With 10 sites it is wise to use DMVPN instead of relying on multiple point-to-point GRE tunnels over IPsec.
In any case I would suggest having a GRE layer and not using IPsec directly, so that you can use a dynamic routing protocol over the tunnel(s).
Some care is needed at the central site to avoid having secondary routes preferred over MPLS VPN sites:
if the PE-CE protocol is eBGP, the WAN edge router needs to redistribute into the IGP used in the central site.
The DMVPN hub router should be a distinct device and should redistribute into the IGP the routes learned over the DMVPN cloud.
To design this correctly, a different IGP has to be used on the DMVPN in order to create a need for redistribution into the central site IGP at the DMVPN hub device. The seed metric of the redistributed routes has to be higher than those used by the MPLS WAN edge router in the central site, so that the primary link over MPLS is used as long as it is alive.
At a remote site, if there is only one router and it has an eBGP session with the PE node and an IGP neighborship over the DMVPN, because of the lower AD of eBGP routes it prefers the MPLS path as desired.
Note that another dimension that can be used to build the desired hierarchy of routes and paths is route summarization over the secondary paths, so that the most specific routes over primary paths are used first if available.
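An added configuration sketch of the central-site design described in the answer above; it is not part of the original post. It assumes OSPF as the central-site IGP and EIGRP as the IGP over the DMVPN, and the AS numbers, process IDs, metrics and the 10.0.0.0/8 summary are constructed values.

```cisco
! Constructed example: AS numbers, process IDs, metrics and prefixes
! are assumptions chosen for illustration.
! Assumed design: OSPF 1 = central-site IGP, EIGRP 100 = IGP over DMVPN.
!
! --- Central-site MPLS WAN edge router (eBGP session to the PE) ---
router ospf 1
 ! Primary path: low seed metric for routes learned from the MPLS VPN
 redistribute bgp 65010 subnets metric 100 metric-type 2
!
! --- Central-site DMVPN hub (a separate device) ---
interface Tunnel0
 ! Secondary path: advertise only a summary towards the spokes, so the
 ! more specific routes learned over MPLS win by longest match
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0
!
router ospf 1
 ! Backup path: seed metric higher than the one the WAN edge uses.
 ! Both are type 2 externals, so OSPF prefers the lower metric (MPLS)
 ! and falls back to the DMVPN routes only when the MPLS ones are gone
 redistribute eigrp 100 subnets metric 1000 metric-type 2
```

On a central-site router, `show ip route` for a remote prefix should list the WAN edge as next hop while the MPLS link is up, and the DMVPN hub only after it fails.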