Anim Saxena
Level 1

 

 

Introduction:

This document gives information about DMVPN with a configuration example.

 

What is DMVPN?

 

DMVPN stands for Dynamic Multipoint VPN, and it is an effective solution for dynamic secure overlay networks. In short, DMVPN is a combination of the following technologies:

 

  • Multipoint GRE (mGRE)
  • Next-Hop Resolution Protocol (NHRP)
  • Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
  • Dynamic IPsec encryption
  • Cisco Express Forwarding (CEF)

 

Physical Connectivity:

 

physical-dmvpn.png

 

HUB:

HUB.png

 

ROUTER 2

 

Router 2.png

 

 

 

ROUTER 3

 

router 3.png

 

 

ROUTER 4

 

router 4.png

 

 

DMVPN Config:

 

Once you have physical connectivity you can add the DMVPN configuration.

 

HUB

 

DMVPN HUB.png

 

 

ROUTER 2

 

DMVPN router 2.png

 

 

ROUTER 3

 

DMVPN router 3.png

 

 

ROUTER 4

 

DMVPN router 4.png

 

IPSEC:

Next you will need to add IPsec, which ensures that traffic is not sent in clear text. This configuration will be added to each router except router 1.

 

DMVPN ipsec.png
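As an added example (not part of the original document and not Cisco's code), this Python audit reads a saved IOS configuration and flags multipoint GRE tunnel interfaces that have no `tunnel protection ipsec profile` line, or that reference a profile the configuration does not define. The sample configuration, the profile name DMVPN-PROF, the transform set and the addresses are constructed for illustration.

```python
import re

# Constructed sample config (not from the original page); profile name,
# transform set and addresses are assumptions for illustration.
PROTECTED = """\
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
"""
UNPROTECTED = PROTECTED.replace(" tunnel protection ipsec profile DMVPN-PROF\n", "")
DANGLING = PROTECTED.replace("crypto ipsec profile DMVPN-PROF", "crypto ipsec profile OTHER")


def blocks(config):
    """Map each top-level IOS line to its indented sub-commands."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out


def audit_mgre(config):
    """Flag mGRE tunnel interfaces that lack a usable IPsec profile."""
    cfg = blocks(config)
    profiles = {h.split()[3] for h in cfg if h.startswith("crypto ipsec profile ")}
    findings = []
    for header, body in cfg.items():
        if not re.match(r"interface Tunnel\d+$", header) or "tunnel mode gre multipoint" not in body:
            continue
        used = [l.split()[4] for l in body if l.startswith("tunnel protection ipsec profile ")]
        if not used:
            findings.append((header, "no tunnel protection: GRE sent in clear text"))
        elif used[0] not in profiles:
            findings.append((header, f"profile {used[0]} is not defined"))
    return findings
```

Run `audit_mgre()` over the saved configuration of the hub and each spoke; an empty list means every mGRE tunnel interface references a defined IPsec profile.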

 

Dynamic Routing

To enable dynamic routing, I am using EIGRP. Add the following configuration to each router except router 1.

 

dynamic routing.png

 

 

Verification:

 

Dynamic Tunnels:

 

dynamic tunnels.png

 

 

NHRP Tunnels:

 

nhrp tunnels.png

Acknowledgement:

DMVPN

Comments
hacabreraACS
Community Member

Anim:

Seems we are missing the configuration for Router 1, would you mind uploading it if you still have it documented somewhere? :)

Thanks for the help!

 

daniel_tarbuck
Level 1

R1 is the cloud :)

The R1 is your ISP router - its configuration is not relevant (except that the external interfaces of the other routers should be able to reach each other).

Rodsal Rivas
Community Member

Any DMVPN Phase 3 doc?

Is this layout supporting a NAT scenario?

ryan.lambert
Level 1

So curiously, how is this config example working if you have statics on the hub for the NBMA networks of the remote routers?

 

You'd need statics (or a default, not shown here) on the spoke routers to reach the NBMA addresses of the other spokes, since it won't be populated from the hub.

 

I tried dropping a similar config in and I see the FD as infinity on the hub for those remote sites' NBMA networks, since the statics exist on the hub -- at which point, the EIGRP route for the NBMA never makes it from hub-to-spoke and traffic is broken between spokes.

Rene Groenigen, van
Community Member

!
hostname Router1
!
ip cef
!
interface FastEthernet0/0
 description to Router2
 ip address 192.168.2.1 255.255.255.0
 duplex full
 speed 100
 !
!
interface FastEthernet0/1
 description to Router3
 ip address 192.168.3.1 255.255.255.0
 duplex full
 speed 100
 !
!
interface FastEthernet1/0
 description to Hub
 ip address 192.168.1.1 255.255.255.0
 duplex full
 speed 100
 !
!
interface FastEthernet1/1
 description to Router4
 ip address 192.168.4.1 255.255.255.0
 duplex full
 speed 100
 !
!
end

James Simpson
Level 1

Excellent work. Did the scenario using the EIGRP named mode (kept it simple).

benjamin.peck
Level 1

This configuration is for a Phase 2 DMVPN - which should probably be noted somewhere here (probably in the title). The only problem with a Phase 2 DMVPN is scalability. If you have a very large number of networks sitting behind each spoke (or a very large number of spokes with a couple of networks behind them), the routing table will get very large and Phase 2 DMVPNs don't support using summarization to reduce the size of the routing table.

To make this a Phase 3 DMVPN is quite easy. To understand what these commands do isn't so easy.

On the hub add:

Hub(config)# int tunnel 0

Hub(config-if)# ip nhrp redirect

Hub(config-if)# ip nhrp shortcut

 

On the spokes add:

Router2(config)# int tunnel 0

Router2(config-if)# ip nhrp shortcut 

Hello Anim,

Two questions:

Usually the external interfaces for R2, R3, R4 have a dynamic IP (from the ISP); how will this config be for that situation? For this situation, is it required to use dynamic IP routing, for example EIGRP?

 

Best Regards,

Marcin 

derek.perea
Level 1

Hello Anim,

Is it possible to use this configuration with 1 central Hub router with all four spokes connecting to the Hub?

sushil1987
Community Member

Sometimes sh dmvpn is not accepted on the router, so in the meantime use show crypto isakmp sa for the phase 1 policy and

show crypto engine connection active for phase 1 and phase 2.

swamy105
Level 1

Hi,

As per your DMVPN Phase 2 configuration mentioned above, we tested in a lab; however, spoke-to-spoke ping was not working. As we removed no ip eigrp nexthop self, it started working. Please comment.

Savas_savas
Level 1

Why are you calling this DMVPN when you are using static routing in the first instance? Imagine having an ISP network where you want to use millions of CPEs where particular traffic has to be GRE encapsulated. Your config is misleading guys here.

If there is a change of IP on the HUB site, what would you do with millions of these CPEs deployed?

Make an example where DYNAMIC logic has to be used. Then suddenly you will end up with a different configuration rather than this one.
