
Combining DMVPN with Existing MPLS/VPN Network

One of the Expert Express sessions focused on an MPLS/VPN-based WAN network using OSPF as the routing protocol. The customer wanted to add DMVPN-based backup links over the Internet and planned to retain OSPF as the routing protocol. Not surprisingly, the initial design was full of complex kludges (see the case study for more details).

Having a really smart engineer on the other end of the WebEx call, I had to ask a single question: “Why don’t you use BGP everywhere?” After a short pause I got back the expected reply: “Wow ... now it all makes sense.”
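To make the “BGP everywhere” idea concrete, here is an added illustration of what a spoke and the hub could look like on Cisco IOS. It is not a configuration from the case study; the AS numbers (65000 for the MPLS/VPN provider, 65001 for the hub, 65101 and up for the spokes), the addresses and the interface names are all assumptions made for this example, and the IPsec profile referenced by the tunnel is assumed to be defined elsewhere. Every site is its own BGP autonomous system and runs eBGP with both the MPLS/VPN PE router and, over the DMVPN tunnel, the hub; a single inbound route-map on the PE session raises local preference so the MPLS/VPN path wins everywhere (including spoke-to-spoke traffic) and the Internet path is used only when the primary path disappears.

```cisco
! ===== Spoke router (assumed: AS 65101, LAN 10.1.1.0/24) =====
interface Tunnel0
 description DMVPN spoke tunnel over the Internet
 ip address 172.16.0.11 255.255.255.0
 ip nhrp network-id 1
 ! Hub tunnel address 172.16.0.1 behind assumed public address 198.51.100.1
 ip nhrp nhs 172.16.0.1 nbma 198.51.100.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
router bgp 65101
 bgp log-neighbor-changes
 ! Advertise the site LAN on both sessions
 network 10.1.1.0 mask 255.255.255.0
 ! Primary path: MPLS/VPN PE (assumed PE address 192.0.2.2, provider AS 65000)
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 description MPLS/VPN PE
 neighbor 192.0.2.2 route-map MPLS-IN in
 ! Backup path: DMVPN hub reached over Tunnel0, keeps default local preference 100
 neighbor 172.16.0.1 remote-as 65001
 neighbor 172.16.0.1 description DMVPN hub
!
! Routes learned from the MPLS/VPN PE win over the same routes learned via DMVPN
route-map MPLS-IN permit 10
 set local-preference 200

! ===== Hub router (assumed: AS 65001, LAN 10.0.0.0/16) =====
router bgp 65001
 bgp log-neighbor-changes
 network 10.0.0.0 mask 255.255.0.0
 ! Same preference rule as on the spokes: MPLS/VPN first, DMVPN as backup
 neighbor 192.0.2.6 remote-as 65000
 neighbor 192.0.2.6 description MPLS/VPN PE
 neighbor 192.0.2.6 route-map MPLS-IN in
 ! Spokes come up dynamically from the tunnel subnet; every spoke has its own AS,
 ! so the hub can re-advertise one spoke's prefixes to the others without as-override
 bgp listen range 172.16.0.0/24 peer-group SPOKES
 neighbor SPOKES peer-group
 neighbor SPOKES remote-as 65101 alternate-as 65102 65103 65104 65105
 neighbor SPOKES description DMVPN spokes
!
route-map MPLS-IN permit 10
 set local-preference 200
```

With this setup a spoke sees another spoke's prefix twice: once from the PE (local preference 200) and once via the hub (local preference 100, longer AS path), so spoke-to-spoke traffic stays on MPLS/VPN as long as the provider carries the prefix and falls back to the hub-and-spoke Internet path otherwise. There is no redistribution, no second routing process and no LSA-type arithmetic to reason about; the failover behaviour is fully described by one route-map.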


  1. Hi Ivan,

Is the yearly subscription required to have access to the case study?

    Thank you
  2. Very interesting scenario.

    Regarding this paragraph:

    "While the network designers and operations engineers would have to master a new technology (on top of DMVPN) before production deployment of the Internet VPN, the reduced complexity of BGP-only WAN design more than offsets that investment."

Could you please expand a bit more on the advantages that you see in going BGP-only in this case? How does this reduce the complexity?

IMO this case study could be a very interesting topic to complement your DMVPN webinar, especially the whole design thinking process and the caveats during implementation in a practical scenario.

    Thank you!
"IMO this case study could be a very interesting topic to complement your DMVPN webinar."

      Good suggestion. Thank you!
    2. Ivan,

How can I get access to the case study? Do we need to subscribe to any of your webinars, or do we need a yearly subscription?

    3. You get it with the yearly subscription or with the DMVPN Designs webinar. Thinking about a separate product, but won't happen for a week or two.
  3. Ivan, great case study!

    I think that it would be possible to use OSPF without creating different processes or injecting additional externals:

- Area 51 would be a totally stubby NSSA.
- The CE in the remote site would redistribute the routes from BGP into OSPF.
- The ABR for the Internet connection would inject the 0/0 into the remote site.
- The ABR for the Internet connection would filter the externals generated by the CE in the remote site.
- The ABR would also summarize the routes from the remote site.
- The CEs at the remote sites should filter the summaries that the ABRs are generating.

The remote site would prefer the specific externals over the 0/0, which would be used just for backup purposes.

The central site would prefer the routes from MPLS/VPN, even though they are LSA type 5 and the other ones via the Internet are LSA type 3, due to the longest-match rule as well.

But, as you said, I see that it would be easier to use BGP as the WAN protocol.
Interesting approach ... it might sort of work both with MPLS/VPN as the primary transport and afterwards (change the NSSA into a regular area).

      However, you'd either need multiple routing processes on hub routers (one per site) or it would be impossible to force spoke-to-spoke traffic to go over MPLS/VPN (intra-area links are always preferred).

      I "solved" it with three OSPF processes (hub, WAN, spoke) and two-way redistribution and although I can make it work (and I'm positive you can as well), it totally stinks.