Design Input

Answered Question
Oct 9th, 2009


I need design input assistance from you experts.

Our Vendor has proposed the attached design to connect our regional and international branches to HQ and DR Sites.

HQ=OSPF area0

DR= OSPF area1

Each regional office connection on a different OSPF area.

Each international office connected via GRE VPN on a different area.

WAN LINK between HQ to DR = EIGRP to load balance unequal links.

QoS on all VPN routers and regional MPLS routers.

Can I get some expert opinion on the routing protocol proposed and the classification of areas? We are still in the discussion phase, so we can change the design if needed.

Correct Answer by Giuseppe Larosa about 7 years 1 month ago
Giuseppe Larosa Fri, 10/09/2009 - 08:55

Hello Nasr,

Be aware that without knowing more details about your needs, what can be said here has limited value. Some notes are possible:

The use of GRE + VPN is becoming common, as reported by other colleagues, and may allow for consistent savings.

This can be a good solution if BW requirements for remote site to central site connectivity are not high (1-2 Mbps is fine; if you need 10 Mbps or more and you want to grow more, you should think of VPLS or MPLS L3 VPN solutions; availability and prices vary from zone to zone).

The idea to put each regional site in a dedicated non-zero area allows for fine routing control.

The drawback may be scalability: each OSPF area even if totally stub has its own link state database to build and to keep updated.

So here this can be acceptable or not depending on the number of regional sites involved: if they are 10 to 30 it can be a good idea otherwise this simply doesn't scale.

If they are more, it can be reasonable to put groups of them in the same area, accepting to receive routes of other remote sites in the same area.

There are specific designs and technologies that are of great help if the number of spokes is high:

DMVPN and more recent GET VPN should be considered.

About DR and Central Site:

I wouldn't put EIGRP into the picture; it makes things unnecessarily complex.

Depending on the type of links there are solutions to use them also with OSPF (it is enough to find a way to logically divide the faster link in two logical links if speed ratio is 2).

Also, you need to think about the backup needs:

All remote sites should have a "backup" VPN terminated at the DR site, to be used in case of failure of the primary tunnel.

If using a single OSPF domain, the DR site should be in area 0 as the central site, to avoid headaches with virtual tunnels.

This is just to give some suggestions that may be helpful or not.

Hope to help


nasr.khan Fri, 10/09/2009 - 09:33

Thanks Giuseppe for putting great points.

More details are here...

Please input more,

If needed I will input more details as requested.


All VPN sites will primarily connect to HQ and in case of failure will connect to DR sites. Total VPN sites are 25.

Bandwidth: each VPN site has 4MB.

(2). All regional sites connect to HQ via MPLS using the service provider network, and in case the HQ connection is down, all regional sites will connect to DR MPLS (this is the plan). Maximum users in a regional office is around 50.

(3) Between HQ to DR we need full redundancy & if possible load sharing on the link.

From your reply, I understand that

HQ and DR should be in same area 0.

Will have Two links between HQ and DR.



How should OSPF be configured to use the link in a more efficient way?

I have little knowledge of VPN. Does DualHead GRE IPSEC VPN fulfill my requirements?

Giuseppe Larosa Fri, 10/09/2009 - 10:31

Hello Nasr,

1) fine 25 sites 4 Mbps each

2) Well, if you use MPLS links, VPN encryption may be a security measure, but it is not required if not going on the internet.

MPLS provides segregation of your traffic, use VPN only if also high confidentiality is requested.


HQ and DR

what link types are these?

if you can make them to use Frame-Relay and with recent IOS images the trick is the following:

have a point-to-point subif with a 1Mbps pvc each.

assign bandwidth 1000 under each point-to-point subif.

use maximum-paths 10 under router ospf on the involved routers.

(recent IOS should allow up to 16 paths)

This works if there is a single router on each site HQ or DR.

Same idea could be used if these are LAN based using vlan based subinterfaces

Hope to help
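The sub-interface trick described in this reply, written out as an added IOS configuration sketch for the HQ router (not part of the original post). The interface names, DLCIs, addresses, OSPF process number and the 2 Mbps / 1 Mbps link speeds are constructed for illustration.

```cisco
! Added example, HQ router side. Constructed values: interface names,
! DLCIs, addressing, and the assumption that link A is 2 Mbps and
! link B is 1 Mbps (speed ratio 2).
!
interface Serial0/0
 description Link A to DR - 2 Mbps, carried as two 1 Mbps PVCs
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.101 point-to-point
 bandwidth 1000
 ip address 10.0.101.1 255.255.255.252
 frame-relay interface-dlci 101
!
interface Serial0/0.102 point-to-point
 bandwidth 1000
 ip address 10.0.102.1 255.255.255.252
 frame-relay interface-dlci 102
!
interface Serial0/1
 description Link B to DR - 1 Mbps, carried as one 1 Mbps PVC
 no ip address
 encapsulation frame-relay
!
interface Serial0/1.201 point-to-point
 bandwidth 1000
 ip address 10.0.201.1 255.255.255.252
 frame-relay interface-dlci 201
!
! Every subinterface has bandwidth 1000, so every subinterface gets the
! same OSPF cost (100 with the default 100 Mbps reference bandwidth).
! OSPF therefore sees three equal-cost paths, two of them on link A.
router ospf 1
 maximum-paths 10
 network 10.0.101.0 0.0.0.3 area 0
 network 10.0.102.0 0.0.0.3 area 0
 network 10.0.201.0 0.0.0.3 area 0
```

The DR router mirrors this with the other address of each /30. CEF balances per destination by default, so the 2:1 split between the physical links is approximate and depends on the mix of flows.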


nasr.khan Fri, 10/09/2009 - 11:02

Hi Giuseppe,

Both links between HQ and DR are WiMAX

(interface type= Ethernet)

I am still not clear what the strategy for VPN is.

How would my INT-Off connect to HQ and on failover connect to DR?

What I understood from vendor is IPSEC over GRE is ideal solution with OSPF as routing protocol. Each location will have different ospf area.

Can you comment on the above?

I hope you have clear picture of our need and proposed solution, can you comment on that.

Super thanks for the assistance.

Giuseppe Larosa Fri, 10/09/2009 - 11:21

Hello Nasr,

>> Both Link between HQ and DR is Wimax

(interface type= Ethernet)

if they support vlan tagging the trick can work.

>> How would my INT-Off will connect to HQ and on failover connect to DR.

Actually they will be connected to both but OSPF path to HQ will be used (lowest cost).

When OSPF adj to HQ is lost the other path to DR site is used.

Hope to help
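The dual-tunnel failover described in this reply, as an added IOS configuration sketch for one international office router (not part of the original post). Peer addresses, tunnel numbering, area 11, the cost values, profile names and the pre-shared key placeholder are all constructed for illustration.

```cisco
! Added example, spoke (international office) side. Constructed values:
! 198.51.100.1 = HQ VPN router, 203.0.113.1 = DR VPN router, area 11,
! tunnel addressing, profile names. Replace <PRE-SHARED-KEY>.
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-HQ
 set transform-set GRE-TS
crypto ipsec profile GRE-DR
 set transform-set GRE-TS
!
! Primary tunnel: lower OSPF cost, so routes learned via HQ are preferred.
interface Tunnel0
 description Primary GRE/IPsec to HQ
 ip address 10.255.1.2 255.255.255.252
 ip ospf cost 100
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-HQ
!
! Backup tunnel: adjacency stays up, but its higher cost keeps it unused
! until the adjacency over Tunnel0 is lost.
interface Tunnel1
 description Backup GRE/IPsec to DR
 ip address 10.255.2.2 255.255.255.252
 ip ospf cost 200
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-DR
!
! Both tunnels sit in the same non-zero area; HQ and DR are its ABRs.
router ospf 1
 network 10.255.1.0 0.0.0.3 area 11
 network 10.255.2.0 0.0.0.3 area 11
```

Set the same costs on the HQ and DR ends of the tunnels so return traffic follows the same path. Failover takes up to the OSPF dead interval on the tunnel, 40 seconds by default on point-to-point interfaces.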


nasr.khan Fri, 10/09/2009 - 11:36

Many Many Many Thanks.

Can you help with Cisco documents for your OSPF comments?

"Actually they will be connected to both but OSPF path to HQ will be used (lowest cost).

When OSPF adj to HQ is lost the other path to DR site is used."

