dmvpn_concept

Published

November 22, 2023

DMVPN Concept

Dynamic Multipoint VPN (DMVPN) feature combines GRE tunnels, IPsec encryption, and NHRP routing.
Source cisco.com Three phase exist and each of them add functionnality to the last phase. Similar to version.

DMVPN Phase 1

Designed for Hub and Spoke communications only.
- Spokes talk to each other through the hub.

DMVPN Phase 2

  • Spoke to Spoke communications are now working since they are using mGRE tunnel.
    mGRE everywhere.
    Next-hop point to spoke instead of hub.

DMVPN Phase 3

  • Ability to add explicit route summarization(large deployment,Send summary route instead of thousand of spoke route)
  • Support multi-tiers design
  • Hub can now redirect flow.Tell the spoke about a better path via nhrp
  • Spoke can now use shortcut: NHRP is allowed to overwrite CEF.

DMVPN HUB Configuration Phase 1 No IPSEC

Production environment use VRF.This configuration doesn’t include them.

interface GigabitEthernet0/0
 ip address 1.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.15.1 255.255.255.252
 
ip route 0.0.0.0 0.0.0.0 1.10.10.2


 #Required
interface Tunnel100
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 134
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 
#Required Routing
 router eigrp dmvpnlab
 address-family ipv4 unicast autonomous-system 100
  topology base
  exit-af-topology
  network 10.0.0.0 0.0.0.255
  network 192.168.15.0 0.0.0.3
  af-interface tunnel 100
  no split-horizon
 exit-address-family
 

 #Optionnal
 ip mtu 1400
 ip nhrp authentication MYpass1
 tunnel key 7777

DMVPN Spoke1 Configuration Phase 1

interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0

interface GigabitEthernet0/1
 ip address 192.168.101.1 255.255.255.0
 
ip route 0.0.0.0 0.0.0.0 1.1.1.2

interface Tunnel100
 #Required
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map 10.0.0.1 1.10.10.1
 ip nhrp map multicast 1.10.10.1
 ip nhrp network-id 134
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel destination 1.10.10.1
 
#Required Routing
 router eigrp dmvpnlab
 address-family ipv4 unicast autonomous-system 100
  topology base
  exit-af-topology
  network 10.0.0.0 0.0.0.255
  network 192.168.101.0 0.0.0.255
 exit-address-family
 
 interface Tunnel100
 no ip split-horizon eigrp 100
 
 #Optionnal
 ip mtu 1400
 ip nhrp authentication MYpass1
 tunnel key 7777

DMVPN HUB/SPOKE Configuration Phase 1 IPSEC

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0        
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec profile IP1
 set transform-set SET1 

interface tunnel 100
tunnel protection ipsec profile IP1

DMVPN HUB Configuration Phase 2

#Same has phase 1 add the following
interface tunnel 100
 no ip next-hop-self eigrp 1

DMVPN Spoke1 Configuration Phase 2

#Same has phase 1 add the following
 tunnel mode gre multipoint

DMVPN HUB Configuration Phase 3

#Same has phase 1+2 add the following
 ip nhrp redirect

DMVPN Spoke1 Configuration Phase 3

#Same has phase 1+2 add the following
 ip nhrp shortcut

DMVPN Lab


EVE-NG Typologies without DMVPN configuration, basic connectivity done.
dmvpn-lab-01_clean.zip