DMVPN Tutorial

Configuring DMVPN

DMVPN can be configured in three different ways, each of which is often called a “phase”:

1) DMVPN Phase I (Spoke-to-Hub only):
+ mGRE is configured on Hub, p2p GRE is configured on Spokes
+ Traffic flows between Spoke & Hub only (Spokes talk to each other through hub). No spoke-to-spoke direct communication

Figure: DMVPN Phase I topology

DMVPN Phase I – Static Mapping

Hub
interface tunnel 1
 ip address 192.168.100.254 255.255.255.0
 tunnel source 44.44.44.4
 tunnel mode gre multipoint
 ip nhrp network 10
 ip nhrp map 192.168.100.1 11.11.11.1
 ip nhrp map 192.168.100.2 12.12.12.2

Spoke 1
interface tunnel 1
 ip address 192.168.100.1 255.255.255.0
 tunnel source 11.11.11.1
 tunnel destination 44.44.44.4
 ip nhrp network 10
 ip nhrp map 192.168.100.254 44.44.44.4

Spoke 2
interface tunnel 1
 ip address 192.168.100.2 255.255.255.0
 tunnel source 12.12.12.2
 tunnel destination 44.44.44.4
 ip nhrp network 10
 ip nhrp map 192.168.100.254 44.44.44.4

DMVPN Phase I – Dynamic Mapping

Hub
interface tunnel 1
 ip address 192.168.100.254 255.255.255.0
 tunnel source 44.44.44.4
 tunnel mode gre multipoint
 ip nhrp network 10
(Notice there are no “ip nhrp map …” commands on the Hub, since mapping will be dynamic.)

Spoke 1
interface tunnel 1
 ip address 192.168.100.1 255.255.255.0
 tunnel source 11.11.11.1
 tunnel destination 44.44.44.4
 ip nhrp network 10
 ip nhrp map 192.168.100.254 44.44.44.4
 ip nhrp nhs 192.168.100.254
(The “ip nhrp nhs …” command tells our spoke router who the Next Hop Server is, so that it sends its registration request to the hub.)

Spoke 2
interface tunnel 1
 ip address 192.168.100.2 255.255.255.0
 tunnel source 12.12.12.2
 tunnel destination 44.44.44.4
 ip nhrp network 10
 ip nhrp map 192.168.100.254 44.44.44.4
 ip nhrp nhs 192.168.100.254

First, notice that the Hub configuration has no “tunnel destination” command, because the tunnel destination is derived from the NHRP database. If we are running dynamic routing protocols based on multicast (like RIP, OSPF, EIGRP …), we have to add the command “ip nhrp map multicast dynamic” on the Hub to replicate all multicast traffic to all dynamic entries in the NHRP table (multicast will be processed as unicast traffic).

“ip nhrp network 10” uniquely identifies the DMVPN network; tunnels will not form between routers with different NHRP network IDs.

2) DMVPN Phase II (Spoke-to-Spoke):

In this phase every hub and spoke is configured with an mGRE interface so that we can create dynamic spoke-to-spoke connectivity; static tunnel destinations are no longer configured.

+ Hub uses mGRE tunnel
+ Spokes use mGRE tunnel
+ Spokes talk to each other directly

Figure: DMVPN Phase II topology

DMVPN Phase II Configuration

DMVPN Phase II – Static Mapping

Hub
interface tunnel 1
 ip address 192.168.100.254 255.255.255.0
 tunnel source 44.44.44.4
 tunnel mode gre multipoint
 ip nhrp network 10
 ip nhrp map 192.168.100.1 11.11.11.1
 ip nhrp map 192.168.100.2 12.12.12.2

Spoke 1
interface tunnel 1
 ip address 192.168.100.1 255.255.255.0
 tunnel source 11.11.11.1
 tunnel mode gre multipoint
 ip nhrp network 10
 ip nhrp map 192.168.100.1 11.11.11.1
 ip nhrp map 192.168.100.2 12.12.12.2
 ip nhrp map 192.168.100.254 44.44.44.4

Spoke 2
interface tunnel 1
 ip address 192.168.100.2 255.255.255.0
 tunnel source 12.12.12.2
 tunnel mode gre multipoint
 ip nhrp network 10
 ip nhrp map 192.168.100.1 11.11.11.1
 ip nhrp map 192.168.100.2 12.12.12.2
 ip nhrp map 192.168.100.254 44.44.44.4

DMVPN Phase II – Dynamic Mapping

Hub
interface tunnel 1
 ip address 192.168.100.254 255.255.255.0
 tunnel source 44.44.44.4
 tunnel mode gre multipoint
 ip nhrp network 10

Spoke 1
interface tunnel 1
 ip address 192.168.100.1 255.255.255.0
 tunnel source 11.11.11.1
 tunnel mode gre multipoint
 ip nhrp network 10
 ip nhrp map 192.168.100.254 44.44.44.4
 ip nhrp nhs 192.168.100.254

Spoke 2
interface tunnel 1
 ip address 192.168.100.2 255.255.255.0
 tunnel source 12.12.12.2
 tunnel mode gre multipoint
 ip nhrp network 10
 ip nhrp map 192.168.100.254 44.44.44.4
 ip nhrp nhs 192.168.100.254

Note: Although Phase II – Dynamic Mapping is “dynamic”, we still need to add a static entry for the hub, because without that entry the NHRP registration cannot be sent.

If we use any dynamic routing protocol (OSPF, EIGRP…), the following commands should be applied:

+ On Hub: ip nhrp map multicast dynamic
+ On Spoke: ip nhrp map multicast 44.44.44.4

To verify the DMVPN configuration we can use the “show dmvpn” or “show ip nhrp” command. The outputs of these commands are shown below:

On Hub:

Hub#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr  Peer Tunnel Add  State UpDn Tm  Attrb
 -----  --------------- ---------------  ----- -------- -----
     1  11.11.11.1      192.168.100.1    UP    00:03:08     D
     1  12.12.12.2      192.168.100.2    UP    00:03:16     D
Hub#show ip nhrp
192.168.100.1/32 via 192.168.100.1
   Tunnel1 created 00:28:51, expire 01:48:59
   Type: dynamic, Flags: unique registered used nhop 
   NBMA address: 11.11.11.1
192.168.100.2/32 via 192.168.100.2
   Tunnel1 created 00:26:47, expire 01:48:57
   Type: dynamic, Flags: unique registered used nhop 
   NBMA address: 12.12.12.2 

On Spoke:

Spoke1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr  Peer Tunnel Add    State  UpDn Tm  Attrb
 -----  --------------- ---------------    ----- --------  -----
     1  44.44.44.4      192.168.100.254    UP    00:03:40  S
     1  12.12.12.2      192.168.100.2      UP    00:03:20  D
Spoke1#show ip nhrp
192.168.100.254/32 via 192.168.100.254
   Tunnel1 created 00:11:35, never expire 
   Type: static, Flags: used 
   NBMA address: 44.44.44.4 
192.168.100.2/32 via 192.168.100.2
   Tunnel1 created 00:11:16, expire 01:48:43
   Type: dynamic, Flags: router used nhop 
   NBMA address: 12.12.12.2
192.168.100.1/32 via 192.168.100.1
   Tunnel1 created 00:11:16, expire 01:48:45
   Type: dynamic, Flags: router unique local 
   NBMA address: 11.11.11.1 
    (no-socket)
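
The hub's “show ip nhrp” output can also be checked by script. The following is an added example, not part of the original tutorial: it parses that output and compares each dynamic registration with an inventory of spokes. The inventory (EXPECTED) and the function names are assumptions made for the illustration.

```python
import re

# Hub output copied from the page's "Hub#show ip nhrp" listing.
HUB_OUTPUT = """\
192.168.100.1/32 via 192.168.100.1
   Tunnel1 created 00:28:51, expire 01:48:59
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 11.11.11.1
192.168.100.2/32 via 192.168.100.2
   Tunnel1 created 00:26:47, expire 01:48:57
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 12.12.12.2
"""

# Assumed inventory of spokes (not from the page): tunnel IP -> expected NBMA IP.
EXPECTED = {"192.168.100.1": "11.11.11.1", "192.168.100.2": "12.12.12.2"}

def parse_show_ip_nhrp(text):
    """Turn 'show ip nhrp' output into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        if m := re.match(r"(\d+\.\d+\.\d+\.\d+)/\d+ via ", line):
            entries.append({"tunnel": m.group(1), "type": None, "flags": [], "nbma": None})
        elif not entries:
            continue  # ignore anything before the first entry
        elif m := re.match(r"\s+Type: (\w+), Flags:(.*)", line):
            entries[-1]["type"] = m.group(1)
            entries[-1]["flags"] = m.group(2).split()
        elif m := re.match(r"\s+NBMA address: (\S+)", line):
            entries[-1]["nbma"] = m.group(1)
    return entries

def check_registrations(text, expected):
    """Flag dynamic entries that the inventory does not account for."""
    findings, seen = [], set()
    for e in parse_show_ip_nhrp(text):
        if e["type"] != "dynamic" or "local" in e["flags"]:
            continue  # static maps and the router's own entry are not registrations
        seen.add(e["tunnel"])
        want = expected.get(e["tunnel"])
        if want is None:
            findings.append(f"unknown spoke {e['tunnel']} at {e['nbma']}")
        elif want != e["nbma"]:
            findings.append(f"{e['tunnel']} registered from {e['nbma']}, expected {want}")
    findings += [f"{ip} not registered" for ip in sorted(set(expected) - seen)]
    return findings

if __name__ == "__main__":
    print(check_registrations(HUB_OUTPUT, EXPECTED))
```

Spokes whose public address is assigned dynamically will legitimately change NBMA address, so the NBMA comparison only applies to spokes with fixed addresses.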

3) DMVPN Phase III:

Phase III is the same as Phase II but removes some of Phase II's restrictions and complexities, and also allows a greater variety of DMVPN network designs. In Phase III we use:
+ ip nhrp redirect on the hub: tells the initiator spoke to look for a better path to the destination spoke than through the Hub. Upon receiving the NHRP redirect message, the spokes communicate with each other over the hub and receive the NHRP replies to the NHRP Resolution Requests that they sent out.
+ ip nhrp shortcut on the spokes: overwrites the CEF table on the spoke. It basically overrides the next-hop value for a remote spoke network from the default initial hub tunnel IP address to the NHRP-resolved remote spoke tunnel IP address.

Note: From the configurations above, we can quickly find out which phase of DMVPN an existing deployment uses by looking at the Spoke configuration. If the Spoke’s tunnel is configured as mGRE (with the command “tunnel mode gre multipoint”), it is using DMVPN Phase II or Phase III. Next, check whether the Spokes have the command “ip nhrp shortcut”; if they do, they are running DMVPN Phase III.
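
The phase check in the note above, together with two rules stated earlier on this page (the NHRP network ID must match, and the NHS needs a static map entry), written as a small script. This is an added example, not part of the original tutorial; the function names are hypothetical and the sample is Spoke 1's Phase II dynamic-mapping configuration with “ip nhrp shortcut” appended.

```python
import re

# Constructed sample: Spoke 1 from the Phase II dynamic-mapping listing,
# with "ip nhrp shortcut" added to represent a Phase III spoke.
SPOKE = """interface tunnel 1
 ip address 192.168.100.1 255.255.255.0
 tunnel source 11.11.11.1
 tunnel mode gre multipoint
 ip nhrp network 10
 ip nhrp map 192.168.100.254 44.44.44.4
 ip nhrp nhs 192.168.100.254
 ip nhrp shortcut
"""

def parse_tunnel(config):
    """Collect the DMVPN-relevant settings of one tunnel interface."""
    t = {"mgre": False, "shortcut": False, "network": None, "maps": {}, "nhs": []}
    for line in map(str.strip, config.splitlines()):
        if line == "tunnel mode gre multipoint":
            t["mgre"] = True
        elif line == "ip nhrp shortcut":
            t["shortcut"] = True
        elif m := re.fullmatch(r"ip nhrp network(?:-id)? (\d+)", line):
            t["network"] = int(m.group(1))
        elif m := re.fullmatch(r"ip nhrp nhs (\S+)", line):
            t["nhs"].append(m.group(1))
        elif m := re.fullmatch(r"ip nhrp map (\d\S*) (\S+)", line):
            t["maps"][m.group(1)] = m.group(2)  # tunnel IP -> NBMA IP
    return t

def audit_spoke(config, hub_network=10):
    """Return (phase, findings) for a spoke, following the page's rules."""
    t = parse_tunnel(config)
    # p2p GRE -> Phase I; mGRE -> Phase II, or Phase III with "ip nhrp shortcut"
    phase = "I" if not t["mgre"] else ("III" if t["shortcut"] else "II")
    findings = []
    if t["network"] != hub_network:
        findings.append(f"NHRP network ID {t['network']} != hub's {hub_network}")
    for nhs in t["nhs"]:
        if nhs not in t["maps"]:  # the static hub entry the page's note requires
            findings.append(f"NHS {nhs} has no static 'ip nhrp map' entry")
    return phase, findings

if __name__ == "__main__":
    print(audit_spoke(SPOKE))
```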

