More OSPF-over-DMVPN Questions

After weeks of waiting, perfect summer weather finally arrived … and it’s awfully hard to write blog posts that make marginal sense when being dead-tired from day-long mountain biking, so I’ll just recap the conversation I had with Brian a few days ago. He asked:

How would I set up a (dual) hub running OSPF with phase 1 spokes and prevent all spoke routes from being seen at other spokes? Think service provider environment.

If you want to have a scalable DMVPN environment, you have to put numerous spokes connected to the same hub in a single IP subnet (otherwise, you’ll end up with point-to-point tunnels), which also means they have to be in a single OSPF area and would thus see each other’s LSAs.

The only mechanism to stop LSA propagation through the hub router is the OSPF database filter configured on the hub router, but then the spokes would receive no routes from the hub at all – you would have to configure static routes on them.

Static default routes on spokes are easy to implement if you have a single hub. In a dual-hub environment, you can use either reliable static routing (static routes based on IP SLA results, see my Small Site Multihoming articles for more details) or the tunnel health monitoring feature introduced in IOS release 15.0M. This feature brings down a DMVPN tunnel (and makes all the static routes using that tunnel disappear from the IP routing table) if the spoke cannot reach the hub through NHRP, so it’s safe to use simple static default routes pointing to both hubs.

However, OSPF is the least scalable protocol for the DMVPN environment due to its router adjacency handling. If you plan to have more than a few hundred spokes, you should consider EIGRP, passive RIP, or BGP (see my DMVPN scalability post for more details).
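
The hub-side database filter and the spoke-side static defaults described above, sketched as an IOS configuration (an added example, not configuration from the original post). All addresses, interface names, OSPF process and area numbers and NHRP network IDs are constructed; the sketch assumes one point-to-point GRE tunnel per hub on the spoke, an ISP next hop of 203.0.113.1, and leaves out IPsec tunnel protection.

```cisco
! ---- Hub 1 (Hub 2 is the same, using tunnel subnet 10.0.1.0/24) ----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip ospf network point-to-multipoint
 ! Accept LSAs from the spokes, flood nothing back to them
 ip ospf database-filter all out
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 1
!
! ---- Spoke (Phase 1: point-to-point GRE tunnel to each hub) ----
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip ospf network point-to-multipoint
 ! Tunnel health monitoring: interface goes down when NHRP cannot reach the hub
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
!
interface Tunnel1
 ip address 10.0.1.11 255.255.255.0
 ip nhrp network-id 2
 ip nhrp nhs 10.0.1.1
 ip ospf network point-to-multipoint
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
!
router ospf 1
 network 10.0.0.0 0.0.1.255 area 1
 network 172.16.11.0 0.0.0.255 area 1
!
! Host routes to the hub transport addresses, so the tunnel endpoints never resolve through the tunnels
ip route 192.0.2.1 255.255.255.255 203.0.113.1
ip route 198.51.100.1 255.255.255.255 203.0.113.1
! Static defaults toward both hubs; each disappears when its tunnel goes down
ip route 0.0.0.0 0.0.0.0 Tunnel0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 Tunnel1 10.0.1.1
```

On the spoke, `show ip ospf database` should then list only its own LSAs, while the hub still holds the LSAs of every spoke.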


  1. Hi gurus,

    a) I am going to be deploying a 50 - 100 spoke DMVPN sites and could go. It is going to be a dual hub configuration. Some of these sites will just be dmvpn spokes, and others, the dmvpn is going to be a backup tunnel to our MPLS cloud. Currently the MPLS is running over OSPF, which is getting redistributed via BGP in the ISP world, therefore the routes I get are external E1 OSPF advertised routes.
    b) I would also like the dual hub to have a dmvpn vpn tunnel between them, so as a backup between the hubs in case the MPLS WAN drops.

    I'm in the need of some good advice and thoughts about selecting the right routing protocol, EIGRP or OSPF.
    So anyone with experience and hands-on knowledge on such an installation - please feel free to comment on "goods and bads" regarding the two routing protocols :-)


    1) What would be the recommended protocol for 50 to 100 tunnels, but keeping in mind these sites can grow so scalability is key ?
    2) With External Type 1 OSPF routes being advertised, the E1 routes are required to be primary and the DMVPN redundant. Which routing protocol can handle this best with EIGRP being metric 90 and OSPF 110. What is the best way to influence metric in this scenario ?
    3) Our standard is using OSPF, therefore would prefer to stick with OSPF for DMVPN, but handling internal v/s external routes could be a challenge as DMVPN would be internal routes ?
    4) OSPF could have scalability issues, metric preference issues ? What are your thoughts ?

  2. Hi SK,

    You'll find answers to some of these questions in my DMVPN webinar

    If you'd like me to evaluate/discuss your design with you, there's always the ExpertExpress option:

  3. Thanks. I am purchasing your DMVPN Webinar to validate my configs. I do have it all configured in a lab, running OSPF on the internal network, redistributed to EIGRP for DMVPN and running FVRF and IVRF for the DMVPN routers. When in production, MPLS is running OSPF - E1, and need to make sure it gets the preference over DMVPN.