Cisco Support Community
Community Member

Redundant DMVPN with Dual ISP Hub and Spokes

Hi All,

I have been searching for a solution to this question for quite a while and I have not found what I need just yet. I have configured a dual cloud DMVPN that utilizes dual ISP connections at the hub and the spoke sites and it works fine, but the problem is one that I don't seem to see anyone talking about. With the dual cloud, when one link in any location fails and that site fails over to the backup DMVPN side, every site fails over to the backup side. I have this set up and tested, and no matter what site goes down (hub or spoke), every site fails over to the backup ISP side. This is not a great solution because most backup links are not bandwidth heavy enough to run like this when their primary links are still functioning. Every forum and design guide that I have read does not discuss this matter or say if there is a way to make each site's tunnel interfaces redundant to all other sites' tunnel interfaces.

For instance, if Fe0/0 is primary hub and Fe0/1 is secondary hub, and these are tunnel interfaces 0 and 1 respectively, and at the spoke site the design is the same (Fe0/0 primary, Fe0/1 secondary, tunnels 0 and 1 respectively), is there any way to have only the failing site's tunnel fail over and talk to the primary of the hub? So if the spoke primary interface goes down, which means tunnel 0 goes down on the spoke, is there any way to make the secondary interface/tunnel communicate with the primary interface/tunnel of the hub? In simplest terms, I don't want all of my sites to fail over because one spoke site primary goes down; the hub secondary does not have enough bandwidth to run all of the spokes steadily, and if the primary at the hub is still up this becomes more frustrating.

If anyone has any ideas I would be very appreciative.

Thanks everyone,



Cisco Employee

Brandon,



Too many "IFs" to reply properly to your question. 

May I suggest discussing this with your sales rep (if you have a trusted one).


We'd need to have a look at your configs and topology to suggest something. 

There are multiple ways to implement similar setups including VRF-lite approach, multiple NHRP entries on spokes, BGP and advertising a loopback instead of sourcing from FAs.

Forum is hardly suitable to have a discussion like this properly. 


Also - have a look at FlexVPN... DM is OK, but Flex is better :-D


