DMVPN : Choosing the right routing protocol, EIGRP or OSPF ?

Unanswered Question
Jul 23rd, 2009

Hi gurus,

Im facing a DMVPN project with approx. 100 sites. Its going to be a classic 2-5 HUB central site, and 90-100 spoke sites.

Im in the need of some good advice and thoughts about selecting the right routing protocol, EIGRP or OSPF.

So anyone with experience and hands-on knowledge on such an installation - please feel free to comment on "goods and bads" regarding the two routing protocols :-)

Im leaning towards OSPF myself, as I know this one best though. So why should I choose EIGRP for instance? :)


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
darwintobardelgado Thu, 07/23/2009 - 15:32


OSPF is good, but in this solution I prefer to use EIGRP because the theory says that OSPF can to operate in environment to up 50 routers aprox. The other hand, do you know the GET VPN concept?. GET VPN concept can solve this routing problem because it doesn't alter IP headers.

Please, visit



Roman Rodichev Thu, 07/23/2009 - 19:17

I'm working with one large DMVPN EIGRP environment that has VIP load balancing across several hubs. No issues until you get to around 600 EIGRP spokes on each HUB (Cisco 7206 NPE-G2 or 7301). What hardware platform is your hub?

I'd go with EIGRP in your case. 100 spokes is not a problem (depending on hardware)

- Use DMVPN Phase 3, don't use Phase 2

- Configure route summarization of all spokes subnets on HUB's tunnel. If all spoke sites fall into range, configure EIGRP summary for on the HUB's tunnel

- Make sure remote sites are configured as EIGRP stubs

- Configure EIGRP hello/hold with larger values

I would also recommend BGP, it will scale beyond 600 spokes on 7200/7300, but there are few problems with it, the main one is IOS config size on HUB side :)



brown.susan Thu, 07/23/2009 - 23:56

First of all - thx for all your input, I really appriciate it :-)

DT - Im pretty sure that GetVPN cant be used over the Internet, since it preserves its original IP addresses in the header, so thats out of the question.

Roman - your hints and points are just what I was looking for. Thx a bunch :)


brown.susan Fri, 07/24/2009 - 00:01

Oh! One other thing.

Do you guys suggest a single dmvpn-cloud or dual dmvpn-cluds? (so that spokes use 1 or two tunnel interfaces) ? :-)



ronald.ramzy Fri, 07/24/2009 - 03:43

Hi Roman,

Can tell us which load balancer you use.

Are your spoke on private network or Internet.

Roman Rodichev Fri, 07/24/2009 - 10:34

IOS SLB on 7200 running 12.2S. Since 12.2S Security image doesn't exist, IPSEC must happen on the hubs behind it. It's actually ok, this way it's load balancing IPSEC too. Cisco removed a bunch of SLB features from 12.4T that are needed for this setup, so you're stuck with 12.2S

Internet, but could be private (MPLS) as well.



Roman Rodichev Fri, 07/24/2009 - 10:30

Dual. I like to see the spoke with two tunnel interfaces. Gives me better control over EIGRP metrics/routing. There are also some situations where single dmvpn cloud can't be used. In the load-balancing scenario I've mentioned, since both hubs would be behind VIP, I can't use single cloud.




This Discussion