Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
Silver

DMVPN, redundant hub routers, design questions

Hi,

I am planning on making our small offic vpn solution more redundant by adding a second hub router to our DMVPN solution. There are about 100 spoke routers, and there will be 2 hub routers, both located in one of our datacenters.

I have some questions around the detailed config for this (we will use EIGRP routing protocol).

Most important question is weither or not to use ISAKMP profiles with the crypto keyring commands for the pre-shared keys, or just choosing different tunnel-id, different subnet and tunnel key for each tunnel (each spoke will have two tunnel configs ofcourse).

What are the pros and cons of crypto keyring, when to use it?

Second question is about EIGRP over DMVPN (in case of two hub routers). What is the best way to force trafic to prefer one hub router as the main path?

Thanks in advance,

Leo

2 REPLIES

Re: DMVPN, redundant hub routers, design questions

hi

i would suggest not to use tunnel keys

we have experienced that not all equiptment will do gre in hardware if you use tunnel keys.

second you might want use a pki, you can host this also on ios hardware.

you might want to have a look at the ECT Design: http://www.cisco.com/en/US/products/ps6808/products_ios_protocol_option_home.html

might help with you problem.

hth

patrick

Silver

Re: DMVPN, redundant hub routers, design questions

no tunnel key with GRE????

ehm, that would not adhere to the DMVPN solution. Or do you mean the preshared keys for IPSec? In that I agree it would be better to have PKI but since there is only 100 spokes at this point this is not considered an issue for now.

What I need to know s when is it needed to use crypto keyring for DMVPN solution. Anybody who can shine a light there?

Thanks in advance,

Leo

303
Views
0
Helpful
2
Replies
CreatePlease to create content