I’ve been interested in Dynamic Multipoint VPN (DMVPN) for quite a while. I decided to lab it a few months ago, but never posted about it. We use EasyVPN at my company, which functions similarly in that it doesn’t require static IPs on the spoke devices, which means there is less config per new deployment. What makes DMVPN so much better (IMO) than EasyVPN is its ability to build dynamic spoke-to-spoke tunnels. This is very, very cool. One drawback, which affects companies like mine, is that DMVPN is not supported on firewalls, which is what most of our VPN deployments use. Here’s the topology:

Let’s get to the config:

R2 (hub router)

hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback25
 ip address 10.1.25.1 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.1.2.2 255.255.255.252
!
interface Tunnel200
 ip address 192.168.5.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 tunnel source 10.1.25.1
 tunnel mode gre multipoint

There aren’t any “dmvpn” configuration commands (that I know of); as you can see, it’s all done with NHRP. NHRP (Next Hop Resolution Protocol) is what makes all of this work.

R1
interface Tunnel200
 ip address 192.168.5.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast 10.1.25.1
 ip nhrp map 192.168.5.2 10.1.25.1
 ip nhrp network-id 200
 ip nhrp nhs 192.168.5.2
 ip nhrp cache non-authoritative
 tunnel source 10.1.1.2
 tunnel mode gre multipoint
!
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.252
 
R3
interface Tunnel200
 ip address 192.168.5.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 10.1.25.1
 ip nhrp map 192.168.5.2 10.1.25.1
 ip nhrp network-id 200
 ip nhrp nhs 192.168.5.2
 ip nhrp cache non-authoritative
 tunnel source 10.1.3.2
 tunnel mode gre multipoint
!
interface FastEthernet1/0
 ip address 10.1.3.2 255.255.255.252
 
R4
interface Tunnel200
 ip address 192.168.5.4 255.255.255.0
 no ip redirects
 ip nhrp map multicast 10.1.25.1
 ip nhrp map 192.168.5.2 10.1.25.1
 ip nhrp network-id 200
 ip nhrp nhs 192.168.5.2
 ip nhrp cache non-authoritative
 tunnel source 10.1.4.2
 tunnel mode gre multipoint
!
interface FastEthernet1/0
 ip address 10.1.4.2 255.255.255.252

Here we’ve configured all the spokes. The “nhrp map multicast” command allows the router to send multicast traffic through the tunnel (i.e. for routing protocols). The “nhrp map [IP] [IP]” command maps the hub’s tunnel IP to its routable (NBMA) IP. The “network-id” command makes this group unique. The “nhrp nhs” command tells the local router who to send resolution requests to, which is how it learns who to form the dynamic tunnels with. Then we just have “tunnel source”, which is the source IP the tunnel uses, and “tunnel mode gre multipoint”, which makes this a point-to-multipoint tunnel; without this we wouldn’t have any dynamic tunnels forming.
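As an added example (not code from the original post), here is a small Python checker that tests a spoke’s Tunnel200 configuration against the hub’s using the NHRP relationships just described, with the R2 (hub) and R1 (spoke) lines from this lab pasted in as constructed input. The “tunnel protection ipsec profile” check looks for a real IOS command that this lab deliberately leaves out.

```python
# Added audit of a DMVPN spoke against its hub; the configs below are the post's R2 (hub) and R1 (spoke) Tunnel200 lines, used here as constructed input.
import re
from collections import defaultdict

HUB = """ ip address 192.168.5.2 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 tunnel source 10.1.25.1
 tunnel mode gre multipoint"""

SPOKE = """ ip address 192.168.5.1 255.255.255.0
 ip nhrp map multicast 10.1.25.1
 ip nhrp map 192.168.5.2 10.1.25.1
 ip nhrp network-id 200
 ip nhrp nhs 192.168.5.2
 tunnel source 10.1.1.2
 tunnel mode gre multipoint"""
# Order matters: the multicast map must be tried before the generic "ip nhrp map".
PATTERNS = [
    (r"ip address (\S+)", "tunnel_ip"),
    (r"ip nhrp map multicast (\S+)", "mcast"),
    (r"ip nhrp map (\S+ \S+)", "map"),          # "tunnel-IP NBMA-IP"
    (r"ip nhrp network-id (\d+)", "network_id"),
    (r"ip nhrp nhs (\S+)", "nhs"),
    (r"tunnel source (\S+)", "source"),
    (r"tunnel mode gre multipoint", "multipoint"),
    (r"tunnel protection ipsec profile", "protected"),  # real IOS command, not used in this lab
]

def parse_tunnel(cfg):
    """Map each setting name to the set of values seen on this Tunnel interface."""
    t = defaultdict(set)
    for line in cfg.splitlines():
        for pat, key in PATTERNS:
            if m := re.match(pat, line.strip()):
                t[key].add(m.group(m.lastindex or 0))  # captured value, or the whole line for flags
                break
    return t

def audit_spoke(hub_cfg, spoke_cfg):
    """Return a list of findings; an empty list means the spoke is consistent with the hub."""
    hub, spoke = parse_tunnel(hub_cfg), parse_tunnel(spoke_cfg)
    hub_ip, hub_nbma = next(iter(hub["tunnel_ip"])), next(iter(hub["source"]))
    checks = [
        (spoke["network_id"] == hub["network_id"], "network-id differs from hub"),
        (hub_ip in spoke["nhs"], "nhs is not the hub tunnel IP"),
        (f"{hub_ip} {hub_nbma}" in spoke["map"], "static map hub-tunnel-IP -> hub-NBMA missing or wrong"),
        (hub_nbma in spoke["mcast"], "no multicast map to hub NBMA (routing protocol hellos won't reach it)"),
        (spoke["multipoint"], "not gre multipoint: no dynamic spoke-to-spoke tunnels"),
        (hub["protected"] and spoke["protected"], "no tunnel protection: GRE/NHRP travel in cleartext"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run against the lab configs it reports only the missing tunnel protection, which matches the post’s note that no encryption was configured.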

Now the cool part, dynamic tunnels:

R4#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
 
Tunnel200, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1       10.1.25.1     192.168.5.2    UP 00:00:32 S

Here we see the tunnel to the hub. Now we’ll ping one of the spokes and see what happens:

R4#ping 192.168.5.3
Sending 5, 100-byte ICMP Echos to 192.168.5.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/24 ms
 
R4#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
 
Tunnel200, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1       10.1.25.1     192.168.5.2    UP 00:02:19 S
     1        10.1.3.2     192.168.5.3    UP 00:00:36 D

Look at that! We have now formed a dynamic tunnel to R3; notice it’s marked with a D (dynamic) instead of the S (static) shown for R2, the hub.

I really like DMVPN and I hope to work with it on a large scale in the future. I didn’t do any encryption with this as it was already pretty long, but I definitely encourage people to play with it. That’s all I have for today, I hope other people find this as cool as I do.

The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)

Colby

Colby Glass has been in IT since 2002. He is currently a Systems Engineer (presales) with a Cisco Gold partner and holds the CCNP R/S, CCNP DC, CCDP, CCIP, JNCIA-ER.
