Cisco Support Community
New Member

Migrate DMVPN to mGRE

We have recently moved encryption to the Application Layer of our network; this was a business requirement for other reasons. But from the network department we see this as an opportunity to increase the scalability and longevity of our routers.

We are currently running a DMVPN network with approximately 800 spoke nodes, the majority being c871s. We would like to migrate the DMVPN to plain old mGRE, as the encryption is no longer a requirement of the Network Layer. This however doesn't seem like an easy task. I am trying to investigate the different options available to me to complete this migration. For some reason I thought there was a way to make the encryption in DMVPN optional, such that I could make the hubs optional then migrate the spokes, however this is contingent on encryption being optional. If not, the only way I can see accomplishing this is creating a new NHRP hub and migrating the spokes to this new hub one by one.

I'm all ears if someone could validate the "optional" option, or if there is a third or fourth option.

Thanks,

Ryan

4 REPLIES

Re: Migrate DMVPN to mGRE

New Member

Re: Migrate DMVPN to mGRE

This actually wouldn't help. The goal is to eliminate the encryption overhead. I still require the tunneling, just the encryption I can do without.

Thanks,

Ryan

Re: Migrate DMVPN to mGRE

So, you need the tunneling but not the encryption at L3.
In a DMVPN environment, normally IPsec provides the encryption while GRE provides the tunneling.

This is why you're considering plain-old GRE tunnels (without encryption).


Now, the main purpose of IPsec is encryption. You can disable encryption for phase 2 on the transform set,
but you can't have a policy for phase 1 for IPsec without encryption (you need to choose between DES, 3DES or AES)

If your final goal is to remove encryption at the network layer and leave only the tunnel, I see only the GRE option
(unfortunately this option is manual and not very flexible).
The problem here is that if we involve IPsec, it means encryption at L3 (at least for phase 1).

Federico.

Cisco Employee

Re: Migrate DMVPN to mGRE

Hi,

If you are not interested in Federico's option based on the esp-null option in the transform-set, you can create another mGRE tunnel on the hub with a new IP addressing plan and then migrate your spokes to this new cloud. It will be very smooth assuming you are already using an IGP in your encrypted tunnels.

HTH

Laurent.
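
The parallel-cloud migration described in the reply above, sketched as IOS configuration. This is an added example, not configuration posted in the thread: interface names, addresses (documentation ranges), network-id and tunnel key values, the IPsec profile name, the NHRP authentication string and the choice of EIGRP as the IGP are all assumptions.

```cisco
! ---- Hub: existing encrypted DMVPN cloud (left in place during migration) ----
interface Tunnel0
 ip address 10.0.0.1 255.255.252.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF   ! hypothetical profile name
!
! ---- Hub: new plain mGRE cloud, new addressing plan, no tunnel protection ----
! A distinct tunnel key lets both mGRE interfaces share one source address.
! Where the platform cannot share a source this way, give Tunnel1 its own
! source address (for example a loopback) instead.
interface Tunnel1
 ip address 10.1.0.1 255.255.252.0
 ip nhrp authentication PLCHLDR               ! placeholder; sent in clear text
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 no ip split-horizon eigrp 1                  ! assumes EIGRP AS 1 is the IGP
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 200
!
router eigrp 1
 network 10.1.0.0 0.0.3.255                   ! add the new cloud to the IGP
!
! ---- Spoke (c871): add Tunnel1 alongside the existing encrypted Tunnel0 ----
interface Tunnel1
 ip address 10.1.0.11 255.255.252.0
 ip nhrp authentication PLCHLDR
 ip nhrp map 10.1.0.1 192.0.2.1               ! 192.0.2.1 = hub public address
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.1.0.1
 ip nhrp network-id 200
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 200
!
router eigrp 1
 network 10.1.0.0 0.0.3.255
!
! Per-spoke cutover check, before shutting the spoke's Tunnel0:
!   show ip nhrp            (spoke registered on the 10.1.0.0/22 cloud)
!   show ip eigrp neighbors (adjacency up over Tunnel1)
```

With `tunnel protection` gone, NHRP registrations on the new cloud are no longer gated by an IKE-authenticated peer, so the hub accepts GRE and NHRP from any source that can reach it; an inbound ACL on the hub's tunnel source interface limiting GRE to known spoke addresses, where those are static, restores some of that control.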
