11-20-2014 06:37 AM - edited 03-05-2019 12:12 AM
Hi all,
Not sure if this is meant for the VPN forum or the routing forum, so please let me know if this should be moved.
We have two hub sites, geographically dispersed.
We have multiple spoke sites, around 50.
I would like each spoke router to have two GRE over IPsec tunnels, a primary and a backup.
My question is: what is the best way to advertise routes into the backbone OSPF area 0 so that hub site A is always the preferred entry and exit point for the DMVPN network?
I was thinking that each hub should be in a different OSPF area, but I cannot remember what options are available on ASBRs as to routing metrics. I know that you can filter LSAs using distribute lists, but cannot remember if you can tweak the metrics of routes.
Another option I was thinking of was to run a separate OSPF process on the tunnel interface on each hub router and then use route redistribution to alter route metrics / ADs.
Also, another option I can think of is perhaps setting a much higher OSPF cost at the interface level, either on the tunnel interface of the backup hub router or on the OSPF interface connecting the hub router into the backbone area 0.
One other question that I cannot seem to answer at the moment is whether the two hub routers should be OSPF neighbours and exchange routing information, or whether I should just inject the routes into the backbone area 0 and let area 0 choose the correct exit point.
Would you also recommend the tunnel interface OSPF area be a stub? But then how would that work if each spoke router has two possible exit points, one to each hub router? Maybe I should just inject a default route from both hub routers and make sure that the primary default route has a lower metric than the secondary default route.
Any help or experience with this kind of setup would be great. I can post a diagram of the proposed topology if that helps, but it really is a classic hub-and-spoke topology with a hub router in two data centres connected via dark fibre.
Thanks
Mario
11-20-2014 07:46 AM
Just curious, why the requirement to avoid asymmetric routing?
11-20-2014 03:22 PM
Hi Josh, thanks for the reply.
I want to stay away from asymmetric routing mainly because any return traffic would take sub-optimal paths through our secondary data centre to return to the primary data centre, which is not ideal.
The idea is that the primary tunnel at each spoke router would normally be on a better-quality link than the secondary tunnel, so again, having traffic on the low-bandwidth secondary tunnel when the primary tunnel is still active is not ideal.
Another issue I see is that we would like to keep the routing table very small at each spoke router by making each router a totally NSSA OSPF area.
There could also be a requirement whereby firewalls sit behind the hub routers, and if those firewalls are not in an HA cluster then return traffic could be dropped by the firewall because the original SYN packet of the TCP connection was not seen.
I am going to try and upload a sample topology tomorrow so hopefully that will assist in what I am trying to explain.
Thanks
Mario
02-05-2015 01:51 AM
Hi all,
I have created a proposed topology from a layer 3 perspective.
Can I have feedback on this? I am using OSPF interface metrics to ensure asymmetric routing does not happen. The DMVPN areas are totally NSSA so that we can inject a default route into the area and still have the ability to redistribute routes back into the core.
ASRs will be used at the edge to terminate the GRE and IPsec tunnels. The tunnel interface will be in a dedicated DMVPN area, whilst the gigabit tunnels will be in the backbone area 0.
Any questions you have, please ask.
Thanks
Mario
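As an added illustration (this is not from the original thread and is not Cisco's own configuration), here is one way the design discussed above could be written out in IOS configuration: both hub tunnel interfaces sit in one totally NSSA DMVPN area (area 10 here), each hub is an ABR between area 10 and area 0, and the preference for hub A in both directions comes only from OSPF interface cost. Every address, interface name, area number, tunnel key, NHRP network ID, IPsec profile name and pre-shared key below is an assumption chosen for the example.

```cisco
! ---- Common crypto (assumed names). One wildcard PSK shared by ~50 spokes is the weak
! ---- form: a single leaked spoke compromises every tunnel. Prefer certificates or at
! ---- least per-peer keys in production; transport mode is enough for GRE over IPsec.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK-change-me address 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS

! ---- Hub A (primary): low tunnel cost, so its area-0 summaries for spoke LANs
! ---- carry the lower metric and the core sends traffic to the spokes via hub A.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network point-to-multipoint
 ip ospf cost 10
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
interface GigabitEthernet0/0/0
 description dark fibre to hub B / core, area 0
 ip address 10.0.0.1 255.255.255.252
router ospf 1
 router-id 10.255.255.1
 area 10 nssa no-summary
 network 10.255.0.0 0.0.0.255 area 10
 network 10.0.0.0 0.0.0.3 area 0

! ---- Hub B (backup): same shape, different addresses, much higher tunnel cost.
! ---- Its Gi0/0/0 is 10.0.0.2/30 in area 0 (configured as on hub A, omitted here).
interface Tunnel0
 ip address 10.255.1.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip ospf network point-to-multipoint
 ip ospf cost 1000
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF
router ospf 1
 router-id 10.255.255.2
 area 10 nssa no-summary
 network 10.255.1.0 0.0.0.255 area 10
 network 10.0.0.0 0.0.0.3 area 0

! ---- Spoke (one of ~50): Tunnel0 to hub A, Tunnel1 to hub B, both in area 10.
! ---- The spoke only ever sees the Type-3 default each hub injects; the high cost on
! ---- Tunnel1 makes hub A's default win while Tunnel0 is up. 192.0.2.1 and
! ---- 198.51.100.1 are assumed hub public addresses.
interface Tunnel0
 ip address 10.255.0.51 255.255.255.0
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.255.0.1
 ip nhrp network-id 1
 ip ospf network point-to-multipoint
 ip ospf cost 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF shared
interface Tunnel1
 ip address 10.255.1.51 255.255.255.0
 ip nhrp map 10.255.1.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 10.255.1.1
 ip nhrp network-id 2
 ip ospf network point-to-multipoint
 ip ospf cost 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF shared
router ospf 1
 router-id 10.255.255.51
 area 10 nssa
 network 10.255.0.0 0.0.1.255 area 10
 network 10.200.51.0 0.0.0.255 area 10
```

Two things to check after applying this. On a spoke, `show ip route 0.0.0.0` should show the default (an O*IA route) via the Tunnel0 next hop only; on a core router in area 0, `show ip ospf database summary` should list each spoke LAN from both hub router IDs, with hub A's entry carrying the lower metric. Because the same tunnel costs shape both the spoke's default and the hub's summaries, the entry and exit point stay on hub A together, and if a spoke's Tunnel0 fails both flip to hub B at once, which is what keeps a non-HA firewall behind the hubs from seeing only half of each flow. The example deliberately has no `area 10 range` on the hubs: with two ABRs summarising the same spoke space, the discard (Null0) route a range installs on hub A can black-hole a spoke whose primary tunnel is down but whose LAN is still reachable through hub B, so summarisation is better done elsewhere or with that failure mode tested first. Anything a spoke redistributes into OSPF becomes a Type-7 LSA that one of the two hub ABRs translates to Type-5; the translated LSA keeps the spoke's address as its forwarding address, so the core still reaches it through the preferred hub's summary.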