Deployment Scenario for 10 sites with 2 links from each: 1 link is MPLS VPN, the 2nd is IPSec VPN

Giuseppe Larosa Thu, 03/04/2010 - 04:29

Hello Alsayed,

The Solution Reference Network Design section of CCO can be of help.

WAN section

I would suggest DMVPN for IPSec backup links.


L3 MPLS VPN enterprise consumer guide

With 10 sites it is wise to use DMVPN instead of relying on multiple point-to-point GRE tunnels over IPsec.

In any case I would suggest having a GRE layer and not using IPsec directly, so that you can use a dynamic routing protocol over the tunnel(s).

Some care is needed at the central site to avoid having secondary routes preferred over MPLS VPN sites:

If the PE-CE protocol is eBGP, the WAN edge router needs to redistribute into the IGP used in the central site.

The DMVPN hub router should be a distinct device and should redistribute into the IGP the routes learned over the DMVPN cloud.

To design this correctly, a different IGP has to be used on the DMVPN in order to create a need for redistribution into the central site IGP at the DMVPN hub device. The seed metric of the redistributed routes has to be higher than those used by the MPLS WAN edge router in the central site, so that the primary link over MPLS is used as long as it is alive.

At a remote site, if there is only one router and it has an eBGP session with the PE node and an IGP neighborship over the DMVPN, because of the lower AD of eBGP routes it prefers the MPLS path, as desired.

Note that another dimension that can be used to build the desired hierarchy of routes and paths is route summarization over the secondary paths, so that the more specific routes over the primary paths are used first if available.

Hope to help
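
The routing design described in the reply above, sketched as a Cisco IOS fragment. This is an added example, not part of the original post or of the referenced design guides; it shows only the lines that decide path preference. Assumptions: OSPF process 1 is the central-site IGP, EIGRP AS 100 runs on the DMVPN, all AS numbers, addresses and the 10.0.0.0/8 summary are constructed, and the IPsec profile `DMVPN-PROF` and the spoke tunnel interface are defined elsewhere.

```cisco
! Central-site MPLS WAN edge router: eBGP to the PE, OSPF inside the site
router bgp 65010
 neighbor 192.0.2.1 remote-as 65000
router ospf 1
 ! low seed metric: remote prefixes learned via MPLS win while they exist
 redistribute bgp 65010 subnets metric 100 metric-type 2
!
! DMVPN hub (separate device): EIGRP on the tunnel, OSPF inside the site
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip split-horizon eigrp 100
 ! constructed summary: spokes learn only 10.0.0.0/8 over the backup path
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 10.255.0.0 0.0.0.255
router ospf 1
 ! higher seed metric than the WAN edge: used only when the MPLS route is gone
 redistribute eigrp 100 subnets metric 1000 metric-type 2
!
! Remote site, single router: eBGP to the PE plus EIGRP over the DMVPN tunnel
! (eBGP AD 20 beats EIGRP AD 90, and BGP specifics beat the /8 summary)
router bgp 65101
 neighbor 198.51.100.1 remote-as 65000
 network 10.1.1.0 mask 255.255.255.0
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
```

Both redistributions use OSPF external type 2, so the central site compares the seed metrics directly and keeps the metric-100 route from the WAN edge until the MPLS path withdraws it.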



