DMVPN Tidbit

In this tidbit I want to cover an overview & general understanding of DMVPN (Dynamic Multipoint Virtual Private Network). Plain & simple, DMVPN is a VPN technology used to connect several sites/branches/customers. The topology consists of one or more hubs & the spokes that connect to them.

The DMVPN core components include:

  • GRE

  • IGP route protocol

  • NHRP

  • IPsec

With DMVPN there are 3 "phases". An overview of the phases is as follows:

  • Phase 1: Phase 1 introduces the hub-and-spoke tunnel deployment. Every spoke has a statically configured GRE tunnel to the hub, which means all spoke-to-spoke traffic flows through the hub (not ideal). With phase 1 there are no dynamic tunnels.

  • Phase 2: In phase 2 the major configuration changes are made on the spokes. Instead of a single static GRE tunnel interface to the hub, the spoke's tunnel interface uses mGRE (multipoint GRE). This allows the spokes to spin up dynamic spoke-to-spoke tunnels (more ideal), alleviating the bandwidth or latency concerns caused by all traffic traversing the hub in phase 1. The downside of phase 2 is that every spoke must receive specific routes for all remote spoke subnets. NHRP plays a crucial role here, since it is how a spoke resolves a remote spoke's tunnel address to its underlying NBMA (public) address before building the direct tunnel.

  • Phase 3: With phase 3 spokes can build dynamic spoke-to-spoke tunnels using NHRP traffic indication messages from the hub, which essentially tell the originating spoke that a better path exists to reach the destination. The major configuration changes here are enabling NHRP redirect (#ip nhrp redirect) on the hub AND NHRP shortcut on the spokes (#ip nhrp shortcut). The redirect command tells the hub to send NHRP traffic indication messages, & the shortcut command tells the spokes to accept the redirects and install the shortcut route.

Stay tuned for more DMVPN posts to come. Cheers!

