moving to OSPF

MehulCho
Level 1

We have several branch offices currently set up in a hub-and-spoke fashion to the central one, with all static routes on IPSEC tunnels. We would like to move to a full mesh network with OSPF and get rid of static routes. What is the best way to do this without affecting the traffic flow? Can static routes co-exist with OSPF during this transition? I am looking for high-level conceptual ideas. I would like to do this one site at a time.

Thanks!

7 Replies

Hard task.
Now:

Is there spoke-to-spoke connection?
Why do you not run DMVPN?
Why did you select OSPF, not EIGRP?

Yes, you can implement OSPF without affecting static routes, as their AD is 1 and OSPF AD is 110. However, the OSPF routes need to be exactly what the static routes/mask are, because the rule of routing is: only if the routes are the same do you move to the next selection criterion, which would be AD.


As @MHM Cisco World mentioned, if you are trying to implement DMVPN for spoke-to-spoke communication then EIGRP would be easier. If you still need OSPF, then your connections from spoke to hub need to be in the same Area, the DR needs to be at the hub with no chance of the spokes becoming DR, and you need to be careful about what Area you put at the spoke locations, where you could run into incomplete routing.

-David
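As an added illustration of David's point above (example code, not part of the thread), here is a small route-selection model that applies longest-prefix match before administrative distance; the prefixes and tunnel names are constructed. It shows a same-mask OSPF route sitting behind the static route until the static is withdrawn, and an OSPF route with a different mask pulling traffic before the cutover.

```python
from ipaddress import ip_address, ip_network

# Administrative distances as stated in the thread: static 1, OSPF 110.
AD = {"static": 1, "ospf": 110}

def best_route(rib, dst):
    """Pick the route for dst the way a router does: longest prefix match
    first, then lowest AD among routes with the same prefix/mask.
    Returns (prefix, source, next_hop) or None if nothing matches."""
    dst = ip_address(dst)
    candidates = [r for r in rib if dst in ip_network(r["prefix"])]
    if not candidates:
        return None
    longest = max(ip_network(r["prefix"]).prefixlen for r in candidates)
    same_len = [r for r in candidates
                if ip_network(r["prefix"]).prefixlen == longest]
    win = min(same_len, key=lambda r: AD[r["source"]])
    return win["prefix"], win["source"], win["next_hop"]

def withdraw_static(rib, prefix):
    """Cut over one site: drop its static route so OSPF takes over.
    Returns a new RIB; the original is left unchanged."""
    return [r for r in rib
            if not (r["prefix"] == prefix and r["source"] == "static")]

# Constructed sample RIB on the hub mid-transition: old static routes over
# the existing tunnels plus OSPF routes learned over the new mesh tunnels.
hub_rib = [
    {"prefix": "10.1.0.0/24", "source": "static", "next_hop": "tunnel.1"},
    {"prefix": "10.1.0.0/24", "source": "ospf",   "next_hop": "tunnel.11"},  # same mask
    {"prefix": "10.2.0.0/24", "source": "static", "next_hop": "tunnel.2"},
    {"prefix": "10.2.0.0/25", "source": "ospf",   "next_hop": "tunnel.12"},  # longer mask
]

if __name__ == "__main__":
    # Site A: identical prefix, so AD decides and the static route stays in use.
    print(best_route(hub_rib, "10.1.0.7"))
    # Site B: the /25 OSPF route wins on prefix length despite AD 110.
    print(best_route(hub_rib, "10.2.0.7"))
    # After withdrawing site A's static route, OSPF carries the traffic.
    print(best_route(withdraw_static(hub_rib, "10.1.0.0/24"), "10.1.0.7"))
```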

Joseph W. Doherty
Hall of Fame

Good news: with full mesh you might reduce site-to-site latency and possibly reduce traffic to/from the hub.

Bad news, with full mesh, you lose bandwidth management between sites making QoS near impossible, unless your device supports the adaptive QoS DMVPN feature.  (Of course, if QoS is a non-issue, then you need not worry about the change in topology.)

BTW, I'm assuming you also don't wish to get involved with PfRv3, IWAN or SD-WAN.

Richard Burts
Hall of Fame

There is much that we do not know about this environment, and that makes it difficult to give good advice. How is the IPSEC implemented? Is it simple IPSEC that encrypts traffic to the peer? Is it IPSEC using some tunneling protocol (GRE or VTI)? I assume that it is not DMVPN.

Your description of a hub and spoke network suggests that there is not currently any direct spoke to spoke communication (it would be spoke to hub to spoke). Is that correct? Then moving to a full mesh network (where spoke to spoke communication is possible) is a big change and I suggest that implementing DMVPN would be appropriate. If the emphasis is on moving from static routes to a dynamic protocol between sites then the options for tunnels with IPSEC might be appropriate.

HTH

Rick

MehulCho
Level 1

Thank you all so much for your great advice and time! You all are great! Basically I inherited this Palo Alto environment (and hence the OSPF) where we have these IPSEC site-to-site VPN tunnels set up with static routes from the hub to all spokes. QoS or any bandwidth management is not a concern at this time. The main goal is to remove latency from spoke to spoke; dynamic routing would be a bonus if one path fails. There are about 10 sites in total. Thank you again!

Hello @MehulCho ,

>> this Palo Alto environment (and hence the OSPF) where we have these IPSEC site to site VPN tunnels set up with static routes from the hub to all spokes

DMVPN is Cisco proprietary; you should try to look for a standards-based solution like GET VPN (a Cisco term, but it is based on IPsec extensions that support GDOI, Group VPN).

At first glance I don't find GDOI on the Palo Alto web site:

https://www.paloaltonetworks.com/blog/network-security/


Hope to help

Giuseppe


Since the hub is Palo Alto,
I suggest asking your question in the Palo Alto community.
I checked and see there is a solution like DMVPN called LSVPN,
but again it is better to check the Palo Alto community.