Need some suggestions on this network design

Difan Zhao
Level 5

Hi experts,

I have a request to optimize a network for a client. The following is the network diagram. It has 3 branches. Branch #2 has redundant serial links and routers. They are experiencing insufficient bandwidth to branch #1 and #2 and don't want to invest in bigger private lines. So I suggested IPsec VPN, or more specifically, DMVPN. My purpose is to build fully meshed connections between the HQ distribution routers and each branch router(s). Branch #3 doesn't have a direct connection to HQ. Their employees run Cisco VPN client software individually to connect to ASA firewalls (not drawn in the diagram) at HQ. I want to use this DMVPN to bring in their network as well.

[Attachment: Office network redesign.jpg]

I guess my questions are mostly about how to configure OSPF for this network. Currently no DMVPNs are in place. Each branch is in its own OSPF area. The routers at the branches are the ABRs (I know that usually the distribution routers should be the ABRs). They want to keep the IP scheme for each branch/area.

So I think I have the following options:

1. Set up the network the same way as shown in the above diagram. All the WAN links are in area 0. This setup will require the least configuration. However, it might be a bad idea to put this many unstable VPN links in area 0.

2. Move the WAN links out of Area 0 so that the distribution Rtrs will be the ABRs. However, in this case all the branches have to belong to the same area because the DMVPN tunnel interfaces on the distribution routers will each have connections to all branch routers. Since one interface/subnet can only belong to one area, the result will be that all the branches will have to be in the same area. (Will this necessarily be bad? I mean, when one WAN link at one site flaps, will it affect other branch connections to the HQ since they are all in the same area?)

3. Don't use DMVPN. Use point-to-point GRE over IPsec VPN. Then there will be individual tunnel interfaces for each branch connection, and each branch and its WAN links will still belong to their own area. The only problem is that I need to get the branches to use static public IPs.

So I guess my question is, which option will you choose and why? Is there a better solution? I don't care how much config change I have to make. I just want to make the network design right.

Thanks,

Difan
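As an added example (not configuration from the original post or from Cisco), this is what option 2 looks like in Cisco IOS: one mGRE DMVPN tunnel per hub, so every spoke lands in a single non-backbone area and the hub becomes the ABR. The addresses (192.0.2.1 hub public, 10.255.0.0/24 tunnel subnet, 10.10.0.0/16 branch space, area 10), interface names and key names are assumptions.

```cisco
! Hub Rtr1 (HQ distribution router).
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME address 0.0.0.0   ! wildcard PSK because spokes have dynamic IPs; certificates are the stronger choice
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic        ! replicate OSPF hellos to every registered spoke
 ip nhrp network-id 1
 ip ospf network point-to-multipoint  ! one tunnel = one subnet = one area, which is why option 2 merges the branches
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router ospf 1
 router-id 10.0.0.1
 network 10.255.0.0 0.0.0.255 area 10   ! all spokes share area 10
 network 10.0.0.0 0.0.255.255 area 0    ! HQ side (incl. the Rtr1-Rtr2 link) stays in area 0
 area 10 range 10.10.0.0 255.255.0.0    ! prefix-level flaps inside area 10 stay behind this summary
!
! Spoke (branch #1). Crypto section is identical to the hub's, with the hub's public IP in the key line.
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router ospf 1
 network 10.255.0.0 0.0.0.255 area 10
 network 10.10.1.0 0.0.0.255 area 10    ! branch LAN also moves into area 10 (no longer its own area)
```

For Rtr2 as a second hub in the same cloud, give it 10.255.0.2 and add a second `ip nhrp map` / `ip nhrp nhs` pair on each spoke. Option 3 reuses the same crypto profile on per-branch point-to-point GRE tunnels, each of which can then be placed in that branch's own area.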


Lei Tian
Cisco Employee

Hi Difan,

I will consider using EIGRP as the RP for DMVPN. The reason is simple: with EIGRP, you can do summarization and filtering anywhere you want, and it scales better than OSPF. If OSPF is a must, I will prefer option 2. Yes, "when one WAN link at one site flaps, it will affect other branch connections to the HQ since they are all in the same Area", but the same is true for option 1. Do you want to have all the unstable links in area 0 or in another area?

HTH,

Lei Tian

Hi Lei Tian,

Thanks for the response!

The whole HQ network is running OSPF and I can't touch them. So if I use EIGRP I will have to do the redistribution on the routers Rtr1 and Rtr2. I guess all the serial links will have to be in the EIGRP domain as well. Do you foresee any issues if I do redistribution for all the remote sites? I also assume that the link between Rtr1 and Rtr2 should still belong to Area 0 of OSPF, correct?

What about option 3? The more I think about this option, the more I like it. I just have to create 2 tunnel interfaces on Rtr1 and 3 on Rtr2 to achieve the full mesh. Not too much work, and I can still put each remote site in its own area. So if one site has links flapping, it won't affect other remote sites.

So in summary, I guess it's not recommended to run OSPF with DMVPN, correct??

Thanks!

Difan

Hi Difan,

That is correct. If you want to run 2 RPs, then redistribution is needed. However, no mutual redistribution is required. You can have the hub redistribute EIGRP into OSPF and only advertise the default to all remotes, and configure all remotes as stubs.

For option 3, you won't have spoke-to-spoke communication like DMVPN has, and every time you add a new remote you need to create a new subnet on the hubs. If that is not a problem, then yes, option 3 is good too.

Yes, in summary EIGRP is a better RP with DMVPN.

HTH,

Lei Tian
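The design Lei Tian describes above (EIGRP on the DMVPN, hub sends only a default route to stub spokes, one-way redistribution into the HQ OSPF) as an added Cisco IOS configuration example, not from the original post or from Cisco. It assumes the DMVPN tunnel and addressing already exist: EIGRP AS 100, tunnel subnet 10.255.0.0/24, branch prefixes inside 10.10.0.0/16, HQ OSPF process 1; the key-chain name and key string are placeholders.

```cisco
! Hub Rtr1 (Rtr2 identical). Tunnel0 is the existing mGRE DMVPN interface.
key chain EIGRP-KEYS
 key 1
  key-string CHANGE-ME
!
interface Tunnel0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0 250  ! spokes get one default and nothing else;
                                                   ! AD 250 stops the summary's Null0 discard route from beating the hub's real default
 ip nhrp redirect                                  ! DMVPN phase 3: spoke-to-spoke still works with a default-only RIB
 ip hello-interval eigrp 100 10
 ip hold-time eigrp 100 30
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
!
ip prefix-list BRANCH-NETS seq 10 permit 10.10.0.0/16 le 24
route-map EIGRP-TO-OSPF permit 10
 match ip address prefix-list BRANCH-NETS         ! only branch prefixes leak into OSPF
!
router ospf 1
 redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF
! No "redistribute ospf" under router eigrp: one-way redistribution, so Rtr1/Rtr2 cannot form an OSPF<->EIGRP loop
!
! Spoke (branch #1)
key chain EIGRP-KEYS
 key 1
  key-string CHANGE-ME
!
interface Tunnel0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 ip nhrp shortcut                                  ! pairs with the hub's "ip nhrp redirect"
 ip hello-interval eigrp 100 10
 ip hold-time eigrp 100 30
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.10.1.0 0.0.0.255                       ! branch LAN
 passive-interface default
 no passive-interface Tunnel0
 eigrp stub connected                              ! hub never queries the spoke; a spoke flap stays local to that spoke
```

Because the spokes only ever see a default route, a link flap at one branch changes nothing in any other branch's routing table, which answers the area-wide flap concern from the original post without OSPF areas at all.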

The opinion that EIGRP scales "much better" than OSPF because you can "summarize where you want" is something personal and very debatable. You will actually find a bigger number of OSPF deployments among designs by experienced network architects.

The matter of flaps, number of routes, etc. is often very exaggerated. Routers and links of today have no problem handling tens of thousands. The design given at the beginning of this thread is very small; any and all routing protocols will work.

Hi Paolo,

Thanks for sharing your opinion. So which way will you go if we stick with OSPF? I had 3 options listed in my original post. Which way do you like the best? If you have a better one, please let me know too!

Thanks,
