First of all, I know that (configuration example later in this document) we are not running a "pure" Phase 3 network! The reason for not being able to do so is bad EIGRP design. Therefore the "ip summary-address eigrp 1..." statements are missing on the hub router. I suggested that we introduce a new EIGRP process for sites that connect to the Phase 3 hub router, and run a redistribution of the 2 ASs on the hub router, but then we have another issue: some of the sites are using the DMVPN as backup links in case their primary MPLS connection goes down, and those sites are already running the EIGRP 1 process...
So, in order for me to be able to use Phase 3 (I need the advantages that NHRP brings) I had to configure the hub router the way I did. Here is the sample configuration from the hub router:
!
crypto ipsec profile AES-Profile
 set transform-set AES-SET
 set pfs group2
!
!
interface gig0/3
 description *** PUBLIC INTERFACE NET-103 ***
 ip address 199.XXX.XXX.2 255.255.255.252
 speed 1000
 duplex full
!
!
interface tunnel 15
 description *** NET 10.90.65.0/24 ***
 ip address 10.90.65.1 255.255.255.0
 bandwidth 2000
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip pim sparse-dense-mode
 ip nhrp map multicast dynamic
 ip nhrp map multicast 199.XXX.XXX.2
 ip nhrp nhs server 10.90.65.1
 ip nhrp shortcut
 ip nhrp authentication XXXXX
 ip nhrp hold-time 600
 ip nhrp network-id XXXXX
 no ip eigrp split-horizon
 delay 1000
 qos pre-classify
 tunnel source 199.XXX.XXX.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile AES-Profile
!
!
distribute-list 90 in
no auto-summary   <-- If I turned this off, like I should if I want to use the "ip summary-address..", then I ended up creating a routing loop for all sites that had 2 links to the head office...
!
access-list 90 permit "lan network of site with dual links to the head office" 200
ip route "public ip address of remote site" 255.255.255.255 199.XXX.XXX.1
On each site I have configured a static route pointing to the hub router:
ip route 0.0.0.0 0.0.0.0 10.90.65.1
ip route 199.XXX.XXX.2 255.255.255.255 "next-hop public ip address for the router"
eigrp router-id loopback80
network "local lan network" 0.0.0.255
network 10.90.65.0 0.0.0.255 (the phase 3 tunnel network, without this EIGRP will not work...)
network 10.80.1.5 0.0.0.0 (loopback)
eigrp stub connected static
Let me first say that our setup is working very well, the users are very pleased with the performance improvements moving over to the "phase 3" DMVPN from their old mix of phase 1 and 2 DMVPNs. But I know that it would run even better if I could enforce the "ip summary.." statement...
But now a colleague has stated that we should use route-maps instead of the null route and has initiated a very heated debate about this. Maybe I am a bit stupid, but I really cannot see the added benefit of using route-maps.
So my question to you is:
1. Since re-designing the main EIGRP AS is not an option, should I then focus on changing the routing for the small number of sites that have dual links to the head office? Those sites are small to medium sized (20-500 users), and frankly a static route is enough.
2. The added benefit of using route-maps.
I can if needed upload a network design drawing, let me know if you need any more information! Thanks!