- Encryption
- Routers
- Cisco
- Switches / Hubs
- VPN
- Networking Hardware-Other
- Networking Protocols
- Internet Protocol Security
- Network Analysis
- Networking
Route Influencing EIGRP over DMVPN
I have DMVPN with two hubs and an EIGRP relationship to a firewall (as well as to the spokes.)
The problem I am running into is that all of the DMVPN traffic is trying to egress Via one of the two VPN hubs - HUB 1 - it's at capacity for passing encrypted traffic.
SPOKE----HUB 1----FW
SPOKE----HUB 2----FW
HUB1 is assigning a metric to the routes it learns from the spokes which is preferable to HUB2.
So that's why the FW is sending all the traffic to HUB1.
HUB1
redistribute eigrp 300 metric 100000 0 255 1 1500 route-map EIGRP300-TO-EIGRP100
HUB2
redistribute eigrp 300 metric 100000 10 255 1 1500 route-map EIGRP300-TO-EIGRP100
The firewall and the HUB DMVPN routers speak via EIGRP100. Hub to spokes via 300.
What I want to do is for the firewall to prefer one hub for half of the sites roughly. I could put in some static routes as a quick fix out of the traffic jam. I could remove HUB 1 from half of the spokes and that would make the HUB 2 the best path for half of the spokes. But surely there's a more elegant approach using route maps.
Something to the effect of..
If you match ACL SAVE-MY-DMVPN, you have a better metric than HUB 1. Otherwise you keep the same metric you have now and let HUB 1 keep doing its thing.
???
spiker.png
The problem I am running into is that all of the DMVPN traffic is trying to egress Via one of the two VPN hubs - HUB 1 - it's at capacity for passing encrypted traffic.
SPOKE----HUB 1----FW
SPOKE----HUB 2----FW
HUB1 is assigning a metric to the routes it learns from the spokes which is preferable to HUB2.
So that's why the FW is sending all the traffic to HUB1.
HUB1
redistribute eigrp 300 metric 100000 0 255 1 1500 route-map EIGRP300-TO-EIGRP100
HUB2
redistribute eigrp 300 metric 100000 10 255 1 1500 route-map EIGRP300-TO-EIGRP100
The firewall and the HUB DMVPN routers speak via EIGRP100. Hub to spokes via 300.
What I want to do is for the firewall to prefer one hub for half of the sites roughly. I could put in some static routes as a quick fix out of the traffic jam. I could remove HUB 1 from half of the spokes and that would make the HUB 2 the best path for half of the spokes. But surely there's a more elegant approach using route maps.
Something to the effect of..
If you match ACL SAVE-MY-DMVPN, you have a better metric than HUB 1. Otherwise you keep the same metric you have now and let HUB 1 keep doing its thing.
???
spiker.png
Why are you using a higher delay in the seed metric for HUB2's redistribution. That alone would make them prefer HUB1. Have you tried using the same seed metric and do equal cost load balancing?
I only identified the issue late last night and it impacts dozens of spokes. I inherited the DMVPN and need to be sure I don't make it worse with an unintended consequence. But that makes a lot of sense. The path to the Internet for example from the FW is ECLB.
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
On Cisco Nexus 9508 What is the Maximum VPN Throuhput? -
![]()
wrote an Article
![]()
IPsec VPN Configuration On Cisco IOS XE - Part 7 - Single Tier Dynamic Multipoint VPN (DMVPN) Cloud
-
![]()
created a Video
![]()
Setup Mikrotik routers with OSPF… Part 1
-
Explore Cloud Class® ![]()
Practical Implementation of Route Redistribution between Networks
Premium Content
You need an Expert Office subscription to comment.Start Free Trial