DMVPN - How to configure with sub-interfaces

DAVE GENTON
Level 2

Configuring dynamic vpn tunnels, however this small network is using frame-relay with sub-interfaces. On the hub router, when configuring the tunnel source you can only enter a single interface, if I have 2 remotes, I have 2 sub interfaces, how do you accommodate multiple remote sites when you are using more than one wan interface ??? Online documentation states use a SINGLE tunnel interface, and this cannot deviate as you must use a single subnet for the NHRP network ??

dave

9 Replies

paolo bevilacqua
Hall of Fame

First of all if you have frame-relay direct to the branches, you don't need dmvpn.

Anyway, if you want an interface-independent address for tunnel, use a loopback.

Thanks to everyone, using the loopback took care of it, just didn't think of using a loopback in a crypto scenario.....Sorry for confusion, the f/r sub interfaces simply come from what I had running in my voice lab to use to try out crypto before going to customer site, they don't have F/R of course, but 2 serials each directly to an ISP. Do you just use 2 default routes, one each to each ISP's gateway ?? or do you use floating static to weight it for primary ISP ??? without bgp or "dynamic" to ISP's cannot load balance so I assume they can only be setup as a backup type scenario..

You will have problems using the loopback interface in an internet scenario, because if it is a private address it won't be routed on the internet, and if it is taken from a PA block, it will be unreachable if the corresponding circuit is down.

Ideally, you should have BGP and PI space for that, however many customers do not meet the requirements.

So, when using two ISPs, your only choice for backup is configuring two separate DMVPN clouds, each one tied to one ISP. Then with routing inside the DMVPN, you can decide how to preference and balance traffic.

Please remember to rate useful posts with the scrollbox below.

In a real ISP world with internal addressing thru external (public) addressing I see that being an issue since we are mapping to external public ip's. So basically would it be correct to say I would have 2 tunnel interfaces (because of the mapping) but could still use a single configuration for the policy and transform sets ?? Looking to stay with the premise of dmvpn in that little configuration needs to be done when customer rolls out additional remote sites... I suppose I could lab this by removing my f/r sub interfaces from ospf routing, and just adding default static routes in each router as you would normally have in an internet vpn type scenario but since it's still one cloud, one router as a pstn switch emulator that would cause me to completely tear up my ccie voice lab to truly attempt to recreate this just for the internet emulation...

thanks again for all the help "p" :)

Yes, even with two clouds you can share policies and a lot of other stuff.

You will find that although this may look simple, it takes a lot of attention to configure it 100% right and optimized.

Please remember to rate useful post with the scrollbox below.
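
The two-cloud layout discussed above, sketched as an added example for the hub side (not configuration posted by anyone in this thread). It assumes a hub with one serial circuit per ISP; interface names, addresses (documentation ranges), object names and the bracketed keys are constructed placeholders.

```cisco
! Constructed example: one IKE policy, transform set and IPsec profile
! shared by both DMVPN clouds. All names, addresses and keys are placeholders.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! Wildcard peer address because spoke addresses are not known in advance
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Serial0/0
 description Circuit to ISP A (assumed)
 ip address 198.51.100.2 255.255.255.252
!
interface Serial0/1
 description Circuit to ISP B (assumed)
 ip address 203.0.113.2 255.255.255.252
!
! Cloud 1: tied to ISP A, own NHRP network and tunnel subnet
interface Tunnel0
 ip address 10.255.1.1 255.255.255.0
 ip nhrp authentication <NHRPKY1>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Cloud 2: tied to ISP B, same crypto profile, separate NHRP network
interface Tunnel1
 ip address 10.255.2.1 255.255.255.0
 ip nhrp authentication <NHRPKY2>
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source Serial0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF
```

Preference between the two clouds is then set by the routing protocol running inside the tunnels, which is not shown here. If both tunnels used the same source interface instead (for example one loopback), IOS requires the `shared` keyword on each `tunnel protection ipsec profile` line.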

Giuseppe Larosa
Hall of Fame

Hello Dave,

As Paolo noted, you need to use a loopback as your "outgoing interface"; this may require a trick:

remote tunnel endpoints' IP addresses have to be seen as routed via the loopback interface.

Hope to help

Giuseppe

Not sure what you mean, but when using loopback interfaces it doesn't matter what is routed via what else, as long as there is complete connectivity everything works.

Eg this is the case when you have backup links, topology and wan interface can change, but the dmvpn is never down due to that.

Hello Paolo,

I was not able to use loopback interfaces with DMVPN in my first tests some years ago.

But it was working well using the physical interface to the core.

I saw some configurations from Victor Lama in another thread and if I'm not wrong the trick was similar to what I've described.

Of course now can be different with recent IOS versions.

I thought it could be useful to mention this.

Hope to help

Giuseppe

Ah never mind, you may have met some subtle problem at the time.

DMVPN is fine with loopback, as I said we use that for backup scenarios instead of a second tunnel.
