Cisco Support Community

New Member

OSPF Design

Hi All,

hope you can help



I have a 20-site network and need them all connected. The main office in London holds all servers. All sites need local Internet breakout, and all need to access the main site and maybe some Internet site connections.

Would the best design be GRE/IPsec, then run OSPF?


I'm not sure about the OSPF design here.

Would I put the WAN-facing IP of each site in area 0 and all the spoke LAN interfaces in their own areas, say 1, 2, 3, 4, 5, 6, etc.?

I'm new to OSPF and just wondered if anyone knew the best design. We haven't yet confirmed what router models to use at each site.







Are you running a private-line based network (you order circuits) or over the Internet?

No need to complicate things with 20 sites. With the right-sized router, everything could reside in area 0.

New Member


What does your PER to CER connection look like? Is it OSPF that is then redistributed into your provider's BGP network? Or are you running a layer 2 service between your 20 sites that allows you to set up OSPF logically between those 20 sites? With regard to OSPF design, the number of areas is determined by your ability to handle and propagate changes in the areas. You can isolate those changes by using different areas and/or stub areas. Like the other response pointed out, this can typically be absorbed in newer hardware/models and spare you some complexity and work, or you implement some design and upfront work that will help scale the network and accommodate future change and capacity.

New Member


We will not be using BGP.

We have 10 and 100 Mbps straight Internet connections at each site, provided by our ISP. We just plug our kit in at each site. Just wondering, with 20 sites, what the best design is. We just need all hub sites to communicate with our main office, which has all the servers. How would I design OSPF to accommodate this?

I understand OSPF can get complex. I also understand all areas must connect to the backbone area 0, so I was thinking my main site in area 0 and all the hubs in their own areas? Or could I have every site in area 0?

Super Bronze

Disclaimer


The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.



OSPF areas allow very large topologies.  You didn't note how large the main office or branches would be.


An old OSPF recommendation was no more than 50 routers per OSPF area, but OSPF area sizing is really more dependent on number of links, the physical topology, stability of links and performance of the OSPF routers.  In large enterprises with modern router equipment, OSPF areas often have many more than 50 routers per area.


For your network, one area might be all you need.


As you've described running a VPN over the Internet, you could construct point-to-point tunnels, e.g. GRE or VTI, or you might use a multipoint tunnel, e.g. mGRE or DMVPN. OSPF will see the tunnel as a "link" and happily route traffic across it.


Whether to use encryption is up to you. Obtaining someone else's transit VPN traffic packets on the Internet isn't trivial, unless you have access to the transit equipment. What you do want to ensure is that you follow all best practices for security for your Internet/VPN devices, as they would be a primary attack point.


You can mix Internet VPN and regular Internet access on the same ISP links, but if you do, you cannot really do QoS for your VPN traffic, because the shared regular Internet traffic is a bandwidth unknown. If budget allows, I recommend one ISP connection be devoted to Internet VPN and another devoted to general Internet access.
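To make the design discussed in this thread concrete (one area 0 for all sites, point-to-point GRE tunnels over the Internet, OSPF running across the tunnels, local Internet breakout at each spoke), here is an added example of a Cisco IOS configuration for the London hub and one spoke. It is not from any poster in the thread; the interface names, the addresses (198.51.100.0/29 and 203.0.113.0/29 as ISP WAN ranges, 10.0.0.0/24 and 10.1.0.0/24 as LANs, 10.255.1.0/30 as the tunnel link), the ISP next-hop addresses and the object names (VPN-PROP, VPN-IPSEC, etc.) are all assumed. The GRE tunnel is wrapped in IKEv2/IPsec with tunnel protection, OSPF adjacencies are restricted to the tunnel interfaces and authenticated, and the spoke's default route is a static route that is deliberately not injected into OSPF, so only LAN prefixes travel across the VPN.

```cisco
! ===== London hub (added example; all addresses and names are assumed) =====
! WAN: 198.51.100.1/29 on Gi0/0, LAN: 10.0.0.0/24 on Gi0/1, Spoke 1 WAN: 203.0.113.1
!
! IKEv2/IPsec so the GRE tunnel is encrypted and the peer is authenticated.
crypto ikev2 proposal VPN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy VPN-POL
 proposal VPN-PROP
crypto ikev2 keyring VPN-KEYS
 peer SPOKE1
  address 203.0.113.1
  pre-shared-key <long-random-psk-for-spoke1>
crypto ikev2 profile VPN-IKEV2
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYS
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile VPN-IPSEC
 set transform-set VPN-TS
 set ikev2-profile VPN-IKEV2
!
! One point-to-point GRE tunnel per spoke; OSPF neighbours only across it.
interface Tunnel1
 description GRE/IPsec to Spoke 1
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <ospf-key-spoke1>
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VPN-IPSEC
!
interface GigabitEthernet0/0
 description ISP Internet
 ip address 198.51.100.1 255.255.255.248
interface GigabitEthernet0/1
 description London LAN (servers)
 ip address 10.0.0.1 255.255.255.0
!
! Single area 0 for every site.  passive-interface default stops OSPF hellos
! on the Internet-facing interface and the LAN; only the tunnels adjacency.
router ospf 1
 router-id 10.0.0.1
 passive-interface default
 no passive-interface Tunnel1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.255.1.0 0.0.0.3 area 0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.6
!
! ===== Spoke 1 (mirror image; only the differences from the hub shown) =====
! Same crypto ikev2 proposal/policy, transform-set and ipsec profile as above.
crypto ikev2 keyring VPN-KEYS
 peer HUB
  address 198.51.100.1
  pre-shared-key <long-random-psk-for-spoke1>
crypto ikev2 profile VPN-IKEV2
 match identity remote address 198.51.100.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYS
!
interface Tunnel1
 description GRE/IPsec to London hub
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <ospf-key-spoke1>
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile VPN-IPSEC
!
interface GigabitEthernet0/0
 description ISP Internet
 ip address 203.0.113.1 255.255.255.248
interface GigabitEthernet0/1
 description Spoke 1 LAN
 ip address 10.1.0.1 255.255.255.0
!
router ospf 1
 router-id 10.1.0.1
 passive-interface default
 no passive-interface Tunnel1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.255.1.0 0.0.0.3 area 0
!
! Local Internet breakout: a static default out the ISP link.  It is not
! redistributed into OSPF, so Internet traffic never crosses the tunnel.
ip route 0.0.0.0 0.0.0.0 203.0.113.6
```

Each additional spoke gets its own Tunnel interface, /30, keyring peer and identity match on the hub, with the spoke added to the hub's `no passive-interface` list. The per-spoke pre-shared keys and OSPF keys are placeholders; on IOS releases that support it, `ip ospf authentication key-chain` with an HMAC-SHA key chain is preferable to the MD5 key shown. What this fragment does not include is the firewall policy on each Gi0/0 that the thread's "best practices for your Internet/VPN devices" point refers to: at minimum, IKE (UDP 500/4500) and ESP should be accepted only from the known peer addresses, and everything else inbound that is not a reply to the site's own Internet traffic should be dropped.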
