Interesting links keep appearing in my Inbox. Thank you, my Twitter friends and all the great bloggers out there! Here’s this week’s collection:

Cores and more Cores… We don’t need them! More is not always better.

Emulating WANs with WANem. I wanted to blog about WANem for at least three years, now I don’t have to; like always, Stretch did an excellent job.

New Year's Resolutions for Geeks Like Me. The ones I like most: Deploy a pure IPv6 subnet somewhere; Put something in public cloud. And there’s “find a mentor” ... more about that in a few months ;)

After all the DMVPN-related posts I’ve published in the last days, we’re ready for the OSPF-over-DMVPN design challenge, but let’s step back a few more steps and start from where every design project should start: deriving the technical requirements and the WAN network design from the business needs.

Do I Need a VPN?

Whenever considering this question, you’re faced with a buy-or-build dilemma. You could buy MPLS/VPN (or VPLS) service from a Service Provider or get your sites hooked up to the Internet and build a VPN across it. In most cases, the decision is cost-driven, but don’t forget to consider the hidden costs: increased configuration and troubleshooting complexity, lack of QoS over the Internet and increased exposure of Internet-connected routers.

Cliffs Notes version (details in the DMVPN webinar):

• Configure ip nhrp multicast-map for the hub on the spoke routers. Otherwise, the spokes will not send OSPF hellos to the hub.
• Use dynamic NHRP multicast maps on the hub router, or the spokes will not receive its OSPF hellos.
• Use broadcast network type on all routers.

Phase 2 DMVPN in a nutshell:

• Multipoint GRE tunnels on all routers.
• NHRP is used for dynamic spoke registrations (like with Phase 1 DMVPN), but also for on-demand resolution of spoke transport addresses.
• Traffic between the spokes initially flows through the hub router until NHRP resolves the remote spoke transport IP address and IKE establishes the IPSec session with it.
• The IP next-hop address for any prefix reachable over DMVPN must be the egress router (hub or spoke). From the routing perspective, Phase 2 DMVPN subnet should behave like a LAN.
• Multicast packets (including routing protocol hello packets and routing updates) are exchanged only between the hub and the spoke routers.
• Routing adjacencies are established only between the hub and the spoke routers unless you use statically configured neighbors.

For more details watch the DMVPN webinar webinar.

This is how you configure OSPF in a Phase 1 DMVPN network (read the introductory post and Phase 1 DMVPN fundamentals first):

Remember:

• Use point-to-multipoint network type on the hub router to ensure the hub router is always the IP next hop for the DMVPN routes.
• Use point-to-multipoint network type on the spoke routers to ensure the OSPF timers match with the hub router.
• The DMVPN part of your network should be a separate OSPF area; if at all possible, make it a stub or NSSA area.
• If absolutely needed, use OSPF LSA flood filter on the hub router and a static default route on the spokes.

For more information, watch the DMVPN Technology and Configuration webinar.

Phase 1 DMVPN in a nutshell:

• Point-to-point GRE tunnel on spoke routers
• Multipoint GRE tunnel on the hub router.
• All the DMVPN traffic (including the traffic between the spokes) flows through the hub router.
• On the spoke routers, the hub router must be the IP next-hop for all destinations reachable through the DMVPN subnet (including other spokes).
• Multicast packets (including routing protocol hello packets and routing updates) are exchanged only between the hub and the spoke routers.

A few days ago I received the following e-mail from one of my readers:

I am trying presently to put in place a DMVPN solution running OSPF. I was wondering if you ever saw a solution with dual hub dual cloud design with OSPF working in practice because since I started I have issue with asymmetric routing because of the OSPF functionality.

Actually, I did… and exactly the same setup is included in the tested router configurations you get with the DMVPN: from Basics to Scalable Networks webinar. While there are many things that can go wrong with DMVPN, I’ve never heard about asymmetric routing problems, so I started to investigate what’s actually going on.

More than five years after the MPLS/VPN-in-mGRE encapsulation was standardized (add a few more years for the work-in-progress and IETF draft stages), it finally debuted in a mainstream-wannabe IOS release running on ISR routers (15.1(2)T), making it usable for the enterprise WAN designers, who are probably its best target audience.

I was writing about the two conflicting MPLS/VPN over mGRE implementations a while ago and got the impression the Service Providers aren’t too excited about this option. No wonder – most of them use full-blown MPLS backbones, so they have no need for GRE tunnels.

Upendra wrote the following comment to my “EEM CLI patterns are not context sensitive” post:

I am totally confused with sync yes|no skip yes|no. What is the mean of sync and skip, when we use these keywords and what is the mean of yes and no.

The online documentation on this topic is pretty extensive, but obviously not explicit enough, so let’s try to reword it.

Jedi Mind Tricks: HTTP Request Smuggling – an intriguing HTTP vulnerability and the countermeasure using ... what else ... F5.

Flailing IPv6 – up to 13% of IPv6 connections fail, mostly due to broken tunnels. Stop tunneling!

Cisco UCS criticism and FUD: Answered – another great article by @bradhedlund. Assuming he’s not making it up, some competitors must be really desperate.

Understanding Inter-Area Loop Prevention Caveats in OSPF Protocol – a masterpiece by @plapukhov. I thought I knew almost everything there is to know about OSPF. Boy was I wrong.

Remember how I was always saying the big picture is important? Here's the wallystic approach:

If you’re building a DMVPN network with large spoke-to-hub ratio, BGP is one of the better options – it has no scalability limitations associated with multicast flooding; the only parameter you have to consider is the number of BGP sessions the hub router can handle (and according to this presentation, ASR can handle 2000+ spokes).

Just before 2010 disappeared, a tweet by my friend Greg @etherealmind Ferro triggered a minor twitstorm. He wrote:

If we had implemented IPv6 ten years ago, would we have MPLS today? I think not.

His tweet contains two major misconceptions:

• MPLS was designed to implement layer-3 VPN services;
• We wouldn’t need VPNs if everyone would be using global IPv6 addresses.

I’ll focus on the first one today; the inaccuracy of the second one is obvious to anyone who was asked to implement MPLS VPNs in enterprise networks to ensure end-to-end path separation between departments or users with different security levels.

John McManus published excellent Remote (in Band) Configuration Tips post on etherealmind.com last week, prompting a “Too bad there isn't a fix for forgetting ‘reload in’” tweet by @mfratto. My immediate reaction was “this should be easy to solve with EEM” ... and it is.

New Year Resolution #1: I shall clean my Inbox on a weekly basis. Here are the links that started gathering dust during the last week:

• It’s amazing how similar the sysadmin problems are to ours: give us CLI, not eye candy, ASCII configurations and APIs. One could only hope the networking vendors would listen as well.
• Moving To The Cloud Is Not Cut And Paste. Some people will try to move their existing broken applications to the cloud. Some people have used screen scrapers to GUIze their existing 3270 SNA applications. The results will probably be the same.
• The Curious Case of the MBO Cloud ... and some people will move to the cloud just to get the yearly bonus. Fantastic motivation; expect pure awesomeness.
• The Recertification Treadmill – great news; I can stop ranting about stupidities in our industry. @networkingnerd is doing a great job.
• Cisco Nexus 7000 connectivity solutions for Cisco UCS – what else would you expect from @bradhedlund but another great UCS/Nexus post.
• Technology Short Take #9 – Another great summary from Scott Lowe.
• An introduction to Net Neutrality. A nice introductory article.
• Q-tools: An approach for discovery and knowledge work – a bit academic, but a must-read.
• Controller-less WLANs – the controller pendulum is swinging.