I'm building an IPsec VPN with Virtual Tunnel Interface (VTI) and I added
dynamic routing in the tunnels with OSPF.
Hardware used: ISR 3825 HSEC/K9
I have about 50 peers in this VPN connected in a full mesh over the Internet.
We use OSPF in point-to-point mode, so no DR or BDR.
All these peers are in area 0.
Right now we have about 600 routes broadcast in our network.
First question: my next step is to add backup links for these peers, so
we could be at more than 100 peers in area 0. Is it possible? What's
the limit? What's the best solution in your view?
Second question: I tried to ban relays with OSPF but "distribute-list
out" doesn't work; I needed to use ACLs (out) on each tunnel
interface... but it's not great because I deny data when it appears on my
router whereas it would be better to stop it on the first router.
In summary, I would like to choose which networks I want to dispatch and
ban all others (even relayed OSPF).
1. There are no hard limits. As long as CPU utilization is reasonable, you can do that.
2. You cannot filter like that with OSPF. If you need such filtering, use RIP or EIGRP.
We need to distinguish between 100 neighbors on the same device and 100 routers in the same area.
There are stricter limits for OSPF neighbors on a single device.
OSPF allows route filtering of only internal routes and only at area borders.
You should move to a multi-area design, and you can put remote sites and tunnel interfaces in totally stubby areas.
However, if two remote sites are placed in the same area they see each other's routes.
This comes from the link-state nature of OSPF, which requires that the database be the same on all nodes in the same area.
Distribute-list can only be used to decide which prefixes are installed in the IP routing table on the local node, but it doesn't allow filtering of the flooding.
You may consider using EIGRP instead if you want fine control over routes.
Hope this helps
Thanks for your replies
About scalability, if I summarize what I want now:
40 routers in a full-mesh VPN, so 39 neighbors on each router, in point-to-point mode (no DR or BDR)
=> each router is an ASBR
and these 40 routers are in area 0
now I would like to back up all links => 80 routers still in area 0
About filtering routes, OK, understood.
Thanks for your help
40 routers in full mesh with point-to-point mode and 39 neighbors on each router.
I would think of partitioning the full mesh into 4 clouds, for example, if you use DMVPN.
Note that if they are ASBRs, that is, they inject external routes, OSPF filtering capabilities are limited to the use of OSPF NSSA areas.
Hope this helps
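The two replies above describe the only OSPF filtering that really works here: a multi-area design with remote sites in totally stubby (or, when the site is an ASBR, NSSA) areas, while a distribute-list only affects the local routing table and never the flooding. The IOS configuration below is an added illustration of that advice, not a configuration from this thread; the tunnel addresses, site prefix, area number, profile name and prefix-list name are all assumed values, and it assumes one router acts as the ABR for the site's area.

```ios
! --- Remote site router (constructed example) ---
interface Tunnel10
 ip address 10.255.10.2 255.255.255.252
 ip ospf network point-to-point
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router ospf 1
 router-id 10.255.10.2
 ! Totally stubby area: only a default route is injected by the ABR,
 ! so the other sites' prefixes never enter this site's LSDB at all.
 area 10 stub no-summary
 network 10.255.10.0 0.0.0.3 area 10
 network 192.168.10.0 0.0.0.255 area 10
!
! --- ABR side (the router terminating this site's tunnel) ---
router ospf 1
 area 10 stub no-summary
 ! Summarise the site's prefix towards the backbone.
 area 10 range 192.168.10.0 255.255.255.0
 ! A distribute-list only decides what the LOCAL router installs in
 ! its routing table; the LSAs are still flooded to every neighbour
 ! in the same area, so this does not stop relaying.
 distribute-list prefix ALLOWED in
!
ip prefix-list ALLOWED seq 10 permit 192.168.0.0/16 le 24
!
! If the remote site redistributes external routes (it is an ASBR),
! a stub area is not permitted; use an NSSA instead and filter or
! summarise the Type-7 routes at the ABR:
! router ospf 1
!  area 10 nssa no-summary
```

Two sites placed in the same area still see each other's routes, as the reply notes; the filtering above only limits what crosses the area border.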
I can't partition; there is no hub in my system and I don't want a hub.
I don't use DMVPN; I use static VTI IPsec on each router.
+ behind each router, I use a piece of RFC1918 space (no overlapping), about 15 networks, not summarizable.
The question is more: is it possible to put in area 0... let's say 100 routers configured as I said before on 3825s? And why?
What's the limit and how can I build that without creating some hubs?
We need to distinguish between having N routers in the same area and having all these routers in the same LAN segment/IP subnet.
The practical limit for a DR/BDR segment is 50 routers.
Using point-to-point overloads devices in comparison to having a broadcast network.
It causes all devices to build N-1 adjacencies.
Instead, having 100 routers in the same area but not all in the same segment (real or logical) is a different matter.
I think the following document can help:
I see the VTI solution explained in it.
However, all these solutions fit in a hub-and-spoke topology, as you can see in the pictures.
Hope this helps
Yes, I read all the comments, thx.
I also asked TAC and you are right; the problem is not the number but CPU usage on the router when there is a big change in network topology or if one peer goes down and then comes back.
Today's routers are fast; the OSPF calculation is not so intensive after all.