Solved: Decision over DMVPN and simple L2L IPsec tunnels

ciscobigcat · ‎02-16-2012

I have a project where I need to make a decision on what solution to apply... environment is as follows....

4 branches.
Each branch has 2 subnets; one for DATA and one for VOICE
2 ISPs in each (one Internet ISP and one MPLS provider)
Branch #1 is not necessarily the HUB office although all file and database servers are located there
Branch #2 is actually where the phone equipment is located
Other 2 branches are just spoke branches (perhaps no need ever for DATA interconnectivy but they do need VOICE interconnectivity when they call from one spoke directly to the other one)
MPLS is currently being used for phone traffic.
ISP provider link is used for site-to-site tunnels that traverse the internet and this is the primary path for DATA. Meaning all branch DATA subnets use the site-to-site tunnels as the primary route to reach Branch #1 where all files and databases are located.
I will like to have redundancy in case MPLS network goes down so all VOICE traffic can failover to the L2L tunnels.

My Option #1

Given that there isnt really a HUB-to-Spoke need, I really don;t know if I want to implement DMVPN, although I read great things about it. Plus another reason I might have against DMVPN is the "delay" involved, at least during initialization, that spoke-to-spoke communications have. There is always a dropped packet when a spoke wants to initiate communication with another one.

My Option #2

My other option is just deploy L2L IPSec tunnels between all 4 branches. This is certainly a lot easier to setup than DMVPN although DMVPN can pass routing protocols which I think I will need. But with these plain L2L IPSec tunnels I can also add GRE tunnels and put the routing protocols traffic there as well as any multicast traffic. In addition, I can easily setup some simple IP SLAs that will keep all tunnels UP forever.

Can anyone please help on choosing one over the other one? and/or if I am just OK with doing option #2

thank you in advance

Herbert Baerten · ‎02-21-2012

Hi ciscobigcat

yes, OSPF will send periodic "hello" packets and these will keep the tunnels up at all times.

The numbers you see (143 and 1001) are the "cost" of the path, so (simplified) OSPF will calculate what different paths there are to a destination, and assign a "cost" to each of them (by assigning a cost to each segment of the path, e.g. GigabitEthernet is "lower cost" than Fastethernet, and then adding up the costs of all the segments).

Then it will pick the path with the lowest cost (143 in your case, in normal operation) and insert this into the routing table.

So since the traffic is already going the right way, I'm not sure if you still need any tweaking? Personally I wouldn't add a second routing protocol since that usually makes things more complicated.

For QoS, the important thing is to use "qos pre-classify"

see e.g.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

hth

Herbert

View solution in original post

Herbert Baerten · ‎02-19-2012

Hi ciscobigcat,

with just 4 sites, I would tend to agree that #2 will do. BTW if you do dynamic routing over the GRE/IPsec tunnels then the routing protocol will keep the tunnels up so no need for IP SLA.

However if you plan to add more branches in the future, then DMVPN (or FlexVPN) might make more sense as adding a branch only requires you to configure the new branch router; whereas with option #2 you would have to add a new tunnel to each of the other routers.

In both scenarios you'll need to tweak your routing parameters to specify different preferred paths for voice/data, and you'll probably also want to do QoS over the tunnels and/or on your ISP connection to prioritize the voice traffic when the MPLS is down.

hth

Herbert

ciscobigcat · ‎02-20-2012

Hi Herbert,

Thank you very much for the input. Finally I did go for option 2 and I have been looking into this and you are right, the tunnels seem to stay up all the time. I think this is because the routing protocols are always talking to each and therefore the tunnels stay up.... am I correct on this statement?

For the FlexVPN, I briefly looked at it just to learn about it, and looks like you need a "server" per se??? Can you confirm how this technoology could serve a scenario like the one I had?

As far as the routing protocol go, I have only left it at defaults. I am actually running OSPF and so far is good. All 4 branches communicate smoothly via the MPLS. At any given time under normal circumstances, the local routing tables at any of the branch routers show the routes for the destination. The table contains only one entry per destination. The AD is [110/143]. I assume 110 is because is OSPF but the other number I am not 100% sure. This number varies in some entries.

Now when I shut down the MPLS interface on a branch router, the route entries containing the other branch nutworks drop but within seconds, I'd say 1 second, the routing table obstains those same entries except that the gateway is now the tunnel interfaces for the GRE. And the number next to the network entries changes as well. I mean the 110 stays the same but the other number changes from 143 to a very high number like 1001.

Again, all is smooth but I am not just 100% about those numbers.

But as you can see, I am also using OSPF for the GRE/IPSec tunnels and all is very good.

But like you say, I wish I could tweak the parameters a bit in order to have more control of this. Perhaps adding EIGRP just for the GRE/IPSec tunnels??

An also you are right about the QoS. That is actually my next step. I need to configure QoS on every one of those 4 routers so whenever there is contention, the routers will prioritize the voice packets over the data ones.The MPLS circuits are already doing QoS for the voice traffic.

let me know your inputs and thank you again

Herbert Baerten · ‎02-21-2012

Hi ciscobigcat

yes, OSPF will send periodic "hello" packets and these will keep the tunnels up at all times.

The numbers you see (143 and 1001) are the "cost" of the path, so (simplified) OSPF will calculate what different paths there are to a destination, and assign a "cost" to each of them (by assigning a cost to each segment of the path, e.g. GigabitEthernet is "lower cost" than Fastethernet, and then adding up the costs of all the segments).

Then it will pick the path with the lowest cost (143 in your case, in normal operation) and insert this into the routing table.

So since the traffic is already going the right way, I'm not sure if you still need any tweaking? Personally I wouldn't add a second routing protocol since that usually makes things more complicated.

For QoS, the important thing is to use "qos pre-classify"

see e.g.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

hth

Herbert

ciscobigcat · ‎02-21-2012

Hi Herbert,

thank you for the inputs. It certainly makes a lot more sense now, specially about those tunnels which now stay up all the time.

I have configured many site to site tunnels and customers always asked about some delays when reconnecting after a period of inactivity.... so my answer to that was IP SLAs, which really did the trick, but this thing about dynamic routing protocols I am liking a bit more.... but I am very green on them.

Now for the QoS, I will need to configure this and apply it to my interface that faces the MPLS. But when my MPLS link is down, and my tunnel goes via the IPSEC/GRE, where do I apply it? on the tunnel interface? or on the crypto?

I will read those documents you sent which look good. again thank you for the help.

before I forget, do you have other great links about OSPF, especially the details about the cost of the path?

thanks

ciscobigcat

Kishore Chennupati · ‎05-25-2012

Herbert, I love your Avatar . so cute