DMVPN DUAL HUB DESIGN ADVICES NEEDED - DMVPN EXPERT ARE WELCOME

lap · ‎12-15-2010

Hi Guys,

Our customer has a DUAL DMVPN setup running perfectly with 20 sites. EIGRP is runnig betwenn HUB and SPOKES. Each HUB is connected to a a different ISP and one is Primary and the other one is backup. Here is the current design:

Now our customer wants to move to another design where the servers and the primary DMVPN router that you can see on the drawing will be moved to another location(LOCATION HUB Y on the following drawing) but the subnet of this new location will remain the same as the current one whereas the old HUB location (LOCATION HUB X on the following drawing) will only keep PCs and printers so it will be like a kind of spoke location because all the "important" ressources will be located at the new location (location HUB Y). Both locations (HUB X and HUB Y) and another one will be connected together via ISP1 MPLS. The subnet of the old HUB location (location HUB X) will be changed. I attach a drawing of the new setup so you can get a better idea of how how it will look like.

I have tried to think of a setup where I will also move SECONDARY DMVPN router to the new location to prevent hardware failure and run BGP with ISP1 on both DMVPN routers but this setup doesn't prevent problems when ISP1 loose connetion to SPOKE ISP and that happen often. That is why I wanted to run with two ISPs. I attach a drawing of what I was thinking of anyway:

At last I have thought of what could maybe be the best solution design. See following drawing:

So my issue is the following: How I can migrate the old DMVPN setup to the new DMVPN setup. In the old DMVPN setup I was using HSRP and IP SLA in order to prevent routing failure inside ISP1 AS. But what do you think is the best DMVPN design with this new physical setup? what about hardware redundancy? I am looking forward to hearing from you.

You can clik on the pictures and Zoom into them.

Best regards,

Laurent Prat

lap · ‎12-17-2010

Hi guys,

Anyone to help?

Regards,

Laurent

Marcin Latosiewicz · ‎12-20-2010

Laurent,

Let me start by saying that this sort of design is best approved by some in Advanced Services or System Engineer rather than forums :-)

There are just too many considerations.

I just had a brief read of what your requirements were.

(I've written a big post but it was kindly remove because of timeout of forum .... :{ )

The bottom line is:

- avoid situations where you could force all traffic to go over MPLS

- consider having both DMVPN clouds on both hubs (introduce DMVPN phase 3 and use summary addresses to advertise preferred routes)

- depending on cost use MPLS as a backdoor route with normal exchange over DMVPN ... or route primarily over MPLS between X and Y

- you can also consider a design where you'de source your DMVPN from loopbacks and would be free to advertise those addreses both into MPLS as well as into Internet (depending on how likely you ISP is to do this ;-))

Best practice goes to have DMVPN as primary links followed by MPLS as a secondary/management/disaster access. This is of course costly but provides full redundacy.

We can probably discuss a few more scenario as I learn more about your requirements.

Marcin

lap · ‎12-23-2010

Hi Marcin,

Thanks a lot for your message and your advices. DMVPN is already running phase 3 and HUB routers are sending a summary route to Spokes.

I have advice the customer to move both HUB routers to the HUB location and if there isn't possibility to get another ISP the customer should run BGP on both HUB with the ISP. In this case there isn´t any redundancy regarding routing failure in the ISP AS.

But I will let you know which solution the customer has choosen.

Again thanks a lot for your help.

Regards,

Laurent

Marcin Latosiewicz · ‎12-23-2010

Laurent,

Sorry not too have been too much help :-)

I think once you separate customer's "needs" and "wants" we can come up with something more clear.

Season's greetings

http://www.youtube.com/watch?v=QP8KghzOboA

Marcin