Single Tier Dual-DMVPN & hub-to-spoke + spoke-to-spoke

AJAZ NAWAZ · ‎01-31-2008

Dear All,

I'm looking for Dual-DMVPN documentation with config example perhaps for mGRE interfaces on headends and spokes. I require dynamic spoke-to-spoke connectivity - make any sense?,

i.e. 'tunnnel mode gre multipoint' configured on spoke router tunnel interface (Single)

this link does *not* have what i'm really after:

<http://www.cisco.com/en/US/customer/tech/tk583/tk372/tech_configuration_examples_list.html>

tia

Ajaz

sam.crooks · ‎03-15-2009

Dynamic spoke-to-spoke requires your spoke routers to have mGRE tunnel interfaces. If you ever have a spoke which sources 2 tunnels from the same physical interface, you have a problem: how to resolve which tunnel is an incoming NHRP request for?

My DMVPN is a bit different in that the crypto is GETVPN on the physical interface. There is a crypto-map applied to the physical interface and it has 2 entries which correspond to the GETVPN crypto-groups for each tunnel.

I resolved this issue by making one of the 2 tunnels on each spoke router mGRE and the 2nd one point to point. the mGRE tunnel is preferred as primary (we use eBGP through the tunnel, so routes received through the mGRE tunnel are local-pref'd high and we AS path prepend routes advertised out the point-to-point tunnel)

I haven't gone back and tested what happens when you have a spoke which has 2 tunnels sourced from the same interface and another spoke with 2 tunnels sourced from the same interface or from 2 different physical interfaces. The concern is that you may get a situation where one router uses Tunnel 2 for dynamic spoke-to-spoke tunneling, and the other uses Tunnel1, and that the dynamic tunnel setup fails because the crypto map cannot properly decide which crypto group to use for the incoming traffic on the router where 2 tunnels use the same physical interface.