Cisco DMVPN Configuration Example

Dynamic Multipoint VPN (DMVPN) is a Cisco VPN solution used when high scalability and minimal configuration complexity are required to connect branch offices to a central HQ hub site.

DMVPN is one of the most scalable and efficient VPN types supported by Cisco. It is used almost exclusively in hub-and-spoke topologies where you want direct spoke-to-spoke VPN tunnels in addition to the spoke-to-hub tunnels, so that spoke sites can communicate with each other directly without going through the hub. DMVPN is supported only on Cisco routers (IOS and IOS-XE); the ASA does not support it.

If you want to design a VPN solution that connects numerous sites with each other (I would say more than 10 sites), then DMVPN on Cisco routers is an ideal choice. Although the most common topology is hub-and-spoke, DMVPN also gives you full-mesh connectivity, since all sites can communicate with each other without static VPN tunnels configured between each pair of sites.

Some characteristics of DMVPN are the following:

  • The central HUB router acts as the DMVPN server and the spoke routers (in the branch offices) act as the DMVPN clients.
  • The HUB router must have a static public IP address on its WAN interface.
  • The spoke (branch) routers can have either a static or a dynamic public IP on the WAN.
  • Each branch site (spoke) keeps a permanent IPsec tunnel to the central site (HUB).
  • Spoke-to-spoke tunnels are established on demand whenever there is traffic between two spoke sites. From then on, packets bypass the HUB and use the spoke-to-spoke tunnel directly.
  • All tunnels are multipoint GRE (mGRE) tunnels protected by IPsec.
  • NHRP (Next Hop Resolution Protocol) maps the private IPs of the tunnel interfaces to their corresponding public WAN IPs (the NBMA addresses).
  • These NHRP mappings are kept on the NHRP server (the HUB). Each spoke registers its public IP address and its private tunnel interface IP with the HUB, so the HUB holds the "tunnel interface IP / public WAN IP" mapping of every spoke.
  • When a spoke needs to send a packet to a (private) subnet behind another spoke, it queries the NHRP server to learn the public (WAN) address of the destination spoke and then builds the direct tunnel to it.
  • For better scalability, run a dynamic routing protocol (such as EIGRP) between all the routers instead of maintaining static routes on every site.

DMVPN combines the following networking technologies:

  • Multipoint GRE (mGRE)
  • IPsec
  • Next Hop Resolution Protocol (NHRP)
  • Static or dynamic routing
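The NHRP registration and resolution exchange described in the list above, as an added example that is not part of the original article: a small Python model of the HUB's NHRP table (register and resolve), showing the re-registration behaviour that a DHCP spoke needs (`ip nhrp registration no-unique`) and what happens to a router with the wrong authentication string. The class names, message shapes and return values are this example's own; the real protocol also carries hold times, request IDs and the redirect/shortcut extensions that the model leaves out.

```python
"""Toy model of the NHRP exchange in a DMVPN cloud (added example, not the article's code).

The hub keeps tunnel-IP -> NBMA (public WAN IP) mappings. Spokes register on start-up
and ask the hub to resolve another spoke's tunnel IP before building a direct tunnel.
Class and method names are this example's own, not the NHRP wire format.
"""
from dataclasses import dataclass, field


@dataclass
class NhrpServer:
    """The HUB: next-hop server holding the registrations of all spokes."""
    network_id: int
    auth: str                                  # plaintext 'ip nhrp authentication' string
    table: dict = field(default_factory=dict)  # tunnel IP -> NBMA (WAN) IP

    def register(self, tunnel_ip, nbma_ip, network_id, auth, no_unique=False):
        """Handle a registration request; returns (accepted, reason)."""
        if network_id != self.network_id:
            return False, "network-id mismatch"
        if auth != self.auth:
            return False, "authentication mismatch"
        current = self.table.get(tunnel_ip)
        # Default ('unique') registration: a tunnel IP already bound to one NBMA
        # address is not re-bound to another until the old entry expires.
        if current is not None and current != nbma_ip and not no_unique:
            return False, "%s is already registered from %s (unique registration)" % (tunnel_ip, current)
        self.table[tunnel_ip] = nbma_ip
        return True, "registered"

    def resolve(self, tunnel_ip, network_id, auth):
        """Resolution request: which NBMA address reaches this tunnel IP?"""
        if network_id != self.network_id or auth != self.auth:
            return None
        return self.table.get(tunnel_ip)


@dataclass
class Spoke:
    tunnel_ip: str
    nbma_ip: str
    network_id: int
    auth: str
    nhs_nbma: str                              # static WAN IP of the hub ('ip nhrp map' / 'ip nhrp nhs')
    cache: dict = field(default_factory=dict)  # resolved tunnel IP -> NBMA, used for spoke-to-spoke tunnels

    def register_with(self, hub, no_unique=False):
        return hub.register(self.tunnel_ip, self.nbma_ip, self.network_id, self.auth, no_unique)

    def next_hop_nbma(self, hub, peer_tunnel_ip):
        """NBMA address for a peer's tunnel IP, asking the hub on a cache miss."""
        if peer_tunnel_ip not in self.cache:
            nbma = hub.resolve(peer_tunnel_ip, self.network_id, self.auth)
            if nbma is None:
                return None
            self.cache[peer_tunnel_ip] = nbma
        return self.cache[peer_tunnel_ip]


def demo():
    """Walk through the article's topology: hub 172.16.1.1/10.10.10.1 and two spokes."""
    hub = NhrpServer(network_id=1, auth="nhrp1234")
    spoke1 = Spoke("172.16.1.2", "10.10.10.5", 1, "nhrp1234", "10.10.10.1")  # WAN IP from DHCP
    spoke2 = Spoke("172.16.1.3", "10.10.10.9", 1, "nhrp1234", "10.10.10.1")  # static WAN IP
    results = {}
    results["reg1"] = spoke1.register_with(hub)
    results["reg2"] = spoke2.register_with(hub)
    # Spoke 2 has traffic for 192.168.164.0/24, whose next hop is Spoke 1's tunnel IP:
    # it resolves that tunnel IP through the hub and can build the direct tunnel.
    results["s2_to_s1"] = spoke2.next_hop_nbma(hub, "172.16.1.2")
    # Spoke 1's DHCP lease changes its public IP. Without no-unique the hub refuses
    # the update; with it (what 'ip nhrp registration no-unique' sets) it is accepted.
    spoke1.nbma_ip = "10.10.10.6"
    results["rereg_unique"] = spoke1.register_with(hub)
    results["rereg_no_unique"] = spoke1.register_with(hub, no_unique=True)
    # Spoke 2 still holds the old answer until its cache entry expires (hold time).
    results["s2_stale"] = spoke2.next_hop_nbma(hub, "172.16.1.2")
    # A router with the right network-id but the wrong auth string is refused.
    rogue = Spoke("172.16.1.9", "203.0.113.7", 1, "wrong", "10.10.10.1")
    results["rogue"] = rogue.register_with(hub)
    return results, hub.table


if __name__ == "__main__":
    for name, value in demo()[0].items():
        print(name, value)
```

The authentication check in the model is a misconfiguration guard only: `ip nhrp authentication` is a plaintext string in the NHRP packet, so the real protection against rogue peers is the IKE authentication of the IPsec tunnel that NHRP runs inside, plus an ACL on the WAN interface. The stale-cache result shows why a spoke whose WAN IP changes is unreachable from other spokes until their NHRP cache entries for it expire.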

Configuration example

In this Cisco DMVPN configuration example we present a hub-and-spoke topology with a central HUB router that acts as the DMVPN server and two spoke routers that act as DMVPN clients.

[Figure: Cisco DMVPN configuration example topology. HUB: WAN 10.10.10.1, LAN 192.168.160.0/24, tunnel 172.16.1.1. Spoke 1: WAN via DHCP, LAN 192.168.164.0/24, tunnel 172.16.1.2. Spoke 2: WAN 10.10.10.9, LAN 192.168.161.0/24, tunnel 172.16.1.3.]

All the routers involved in this tutorial are CISCO1921/K9.

Step 1. Configure the HUB router

The hub router requires a static IP address on the WAN interface facing the Internet, because every spoke is configured with that address as its NHRP server.

! Interface configuration
interface GigabitEthernet0/0
 description to Internet-WAN
 ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet0/1
 description to LAN
 ip address 192.168.160.1 255.255.255.0
 duplex auto
!
! Tunnel interface: a multipoint GRE (mGRE) tunnel protected by IPsec
interface Tunnel1
 description DMVPN Tunnel
 ip address 172.16.1.1 255.255.255.0          <-- private subnet shared by the tunnel interfaces of all routers
 no ip redirects
 ip mtu 1440                                  <-- reduced MTU to leave room for the GRE and IPsec overhead
 ip nhrp authentication nhrp1234              <-- must match on all routers; sent in clear text, so it only catches misconfiguration
 ip nhrp map multicast dynamic                <-- add a multicast mapping for every spoke that registers (routing protocol hellos)
 ip nhrp network-id 1                         <-- must be the same on all routers
 load-interval 30
 keepalive 5 10
 tunnel source GigabitEthernet0/0             <-- tunnel endpoint is the static WAN interface
 tunnel mode gre multipoint                   <-- makes this an mGRE tunnel
 tunnel protection ipsec profile protect-gre  <-- encrypt all traffic leaving this tunnel with IPsec (profile defined below)

! IKE and IPsec configuration on the HUB
crypto isakmp policy 1
 encr 3des                  <-- 3DES, MD5 and DH group 2 are deprecated; on current IOS use "encr aes 256", "hash sha256" and "group 14" or higher
 hash md5
 authentication pre-share
 group 2
crypto isakmp key isakmp1234 address 0.0.0.0 0.0.0.0   <-- wildcard peer address so that spokes with dynamic IPs can connect; any router that knows the key can start IKE, so use a long random key and restrict the WAN interface with an ACL that permits only IKE (UDP 500/4500) and ESP
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac     <-- same remark: prefer esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile protect-gre                        <-- profile referenced by "tunnel protection" on Tunnel1
 set security-association lifetime seconds 86400
 set transform-set TS

! Static routing on the HUB (dynamic routing is recommended for larger networks)
ip route 192.168.164.0 255.255.255.0 172.16.1.2   <-- Spoke 1 LAN is reached via Spoke 1's tunnel IP
ip route 192.168.161.0 255.255.255.0 172.16.1.3   <-- Spoke 2 LAN is reached via Spoke 2's tunnel IP

Step 2. Configure the Spoke Routers

One spoke router receives its WAN IP address from DHCP and the other one has a static WAN IP. Apart from the WAN interface the two configurations are the same: each spoke points at the HUB's static address as its NHRP server and uses the same NHRP network-id, authentication string and IPsec profile as the HUB.

Spoke 1 (Dynamic IP assigned from DHCP)

interface GigabitEthernet0/0
 description WAN to Internet
 ip address dhcp                              <-- WAN address assigned by the ISP
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description To LAN
 ip address 192.168.164.1 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel1
 ip address 172.16.1.2 255.255.255.0          <-- same subnet as all the other tunnel interfaces
 no ip redirects
 ip mtu 1440
 ip nhrp authentication nhrp1234              <-- must match the HUB
 ip nhrp map 172.16.1.1 10.10.10.1            <-- static mapping: HUB tunnel IP -> HUB public WAN IP (the only address that has to be static)
 ip nhrp map multicast 10.10.10.1             <-- send multicast (e.g. routing protocol updates) to the HUB only; the HUB replicates it to the other spokes
 ip nhrp map multicast dynamic                <-- required on the HUB, harmless on a spoke
 ip nhrp network-id 1                         <-- must match the HUB
 ip nhrp nhs 172.16.1.1                       <-- the HUB is this spoke's NHRP server (next-hop server)
 ip nhrp registration no-unique               <-- lets the spoke re-register its tunnel IP from a new WAN address; needed because the DHCP address can change
 load-interval 30
 keepalive 5 10
 tunnel source GigabitEthernet0/0             <-- source is the WAN interface
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre

crypto isakmp policy 1
 encr 3des                  <-- identical to the HUB policy; 3DES/MD5/group 2 are deprecated, upgrade all routers together (aes 256 / sha256 / group 14 or higher)
 hash md5
 authentication pre-share
 group 2
crypto isakmp key isakmp1234 address 0.0.0.0 0.0.0.0   <-- spokes must also accept IKE from any address, otherwise they cannot form direct IPsec tunnels with other spokes
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
!
ip route 192.168.160.0 255.255.255.0 172.16.1.1   <-- HUB LAN via the HUB tunnel IP
ip route 192.168.161.0 255.255.255.0 172.16.1.3   <-- Spoke 2 LAN via Spoke 2's tunnel IP; NHRP resolves 172.16.1.3 through the HUB and a direct spoke-to-spoke tunnel is built

Spoke 2 (Static IP on WAN)

interface GigabitEthernet0/0
 description To Internet
 ip address 10.10.10.9 255.255.255.252        <-- static WAN address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description To LAN
 ip address 192.168.161.1 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel1
 ip address 172.16.1.3 255.255.255.0          <-- same subnet as all the other tunnel interfaces
 no ip redirects
 ip mtu 1440
 ip nhrp authentication nhrp1234
 ip nhrp map 172.16.1.1 10.10.10.1            <-- HUB tunnel IP -> HUB public WAN IP (must be static)
 ip nhrp map multicast 10.10.10.1             <-- multicast (routing protocol updates) goes to the HUB only
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1                       <-- the HUB is the NHRP server
 ip nhrp registration no-unique               <-- not strictly needed with a static WAN IP; kept identical to Spoke 1
 load-interval 30
 keepalive 5 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
!
crypto isakmp policy 1
 encr 3des                  <-- identical to the HUB policy (deprecated algorithms, see the remark on the HUB)
 hash md5
 authentication pre-share
 group 2
crypto isakmp key isakmp1234 address 0.0.0.0 0.0.0.0   <-- accept IKE from any address so that Spoke 1 (dynamic IP) can build a direct tunnel to this spoke
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile protect-gre             <-- must be defined (not commented out), otherwise "tunnel protection" has no profile to use
 set security-association lifetime seconds 86400
 set transform-set TS
!
ip route 192.168.160.0 255.255.255.0 172.16.1.1   <-- HUB LAN via the HUB tunnel IP
ip route 192.168.164.0 255.255.255.0 172.16.1.2   <-- Spoke 1 LAN via Spoke 1's tunnel IP (resolved through NHRP, direct spoke-to-spoke tunnel)
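An added example, not from the original article, that treats the crypto sections of the HUB and spoke configurations above as something to audit rather than copy: a Python script that walks an IOS configuration (the article's crypto block, reproduced as WEAK_CONFIG) and flags the settings a reviewer would refuse today, next to a HARDENED_CONFIG that is this example's suggestion for the same policy on current IOS. The weak-algorithm lists and the 20-character key threshold are the example's own choices; the wildcard pre-shared key cannot be avoided for spokes with dynamic WAN addresses, so it is reported as a finding to compensate for (long random key, WAN ACL) rather than something to remove.

```python
"""Audit the IKE/IPsec settings of a DMVPN router configuration (added example).

Not code from the original article. WEAK_CONFIG is constructed from the article's
crypto section; HARDENED_CONFIG is this example's replacement for current IOS.
The weak-algorithm sets and MIN_PSK_LEN are the example's own choices.
"""
import re

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}                     # "hash sha" is SHA-1 in IOS
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
MIN_PSK_LEN = 20                               # this example's threshold

# "crypto isakmp key [0|6] <key> address 0.0.0.0 0.0.0.0" (the [0|6] appears in saved configs)
WILDCARD_KEY_RE = re.compile(r"^crypto isakmp key (?:[06] )?(\S+) address 0\.0\.0\.0 0\.0\.0\.0")

WEAK_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key isakmp1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
"""

HARDENED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-SECRET address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 3600
 set transform-set TS
"""


def audit_crypto(config_text):
    """Return (line_no, line, finding) for every weak or risky crypto line."""
    findings = []
    in_policy = False
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if not raw.startswith(" "):            # IOS indents sub-commands with one space
            in_policy = False
        tokens = line.split()
        if in_policy and len(tokens) >= 2:
            kw, val = tokens[0], tokens[1]
            if kw in ("encr", "encryption") and val in WEAK_ENCR:
                findings.append((n, line, "weak IKE encryption; use 'encr aes 256'"))
            elif kw == "hash" and val in WEAK_HASH:
                findings.append((n, line, "weak IKE hash; use 'hash sha256'"))
            elif kw == "group" and val in WEAK_DH_GROUPS:
                findings.append((n, line, "weak DH group; use 'group 14' or higher"))
            continue
        m = WILDCARD_KEY_RE.match(line)
        if m:
            key = m.group(1)
            text = "wildcard pre-shared key: any peer that knows it can start IKE; restrict IKE/ESP with a WAN ACL"
            if len(key) < MIN_PSK_LEN:
                text += "; key is only %d characters" % len(key)
            findings.append((n, line, text))
            continue
        if line.startswith("crypto ipsec transform-set"):
            bad = sorted(t for t in tokens[4:] if t in WEAK_TRANSFORMS)
            if bad:
                findings.append((n, line, "weak IPsec transforms %s; use 'esp-aes 256 esp-sha256-hmac'" % ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("article config", WEAK_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print("==", name)
        for n, line, finding in audit_crypto(cfg):
            print("line %d: %s  -> %s" % (n, line, finding))
```

Run it against `show running-config` output saved from each router; the hardened configuration still produces the wildcard-key finding, which is intentional: the key is the only thing authenticating a spoke with a dynamic address, so it has to be long, random and rotated, and the WAN ACL has to limit who can even reach IKE.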

Step 3. Verify the DMVPN on the HUB

HUB# show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.10.10.5           172.16.1.2    UP 07:51:19     D   <-- Spoke 1: NBMA = its public (DHCP) WAN IP, Tunnel = its tunnel IP, learned dynamically (D)
     2 10.10.10.9           172.16.1.3    UP 09:41:33     D   <-- Spoke 2

Every spoke must show State UP; any other value (IKE, IPSEC or NHRP) names the stage at which that tunnel is stuck.

HUB# show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.10.5      10.10.10.1      QM_IDLE           1011 ACTIVE   <-- established IKE SA (QM_IDLE/ACTIVE) with Spoke 1
10.10.10.9      10.10.10.1      QM_IDLE           1012 ACTIVE   <-- established IKE SA with Spoke 2

HUB# ping 192.168.164.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.164.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

HUB# ping 192.168.161.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.161.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
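An added example, not from the original article, that turns the Step 3 checks into something you can run after every change: it parses the `show dmvpn` and `show crypto isakmp sa` output and reports spokes that are missing, not UP, registered from an unexpected WAN address, or without an IKE SA, plus IKE peers that are not registered spokes. The healthy sample is constructed from the output above; the degraded sample and the EXPECTED_SPOKES table (tunnel IP to static WAN IP, or None for the DHCP spoke) are this example's own, and the parser relies on the column layout shown in the article.

```python
"""Check a DMVPN hub from 'show dmvpn' and 'show crypto isakmp sa' (added example).

Not code from the original article. SHOW_*_OK are constructed from the article's
Step 3 output; SHOW_*_BAD and EXPECTED_SPOKES are this example's own.
"""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>%s)\s+(?P<tunnel>%s)\s+(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s*$"
    % (IPV4, IPV4))
SA_RE = re.compile(
    r"^\s*(?P<dst>%s)\s+(?P<src>%s)\s+(?P<state>\S+)\s+(?P<connid>\d+)\s+(?P<status>\S+)" % (IPV4, IPV4))

HUB_NBMA = "10.10.10.1"
EXPECTED_SPOKES = {"172.16.1.2": None, "172.16.1.3": "10.10.10.9"}   # None = dynamic (DHCP) WAN address

SHOW_DMVPN_OK = """\
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.10.10.5           172.16.1.2    UP 07:51:19     D
     2 10.10.10.9           172.16.1.3    UP 09:41:33     D
"""
SHOW_ISAKMP_OK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.10.5      10.10.10.1      QM_IDLE           1011 ACTIVE
10.10.10.9      10.10.10.1      QM_IDLE           1012 ACTIVE

IPv6 Crypto ISAKMP SA
"""
# Constructed failure case: Spoke 2 stuck in NHRP state and an IKE SA with an unknown peer.
SHOW_DMVPN_BAD = SHOW_DMVPN_OK.replace("172.16.1.3    UP", "172.16.1.3  NHRP")
SHOW_ISAKMP_BAD = SHOW_ISAKMP_OK.replace(
    "\nIPv6", "203.0.113.7     10.10.10.1      QM_IDLE           1013 ACTIVE\n\nIPv6")


def parse_show_dmvpn(text):
    """Return {tunnel IP: {nbma, state, attrb}} for every peer row."""
    peers = {}
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers[m.group("tunnel")] = {k: m.group(k) for k in ("nbma", "state", "attrb")}
    return peers


def parse_isakmp_sa(text):
    """Return one {dst, src, state, connid, status} dict per SA row."""
    return [m.groupdict() for m in (SA_RE.match(line) for line in text.splitlines()) if m]


def active_ike_peers(sas, hub_nbma):
    """Remote addresses with an established (QM_IDLE/ACTIVE) IKE SA, whichever side initiated."""
    return {sa["dst"] if sa["src"] == hub_nbma else sa["src"]
            for sa in sas if sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"}


def check_dmvpn(dmvpn_text, isakmp_text, expected=EXPECTED_SPOKES, hub_nbma=HUB_NBMA):
    """Return a list of problems; an empty list means the hub looks healthy."""
    peers = parse_show_dmvpn(dmvpn_text)
    ike = active_ike_peers(parse_isakmp_sa(isakmp_text), hub_nbma)
    problems = []
    for tunnel_ip, static_nbma in expected.items():
        p = peers.get(tunnel_ip)
        if p is None:
            problems.append("%s: not registered with the hub" % tunnel_ip)
            continue
        if p["state"] != "UP":
            problems.append("%s: state %s, expected UP" % (tunnel_ip, p["state"]))
        if static_nbma and p["nbma"] != static_nbma:
            problems.append("%s: registered from %s, expected static WAN IP %s" % (tunnel_ip, p["nbma"], static_nbma))
        if p["nbma"] not in ike:
            problems.append("%s: no active IKE SA with %s" % (tunnel_ip, p["nbma"]))
    for tunnel_ip in sorted(set(peers) - set(expected)):
        problems.append("%s: unexpected NHRP registration from %s" % (tunnel_ip, peers[tunnel_ip]["nbma"]))
    for nbma in sorted(ike - {p["nbma"] for p in peers.values()}):
        problems.append("IKE SA with %s, which is not a registered NHRP peer" % nbma)
    return problems


if __name__ == "__main__":
    print("healthy:", check_dmvpn(SHOW_DMVPN_OK, SHOW_ISAKMP_OK) or "no problems")
    for issue in check_dmvpn(SHOW_DMVPN_BAD, SHOW_ISAKMP_BAD):
        print("degraded:", issue)
```

The last check is the security-relevant one: with a wildcard pre-shared key, an IKE SA from an address that never registered with NHRP means someone holding the key has authenticated to the hub without being one of your spokes, and is worth an alert rather than a dashboard entry.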

Note: You can use either static routing or a dynamic routing protocol to distribute the LAN subnets across the DMVPN cloud. This tutorial uses static routes; for larger networks enable a dynamic routing protocol such as EIGRP. In that case the HUB has to advertise each spoke's prefixes back out of the same tunnel interface with the originating spoke's tunnel IP kept as the next hop (no ip split-horizon eigrp <AS> and no ip next-hop-self eigrp <AS> on the HUB's Tunnel1), otherwise spoke-to-spoke traffic keeps flowing through the HUB.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Edilmar Santizo says

    August 17, 2015 at 6:15 am

    Hi Harris, thanks for sharing, this is the most complete lab about DMVPN I've found.

    I followed all the steps of the lab, and it works pretty well on a GNS3 router image (C7200-ADVENTERPRISEK9-M), Version 15.2(4)M7:

    R1#show dmvpn
    Legend: Attrb –> S – Static, D – Dynamic, I – Incomplete
    N – NATed, L – Local, X – No Socket
    # Ent –> Number of NHRP entries with same NBMA peer
    NHS Status: E –> Expecting Replies, R –> Responding, W –> Waiting
    UpDn Time –> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel1, IPv4 NHRP Details
    Type:Hub, NHRP Peers:2,

    # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
    —– ————— ————— —– ——– —–
    1 10.10.10.5 172.16.1.2 UP 00:15:44 D
    1 10.10.10.9 172.16.1.3 UP 00:25:50 D

    R1#

    R1#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst src state conn-id status
    10.10.10.1 10.10.10.5 QM_IDLE 1007 ACTIVE
    10.10.10.1 10.10.10.9 QM_IDLE 1001 ACTIVE

    IPv6 Crypto ISAKMP SA

    R1#ping 192.168.161.50
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.161.50, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 60/320/1076 ms
    R1#traceroute 192.168.161.50
    Type escape sequence to abort.
    Tracing the route to 192.168.161.50
    VRF info: (vrf in name/id, vrf out name/id)
    1 172.16.1.3 56 msec 12 msec 24 msec
    2 192.168.161.50 64 msec 20 msec 80 msec
    R1#ping 192.168.164.50
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.164.50, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 44/60/92 ms

    R1#traceroute 192.168.164.50
    Type escape sequence to abort.
    Tracing the route to 192.168.164.50
    VRF info: (vrf in name/id, vrf out name/id)
    1 172.16.1.2 56 msec 20 msec 28 msec
    2 192.168.164.50 28 msec 72 msec 48 msec
    R1#

    I just noticed that the lab has the ip route command wrong; I think that you have to write the subnet mask, not the wildcard.

    Regards!

  2. Harris Andrea says

    August 17, 2015 at 7:57 am

    Thanks Edilmar for your comment. Yes, you are right. I have fixed the ip route command. I added the route afterwards and by mistake I put a wildcard mask instead of a normal subnet mask.

    Thanks

    Harris

  3. U. Perez says

    August 18, 2015 at 7:28 pm

    As always great stuff, easy to follow and well explained. My question is, should this traffic be going through the firewall, and if so, should I put the VPN router in front of the firewall or in the DMZ? Thank you so much.

  4. Harris Andrea says

    August 19, 2015 at 6:38 am

    Perez,
    Usually there is no need to have a firewall within the DMVPN topology. It's a good practice though to put a firewall behind the central HUB router to protect and control traffic going towards the internal HUB network. On the DMVPN routers you can configure and place an ACL on the WAN interface to allow only the DMVPN traffic protocols (GRE, IPSEC).

  5. Gerson says

    August 20, 2015 at 5:27 pm

    Hi,

    What about if I have just, let's say, 16 public IP addresses? I need to connect just 5 sites. That means I have enough addresses to interconnect my sites. Is MPLS still needed for this DMVPN?

  6. Harris Andrea says

    August 20, 2015 at 6:03 pm

    Gerson,

    No, MPLS is not needed for DMVPN. It is just another WAN connectivity option. You can use DMVPN over the internet or over MPLS.

  7. Chassep says

    November 12, 2016 at 10:30 am

    Hello,
    I am still fighting to understand something. Should there first be reachability between all public IP addresses, or not? Many times people do not show this reachability between the spokes' public IP addresses and implement the topology with a switch, which automatically provides this reachability among the routers. Can I run RIP for this public connectivity and EIGRP for the LAN connectivity?

  8. Harris Andrea says

    November 12, 2016 at 3:55 pm

    Yes, absolutely, there must be reachability between the public IP addresses of all routers. Normally RIP will work as well.

    Harris
