Is it possible to use HSRP/GLBP over DMVPN phase-3 tunnel ?

zobaerzihan
Level 1

zobaerzihan_0-1686186017790.png

Hello everyone. I'm trying to set up a lab to experiment with FHRP technology on DMVPN. As depicted in the picture above, we have two DMVPN hubs and three spokes. Both the hubs are configured as NHS on all three spokes. DMVPN phase 3 has been implemented. The transport layer is running EIGRP and the tunnel is running OSPF. All three spokes are configured and registered with both the hubs and form OSPF neighbour relationships as well.
The intention is to configure hub-1 and hub-2 with a virtual IP and then use that IP to map the NHS on the spokes, so that when the spokes try to connect to the virtual IP, it will load balance onto the two hubs.
Is this goal achievable in this scenario? If yes, how? If no, I'm missing some logic; what would that be?

 

7 Replies

M02@rt37
VIP

Hello @zobaerzihan,

From my point of view, in a typical DMVPN deployment, the NHS feature is primarily designed for failover and redundancy purposes, rather than load balancing. The spokes will select a single hub as the primary NHS, and the other hubs will act as backups in case of failure.

While it is possible to configure multiple hubs as NHS on the spokes, the spokes will still prefer a single hub as the primary NHS and will not load balance the traffic across the hubs. The NHS feature does not inherently provide load balancing capabilities.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks very much. I do agree with all the points you have mentioned. Basically, I was expecting to split the traffic while choosing the NHS. Say we have 2 users in each of the spokes, 6 in total. I was thinking about how I could split 3 users to Hub-1 and the other 3 users to Hub-2. My thought was that any FHRP would do the trick and split it between the two hubs.

If you change TR-1 with SW then I think you can use VIP as ip nhrp map <hub1/2> <VIP> in each spoke, and hence you use HSRP.

Thanks for your comment. The command you have proposed is valid on the spokes, the reason being that a spoke has no idea whether the IP is virtual or not. However, this command goes under the tunnel configuration, which becomes the issue on the hubs. On each hub, the tunnel is not accepting any virtual IP. No command for any FHRP is accepted under the tunnel configuration. I believe the tunnel, being a logical interface, is not allowing any FHRP config on it.

I will share a lab with you showing how you can configure DMVPN with HSRP.

I'm very curious to dig into it. If you can share, it will be a great help. I highly appreciate your effort. Thanks in advance. 

Joseph W. Doherty
Hall of Fame

Cannot say for sure you cannot do this, but as FHRP, I believe, uses direct L2 not L3, this might not be possible. (However, I was surprised, years ago, when I found you can optionally enable CDP across some GRE tunnels. But the latter, I suspect, was something Cisco decided to do as a special case and perhaps requested by customers, i.e. unlikely a similar situation for any FHRP across VPN tunnels.)

In the past, I've had real world DMVPN networks, with dual hubs, where spokes used both hubs, concurrently, using hub with best path to destination or using both via ECMP. So, wondering why this approach vs. "traditional" L3?
