We are having 15 sites connected to each other via MPLS using BGP.
We are planning to run DMVPN over the WAN.Can we use EIGRP in the tunnel as we know Eigrp is having an administartive distance of 90 & BGP 20.We won't be able to see eigrp routes in the routing table.
when you use DMVPN you need to separate the routing protocols actions and scopes:
you need a network infrastructure that has to be used to allow for the DMVPN to be setup in your case is an MPLS L3 VPN and you use eBGP as CE-PE protocol.
Then comes the DMVPN that can use EIGRP.
In order to work well and avoid recursion issues and so on:
eBGP will advertise the ip addresses that are used as IPSec endpoints.
NHRP will build a virtual flat backbone for EIGRP in multipoint GRE that travel inside IPSec.
In the EIGRP protocol you need to advertise the LAN subnets of every site that you want to protect.
Of course these "inside" IP subnets have to advertised only by EIGRP inside mGRE and not by the BGP.
You may need a route filter on the eBGP session or a change in your network statements to achieve this.
Another requirement is that the external ip addresses have to be not advertised by EIGRP.
I was able to use this setup but this separation of duties among BGP (infrastructure only ) and EIGRP (inside only) is needed
Hope to help
Not sure if you are still watching this but I have the exact same situation and was hoping to possibly get an example of some sort.
Say for example:
10.1.1.0/30 is my PE/CE Link
10.2.1.0/24 is LAN
10.3.1.0/24 is my DMVPN Tunnel Subnet
10.4.1.0/29 is my Subnet on my Outside Interface (I am not behind an ASA or other FW)
What networks would I have on my BGP configuration and which on my EIGRP? would there be any redistribution?
in simple words you need to avoid recursion or the tunnel will flap.
network 10.1.1.0/30 should be advertised on BGP.
EIGRP should have network specific commands including mask for
virtual flat subnet on DMVPN 10.3.1.0
if other subnets have to communicate out of DMVPN example 10.4.1.0 they must not be advertised over the tunnel by EIGRP.
Hope to help
Ok that makes sense and that's where I was going with the information from your older post, what about redistribution? Do i need to redistribute back and forth?
Thanks so much, very appreciated!
thanks for your kind remarks
redistributing should be not needed and it should be considered carefully because it can lead to routing problems.
Being DMVPN routing based there is no extended ACL to defined traffic to be encrypted like in a standard point to point IPSec tunnel.
protected communications have to be decided on per IP subnet basis.
you cannot discriminate on a per protocol basis and you need to keep separated external routing and internal (DMVPN) routing so I don't see a need for redistribution.
Or your DMVPN is to be used for backup purposes ?
Hope to help
My DMVPN is for backup purposes. the primary connections are t-1s into the MPLS network.
Does this change things?
yes if DMVPN is used as a backup link there may be a need for redistribution.
I suppose primary paths are MPLS links where you receive an MPLS L3 VPN.
I also suppose your are using eBGP as PE-CE protocol on these links.
eBGP has AD 20 better then EIGRP routes (when no EIGRP summary routes are configured locally).
It is important to know if DMVPN tunnels are terminated in head quarters on a different router.
Also it is important to know what IGP is used on head quarters and what, if any, on each remote site.
If it is EIGRP and the same EIGRP process used on DMVPN this may require some care
AD and route length can be used to prefer primary paths.
More specific routes are used first regardless of AD, if two routes have the same prefix length AD plays a role.
Hope to help
You are correct. Primary is MPLS links and eBGP on PE/CE.
DMVPN is being terminated on a router that is also an MPLS Endpoint
Previously the whole network was statically routed so there were no IGPs running anywhere. The BGP is just now being implemented for the DMVPN install. The remote sites are small and only have 1 subnet so there was no need to run a routing protocol anywhere before.
I have attached a PDF that gives you an idea (hopefully) of what I had and where I am trying to go.
Thanks you again for all of your assistance!
>> DMVPN is being terminated on a router that is also an MPLS Endpoint
but it is the only node on central site or there is another node in central site?
I've given a look at the network diagram but it is not possible to understand the central site structure
I think you should be fine, in case of doubt if your address plan allows it have EIGRP to use ip summary-address to advertise less specific routes.
Hope to help
I am also working on a design to run DMVPN with EIGRP over MPLS/BGP network. In our scenario, the primary link is from another ISP running OSPF currently. Can i run EIGRP on primary link and still run EIGRP on DMVPN to keep consistency in routing protocols and maintain simplicity of design? i am concerned about how failover will work etc. let me know your thoughts. Do you feel running OSPF on primary link will make it easier?
Have a look at the bellow link for deisgn consideration where you have dmvpn as abs Kip to the mpls wan
In your case only difference is that you do not have bgp same concepts still apply
Hope this help
If helpful rate