Cisco device configuration tutorials and networking fundamentals

DMVPN Introduction and Example Configuration Explained

2022 June 29

What are DMVPN Phases?

DMVPN Phases have a variety of unique properties suited for different network designs and technical requirements. For example, DMVPN Phase 1 is suited for a hub-and-spoke topology where all traffic from the spoke routers needs to travel through the hub. By contrast, DMVPN Phase 2 and Phase 3 allow for direct spoke-to-spoke communication.

DMVPN overview introduction to Dynamic Multipoint Virtual Private Network

DMVPN Phases provide a high-level framework for hub-and-spoke WAN network deployments. Each DMVPN Phase can be fine-tuned to meet specific technical or business requirements by implementing various routing protocols, encryption methods, and other unique design choices.

What is the difference between DMVPN Phase 2 and 3?

DMVPN Phase 3 is more scalable than DMVPN Phase 2. The following table provides several differences between the two DMVPN Phases.

DMVPN Phase 2 and Phase 3 compared

| Difference | Phase 2 | Phase 3 |
|---|---|---|
| Default route | Cannot be used with Phase 2 | The hub router can advertise a single default route, and NHRP installs specific shortcut routes on the spokes |
| Routing table | Spoke routers learn all site-specific prefixes from other spoke routers in order to reach resources in each branch location | Spoke routers can rely on only a single default route received from the hub router |
| Configuration | Spoke and hub router tunnel interface is configured with tunnel mode gre multipoint | Spoke and hub have multipoint GRE tunnel configured, and additionally spoke router tunnel interface has ip nhrp shortcut, hub router tunnel interface has ip nhrp redirect command configured |

Phase 1 with EIGRP - configuration

The following example topology uses DMVPN Phase 1 with named EIGRP to connect two sites. In DMVPN Phase 1, traffic between the Spoke routers flows through the Hub router; there is no direct spoke-to-spoke communication.

The EIGRP command no split-horizon on the Hub router ensures that EIGRP routes are advertised out the same interface they are received on (Tunnel10). This is important so that the Spoke routers receive routes through EIGRP from the Hub.

DMVPN Phase 1 configuration with single hub router and two spoke routers using EIGRP named mode as the routing protocol

Configuration:

Hub
    Hub#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 1 tunnel **
     ip address 10.0.0.1 255.255.255.248
     no ip redirects
     ip nhrp authentication p4ssw0rd
     ip nhrp network-id 99
     ip nhrp map multicast dynamic
     tunnel source 172.16.1.1
     tunnel mode gre multipoint
    
    Hub#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.1.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    Hub#show run | sec ^router
    router eigrp HUB
     !
     address-family ipv4 unicast autonomous-system 10
      !
      af-interface Tunnel10
       no split-horizon
      exit-af-interface
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      eigrp router-id 2.2.2.2
     exit-address-family
    
    Hub#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.1.2
    
R2 (Spoke)
    R2#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 1 tunnel **
     ip address 10.0.0.2 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     tunnel source 172.16.2.1
     tunnel destination 172.16.1.1
    
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.2.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R2#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host1 in Site1 **
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run | sec ^router
    router eigrp SPOKE-R2
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.1.0
      eigrp router-id 1.1.1.1
     exit-address-family
    
    R2#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.2.2
    
R3 (Spoke)
    R3#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 1 tunnel **
     ip address 10.0.0.3 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     tunnel source 172.16.3.1
     tunnel destination 172.16.1.1
    
    R3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.3.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host2 in Site2 **
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run | sec ^router
    router eigrp SPOKE-R3
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.2.0
      eigrp router-id 3.3.3.3
     exit-address-family
     
    R3#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.3.2
    
Hub#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel10, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 172.16.2.1             10.0.0.2    UP 00:34:11     D            « The two spoke routers are registered with the Hub
     1 172.16.3.1             10.0.0.3    UP 00:33:55     D
	 




R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel10, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 172.16.1.1             10.0.0.1    UP 00:34:38     S






Hub#show ip eigrp neighbors 
EIGRP-IPv4 VR(HUB) Address-Family Neighbors for AS(10)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.0.0.3                Tu10                     11 00:27:30 1044  5000  0  8      « EIGRP neighborship established on DMVPN tunnel interface
0   10.0.0.2                Tu10                     14 00:27:30   33  1434  0  8






R2#show ip eigrp neighbors 
EIGRP-IPv4 VR(SPOKE-R2) Address-Family Neighbors for AS(10)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.0.0.1                Tu10                     14 00:27:44   48  1470  0  15






Hub#show ip route eigrp | beg Ga
Gateway of last resort is 172.16.1.2 to network 0.0.0.0

D     192.168.1.0/24 [90/76805120] via 10.0.0.2, 00:28:09, Tunnel10            « Prefixes are learned from the Spoke routers
D     192.168.2.0/24 [90/76805120] via 10.0.0.3, 00:28:09, Tunnel10





R2#show ip route eigrp | beg Ga 
Gateway of last resort is 172.16.2.2 to network 0.0.0.0

D     192.168.2.0/24 [90/102405120] via 10.0.0.1, 00:27:59, Tunnel10

When implementing DMVPN Phase 1 there is no direct spoke-to-spoke communication. After the Spoke routers register with the Hub router using NHRP, all traffic between the two sites flows through the Hub router. This is shown in the following outputs.

Host1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 90/90/92 ms


Host1#trace 192.168.2.2 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 2 msec
  2 10.0.0.1 45 msec            « Hub DMVPN tunnel interface
  3 10.0.0.3 91 msec       
  4 192.168.2.2 99 msec

In DMVPN Phase 1 the Hub and Spoke routers use NHRP Registration Request and Reply messages to establish the DMVPN network, as shown below. With DMVPN Phase 1 the NHRP Resolution Request/Reply and Traffic Indication messages are not used.

Hub#show ip nhrp traffic
Tunnel10: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 45
         0 Resolution Request  0 Resolution Reply  0 Registration Request  
         45 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress  
   Rcvd: Total 45
         0 Resolution Request  0 Resolution Reply  45 Registration Request  
         0 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress

Phase 2 with EIGRP - configuration

The following example shows a DMVPN Phase 2 configuration with named EIGRP to connect two sites. In DMVPN Phase 2 there is direct spoke-to-spoke communication as a result of NHRP Resolution Request and Resolution Reply messages. This is shown in the following output from the Hub router.

Hub#show ip nhrp traffic
Tunnel10: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 13
         1 Resolution Request  0 Resolution Reply  0 Registration Request  
         12 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress  
   Rcvd: Total 13
         1 Resolution Request  0 Resolution Reply  12 Registration Request  
         0 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress 

The NHRP Resolution Reply messages are exchanged directly between the Spoke routers, enabling direct spoke-to-spoke communication between the two sites. During this message exchange the Spoke routers learn each other's public NBMA IP address and the corresponding DMVPN tunnel IP address. This creates a mapping table, which is dynamically (D) maintained on the Spokes, as shown below.

R2#show ip nhrp brief | beg Intf
Intf     NextHop Address                                    NBMA Address
         Target Network                              T/Flag
-------- ------------------------------------------- ------ ----------------
Tu10     10.0.0.1                                           172.16.1.1
         10.0.0.1/32                                 S/    
Tu10     10.0.0.3                                           172.16.3.1
         10.0.0.3/32                                 D/

Meanwhile, on the Hub router the EIGRP commands no split-horizon and no next-hop-self ensure that EIGRP routes are advertised out the same interface they are received on (Tunnel10), and that their next-hop address does not point to the Hub router.

DMVPN Phase 2 configuration with single hub router and two spoke routers using EIGRP named mode as the routing protocol

Configuration:

Hub
    Hub#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 2 tunnel **
     ip address 10.0.0.1 255.255.255.248
     no ip redirects
     ip nhrp authentication p4ssw0rd
     ip nhrp network-id 99
     ip nhrp map multicast dynamic
     tunnel source 172.16.1.1
     tunnel mode gre multipoint
    
    Hub#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.1.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    Hub#show run | sec ^router
    router eigrp HUB
     !
     address-family ipv4 unicast autonomous-system 10
      !
      af-interface Tunnel10
       no next-hop-self
       no split-horizon
      exit-af-interface
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      eigrp router-id 2.2.2.2
     exit-address-family
    
    Hub#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.1.2
    
R2 (Spoke)
    R2#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 2 tunnel **
     ip address 10.0.0.2 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     tunnel source 172.16.2.1
     tunnel mode gre multipoint
    
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.2.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R2#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host1 in Site1 **
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run | sec ^router
    router eigrp SPOKE-R2
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.1.0
      eigrp router-id 1.1.1.1
     exit-address-family
    
    R2#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.2.2
    
R3 (Spoke)
    R3#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 2 tunnel **
     ip address 10.0.0.3 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     tunnel source 172.16.3.1
     tunnel mode gre multipoint
    
    R3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.3.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host2 in Site2 **
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run | sec ^router
    router eigrp SPOKE-R3
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.2.0
      eigrp router-id 3.3.3.3
     exit-address-family
     
    R3#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.3.2
    
Host1#ping 192.168.2.2         
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/50/64 ms



Host1#trace 192.168.2.2 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 2 msec
  2 10.0.0.3 45 msec             « DMVPN tunnel IP address of Spoke R3, direct spoke-to-spoke tunnel
  3 192.168.2.2 46 msec
  



R2#show ip route eigrp | beg Ga
Gateway of last resort is 172.16.2.2 to network 0.0.0.0

D     192.168.2.0/24 [90/102405120] via 10.0.0.3, 00:26:54, Tunnel10

Another important aspect of DMVPN Phase 2 is that each Spoke router learns about all prefixes advertised by other Spoke routers. Specifically, each Spoke receives all the prefixes through EIGRP from the Hub. This will not be the case with DMVPN Phase 3, where NHRP interacts with the Spokes' RIB/FIB (routing table) and installs routes as necessary.

Phase 3 with EIGRP - configuration

This example topology uses DMVPN Phase 3 with named EIGRP. In DMVPN Phase 3 there is direct spoke-to-spoke communication as a result of NHRP Traffic Indication (redirect) messages, in addition to NHRP Resolution Request and Resolution Reply messages. This is shown in the following output from the Hub router.

Hub#show ip nhrp traffic
Tunnel10: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 30
         6 Resolution Request  0 Resolution Reply  0 Registration Request  
         12 Registration Reply  4 Purge Request  2 Purge Reply  
         0 Error Indication  6 Traffic Indication  0 Redirect Suppress  
   Rcvd: Total 24
         6 Resolution Request  0 Resolution Reply  12 Registration Request  
         0 Registration Reply  4 Purge Request  2 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress 
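
The three hub outputs of show ip nhrp traffic on this page differ only in which NHRP message types have non-zero counters, so the counters can be used to check that a hub behaves like the phase it was designed for. The following Python script is an added example, not part of the original tutorial; its function names and the phase1-like/phase2-like/phase3-like labels are assumptions made for illustration, and the sample text is copied from the outputs above.

```python
import re

# Hub outputs copied from the Phase 1, Phase 2 and Phase 3 sections of this page.
PHASE1 = """\
Tunnel10: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 45
         0 Resolution Request  0 Resolution Reply  0 Registration Request
         45 Registration Reply  0 Purge Request  0 Purge Reply
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress
   Rcvd: Total 45
         0 Resolution Request  0 Resolution Reply  45 Registration Request
         0 Registration Reply  0 Purge Request  0 Purge Reply
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress
"""
PHASE2 = """\
Tunnel10: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 13
         1 Resolution Request  0 Resolution Reply  0 Registration Request
         12 Registration Reply  0 Purge Request  0 Purge Reply
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress
   Rcvd: Total 13
         1 Resolution Request  0 Resolution Reply  12 Registration Request
         0 Registration Reply  0 Purge Request  0 Purge Reply
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress
"""
PHASE3 = """\
Tunnel10: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 30
         6 Resolution Request  0 Resolution Reply  0 Registration Request
         12 Registration Reply  4 Purge Request  2 Purge Reply
         0 Error Indication  6 Traffic Indication  0 Redirect Suppress
   Rcvd: Total 24
         6 Resolution Request  0 Resolution Reply  12 Registration Request
         0 Registration Reply  4 Purge Request  2 Purge Reply
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress
"""

COUNTER = re.compile(r"(\d+)\s+([A-Z][a-z]+ [A-Z][a-z]+)")

# Message types each phase does not use, as described in the text of this page.
NOT_USED = {
    1: ("Resolution Request", "Resolution Reply", "Traffic Indication"),
    2: ("Traffic Indication",),
    3: (),
}


def parse_nhrp_traffic(text):
    """Return {interface: {"sent": {name: count}, "rcvd": {name: count}}}."""
    result, iface, direction = {}, None, None
    for line in text.splitlines():
        m = re.match(r"(\S+): Max-send limit", line)
        if m:
            iface, direction = m.group(1), None
            result[iface] = {"sent": {}, "rcvd": {}}
            continue
        m = re.match(r"\s*(Sent|Rcvd): Total (\d+)", line)
        if m and iface:
            direction = m.group(1).lower()
            result[iface][direction]["Total"] = int(m.group(2))
            continue
        if iface and direction:
            for count, name in COUNTER.findall(line):
                result[iface][direction][name] = int(count)
    return result


def totals_consistent(counters):
    """True when the per-type counters add up to the reported Total."""
    return all(sum(v for k, v in d.items() if k != "Total") == d["Total"]
               for d in counters.values())


def observed_behaviour(counters):
    """Label the interface by the NHRP message types it has actually seen."""
    def both(name):
        return counters["sent"].get(name, 0) + counters["rcvd"].get(name, 0)
    if both("Traffic Indication"):
        return "phase3-like"
    if both("Resolution Request") or both("Resolution Reply"):
        return "phase2-like"
    return "phase1-like"


def unexpected_messages(counters, expected_phase):
    """Non-zero message types that the expected phase should not produce."""
    hits = []
    for name in NOT_USED[expected_phase]:
        total = counters["sent"].get(name, 0) + counters["rcvd"].get(name, 0)
        if total:
            hits.append((name, total))
    return hits


if __name__ == "__main__":
    for label, text in (("Phase 1", PHASE1), ("Phase 2", PHASE2), ("Phase 3", PHASE3)):
        for iface, counters in parse_nhrp_traffic(text).items():
            print(label, iface, observed_behaviour(counters), totals_consistent(counters))
```

The counters are cumulative, so a Phase 3 hub that has not yet redirected any spoke-to-spoke traffic reads as phase1-like; compare against a baseline for the hub rather than treating the label as proof of its configuration.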

As opposed to Phase 2, with DMVPN Phase 3 the Hub router can send just a single default route to the Spokes, and NHRP installs any further routes as necessary. This is shown in the following output.

R2#show ip route | beg Ga     
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

D*    0.0.0.0/0 [90/102400000] via 10.0.0.1, 00:15:28, Tunnel10           « Default route received from Hub through EIGRP
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.0.0/29 is directly connected, Tunnel10
L        10.0.0.2/32 is directly connected, Tunnel10
H        10.0.0.3/32 is directly connected, 00:15:05, Tunnel10            « Route installed by NHRP
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S        172.16.1.1/32 [1/0] via 172.16.2.2, GigabitEthernet0/0
C        172.16.2.0/30 is directly connected, GigabitEthernet0/0
L        172.16.2.1/32 is directly connected, GigabitEthernet0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1
L        192.168.1.1/32 is directly connected, GigabitEthernet0/1
H     192.168.2.0/24 [250/255] via 10.0.0.3, 00:15:05, Tunnel10           « Route installed by NHRP

If the Hub router advertises only an EIGRP default route to the Spokes, there is no need to disable split-horizon or next-hop-self on the Hub router. Both can stay enabled and will not interfere with DMVPN Phase 3 as long as only a default route is advertised by the Hub router.

Meanwhile, it is important to configure the ip nhrp shortcut command on the Spoke routers, and ip nhrp redirect on the Hub router.

DMVPN Phase 3 configuration with single hub router and two spoke routers using EIGRP named mode as the routing protocol

Configuration:

Hub
    Hub#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 tunnel **
     ip address 10.0.0.1 255.255.255.248
     no ip redirects
     ip nhrp authentication p4ssw0rd
     ip nhrp network-id 99
     ip nhrp redirect
     ip nhrp map multicast dynamic
     tunnel source 172.16.1.1
     tunnel mode gre multipoint
    
    Hub#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.1.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    Hub#show run | sec ^router
    router eigrp HUB
     !
     address-family ipv4 unicast autonomous-system 10
      !
      af-interface Tunnel10
       summary-address 0.0.0.0 0.0.0.0
      exit-af-interface
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      eigrp router-id 2.2.2.2
     exit-address-family
    
    
    Hub#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.1.2
    
R2 (Spoke)
    R2#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 tunnel **
     ip address 10.0.0.2 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     ip nhrp shortcut
     tunnel source 172.16.2.1
     tunnel mode gre multipoint
    
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.2.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R2#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host1 in Site1 **
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run | sec ^router
    router eigrp SPOKE-R2
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.1.0
      eigrp router-id 1.1.1.1
     exit-address-family
    
    R2#show run | sec ip route
    ip route 172.16.1.1 255.255.255.255 GigabitEthernet0/0 172.16.2.2
    
R3 (Spoke)
    R3#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 tunnel **
     ip address 10.0.0.3 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     ip nhrp shortcut
     tunnel source 172.16.3.1
     tunnel mode gre multipoint
    
    R3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.3.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host2 in Site2 **
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run | sec ^router
    router eigrp SPOKE-R3
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.2.0
      eigrp router-id 3.3.3.3
     exit-address-family
     
    R3#show run | sec ip route
    ip route 172.16.1.1 255.255.255.255 GigabitEthernet0/0 172.16.3.2
    
Host1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 89/90/91 ms



Host1#trace 192.168.2.2 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 1 msec
  2 10.0.0.3 88 msec              « DMVPN tunnel IP address of Spoke R3
  3 192.168.2.2 89 msec



R2#show ip route nhrp | beg Ga
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
H        10.0.0.3/32 is directly connected, 00:00:25, Tunnel10
H     192.168.2.0/24 [250/255] via 10.0.0.3, 00:00:25, Tunnel10



R2#show ip route 10.0.0.3
Routing entry for 10.0.0.3/32
  Known via "nhrp", distance 250, metric 255 (connected, via interface)               « NHRP has an Admin Distance of 250
  Tag 99
  Last update from 10.0.0.3 on Tunnel10, 00:00:34 ago
  Routing Descriptor Blocks:
  * 10.0.0.3, from 10.0.0.3, 00:00:34 ago, via Tunnel10
      Route metric is 255, traffic share count is 1
      Route tag 99                                           « NHRP network-ID is added as a Route Tag

Phase 3 with IPSec IKEv1

In this example DMVPN Phase 3 is configured with named EIGRP to connect two sites over an IPSec IKEv1 dynamic tunnel. Note that IPSec IKEv1 has been a deprecated technology standard since April 2023.

By default, DMVPN does not include encryption of data in transit, therefore IPSec is used to secure the data transmitted through the DMVPN tunnels. The following minimal IPSec IKEv1 configuration is applied to create a secure tunnel.

R2#show run | sec ^crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key p4ssw0rd address 0.0.0.0        
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes 
 mode transport
crypto ipsec profile CRYPTO-PROFILE
 set transform-set CRYPTO-TRANSFORM

The command tunnel protection ipsec profile CRYPTO-PROFILE is issued under the DMVPN tunnels to add the IPSec profile, and as a result encrypt the traffic transmitted through the DMVPN overlay network.

Configuring Phase 3 DMVPN with IPSec tunnel protection using IKEv1

Configuration:

Hub
    Hub#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 tunnel **
     ip address 10.0.0.1 255.255.255.248
     no ip redirects
     ip nhrp authentication p4ssw0rd
     ip nhrp network-id 99
     ip nhrp redirect
     ip nhrp map multicast dynamic
     tunnel source 172.16.1.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile CRYPTO-PROFILE
    
    Hub#show run | sec ^crypto
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key p4ssw0rd address 0.0.0.0        
    crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes 
     mode transport
    crypto ipsec profile CRYPTO-PROFILE
     set transform-set CRYPTO-TRANSFORM 
     
    Hub#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.1.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    Hub#show run | sec ^router
    router eigrp HUB
     !
     address-family ipv4 unicast autonomous-system 10
      !
      af-interface Tunnel10
       summary-address 0.0.0.0 0.0.0.0
      exit-af-interface
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      eigrp router-id 2.2.2.2
     exit-address-family
    
    
    Hub#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.1.2
    
R2 (Spoke)
    R2#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 tunnel **
     ip address 10.0.0.2 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     ip nhrp shortcut
     tunnel source 172.16.2.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile CRYPTO-PROFILE
     
    R2#show run | sec ^crypto
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key p4ssw0rd address 0.0.0.0        
    crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes 
     mode transport
    crypto ipsec profile CRYPTO-PROFILE
     set transform-set CRYPTO-TRANSFORM 
    
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.2.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R2#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host1 in Site1 **
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run | sec ^router
    router eigrp SPOKE-R2
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.1.0
      eigrp router-id 1.1.1.1
     exit-address-family
    
    R2#show run | sec ip route
    ip route 172.16.1.1 255.255.255.255 GigabitEthernet0/0 172.16.2.2
    
R3 (Spoke)
    R3#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 tunnel **
     ip address 10.0.0.3 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     ip nhrp shortcut
     tunnel source 172.16.3.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile CRYPTO-PROFILE
    
    R3#show run | sec ^crypto
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key p4ssw0rd address 0.0.0.0        
    crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes 
     mode transport
    crypto ipsec profile CRYPTO-PROFILE
     set transform-set CRYPTO-TRANSFORM 
     
    R3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.3.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host2 in Site2 **
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run | sec ^router
    router eigrp SPOKE-R3
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.2.0
      eigrp router-id 3.3.3.3
     exit-address-family
     
    R3#show run | sec ip route
    ip route 172.16.1.1 255.255.255.255 GigabitEthernet0/0 172.16.3.2
    
Host1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 93/94/98 ms



R2#show crypto session br
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating 
        K - No IKE
ivrf = (none)
Peer            I/F          Username        Group/Phase1_id          Uptime   Status
172.16.3.1      Tu10                         172.16.3.1               00:00:16 UA      « Spoke-to-spoke IPSec tunnel established
172.16.3.1      Tu10                         172.16.3.1               00:00:16 UA   
172.16.1.1      Tu10                         172.16.1.1               00:12:11 UA  



R2#show crypto session
Crypto session current status

Interface: Tunnel10
Profile: CRYPTO-IKEV2-PROFILE
Session status: UP-ACTIVE     
Peer: 172.16.3.1 port 500 
  Session ID: 0  
  IKEv1 SA: local 172.16.2.1/500 remote 172.16.3.1/500 Active             « IKEv1 Security Association is active
  Session ID: 0  
  IKEv1 SA: local 172.16.2.1/500 remote 172.16.3.1/500 Active 
  Session ID: 13  
  IKEv2 SA: local 172.16.2.1/500 remote 172.16.3.1/500 Inactive 
  IPSEC FLOW: permit 47 host 172.16.2.1 host 172.16.3.1 
        Active SAs: 8, origin: crypto map

Interface: Tunnel10
Session status: UP-ACTIVE     
Peer: 172.16.1.1 port 500 
  Session ID: 0  
  IKEv1 SA: local 172.16.2.1/500 remote 172.16.1.1/500 Active 
  Session ID: 0  
  IKEv1 SA: local 172.16.2.1/500 remote 172.16.1.1/500 Inactive 
  IPSEC FLOW: permit 47 host 172.16.2.1 host 172.16.1.1 
        Active SAs: 2, origin: crypto map



R2#show ip route nhrp | beg Ga
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
H        10.0.0.3/32 is directly connected, 00:00:31, Tunnel10
H     192.168.2.0/24 [250/255] via 10.0.0.3, 00:00:31, Tunnel10

Phase 3 with IPSec IKEv2

In this example DMVPN Phase 3 is configured with named EIGRP to connect two sites over IPSec IKEv2. IPSec IKEv2 provides improvements in security when compared to IKEv1. The following IPSec IKEv2 configuration is created on Spoke router R2.

R2#show run | sec ^crypto
crypto ikev2 proposal CRYPTO-PROPOSAL 
 encryption aes-cbc-256
 integrity sha256
 group 1
crypto ikev2 policy CRYPTO-POLICY 
 match address local 172.16.2.1
 proposal CRYPTO-PROPOSAL
crypto ikev2 keyring CRYPTO-KEYRING
 peer KEY-PEER
  address 0.0.0.0 0.0.0.0
  pre-shared-key p4ssw0rd
 !
crypto ikev2 profile CRYPTO-IKEV2-PROFILE
 match identity remote address 0.0.0.0 
 authentication remote pre-share
 authentication local pre-share
 keyring local CRYPTO-KEYRING
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes 
 mode transport
crypto ipsec profile CRYPTO-IPSEC-PROFILE
 set transform-set CRYPTO-TRANSFORM 
 set ikev2-profile CRYPTO-IKEV2-PROFILE

The command tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE is issued under the DMVPN tunnel interfaces to apply the IPSec profile and, as a result, encrypt the traffic transmitted through the DMVPN overlay network.

IPsec IKEv2 is configured with DMVPN Phase 3 to secure traffic in transit within the tunnels
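
The R2 crypto configuration above negotiates Diffie-Hellman group 1, accepts one pre-shared key from any peer address, and uses a transform set with no integrity transform. The following Python check is an added example, not part of the original tutorial; the function names and the set of groups treated as weak (1, 2 and 5, following RFC 8247) are assumptions of this example.

```python
# Excerpt of R2's crypto section as shown on this page.
CONFIG = """\
crypto ikev2 proposal CRYPTO-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 1
crypto ikev2 keyring CRYPTO-KEYRING
 peer KEY-PEER
  address 0.0.0.0 0.0.0.0
  pre-shared-key p4ssw0rd
 !
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes
 mode transport
"""

WEAK_DH_GROUPS = {"1", "2", "5"}  # assumption: RFC 8247 MUST NOT / SHOULD NOT groups

def sections(config):
    """Yield (header, body_lines) for each top-level IOS config section."""
    header, body = None, []
    for line in config.splitlines():
        if line and not line[0].isspace():
            if header:
                yield header, body
            header, body = line.strip(), []
        elif line.strip() not in ("", "!"):
            body.append(line.strip())
    if header:
        yield header, body

def audit(config):
    """Return one finding per weak IKEv2/IPsec setting in the config text."""
    findings = []
    for header, body in sections(config):
        if header.startswith("crypto ikev2 proposal"):
            for line in body:
                if line.startswith("group "):
                    weak = [g for g in line.split()[1:] if g in WEAK_DH_GROUPS]
                    findings += [f"{header}: weak DH group {g}" for g in weak]
        elif header.startswith("crypto ikev2 keyring"):
            if "address 0.0.0.0 0.0.0.0" in body:
                findings.append(f"{header}: one pre-shared key for any peer address")
        elif header.startswith("crypto ipsec transform-set"):
            transforms = header.split()[4:]  # tokens after the transform-set name
            if not any(t.startswith("esp-gcm") or t.endswith("-hmac") for t in transforms):
                findings.append(f"{header}: no ESP integrity transform")
    return findings
```

Running `audit(CONFIG)` returns three findings for the excerpt; a configuration with a stronger group, per-peer keyring addresses and an authenticated transform returns none.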

Configuration:

Hub
    Hub#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 tunnel **
     ip address 10.0.0.1 255.255.255.248
     no ip redirects
     ip nhrp authentication p4ssw0rd
     ip nhrp network-id 99
     ip nhrp redirect
     ip nhrp map multicast dynamic
     tunnel source 172.16.1.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
    
    Hub#show run | sec ^crypto
    crypto ikev2 proposal CRYPTO-PROPOSAL 
     encryption aes-cbc-256
     integrity sha256
     group 1
    crypto ikev2 policy CRYPTO-POLICY 
     match address local 172.16.1.1
     proposal CRYPTO-PROPOSAL
    crypto ikev2 keyring CRYPTO-KEYRING
     peer KEY-PEER
      address 0.0.0.0 0.0.0.0
      pre-shared-key p4ssw0rd
     !
    crypto ikev2 profile CRYPTO-IKEV2-PROFILE
     match identity remote address 0.0.0.0 
     authentication remote pre-share
     authentication local pre-share
     keyring local CRYPTO-KEYRING
    crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes 
     mode transport
    crypto ipsec profile CRYPTO-IPSEC-PROFILE
     set transform-set CRYPTO-TRANSFORM 
     set ikev2-profile CRYPTO-IKEV2-PROFILE
     
    Hub#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.1.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    Hub#show run | sec ^router
    router eigrp HUB
     !
     address-family ipv4 unicast autonomous-system 10
      !
      af-interface Tunnel10
       summary-address 0.0.0.0 0.0.0.0
      exit-af-interface
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      eigrp router-id 1.1.1.1
     exit-address-family
    
    
    Hub#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.1.2
    
R2 (Spoke)
    R2#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 tunnel **
     ip address 10.0.0.2 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     ip nhrp shortcut
     tunnel source 172.16.2.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
     
    R2#show run | sec ^crypto
    crypto ikev2 proposal CRYPTO-PROPOSAL 
     encryption aes-cbc-256
     integrity sha256
     group 1
    crypto ikev2 policy CRYPTO-POLICY 
     match address local 172.16.2.1
     proposal CRYPTO-PROPOSAL
    crypto ikev2 keyring CRYPTO-KEYRING
     peer KEY-PEER
      address 0.0.0.0 0.0.0.0
      pre-shared-key p4ssw0rd
     !
    crypto ikev2 profile CRYPTO-IKEV2-PROFILE
     match identity remote address 0.0.0.0 
     authentication remote pre-share
     authentication local pre-share
     keyring local CRYPTO-KEYRING
    crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes 
     mode transport
    crypto ipsec profile CRYPTO-IPSEC-PROFILE
     set transform-set CRYPTO-TRANSFORM 
     set ikev2-profile CRYPTO-IKEV2-PROFILE
    
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.2.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R2#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host1 in Site1 **
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run | sec ^router
    router eigrp SPOKE-R2
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.1.0
      eigrp router-id 2.2.2.2
     exit-address-family
    
    R2#show run | sec ip route
    ip route 172.16.1.1 255.255.255.255 GigabitEthernet0/0 172.16.2.2
    
R3 (Spoke)
    R3#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 tunnel **
     ip address 10.0.0.3 255.255.255.248
     ip nhrp authentication p4ssw0rd
     ip nhrp map 10.0.0.1 172.16.1.1
     ip nhrp map multicast 172.16.1.1
     ip nhrp network-id 99
     ip nhrp nhs 10.0.0.1
     ip nhrp shortcut
     tunnel source 172.16.3.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
    
    R3#show run | sec ^crypto
    crypto ikev2 proposal CRYPTO-PROPOSAL 
     encryption aes-cbc-256
     integrity sha256
     group 1
    crypto ikev2 policy CRYPTO-POLICY 
     match address local 172.16.3.1
     proposal CRYPTO-PROPOSAL
    crypto ikev2 keyring CRYPTO-KEYRING
     peer KEY-PEER
      address 0.0.0.0 0.0.0.0
      pre-shared-key p4ssw0rd
     !
    crypto ikev2 profile CRYPTO-IKEV2-PROFILE
     match identity remote address 0.0.0.0 
     authentication remote pre-share
     authentication local pre-share
     keyring local CRYPTO-KEYRING
    crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes 
     mode transport
    crypto ipsec profile CRYPTO-IPSEC-PROFILE
     set transform-set CRYPTO-TRANSFORM 
     set ikev2-profile CRYPTO-IKEV2-PROFILE
     
    R3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** internet transport link  **
     ip address 172.16.3.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
     
    R3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Host2 in Site2 **
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run | sec ^router
    router eigrp SPOKE-R3
     !
     address-family ipv4 unicast autonomous-system 10
      !
      topology base
      exit-af-topology
      network 10.0.0.0 0.0.0.7
      network 192.168.2.0
      eigrp router-id 3.3.3.3
     exit-address-family
     
    R3#show run | sec ip route
    ip route 172.16.1.1 255.255.255.255 GigabitEthernet0/0 172.16.3.2
    
Host1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/99/112 ms



R2#show crypto session br
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating 
        K - No IKE
ivrf = (none)
Peer            I/F          Username        Group/Phase1_id          Uptime   Status
172.16.3.1      Tu10                         172.16.3.1               00:00:27 UA        « Spoke-to-spoke IPSec tunnel established
172.16.1.1      Tu10                         172.16.1.1               00:15:05 UA   
172.16.1.1      Tu10                         172.16.1.1               00:14:18 UA 



R2#show crypto session
Crypto session current status

Interface: Tunnel10
Profile: CRYPTO-IKEV2-PROFILE
Session status: UP-ACTIVE     
Peer: 172.16.3.1 port 500 
  Session ID: 11  
  IKEv2 SA: local 172.16.2.1/500 remote 172.16.3.1/500 Active        « IKEv2 Security Association
  IPSEC FLOW: permit 47 host 172.16.2.1 host 172.16.3.1 
        Active SAs: 2, origin: crypto map

Interface: Tunnel10
Profile: CRYPTO-IKEV2-PROFILE
Session status: UP-ACTIVE     
Peer: 172.16.1.1 port 500 
  Session ID: 9  
  IKEv2 SA: local 172.16.2.1/500 remote 172.16.1.1/500 Active 
  Session ID: 8  
  IKEv2 SA: local 172.16.2.1/500 remote 172.16.1.1/500 Active 
  IPSEC FLOW: permit 47 host 172.16.2.1 host 172.16.1.1 
        Active SAs: 4, origin: crypto map




R2#show ip route nhrp | beg Ga
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
H        10.0.0.3/32 is directly connected, 00:00:15, Tunnel10
H     192.168.2.0/24 [250/255] via 10.0.0.3, 00:00:15, Tunnel10
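
The two `show crypto session` outputs on this page differ in which IKE version holds the active SA for each peer. The following Python check, an added example that is not part of the original tutorial, parses that output and lists peers whose active IKE SAs are not IKEv2 only; the function names are assumptions of this example and the sample text is excerpted from the outputs above.

```python
import re

# Excerpts of R2's "show crypto session" output from this page:
# the first from the IKEv1 example, the second from the IKEv2 example.
IKEV1_OUTPUT = """\
Interface: Tunnel10
Profile: CRYPTO-IKEV2-PROFILE
Session status: UP-ACTIVE
Peer: 172.16.3.1 port 500
  Session ID: 0
  IKEv1 SA: local 172.16.2.1/500 remote 172.16.3.1/500 Active
  Session ID: 13
  IKEv2 SA: local 172.16.2.1/500 remote 172.16.3.1/500 Inactive
  IPSEC FLOW: permit 47 host 172.16.2.1 host 172.16.3.1
        Active SAs: 8, origin: crypto map
"""
IKEV2_OUTPUT = """\
Interface: Tunnel10
Profile: CRYPTO-IKEV2-PROFILE
Session status: UP-ACTIVE
Peer: 172.16.3.1 port 500
  Session ID: 11
  IKEv2 SA: local 172.16.2.1/500 remote 172.16.3.1/500 Active
  IPSEC FLOW: permit 47 host 172.16.2.1 host 172.16.3.1
        Active SAs: 2, origin: crypto map
"""

SA_RE = re.compile(r"IKEv([12]) SA: local \S+ remote (\S+?)/\d+ (Active|Inactive)")

def active_ike_versions(output):
    """Map each peer address to the set of IKE versions with an Active SA."""
    peers = {}
    for line in output.splitlines():
        m = SA_RE.search(line)
        if m:
            version, peer, state = m.groups()
            peers.setdefault(peer, set())
            if state == "Active":
                peers[peer].add(int(version))
    return peers

def peers_not_on_ikev2_only(output):
    """Peers whose active IKE SAs are anything other than IKEv2 alone."""
    return sorted(p for p, v in active_ike_versions(output).items() if v != {2})
```

A peer listed by `peers_not_on_ikev2_only` either still has an active IKEv1 SA or has no active IKE SA at all.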

DMVPN network design introduction

The following table includes some considerations when examining design requirements for a DMVPN deployment.

DMVPN design considerations
Topic Description

Hub redundancy

In a dual hub single cloud design, a spoke router has one DMVPN tunnel interface configured, and communicates with the hub routers on a single DMVPN overlay subnet. In a dual hub dual cloud design, a spoke router has two tunnel interfaces configured, and communicates with the hub routers on two separate overlay subnets.

Underlay/transport network

DMVPN is an overlay technology that relies on the services provided by an underlay or transport network. The transport network is very often the public internet. Certain considerations may be necessary regarding multihoming of internet providers, whether to choose a single or different ISPs, whether the spoke and hub routers have dynamic or static IP addresses, whether Network Address Translation (NAT) is involved, and which access technology to use (3G/4G, xDSL, fiber). Also, if a spoke router has one DMVPN tunnel interface but two WAN physical interfaces (transport multihoming ISPs), then the tunnel source could be a Loopback IP address on the spoke router which is advertised to the underlay/transport ISP network.

Routing protocols

Decisions may be influenced by a preference for already deployed protocols, scalability requirements, the possibility of route summarization, advertisement of internal or external routes due to redistribution, CPU usage due to routing protocol updates and convergence, limiting factors of multicast in large deployments, or the use of stub networks.

Security and IPsec

A central use case of DMVPN is to provide a secure overlay network across a public transport network. Therefore, most DMVPN deployments include IPSec to authenticate and encrypt data traffic. Certain DMVPN deployments have a dedicated encryption device deployed at the hub site which terminates the IPSec tunnels (dual tier headend architecture). This adds complexity to the deployment. Additionally, use of digital certificates for improved and scalable authentication (PKI-based DMVPN), and use of IKEv1 (deprecated as of 2023) or IKEv2 are also topics to consider.

Size and segmentation

DMVPN can scale to very large inter-regional networks; this is where a hierarchical DMVPN solution can provide benefits. A hierarchical DMVPN adds an extra layer of complexity due to multiple levels of hub routers (central DMVPN cloud, regional DMVPN clouds). Also, DMVPN can be deployed together with MPLS (also called 2547 over DMVPN, or MPLSoDMVPN) to improve segmentation of connected branch networks.

Quality of Service (QoS)

Even though there are no traffic optimization guarantees on the internet, DMVPN per-tunnel QoS can be deployed to optimize certain aspects of connectivity, for example to prioritize delay-sensitive traffic during network congestion (VoIP calls with IP DSCP class 46 Expedited Forwarding).

Bonus topic: show run commands missing

Issuing the show run int Tu10 | sec int command on a DMVPN router may not display the ip nhrp shortcut command even though it is already configured.

Also, the ip nhrp map multicast dynamic command may not appear. An example of this behavior is seen below; it may be specific to certain IOS versions.

Router#show run int Tu10 | sec int
interface Tunnel10
 description ** DMVPN Phase 3 tunnel **
 ip address 10.0.0.2 255.255.255.248
 no ip redirects
 ip nhrp authentication p4ssw0rd
 ip nhrp map 10.0.0.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 tunnel source 172.16.2.1
 tunnel mode gre multipoint

The show run all command provides more details about the DMVPN configuration added to an interface. Many of these are default settings that are preconfigured and present on a router before you start configuring DMVPN.

Router#show run all | i interface Tunnel10|ip nhrp
interface Tunnel10
 ip nhrp authentication p4ssw0rd
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.1 172.16.1.1 preference 255
 ip nhrp map multicast 172.16.1.1
 ip nhrp network-id 99
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1 priority 0 cluster 0
 ip nhrp record
 ip nhrp max-send 10000 every 10
 ip nhrp multicast batch-size 250 batch-interval 10
 ip nhrp use 1
 ip nhrp send-routed
 ip nhrp registration no-unique
 ip nhrp registration timeout 200
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect timeout 8
 ip nhrp path preference 255


