DYNAMIC MULTIPOINT VPN (DMVPN)

DMVPN is a combination of four components:

  1. Multipoint GRE (mGRE).
  2. Next Hop Resolution Protocol (NHRP).
  3. IPsec encryption of the GRE tunnels.
  4. A dynamic routing protocol running over the tunnels.

Phase 1:

  • All traffic between spokes goes Spoke1 -> Hub -> Spoke2 (no spoke-to-spoke tunnels).
  • mGRE runs on the hub only; each spoke uses a point-to-point GRE tunnel whose tunnel destination is the hub's public (NBMA) IP address. Removing that destination and making the spoke tunnel multipoint turns the design into Phase 2 or Phase 3.
  • Route summarization and default routing from the hub to the spokes are ALLOWED, since the spokes send everything to the hub anyway.
  • The next hop on the spokes is always the hub: the hub rewrites the next hop to itself when it re-advertises one spoke's prefixes to another.

Multiple spokes behind one hub tunnel interface (split-horizon issue): because every spoke is reached through the same mGRE interface, split horizon stops the hub from re-advertising Spoke1's routes back out that interface to Spoke2. Two fixes, per protocol:

  For RIP:   no ip split-horizon (on the hub tunnel interface)
             OR default-information originate (under router rip on the hub), so the spokes only receive a default route
  For EIGRP: no ip split-horizon eigrp 1 (on the hub tunnel interface)
             OR ip summary-address eigrp 1 0.0.0.0 0.0.0.0 (on the hub tunnel interface; the summary is sent even with split horizon still on)

  Notice the split-horizon command differs between RIP and EIGRP: the EIGRP version takes the AS number.
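Added example (not part of the original notes): a minimal Phase 1 hub and spoke configuration with EIGRP AS 1, showing the mGRE hub, the point-to-point spoke tunnel pinned to the hub, and the EIGRP split-horizon fix described above. Addresses (hub public 203.0.113.1, spoke public 198.51.100.2, tunnel subnet 10.0.0.0/24, LANs 192.168.x.0/24), interface names, and the NHRP network-id and authentication string are assumptions; IPsec protection is left out here to keep the focus on GRE, NHRP and routing.

```cisco
! Added example (not from the original notes): DMVPN Phase 1 with EIGRP AS 1.
! Assumed addresses: hub public 203.0.113.1, spoke public 198.51.100.2,
! tunnel subnet 10.0.0.0/24, hub LAN 192.168.0.0/24, spoke LAN 192.168.2.0/24.
! IPsec protection omitted.
!
! ----- HUB: the only mGRE endpoint -----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map multicast dynamic      ! replicate EIGRP hellos to every spoke that registers
 ! All spokes sit behind this one interface, so split horizon would hide
 ! Spoke1's prefixes from Spoke2. Either disable it ...
 no ip split-horizon eigrp 1
 ! ... or leave it on and hand the spokes a default summary instead:
 ! ip summary-address eigrp 1 0.0.0.0 0.0.0.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
!
! ----- SPOKE: point-to-point GRE, destination fixed to the hub -----
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1     ! this line is what makes the design Phase 1
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map 10.0.0.1 203.0.113.1   ! hub tunnel IP -> hub NBMA (public) IP
 ip nhrp map multicast 203.0.113.1  ! send EIGRP hellos to the hub
 ip nhrp nhs 10.0.0.1               ! register with the hub as next-hop server
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
!
! Verify on the spoke:
!   show ip route eigrp   -> every remote LAN (hub's and other spokes') has next hop 10.0.0.1
!   show dmvpn            -> a single static (S) entry for the hub
```

Everything a spoke learns points at 10.0.0.1, which is exactly why a default route from the hub is harmless in this phase.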

Phase 2:

  • mGRE runs on the hub AND the spokes; spokes build direct spoke-to-spoke tunnels after resolving each other's NBMA address through the hub with NHRP.
  • Route summarization and default routing from the hub to the spokes are NOT ALLOWED: a spoke must receive the specific prefix with the remote spoke's tunnel IP as next hop, otherwise it forwards to the hub and never triggers a spoke-to-spoke tunnel. For EIGRP this means the hub needs no ip next-hop-self eigrp 1 in addition to no ip split-horizon eigrp 1.
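Added example (not part of the original notes): the Phase 2 variant of the same hub and spoke, again with EIGRP AS 1. The differences from Phase 1 are the multipoint spoke tunnel, the preserved next hop on the hub, and the absence of any summary. Addresses, interface names and NHRP parameters are the same assumptions as before; IPsec protection is omitted.

```cisco
! Added example (not from the original notes): DMVPN Phase 2 with EIGRP AS 1.
! Assumed addresses: hub public 203.0.113.1, tunnel subnet 10.0.0.0/24,
! hub LAN 192.168.0.0/24, spoke LAN 192.168.2.0/24. IPsec protection omitted.
!
! ----- HUB -----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 1        ! re-advertise one spoke's routes to the other spokes ...
 no ip next-hop-self eigrp 1        ! ... keeping the originating spoke's tunnel IP as next hop
 ! No ip summary-address here: a spoke needs the specific prefix with its spoke
 ! next hop, or it forwards to the hub and never resolves the other spoke.
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
!
! ----- SPOKE: multipoint too, so it can terminate tunnels from other spokes -----
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint         ! replaces "tunnel destination <hub>" from Phase 1
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map 10.0.0.1 203.0.113.1   ! static mapping for the hub only; other spokes are resolved via NHRP
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
!
! Verify on a spoke after sending traffic towards another spoke's LAN:
!   show ip route eigrp   -> the remote LAN with next hop 10.0.0.3 (the other spoke), not 10.0.0.1
!   show dmvpn            -> a dynamic (D) entry for 10.0.0.3 carrying its NBMA address
```

If the next hop shown is still 10.0.0.1, either no ip next-hop-self eigrp 1 is missing on the hub or a summary is being sent; both keep the traffic hub-switched.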

Phase 3:

  • mGRE runs on the hub and the spokes.
  • Route summarization and default routing from the hub to the spokes are ALLOWED.
  • Summaries can be done with EIGRP or BGP at any point because their hierarchy is arbitrary; OSPF can only summarize at area boundaries (ABR/ASBR), which makes it a poor fit for this.
  • The routing next hop stays the hub (next-hop-self may remain on). On the first spoke-to-spoke packet the hub, configured with ip nhrp redirect, sends an NHRP redirect; the spoke, configured with ip nhrp shortcut, resolves the destination and installs a shortcut that overrides the next hop from the hub's tunnel IP to the remote spoke's tunnel IP.
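Added example (not part of the original notes): the Phase 3 variant of the same hub and spoke with EIGRP AS 1, showing the NHRP redirect/shortcut pair and the default summary that Phase 3 permits again. Addresses, interface names and NHRP parameters are the same assumptions as in the earlier examples; IPsec protection is omitted.

```cisco
! Added example (not from the original notes): DMVPN Phase 3 with EIGRP AS 1.
! Assumed addresses: hub public 203.0.113.1, tunnel subnet 10.0.0.0/24,
! hub LAN 192.168.0.0/24, spoke LAN 192.168.2.0/24. IPsec protection omitted.
!
! ----- HUB -----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map multicast dynamic
 ip nhrp redirect                            ! when hub-switching spoke-to-spoke traffic, tell the source spoke there is a shorter path
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0  ! summarization is fine again: spokes learn only a default via the hub
 ! next-hop-self stays at its default (on): the routing next hop is the hub,
 ! and NHRP shortcuts override it per destination in the data plane.
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
!
! ----- SPOKE -----
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut                            ! act on hub redirects: resolve the real destination and install a shortcut
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
!
! Verify on a spoke after the first packets to another spoke's LAN have been hub-switched:
!   show ip route eigrp    -> 0.0.0.0/0 via 10.0.0.1 is all EIGRP gives the spoke
!   show ip route nhrp     -> the remote LAN prefix as an NHRP (H) route via the remote spoke's tunnel IP
!   show ip nhrp shortcut  -> the shortcut cache entry that overrides the default route
```

The split between control plane and data plane is the point: EIGRP may be as summarized as you like, because NHRP, not the routing protocol, carries the per-destination spoke next hop.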

Notes:

  • To avoid unnecessary data-plane overhead, use IPsec transport mode instead of tunnel mode. Tunnel mode is the default for a transform set and adds a second outer IP header (20 bytes) that is redundant here because GRE already encapsulates the packet. Set the tunnel interface to ip mtu 1400 and ip tcp adjust-mss 1360 (40 bytes below the MTU, for the 20-byte IP and 20-byte TCP headers): 1360 is the largest TCP segment that crosses the DMVPN network without fragmentation. The MSS clamp only helps TCP; other protocols still rely on the 1400-byte tunnel MTU and path MTU discovery to avoid fragmentation.
  • In Phase 2 the hub must be configured with no ip next-hop-self eigrp 1 on its tunnel interface so that EIGRP advertises the originating spoke's tunnel IP as next hop and traffic goes directly spoke to spoke; without it the hub substitutes its own address and everything keeps transiting the hub.
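Added example (not part of the original notes): the IPsec protection for the DMVPN tunnel in transport mode, together with the MTU and MSS settings from the note above, applied identically on hub and spokes. The pre-shared key, algorithm choices, transform-set and profile names, and the interface are assumptions.

```cisco
! Added example (not from the original notes): IPsec protection for the DMVPN tunnel
! in transport mode plus the MTU/MSS settings from the notes. PSK, algorithms,
! names and interface are assumptions. Same configuration on hub and spokes.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard PSK so any spoke NBMA address can authenticate (assumed; certificates are the stronger choice).
crypto isakmp key DMVPN-PSK-CHANGE-ME address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport               ! default would be tunnel mode: an extra 20-byte IP header on top of GRE's
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip mtu 1400                  ! leaves room for GRE + ESP overhead inside a 1500-byte underlay MTU
 ip tcp adjust-mss 1360       ! 1400 - 20 (IP) - 20 (TCP); rewrites the MSS in TCP SYNs crossing the tunnel
 tunnel protection ipsec profile DMVPN-PROF
!
! Verify:
!   show crypto ipsec sa | include settings   -> "in use settings ={Transport, }"
!   show ip interface Tunnel0 | include MTU   -> "MTU is 1400 bytes"
```

If the SA shows Tunnel instead of Transport, the mode transport line under the transform set was missed and every packet is carrying the extra 20 bytes the note warns about.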