
Advice on new DMVPN Design

Dean-VA
Level 1

Hello,

We're looking to replace an existing iWAN installation with DMVPN. The current setup utilizes MPLS and INET in each location. We will be replacing MPLS links with second INET links, so each site (7 total) will have 2 Internet links, and 2 Routers. One HUB and 6 Spokes. We are not expecting this environment to grow anytime soon, so I am after a simple design with relatively fast failover when one of the internet connections goes down. Thinking of using EIGRP, but open to other suggestions. Your input would be appreciated. A lot of the documentation I looked at has only a single router in the HUB and Spokes, and we will have 2 in each location.

Thanks

7 Replies

Hi,

Sounds like a pretty straightforward design. If you are already using EIGRP in your network, then it's fine to use it for DMVPN as well. I'd recommend using DMVPN Phase 3 and Next Generation Encryption (NGE) algorithms.

An alternative to DMVPN is FlexVPN; it's newer than DMVPN but provides the same functionality and is fully supported by Cisco.

 

References:

Cisco NGE

DMVPN Dual Hub

Compare DMVPN Phases

FlexVPN overview

 

HTH

Thank you!  I am assuming I should go with Dual Hub, Single Cloud design?  If so, that implies the following:

 

1.  Each hub router will have its own subnet for the tunnel interfaces?

2.  Two ip nhrp nhs statements for each spoke router?

3.  Two nhrp network ids, one per each hub router?

 

Thanks

If you are going with Dual Hub/Single Cloud then the tunnel interfaces would all be in the same network/subnet. Yes, 2 nhrp/nhs statements for each Hub. You should not need a separate network-id in single cloud.

By default traffic would be load balanced over the 2 tunnels. You can change this by modifying the EIGRP delay to prioritise traffic over 1 tunnel. Alternatively you can use the "max-connections" command, as described in one of the Dual Hub links previously provided.

 

Useful references here and here.

 

HTH
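The spoke side of the Dual Hub/Single Cloud layout described in the reply above, as an added example that is not part of the thread or any poster's configuration. All addresses, the interface name and the IPsec profile name are constructed placeholders, and the NHS priority/cluster options shown are one way to apply the "max-connections" approach the reply mentions.

```cisco
! Constructed example: spoke tunnel for Dual Hub / Single Cloud (DMVPN Phase 3).
! Every address, interface name and the profile name is a placeholder.
! Hub 1: tunnel 10.0.0.1, public (NBMA) 192.0.2.1
! Hub 2: tunnel 10.0.0.2, public (NBMA) 198.51.100.1
!
interface Tunnel0
 description DMVPN single cloud - one mGRE tunnel reaches both hubs
 ! Same subnet as both hub tunnel interfaces
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! One network-id for the whole cloud
 ip nhrp network-id 1
 ! Two NHS entries, one per hub; the lower priority value is preferred
 ip nhrp nhs 10.0.0.1 nbma 192.0.2.1 multicast priority 1 cluster 0
 ip nhrp nhs 10.0.0.2 nbma 198.51.100.1 multicast priority 2 cluster 0
 ! Keep only one NHS in the cluster active at a time (active/standby)
 ip nhrp nhs cluster 0 max-connections 1
 ! Phase 3 spoke behaviour (the hubs carry "ip nhrp redirect")
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! IPsec profile assumed to be defined elsewhere with the chosen NGE algorithms
 tunnel protection ipsec profile DMVPN-PROFILE
```

Without the priority/cluster options and the max-connections line, the spoke registers with both hubs at once and path preference is left to the EIGRP delay, the other option given in the reply.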

It seems a lot of the examples I see are based on a single router in the Spoke.  In my case, each spoke will have 2 routers, router-1 will have ISP1, and router-2 will have ISP2.  We don't want to load balance the traffic, active/standby is probably best for our environment.  Knowing that, would Dual Hub/Dual Cloud setup be more beneficial?  Thanks

Ok, there isn't much information on dual spoke routers. You could run HSRP on the inside interfaces of the 2 spoke routers; you'd still need to use EIGRP delay to ensure traffic from the Hub goes to the spoke router that is HSRP active.

HSRP for sure, but do you think since I have 2 routers in each spoke that I should go with the Dual Cloud design? If so, would each spoke router have a single tunnel or two tunnels to each HUB router? I would think each spoke router will need to connect to both HUB routers, just not sure if this is best done via 2 separate tunnels or a single one.

 

Thanks

 

Well, you can achieve what you want (active/standby) using either 1 or 2 tunnels. There are pros and cons to both; however, it would simplify the design/reduce complexity to just have each spoke router peer with 1 (different) hub router.
