Open source multipoint VPN with VyOS

Connected Mesh

Traffic Shaping

A traffic shaper reduces the available packet rate to match the rate of the link. Fast packets only slow down to prevent them from being dropped at the next hop. This leads to a somewhat higher bandwidth because a delayed packet is better than a dropped packet.

The correct value for the traffic shaper matters. Compared with OSPF, the shaper must act on packets that will violate the outgoing bandwidth of the Internet link. A lower value will waste bandwidth and a higher value will make the shaper dispensable. You could even limit incoming traffic with a policer, but that makes no sense in this setup.

Limited Perspective

The DMVPN cloud now offers communication between all peers on OSI Layer 3. Every client can address its target by IP address.

In some cases, or even to satisfy curiosity, an end-to-end communication on OSI Layer 2 is required. The hosts see each other's MAC address, and the WAN becomes one large Ethernet switch. Normally this kind of setup is typical for a data center, when merging virtual environments, or when interconnecting multiple data centers.

The solution for this sounds simple: Just bridge the LAN adapter and the tunnel interface together. However, the underlying TUN kernel module in VyOS refuses this action. Bridging is not supported for multipoint tunnels.

Surprisingly VyOS supports the virtual extensible LAN (VXLAN), which is the perfect match for this setup. The name indicates a LAN environment, but using it in the WAN is possible. VXLAN puts an Ethernet-like layer over the existing DMVPN. In correct terms, the VXLAN is the overlay network, and the DMVPN cloud is the underlay network.

If you really think about using this approach, here are the limitations: Even when it feels like Ethernet to a client, it is actually a WAN environment with packet loss, delay, jitter, and a smaller MTU than most applications would expect from a LAN.

Moreover, a spanning tree is included. A redundant path in the LAN (even if it is a disguised WAN) needs loop prevention, so the complexity of NHRP, IPsec, OSPF, and VRRP is extended by some form of spanning tree protocol.

DMVPN is flexible enough to host an OSI Layer 2 network like VXLAN, although that's not a recommended design. VXLAN on top of DMVPN is more of a workaround when Ethernet connectivity is the main goal.

Show Me the Money

Now that the pros and cons of the alternative DMVPN are exposed, what kind of investment should you expect? Cisco's smallest router for DMVPN is the C881 series and starts at $250. Although this might sound feasible for a home office with limited bandwidth, if you need to saturate an Internet link of 100Mbps, pick a Cisco 1921, which needs a budget of $600. For higher bandwidth, Cisco asks for four digits.

Clearly, open source software will win the race when it comes to nonrecurring costs, but you must also keep a close look on time and business risk. The old catch phrase, "Nobody ever got fired for buying IBM," might be true for Cisco, but not for VyOS.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Routing with Quagga

    Cisco and Juniper have implemented routing protocols to help your router find the optimum path. On Linux, you can use software like Quagga, with its Zebra daemon, to help automate this process.

  • Flexible software routing with open source FRR
    The FRR open routing stack can be integrated into many networks because it supports a large number of routing protocols, though its strong dependence on the underlying kernel means it requires some manual configuration.
  • IPv6 tunnel technologies
    Now that IPv6 is the official Internet protocol, all that remains is the simple task of migrating all the machines on the Internet. Until that happens, tunnel technologies provide an interim solution.
  • GENEVE network tunneling protocol
    LAN data transmission has evolved from the original IEEE 802.3 standard to virtual extensible LAN (VXLAN) technology and finally to today's Generic Network Virtualization Encapsulation (GENEVE) tunneling protocol, which offers improved flexibility and scalability, although it still faces some issues. We look at the three technologies and their areas of application.
  • Border Gateway Protocol
    We look at the Border Gateway Protocol, how it routes packets through the Internet, its weaknesses, and some hardening strategies.
comments powered by Disqus