Re: MPLS with DMVPN Migration to Multiple E-Lines From Separate Providers

tom.neteng · ‎01-12-2018

I have a new client who currently has a primary site and branch office, communicating over low speed MPLS with a DMVPN overlay.

They have purchased two e-lines from Tier 1 providers for additional speed and redundancy and want these implemented.

What is the best or some of the better options to provided link redundancy between two 2911 routers with and without encryption?

Is it possible to combine the two links (different speeds) into a single L3 EtherChannel so as to utilize both e-lines with a single IP on either end and simply move the DMVPN overlay on top of that?

Or would I need two separate routed interfaces with multiple VPN configurations on top of that? This is a regulated institution, and I would like all of the traffic that leaves the facility encrypted.

Tom

pigallo · ‎01-14-2018

Hi,

if you have mixed port speeds is not possible have links combined into a single ether channel.

The same happens as well with different duplex settings.

If i am not wrong 2911 should not offer fast re-convergence features like FRR or LFA so you cannot achieve re-convergence quickly in case of faulty link. But you can check it under your platform to see if it is supported.

What you could do is to terminate the new e-line over the same router handling DMVPN services and advertise this link into the underlay network of your DMVPN.

By using the routing metrics you could make this link more or less preferrable in order to be used as backup/primary link for tunnel interface to return immediately up in case of an outage.

Of course you can keep running IPSEC on it if you need it.

The only problem with e-line is that since they are strictly p2p services, if your network start to scale in the future, you won't be able to divert logical tunnel's traffic from the hub if spokes want to communicate directly so you should upgrade to VPLS service in order to achieve this setup.