Orhan Ergun 16 Comments

MPLS VPN is mostly used as the primary connectivity and DMVPN as a backup in small and medium-sized businesses.

In some cases you might see DMVPN as the only circuit between the remote offices and the datacenter/HQ, or MPLS VPN as the primary for some applications and DMVPN for the others.

As an example, a high-throughput, high-latency DMVPN link might be used for data traffic, and a low-throughput, low-latency MPLS VPN link for voice and video.

In this post I will give you a mini network design scenario and ask some questions; we will discuss the answers in the comment box below.

When you attend my CCDE class, we will work on tens of scenarios similar to this.

 

I will update the scenarios every week with my answer.

Update : I updated the post with my answers. Also I published a new scenario which you can reach from here.

 

[Figure: MPLS VPN and DMVPN topology]

Background Info: 

In the above topology, the customer wants to use MPLS L3 VPN (the right one) as its primary path between the remote office and the datacenter.

The customer uses EIGRP AS 100 for the Local Area Network inside the office.

The customer runs EIGRP AS 200 over DMVPN.

The service provider doesn’t support EIGRP as a PE-CE protocol, only static routing and BGP.

The customer chose BGP instead of static routing, since the cost community attribute might be used to carry the EIGRP metric over the MP-BGP session of the service provider.

Two-way redistribution between EIGRP and BGP is needed on R2.

Since the customer uses different EIGRP AS numbers for the LAN and DMVPN networks, redistribution is needed on R1 too.

Question 1: Should the customer use the same EIGRP AS on the DMVPN and the LAN?

Update: No, it shouldn’t. The customer requirement is to use MPLS VPN as the primary path, and nothing specifies that only particular applications should use MPLS VPN while the others use DMVPN. If the customer runs the same EIGRP AS on the Local Area Network and over DMVPN, EIGRP routes are seen as internal from DMVPN but external from MPLS VPN.

Internal EIGRP is preferred over external because of administrative distance, so the customer should use different AS numbers.

Question 2 : 

What is the path between the remote office and the datacenter?

Update: Since redistribution is done on R1 and R2, the remote switch and the datacenter devices see the routes from both DMVPN and BGP as EIGRP external. Then the metric is compared.

If the metric (bandwidth and delay in EIGRP) is the same, both paths can be used (Equal Cost Multipath, ECMP).

Question 3:

Does the result fit the customer traffic requirement?

Update: Yes. If the customer uses different EIGRP AS numbers on the LAN and DMVPN, then with just a metric adjustment the MPLS VPN path is used as primary.
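The route selection behind the answers to Questions 1 to 3, modelled from the office switch's point of view. This is an added example, not code from the original post: the seed bandwidth and delay values are constructed, the names `Route`, `best_paths` and `switch_view` are hypothetical, and the metric is assumed to be the classic EIGRP formula with default K values.

```python
from dataclasses import dataclass

# Cisco default administrative distances for the two EIGRP route types.
AD_EIGRP_INTERNAL = 90
AD_EIGRP_EXTERNAL = 170


@dataclass(frozen=True)
class Route:
    next_hop: str    # "R1" (DMVPN side) or "R2" (MPLS VPN side)
    external: bool   # True when the prefix was redistributed into EIGRP 100
    bw_kbps: int     # seed bandwidth (constructed sample value)
    delay_usec: int  # seed delay in microseconds (constructed sample value)

    @property
    def ad(self) -> int:
        return AD_EIGRP_EXTERNAL if self.external else AD_EIGRP_INTERNAL

    @property
    def metric(self) -> int:
        # Classic EIGRP composite metric, default K values (bandwidth + delay).
        return 256 * (10**7 // self.bw_kbps + self.delay_usec // 10)


def best_paths(routes):
    """Next hops installed: lowest AD first, then lowest metric; ties give ECMP."""
    best = min((r.ad, r.metric) for r in routes)
    return sorted(r.next_hop for r in routes if (r.ad, r.metric) == best)


def switch_view(same_as, r1_seed, r2_seed):
    """Datacenter prefix as the office switch sees it in EIGRP 100.

    same_as=True models DMVPN running in the LAN AS, so R1's route stays
    internal; R2's route is always external (redistributed from BGP).
    """
    via_r1 = Route("R1", not same_as, *r1_seed)
    via_r2 = Route("R2", True, *r2_seed)
    return best_paths([via_r1, via_r2])


if __name__ == "__main__":
    dmvpn, mpls = (10_000, 1_000), (10_000, 1_000)
    print("same AS, equal seeds     :", switch_view(True, dmvpn, mpls))
    print("different AS, equal seeds:", switch_view(False, dmvpn, mpls))
    print("different AS, R2 delay/10:", switch_view(False, dmvpn, (10_000, 100)))
```

With the same AS, no seed metric on R2 can win, because the comparison never gets past administrative distance.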

Question 4 :

What happens when the primary MPLS VPN link goes down?

Update: It depends. If you redistribute on R2 the datacenter prefixes which are received by R1, R2 sends the traffic towards the switch and the switch uses only R1.

Traffic from the remote office to the datacenter goes through the Switch - R1 - DMVPN path. From the datacenter, since the prefixes will not be known through MPLS VPN, only the DMVPN link is used. So the DMVPN link is used as primary when the failure happens.

Question 5:

What happens when the failed MPLS VPN link comes back?

Update: This is the tricky part. R2 receives the datacenter prefixes over the MPLS VPN path via EBGP, and also from R1 via EIGRP. When R2 receives the prefixes from R1 as EIGRP routes, those prefixes shouldn’t be redistributed on R2 to be sent through the MPLS VPN path.

If you don’t redistribute them, once the link comes back, the datacenter prefixes will still be received via DMVPN and MPLS VPN and appear on the office switch as EIGRP external routes.

If you redistribute them on R2, when the link comes back, R2 continues to use the MPLS VPN path, so the switch can do load sharing, or with a metric adjustment you can force it to use MPLS as primary.

If they are Cisco switches, or those of another vendor that takes the BGP weight attribute into consideration for best path selection, then the weight of the redistributed prefixes would be higher than that of the prefixes received through MPLS VPN, so R2 uses the Switch-R1 DMVPN path.

 

You may not be able to answer all the questions, but you should try.

These are the type of questions you might encounter in the CCDE exam!

Let’s discuss in the comment box below.

 
  • Q 1 : Should customer use EIGRP same AS on the DMVPN and the LAN ?
    No, because if it’s the same AS, all the traffic prefers the DMVPN path because EIGRP internal is AD 90 and L3VPN EIGRP external is AD 170.

    Q 2 : What is the path between remote office and the datacenter ?
    the path is to L3VPN because eBGP AD is 20

    Q 3 : Does result fits for the customer traffic requirement ?
    Yes, L3VPN is the primary path like asked by customer

    Q 4 :What happens when the primary MPLS VPN link goes down ?
    The traffic passes on the DMVPN path.

    Q 5 :What happens when failed MPLS VPN link comes back ?
    The traffic stays on the DMVPN path, or returns to the L3VPN path only if the redistribution is done with route-map and tag (due to the remote office route redistributed into BGP with weight 32768).

  • Stefan Geutjes

    Q1-4 same as Daniel.
    Q5 traffic returns to L3VPN because of AD.

  • driss jabbar

    Same as Daniel

    • Anonymous

      Q1: Should customer use EIGRP same AS on the DMVPN and the LAN ?
      A1: Yes, we should use two EIGRP processes.
      Q2: What is the path between remote office and the datacenter ?
      From datacenter –> remote office, L3VPN will be preferred because of administrative distance 20 against 170.
      From remote office –> datacenter: it depends on the metric. If both the DMVPN and L3VPN routes have the same metric, then load sharing will be applied. Then we will fall into asymmetric routing; to resolve this situation we need to play with delay 🙂 not bandwidth.
      Q3: Does result fits for the customer traffic requirement ?
      It depends on my answer number 2.

      Q4: What happens when the primary MPLS VPN link goes down ?
      A4: The traffic will pass through DMVPN.

      Q5: What happens when failed MPLS VPN link comes back ?
      As Daniel said, the CE router will still prefer the EIGRP route as it is installed with weight. The route should block this route in from remote office.

      • driss jabbar

        is it me for the 2 above comment 🙂

  • Haroon

    Q 2 : What is the path between remote office and the datacenter ?
    I have to add to Daniel’s comments
    Data Center path will be thru level L3VPN as said but
    Remote need special workout with Attributes which is Local Preference(inbound traffic) and with AS-path as well (outbound traffic)

  • Haroon

    Correction—Q 2 : What is the path between remote office and the datacenter ?
    I have to add to Daniel’s comments
    Data Center path will be thru level L3VPN as said but
    Not work for this as EIGRP is running as well single link @ R2
    Remote need special workout with Attributes which is Local Preference(inbound traffic) and with AS-path as well (outbound traffic)
    Remote traffic moves thru DMVPN

  • Jerome

    Okay, let’s try.

    Q 1 : Should customer use EIGRP same AS on the DMVPN and the LAN ?
    I would say yes, because of redistribution on both routers (R1 from EIGRP200 to EIGRP100 and R2 from BGP to EIGRP) both routes will have an AD of 170.
    Then without an EIGRP session between R1 and R2, the outgoing traffic to the DC can be problematic in case of failure of one of the two links.

    Q 2 : What is the path between remote office and the datacenter ?
    Same as Daniel: the path on R2 via L3VPN has an eBGP AD of 20, the path on R1 has an AD of 90 (EIGRP).
    But then from the LAN of the remote office, it depends what first-hop redundancy method we choose. For example, if we use HSRP and R1 as primary router, then the path to the DC is DMVPN.

    Q 3 : Does result fits for the customer traffic requirement ?
    No, without policy-routing we will not use both links.
    The request was “high throughput, high latency DMVPN link might be used for data traffic, low through, low latency MPLS VPN link for voice and video”.

    Q 4 :What happens when the primary MPLS VPN link goes down ?
    The traffic passes on the DMVPN path.

    Q 5 :What happens when failed MPLS VPN link comes back ?
    It depends on how the redistribution, policy-routing (if any), first-hop redundancy and EIGRP between R1 and R2 are configured.

  • Thanks for all your answers ! I think mini design scenarios will be helpful and fun, what do you think ?
    By the way, for those who still want to share their opinion I am thinking to give my answer on Thursday.
    Every Thursday one mini scenario ?

  • Najib

    Question 1 : Should customer use EIGRP same AS on the DMVPN and the LAN ?
    ——————————————————————-
    Najib Answer : No! (MPLS must be the primary path) and with EIGRP same AS, the customer would have no need for mutual redistribution in R1.
    ——————————————————————-
    Question 2 :
    What is the path between remote office and the datacenter ?
    —————————————————————————
    Najib Answer : to accomplish the requirement we must use
    higher bandwidth in BGP->EIGRP redistribution. the path from remote office to Data Center is not clear.. but the traffic is routed back via the MPLS network.

    Question 3 :

    Does result fits for the customer traffic requirement ?
    ——————————————–
    Najib Answer : Not at all.
    ————————————————
    Question 4 :

    What happens when the primary MPLS VPN link goes down ?
    ———————————————————————–
    Najib Answer : The backup EIGRP route would be installed and copied to FIB, so the DMVPN path is best route.
    ———————————————————————
    Question 5 :

    What happens when failed MPLS VPN link comes back ?
    Najib answer : The traffic would switch back because of the eBGP AD.

  • Nizami

    1.If they use the same AS, traffic will always follow DMVPN path as intra EIGRP route, so answer should be No
    2. If considering path from Remote Office SW then assuming that identical metrics will be used during redistribution between EIGRP 200–>100 and BGP–EIGRP, then traffic should load balance between R1 and R2 since it will have identical AD of 170 and cost ( as assumed above). If metrics will be different during redistribution, then we can manipulate which path we want to use
    3. Partially, since we have to adjust metrics during redistribution to force traffic to choose MPLS link over DMVPN
    4. Traffic should flow on DMVPN link
    5. After network convergence and redistribution , DataCenter networks should be installed again in SW table and assuming again that all metrics will be identical, SW table will have two equal cost routes and further traffic will be load balanced between links

  • rateiro

    Q1: No.
    Q2 : Downstream via SP (DC > Office). Upstream both paths (Balance).
    Q3 : No.
    Q4 : Up and downstream traffic will use DMVPN links.
    Q5 : Downstream via SP (DC > Office). Upstream both paths.

    • Thanks for the answers. I will be updating the post Thursday. Thursday another mini scenario will come so hope to see all of you guys comment for it as well !

  • I updated the post with my answers, thanks to all the participants, don’t forget to comment on the other mini design scenario, hope it is fun 🙂
