10-04-2007 06:07 AM - edited 03-03-2019 07:01 PM
Hi,
I am planning on making our small office VPN solution more redundant by adding a second hub router to our DMVPN solution. There are about 100 spoke routers, and there will be 2 hub routers, both located in one of our datacenters.
I have some questions around the detailed config for this (we will use EIGRP routing protocol).
Most important question is whether or not to use ISAKMP profiles with the crypto keyring commands for the pre-shared keys, or just choosing different tunnel-id, different subnet and tunnel key for each tunnel (each spoke will have two tunnel configs of course).
What are the pros and cons of crypto keyring, when to use it?
Second question is about EIGRP over DMVPN (in case of two hub routers). What is the best way to force traffic to prefer one hub router as the main path?
Thanks in advance,
Leo
10-05-2007 04:27 AM
Hi,
I would suggest not to use tunnel keys.
We have experienced that not all equipment will do GRE in hardware if you use tunnel keys.
Second, you might want to use a PKI; you can host this also on IOS hardware.
You might want to have a look at the ECT Design: http://www.cisco.com/en/US/products/ps6808/products_ios_protocol_option_home.html
Might help with your problem.
hth
patrick
10-05-2007 10:31 AM
No tunnel key with GRE????
Ehm, that would not adhere to the DMVPN solution. Or do you mean the preshared keys for IPSec? In that I agree it would be better to have PKI, but since there are only 100 spokes at this point this is not considered an issue for now.
What I need to know is when it is needed to use crypto keyring for a DMVPN solution. Anybody who can shine a light there?
Thanks in advance,
Leo