Solved: DMVPN as IPsec / HSRP replacement

adamtodd16 · ‎07-21-2014

Currently making the move from IPsec to HSRP.

I have yet to switch our IPSec sites that run dual routers / HSRP. I know HSRP and DMVPN don't mesh together, so wondering if you someone can give me a basic config example for doing the same thing with DMVPN (with EIGRP).

Currently if R1 fails at the spoke, R2 becomes active via HSRP. How do I do the same thing with DMVPN?

For this example, let's assume the spoke is running 2 881's.

ghostinthenet · ‎07-22-2014

There's no reason why HSRP can't work with a DMVPN/EIGRP configuration.

Each router can be configured as a DMVPN spoke with the primary router having a track watching a route advertised from the hub.

track 1 ip route 192.168.128.0 /24 reachability

You can then set your HSRP on the LAN interface with the primary router set for pre-emption, lower its priority when the track goes down. When this happens, the backup router will take the default gateway and start using its own DMVPN connection for connectivity.

If you want to be sure that you don't have asymmetric routing, you can pad the EIGRP advertisements from the backup router so that that path is only used when the primary goes down.

Also, ensure that you set the LAN interfaces to be passive in EIGRP. If you don't, the primary router will get the advertisements from the backup router and never sense that the connection has gone down.

View solution in original post

ghostinthenet · ‎07-22-2014

There's no reason why HSRP can't work with a DMVPN/EIGRP configuration.

Each router can be configured as a DMVPN spoke with the primary router having a track watching a route advertised from the hub.

track 1 ip route 192.168.128.0 /24 reachability

You can then set your HSRP on the LAN interface with the primary router set for pre-emption, lower its priority when the track goes down. When this happens, the backup router will take the default gateway and start using its own DMVPN connection for connectivity.

If you want to be sure that you don't have asymmetric routing, you can pad the EIGRP advertisements from the backup router so that that path is only used when the primary goes down.

Also, ensure that you set the LAN interfaces to be passive in EIGRP. If you don't, the primary router will get the advertisements from the backup router and never sense that the connection has gone down.