Home > DMVPN Tutorial

DMVPN Tutorial

Go to comments

Configuring DMVPN

DMVPN can be configured in three different methods, each method is often called a “phase”:

1) DMVPN Phase I (Spoke-to-Hub only):
+ mGRE is configured on Hub, p2p GRE is configured on Spokes
+ Traffic flows between Spoke & Hub only (Spokes talk to each other through hub). No spoke-to-spoke direct communication

DMVPN Phase I

DMVPN Phase I – Static Mapping
Hub
interface tunnel 1
ip address 192.168.100.254 255.255.255.0
tunnel source 44.44.44.4
tunnel mode gre multipoint
ip nhrp network 10
ip nhrp map 192.168.100.1 11.11.11.1
ip nhrp map 192.168.100.2 12.12.12.2
Spoke 1
interface tunnel 1
ip address 192.168.100.1 255.255.255.0
tunnel source 11.11.11.1
tunnel destination 44.44.44.4
ip nhrp network 10
ip nhrp map 192.168.100.254 44.44.44.4
!
!
!
Spoke 2
interface tunnel 1
ip address 192.168.100.2 255.255.255.0
tunnel source 12.12.12.2
tunnel destination 44.44.44.4
ip nhrp network 10
ip nhrp map 192.168.100.254 44.44.44.4

DMVPN Phase I – Dynamic Mapping
Hub
interface tunnel 1
ip address 192.168.100.254 255.255.255.0
tunnel source 44.44.44.4
tunnel mode gre multipoint
ip nhrp network 10
(Notice there are no “ip nhrp map …” commands in Hub, since
mapping will be dynamic)
Spoke 1
interface tunnel 1
ip address 192.168.100.1 255.255.255.0
tunnel source 11.11.11.1
tunnel destination 44.44.44.4
ip nhrp network 10
ip nhrp map 192.168.100.254 44.44.44.4
ip nhrp nhs 192.168.100.254
(“ip nhrp nhs …” command send registration request to hub,
tells our spoke router who the Next Hop Server is)
Spoke 2
interface tunnel 1
ip address 192.168.100.2 255.255.255.0
tunnel source 12.12.12.2
tunnel destination 44.44.44.4
ip nhrp network 10
ip nhrp map 192.168.100.254 44.44.44.4
ip nhrp nhs 192.168.100.254

First we notice in the Hub configuration there is no “tunnel destination” command because the tunnel destination is derived from NHRP database. If we are running dynamic routing protocols based on multicast (like RIP, OSPF, EIGRP …) we have to add the command “ip nhrp map multicast dynamic” in Hub to replicate all multicast traffic to all dynamic entries in the NHRP table (multicast will be proceeded as unicast traffic).

“ip nhrp network 10” uniquely identifies the DMVPN network; tunnels will not form between routers with different NHRP network IDs.

2) DMVPN Phase II (Spoke-to-Spoke):

In this phase every hub and spoke is configured with mGRE interface so we can create dynamic spoke-to-spoke connectivity, no more static tunnel destination’s will be configured.

+ Hub use mGRE tunnel
+ Spokes use mGRE tunnel
+ Spokes talk to each other directly

DMVPN Phase II

DMVPN Phase II Configuration

DMVPN Phase II – Static Mapping
Hub
interface tunnel 1
ip address 192.168.100.254 255.255.255.0
tunnel source 44.44.44.4
tunnel mode gre multipoint
ip nhrp network 10
ip nhrp map 192.168.100.1 11.11.11.1
ip nhrp map 192.168.100.2 12.12.12.2
Spoke 1
interface tunnel 1
ip address 192.168.100.1 255.255.255.0
tunnel source 11.11.11.1
tunnel mode gre multipoint
ip nhrp network 10
ip nhrp map 192.168.100.1 11.11.11.1
ip nhrp map 192.168.100.2 12.12.12.2
ip nhrp map 192.168.100.254 44.44.44.4
Spoke 2
interface tunnel 1
ip address 192.168.100.2 255.255.255.0
tunnel source 12.12.12.2
tunnel mode gre multipoint
ip nhrp network 10
ip nhrp map 192.168.100.1 11.11.11.1
ip nhrp map 192.168.100.2 12.12.12.2
ip nhrp map 192.168.100.254 44.44.44.4

DMVPN Phase II – Dynamic Mapping
Hub
interface tunnel 1
ip address 192.168.100.254 255.255.255.0
tunnel source 44.44.44.4
tunnel mode gre multipoint
ip nhrp network 10
!
!
Spoke 1
interface tunnel 1
ip address 192.168.100.1 255.255.255.0
tunnel source 11.11.11.1
tunnel mode gre multipoint
ip nhrp network 10
ip nhrp map 192.168.100.254 44.44.44.4
ip nhrp nhs 192.168.100.254
!
Spoke 2
interface tunnel 1
ip address 192.168.100.2 255.255.255.0
tunnel source 12.12.12.2
tunnel mode gre multipoint
ip nhrp network 10
ip nhrp map 192.168.100.254 44.44.44.4
ip nhrp nhs 192.168.100.254

Note: Although Phase II – Dynamic Mapping is “dynamic” but we still need to add a static entry for the hub on the spoke (e.g: ip nhrp map 192.168.100.254 44.44.44.4 on Spoke1) because without that entry, the NHRP registration cannot be sent.

If we use any dynamic routing protocol (OSPF, EIGRP…), the following command should be applied:

+ On Hub: ip nhrp map multicast dynamic
+ On Spoke: ip nhrp map multicast 44.44.44.4

To verify the DMVPN configuration we can use the “show dmvpn” or “show ip nhrp” command. The outputs of these commands are shown below:

On Hub:

Hub#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr  Peer Tunnel Add  State UpDn Tm  Attrb
 -----  --------------- ---------------  ----- -------- -----
     1  11.11.11.1      192.168.100.1    UP    00:03:08     D
     1  12.12.12.2      192.168.100.2    UP    00:03:16     D

Hub#show ip nhrp
192.168.100.1/32 via 192.168.100.1
   Tunnel1 created 00:28:51, expire 01:48:59
   Type: dynamic, Flags: unique registered used nhop 
   NBMA address: 11.11.11.1
192.168.100.2/32 via 192.168.100.2
   Tunnel1 created 00:26:47, expire 01:48:57
   Type: dynamic, Flags: unique registered used nhop 
   NBMA address: 12.12.12.2

On Spoke:

Spoke1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr  Peer Tunnel Add    State  UpDn Tm  Attrb
 -----  --------------- ---------------    ----- --------  -----
     1  44.44.44.4      192.168.100.254    UP    00:03:40  S
     1  12.12.12.2      192.168.100.2      UP    00:03:20  D

Spoke1#show ip nhrp
192.168.100.254/32 via 192.168.100.254
   Tunnel1 created 00:11:35, never expire 
   Type: static, Flags: used 
   NBMA address: 44.44.44.4 
192.168.100.2/32 via 192.168.100.2
   Tunnel1 created 00:11:16, expire 01:48:43
   Type: dynamic, Flags: router used nhop 
   NBMA address: 12.12.12.2
192.168.100.1/32 via 192.168.100.1
   Tunnel1 created 00:11:16, expire 01:48:45
   Type: dynamic, Flags: router unique local 
   NBMA address: 11.11.11.1 
    (no-socket)

3) DMVPN Phase III:

Same as Phase 2 but removes some restrictions and complexities of Phase 2. Also allows greater variety of DMVPN network designs we use:
+ ip nhrp redirect in hub: tells the initiator spoke to look for a better path to the destination spoke than through the Hub. Upon receiving the NHRP redirect message the spokes communicate with each other over the hub and they have their NHRP replies for the NHRP Resolution Requests that they sent out.
+ ip nhrp shortcut in spokes: overwrite the CEF table on the spoke. It basically overrides the next-hop value for a remote spoke network from the default initial hub tunnel IP address to the NHRP resolved remote spoke tunnel IP address)

Note: From the configuration above we can quickly find out which phase of DMVPN is being used when checking an existing DMVPN configuration by looking at the Spoke configuration. If the Spoke’s tunnel is configured as mGRE (with the command “tunnel mode gre multipoint”) then it is using DMVPN Phase II or Phase III. Next check if the Spokes have the command “ip nhrp shortcut” then they are running DMVPN Phase III.

————————————–

Reference and good resources:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/xe-3s/nhrp-xe-3s-book/config-nhrp.html

http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/prod_presentation0900aecd80313c9d.pdf

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html

Pages: 1 2

Comments (12) Comments

Comment pages

« Previous 1 2 2257

moh3k3k

February 7th, 2023

hello guys please share latest ENARSI dumps i take exam soon thanks
JP

March 3rd, 2023

Any recommendation for PaloAlto PCCET exam dumps?
Anonymous

March 20th, 2023

the questions are updated?
Anonymous

March 22nd, 2023

can someone help to know if questions are updated?
Yan

June 18th, 2023

do you know if there are labs on the exam?
Donc26

June 21st, 2023

How come after 15 days my subscription ends…this has happened twice already
networktut

June 21st, 2023

@Donc26: Please send an email to support@networktut.com with your username or Invoice ID so that we can check for you.
Klarr

August 14th, 2023

Are there any labs on this exam
Onder

December 5th, 2023

I’ll take the exam. Is there an updated dump?
I would be very happy if you share it.
Anonymous

January 14th, 2024

are these questions updated?
IZZY

January 25th, 2024

Please kind person, please share latest CCNP ERNASI DUMPS to israel_dot_magodi_et_oldmutual_dot_co_dot_zw

_dot_ means .
_et_ means @
Anonymous

June 7th, 2024

Are these current and valid?

Comment pages

« Previous 1 2 2257

Control Plane Policing (CoPP) Tutorial Short Composite Quiz 20 Questions

DMVPN Tutorial

Premium Membership

ENARSI Training

ENARSI 300-410 v1.1

Network Resources