I've done some testing with specifying DMVPN hubs (NHRP servers, really) using their DNS name, rather than IP address.
This matters to me because of some goofy environments where spoke routers can't predict what network they'll be on (possibly something other than internet), and where I can't leverage multiple hubs per tunnel due to a control plane scaling issue.
The DNS-based configuration includes the following:
interface Tunnel1
ip nhrp nhs dynamic nbma dmvpn-pool.fragmentationneeded.net
There's no longer a requirement for any ip nhrp map or ip nhrp nhs x.x.x.x configuration when using this new capability.
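To make the difference concrete, here is a spoke tunnel interface written both ways: the classic static NHS mapping and the DNS-based form from above. This is an added example, not config from the original post; the tunnel and NBMA addresses (10.0.0.0/24, 203.0.113.1), the IPsec profile name, the NHRP key and the tunnel source interface are all assumed placeholders.

```cisco
! --- Classic spoke: hub NBMA address hard-coded (assumed placeholder 203.0.113.1) ---
interface Tunnel1
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication EXAMPLE-KEY
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROFILE

! --- DNS-based spoke: the three map/nhs lines above collapse into one ---
! The hub's tunnel address is learned from the NHRP registration reply,
! so no static map to 10.0.0.1 is needed; "multicast" replaces the
! "ip nhrp map multicast" line so routing-protocol multicast still reaches the hub.
interface Tunnel1
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication EXAMPLE-KEY
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma dmvpn-pool.fragmentationneeded.net multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROFILE
```

Keep in mind the behaviour described below when planning failover with this form: a spoke that has registered successfully sticks with the address it resolved, so editing the A records moves only spokes that are still trying to connect.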
My testing included some tunnels with very short ISAKMP and IPSec re-key intervals. I found that the routers performed the DNS resolution just once. They didn't go back to DNS again for as long as the hub was reachable.
Spoke routers which failed to establish a secure connection for whatever reason would re-resolve the hub address each time the DNS response expired its TTL. But once they succeeded in connecting, I observed no further DNS traffic for as long as the tunnel survived.
The record I published (dmvpn-pool.fragmentationneeded.net above) includes multiple A records. The DNS server randomizes the record