Overview

DMVPN (Dynamic Multipoint Virtual Private Network) is a Cisco technology for building scalable, secure VPN networks, allowing remote sites to connect easily over the internet by dynamically creating tunnels, especially spoke-to-spoke, without needing static configurations for every link, using mGRE, NHRP, and IPsec for efficiency and security, reducing latency and costs compared to traditional methods

Why Use DMVPN

1. Independent of SP access method
   • only requirement IP connectivity
2. Routing policy is not dedicated by SP
   • Eg. MPLS L3VPN restrictions
3. Highly scalable if properly design.

How DMVPN works

1. DMVPN allow on-demand full mesh IPsec Tunnel with minimal configuration trough usage of
   1. mGRE
   2. NHRP
   3. IPsec Crypto Profile
   4. Routing
2. Reduce need for n*(n-1)/2 static tunnel configurations
   1. uses one mGRE interface for all connections
   2. tunnel are created on-demand between nodes
   3. encryption is optional
3. Create on-demand tunnel between node
   1. initial tunnel is hub-spoke
   2. traffic pattern triggers spoke-spoke tunnels
   3. solve management scalability problem
4. maintain tunnel based on traffic patterns
   1. spoke-spoke is on demand (will reduce resource in spoke router for crypto process)
   2. spoke-spoke tunnel lifetime is based on traffic
5. Require two IGP: Underlay and Overlay
   1. IPv4/IPv6 supported for both transport

How DMVPN work – Hub to Spoke

1. Two main components
   • DMVPN hub / NHRP server (NHS)
   • DmVPN spokes / NHRP clients (NHC)
2. Spoke/Clients register with hub/Server
   • spoke manually specificy address for hub
   • sent via NHRP request
   • Hub dynamically learn spoke address and NBMA address
3. spokes establish tunnel to hub
   1. exchange information IGP over the tunnel

How DMVPN work – Spoke to spoke

1. Spoke knows Spoke2’s routes via IGP
   • Learned via tunnel to Hub
   • Next-hop is Spoke2’s VPN IP for DMVPN Phase2
   • Next-hop is Hub’s VPN IP for DMVPN Phase3
2. Spoke1 asks for Spoke2’s real address
   • Maps next-hop (VPN) IP to tunnel source (NBMA) IP
   • Sent via NHRP Resolution Request
3. Spoke to Spoke tunnel is formed
   • Hub only used for control plane exchange
   • Spoke-to-spoke data plane may flow through hub initially

DMVPN Phases

Lab Scenario

Topology and Labs Goals

• Tunnel IP address 177.0.0.0/24.
• Each branch has private address and need to connect via DMVPN.
• configuring IGP EIGRP and OSPF as overlay routing.
• Compare the difference between DMVPN Phase 2 and Phase 3.

Configuration

Hub Router

interface Tunnel0
 ip address 177.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication mydmvpn
 ip nhrp network-id 100
 ip nhrp holdtime 100
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/2
 tunnel mode gre multipoint
 tunnel key 100000
# IGP for overlay routing
router eigrp 1
 network 177.0.0.0 0.0.0.255

Spoke Branch A

interface Tunnel0
 ip address 177.0.0.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication mydmvpn
 ip nhrp map 177.0.0.1 100.0.0.1
 ip nhrp map multicast 100.0.0.1
 ip nhrp network-id 100
 ip nhrp nhs 177.0.0.1
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
router eigrp 1
 network 172.16.0.0
 network 177.0.0.0 0.0.0.255

Spoke Branch B

interface Tunnel0
 ip address 177.0.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication mydmvpn
 ip nhrp map 177.0.0.1 100.0.0.1
 ip nhrp map multicast 100.0.0.1
 ip nhrp network-id 100
 ip nhrp nhs 177.0.0.1
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
# igp overlay routing
router eigrp 1
 network 172.16.0.0
 network 177.0.0.0 0.0.0.255

Spoke Branch C

interface Tunnel0
 ip address 177.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication mydmvpn
 ip nhrp map 177.0.0.1 100.0.0.1
 ip nhrp map multicast 100.0.0.1
 ip nhrp network-id 100
 ip nhrp nhs 177.0.0.1
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
# igp overlay routing
router eigrp 1
 network 172.16.0.0
 network 177.0.0.0 0.0.0.255

Verifications

Hub Router

show dmvpn

Spoke Router A

show dmvpn
# check route
show ip route eigrp

if we see we only get route from HQ, all route behind spoke router B and C is not shown, its because the split horizon eigrp Process.

we need to modify on HQ to disable split horizon in eigrp process 1.

## Hub Router
int tun 0
no ip split-horizon eigrp 1

if we check again on branch spoke A, we got all the route now.

from the output above if we ping or traceroute all the traffic is forwarded to Hub router, this process is same as Phase 1.

to create spoke-spoke communication or DMVPN phase 2 we need to change next help self on hub router.

# hub router 
int tun 0
 #no ip next-hop-self eigrp 1

check the route again it should change the next hop with spoke ip address, and try to traceroute again

when first time doing trouceroute it will forwarded to hub, when the hub receive packet and forward packet in the same interface it will start resolution NHRP. and on the second traceroute the spoke-spoke communication is happen.

DMVPN Phase 2 using IGP OSPF

# hub router 
int tun 0
 ip ospf network broadcast
 ip ospf priority 255
 ip ospf 1 area 0
# spoke router
ip ospf network broadcast
 ip ospf priority 0
 ip ospf 1 area 0

verify the route

# spoke router
show ip route
show dmvpn

disadvantage using OSPF in IGP

• Hub need to be Designated Router OSPF
• we cannot use summarize route because all the router is in same are
• we need to change the network type priority to 0, because the each spoke has no direct link to send update multicast ospf.

DMVPN Phase 3

1. mGRE on hub and spokes
   • NHRP required for spoke egistration hub
   • NHRP required for spoke to spoke resolution
2. when a hub received and forward packet out same interface
   • send NHRP redirect back to packet source
   • forward original packet down to spoke via IRB.
3. Routing
   • summarization/default route is allowed
     • Result NHRP route for spoke-spoke tunnel
     • With no-summary, NHO is performed for spoke-to-spoke tunnel
       • Next-hop is changed from hub IP to spoke IP
     • next hop on spoke is always changed by the hub
       • because of this, NHRP resolution is triggered by hub
     • Multi-level hierarchy works without daisy-chaining

Configuration

we will use EIGRP as IGP in DMVPN for this scenario

Hub Router

interface Tunnel0
 ip address 177.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 1 # need to configured
 ip nhrp authentication mydmvpn
 ip nhrp network-id 100
 ip nhrp holdtime 100
 ip nhrp redirect # need for DMVPN phase 3
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 255
 tunnel source Ethernet0/2
 tunnel mode gre multipoint
 tunnel key 100000
router eigrp 1
 network 172.16.0.0
 network 177.0.0.0 0.0.0.255

Spoke Router

interface Tunnel0
 ip address 177.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication mydmvpn
 ip nhrp map 177.0.0.1 100.0.0.1
 ip nhrp map multicast 100.0.0.1
 ip nhrp network-id 100
 ip nhrp nhs 177.0.0.1
 ip tcp adjust-mss 1360
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
end

Verifications

show dmvpn
show ip route eigrp # from spoke

from the output above we see the next hop is on hub router, we can check the traceroute again . when first packet it will send to hub router however when attempt second time it will spoke to spoke.

when we try to check the routing table, the route is overrirde and it show in cef table

Route summarization in DMVPN

we can configure route summarization in hub router using EIGRP.

int tun 0 
 ip summary-address eigrp 1 172.16.0.0/16

from spoke router we check the route will summarize

show ip route 

we get summarize route end specific route for our destination spoke.