
VPN Infrastructure - Redundancy with MPLS and DMVPN

ITexpert
Level 3

Hello Experts,

 

@Richard Burts   @Peter Paluch @Joseph W. Doherty  @Julio E. Moisa @paul driver

 

I have a question. We have four sites connected with each other through an MPLS circuit. We are advertising our subnets by using OSPF and I want to use DMVPN as secondary way to accomplish that. I have some doubts:

 

1. When I make tunnels through the internet and run another OSPF process to advertise, how will I manipulate parameters so that OSPF with MPLS will be primary?

2. Also, when MPLS breaks it will automatically start communicating with DMVPN, but when MPLS gets back should it start using MPLS again by itself?

 

Please mention all possible ways. Also mention other ways for redundancy for site-to-site connections.

 

Thanks 

6 Replies

Joseph W. Doherty
Hall of Fame
If you're running OSPF across OSPF, and you intend to also use OSPF across DMVPN tunnels, I would think all you might need to do is set OSPF metrics so that the MPLS paths are preferred.

Mikey John
Level 1

You can use the "default-information originate" command with a higher metric on the DMVPN tunnel to make it the secondary circuit.

 

 

Cheers

Mikey

Richard Burts
Hall of Fame

If we knew a bit more about the environment of the original poster we might be able to give better advice. For example does each site form OSPF neighbor relationship with each of the other 3 sites? Or is there a HQ central site and other sites are neighbors with it but not with each other? Also when you run OSPF on your router are you forming neighbor relationship with the Provider Edge Router or neighbor relationship with a Customer router at the other site?

 

But if you have OSPF running successfully for MPLS I believe that it should not be too difficult to run OSPF for DMVPN and to make MPLS routes preferred. The original post seems to suggest running 2 OSPF processes. I am not sure there is much to be gained from 2 processes. I believe that Joseph is pointing in the right direction. Run OSPF on interfaces for MPLS and for DMVPN and assign OSPF cost on interfaces for DMVPN that is higher than cost on MPLS interfaces. That should achieve automatic failover and automatic failback. 

 

The suggestion about default information originate shows creative thinking. But unfortunately it would not be much of a solution. But the question in this post is not so much about what default route to use but is more about how to answer questions like "where is subnet 172.16.26.0 (which site has this subnet) and which interface do I use to get there" than it is about which default route to use.

 

HTH

 

Rick

"The original post seems to suggest running 2 OSPF processes. I am not sure there is much to be gained from 2 processes."

Unsure that OP's ". . . I want to use DMVPN as secondary way to accomplish that." means it's desired to use two OSPF processes, but if so, I agree with Rick. In fact, using two OSPF processes would probably only add to the complexity without any other benefit.

Otherwise, Rick describes in more detail how the interface metrics might be changed. However, also understand, as we don't know your topology, as also noted by Rick, it's possible, by default (using interface "bandwidths"), the MPLS paths might appear to be "better". If not, as Rick notes, you can change OSPF cost on interfaces, which could be done on the MPLS and/or DMVPN interfaces.

Oh, and with OSPF, depending on your requirement for how fast you need re-convergence between MPLS and DMVPN, you might want to "tune" other OSPF parameters, such as hello intervals, otherwise, by default, it might take up to about 30 seconds for OSPF to begin to make a switch.

Joseph
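
The approach described in the replies above (a single OSPF process, a higher OSPF cost on the DMVPN tunnel than on the MPLS interface, and shorter hello timers for faster failover), sketched as an added Cisco IOS example that is not from any poster in this thread. Interface names, addresses, the process ID, the tunnel network type and the cost and timer values are assumptions; the tunnel's NHRP and IPsec settings are assumed to be configured already and are omitted.

```cisco
! Added example. All names, addresses and values below are assumptions.
router ospf 1
 router-id 10.255.0.1
!
! Primary path: MPLS-facing interface, low OSPF cost.
interface GigabitEthernet0/0
 description MPLS circuit (primary)
 ip address 10.0.12.1 255.255.255.252
 ip ospf 1 area 0
 ip ospf cost 10
 ! Shorter timers so loss of the MPLS neighbor is detected sooner.
 ! Hello and dead intervals must match on the neighbor at the other end.
 ip ospf hello-interval 5
 ip ospf dead-interval 20
!
! Backup path: DMVPN tunnel in the same OSPF process, much higher cost.
interface Tunnel0
 description DMVPN over internet (backup)
 ip address 172.31.0.1 255.255.255.0
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 ip ospf cost 1000
!
! Checks after applying (exec mode):
!   show ip ospf neighbor            - adjacencies up on both interfaces
!   show ip ospf interface brief     - confirms the cost on each interface
!   show ip route 172.16.26.0        - next hop should be via the MPLS interface
! Shut the MPLS interface in a maintenance window and repeat the last check:
! the route should move to Tunnel0, then return to MPLS when it is restored.
```

Interface cost only decides between routes of the same OSPF type. If the MPLS neighbor is the provider edge router and the remote subnets arrive as inter-area or external routes, intra-area routes learned over the tunnel are preferred regardless of cost.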

 

Here is the line in the original post that I understand to indicate thinking about a second OSPF process:

When I make tunnels through the internet and run another OSPF process to advertise.

 

I am glad that we agree that a second OSPF process would not be helpful.

 

HTH

 

Rick

Touché