07-23-2009 10:43 AM - edited 02-21-2020 04:17 PM
Hi gurus,
I'm facing a DMVPN project with approx. 100 sites. It's going to be a classic 2-5 HUB central site, and 90-100 spoke sites.
I'm in need of some good advice and thoughts about selecting the right routing protocol, EIGRP or OSPF.
So anyone with experience and hands-on knowledge on such an installation - please feel free to comment on "goods and bads" regarding the two routing protocols :-)
I'm leaning towards OSPF myself, as I know this one best though. So why should I choose EIGRP for instance? :)
Thx!
07-23-2009 03:32 PM
Hi,
OSPF is good, but in this solution I prefer to use EIGRP because the theory says that OSPF can operate in an environment of up to approx. 50 routers. On the other hand, do you know the GET VPN concept? The GET VPN concept can solve this routing problem because it doesn't alter IP headers.
Please visit www.cisco.com/go/getvpn
Regards,
DT.
07-23-2009 07:17 PM
I'm working with one large DMVPN EIGRP environment that has VIP load balancing across several hubs. No issues until you get to around 600 EIGRP spokes on each HUB (Cisco 7206 NPE-G2 or 7301). What hardware platform is your hub?
I'd go with EIGRP in your case. 100 spokes is not a problem (depending on hardware)
- Use DMVPN Phase 3, don't use Phase 2
- Configure route summarization of all spokes subnets on HUB's tunnel. If all spoke sites fall into 10.0.0.0/8 range, configure EIGRP summary for 10.0.0.0/8 on the HUB's tunnel
- Make sure remote sites are configured as EIGRP stubs
- Configure EIGRP hello/hold with larger values
I would also recommend BGP, it will scale beyond 600 spokes on 7200/7300, but there are a few problems with it, the main one is IOS config size on HUB side :)
Regards,
Roman
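Added example, not part of the post above and not taken from Cisco documentation: a hub and a spoke fragment that apply the four recommendations in the list (Phase 3, summarization on the hub tunnel, stub spokes, larger hello/hold). The AS number 100, interface names, addresses, timer values and the IPsec profile name DMVPN-PROF (assumed to be defined elsewhere) are constructed for illustration.

```ios
! ---- HUB (constructed values: AS 100, tunnel 10.255.0.1, public 192.0.2.1) ----
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! Phase 3: hub sends NHRP redirects so spokes build direct tunnels
 ip nhrp redirect
 ! Larger hello/hold than the defaults (values are illustrative)
 ip hello-interval eigrp 100 20
 ip hold-time eigrp 100 60
 ! Spokes receive one summary instead of every spoke subnet
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 ! Profile assumed to be defined elsewhere in the configuration
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
! ---- SPOKE (constructed values: tunnel 10.255.0.11) ----
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.255.0.1
 ip nhrp network-id 1
 ! Phase 3: spoke installs shortcut routes learned from redirects
 ip nhrp shortcut
 ! Timers must be raised on both ends of the adjacency
 ip hello-interval eigrp 100 20
 ip hold-time eigrp 100 60
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.0.0.0
 ! Stub: the hub does not send EIGRP queries to this spoke
 eigrp stub connected summary
 no auto-summary
```

On the hub, `show ip eigrp neighbors detail` marks stub peers, and `show ip eigrp interfaces detail Tunnel0` shows the hello and hold timers actually in use.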
07-23-2009 11:56 PM
First of all - thx for all your input, I really appreciate it :-)
DT - I'm pretty sure that GetVPN can't be used over the Internet, since it preserves its original IP addresses in the header, so that's out of the question.
Roman - your hints and points are just what I was looking for. Thx a bunch :)
SB
07-24-2009 12:01 AM
Oh! One other thing.
Do you guys suggest a single dmvpn-cloud or dual dmvpn-clouds (so that spokes use 1 or two tunnel interfaces)? :-)
Thx!
SB
07-24-2009 03:43 AM
Hi Roman,
Can you tell us which load balancer you use?
Are your spokes on a private network or the Internet?
07-24-2009 03:57 AM
Hubs and all spokes are connected to the Internet.
07-24-2009 10:34 AM
IOS SLB on 7200 running 12.2S. Since 12.2S Security image doesn't exist, IPSEC must happen on the hubs behind it. It's actually ok, this way it's load balancing IPSEC too. Cisco removed a bunch of SLB features from 12.4T that are needed for this setup, so you're stuck with 12.2S
Internet, but could be private (MPLS) as well.
Regards,
Roman
07-24-2009 10:30 AM
Dual. I like to see the spoke with two tunnel interfaces. Gives me better control over EIGRP metrics/routing. There are also some situations where single dmvpn cloud can't be used. In the load-balancing scenario I've mentioned, since both hubs would be behind VIP, I can't use single cloud.
Regards,
Roman