Describe DMVPN (single hub)
Exam: Cisco 300-101 - CCNP Implementing Cisco IP Routing (ROUTE v2.0)
Overview
Cisco Dynamic Multipoint VPN (DMVPN) is a dynamic tunneling technology that enables you to construct IPsec virtual private networks. DMVPN provides a centralized network management that allows communication between multiple branch offices over the Internet or a private service provider network.
Major Components of DMVPN are:
- Next Hop Resolution Protocol (NHRP) - Creates a distributed (NHRP) mapping database of all the spoke tunnels to real (public interface) addresses
- Multipoint GRE Tunnel Interface - One GRE interface that supports multiple GRE and IPsec tunnels and simplifies configuration
You can build a simple, hub-and-spoke DMVPN model by performing static configuration of hubs on the spokes. You can use this network to dynamically configure tunnels between spokes. The configured IPsec tunnels from spokes will be linked with hub (central site). DMVPN addresses many network problems using the IPSec, NHRP, and GRE technologies. A dynamic routing protocol such as EIGRP or OSPF can be used for efficient and dynamic routing in the network. You can also configure additional hub routers to provide high availability and load balancing.
Some of the popular DMPVPN models are:
- Hub-and-spoke—This basic DMVPN model facilitates Spoke-to-spoke traffic through a single hub.
- Spoke-to-spoke—This model enables spoke-to-spoke tunnels that are dynamic in nature.
Some of the benefits of DMVPN are:
- Hubs can be configured with static NAT and spokes with dynamic NAT
- Supports dynamic addressing of spoke routers
- Additional, new spoke routers don’t require any configuration
- Supports IPSec, NHRP, and GRE tunnels
- Simple hub and spoke deployment can provide full-mesh connectivity
- Supports Unicast, Multicast, and dynamic routing protocols
- Deployments can be with or without IPsec encryption
- Supports partial- or full-mesh VPNs
Configuring DMVPN
Consider this example DMVPN network that connects the company headquarters (HQ) network to its BranchX and BranchY networks. The HQ router is the hub router and the BranchX and BranchY are spoke routers. The network topology details are as given in the table below:
| Router | Characteristic | Internal Network and Interface | Tunnel and Interface | Public IP |
| HQ (Headquarters) | Hub | 192.168.10.10/24 – Fa0/1 | Tunnel 25 – 10.1.2.3 – Fa0/2 | 1.2.3.4 |
| BranchX | Spoke | 192.168.20.20/24 – Fa0/1 | Tunnel 25 – 10.1.2.4 – Fa0/2 | 2.3.4.5 |
| BranchY | Spoke | 192.168.30.30/24 – Fa0/1 | Tunnel 25 – 10.1.2.5 – Fa0/2 | 3.4.5.6 |
To configure GRE multipoint, perform these steps on the HQ, BranchX and Branch Y routers:
1. Configure the HQ (Hub) router:
HQ(config)# interface Fa0/1
HQ(config-if)# ip address 192.168.10.10 255.255.255.0
HQ(config-if)# interface Fa0/2
HQ(config-if)# ip address 1.2.3.4 255.255.255.0
HQ(config-if)# interface tunnel 25
HQ(config-if)# ip address 10.1.2.3 255.255.255.0
HQ(config-if)# ip nhrp authentication secure
HQ(config-if)# ip nhrp map multicast dynamic
HQ(config-if)# ip nhrp network-id 5
HQ(config-if)# tunnel mode gre multipoint
HQ(config-if)# tunnel source 1.2.3.4
NHRP is a network protocol that helps the sending hosts to identify direct routes to the destination hosts. To enable secured NHRP communication, use the ip nhrp authentication command. In the above example, we have used “secure” as the NHRP authentication password. Use the ip nhrp map multicast dynamic command to enable multicast traffic flow when dynamic routing protocols like OSPF or EIGRP is used in the network. You need to configure a unique network ID for each DMVPN deployment using the ip nhrp network-id command. To define the tunnel as a multipoint GRE tunnel, use the tunnel mode gre multipoint command. The tunnel source can be the IP address defined for the exit interface or the exit interface itself.
2. Configure the Branch1 (spoke) router:
BranchX(config)# interface Fa0/1
BranchX(config-if)# ip address 192.168.20.20 255.255.255.0
BranchX(config-if)# interface Fa0/2
BranchX(config-if)# ip address 2.3.4.5 255.255.255.0
BranchX(config-if)# interface tunnel 25
BranchX(config-if)# ip address 10.1.2.4 255.255.255.0
BranchX(config-if)# ip nhrp authentication secure
BranchX(config-if)# ip nhrp map multicast dynamic
BranchX(config-if)# ip nhrp map 10.1.2.3 1.2.3.4
BranchX(config-if)# ip nhrp map multicast 1.2.3.4
BranchX(config-if)# ip nhrp network-id 5
BranchX(config-if)# ip nhrp nhs 10.1.2.3
BranchX(config-if)# tunnel mode gre multipoint
BranchX(config-if)# tunnel source Fa0/2
The ip hnrp nhs command directs the Branch (spoke) routers to the next hop server, which is the tunnel IP address of the HQ (Hub) router as per this example.
3. Configure the Branch2 (spoke) router:
BranchY(config)# interface Fa0/1
BranchY(config-if)# ip address 192.168.30.30 255.255.255.0
BranchY(config-if)# interface Fa0/2
BranchY(config-if)# ip address 3.4.5.6 255.255.255.0
BranchY(config-if)# interface tunnel 25
BranchY(config-if)# ip address 10.1.2.5 255.255.255.0
BranchY(config-if)# ip nhrp authentication secure
BranchY(config-if)# ip nhrp map multicast dynamic
BranchY(config-if)# ip nhrp map 10.1.2.3 1.2.3.4
BranchY(config-if)# ip nhrp map multicast 1.2.3.4
BranchY(config-if)# ip nhrp network-id 5
BranchY(config-if)# ip nhrp nhs 10.1.2.3
BranchY(config-if)# tunnel mode gre multipoint
BranchY(config-if)# tunnel source Fa0/2
4. Verify the DMVPN configuration on the HQ (Hub) router using the show dmvpn command:
HQ# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel25, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- ---------------------- --------------- ----- -------- -----
1 2.3.4.5 10.1.2.4 UP 00:03:28 D
1 3.3.3.10 10.1.2.5 UP 00:03:56 D
5. Verify the DMVPN configuration on the BranchX and BranchY (spokes) routers using the show dmvpn command:
BranchX# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel25, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- ---------------------- --------------- ----- -------- -----
1 1.2.3.4 10.1.2.3 UP 00:03:28 D
BranchY# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel25, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- ---------------------- --------------- ----- -------- -----
1 1.2.3.4 10.1.2.3 UP 00:04:02 D
Perform this configuration on the HQ, BranchX and BranchY routers to encrypt DMVPN Tunnels with IPSec:
crypto isakmp policy 30
encryption aes
hash md5
authentication pre-share
group 10
lifetime 90000
crypto isakmp key SECURE address 0.0.0.0
crypto ipsec transform-set TRANSET esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set security-association lifetime seconds 90000
set transform-set TRANSET
interface Tunnel 25
tunnel protection ipsec profile DMVPN
Use the show crypto session command to verify IPSec encryption over the DMVPN tunnels.
Perform this configuration on the HQ, BranchX and BranchY routers, to enable routing between the DMVPN tunnels:
Note: You can use Static routing or Dynamic routing depending on your requirements. This example shows static routing configuration between the tunnels.
HQ(config)# ip route 192.168.20.0 255.255.255.0 10.1.2.4
HQ(config)# ip route 192.168.30.0 255.255.255.0 10.1.2.5
BranchX(config)# ip route 192.168.10.0 255.255.255.0 10.1.2.3
BranchX(config)# ip route 192.168.30.0 255.255.255.0 10.1.2.5
BranchY(config)# ip route 192.168.10.0 255.255.255.0 10.1.2.3
BranchY(config)# ip route 192.168.20.0 255.255.255.0 10.1.2.4
Use the show ip route command on the routers to verify routing configuration. You can also ping the end hosts to verify connectivity.
Exam Question
Which of the following is not a characteristic of DMVPN tunnels?
- Supports dynamic addressing of spoke routers
- Simple hub and spoke deployment can provide full-mesh connectivity
- Additional, new spoke routers don’t require any configuration
- IPsec encryption is mandatory for all the DMVPN deployments
Answer: 4
Explanation: Configuration of DMVPN tunnels over IPSec is optional. IPSec encryption provides security to the tunnels, but is not mandatory for all the deployments.
Related IT Guides
- Configure and verify default routing
- Configure and verify IPv4 and IPv6 DHCP
- Configure and Verify network types, area types, and router types
- Configure and Verify RIPv2
- Configure and verify static routing
- Describe administrative distance
- Describe device security using IOS AAA with TACACS+ and RADIUS
- Describe IPv6 NAT
- Describe, configure, and verify BGP peer relationships and authentication
- Explain BGP attributes and best-path selection
- Explain Frame Relay
- Explain general network challenges
- Layer 3 technologies - Describe administrative distance
- Use Cisco IOS troubleshooting tools