Friday, November 20, 2009

DMVPN for Hub & Spoke Topology

A project has been started to configure VPN between head office and remote branches. This was done simply by configuring site-to-site VPN (See my Blog) between remote branch (Peshawar) and Faisalabad (next hope) as we (Peshawar hope) are using it as our next hope to reach head office. After the basic configuration of site-to-site VPN, we done with it and the communication were successful between two remote offices. The problem arises when Faisalabad configured VPN with another remote office (Abbotabad) now when they start communication with them by giving their peer address under crypto map as shown below, as the link established between the two sites, ping (communication) breaks between Peshawar and Faisalabad when again peer address of Peshawar was given here so communication breaks with the other remote offices.

Hub-Router (config) # crypto map VPN_MAP 10 ipsec-isakmp
Hub-Router (config-crypto-map) # set peer 130.13.x.x


The main problem was that we had multiple sites which are using Faisalabad as their next hop, so it becomes HUB, now we required some method to configure VPN for HUB and SPOKE topology. After searching and goggling we came with the solution that DMVPN is the right choice for it.


A Dynamic Multipoint Virtual Private Network (DMVPN) is an up gradation of the virtual private network (VPN) configuration process of Cisco IOS-based routers. What DMVPN does is that it prevents the need of configuration of pre-defined static peers in crypto-map and ISAKMP peer statement. An IPsec tunnel between two Cisco routers may be created on an as needed basis. Tunnels may be created between a spoke router and a hub router or between spokes.

DMVPN Spoke is configured with one or more hub IP addresses. DMVPN hub IP addresses are typically static. DMVPN spoke IP addresses may be static, or dynamic. The spoke router is configured with the hub's IP address and allowing the spoke to connect to hub when it is online. The hub router does not need to be configured with the IP addresses of the spoke routers. This allows many-spoke VPN routers to be deployed without the need to configure additional peers on the hub.

For ROUTING we use dynamic routing protocol between the spokes and the hub, as well as other spokes. We can have the choice of using EIGRP or OSPF routing protocols between them as it is used commonly now a days, one of the reason is scalability. We used EIGRP for our internal routing.


I suppose that you are familiar with GRE tunneling configuration and sit-to-site VPN configuration, if not then look at here my blogs for step wise configuration of GRE and VPN as I will be talking about the remaining configuration that are required for DMVPN.

HUB Configuration:

HUB-Router (config) # interface tunnel 0
HUB-Router (config) # ip nhrp authentication cisco120
HUB-Router (config) # ip nhrp map multicast dynamic
HUB-Router (config) # ip nhrp network-id 10
HUB-Router (config) # no ip split-horizon eigrp 100

There is a reason why we use “no ip split-horizon” on hub, see here

HUB-Router (config) # tunnel source fastethernet 0/0
HUB-Router (config) # tunnel mode gre multipoint
HUB-Router (config) # tunnel key 0

Tunnel key is used on Point-to-Point or Multipoint

HUB-Router (config) # tunnel protection ipsec profile Cisco

Spoke Configuration:

SPOKE -Router (config) # interface tunnel 0
SPOKE -Router (config) # ip nhrp authentication cisco120
SPOKE -Router (config) # ip nhrp map multicast dynamic

Note: We can choose either static ip address or multicast (broadcasting/multicasting), if we choose dynamic it means that learn the destination address that are from client registration on hub

SPOKE -Router (config) # ip nhrp map 221.120.x.x

The first is the destination tunnel address and second is the public address of destination.

SPOKE-Router (config) # ip nhrp map multicast 221.120.x.x
SPOKE -Router (config) # ip nhrp network-id 10
SPOKE -Router (config) # ip nhrp nhs

Where “nhs” is the next hope server address

SPOKE -Router (config) # tunnel source fastethernet 0/0
SPOKE -Router (config) # tunnel mode gre multipoint
SPOKE -Router (config) # tunnel protection ipsec profile Cisco

NHRP is next-hope resolution protocol; not a routing protocol but it make use of routing information. The most prominent feature of NHRP is that it avoids extra router hopes in an NBMA.


You can further use the following command to verify and troubleshoot the configurations.

1. show crypto socket ("Display the crypto sockect between NHRP and IPSec)
2. show ip nhrp ("Display the next hope resolution protocol cache entries etc)
3. show ip route
4. show ip eigrp neighbor
5. show crypto ipsec sa ("Display the active channel)
6. show crypto engine connection active ("Display the total encrypted / decrypted SA)
7. show crypto isakmp sa ("Display isalmp security association state (SA)")

You can also do DEBUG for further understanding and logs

1. debug crypto ipsec
2. debig crypto isakmp
3. debug crypto engine
4. debug crypto socket

I hope this will be informative for you !

Cheers :)


nayyares said...

nice finding !

Anonymous said...

Dear Author !
Excuse, that I can not participate now in discussion - it is very occupied. But I will return - I will necessarily write that I think on this question.

Anonymous said...

I want to quote your post in my blog. It can?
And you et an account on Twitter?

Sohail Akhtar said...

@ Anonymous
Ofcourse you can link my post on your blog by giving my blog link as the reference.

Anonymous said...

This is the configuration between CE and PE ...what about the Ps configuration in the Core. Are you going to use PTCL BB network or someones else????

Shahid Nawaz

Anonymous said...

@Shahid Namaw.....!
Thnx for Reading me, yes ofcourse we are using PTCL (as we using DXX) this as a Main link for our communication and Telecome link as a Backup.

Cheers :)

Anonymous said...

why not:)

Anonymous said...

Today, I went to the beach with my children. I found a sea shell and
gave it to my 4 year old daughter and said "You can hear the ocean if you put this to your ear." She placed
the shell to her ear and screamed. There was a hermit crab inside and it pinched her
ear. She never wants to go back! LoL I know this is entirely off topic but I had
to tell someone!

my web site; occupational therapist assistant schools

Anonymous said...

Good info. Lucky me I found your site by accident (stumbleupon).
I have saved it for later!

Check out my weblog; Chiropractor Hip Adjustment Home

Anonymous said...

Good info. Lucky me I found your site by accident (stumbleupon).
I have saved it for later!

Also visit my web site Chiropractor Hip Adjustment Home

Anonymous said...

Thank you for sharing your info. I truly appreciate your efforts and I am waiting for your further write ups
thanks once again.

Stop by my weblog massage therapist uniforms

Anonymous said...

Hi, after reading this remarkable piece of writing i am too delighted to share
my experience here with colleagues.

My web-site

Anonymous said...

Magnificent goods from you, man. I have understand your stuff previous to and you are just too magnificent.
I really like what you've acquired here, really like what you are stating and the way in which you say it. You make it enjoyable and you still take care of to keep it sensible. I cant wait to read much more from you. This is actually a tremendous website.

Stop by my homepage Golf Schools Las Vegas

Anonymous said...

I am in fact grateful to the holder of this web site
who has shared this fantastic article at here.

My website massage therapist training

Anonymous said...

continuously i used to read smaller articles which also
clear their motive, and that is also happening with this article which I
am reading at this place.

Look at my web site - las vegas golf schools

Anonymous said...

Hi! I simply wish to give you a huge thumbs up for your great information
you have got right here on this post. I'll be coming back to your site for more soon.

Stop by my web page - Florist

Anonymous said...

magnificent points altogether, you just received a logo new reader.
What would you recommend about your submit that you made some days
in the past? Any positive?

Visit my web site :: personal injury attorney

Anonymous said...

I hardly comment, but i did a few searching and wound
up here "DMVPN for Hub & Spoke Topology".

And I do have a couple of questions for you if you usually do not mind.
Is it just me or does it look as if like a few of these remarks appear
like left by brain dead folks? :-P And, if you are posting on other online sites,
I'd like to keep up with everything new you have to post. Could you list of the complete urls of all your communal sites like your Facebook page, twitter feed, or linkedin profile?

Look at my website: Orlando Chiropractor

Anonymous said...

I really love your website.. Excellent colors & theme.
Did you build this website yourself? Please reply back as I'm looking to create my own blog and would like to know where you got this from or just what the theme is named. Many thanks!

Also visit my weblog - shogun japanese steakhouse sushi bar michigan

Fghkfhk Dfgaert said...

prada sunglasses
barcelona jersey
canada goose jackets
coach outlet online
basketball shoes
five fingers shoes
air huarache
coach outlet
polo ralph lauren
kevin durant shoes

love said...

off white clothing brand
pandora charms outlet
fitflops sale clearance
ferragamo outlet
coach factory outlet
hugo boss outlet
ralph lauren outlet
ralph lauren outlet
nike soldes

miki said...

0813jejebasket adidas nike pas cher Les travailleurs cortez nike femme kaki de la construction sont très souvent nike air max thea camel desert tenus de porter ces air jordan 11 retro price chaussures spécialement conçues par leurs asics gel lyte 3 pas cher chine employeurs. Ceux-ci sont généralement utilisés basket nike air tn dans de nombreux tournois sportifs internationaux. air jordan pas cher discount Il a reçu une air jordan noir homme pas cher réputation rapide et est cortez nike femme or devenu l'image avec le cow-boy américain. basket nike roshe run palmier