, just leave it ;-)


Thank you for your help guys.


Oscar
