
DMVPN with Configuration example.

 

 

Introduction:

This document gives information about DMVPN with a configuration example.

 

What is DMVPN?

 

DMVPN stands for Dynamic Multipoint VPN. It is an effective solution for dynamic, secure overlay networks. In short, DMVPN is a combination of the following technologies:

 

  • Multipoint GRE (mGRE)
  • Next-Hop Resolution Protocol (NHRP)
  • Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
  • Dynamic IPsec encryption
  • Cisco Express Forwarding (CEF)

 

Physical Connectivity:

 

physical-dmvpn.png

 

HUB:

HUB.png

 

ROUTER 2

 

Router 2.png

 

 

 

ROUTER 3

 

router 3.png

 

 

ROUTER 4

 

router 4.png

 

 

DMVPN Config:

 

Once you have physical connectivity you can add the DMVPN configuration.

 

HUB

 

DMVPN HUB.png

 

 

ROUTER 2

 

DMVPN router 2.png

 

 

ROUTER 3

 

DMVPN router 3.png

 

 

ROUTER 4

 

DMVPN router 4.png

 

IPSEC:

Next you will need to add IPsec, which ensures that traffic is not sent in clear text. This configuration is added to each router except router 1.

 

DMVPN ipsec.png
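
An added example of IPsec protection for a DMVPN tunnel on IOS. It is not the author's configuration from the original screenshot. The names DMVPN-TS and DMVPN-PROF, the key placeholder and the algorithm choices are assumptions; Tunnel0 is the tunnel interface named in the comments below.

```cisco
! Added example: names, key placeholder and algorithm choices are assumptions.
! Apply to the hub and to every spoke (not to router 1, the transit router).
!
! IKE phase 1 policy: must match on all DMVPN routers.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The peer address is a wildcard because spoke-to-spoke tunnels are built
! on demand, so a router cannot list every peer in advance.
! Anyone holding this key can negotiate with the router: keep it long and
! random, or use certificate-based IKE authentication instead.
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 0.0.0.0 0.0.0.0
!
! IPsec phase 2: ESP with AES-256 and SHA-256 integrity.
! Transport mode is enough because GRE already supplies the outer IP header.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! A profile (not a crypto map) is used so that no peer or ACL has to be
! configured; it is bound to the mGRE tunnel itself.
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN-PROF
!
! Checks after applying:
!  show crypto isakmp sa   - an SA to the hub in state QM_IDLE
!  show crypto ipsec sa    - encaps/decaps packet counters increasing
!  show dmvpn              - NHRP peers still listed as UP
```

A router with tunnel protection applied will not exchange tunnel traffic with a peer that lacks it, so the tunnel stays down until both ends carry matching settings.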

 

Dynamic Routing

To enable dynamic routing I am using EIGRP. Add the following configuration to each router except router 1.

 

dynamic routing.png

 

 

Verification:

 

Dynamic Tunnels:

 

dynamic tunnels.png

 

 

NHRP Tunnels:

 

nhrp tunnels.png

Acknowledgement:

DMVPN

Version history
Revision #: 2 of 2
Last update: 08-29-2017 03:47 AM

Comments
New Member

Anim:

Seems we are missing the configuration for Router 1, would you mind uploading it if you still have it documented somewhere? :)

Thanks for the help!

 

New Member

R1 is the cloud :)

The R1 is your ISP router - its configuration is not relevant (except that the external interfaces of the other routers should be able to reach each other).

New Member

Any DMVPN Phase 3 doc?

New Member

Is this layout supporting a NAT scenario?

New Member

So curiously, how is this config example working if you have statics on the hub for the NBMA networks of the remote routers?

 

You'd need statics (or a default, not shown here) on the spoke routers to reach the NBMA addresses of the other spokes, since it won't be populated from the hub.

 

I tried dropping a similar config in and I see the FD as infinity on the hub for those remote sites' NBMA networks, since the statics exist on the hub -- at which point, the EIGRP route for the NBMA never makes it from hub-to-spoke and traffic is broken between spokes.

!
hostname Router1
!
ip cef
!
interface FastEthernet0/0
 description to Router2
 ip address 192.168.2.1 255.255.255.0
 duplex full
 speed 100
 !
!
interface FastEthernet0/1
 description to Router3
 ip address 192.168.3.1 255.255.255.0
 duplex full
 speed 100
 !
!
interface FastEthernet1/0
 description to Hub
 ip address 192.168.1.1 255.255.255.0
 duplex full
 speed 100
 !
!
interface FastEthernet1/1
 description to Router4
 ip address 192.168.4.1 255.255.255.0
 duplex full
 speed 100
 !
!
end

New Member

Excellent work. Did the scenario using the EIGRP named mode (kept it simple).

New Member

This configuration is for a Phase 2 DMVPN - which should probably be noted somewhere here (probably in the title). The only problem with a Phase 2 DMVPN is scalability. If you have a very large number of networks sitting behind each spoke (or a very large number of spokes with a couple of networks behind them), the routing table will get very large and Phase 2 DMVPNs don't support using summarization to reduce the size of the routing table.

To make this a Phase 3 DMVPN is quite easy. To understand what these commands do isn't so easy.

On the hub add:

Hub(config)# int tunnel 0

Hub(config-if)# ip nhrp redirect

Hub(config-if)# ip nhrp shortcut

 

On the spokes add:

Router2(config)# int tunnel 0

Router2(config-if)# ip nhrp shortcut 

Hello Anim,

Two questions:

Usually the external interfaces for R2, R3, R4 have a dynamic IP (from the ISP); how will this config be for that situation? For this situation, is it required to use dynamic IP routing, for example EIGRP?

 

Best Regards,

Marcin 

New Member

Hello Anim,

Is it possible to use this configuration with 1 central Hub router with all four spokes connecting to the Hub?

New Member

Sometimes sh dmvpn is not accepted on the router, so meanwhile use show crypto isakmp sa for the phase 1 policy and show crypto engine connection active for phase 1 and phase 2.

New Member

Hi,

As per your DMVPN phase 2 configuration mentioned above, we tested in a lab; however, spoke-to-spoke ping was not working. As we removed no ip eigrp nexthop self, it started working. Please comment.