Our head office has two GRE+IPSEC Tunnels to our data center. This is a Primary and Backup setup using EIGRP internal. The Head office connects to the spokes over MPLS using BGP. So we have 2way redistribution with filters in place. The spokes use the MPLS link to Head office as the primary connection to the Data center, however if the Primary at the HEad office fails, the spokes don't use their own local GREVPN backups we have configured due to admin distance issues obviously. The spokes also run EIGRP to the Data center and BGP into the MPLS core.
I can successfully tag routes on the backup VPN tunnel at the head office fine, however I am having a hard time carrying this tag over to the remote spokes and matching them to deny those routes from being injected into the route table. Any ideas?