I’ve been interested in Dynamic Multipoint VPN (DMVPN) for quite a while. I decided to lab it a few months ago, but never posted about it. We use EasyVPN at my company, which functions similarly in that it doesn’t require static IPs on the spoke devices, which means there is less config per new deployment. What makes DMVPN so much better (IMO) than EasyVPN is its ability to make dynamic spoke-to-spoke tunnels. This is very, very cool. One drawback, which affects companies like mine, is that DMVPN is not supported on firewalls, which is what most of our VPN deployments use. Here’s the topology:

Let’s get to the config:

R2 (hub router)

hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback25
 ip address 10.1.25.1 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.1.2.2 255.255.255.252
!
interface Tunnel200
 ip address 192.168.5.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 tunnel source 10.1.25.1
 tunnel mode gre multipoint

There aren’t any “dmvpn” configuration commands (that I know of); as you can see, it’s all done with NHRP. NHRP (Next Hop Resolution Protocol) is what makes all of this work.

R1
interface Tunnel200
 ip address 192.168.5.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast 10.1.25.1
 ip nhrp map 192.168.5.2 10.1.25.1
 ip nhrp network-id 200
 ip nhrp nhs 192.168.5.2
 ip nhrp cache non-authoritative
 tunnel source 10.1.1.2
 tunnel mode gre multipoint
!
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.252
 
R3
interface Tunnel200
 ip address 192.168.5.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 10.1.25.1
 ip nhrp map 192.168.5.2 10.1.25.1
 ip nhrp network-id 200
 ip nhrp nhs 192.168.5.2
 ip nhrp cache non-authoritative
 tunnel source 10.1.3.2
 tunnel mode gre multipoint
!
interface FastEthernet1/0
 ip address 10.1.3.2 255.255.255.252
 
R4
interface Tunnel200
 ip address 192.168.5.4 255.255.255.0
 no ip redirects
 ip nhrp map multicast 10.1.25.1
 ip nhrp map 192.168.5.2 10.1.25.1
 ip nhrp network-id 200
 ip nhrp nhs 192.168.5.2
 ip nhrp cache non-authoritative
 tunnel source 10.1.4.2
 tunnel mode gre multipoint
!
interface FastEthernet1/0
 ip address 10.1.4.2 255.255.255.252
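
Since every spoke depends on the same three NHRP lines pointing at the hub, a short script can check a spoke stanza against the hub stanza before deployment. This is an added example, not part of the original post: it assumes the hub's tunnel source is written as an IP address (as it is above), and it also reports two standard IOS hardening commands, `tunnel protection ipsec profile` and `ip nhrp authentication`, that the lab configs above do not contain.

```python
import re

# Constructed input: abridged Tunnel200 stanzas of R2 (hub) and R1 (spoke) from the page.
HUB = """interface Tunnel200
 ip address 192.168.5.2 255.255.255.0
 ip nhrp map multicast dynamic
 tunnel source 10.1.25.1
 tunnel mode gre multipoint"""
SPOKE = """interface Tunnel200
 ip address 192.168.5.1 255.255.255.0
 ip nhrp map multicast 10.1.25.1
 ip nhrp map 192.168.5.2 10.1.25.1
 ip nhrp nhs 192.168.5.2
 tunnel source 10.1.1.2
 tunnel mode gre multipoint"""

def parse_tunnel(text):
    """Pull out the fields of one tunnel stanza that NHRP registration relies on."""
    cfg = {"maps": {}, "hardening": set()}
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"ip address (\S+) \S+", line):
            cfg["tunnel_ip"] = m[1]
        elif m := re.fullmatch(r"ip nhrp map multicast (\S+)", line):
            cfg["mcast"] = m[1]
        elif m := re.fullmatch(r"ip nhrp map (\S+) (\S+)", line):
            cfg["maps"][m[1]] = m[2]      # tunnel address -> NBMA (underlay) address
        elif m := re.fullmatch(r"ip nhrp nhs (\S+)", line):
            cfg["nhs"] = m[1]
        elif m := re.fullmatch(r"tunnel source (\S+)", line):
            cfg["source"] = m[1]
        elif line.startswith(("tunnel protection ipsec", "ip nhrp authentication")):
            cfg["hardening"].add(" ".join(line.split()[:3]))
    return cfg

def audit_spoke(hub_text, spoke_text):
    """Check a spoke stanza against the hub stanza; return a list of findings."""
    hub, spoke, out = parse_tunnel(hub_text), parse_tunnel(spoke_text), []
    if spoke.get("nhs") != hub["tunnel_ip"]:
        out.append("nhs is not the hub tunnel address")
    if spoke["maps"].get(hub["tunnel_ip"]) != hub["source"]:
        out.append("hub tunnel address is not mapped to the hub tunnel source")
    if spoke.get("mcast") != hub["source"]:
        out.append("multicast is not mapped to the hub tunnel source")
    for cmd in ("tunnel protection ipsec", "ip nhrp authentication"):
        if cmd not in spoke["hardening"]:
            out.append("missing: " + cmd)
    return out

print(audit_spoke(HUB, SPOKE))
```

Run against the R1 stanza, the NHRP mappings pass and only the two hardening lines are reported; without `tunnel protection`, the GRE payload crosses the underlay unencrypted.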