The PfR EIGRP mGRE DMVPN Hub-and-Spoke Support feature introduces PfR route control for EIGRP. When enabled, a parent route check is performed in the EIGRP database for controlling PfR prefixes and routes in addition to the existing BGP and static route databases.

PfR can only optimize paths for prefixes, which have an exact matching route or a less specific route (also called as parent route) in the routing protocols. The route being controlled by PfR can be an exact match of the parent route or can be a more specific one. For example, if PfR wants to control 10.1.1.0/24 but the EIGRP routing table has only 10.1.0.0/16 then the parent route is 10.1.0.0/16 and PfR will inject 10.1.1.0/24 in the EIGRP routing table.

If an exact matching parent route in the EIGRP routing table is found, PfR will attempt to install a route on an exit selected by the master controller by influencing the metric. If an exact match parent is not found, then PfR introduces a new route in the EIGRP table that matches the attributes of the parent. If the route installation in the EIGRP table is successful, PfR saves the EIGRP parent and registers for any updates to the parent route. If the parent route is removed, PfR will uncontrol any routes it has installed in the EIGRP table based on this parent route.

PfR monitors traffic performance for prefixes it is controlling either passively using NetFlow or actively using IP SLA probes. Performance statistics such as delay, loss, and reachability are gathered and compared against a set of policies configured for the prefixes. If the traffic performance does not conform to the policies, the prefix is said to be out-of-policy (OOP). PfR tries to find an alternate path when the prefix goes into the OOP state.

While both BGP and static route control are enabled by default, EIGRP route control must be configured. PfR always attempts to control a prefix using BGP first. If BGP route control fails, static route control is tried. When EIGRP route control is enabled, PfR will attempt to control a prefix using BGP first. If no parent route is found, PfR will try to use EIGRP route control. If EIGRP route controls fails, static route control is tried.

To find an alternate path for a prefix, PfR tries to send active probes from all the external interfaces on the border routers to a set of hosts in the destination prefix network. Before an active probe can be sent on an external interface, a parent route lookup is performed in routing protocol tables. When the PfR EIGRP mGRE DMVPN Hub-and-Spoke Support feature is enabled, PfR checks EIGRP routing tables, in addition to BGP and static routing tables, for a parent route, before sending active probes on external interfaces. Active probes are initiated on all the external interfaces that have a parent route in the EIGRP routing table. When the probe activity completes and the timer expires, statistics are sent from the border router to the master controller for policy decision and selection of an optimal exit.

When an exit is selected, a control prefix command is sent to the border router with the selected exit, specifying EIGRP as the protocol to install or modify the route. When the border router receives the command, it checks the EIGRP table to find a parent route. If a parent route is found, PfR will install or modify the route in the EIGRP table and will notify the master controller about the route control status.

If an EIGRP route is successfully installed and advertised into the domain, PfR continues to monitor traffic performance for this prefix and takes further action as mentioned above if the prefix goes OOP.

For more details about the PfR control mode and details about other PfR exit link selection control techniques including BGP, static routes, policy-based routing, and Protocol Independent Route Optimization (PIRO), see the Understanding Performance Routing module and the Performance Routing - Protocol Independent Route Optimization (PIRO) module.

Performance Routing is supported on mGRE interfaces in Dynamic Multipoint VPN (DMVPN) topologies. DMVPN enables zero-touch deployment of IPsec encrypted VPN networks. Many DMVPN deployments use EIGRP networks, and support was added to PfR to allow DMVPN network deployments to use EIGRP route control within the DMVPN network. In the PfR EIGRP route control implementation, only hub-to-spoke network designs are supported.

In DMVPN topologies the mGRE interface works as a one-to-many interface and allows the dynamic creation of tunnels for each connected branch.

The figure below shows a typical dual DMVPN topology. The head office (R2) has one hub (hub1) that connects to the remote site spokes using one of the DMVPN networks (DMVPN 1 or DMVPN 2) or the MPLS-GETVPN network.

Remote site 1 (RS1) has spokes 1 and 2 that connect to the hub using the DMVPN1 and DMVPN2 networks. Remote site 2 (RS2) has spoke 3 and connects to the hub using DMVPN1 network only. This means that there is no redundancy at RS2 and any performance optimization is performed between the hub and RS2 only. Remote site 3 (RS3) has spoke 3 that connects to the hub using the DMVPN2 network and the MPLS-GETVPN network.

Figure 1. PfR Dual DMVPN Topology

When PfR is configured on the network, the system can perform these functions:

• Control and measure the performance of PfR traffic-classes on mGRE interfaces.
• Support load balancing for traffic over multipoint interfaces that are configured as PfR external interfaces. For example, in topologies with two DMVPN clouds PfR can be configured to load balance the traffic across the two tunnel interfaces to ensure that network performance is maintained.
• Reroute traffic from or to a multipoint interface for better performance. For example, PfR policies can be configured to select the best path to a spoke and the best path from the spoke to the hub.
• Provide a back-up connection if the primary connection fails. For example, in a topology with one MPLS-GETVPN and one DMVPN connection, the MPLS-GETVPN could act as a primary connection and PfR could be configured to use the DMVPN connection if the primary connection fails.

The DMVPN topology leverages protocols like multipoint GRE (mGRE) for hub-to-spoke functionality, and for spoke-to-spoke functionality it utilizes the Next Hop Resolution Protocol (NHRP). For more details about configuring mGRE DMVPN networks, see the "Dynamic Multipoint VPN" module in the Cisco IOS Security Configuration Guide: Secure Connectivity. For general information about DMVPN, go to http:/​/​www.cisco.com/​go/​dmvpn.

1.    enable


2.    configure terminal


3.    pfr master


4.    mode route control


5.    mode route metric eigrp tag community


6.    end

Router> enable

Router# configure terminal

Router(config)# pfr master 

Router(config-pfr-mc)# mode route control

Router(config-pfr-mc)# mode route metric eigrp tag 7000

Router(config-pfr-mc)# end 

Note	When this task is complete, PfR withdraws all the routes that are being controlled using the EIGRP protocol.

1.    enable


2.    configure terminal


3.    pfr master


4.    no mode route metric eigrp


5.    end

Router> enable

Router# configure terminal

Router(config)# pfr master 

Router(config-pfr-mc)# no mode route metric eigrp

Router(config-pfr-mc)# end 

1.    enable


2.    show pfr master prefix prefix [detail]


3.    Move to a border router to enter the next step.

4.    enable


5.    show pfr border routes eigrp [parent]

Router> enable

Router# show pfr master prefix 10.1.0.0

OER Prefix Statistics:
 Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
 P - Percentage below threshold, Jit - Jitter (ms), 
 MOS - Mean Opinion Score
 Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
 E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
 U - unknown, * - uncontrolled, + - control more specific, @ - active probe all
 # - Prefix monitor mode is Special, & - Blackholed Prefix
 % - Force Next-Hop, ^ - Prefix is denied
Prefix                  State     Time Curr BR         CurrI/F         Protocol
                      PasSDly  PasLDly   PasSUn   PasLUn  PasSLos  PasLLos
                      ActSDly  ActLDly   ActSUn   ActLUn      EBw      IBw
                      ActSJit  ActPMOS
--------------------------------------------------------------------------------
10.1.0.0/16           DEFAULT*      @69 10.1.1.1        Gi1/22          EIGRP    
                            U        U        0        0        0        0
                            U        U        0        0       22        8
                            N        N

Router> enable

Router# show pfr border routes eigrp

Flags: C - Controlled by oer, X - Path is excluded from control, 
       E - The control is exact, N - The control is non-exact
Flags Network            Parent             Tag       
CE    10.1.2.0/24        10.0.0.0/8         5000

Router# show pfr border routes eigrp parent

Network            Gateway            Intf       Flags   
10.0.0.0/8         10.40.40.2         Gi0/0/2    1       
Child Networks
Network            Flag
10.1.2.0/24        6