Configuring Dynamic Multipoint VPN (DMVPN)

The Dynamic Multipoint VPN (DMVPN) allows for a large scale IPSec VPN deployment with reduced configuration/complexity. It uses GRE, Next Hop Resolution Protocol (NHRP) and IPSec Encryption and unlike traditional IPSec VPNs DMVPN does not require Crypto ACLs, instead DMVPN requires a single mGRE tunnel interface and a single IPSec profile. In a large DMVPN environment this greatly reduces the size of configuration on the hub router.

DMVPN can be deployed using two models; Hub-and-Spoke and Spoke-to-Spoke:

Hub-and-Spoke (Phase 1) – requires each spoke have a point-to-point to GRE interface to build a tunnel to the hub router, all traffic flows through the hub router.

Spoke-to-Spoke  (Phase 2 and Phase 3) – requires each spoke to have an mGRE interface, to provide spoke-to-spoke communication in addition to Hub-and-spoke communication.

Generic Routing Encapsulation (GRE)

  • GRE utilises tunnel interfaces to build tunnels between devices, allow routing protocols such as EIGRP or OSPF to traverse the interface
  • A GRE tunnel does not encrypt traffic, it is used in conjunction with IPSec

Configuration Steps


Hub (config)# interface Tunnel0 
Hub (config-if)# tunnel source FastEthernet0 
Hub (config-if)# tunnel mode gre multipoint 
Hub (config-if)# tunnel key 1000 
Hub (config-if)# ip address


Spoke1 config)# interface Tunnel0
Spoke1 (config-if)# tunnel source FastEthernet0 
Spoke1 (config-if)# tunnel mode gre multipoint 
Spoke1 (config-if)# tunnel key 1000 
Spoke1 (config-if)# ip address

The default MTU size is 1500 bytes, tunnelling adds a 24-bit GRE header to the packet, adding IPSec later would also increase the size of the of the packet. To avoid issues with fragmentations of packets it is recommended to set the IP MTU to 1400 and TCP Maximum Segment Size (MSS) to 1360


Hub (config)# interface Tunnel0
Hub (config-if)# ip mtu 1400 
Hub (config-if)# ip tcp adjust-mss 1360

Next Hop Resolution Protocol (NHRP)

  • The NHRP (Next Hop Resolution Protocol) maintains a database of Tunnel IP addresses and Public IP addresses of the routers.
  • The Hub router acts as the NHRP server and the spokes as the NHRP clients, the Spoke routers are configured to map to the Hub router.
  • Only one static IP address is required for the Hub router; Spoke routers can use dynamically assigned IP addresses, relying on NHRP to register the spoke’s router IP address on the hub router.


Configuration Steps


Hub (config)# interface Tunnel0 
Hub (config-if)# ip nhrp network-id 1001 
Hub (config-if)# ip nhrp authentication DMVPN 
Hub (config-if)# ip nhrp map multicast dynamic


Spoke1 (config)# interface Tunnel0 
Spoke1 (config-if)# ip nhrp network-id 1001 
Spoke1 (config-if)# ip nhrp authentication DMVPN 
Spoke1 (config-if)# ip nhrp nhs <TUNNEL IP ADDRESS OF HUB>
Spoke1 (config-if)# ip nhrp map multicast <WAN IP ADDRESS OF HUB> 
Spoke1 (config-if)# ip nhrp map


Configure the NHRP hold-time so that NHRP registrations are validated regularly and cached, if no updates are received the registrations time-out. The spoke will send a registration request every 1/3 of the configured hold-time (seconds). This will speed up the recovery if connectivity was lost between the hub and a spoke.


Hub (config)# interface Tunnel0 
Hub (config-if)# ip nhrp holdtime 60

Verification Commands

The command show ip nhrp will display the active NHRP registrations and the mapping of tunnel ip address to public (real) ip address of the spoke.

Hub (config)# show ip nhrp

Note the expiration time for the NHRP registrations on the Hub. Spoke1 ( hold-time was manually configured to re-register every 60 seconds whereas Spoke2 ( was left as default which appears to be 120 minutes.

The command show dmvpn will display ip addresses, state (up/down) and time up/down.

Hub (config)# show dmvpn

If a spoke does not appear in the NHRP database then the chances are there is a connectivity issue between the hub and the spoke, at which point check the basics routing, ACLs etc.


Dynamic Routing (EIGRP)

  • EIGRP and OSPF are both supported in a DMVPN environment
  • However EIGRP would appear to be Cisco preferred routing protocol
  • Disable Split horizon on the Hub so that the hub router advertises the routes learned from the spokes to all the other spokes

Configuration Steps (Hub-and-Spoke) – Phase 1


Hub (config)# router eigrp 1 
Hub (config-router)# no auto-summary 
Hub (config-router)# network 
Hub (config)# interface tunnel0 
Hub (config-if)# no ip split-horizon eigrp 1


Spoke1 (config)# interface loopback 1 
Spoke1 (config-if)# ip address 
Spoke1 (config)# interface loopback 2 
Spoke1 (config-if)# ip address 
Spoke1 (config)# router eigrp 1 
Spoke1 (config-router)# no auto-summary 
Spoke1 (config-router)# network 
Spoke1 (config-router)# network


Spoke2 (config)# interface loopback 1 
Spoke2 (config-if) #ip address 
Spoke2 (config)# interface loopback 2 
Spoke2 (config-if)# ip address 
Spoke2 (config)# router eigrp 1 
Spoke2 (config-router)# no auto-summary 
Spoke2 (config-router)# network 
Spoke2 (config-router)# network


In Phase 1 all spoke to spoke traffic is routed via the hub, this can be verified by checking the routing table on one of the spoke routers

Performing a traceroute to a network on another spoke reveals traffic is routed via the hub

Configuration Steps (Spoke-to-Spoke) – Phase 2

By adding the “no ip next-hop-self” command to the hub router all the spoke routers will now learn each other’s routes.


Hub (config)# interface tunnel0 
Hub (config-if)# no ip next-hop-self eigrp 1


Repeating the traceroute and viewing the routing table will reveal traffic is routed to the ip address of the spoke router instead of the hub.

IPSec Encryption

Hub (config)# crypto isakmp policy 1 
Hug (config-isakmp)# encryption aes 192 
Hug (config-isakmp)# hash sha 
Hug (config-isakmp)# authentication pre-share 
Hug (config-isakmp)# group 2 
Hug (config-isakmp)# exit 
Hub (config)# crypto isakmp key cisco123 address 
Hub (config)# crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac 
Hug (cfg-crypto-trans)# mode tunnel 
Hug (cfg-crypto-trans)# exit 
Hub (config)# crypto ipsec profile IPSEC_AES 
Hub (ipsec-profile)# set transform-set AES_SHA 
Hub (ipsec-profile)# set pfs group2 
Hub (ipsec-profile)# exit

Hub (config)# interface tunnel 0 
Hub (config-if)# tunnel protection ipsec profile IPSEC_AES 
Hub (config-if)# exit

Hub (config)# crypto isakmp keepalive 30 5

Repeat the above steps to configure IPSec on all spoke routers.


Useful links

6 thoughts on “Configuring Dynamic Multipoint VPN (DMVPN)”

    1. Hi,

      The newer 800 series routers will work with DMVPN and have integrated wireless, the higher spec 1941W router also supports wireless. I don’t think either support POE.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s