OSPF Design - 25 Branches, MPLS - DMVPN Backup/Dual Hub

Unanswered Question
Nov 13th, 2008

I have a HQ, a DR site, approx 25 branches. All are connected via a BGP MPLS as primary. Our core switch is running OSPF Area 0 in HQ, redistributing into BGP. Branch MPLS Routers are running router on a stick and advertising directly in BGP. At each branch there are two routers, one for MPLS, one for DSL. Right now branches have IPSec VPN (871s) back to main office with static route. I want to change that to DMVPN with OSPF. I also want to have dual hubs, one in HQ, one in DR site. I also plan on migrating the MPLS between the HQ and DR to a VPLS connection. I am not sure on how to configure the OSPF for the branches, how far to extend the Area 0..., etc. Can someone shed some light?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Giuseppe Larosa Thu, 11/13/2008 - 23:50

Hello Andy,

first of all be aware that if you use a single OSPF process/domain your DMVPN will become the primary path to the branch routers:

this because HQ routers have eBGP session with SP PEs and then they redistribute branch routes into OSPF as O E1 or O E2.

But OSPF has its hierarchy of route selection and O, O IA are preferred over O E1, O E2.

In order to be able to prefer routes over the MPLS L3 VPN:

I would use a separate OSPF process that you will redistribute on the core one (this requires careful use of route tagging and filtering ).

the configuration of the branches in the DMVPN has simply to avoid them to become DR

int tunnel 100

ip ospf priority 0

ip ospf network broadcast

ip ospf hello-interval 30

another important choice is : to use two DMVPN clouds or to have both hubs on the same cloud.

the HUB routers have to send a default route to the branch routers (this is to avoid mutual redistribution with core OSPF process/domain to be avoided).

you can have the DMVPN virtual flat network be in area 0 of second ospf process and use a different area for every remote site.

This provides you with fine control to aggregate or filter routes at every branch (this can be needed in the future).

Hope to help


trippi Mon, 12/01/2008 - 13:56

Would using GRE tunnels instead of DMVPN work also? (Without creating the 2nd OSPF process) Then have each branch as a NSSA?

Giuseppe Larosa Mon, 12/01/2008 - 14:03

Hello Andy,

the only special case could be if eBGP sessions and DMVPN are terminated on the same routers this could give you a chance to avoid to create the second OSPF process taking advantage of the lower AD of eBGP routes.

If so you can skip the creation of the second OSPF process but all core routers will think to use the DMVPN links to reach branches.

p-to-p GRE doesn't make any difference in this issue.

If you use different routers in order to provide router level redundancy you need to use the two OSPF processes as described in my previous post

Hope to help


Giuseppe Larosa Tue, 12/02/2008 - 00:15

Hello Andy,

this is a useful document that explains how multiple OSPF processes behave in a router.

My suggestions are under the following hypothesis:

the MPLS HQ router uses eBGP to learn the primary paths (the desired preferred routes)

The MPLS HQ acts as ASBR to injects the primary routes into the OSPF domain

The HQ DMVPN Hub router has two OSPF processes: this is done to create routes of comparable type (external ) that can become less preferred then those of MPLS HQ headend.

The branch router can have a single OSPF process the one used on the DMVPN IPSec tunnel : this works well under the hypothesis that this router is the only one on the branch office, or it is the single exit point for the branch: eBGP paths are preferred when available for their lower AD (20) in comparison to OSPF ones.

Using an NSSA area with a single OSPF domain doesn't provide the same benefits: the routes learned in the NSSA area if not coming from a redistribution are still inter area routes as seen in area 0 and would be preferred over the routes originated by BGP redistribution at MPLS HQ headend


if the PE-CE protocol in use is OSPF you can avoid to use two OSPF processes on the HQ DMVPN hub router: this requires coordination with the ISP.

If PE-CE protocol is BGP also on MPLS HQ headend router you need to use the approach I've described above and in previous posts

Hope to help



This Discussion