Run EIGRP over DMVPN in an MPLS cloud with BGP

Sep 18th, 2008


We are having 15 sites connected to each other via MPLS using BGP.

We are planning to run DMVPN over the WAN. Can we use EIGRP in the tunnel, as we know EIGRP is having an administrative distance of 90 & BGP 20? We won't be able to see EIGRP routes in the routing table.



Giuseppe Larosa Thu, 09/18/2008 - 03:41

Hello Sachin,

When you use DMVPN you need to separate the routing protocols' actions and scopes:

You need a network infrastructure that allows the DMVPN to be set up; in your case it is an MPLS L3 VPN and you use eBGP as the CE-PE protocol.

Then comes the DMVPN that can use EIGRP.

In order to work well and avoid recursion issues and so on:

eBGP will advertise the IP addresses that are used as IPSec endpoints.

NHRP will build a virtual flat backbone for EIGRP in multipoint GRE that travels inside IPSec.

In the EIGRP protocol you need to advertise the LAN subnets of every site that you want to protect.

Of course these "inside" IP subnets have to be advertised only by EIGRP inside mGRE and not by BGP.

You may need a route filter on the eBGP session or a change in your network statements to achieve this.

Another requirement is that the external IP addresses must not be advertised by EIGRP.

I was able to use this setup, but this separation of duties among BGP (infrastructure only) and EIGRP (inside only) is needed.

Hope to help


mloraditch Tue, 12/01/2009 - 05:35


Not sure if you are still watching this, but I have the exact same situation and was hoping to possibly get an example of some sort.

Say for example: is my PE/CE Link is LAN is my DMVPN Tunnel Subnet

and is my Subnet on my Outside Interface (I am not behind an ASA or other FW)

What networks would I have on my BGP configuration and which on my EIGRP? Would there be any redistribution?


Giuseppe Larosa Tue, 12/01/2009 - 08:44

Hello Mloraditch,

In simple words, you need to avoid recursion or the tunnel will flap.

network should be advertised on BGP.

EIGRP should have network specific commands including mask for

internal LAN

virtual flat subnet on DMVPN

if other subnets have to communicate out of DMVPN example they must not be advertised over the tunnel by EIGRP.

Hope to help


mloraditch Tue, 12/01/2009 - 08:47

OK, that makes sense and that's where I was going with the information from your older post. What about redistribution? Do I need to redistribute back and forth?

Thanks so much, very appreciated!

Giuseppe Larosa Tue, 12/01/2009 - 08:55

Hello Mloraditch,

Thanks for your kind remarks.

Redistributing should not be needed and it should be considered carefully because it can lead to routing problems.

DMVPN being routing based, there is no extended ACL to define traffic to be encrypted like in a standard point-to-point IPSec tunnel.

Protected communications have to be decided on a per IP subnet basis.

You cannot discriminate on a per protocol basis and you need to keep external routing and internal (DMVPN) routing separated, so I don't see a need for redistribution.

Or is your DMVPN to be used for backup purposes?

Hope to help


mloraditch Tue, 12/01/2009 - 09:00


My DMVPN is for backup purposes. The primary connections are T-1s into the MPLS network.

Does this change things?

Giuseppe Larosa Tue, 12/01/2009 - 09:39

Hello Mloraditch,

Yes, if DMVPN is used as a backup link there may be a need for redistribution.

I suppose primary paths are MPLS links where you receive an MPLS L3 VPN.

I also suppose you are using eBGP as PE-CE protocol on these links.

eBGP has AD 20, better than EIGRP routes (when no EIGRP summary routes are configured locally).

It is important to know if DMVPN tunnels are terminated in headquarters on a different router.

Also it is important to know what IGP is used on headquarters and what, if any, on each remote site.

If it is EIGRP and the same EIGRP process is used on DMVPN, this may require some care.

AD and route length can be used to prefer primary paths.

More specific routes are used first regardless of AD; if two routes have the same prefix length, AD plays a role.

Hope to help
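
Added example, not part of the original posts or any poster's configuration: a small Python model of the two rules discussed in this thread, namely that the tunnel endpoint must never resolve through the tunnel (recursion) and that prefix length is compared before AD when choosing between the MPLS path and the DMVPN backup. All addresses, prefixes and interface names are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: str   # destination prefix
    proto: str    # "ebgp", "eigrp" or "connected"
    ad: int       # administrative distance (eBGP 20, EIGRP internal 90)
    out_if: str   # outgoing interface

def best_route(rib, dest) -> Optional[Route]:
    """Longest prefix wins; AD only breaks ties between equal-length prefixes."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in rib if addr in ipaddress.ip_network(r.prefix)]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad))

def tunnel_recurses(rib, tunnel_dest, tunnel_if="Tunnel0") -> bool:
    """True when the IPsec/GRE endpoint is reached through the tunnel itself."""
    r = best_route(rib, tunnel_dest)
    return r is not None and r.out_if == tunnel_if

# Constructed sample data: a spoke router's view of the network.
HUB_OUTSIDE = "198.51.100.1"                             # hub IPsec endpoint
SPOKE_RIB = [
    Route("198.51.100.0/24", "ebgp", 20, "Serial0/0"),   # underlay, from the PE
    Route("172.16.0.0/24", "connected", 0, "Tunnel0"),   # mGRE subnet
    Route("10.1.0.0/16", "eigrp", 90, "Tunnel0"),        # HQ summary via DMVPN
]
# Misconfiguration: the hub also advertises its outside subnet in EIGRP,
# as a more specific prefix than the one learned from eBGP.
LEAKED_RIB = SPOKE_RIB + [Route("198.51.100.0/30", "eigrp", 90, "Tunnel0")]
# Backup design: the HQ LAN is also learned from eBGP over MPLS as a /24.
BACKUP_RIB = SPOKE_RIB + [Route("10.1.5.0/24", "ebgp", 20, "Serial0/0")]

if __name__ == "__main__":
    print("clean underlay recurses:", tunnel_recurses(SPOKE_RIB, HUB_OUTSIDE))
    print("leaked endpoint recurses:", tunnel_recurses(LEAKED_RIB, HUB_OUTSIDE))
    print("primary up, exit via:", best_route(BACKUP_RIB, "10.1.5.10").out_if)
    print("primary down, exit via:", best_route(SPOKE_RIB, "10.1.5.10").out_if)
```

In the leaked case the lower AD of eBGP does not help, because the EIGRP /30 is more specific than the eBGP /24; this is why the outside addresses have to stay out of EIGRP entirely.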


mloraditch Tue, 12/01/2009 - 10:06

You are correct. Primary is MPLS links and eBGP on PE/CE.

DMVPN is being terminated on a router that is also an MPLS Endpoint


Previously the whole network was statically routed so there were no IGPs running anywhere. The BGP is just now being implemented for the DMVPN install. The remote sites are small and only have 1 subnet so there was no need to run a routing protocol anywhere before.

I have attached a PDF that gives you an idea (hopefully) of what I had and where I am trying to go.

Thank you again for all of your assistance!

Giuseppe Larosa Wed, 12/02/2009 - 13:04

Hello Mloraditch,

>> DMVPN is being terminated on a router that is also an MPLS Endpoint

But is it the only node at the central site, or is there another node at the central site?

I've given a look at the network diagram but it is not possible to understand the central site structure.

I think you should be fine; in case of doubt, if your address plan allows it, have EIGRP use ip summary-address to advertise less specific routes.

Hope to help


hemantahire Thu, 09/22/2011 - 09:48

Hi Giuseppe

I am also working on a design to run DMVPN with EIGRP over an MPLS/BGP network. In our scenario, the primary link is from another ISP running OSPF currently. Can I run EIGRP on the primary link and still run EIGRP on DMVPN to keep consistency in routing protocols and maintain simplicity of design? I am concerned about how failover will work etc. Let me know your thoughts. Do you feel running OSPF on the primary link will make it easier?

