04-21-2004 01:09 PM - edited 03-09-2019 07:08 AM
Currently we have Spoke and HUB VPN tunnels configured manually for about 100 sites. We are evaluating DMVPN to simplify and enable Spoke to Spoke tunnels. As for DMVPN, spokes initialize tunnels and register to the HUB router for Next hop router. Our concern is that if the HUB router has to be rebooted, it will take a long time for Spokes to re-register to the HUB, and the whole network might be down for a pretty long time.
Is it possible to have some HA solution for HUB? Will HSRP do the job, keep all the VPN tunnels and Next Hop Router tables in case of the failure of the primary router? By the way, we use EIGRP as routing protocol, how will the solution affect routing?
Thanks
Daniel
04-22-2004 04:35 AM
Hi Daniel,
You can use the single DMVPN layout with two hubs which are redundant.
Using a GRE tunnel, this gives you the EIGRP routing tables to all spokes.
04-22-2004 08:05 AM
To prevent asymmetric routing, could I define a higher routing distance on spokes for HUB2? Are there any other issues I should think about? You know, usually Cisco only tells you how good the solution is, but they never tell you the bad side of it.
I need a solution which is stable and scalable. What do you think will be the best solution to achieve my goal?
Thank you,
Daniel
04-27-2004 01:30 PM
Hi Daniel,
Sorry for the delay,
For me, I'm using a dual hub single DMVPN layout, using GRE and EIGRP.
One Hub acts as primary and the second as backup.
All spokes can create dynamic tunnels between each other.
On the hubs, to prevent asymmetric routing and to be able to tell to which Hub the traffic should go, I modified the tunnel interface and the inside interface.
On Hub1 (my primary)
Tunnel interface has a bandwidth of 250 and a delay of 1000.
Inside interface is by default, no modifications.
On Hub2 (my backup)
Tunnel interface has a bandwidth of 100 and a delay of 1050.
The inside interface has a delay of 50.
I verified my routing many times and all is fine. No asymmetric routing. No load balancing either.
I've been using this for a while now. The only thing I have done lately is upgrade to a version a (12.3.6a) because of the security issue.
All my sites are running without any problems and with good performance.
Once you're set up, you will see that the old way of doing VPN is ...let's say... very hard work. The new DMVPN is easy and fast to implement once the solution for you is found and tested.
Good DMVPN.
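Added example (not part of the posts above, and not the poster's own code): a short Python calculation of the classic EIGRP composite metric, showing why the bandwidth and delay values quoted for Hub1 and Hub2 make both directions of traffic prefer Hub1. The FastEthernet defaults, the spoke tunnel values and the path layout are assumptions; only the hub tunnel values and the Hub2 inside delay come from the thread.

```python
# Classic EIGRP metric with default K-values (K1=K3=1, K2=K4=K5=0):
#   256 * (10^7 // lowest_bandwidth_kbps + sum_of_delays)
# Delay is in tens of microseconds, the unit of the IOS "delay" command.

def eigrp_metric(path):
    """path: (bandwidth_kbps, delay_tens_usec) for each outgoing interface
    on the way to the destination, including the destination's own LAN."""
    lowest_bw = min(bw for bw, _ in path)
    total_delay = sum(delay for _, delay in path)
    return 256 * (10**7 // lowest_bw + total_delay)

# Values quoted in the thread.
HUB1_TUNNEL = (250, 1000)
HUB2_TUNNEL = (100, 1050)
HUB2_INSIDE_DELAY = 50

# Assumptions (not stated in the thread): inside and LAN interfaces are
# FastEthernet with default values, and the spoke tunnel uses 250/1000.
FAST_ETHERNET = (100_000, 10)
HUB1_INSIDE = FAST_ETHERNET
HUB2_INSIDE = (FAST_ETHERNET[0], HUB2_INSIDE_DELAY)
SPOKE_TUNNEL = (250, 1000)  # one tunnel interface, shared by both hubs

def head_office_to_spoke():
    # core router -> hub tunnel interface -> spoke LAN
    return {
        "hub1": eigrp_metric([FAST_ETHERNET, HUB1_TUNNEL, FAST_ETHERNET]),
        "hub2": eigrp_metric([FAST_ETHERNET, HUB2_TUNNEL, FAST_ETHERNET]),
    }

def spoke_to_head_office():
    # spoke tunnel interface -> hub inside interface -> head-office LAN
    return {
        "hub1": eigrp_metric([SPOKE_TUNNEL, HUB1_INSIDE, FAST_ETHERNET]),
        "hub2": eigrp_metric([SPOKE_TUNNEL, HUB2_INSIDE, FAST_ETHERNET]),
    }

def preferred(metrics):
    """EIGRP installs the lowest-metric path; unequal metrics mean no load balancing."""
    return min(metrics, key=metrics.get)

if __name__ == "__main__":
    for name, fn in (("head office -> spoke", head_office_to_spoke),
                     ("spoke -> head office", spoke_to_head_office)):
        m = fn()
        print(f"{name}: {m} -> via {preferred(m)}")
```

Because the spoke has a single tunnel interface in this layout, the spoke-to-hub direction is decided only by the inside-interface delay on Hub2, while the return direction is decided by the hub tunnel bandwidth and delay.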