Chris sent me an interesting question that I haven’t covered in any of my DMVPN webinars: “How would you migrate a part of a Phase-1 DMVPN network to a Phase-2 or Phase-3 network if you can only migrate one spoke site at a time? Can I just upgrade the spokes that need spoke-to-spoke connectivity?”
While it might be theoretically possible to have a mixed Phase-1/Phase-2 DMVPN tunnel (and I just might be able to get it to work in a lab), such a solution definitely violates the KISS principle.
I would prefer to create a second Phase-2/3 DMVPN tunnel on the hub router(s) and migrate spoke sites that need any-to-any connectivity to this new Phase-2/3 DMVPN tunnel. The new tunnel would be used in parallel with the old one, and you could keep both of them running in parallel, or shut and remove the old one after all the spokes have been migrated to Phase 2/3 DMVPN.
Unfortunately you can't migrate DMVPN spokes in flocks
Interestingly, the second tunnel does not diminish the network performance. In a Phase-1 DMVPN network all the traffic goes through the hub anyway, so it doesn't matter if you have one or more tunnels on the hub router – changing the tunnel interface while forwarding an IP packet does not impact the forwarding performance. Creating a new DMVPN tunnel on the hub router thus doesn't cause any change in performance or traffic flow.
Be careful if you're using Cat 6500 as the hub, in which case you have to use a trick or two to ensure tunnels have different transport IP addresses so you're not forced to use GRE keys.
You might need two tunnel transport IP addresses anyway if you don't use GRE keys in your existing setup.