cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1270
Views
10
Helpful
11
Replies

DMVPN & GRE

bjssccouser
Level 1
Level 1

Hi,

We currently have 2 sites. The primary site has 2 WAN connections and the Secondary only 1. All 3 WAN connections terminate at 2600 series routers. I have 2 GRE tunnels setup on the Secondary site router, which terminate at each of the routers at the primary site. I've then used ospf costs on the GRE interfaces to give preference to the higher bandwidth link (I don't want to load balance)

We are loking to install a second WAN connection at the secondary site, which I will also need to introduce into the GRE network to create a kind of full mesh network. I could do this by creating 2 more tunnels on the new router, I suppose, but I would like to simplify the config instead.

If I was to modify the setup to use DMVPN GRE, all the routers will only have a single GRE tunnel, I believe. In this case, how could I control which tunnel get's preference in OSPF once the tunnels are built?

Any help would be greatly appreciated.

Thanks

1 Accepted Solution

Accepted Solutions

Yes, that's correct if the subnets the primary site should join are directly connected to both routers of the secondary site.

Laurent.

View solution in original post

11 Replies 11

Laurent Aubert
Cisco Employee
Cisco Employee

Hi,

To get around this limitation, you should configure one mGRE tunnel per router on your primary site and still keep two different tunnel interfaces on each router of your secondary site.

This way you simplify your hub configuration when you will add other sites and you keep the control as you can decide which tunnel the secondary site will use as primary. You can then implement load-sharing if you have several sites.

HTH

Laurent.

Apologies if my understanding of this isn't great.

Curently I have to modify the ospf costs of the GRE interfaces at both sites to ensure a particular tunnel is used for traffic in both directions. If I only modify the costs at one site, return traffic ends up coming down a different tunnel.

By keeping multiple GRE interfaces at the secondary site, I will inded still be able to control which specific tunnel is used via OSPF costs.

When it comes to return traffic from the Primary site, I would then give the GRE interface of the main router a higher cost to ensure all traffic goes via this router. However, there will be 2 DMVPN tunnels established at this point, so how can I control which tunnel is used for this, the return traffic? These 2 dynamic tunnels will be of equal cost by default, I would imagine.

Thanks

With DMVPN you can still adjust the OSPF metrics by changing the bandwidth statement on the tunnel interface.

On which ever tunnel you would like to make the preferred return path set the bandwidth to be higher using the bandwidth command, or you could simple lower the cost on the interface using the “ip ospf cost statement”.

I see two options:

On the routers of the secondary site

1- Set a different OSPF cost on the LAN interface of each router if the subnet is part of OSPF domain (network statement)

2- Redistribute your LAN on the two routers with two E2 metrics

HTH

Laurent.

HI,

Thanks for this. Just to make suye I've understood you correctly, if I go for option 1, I would modify the costs of the tunnel interfaces AND the physical ethernet interfaces at the Secondary site. This would mean I wouldn't need to make any OSPF cost changes at the primary site and this would also influence return traffic. Is this corect?

Thanks

Yes, that's correct if the subnets the primary site should join are directly connected to both routers of the secondary site.

Laurent.

Thank you for all your help with this

Hi,

If it's ok I'd like to pick your brain once again. If I was to change the above setup, so I only placed a single 1812 router at the secondary site, how can I acheive this with just one router?

I've looked at this example:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml

I would want both WAN connections to be in use all the time as I would need all the GRE tunnels to be up.

Thanks

I am guessing, if I setup everything as per the Cisco guide and then setup:

- the ipsec sa details and gre tunnel details

- static routes for the backup GRE tunnels to go via the backup WAN

This should allow me to use a single router?

Thanks

Hi,

If I understand you correctly, you want to to load-balance your traffic across both tunnels which are stick to a different WAN interface right ?

If it's the case then you just have to create two different tunnels each one using a different WAN interface as the source address. As you said to stick a tunnel to a WAN link, configure /32 routes to join the IPSec peers:

int tunnel 1

tunnel source fast0/1

tunnel destination 1.1.1.1

!

int tunnel 2

tunnel source fast0/2

tunnel destination 2.2.2.2

!

ip route 1.1.1.1 255.255.255.255

ip route 2.2.2.2 255.255.255.255

With this design, if you loose a WAN link, the OSPF adj in the tunnel sticks to this interface will get down and you will re-route the traffic to other tunnel

You could also decide to re-route the tunnel itself over the 2nd WAN link instead. In this case, you need to add floating routes:

ip route 1.1.1.1 255.255.255.255 250

ip route 2.2.2.2 255.255.255.255 250

It allows you to keep using the two links of your primary site even if you lost one link on your secondary site.

HTH

Laurent.

Once again, thank you for your help with this.

Review Cisco Networking for a $25 gift card