Open source multipoint VPN with VyOS
Connected Mesh
Traffic Shaping
A traffic shaper reduces the outgoing packet rate to match the rate of the link. Packets that arrive too fast are only delayed, so they are not dropped at the next hop. This yields somewhat higher effective throughput, because a delayed packet is better than a dropped packet.
The correct value for the traffic shaper matters. As with OSPF, the shaper must act on exactly those packets that would exceed the outgoing bandwidth of the Internet link. A lower value wastes bandwidth, and a higher value makes the shaper pointless, because the ISP's link drops the excess anyway. You could even limit incoming traffic with a policer, but that makes no sense in this setup.
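A VyOS configuration that applies such a shaper, as an added example (not from the article): it assumes eth0 is the WAN uplink carrying the IPsec/GRE underlay, an upstream rate of 100 Mbit/s, and the VyOS 1.x "traffic-policy" syntax.

```vyos
# Added example, not the article's own configuration.
# Assumptions: eth0 = Internet uplink, upstream rate 100 Mbit/s,
# VyOS 1.x ("traffic-policy") command syntax.
configure

# The overall rate is the value that matters: set it to the real
# upstream rate of the Internet link. Lower wastes bandwidth, higher
# leaves the dropping to the ISP and makes the shaper pointless.
set traffic-policy shaper WAN-OUT bandwidth 100mbit

# Unclassified traffic (here: everything) may use the whole rate and
# is queued fairly between flows instead of being dropped.
set traffic-policy shaper WAN-OUT default bandwidth 100%
set traffic-policy shaper WAN-OUT default ceiling 100%
set traffic-policy shaper WAN-OUT default queue-type fair-queue

# Apply it outbound on the physical interface that carries the DMVPN
# underlay towards the Internet, not on the mGRE tunnel interface:
# the Internet link rate applies to the encrypted packets on eth0.
set interfaces ethernet eth0 traffic-policy out WAN-OUT

commit
save
exit

# Verify that the policy is attached and watch for queued (delayed)
# rather than dropped packets once the link is saturated.
show queueing ethernet eth0
```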
Limited Perspective
The DMVPN cloud now offers communication between all peers on OSI Layer 3. Every client can address its target by IP address.
In some cases, or even just to satisfy curiosity, end-to-end communication on OSI Layer 2 is required. The hosts see each other's MAC address, and the WAN becomes one large Ethernet switch. This kind of setup is typical for a data center, for merging virtual environments, or for interconnecting multiple data centers.
The solution for this sounds simple: Just bridge the LAN adapter and the tunnel interface together. However, the underlying TUN kernel module in VyOS refuses this action. Bridging is not supported for multipoint tunnels.
Surprisingly, VyOS supports the virtual extensible LAN (VXLAN), which is the perfect match for this setup. The name indicates a LAN environment, but using it in the WAN is possible. VXLAN puts an Ethernet-like layer over the existing DMVPN. Strictly speaking, the VXLAN is the overlay network, and the DMVPN cloud is the underlay network.
If you really think about using this approach, here are the limitations: Even when it feels like Ethernet to a client, it is actually a WAN environment with packet loss, delay, jitter, and a smaller MTU than most applications would expect from a LAN.
Moreover, a spanning tree is included. A redundant path in the LAN (even if it is a disguised WAN) needs loop prevention, so the complexity of NHRP, IPsec, OSPF, and VRRP is extended by some form of spanning tree protocol.
DMVPN is flexible enough to host an OSI Layer 2 network like VXLAN, although that's not a recommended design. VXLAN on top of DMVPN is more of a workaround when Ethernet connectivity is the main goal.
Show Me the Money
Now that the pros and cons of the alternative DMVPN are exposed, what kind of investment should you expect? Cisco's smallest router for DMVPN is the C881 series and starts at $250. Although this might sound feasible for a home office with limited bandwidth, if you need to saturate an Internet link of 100Mbps, pick a Cisco 1921, which needs a budget of $600. For higher bandwidth, Cisco asks for four digits.
Clearly, open source software will win the race when it comes to nonrecurring costs, but you must also keep a close eye on time and business risk. The old catchphrase, "Nobody ever got fired for buying IBM," might be true for Cisco, but not for VyOS.