02-26-2015 07:21 PM - edited 03-05-2019 12:53 AM
Hello fellow networking engineers,
I want to implement OSPF in our network. We have multiple branch offices, all linked to an MPLS backbone.
I know that in order to get linked areas, I would need to setup GRE tunnels between them, but I want to avoid static/manual configurations as much as possible. With multiple sites, it would become cumbersome to create a mesh real fast.
Is running OSPF independent areas at each site, and simply redistributing over eBGP a valid solution? This will host voice and data, and will failover to VPN connection (Cisco ASAs) if the MPLS goes down.
For the VPN backup links, I thought of two options. Either simply using the default route to send everything to the ASA in case of MPLS "death", or inject routes using IP SLA...
Any input would be appreciated.
02-27-2015 04:05 AM
Marc
You don't need GRE tunnels to link your areas if that is what you want to do.
If the SP supports it then you can exchange your OSPF routes between areas and they will still be seen as inter area routes rather than OSPF externals which they would if you simply treated each area as isolated from each other.
In effect the MPLS network becomes an OSPF super backbone area and your main site would also be part of the backbone area with all your other sites having an area each.
You still redistribute your OSPF routes into BGP but with some extra configuration on both your CEs and the SP PE devices.
Like I say you would need to check with your SP but it is possible.
Whether or not you need or want it I don't know.
Your other option is as you have proposed to treat each OSPF area as an isolated one and simply redistribute into OSPF at each CE. Then within each site all non local routes would be seen as OSPF external routes.
Either way in terms of backup I would keep it simple and use a default route at each site pointing to the ASA device. I can't see what you gain from IP SLA because if the main MPLS link goes down at any site the only other path they have out is via the ASA so there is nothing really worth tracking.
The only other thing I would mention is remote site to remote site traffic. If there is any then presumably with your VPN tunnels you would be doing a sort of hub and spoke where the hub is the main site so you may need to think about traffic coming in from one VPN tunnel and going out to another VPN tunnel on the main site ASA.
This would only really be needed if two or more sites had to use their backup links at the same time.
In terms of which is better, i.e. OSPF inter area across the MPLS cloud or OSPF externals, I can't really say to be honest. With the MPLS networks I have worked on we ran EIGRP and simply treated each remote site as an isolated AS.
If you are already running OSPF then you may want to preserve your existing areas so it would make sense to go with the inter area option.
If it is a new setup then I don't really know the pros and cons of either so can't really comment.
Perhaps others may add to the thread with their thoughts.
Jon
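A worked CE configuration for the isolated-area option Jon describes (one OSPF area per site, mutual redistribution with eBGP toward the PE, default route to the ASA as backup). This is an added illustration in Cisco IOS syntax, not from the thread; the AS numbers, addresses, interface-facing next hops and prefix-list contents are placeholders.

```cisco
! Added example: branch CE, site OSPF area isolated from the other sites.
! All AS numbers, addresses and prefixes are placeholders.
!
! Routes learned from BGP are tagged when injected into OSPF, and tagged
! routes are refused on the way back into BGP. Without this, a site doing
! mutual redistribution can re-advertise another site's prefixes as its own.
route-map BGP-TO-OSPF permit 10
 set tag 65000
!
route-map OSPF-TO-BGP deny 10
 match tag 65000
route-map OSPF-TO-BGP permit 20
 match ip address prefix-list SITE-LANS
!
! Only this site's own LAN range is allowed toward the SP.
ip prefix-list SITE-LANS seq 5 permit 10.20.0.0/16 le 24
!
router ospf 1
 router-id 10.20.255.1
 network 10.20.0.0 0.0.255.255 area 0
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
 ! Advertise a default into the site as long as the CE itself has one.
 default-information originate
!
router bgp 65000
 bgp router-id 10.20.255.1
 neighbor 192.0.2.1 remote-as 65100
 neighbor 192.0.2.1 description SP-PE
 address-family ipv4
  redistribute ospf 1 route-map OSPF-TO-BGP
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 prefix-list SITE-LANS out
!
! Backup path: floating static default toward the ASA (placeholder LAN
! address). Its admin distance of 250 keeps it out of the routing table
! while a default learned via eBGP (AD 20) exists; when the MPLS link
! goes down and the BGP default is withdrawn, this route is installed and
! the OSPF-originated default now leads to the ASA.
ip route 0.0.0.0 0.0.0.0 10.20.1.254 250
```

The outbound prefix list and the tag-based deny are the two controls that keep a misconfiguration at one site from leaking or looping prefixes through the SP; the example assumes the SP advertises a default route over eBGP.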
02-27-2015 04:20 AM
Hi Jon,
thanks for taking the time to respond.
I already asked the SP about doing a super backbone and it seems they don't offer/support that. I think that would have been the best solution. We have to run OSPF because we have some non-Cisco (Brocade) switches, plus I think OSPF would be more scalable long term.
We MAY have some traffic going over the VPN, to use the extra bandwidth so I will probably need an IP SLA anyway for the route map (backup/replication traffic etc...) but not at all sites.
Everything you mentioned is pretty much what I figured out; there aren't a ton of options. Glad to see I wasn't way out.
When it comes to convergence, wouldn't OSPF be faster at removing dead routes than waiting for eBGP to notify the partners then redistribute to the OSPF areas?
I still have to figure out the details for the VPN, it is between ASAs everywhere so I need to check what's available (DMVPN? FlexVPN? Standard point to point?)
Thanks!
02-27-2015 04:35 AM
Mark
When it comes to convergence, wouldn't OSPF be faster at removing dead routes than waiting for eBGP to notify the partners then redistribute to the OSPF areas?
Yes it would but not, as I understand it, with the super backbone solution as you are still using BGP as the underlying protocol to send the routes across the MPLS network.
If you meant by using GRE tunnels though then yes it would be. BGP is not the quickest and it may be worth considering reducing the timers if you can although again this needs to be discussed with the SP and depends on the quality and reliability of the CE to PE links.
DMVPN is commonly used as backup although then you have the further consideration of passing routes via DMVPN being preferred over your redistributed BGP routes but obviously there are ways around.
Unfortunately it isn't supported on ASAs so it's not an option for you.
Can't really comment on FlexVPN as I haven't used that technology.
Standard tunnels are obviously available and if, when you say it is between the ASAs everywhere, you are talking about having a full mesh then there is no need to worry about traffic going in and out via VPN at the main site, but that is a lot of configuration (depending on the number of sites).
Perhaps FlexVPN, if it is supported, makes this easier.
Jon
03-01-2015 10:42 AM
Thanks again for your feedback.
Avoiding intervention from the provider is probably the best solution, as they tend to not always be flexible in their topology design. Will definitely ask but won't hold my breath. We will be setting up parallel MPLS links on our network, so we have the opportunity to test convergence times before going to production...