DMVPN
When looking into the various VPN solutions provided by Cisco you may ask yourself why some are even necessary, especially when providing transport over shared services such as MPLS, VPLS, Carrier Ethernet, etc. Most VPN solutions are used for one particular reason: encryption, whether it's over those shared links or over the internet.
In this section we will be looking at Dynamic Multipoint Virtual Private Networks (DMVPN). DMVPN provides 3 potential phases for communication between hubs and spokes and can be used over the internet or internally through PAT connectivity, with or without encryption.
One thing to be aware of when dealing with VPN connectivity over the internet and through client-based NAT connectivity: DMVPN will not work when multiple clients share an external NAT address. FlexVPN works over shared external NAT addresses; DMVPN does not work with overloaded NAT or PAT connectivity.
DMVPN is an IKE and IPSEC based communication mechanism that allows spokes to communicate dynamically in an authenticated and encrypted point to point or point to multipoint VPN solution. The DMVPN spoke can create IPSEC tunnels to 1 or more hubs and can potentially create IPSEC tunnels to other spokes, depending on the phase chosen and the configuration.
DMVPN has 3 phases:
- Phase 1
  - Spoke to hub connectivity only; all communication must go through the hub in order to reach other spokes
- Phase 2
  - Provides dynamic spoke to spoke connectivity
  - The spoke must make the connection to the hub initially, and the hub then tells the spoke how to create a tunnel directly with another spoke
- Phase 3
  - Like phase 2 it provides spoke to spoke connectivity, but it also increases the efficiency of routing by creating summaries to the spokes
*EIGRP requires the phase approach, OSPF does not require additional configuration for spoke to spoke communication
DMVPN provides the initial connectivity between hub and spokes but the underlying routing protocol provides direction, for example OSPF and EIGRP can be used to inform the spokes how to get to other spokes in the network.
There is a major difference between routing protocols: OSPF is a link-state protocol and doesn't require additional configuration for the phases, because it already provides the behaviour that EIGRP and RIP need extra commands for: no next-hop-self and no ip split-horizon.
DMVPN uses the Next Hop Resolution Protocol, NHRP, to provide the DMVPN connectivity through an mGRE, or multipoint GRE, configuration. NHRP uses mapping commands to map the Next-Hop-Server, NHS, to the external IP address (if using the internet), and it also uses mapping for multicast, as you'll see in the configuration below.
Keep in mind that DMVPN uses Virtual Tunnel Interfaces, VTIs, to provide route-based VPN connectivity and can be used unencrypted or with encrypted transport through IPSEC tunnel protection profiles. DMVPN supports IKEv1 (isakmp) & IKEv2 for its initial phase 1 & phase 2 confidentiality & integrity.
Phase 1 DMVPN allows a spoke to talk to a hub device and only the hub device; for spoke to spoke configuration check out the next section, Phase 2. Here we will go over the configuration commands to configure a single hub and spokes:
Hub 1
interface tunnel10
ip address 172.16.10.1 255.255.255.0 - This is the NHS server tunnel IP address that will be used on the spokes
ip nhrp network-id 10 - This is the only NHRP required configuration on the hub
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.1 255.255.255.0 - The external IP address used to connect to the internet or network
Spoke device 3
interface tunnel10
ip address 172.16.10.3 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.3 255.255.255.0 - The external IP address used to connect to the internet or network
Spoke device 4
interface tunnel10
ip address 172.16.10.4 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the NHRP real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.4 255.255.255.0 - The external IP address used to connect to the internet or network
Phase 2 DMVPN allows a spoke to talk to other spoke devices directly after the initial registration to the NHS hub. Here we will go over the configuration commands to configure a single hub and spokes:
Hub 1
interface tunnel10
ip address 172.16.10.1 255.255.255.0 - This is the NHS server tunnel IP address that will be used on the spokes
*no ip next-hop-self eigrp 1 - EIGRP works by telling the neighbor to use itself as the next hop, this changes that
*no ip split-horizon eigrp 1 - Disabling split horizon allows sending learned routes out the interface they were learned
*ip nhrp map multicast dynamic - Allows the forwarding of multicast traffic between the spokes dynamically
ip nhrp network-id 10 - This is the only NHRP required configuration on the hub
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.1 255.255.255.0 - The external IP address used to connect to the internet or network
Spoke device 3
interface tunnel10
ip address 172.16.10.3 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.3 255.255.255.0 - The external IP address used to connect to the internet or network
Spoke device 4
interface tunnel10
ip address 172.16.10.4 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the NHRP real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.4 255.255.255.0 - The external IP address used to connect to the internet or network
Phase 3 DMVPN allows a spoke to talk to other spoke devices directly after the initial registration to the NHS hub. Here we will go over the configuration commands to configure a single hub and spokes:
Hub 1
interface tunnel10
ip address 172.16.10.1 255.255.255.0 - This is the NHS server tunnel IP address that will be used on the spokes
no ip next-hop-self eigrp 1 - EIGRP works by telling the neighbor to use itself as the next hop, this changes that
no ip split-horizon eigrp 1 - Disabling split horizon allows sending learned routes out the interface they were learned
ip nhrp map multicast dynamic - Allows the forwarding of multicast traffic between the spokes dynamically
ip nhrp network-id 10 - This is the only NHRP required configuration on the hub
*ip nhrp redirect - Tells the spokes to use the summary addresses to traverse spoke to spoke directly without initially going through the hub first
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.1 255.255.255.0 - The external IP address used to connect to the internet or network
router eigrp DMVPN - Creates the EIGRP process
address-family ipv4 unicast autonomous-system 1 - Enters the address-family for IPv4 unicast in autonomous-system 1
af-interface Tunnel10 - Enter address-family interface configuration for the DMVPN tunnel interface
summary-address 10.0.0.0/8 - Specifies the summary-address to send to the spokes
Spoke device 3
interface tunnel10
ip address 172.16.10.3 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
*ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.3 255.255.255.0 - The external IP address used to connect to the internet or network
Spoke device 4
interface tunnel10
ip address 172.16.10.4 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the NHRP real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
*ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.4 255.255.255.0 - The external IP address used to connect to the internet or network
Dual hub allows multiple hubs in a single shared location. As you can see, the NHS addresses of the two hubs are on the same network (172.16.10.1 & 172.16.10.2), and the network-id and tunnel key are the same as well. Here we will go over the configuration commands to configure a dual hub and spokes:
Hub 1
interface tunnel10
ip address 172.16.10.1 255.255.255.0 - This is the NHS server tunnel IP address that will be used on the spokes
no ip next-hop-self eigrp 1 - EIGRP works by telling the neighbor to use itself as the next hop, this changes that
no ip split-horizon eigrp 1 - Disabling split horizon allows sending learned routes out the interface they were learned
ip nhrp map multicast dynamic - Allows the forwarding of multicast traffic between the spokes dynamically
ip nhrp network-id 10 - This is the only NHRP required configuration on the hub
*ip nhrp redirect - Tells the spokes to use the summary addresses to traverse spoke to spoke directly without initially going through the hub first
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
Hub 2
interface tunnel10
ip address 172.16.10.2 255.255.255.0 - This is the NHS server tunnel IP address that will be used on the spokes
no ip next-hop-self eigrp 1 - EIGRP works by telling the neighbor to use itself as the next hop, this changes that
no ip split-horizon eigrp 1 - Disabling split horizon allows sending learned routes out the interface they were learned
ip nhrp map multicast dynamic - Allows the forwarding of multicast traffic between the spokes dynamically
ip nhrp network-id 10 - This is the only NHRP required configuration on the hub
ip nhrp redirect - Tells the spokes to use the summary addresses to traverse spoke to spoke directly without initially going through the hub first
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.2 255.255.255.0 - The external IP address used to connect to the internet or network
router eigrp DMVPN - Creates the EIGRP process
address-family ipv4 unicast autonomous-system 1 - Enters the address-family for IPv4 unicast in autonomous-system 1
af-interface Tunnel10 - Enter address-family interface configuration for the DMVPN tunnel interface
summary-address 10.0.0.0/8 - Specifies the summary-address to send to the spokes
Spoke device 3
interface tunnel10
ip address 172.16.10.3 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
*ip nhrp map 172.16.10.2 1.1.1.2 - NHRP must map the NHS to the external IP address connecting the hub to the internet
*ip nhrp map multicast 1.1.1.2 - If you are going to run multicast you need to map it to the real interface IP
*ip nhrp nhs 172.16.10.2 - You must specify the NHS, next hop server
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.3 255.255.255.0 - The external IP address used to connect to the internet or network
Spoke device 4
interface tunnel10
ip address 172.16.10.4 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the NHRP real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
*ip nhrp map 172.16.10.2 1.1.1.2 - NHRP must map the NHS to the external IP address connecting the hub to the internet
*ip nhrp map multicast 1.1.1.2 - If you are going to run multicast you need to map it to the real interface IP
*ip nhrp nhs 172.16.10.2 - You must specify the NHS, next hop server
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.4 255.255.255.0 - The external IP address used to connect to the internet or network
Dual cloud allows multiple hubs in geographically separated locations, such as west coast and east coast. As you can see, the NHS for each hub is on a different network (172.16.10.1 & 172.16.20.1), and the network-id and tunnel key are different as well. Here we will go over the configuration commands to configure a dual cloud and spokes:
Hub 1
interface tunnel10
ip address 172.16.10.1 255.255.255.0 - This is the NHS server tunnel IP address that will be used on the spokes
no ip next-hop-self eigrp 1 - EIGRP works by telling the neighbor to use itself as the next hop, this changes that
no ip split-horizon eigrp 1 - Disabling split horizon allows sending learned routes out the interface they were learned
ip nhrp map multicast dynamic - Allows the forwarding of multicast traffic between the spokes dynamically
ip nhrp network-id 10 - This is the only NHRP required configuration on the hub
ip nhrp redirect - Tells the spokes to use the summary addresses to traverse spoke to spoke directly without initially going through the hub first
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
Hub 2
interface tunnel20
ip address 172.16.20.1 255.255.255.0 - This is the NHS server tunnel IP address that will be used on the spokes
no ip next-hop-self eigrp 1 - EIGRP works by telling the neighbor to use itself as the next hop, this changes that
no ip split-horizon eigrp 1 - Disabling split horizon allows sending learned routes out the interface they were learned
ip nhrp map multicast dynamic - Allows the forwarding of multicast traffic between the spokes dynamically
ip nhrp network-id 20 - This is the only NHRP required configuration on the hub
ip nhrp redirect - Tells the spokes to use the summary addresses to traverse spoke to spoke directly without initially going through the hub first
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 20 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 2.2.2.1 255.255.255.0 - The external IP address used to connect to the internet or network
router eigrp DMVPN - Creates the EIGRP process
address-family ipv4 unicast autonomous-system 1 - Enters the address-family for IPv4 unicast in autonomous-system 1
af-interface Tunnel20 - Enter address-family interface configuration for the DMVPN tunnel interface
summary-address 10.0.0.0/8 - Specifies the summary-address to send to the spokes
Spoke device 3
interface tunnel10
ip address 172.16.10.3 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface tunnel20
ip address 172.16.20.3 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.20.1 2.2.2.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 2.2.2.1 - If you are going to run multicast you need to map it to the real interface IP
ip nhrp network-id 20 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.20.1 - You must specify the NHS, next hop server
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 20 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.3 255.255.255.0 - The external IP address used to connect to the internet or network
Spoke device 4
interface tunnel10
ip address 172.16.10.4 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.10.1 1.1.1.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.1 - If you are going to run multicast you need to map it to the NHRP real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.10.1 - You must specify the NHS, next hop server
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface tunnel20
ip address 172.16.20.4 255.255.255.0 - IP address of the spoke VTI
ip nhrp map 172.16.20.1 2.2.2.1 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 2.2.2.1 - If you are going to run multicast you need to map it to the real interface IP
ip nhrp network-id 20 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.20.1 - You must specify the NHS, next hop server
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 20 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
interface ethernet0/0
ip address 1.1.1.4 255.255.255.0 - The external IP address used to connect to the internet or network
DMVPN EIGRP Dual Cloud - Encryption and alternate configs
In this section we will be looking at a Dual Hub EIGRP Phase 3 configuration that also includes encryption configuration on the tunnel, as well as an alternate NHS/NBMA/multicast configuration on R17.
IKEv1/isakmp/ipsec encryption
crypto isakmp policy 1 - Creates an isakmp policy labeled: 1
encryption aes - Specifies isakmp encryption to aes
hash sha - Specifies the authentication hash as sha
group 2 - Specifies Diffie-Hellman, DH, to group 2
authentication pre-share - Specifies isakmp authentication to use a PSK
crypto isakmp key dmvpnkey address 0.0.0.0 - Specifies the isakmp key "dmvpnkey" to all requestors
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac - Specifies ipsec encryption and authentication to esp and sha
mode transport - Sets the ipsec mode to transport rather than tunnel
crypto ipsec profile profile1 - Creates the ipsec profile "profile1"
set security-association lifetime seconds 7200 - Sets the ipsec sa lifetime to 120 minutes
set transform-set aes128 - Tell the ipsec profile to use the transform-set "aes128"
Hub 1
interface tunnel10
ip address 172.16.0.14 255.255.255.0 - This is the NHS server tunnel IP address that will be used on the spokes
no ip next-hop-self eigrp 1 - EIGRP works by telling the neighbor to use itself as the next hop, this changes that
no ip split-horizon eigrp 1 - Disabling split horizon allows sending learned routes out the interface they were learned
*ip nhrp authentication dmvpnkey - Configures NHRP authentication, the keys must match on the spokes to work
ip nhrp map multicast dynamic - Allows the forwarding of multicast traffic between the spokes dynamically
ip nhrp network-id 10 - This is the only NHRP required configuration on the hub
ip nhrp redirect - Tells the spokes to use the summary addresses to traverse spoke to spoke directly without initially going through the hub first
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
tunnel protection ipsec profile profile1 - Configures ipsec tunnel protection
interface ethernet0/0
ip address 1.1.1.14 255.255.255.0 - The external IP address used to connect to the internet or network
interface loopback0
ip address 14.14.14.14 255.255.255.255 - Loopback address
Hub 2
interface tunnel20
ip address 172.16.1.15 255.255.255.0 - This is the NHS server tunnel IP address that will be used on the spokes
no ip next-hop-self eigrp 1 - EIGRP works by telling the neighbor to use itself as the next hop, this changes that
no ip split-horizon eigrp 1 - Disabling split horizon allows sending learned routes out the interface they were learned
*ip nhrp authentication dmvpnkey - Configures NHRP authentication, the keys must match on the spokes to work
ip nhrp map multicast dynamic - Allows the forwarding of multicast traffic between the spokes dynamically
ip nhrp network-id 20 - This is the only NHRP required configuration on the hub
ip nhrp redirect - Tells the spokes to use the summary addresses to traverse spoke to spoke directly without initially going through the hub first
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 20 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
tunnel protection ipsec profile profile1 - Configures ipsec tunnel protection
interface ethernet0/0
ip address 1.1.1.15 255.255.255.0 - The external IP address used to connect to the internet or network
interface loopback0
ip address 15.15.15.15 255.255.255.255 - Loopback address
Spoke device 3
interface tunnel10
ip address 172.16.0.16 255.255.255.0 - IP address of the spoke VTI
*ip nhrp authentication dmvpnkey - Configures NHRP authentication, the keys must match on the spokes to work
ip nhrp map 172.16.0.14 1.1.1.14 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.14 - If you are going to run multicast you need to map it to the real interface IP
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.0.14 - You must specify the NHS, next hop server
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
tunnel protection ipsec profile profile1 shared - You must include the "shared" command if the tunnel source is the same across tunnels
interface tunnel20
ip address 172.16.1.16 255.255.255.0 - IP address of the spoke VTI
*ip nhrp authentication dmvpnkey - Configures NHRP authentication, the keys must match on the spokes to work
ip nhrp map 172.16.1.15 1.1.1.15 - NHRP must map the NHS to the external IP address connecting the hub to the internet
ip nhrp map multicast 1.1.1.15 - If you are going to run multicast you need to map it to the real interface IP
ip nhrp network-id 20 - The network-id must match for the NHRP process to function
ip nhrp nhs 172.16.1.15 - You must specify the NHS, next hop server
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 20 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
tunnel protection ipsec profile profile1 shared - You must include the "shared" command if the tunnel source is the same across tunnels
interface ethernet0/0
ip address 1.1.1.16 255.255.255.0 - The external IP address used to connect to the internet or network
interface loopback0
ip address 16.16.16.16 255.255.255.255 - Loopback address
Spoke device 4
interface tunnel10
ip address 172.16.0.17 255.255.255.0 - IP address of the spoke VTI
*ip nhrp authentication dmvpnkey - Configures NHRP authentication, the keys must match on the spokes to work
ip nhrp network-id 10 - The network-id must match for the NHRP process to function
*ip nhrp nhs 172.16.0.14 nbma 1.1.1.14 multicast - Specifies nhs, nbma, and multicast in a single line
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 10 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
tunnel protection ipsec profile profile1 shared - You must include the "shared" command if the tunnel source is the same across tunnels
interface tunnel20
ip address 172.16.1.17 255.255.255.0 - IP address of the spoke VTI
*ip nhrp authentication dmvpnkey - Configures NHRP authentication, the keys must match on the spokes to work
ip nhrp network-id 20 - The network-id must match for the NHRP process to function
*ip nhrp nhs 172.16.1.15 nbma 1.1.1.15 multicast - Specifies nhs, nbma, and multicast in a single line
ip nhrp shortcut - Works with the hub's "ip nhrp redirect" for spoke to spoke summaries
tunnel source ethernet0/0 - You must specify the tunnel source, as with all VTI tunnels
tunnel mode gre multipoint - DMVPN is considered and must be configured as gre multipoint
tunnel key 20 - The tunnel key will distinguish the DMVPN tunnels when there is more than one
tunnel protection ipsec profile profile1 shared - You must include the "shared" command if the tunnel source is the same across tunnels
interface ethernet0/0
ip address 1.1.1.17 255.255.255.0 - The external IP address used to connect to the internet or network
interface loopback0
ip address 17.17.17.17 255.255.255.255 - Loopback address
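The script below is an added example, not part of the original page or of any Cisco tooling: it reads configuration written in the annotated "command - note" style used above and reports the DMVPN settings this page walks through, namely missing IPsec tunnel protection, missing NHRP authentication, an NHS that sits outside the tunnel's own subnet or has no NBMA mapping, and the group 2 / all-requestors ISAKMP key choices. The function names `parse` and `audit` and the sample input are constructed for illustration; the sample reuses the page's lab addressing.

```python
import ipaddress
import re

# Constructed sample in the page's "command - note" style, reusing its lab
# addressing. tunnel10 points at an NHS from the other cloud; tunnel20 has
# neither IPsec protection nor NHRP authentication.
SAMPLE = """\
crypto isakmp policy 1
encryption aes
hash sha
group 2 - Diffie-Hellman group 2
authentication pre-share
crypto isakmp key dmvpnkey address 0.0.0.0 - key offered to all requestors
interface tunnel10
ip address 172.16.0.17 255.255.255.0
*ip nhrp authentication dmvpnkey
ip nhrp network-id 10
*ip nhrp nhs 172.16.1.15 nbma 1.1.1.15 multicast
tunnel mode gre multipoint
tunnel protection ipsec profile profile1 shared
interface tunnel20
ip address 172.16.1.17 255.255.255.0
ip nhrp map 172.16.1.15 1.1.1.15
ip nhrp network-id 20
ip nhrp nhs 172.16.1.15
tunnel mode gre multipoint
"""

WEAK_DH_GROUPS = {1, 2, 5}  # MODP groups of 1536 bits or less


def parse(text):
    """Return (global_lines, {interface_name: [commands]}) without annotations."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        # Drop the " - note" annotation and the page's leading "*" marker.
        line = raw.split(" - ", 1)[0].strip().lstrip("*").strip()
        if not line:
            continue
        m = re.fullmatch(r"interface\s+(\S+)", line, re.I)
        if m:
            current = interfaces.setdefault(m.group(1).lower(), [])
            continue
        if re.match(r"(crypto|router)\s", line):
            current = None  # a global command ends the interface block
        (global_lines if current is None else current).append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of (scope, finding) tuples for one device's config."""
    global_lines, interfaces = parse(text)
    findings, in_policy = [], False
    for line in global_lines:
        if line.startswith("crypto "):
            in_policy = line.startswith("crypto isakmp policy")
        m = re.fullmatch(r"group (\d+)", line)
        if in_policy and m and int(m.group(1)) in WEAK_DH_GROUPS:
            findings.append(("isakmp", f"weak Diffie-Hellman group {m.group(1)}"))
        if re.fullmatch(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?", line):
            findings.append(("isakmp", "wildcard pre-shared key"))
    for name, cmds in interfaces.items():
        if "tunnel mode gre multipoint" not in cmds:
            continue  # only mGRE (DMVPN) tunnels are checked
        if not any(c.startswith("tunnel protection ipsec profile ") for c in cmds):
            findings.append((name, "no IPsec tunnel protection"))
        if not any(c.startswith("ip nhrp authentication ") for c in cmds):
            findings.append((name, "no NHRP authentication"))
        net = None
        for c in cmds:
            m = re.fullmatch(r"ip address (\S+) (\S+)", c)
            if m:
                net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        # Static "ip nhrp map <tunnel-ip> <nbma-ip>" entries (not the multicast ones).
        mapped = {m.group(1) for c in cmds
                  if (m := re.fullmatch(r"ip nhrp map (\d\S*) (\S+)", c))}
        for c in cmds:
            m = re.fullmatch(r"ip nhrp nhs (\S+)(?: nbma (\S+))?(?: multicast)?", c)
            if not m:
                continue
            nhs, nbma = m.groups()
            try:
                outside = net is not None and ipaddress.ip_address(nhs) not in net
            except ValueError:
                findings.append((name, f"NHS {nhs} is not a valid IP address"))
                continue
            if outside:
                findings.append((name, f"NHS {nhs} is outside tunnel subnet {net}"))
            if nbma is None and nhs not in mapped:
                findings.append((name, f"NHS {nhs} has no NBMA mapping"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```
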