Orhan Ergun

DMVPN Routing Considerations

Routing over DMVPN is probably the most important decision you make in a DMVPN design.

Which routing protocol is suitable for your environment? EIGRP over DMVPN, OSPF over DMVPN or BGP over DMVPN?

Let me just share some brief information about the routing protocol over the overlay tunnels in this post.

For large-scale DMVPN deployments, the best routing protocol is BGP or EIGRP.

What counts as large depends on your links and their stability, the redundancy design, how many routes the spokes carry, which DMVPN phase is in use, and so on.

If you have 20.000 routes in total behind all your spokes, then unless you use an SLB design for your hub, only BGP can carry that many routes.

As I stated earlier in this post, IS-IS cannot be used with DMVPN, since it doesn't run on top of IP. So forget about it!

OSPF can be used but has serious design limitations with DMVPN.

Since OSPF is a link-state protocol, its operation is a poor fit for DMVPN's NBMA-style multipoint tunnel.

OSPF's point-to-multipoint network type cannot be used in Phase 2, because with the P2MP network type the hub replaces the spokes' next hop with its own address.

But in Phase 2, as I stated earlier in the DMVPN article, the hub must preserve the spokes' next hop so that direct spoke-to-spoke tunnels can be built.

If you use OSPF over Phase 2, the only remaining options are the broadcast or non-broadcast network types.

Since OSPF non-broadcast requires every unicast neighbor to be specified manually, you lose the ease-of-configuration benefit of DMVPN.

Phase 3 removes the point-to-multipoint network type limitation of OSPF, but the problem remains that OSPF requires all nodes in one area to keep the same link-state database and routing table.

If you design Multi-area OSPF, where would you put the ABR to limit the topology information?

If you put a non-backbone area on the spokes' LAN segments and the backbone area on the tunnels, then Area 0 would still contain 2.000 spokes.

So a failure on one spoke (a link failure, for example) would force every spoke and the hub to run a full SPF.

With EIGRP and BGP this wouldn't be a problem, since both allow summarization at any node in the network.

OSPF allows inter-area summarization only on the ABR and external prefix summarization on the ASBR.

Even RIP can scale much better than OSPF in DMVPN networks. Long live RIP! 🙂

NHRP is used in all Phases.

In Phase 1, spokes don't use NHRP for next-hop resolution, but they do use NHRP to register their underlay-to-overlay address mapping with the hub.

Routing protocol neighborships are formed only between the hub and the spokes, not between spokes!

On-demand tunnels are created to pass data-plane traffic, not control-plane traffic!

If you have more than one hub, routing protocol neighborships are formed between the hubs as well.

Dynamic spoke-to-spoke on-demand tunnels are torn down when traffic ceases.

Spoke-to-hub tunnels are always up.
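To make the next-hop and summarization points above concrete (the Phase 2 requirement that the hub preserve the spokes' next hop, the Phase 3 freedom to summarize at the hub, and the NHRP registration of the spoke's underlay-to-overlay mapping), here is an added Cisco IOS-style configuration sketch that is not from the original post. It assumes EIGRP AS 1, a 10.0.0.0/24 tunnel overlay, a hub NBMA address of 203.0.113.1 (all constructed), and leaves the IPsec tunnel protection out.

```text
! Hub, DMVPN Phase 2 (EIGRP AS 1). The hub must re-advertise each spoke prefix
! with the originating spoke as next hop, so split horizon and next-hop-self
! are disabled and no summary is configured on the tunnel.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
!
! Hub, DMVPN Phase 3. The hub may now advertise a single summary; NHRP
! redirect (hub) and shortcut (spoke) rebuild the spoke-to-spoke next hop
! on demand, so next-hop preservation is no longer required.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip nhrp redirect
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
!
! Spoke, DMVPN Phase 3. The static mapping to the hub's NBMA address lets the
! spoke register its own underlay-to-overlay mapping with the hub (NHS);
! shortcut installs the direct spoke next hop learned from a hub redirect.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
!
! On every router: run EIGRP on the tunnel subnet plus the local LAN prefixes.
router eigrp 1
 network 10.0.0.0 0.0.0.255
```

In the Phase 2 block a summary on the hub would make the hub the next hop for every spoke prefix and break spoke-to-spoke tunnels, which is exactly the limitation the post describes; the Phase 3 block shows why summarization at the hub only becomes safe once NHRP redirect and shortcut are in place.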

DMVPN is very common in Enterprise networks. It is used as either a primary or a backup path.

Even if you enable QoS on the overlay tunnels, don't forget that when DMVPN runs over the Internet, the underlay transport is still best effort!

If multi tenancy is necessary, VRF lite can be used with DMVPN.

With VRF-lite, MPLS is not needed to create individual VPNs, but VRF-lite has scalability problems.

For large-scale multi-tenant deployments, 2547oDMVPN is an architecture that runs MPLS Layer 3 VPN over the DMVPN network.

What about you? 

Are you using DMVPN in your network?

Which Phase is enabled?

Which routing protocol do you use on your DMVPN tunnels?

Are you using encryption?

Is it your primary or backup path?

Let's discuss your design in the comment box below so everyone can benefit from your knowledge.
