Michael Klose left an interesting remark on my Regional Internet Exits in Large DMVPN Deployment blog post saying…
Would BGP communities work? Each regional Internet Exit announce Default Route with a Region Community and all spokes only import default route for their specific region community.
That approach would definitely work. However, you have to decide where to move the complexity.
Before reading the rest of this blog post, I’d recommend you read the original one.
In my proposed design, the hub routers need to know which spoke routers reside in the same region, and use different route maps for in-region spokes. In Michael’s design the hub routers don’t differentiate between the spokes but you need different configurations on spoke routers.
There’s no right-or-wrong here. Michael’s design keeps the hub router configuration simple, but requires slight modifications to spoke routers. You might want to avoid that if you’re deploying a large network and want to unify the spoke configurations as much as possible.
My design assumes that you can split spoke routers into in-region and out-of-region groups on the hub routers. You could do that by using explicit BGP neighbors, or ACLs with dynamic BGP neighbors to classify spokes. You could make ACLs simple with a good addressing plan, which might then limit your growth (if you get too many spokes in one region).
Michael’s design makes it simple to move spokes between regions. Don’t even try to do that in my design without readdressing the spoke (you don’t want to deal with lengthy ACLs).
Which alternative should you use? How about the third way: building router configurations from a simple data model? Once you go down that path, you could stop caring about details I’m discussing in this blog post because it’s very simple to switch from one deployment model to another by changing the configuration templates. For more details, watch the Ansible for Networking Engineers webinar (in particular the DMVPN Case Study sections and Using NAPALM with Ansible section).
Oh, and of course you could hide the complexity behind an SD-WAN façade, or buy a controller or orchestration system that does that for your more traditional network from your favorite $startup or $vendor. Just keep in mind that you can’t avoid the complexity, you can only hide it (abstract tends to be the buzzword du jour).