VPN design and issue

cheng.ung · ‎09-02-2003

we have a vpn core (full mesh) between three sites with Cisco 3645 routers. Each site has two 3645 routers (R1 & R2). Each router has four tunnels to a remote. On top of that, we have routing protocol (OSPF) over gre tunnel.

Here is the problem we are having: when we lost a tunnel, it takes ospf upto 8 seconds to converge. Does anyone know a better way to speed up the convergence or is there a better way to design a full mesh vpn core?

Thanks in advance.

Cheng

vcjones · ‎09-05-2003

8 seconds is pretty good for default OSPF. Have you looked at where the delays are occuring? If your tunnels are solid, you should be able to tune the hello timer down to one second and declare the tunnel down after missing two consecutive hellos, but you want to avoid having your network thrash.

If your VPNs are fast enough (delay is what counts), you could also consider switching to IS-IS, which allows configuring fast enough hellos to detect link down in one second. See chapter two of my book, High Availability Networking with Cisco, for tips on speeding up route convergence with OSPF, EIGRP and IS-IS.

Bottom line, though, is that router to router protocols are not like SONET rings and you are not going to get sub-second convergence using standard routing protocols.

Good luck and have fun!

Vincent C Jones

http://www.networkingunlimited.com