DMVPN Tutorial

February 14th, 2015 in ROUTE Knowledge

One of the most popular network topologies in practice today is shown below, with one HeadQuarter connecting to branch offices at several locations. The main enterprise resources are located in the HeadQuarter.


The router at the HeadQuarter undertakes the role of a Hub while branch routers take the role of Spokes. In this Hub-and-Spoke topology, each Branch can access some resources on the HeadQuarter. But there are some disadvantages with this topology:

+ When a Spoke wants to communicate with another Spoke, it must go through the Hub, which increases the traffic passing through the Hub, increases CPU and memory usage on the Hub and can create a bottleneck. This also increases latency for time-sensitive applications such as VoIP, video conferencing…
+ Each site requires a static public IP address if the network between them is public (like the Internet).
+ The configuration is complex, especially in a large network. When a new Spoke is added, additional configuration is required on the Hub.

Dynamic Multipoint VPN (DMVPN) is a Cisco solution that can be used to overcome these disadvantages. DMVPN provides the following advantages:

+ Provides full-mesh connectivity with a simple Hub-and-Spoke topology. The Spokes can communicate with each other without going through the Hub
+ Only one static public IP address is required, on the Hub. Spokes can use dynamic (unknown) public IP addresses
+ The configuration is simple even in a large network. No additional configuration is required on the Hub when new Spokes are added.


DMVPN provides full-meshed connectivity with Hub-and-Spoke topology

But notice that DMVPN is not a protocol; it is the combination of the following technologies:

+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

DMVPN combines multipoint GRE (mGRE) tunnels, IPSec encryption and NHRP (Next Hop Resolution Protocol) to do its job. It saves the administrator from having to define multiple static crypto maps and provides dynamic discovery of tunnel endpoints.

To keep this tutorial simple we only cover mGRE and NHRP.

Multipoint Generic Routing Encapsulation (mGRE)

Before talking about mGRE we should learn why we have to run GRE on DMVPN. The answer is simple: because we want to run IPSec on it. And why do we need IPSec? Because we want to use the cheap but insecure Internet (and other insecure public) connections at our sites.

As you may know, IPSec is a framework consisting of protocols and algorithms for protecting data through an untrusted IP network, such as the Internet. IPSec provides a secure tunneling method, but it does not support multicast and broadcast traffic, so popular routing protocols (OSPF, EIGRP, …) that rely on multicast cannot be used with IPSec directly. So we have to use GRE to “wrap” this multicast traffic. As a result, all traffic (including unicast, multicast and broadcast) between sites is encapsulated into GRE packets before being encrypted and sent over the network.

Now we know why GRE should be used here. But traditional GRE (sometimes called point-to-point or p2p GRE) also has its limitation: for each connection to a Spoke, the Hub router needs to establish a separate GRE tunnel. So when the number of Spokes increases, the Hub must increase the number of tunnels at the same rate, which means a lot of configuration on the Hub. This is where mGRE comes in.

An mGRE tunnel inherits the concept of a classic GRE tunnel, but an mGRE tunnel does not require a unique tunnel interface for each connection between Hub and Spoke like traditional GRE. One mGRE interface can handle multiple GRE tunnels at the other ends. Unlike classic GRE tunnels, the tunnel destination for an mGRE tunnel does not have to be configured, and all tunnels on Spokes connecting to the mGRE interface of the Hub can use the same subnet.


An mGRE tunnel is treated as a non-broadcast multi-access (NBMA) environment. An mGRE tunnel does not have to be configured with a tunnel destination, so we need another protocol to take care of the destination addresses. In this case NHRP is used for the NBMA environment.

Note: Besides the Tunnel IP address, each Spoke and Hub will have an NBMA IP address, which is a public IP address used as the tunnel source IP address. We post the configuration here as an example to help you understand more about the difference between these two IP addresses:

interface fa0/0
ip address
interface tunnel 1
ip address -> Tunnel IP address (private IP)
tunnel source fa0/0 -> NBMA IP address (public IP)
Spoke (Branch 3)
interface fa0/0
ip address
interface tunnel 1
ip address -> Tunnel IP address (private IP)
tunnel source fa0/0 -> NBMA IP address (public IP)

So the Tunnel address is the address configured under “interface tunnel” while the NBMA address is the address used as the source of the tunnel.


Next Hop Resolution Protocol (NHRP), defined in RFC 2332, is a Layer 2 address resolution protocol and cache, like Address Resolution Protocol (ARP). NHRP is used by a branch router connected to a non-broadcast, multi-access (NBMA) sub-network to determine the IP address of the “NBMA next hop”; in this case, the headend router or the destination IP address of another branch router.

NHRP is used to map tunnel IP addresses to the “physical” or “real” IP addresses used by endpoint routers. It resolves private addresses (those behind mGRE and optionally IPSec) to a public address. NHRP is a layer 2 resolution protocol and cache, much like Address Resolution Protocol (ARP) or Reverse ARP (Frame Relay).

For DMVPN to work correctly, it relies on NHRP to create a mapping database of all Spoke tunnels to real (public) IP addresses. When a Spoke joins a DMVPN network it will register itself with the Hub via NHRP. The NHRP Registration Process is described below:

+ When a Spoke joins a DMVPN network, it sends a Registration Request to the Hub, whose IP address has already been configured on the Spoke (via the “ip nhrp nhs <Hub IP address>” command)
+ The Registration Request contains the Spoke’s Tunnel and NBMA addresses along with the hold time. The Hub therefore does not need the Spoke’s IP addresses configured statically, which simplifies the Hub configuration
+ The Hub then creates an NHRP mapping entry in its NHRP cache (just like an ARP cache) to keep the mapping between the Spoke’s Tunnel and NBMA addresses. The hold time of this mapping equals the hold time in the Registration Request.
+ The Hub sends an NHRP Registration Reply to the Spoke to complete the process


NHRP Registration Process

+ The Spoke that sends the NHRP Registration Request is called the NHRP Client (NHC) while the Hub that replies to the request is called the NHRP Server (NHS).
+ The Spoke’s NBMA address is often its public IP and is obtained dynamically, while the Spoke’s Tunnel address is the private IP
+ NHRP mappings can be statically configured on both Spoke and Hub

A cool advantage of NHRP is the ability to help DMVPN establish direct Spoke-to-Spoke communication without going through the Hub. Let’s see how NHRP works in this case.


NHRP Resolution Process

1. Before a Spoke can directly send traffic to another Spoke, it must still query the Hub to get the NBMA address of the destination Spoke. To do this, the Spoke sends an NHRP Resolution Request to the Hub asking for the NBMA address of the destination Spoke.
2. The Hub replies with the NBMA (public) address of Spoke 3 (which is in this case). If the Hub does not know the NBMA address of Spoke 3 it will query Spoke 3 first.
3. The direct IPsec tunnel between the two Spokes is built only after that. But the Spoke-to-Spoke tunnel is only temporary and is torn down after a pre-configured period of inactivity to save resources.

+ If the NHS does not have an entry in its cache for the NHC’s query, the NHS returns an error and the Spoke will install an entry pointing to the NHS, so traffic must flow through the Hub
+ Instead of asking the NHS, the destination Spoke IP can be statically configured on the NHC.
+ “Resolution” is only used for Spoke-to-Spoke communication

Now let’s see the whole picture of how NHRP takes part in the routing process.

1. Suppose Spoke 1 wants to send traffic to network behind Spoke 2. It will look up its routing table and see an entry like this: … via, Tunnel0

(means this subnet was learned from next-hop via its Tunnel0)

2. Spoke 1 looks up its NHRP mapping table to search for the NBMA address of If it can’t find one, it will send an NHRP Resolution Request to get the mapping information from the Hub. Suppose the NBMA address of configured on Spoke 2 is
3. Now Spoke 1 has enough information to encapsulate original packets. It will encapsulate packets with IP source of (its NBMA address) and IP destination of (Spoke 2’s NBMA address) then send to the destination.
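
The registration, resolution and encapsulation steps described above can be traced in a small model. This is an added example, not Cisco code or code from the original tutorial: the class and method names, the 60-second lifetime of the fallback entry and all addresses (private and documentation ranges) are assumptions made for illustration.

```python
# Toy model of NHRP registration and resolution (illustration only, not Cisco code).
# All addresses used with it are constructed (RFC 1918 / RFC 5737 ranges).
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

@dataclass
class Mapping:
    nbma: IPv4Address   # public address used as the tunnel source
    expires: float      # time at which the hold time runs out

class Hub:
    """NHRP Server (NHS): keeps Tunnel address -> NBMA address mappings."""
    def __init__(self, tunnel, nbma):
        self.tunnel, self.nbma = ip_address(tunnel), ip_address(nbma)
        self.cache = {}

    def register(self, tunnel, nbma, hold_time, now):
        # Registration Request carries both addresses plus the hold time.
        self.cache[tunnel] = Mapping(nbma, now + hold_time)
        return True  # stands for the Registration Reply

    def resolve(self, tunnel, now):
        # Resolution Request: answer from the cache, or None for "no entry".
        entry = self.cache.get(tunnel)
        if entry is None or entry.expires <= now:
            self.cache.pop(tunnel, None)  # expired registrations are dropped
            return None
        return entry

class Spoke:
    """NHRP Client (NHC) with its own local mapping table."""
    def __init__(self, tunnel, nbma, hub):
        self.tunnel, self.nbma = ip_address(tunnel), ip_address(nbma)
        self.hub, self.cache = hub, {}

    def join(self, hold_time, now):
        return self.hub.register(self.tunnel, self.nbma, hold_time, now)

    def outer_header(self, next_hop, now):
        """Return (source NBMA, destination NBMA) for a packet to next_hop."""
        next_hop = ip_address(next_hop)
        entry = self.cache.get(next_hop)
        if entry is None or entry.expires <= now:
            # Ask the NHS; on "no entry" install a mapping that points to the Hub.
            # The 60 s lifetime of that fallback entry is an assumption of this model.
            entry = self.hub.resolve(next_hop, now) or Mapping(self.hub.nbma, now + 60)
            self.cache[next_hop] = entry
        return self.nbma, entry.nbma
```

Because every mapping carries the hold time from the Registration Request, a Spoke that stops registering ages out of the Hub's cache and traffic to it falls back to the Hub path.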


In the next part we will learn how to configure DMVPN.

  1. anonymous
    November 26th, 2017

    thank you

  2. anonymous
    November 26th, 2017

    thank you so much fella

  4. Noel
    December 23rd, 2017


    any one who has CCNP Route pdf file to share? i got video, but an additional resource like reading materials will give us a solid understanding. thanks. n o a @ y a h o o . c o m my email address

  5. Sandeep Singh
    January 17th, 2018

    Take a look on the DMVPN Article

    If you want to take a look on difference between DMVPN and IPSEC

  6. dumpspro
    January 26th, 2018

    latest dumps ccnp


  7. LATEST DUMPS + VCE Player + LABs + etc
    February 20th, 2018

    Guaranteed Latest Stuff to pass exam.
    20 US$ only

    Below link

  8. Anonymous
    March 22nd, 2018

    I am going to take switch 300-101 exam. Kindly anyone can share latest pdf file on the below address amin.asna89 @ gmail.com

  9. Adnan
    April 2nd, 2018

    Hello to all !

    Please, can you send me the 539q dumps ?

    My address email is adnan255 @ hotmail . com !

    Thank you for your support !!!

  10. Anonymous
    May 18th, 2018

    Very easy to understand article for a complex topic. Thank you!

  11. zaw lin
    May 22nd, 2018

    please give me CCNP update lab file
    Dmvpn & update
    {email not allowed}

  12. cool
    June 5th, 2018

    I passed the route exam today! Thanks 9tut. Your documents rocks especially the explanation of each items. It could be good to have more practical labs on various topic like bgp, dmvpn, gre etc.

  13. Sui_Generis
    July 28th, 2018

    Could someone please share Link to download the latest CCNP ROUTE 300-101 dumps

  14. dacy liam
    August 10th, 2018

    I loved the result I drew after studying through (300-101) Practice Test Questions I bought from (VceTests.com). I never had expected to do so well in just one attempt.

  15. exams4help
    August 10th, 2018

    Here we provide best study resource for your Cisco 300-101 exam and give guaranteed success. We have valuable study for our students and provide 300-101 dumps question. Download verified CCDP 300-101 exam questions and answers. Here you get complete solution with 300-101 pdf dumps.

  16. Anonymous
    September 3rd, 2018

    @dacy liam can you share your dumps for 300-101

  17. Cisco engineer
    September 9th, 2018

    Hello everyone.
    Please somebody could send me actual question to sys.yuriy at gmail.com.
    Thanks a lot.

  18. drfgg
    October 23rd, 2018

    W w w.

    mps.xyz/ccna_rs.p hp?utm_source=bbs&utm_medium=bbs

    The inside of this turn is real and effective, if you need it, you can go and see.

  19. cisco
    November 5th, 2018

    For dumps you can contact me
    xoomtrack at gmail

  20. 305Q&As
    January 19th, 2019

    GROUP Buy @ just 20$
    Just passed the CCNP Switch exam with 950/1000. the mcq are still very the same here.

    Here we go.
    Get EXAM MATERIAL at below:

    Copy below. Remove asterisks

  21. mm
    April 24th, 2019

    nice explanation

  22. Rick_and_morty
    July 17th, 2019

    His palms are sweaty, knees weak, arms are heavy
    There’s vomit on his sweater already, mom’s spaghetti
    He’s nervous, but on the surface he looks calm and ready

  23. Spoto Club
    August 2nd, 2019

    If you wish to gain more knowledge about the DMVPN, you should check out the training courses offered at the SPOTO CCIE Lab Sections.


  24. Anonymous
    August 3rd, 2019

    thanks you so much, really appreciate you.

  25. Anonymous
    August 22nd, 2019

    Thanks for the nice article. But I see tunnel mode gre multipoint under the int tunnel in phase 1. Seems it need to be corrected.

  26. maybe
    October 4th, 2019
  27. digitaltut
    October 5th, 2019

    @maybe: Thanks for your detection, we have just updated that link!

  29. Sam
    December 25th, 2019

    Hi, I want to give CCNP 300-101 route Exam. Is there any dumps available. Please help.
