DMVPN - Using the GRE tunnel key

When configuring a DMVPN topology that uses dual hub dual cloud, it is always best practice to use the tunnel key feature to identify the GRE tunnels being used.

Take a look at the following DMVPN dual hub dual cloud topology:


Because of the use of unique IP addressing of tunnel interfaces, the fact that different interfaces are used at the spokes for connection to each hub, and because each hub has only a single tunnel, the tunnel key is not strictly needed for nominal operations. However, it is always best practice to use the tunnel key in such a topology, because the topology does not always operate under “normal operation”. Even in a dual hub, dual cloud scenario, tunnel keys can still play an important role, depending on the network design and the requirements. Having the tunnel key will aid in the following areas:

  1. Scalability - As your network grows, you may add more hubs and spokes, and this time add them by terminating the tunnels on the same interface, thus necessitating the use of the tunnel key.
  2. Traffic engineering - The tunnel key can also be used as a parameter to route different types of traffic via different tunnels. You can also use the tunnel keys to enforce specific routing policies.
  3. Troubleshooting, traffic monitoring, and ease of configuration - Having tunnel keys will help to monitor and troubleshoot traffic, and they can also be used as “labels” to help you keep track of the tunnels that you create, especially in more complex scenarios.

It is best practice to use the tunnel keys simply because they will typically be needed as your network grows, and/or in situations where a particular part of the network may fail, and redundancy kicks in.