More OSPF-over-DMVPN questions

After weeks of waiting, perfect summer weather finally arrived ... and it’s awfully hard to write blog posts that make marginal sense when being dead-tired from day-long mountain biking, so I’ll just recap the conversation I had with Brian a few days ago. He asked: “How would I set up a (dual) hub running OSPF with phase 1 spokes and prevent all spoke routes from being seen at other spokes? Think service provider environment.”

If you want a scalable DMVPN environment, you have to put numerous spokes connected to the same hub in a single IP subnet (otherwise you’ll end up with point-to-point tunnels). That subnet is a single OSPF interface on the hub and thus belongs to a single OSPF area, and OSPF floods every LSA to all routers in the area, so the spokes would see each other’s LSAs. The only mechanism to stop the LSA propagation through the hub router is the OSPF database filter (ip ospf database-filter all out on the hub’s tunnel interface), but then the spokes would receive no routes from the hub at all – you would have to configure static routes on them.

Static default routes on spokes are easy to implement if you have a single hub. In a dual-hub environment you can use either reliable static routing (static routes tied to IP SLA results through object tracking, see my Small Site Multihoming articles for more details) or the tunnel health monitoring feature (if-state nhrp) introduced in IOS release 15.0(1)M. This feature brings down the DMVPN tunnel interface (and makes all the static routes using that tunnel disappear from the IP routing table) if the spoke’s NHRP registration with the hub fails, so it’s safe to use simple static default routes pointing to both hubs. Use a separate tunnel interface per hub on the spoke: with both hubs reachable through a single mGRE interface, the interface stays up as long as any hub answers NHRP registrations, and the static route pointing at the failed hub stays in the routing table.
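The hub-side database filter and the spoke-side static defaults described above, written out as an added IOS configuration example (this is not configuration from the original post or from the webinar materials it mentions). Addresses, interface names, tunnel keys and the IPsec profile name DMVPN are assumptions; the profile itself (transform set, IKE policy and keys) is assumed to be defined elsewhere. The spoke is given one point-to-point GRE tunnel per hub, so that each default route is withdrawn independently when its hub becomes unreachable.

```text
! --- Hub 1 (hub 2 is identical apart from its addresses, tunnel key 2
!     and network-id 2; the spoke reaches it through Tunnel1) ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network point-to-multipoint
 ! Stop flooding LSAs towards the spokes. The spokes' own LSAs still
 ! reach the hub, so the hub keeps a full view of all spoke prefixes.
 ip ospf database-filter all out
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0

! --- Spoke: one point-to-point GRE tunnel per hub (Phase 1) ---
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication dmvpn
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip ospf network point-to-multipoint
 ! Tunnel health monitoring (15.0(1)M): the line protocol goes down when
 ! NHRP registration with the NHS fails, taking the static route with it.
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel key 1
 ! "shared" is needed because both tunnels use the same tunnel source
 tunnel protection ipsec profile DMVPN shared
!
interface Tunnel1
 ip address 10.0.1.11 255.255.255.0
 ip nhrp authentication dmvpn
 ip nhrp map 10.0.1.1 192.0.2.2
 ip nhrp network-id 2
 ip nhrp nhs 10.0.1.1
 ip ospf network point-to-multipoint
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel key 2
 tunnel protection ipsec profile DMVPN shared
!
router ospf 1
 ! The spoke still advertises its LAN (192.168.11.0/24, assumed) and the
 ! tunnel subnets to the hubs; it just receives nothing back.
 network 10.0.0.0 0.0.1.255 area 0
 network 192.168.11.0 0.0.0.255 area 0
!
! One static default per hub, each bound to its own tunnel interface
ip route 0.0.0.0 0.0.0.0 Tunnel0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 Tunnel1 10.0.1.1
```

To check the result: show ip route ospf on the spoke should be empty and show ip route static should list both defaults, while show ip route ospf on either hub still shows every spoke LAN. Shut down one hub’s tunnel (or its WAN interface) and watch show ip nhrp nhs detail on the spoke: once the registration to that hub fails, the matching tunnel’s line protocol goes down and only the other default remains in the routing table.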

However, OSPF is the least scalable protocol for the DMVPN environment because the hub has to maintain a full adjacency (periodic hellos, LSA flooding and retransmissions) with every spoke. If you plan to have more than a few hundred spokes, you should consider EIGRP, passive RIP or BGP (see my DMVPN scalability post for more details).

And now I’m off to another “field trip” day, this time hiking with my lovely wife (this is the most probable destination).

More information

My DMVPN: from basics to scalable networks webinar (recording) describes how you’d run OSPF, EIGRP, RIP, passive RIP and BGP in Phase 1, 2 and 3 DMVPN networks. The New DMVPN features in IOS release 15.x webinar (recording) describes tunnel health monitoring and all the other great features added to DMVPN in recent IOS releases. When buying the webinar recordings, you'll get tons of tested router configurations covering various DMVPN deployment scenarios (including almost every feature I've mentioned in this post). Both webinars are also available as part of the yearly subscription.

3 comments:

  1. Hi gurus,


    a) I am going to be deploying 50 - 100 spoke DMVPN sites and could go. It is going to be a dual hub configuration. Some of these sites will just be DMVPN spokes, and for others the DMVPN is going to be a backup tunnel to our MPLS cloud. Currently the MPLS is running over OSPF, which is getting redistributed via BGP in the ISP world, therefore the routes I get are external E1 OSPF advertised routes.
    b) I would also like the dual hub to have a DMVPN tunnel between them, as a backup between the hubs in case the MPLS WAN drops.

    I'm in need of some good advice and thoughts about selecting the right routing protocol, EIGRP or OSPF.
    So anyone with experience and hands-on knowledge on such an installation - please feel free to comment on "goods and bads" regarding the two routing protocols :-)

    Questions:

    1) What would be the recommended protocol for 50 to 100 tunnels, but keeping in mind these sites can grow so scalability is key ?
    2) With External Type 1 OSPF routes being advertised, the E1 routes are required to be primary and the DMVPN redundant. Which routing protocol can handle this best, with EIGRP being administrative distance 90 and OSPF 110? What is the best way to influence the metric in this scenario?
    3) Our standard is using OSPF, therefore I would prefer to stick with OSPF for DMVPN, but handling internal vs external routes could be a challenge as DMVPN would be internal routes?
    4) OSPF could have scalability issues, metric preference issues ? What are your thoughts ?

    Thanks

  2. Ivan Pepelnjak, 21 August 2011, 21:11

    Hi SK,

    You'll find answers to some of these questions in my DMVPN webinar

    http://www.ioshints.info/DMVPN

    If you'd like me to evaluate/discuss your design with you, there's always the ExpertExpress option:

    http://www.ioshints.info/ExpertExpress

    Ivan

  3. Thanks. I am purchasing your DMVPN Webinar to validate my configs. I do have it all configured in a lab, running OSPF on the internal network, redistributed to EIGRP for DMVPN and running FVRF and IVRF for the DMVPN routers. When in production, MPLS is running OSPF - E1, and need to make sure it gets the preference over DMVPN.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.