Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2249
Views
0
Helpful
1
Replies

DMVPN "Phase 3" - Design/Configuration Q`s

m-avramidis
Level 1
Level 1

‎03-15-2012 05:26 AM - edited ‎02-21-2020 05:57 PM

First of all, I know that (configuration example later in this document) we are not running a "pure" Phase 3 network! The reson for not being able to do so is bad EIGRP design. Therefore are the (on the hub router) "ip summary-address eigrp 1..." statement missing. I suggested that we introduced a new EIGRP process for sites that connects to the Phase 3 hub router, and running a redistribution of the 2 ASs on the hub router but then we have another issue: some of the sites are using the DMVPN as backup links in case their primary MPLS connection goes down and those sites are already running the EIGRP 1 process...

So, in order for me to able to use phase 3 (need the advantages that NHRP brings) I had to configure the hub router the way I did, here is the sample configuration from the hub router:

crypto isakmp policy 2
encryption aes 256
authentication pre-share
group 2
!
!
crypto iskamp key 0 XXXXXXXXXX address 0.0.0.0 0.0.0.0
!

!
crypto ipsec transform-set AES-SET esp-aes 256 esp-sha256-hmac
mode transport require
!

!
crypto ipsec profile AES-Profile
set transform-set AES-SET
set pfs group2
!

!
!
interface gig0/3
description *** PUBLIC INTERFACE NET-103 ***
ip address 199.XXX.XXX.2 255.255.255.252
speed 1000
duplex full
!

!
interface tunnel 15
description *** NET 10.90.65.0/24 ***
ip address 10.90.65.1 255.255.255.0
bandwidth 2000
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1360
ip pim sparse-dense-mode
ip nhrp map multicast dynamic
ip nhrp map multicast 199.XXX.XXX.2
ip nhrp nhs server 10.90.65.1
ip nhrp shortcut
ip nhrp authentication XXXXX
ip nhrp hold-time 600
ip nhrp network-id XXXXX
no ip eigrp split-horizon
delay 1000
qos pre-classify
tunnel source 199.XXX.XXX.2
tunnel mode gre multipoint
tunnel protection ipsec profile AES-Profile
!
!

!
router eigrp 1
eigrp router-id loopback80
network 10.78.0.0 0.0.255.255
network 10.90.65.0 0.0.0.255
eigrp log-neighbor-changes

distribute-list 90 in
no auto-summary < If I turned this off, like I should If I want to use the "ip summary-address.." then I ended up created a routing loop for all sites that had 2 links to the head office...
!

!

access-list 90 permit "lan network of site with dual links to the head office" 200

...

!

ip route "public ip address of remote site" 255.255.255.255 199.XXX.XXX.1

!

On each site I have configured a static route pointing to the hub router:

!

ip route 0.0.0.0 0.0.0.0 10.90.65.1

ip route 199.XXX.XXX.2 255.255.255.255 "next-hop public ip address for the router"

!

!

eigrp 1

eigrp router-id loopback80

network "local lan network" 0.0.0.0.255

network 10.90.65.0 0.0.0.0 255 (the phase 3 tunnel network, without this EIGRP will not work...)

network 10.80.1.5 0.0.0.0 (loopback)

eigrp stub connected static

no auto-summary

!

Let me first say that our setup is working very well, the users are very pleased with the performance improvements moving over to the "phase 3" DMVPN from their old mix of phase 1 and 2 DMVPNs. But I know that it would run even better if I could enforce the "ip summary.." statement...

But now a colleuge have stated that we should use route-maps instead of the null route and have initiated a very heated debate about this. Maybe I am a bit stupid but I can really not see the added benefit of using route-maps.

So my question to you is:

1. Since that re-designing the main EIGRP AS is not an option should I then focus on changing the routing for the few number of sites that has dual links to the head-office? Those sites are small to medium sized (20-500 users), and frankly a static route is enough.

2. The added benefit of using route-maps.

I can if needed upload a network design drawing, let me know if you need any more information! Thanks!

Labels:
0 Helpful
1 Reply 1

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎03-16-2012 05:29 AM

I don't comprehand the full extent of setup so let me focus on the questions, or underlying concerns as I view them.

ip summary-address is used to surpress smaller prefixes and aggregate them to a bigger one.

It's an efficency mechanism, limiting flooding and querry/update messages.

In most scenarios it will introduce a null0 route for loop avoidance.

I would advise against route-map based routing. Making exception for certain sites will always bring problems when it comes to troubleshooting should something occur.

BGP is a protocol you should use for deployments where you want best control over your routing protocol.

And of course you get added scalability factor.

Using static routes makes for a neat design, you can also use it as an efficency, there are several designs which use this, RIP passive and  (I think) EIGRP passive will use it.

Regardless, this is a big topic and with quite a lot of things to consider. Can I suggest bringing it up next time you talk to your SE?

It looks like something that could use a 30 minutes discussion with a bucket of coffee.

M.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents