amigan_99 asked:

Route Influencing EIGRP over DMVPN

I have DMVPN with two hubs and an EIGRP relationship to a firewall (as well as to the spokes).
The problem I am running into is that all of the DMVPN traffic is trying to egress via one of the two VPN hubs - HUB 1 - it's at capacity for passing encrypted traffic.

SPOKE----HUB 1----FW
SPOKE----HUB 2----FW

HUB1 is assigning a metric to the routes it learns from the spokes which is preferable to HUB2.
So that's why the FW is sending all the traffic to HUB1.

HUB1
 redistribute eigrp 300 metric 100000 0 255 1 1500 route-map EIGRP300-TO-EIGRP100

HUB2
 redistribute eigrp 300 metric 100000 10 255 1 1500 route-map EIGRP300-TO-EIGRP100

The firewall and the HUB DMVPN routers speak via EIGRP100. Hub to spokes via 300.

What I want to do is for the firewall to prefer one hub for half of the sites roughly. I could put in some static routes as a quick fix out of the traffic jam. I could remove HUB 1 from half of the spokes and that would make the HUB 2 the best path for half of the spokes. But surely there's a more elegant approach using route maps.

Something to the effect of..

If you match ACL SAVE-MY-DMVPN, you have a better metric than HUB 1. Otherwise you keep the same metric you have now and let HUB 1 keep doing its thing.

???

Last Comment: Soulja, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Soulja

amigan_99

ASKER

I only identified the issue late last night and it impacts dozens of spokes. I inherited the DMVPN and need to be sure I don't make it worse with an unintended consequence. But that makes a lot of sense. The path to the Internet for example from the FW is ECLB. 

Soulja

Yeah, with the config above the firewalls would view a better metric going through HUB 1 for traffic heading into the DMVPN.

Soulja

With the same seed metric it should install both routes into the routing table and not just use hub 2 as a feasible successor.
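
The path selection discussed in this thread, worked through as an added example (not code from any poster): it applies the classic EIGRP composite metric with default K values to the two seed metrics quoted in the question and shows which hub the firewall would pick per prefix. The firewall link values, the sample prefixes standing in for ACL SAVE-MY-DMVPN, and the `(200000, 0)` override seed are constructed assumptions.

```python
# Added illustration, not code from the thread.
# Classic EIGRP composite metric with default K values (K1=K3=1):
#   metric = 256 * (10^7 / min_bandwidth_kbps + total_delay_in_tens_of_usec)

# Seed metrics (bandwidth kbps, delay in tens of usec) from the two
# "redistribute eigrp 300 metric ..." lines quoted in the question.
SEEDS = {"HUB1": (100000, 0), "HUB2": (100000, 10)}

# Assumption: both hub-to-firewall links are identical (constructed values).
FW_LINK = (1000000, 1)

# Constructed stand-in for the prefixes ACL SAVE-MY-DMVPN would permit.
SAVE_MY_DMVPN = {"10.20.1.0/24", "10.20.2.0/24"}


def composite(bw_kbps, delay):
    return 256 * (10**7 // bw_kbps + delay)


def fw_metric(seed, link=FW_LINK):
    """Metric the firewall computes: lowest bandwidth on the path, summed delay."""
    return composite(min(seed[0], link[0]), seed[1] + link[1])


def fw_next_hops(prefix, seeds=SEEDS, overrides=None):
    """Return (best hubs, per-hub metric) for one spoke prefix.

    overrides maps hub -> (prefix set, seed): a model of a route-map clause
    that matches an ACL and sets a different seed metric on that hub.
    """
    metrics = {}
    for hub, seed in seeds.items():
        acl, alt_seed = (overrides or {}).get(hub, (set(), seed))
        metrics[hub] = fw_metric(alt_seed if prefix in acl else seed)
    best = min(metrics.values())
    # Equal metrics mean both routes are installed (equal-cost load balancing).
    return sorted(h for h, m in metrics.items() if m == best), metrics


if __name__ == "__main__":
    split = {"HUB2": (SAVE_MY_DMVPN, (200000, 0))}  # constructed better seed
    equal = {"HUB1": (100000, 0), "HUB2": (100000, 0)}
    print(fw_next_hops("10.20.1.0/24"))                    # as configured
    print(fw_next_hops("10.20.1.0/24", seeds=equal))       # same seed on both
    print(fw_next_hops("10.20.1.0/24", overrides=split))   # ACL match
    print(fw_next_hops("10.30.1.0/24", overrides=split))   # no ACL match
```
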
