Goal: Create a Dual DMVPN cloud using two hub routers for redundancy utilizing NHRP on the Spokes to resolve your standard DSL DHCP derived address.
No problems there, it's fairly well documented, but what if your DSL goes down, and you don't want that LD bill as your Spoke dials long distance back home....
Solution: Create two more DMVPN tunnels on your Hub routers for a total of 4 separate DMVPN clouds. Two used as primary and backup via Ethernet1 on your spokes to provide hub redundancy, and two used as primary and backup via your Async1 interface.
Hub1 goes down, your Spokes fail to Hub2. Hub2 goes down, Spokes fail over to Hub1.
DSL goes down, your router uses dialer-watch (checking an EIGRP loopback address you're pushing from your Hub routers) to dial an ISP local to your Spoke, authenticates, and brings up Tunnels 3 & 4 with connections back to Hub1 and Hub2 (you suppress advertising the loopbacks via these tunnels), and when DSL comes back, EIGRP kicks in (now running on all 4 tunnels), overrides the Async-tunnel-derived routes due to cost, and your traffic swings back over to DSL.
Issue: How to route this?
So far, I have tried Hub1 terminating DSL tunnels, and Hub2 terminating Dialup tunnels. DHCP-installed default routes do so with an admin distance of 254. This can be overridden to 253, which makes it possible to install a floating static with an admin distance of 254 that comes up when the Async interface comes up. Problem is, once the Async interface is up, it will never fail back...and routing breaks to your DSL interface.
I've tried installing a static host route pointing to my Async interface for my Hub router's internet IP address, but for some reason IPsec seems to have issues with this. I figured if I deploy these things with static host routes for all my hubs, then on boot, the Spokes should always fire up the GRE/IPsec tunnel, at which point EIGRP will take care of the rest.
Thus far, I can get my Spoke to failover nicely if I use floating default, and unplug the DSL interface physically. When I use the static host route via Async 1, it takes about 5 minutes, then suddenly the tunnel comes up. Debugging the remote end shows me it literally doesn't receive any packets until that time, so I'm suspicious if it's the ISP that's not forwarding packets, or if I might be missing something on my Spoke router. (for reference, when I connect via dialup, it installs two /32 routes, one is my Async1 interface, and the other is the gateway)
Anyone else out there have any thoughts on this, or have deployed something similar?
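As an added illustration of the four-cloud design the post describes (this is example configuration written for this page, not the poster's own config), here is a spoke with the DSL-side DHCP default route lowered to AD 253, a floating default via the dialer at AD 254, dialer-watch on a hub loopback, two mGRE/NHRP clouds sourced from Ethernet1 and two sourced from Dialer1, plus the hub-side prefix list that keeps the watched loopback out of the dial clouds. All addresses (203.0.113.x hubs, 10.x.x.x tunnel subnets, 10.255.255.1 loopback, 192.168.10.0/24 spoke LAN), the dialer string, CHAP credentials and the name of the IPsec profile are placeholders I chose; the profile itself is assumed to already exist.

```ios
! Spoke configuration, added example; addresses, names and credentials are placeholders.
! crypto ipsec profile DMVPN (transport-mode, pre-shared key) is assumed to be defined.
!
! DSL side, DHCP-derived address. DHCP default route at AD 253, so the floating static
! via the dialer (AD 254) is installed only once the DHCP route is withdrawn.
interface Ethernet1
 ip address dhcp
 ip dhcp client default-router distance 253
!
! Dial backup. Dialer1 is the tunnel source of both backup clouds.
interface Async1
 no ip address
 encapsulation ppp
 async mode interactive
 dialer in-band
 dialer pool-member 1
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer string 5551212
 dialer idle-timeout 120
 dialer watch-group 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname SPOKE-USER
 ppp chap password 0 SPOKE-PASS
!
! Watched route: a /32 both hubs advertise over the DSL clouds only, so it disappears
! (and the spoke dials) only when both DSL tunnels have lost their EIGRP neighbours.
dialer watch-list 1 ip 10.255.255.1 255.255.255.255
! Tunnel traffic is not "interesting": the watched route alone keeps the line up, and the
! dialer hangs up at idle-timeout once the route is back via Tunnel1 or Tunnel2.
access-list 101 deny esp any any
access-list 101 deny gre any any
access-list 101 deny udp any any eq isakmp
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
ip route 0.0.0.0 0.0.0.0 Dialer1 254
!
! Clouds 1 and 2: DSL to Hub1 (203.0.113.1) and Hub2 (203.0.113.2); low delay, preferred.
interface Tunnel1
 ip address 10.1.1.10 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map 10.1.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.1.1.1
 delay 1000
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN shared
interface Tunnel2
 ip address 10.2.2.10 255.255.255.0
 ip nhrp network-id 2
 ip nhrp map 10.2.2.1 203.0.113.2
 ip nhrp map multicast 203.0.113.2
 ip nhrp nhs 10.2.2.1
 delay 1000
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN shared
! Clouds 3 and 4: dial to Hub1 and Hub2; high delay, so EIGRP prefers clouds 1 and 2.
interface Tunnel3
 ip address 10.3.3.10 255.255.255.0
 ip nhrp network-id 3
 ip nhrp map 10.3.3.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.3.3.1
 delay 100000
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 3
 tunnel protection ipsec profile DMVPN shared
interface Tunnel4
 ip address 10.4.4.10 255.255.255.0
 ip nhrp network-id 4
 ip nhrp map 10.4.4.1 203.0.113.2
 ip nhrp map multicast 203.0.113.2
 ip nhrp nhs 10.4.4.1
 delay 100000
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 4
 tunnel protection ipsec profile DMVPN shared
!
router eigrp 1
 network 10.0.0.0 0.255.255.255
 network 192.168.10.0 0.0.0.255
 no auto-summary
!
! Hub1 excerpt: advertise the watched /32 into the DSL cloud only (Tunnel3 is Hub1's
! dial-cloud interface). Hub2 mirrors this with 10.255.255.1 on its own Loopback0.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
ip prefix-list NO-WATCH seq 5 deny 10.255.255.1/32
ip prefix-list NO-WATCH seq 10 permit 0.0.0.0/0 le 32
router eigrp 1
 distribute-list prefix NO-WATCH out Tunnel3
```

Two design points worth noting. The same /32 is configured on both hubs so that a single hub failure leaves the watched route in the table via the surviving DSL cloud and does not trigger a dial; only losing both DSL tunnels does. And the floating default only takes over once the DHCP default route is actually withdrawn, i.e. when Ethernet1 goes down, which matches the post's observation that failover works when the DSL interface is physically unplugged; an upstream DSL failure that leaves Ethernet1 up keeps the AD 253 route in place.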