
Tuesday, November 26, 2024

Setting Up Dual Hub DMVPNs: Redundancy Made Easy with Modern Cisco IOS


Dual Hub DMVPN Configuration Guide (Cisco IOS 15.9)

Dual Hub DMVPN: Complete Configuration & Optimization Guide

Introduction

Dynamic Multipoint Virtual Private Network (DMVPN) is Cisco's scalable overlay VPN for connecting many sites over a public transport network. Combined with a dual hub architecture it gives the overlay high availability: losing one hub does not take the spokes offline.

Core Concept: DMVPN is built from three pieces: multipoint GRE (mGRE) for the overlay tunnel interface, NHRP for mapping tunnel addresses to transport (NBMA) addresses and for registering spokes with the hubs, and IPsec tunnel protection for confidentiality and peer authentication.

Why Dual Hub DMVPN?

  • High Availability
  • Fault Tolerance
  • Load Sharing
  • Reduced Downtime
Real-world Scenario

If Hub1 fails, spokes continue to use Hub2, but the switchover is not instantaneous. Each spoke keeps an NHRP registration with both hubs and a routing adjacency with both, so failover is bounded by the routing protocol's hold timer (EIGRP hold time, OSPF dead interval) and, for NHRP itself, by the registration timeout derived from ip nhrp holdtime. Tune those timers to the outage you are willing to accept before relying on the redundancy.

Deployment Models

1. Single DMVPN Cloud

  • One tunnel interface
  • Two hubs (dual NHS)
  • Simple design

2. Dual DMVPN Cloud

  • Two tunnel interfaces per spoke, one per hub
  • Separate NHRP networks (distinct network-id and tunnel key per cloud)
  • Per-tunnel routing metrics give explicit control over which hub carries traffic

Single DMVPN Configuration

In this model all routers share one mGRE tunnel interface, one NHRP network-id and one tunnel key; each spoke registers with both hubs as next-hop servers (NHS).

Spoke Configuration

interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication DMVPNKEY       ! plaintext match string, must equal the hubs'; not a security control
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp map 192.168.1.1 HUB1_PUBLIC_IP
 ip nhrp map multicast HUB1_PUBLIC_IP   ! lets EIGRP/OSPF multicast hellos reach Hub1
 ip nhrp map 192.168.1.3 HUB2_PUBLIC_IP
 ip nhrp map multicast HUB2_PUBLIC_IP
 ip nhrp nhs 192.168.1.1                ! register with both hubs
 ip nhrp nhs 192.168.1.3
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC_PROFILE
Explanation

The ip nhrp map entries tell the spoke which transport (NBMA) address to use for each hub's tunnel address; the two ip nhrp nhs lines make the spoke register with both hubs, so either one can answer NHRP resolutions and carry traffic. The multicast maps are required for EIGRP or OSPF hellos to reach the hubs. The ip nhrp authentication string is a plaintext match token that only catches misconfiguration; peer authentication comes from IPsec, which is why tunnel protection belongs on every tunnel interface. Both hubs must use the same network-id, tunnel key and authentication string.
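Hub side of the single-cloud design, as an added example that is not part of the original post. It assumes EIGRP AS 100 on the overlay, the NHRP authentication string DMVPNKEY, the hub transport addresses HUB1_PUBLIC_IP and HUB2_PUBLIC_IP as placeholders, and an IPsec profile named IPSEC_PROFILE defined elsewhere (as the spoke configuration above already assumes). Hub2 additionally registers with Hub1 so the two hubs form an EIGRP adjacency over the cloud; that is a design choice of this example, not something the post specifies.

```cisco
! ---- Hub1 (added example; EIGRP AS 100, key DMVPNKEY and the LAN statements are assumptions)
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic       ! replicate EIGRP multicast to every spoke that registers
 ip nhrp network-id 1
 ip nhrp holdtime 600
 no ip split-horizon eigrp 100       ! re-advertise one spoke's prefixes out the same mGRE interface to the others
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 100
 network 192.168.1.0 0.0.0.255
 ! add Hub1's LAN network statements here
!
! ---- Hub2: identical cloud parameters (network-id, tunnel key, authentication string)
! so that every spoke can register with either hub. Hub2 also registers with Hub1
! (static map + nhs) so the hubs see each other over the cloud and peer in EIGRP.
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp map 192.168.1.1 HUB1_PUBLIC_IP
 ip nhrp map multicast HUB1_PUBLIC_IP
 ip nhrp nhs 192.168.1.1
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 100
 network 192.168.1.0 0.0.0.255
 ! add Hub2's LAN network statements here
```

Verify from a spoke with show ip nhrp nhs detail (both next-hop servers responding) and show dmvpn (two peers, both UP). With the spoke configuration shown above, traffic between spokes still transits whichever hub EIGRP prefers; adding ip nhrp redirect on both hubs and ip nhrp shortcut on the spokes moves the cloud to Phase 3 behaviour.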

Dual DMVPN Configuration

Each spoke connects to each hub over its own mGRE tunnel, with its own network-id and tunnel key, so the two clouds are independent NHRP domains.

interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map 192.168.1.1 HUB1_PUBLIC_IP
 ip nhrp map multicast HUB1_PUBLIC_IP
 ip nhrp nhs 192.168.1.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC_PROFILE

interface Tunnel1
 ip address 192.168.2.2 255.255.255.0
 ip nhrp network-id 2                 ! distinct NHRP network and tunnel key per cloud
 ip nhrp map 192.168.2.1 HUB2_PUBLIC_IP
 ip nhrp map multicast HUB2_PUBLIC_IP
 ip nhrp nhs 192.168.2.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile IPSEC_PROFILE
Benefits

Because each cloud is a separate interface, routing metrics (EIGRP delay, OSPF cost) can be set per tunnel, giving explicit primary/backup or load-sharing behaviour. If both tunnels shared one tunnel source, the IPsec profile would have to be applied with the shared keyword (tunnel protection ipsec profile IPSEC_PROFILE shared); here the sources differ, so it is not needed.

Routing Protocols

EIGRP

  • Easy metric manipulation (per-interface delay, offset-lists)
  • Fast convergence
  • Hub needs no ip split-horizon eigrp on the mGRE interface so prefixes learned from one spoke are re-advertised to the others

OSPF

  • More complex over NBMA: the network type must be chosen deliberately (point-to-multipoint for hub-and-spoke and Phase 3; broadcast with the hubs as DR/BDR and spokes at priority 0 for Phase 2)
  • Requires tuning (timers, cost per tunnel, area design)
Deep Comparison

EIGRP lets you prefer one hub by raising the delay on the tunnel towards the other, and it scales well because the hub can summarize (Phase 1 and Phase 3). OSPF uses cost-based routing and, with the broadcast network type, limits you to two hubs because only the DR and BDR can be hubs; tuning is manual and every spoke must agree on network type and timers.
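Traffic engineering across the two clouds, as an added example that is not from the post, covering both the per-tunnel metric control described under the dual-cloud benefits and the EIGRP tuning in the comparison above. It assumes EIGRP AS 100 on both tunnels, with Tunnel0 (cloud 1, Hub1) intended as primary and Tunnel1 (cloud 2, Hub2) as backup.

```cisco
! Spoke: prefer the cloud behind Hub1 by giving Tunnel1 a worse delay.
! delay is in tens of microseconds; IOS shows a tunnel's default as DLY 50000 usec.
! Both tunnels keep the same default bandwidth, so delay alone decides the EIGRP metric.
interface Tunnel0
 description DMVPN cloud 1 (Hub1) - primary
 delay 1000
!
interface Tunnel1
 description DMVPN cloud 2 (Hub2) - backup
 delay 2000
!
router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 ! site LAN network statements go here (assumed, not shown)
!
! Each hub, on its own mGRE interface: split horizon off, or prefixes learned
! from one spoke are never re-advertised to the others.
interface Tunnel0
 no ip split-horizon eigrp 100
```

The delay on the spoke is added to routes the spoke receives, so it controls the spoke-to-hub direction only; the return path is chosen by the hubs. Apply the same asymmetry on the hub side (higher delay on Hub2's tunnel, with a hub-to-hub link so Hub2 can reach the spoke via Hub1) or accept asymmetric routing. For OSPF the equivalent is ip ospf network point-to-multipoint on every tunnel plus ip ospf cost per tunnel. Check the result with show ip eigrp topology: prefixes advertised by both hubs should show the Tunnel0 path as successor and the Tunnel1 path as feasible successor, so a Tunnel0 failure converges without a query.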

Modern Cisco IOS (15.9) and DMVPN

  • NHRP registration and convergence behaviour has been refined across releases; maintenance releases carry the accumulated fixes
  • DMVPN Phase 3 (NHRP redirect and shortcut) has been available since IOS 12.4(6)T, so any maintained release supports it
  • Current IPsec/IKEv2 feature set (AES-GCM, SHA-2, ECDH groups)
  • show dmvpn, show ip nhrp nhs detail and debug nhrp for troubleshooting
Insight: Phase 2 and Phase 3 both build direct spoke-to-spoke tunnels; Phase 3 does it with NHRP redirect/shortcut, which lets the hub summarize routes instead of sending every spoke prefix to every spoke.

CLI Output Examples

Show DMVPN Status

show dmvpn

Legend: Attrb --> S - Static, D - Dynamic
Tunnel0, NHRP Details
Type:Spoke, NHRP Peers:2
Peer NBMA Addr: 10.1.1.1
Peer NBMA Addr: 10.1.1.2

Debug Output

*Mar 1 12:00:01: NHRP: Resolution request sent
*Mar 1 12:00:02: NHRP: Resolution reply received
CLI Explanation

show dmvpn lists each NHRP peer with its NBMA (transport) address, tunnel address, state and attribute (S for a static map such as the two hubs, D for a dynamically learned spoke). On a healthy spoke both hubs show state UP; show ip nhrp nhs detail should show both next-hop servers as responding, and show crypto session confirms the IPsec SAs behind them. The debug nhrp lines show the spoke asking its NHS for the NBMA address of a remote tunnel address and receiving the reply.

Key Takeaways

  • Dual Hub DMVPN removes the hub as a single point of failure; failover speed is set by routing and NHRP timers
  • Single cloud = one tunnel, one NHRP network, simpler, less control over which hub carries traffic
  • Dual cloud = two tunnels, per-tunnel metrics, more control
  • EIGRP is the easier protocol to tune over DMVPN; OSPF works but needs the right network type
  • Run a current IOS release for the NHRP fixes and the modern IPsec/IKEv2 algorithms

Conclusion

Dual hub DMVPN designs provide scalable, resilient, and efficient networking solutions. Choosing between single and dual DMVPN depends on complexity vs control requirements.

Monday, November 25, 2024

DMVPN Phase 3: Enhancing Scalability and Performance in VPN Networks

Dynamic Multipoint Virtual Private Network (DMVPN) is a Cisco technology used to simplify the deployment of large-scale VPNs. DMVPN Phase 3 is a refinement introduced to address the scalability and performance limitations observed in DMVPN Phase 2. Below is a breakdown of key aspects of DMVPN Phase 3, comparisons to previous phases, and considerations for older and newer routers.

---

### **Disadvantages of DMVPN Phase 2**
1. **Scalability**:
   - **Daisy-Chaining of Hubs**: With several hubs, Phase 2 needs the hubs chained as each other's next-hop servers so that NHRP resolutions can reach every spoke, which complicates the design and, with OSPF in a single area, the configuration.
   - **No Route Summarization at the Hub**: A Phase 2 spoke-to-spoke tunnel is triggered by the spoke's CEF entry for the *specific* remote spoke's tunnel address as next hop. The hub must therefore advertise every spoke prefix unchanged (no summarization, no next-hop-self), so routing tables and update volume grow with the number of spokes.
   - **OSPF DR/BDR Limitations**: With the broadcast network type that Phase 2 needs in order to preserve next hops, only the DR and BDR can act as hubs, so OSPF Phase 2 designs are limited to two hubs.

2. **Performance**:
   - While a spoke waits for NHRP resolution of a remote spoke, the first packets are **process-switched** rather than handled by Cisco Express Forwarding (CEF), and the hub must answer the resolution request and relay the initial traffic. Bursts of new spoke-to-spoke flows therefore show up as CPU spikes.

---

### **Improvements in DMVPN Phase 3**
DMVPN Phase 3 introduces two NHRP (Next Hop Resolution Protocol) features to address these issues:
1. **NHRP Redirect** (configured on the hub with `ip nhrp redirect`):
   - When the hub forwards a packet back out the same mGRE interface it arrived on, it sends a **redirect message** to the originating spoke to tell it that a better path exists directly to the destination spoke. Traffic keeps flowing through the hub until the spoke has resolved the shortcut, so nothing is dropped.
   
2. **NHRP Shortcut** (configured on the spokes with `ip nhrp shortcut`):
   - On receiving the redirect the spoke sends an NHRP resolution request for the destination, and on the reply installs the resolved spoke as an override next hop for the matching prefix in its RIB/CEF, so subsequent packets go direct spoke-to-spoke even though the routing protocol still says "via hub".

---

### **Behavioral Changes in Phase 3**
- **Routing Design**: 
  - All spokes must still point to the hub as the next-hop for other spoke networks. This is similar to Phase 1, maintaining a "hub-and-spoke" control plane.
  - However, unlike Phase 1, direct communication between spokes is fully optimized once the hub provides the redirect.
  
- **Reduced Route Table Size**:
  - Route summarization is now supported on the hub. Spokes no longer need detailed prefixes for other spokes, reducing the size of routing tables and improving scalability.

- **Enhanced Performance**:
  - Direct spoke-to-spoke tunnels can form with minimal hub involvement. This eliminates the hub’s process-switching bottleneck.
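Phase 3 hub and spoke configuration that puts the two NHRP features and hub summarization together, as an added example that is not part of the post. It assumes EIGRP AS 100, tunnel subnet 192.168.1.0/24, all site LANs inside 10.0.0.0/8 (so the hub can summarize to one route), HUB_PUBLIC_IP as the placeholder for the hub's transport address, a spoke LAN of 10.0.2.0/24, and an IPsec profile IPSEC_PROFILE defined elsewhere; LAN interfaces are not shown.

```cisco
! ---- Hub (added example)
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect                                  ! send NHRP redirects for traffic that hairpins through this interface
 no ip split-horizon eigrp 100
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0   ! spokes get one summary with the hub as next hop
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 100
 network 192.168.1.0 0.0.0.255
 ! hub LAN network statements go here (assumed, not shown)
!
! ---- Spoke (LAN 10.0.2.0/24 is an assumption)
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.1.1 HUB_PUBLIC_IP
 ip nhrp map multicast HUB_PUBLIC_IP
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut                                  ! act on redirects: resolve and install the direct next hop
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
```

Before any spoke-to-spoke traffic, show ip route on a spoke shows only 10.0.0.0/8 via 192.168.1.1. After the first packets to another spoke's LAN, show ip nhrp on the sending spoke shows a resolved entry for the remote LAN prefix with the remote spoke's NBMA address, and the RIB carries the NHRP-installed route (flagged H on 15.x releases) for that /24 with the remote spoke as next hop; the EIGRP summary is untouched. If the entry never appears, check that the hub has ip nhrp redirect and that the traffic really hairpins through the hub's mGRE interface, because a redirect is only sent for packets that enter and leave the same tunnel interface.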

---

### **Impact of Cisco IOS Versions**
- **Older Routers and Releases**:
  - NHRP Redirect and NHRP Shortcut (DMVPN Phase 3) were introduced in Cisco IOS 12.4(6)T, so a router running a release older than that cannot run Phase 3 and is limited to Phase 1 or Phase 2 behaviour.
  - Older releases also lack current security features (IKEv2, AES-GCM, SHA-2) and have received no fixes for the NHRP and IPsec defects found since.
  - Without Phase 3 the hub cannot summarize, so the routing-table and process-switching costs of Phase 2 apply.

- **Current Routers (Cisco IOS 15.9(3)M and its maintenance releases such as 15.9(3)M10)**:
  - Full support for DMVPN Phase 3 together with the accumulated NHRP and CEF fixes, so the scalability and performance benefits described above are obtainable in practice.
  - Support for modern IKEv2/IPsec algorithms, improving overall VPN security.

---

### **Conclusion**
DMVPN Phase 3 resolves the scalability and performance issues of Phase 2 through two NHRP features, redirect on the hub and shortcut on the spokes. Any maintained IOS release supports them (they date from 12.4(6)T), so for organizations still on older routers the task is to move to a supported release or platform rather than to wait for a particular version. Summarizing at the hub while keeping spoke-to-spoke shortcuts is what keeps large DMVPN deployments manageable.

Saturday, November 23, 2024

How to Configure DMVPN Phase 2 Using EIGRP in Cisco Networks

In DMVPN Phase 2, Cisco added direct spoke-to-spoke data paths, which improves scalability and reduces the load on the hub router. This is a significant step beyond Phase 1, where all traffic between spokes must transit the hub. With Phase 2 a spoke asks the hub (via NHRP) for the transport address of the other spoke and then builds a direct mGRE/IPsec tunnel to it, so the hub answers the resolution but no longer forwards the data. This matters wherever branch offices (spokes) talk to each other frequently, since it saves hub bandwidth and removes a hop of latency.

### Key Differences Between DMVPN Phase 1 and Phase 2

1. **Spoke-to-Spoke Communication**:
   - **Phase 1**: All communication between spokes must go through the hub.
   - **Phase 2**: Spokes can establish direct tunnels to each other after the initial communication with the hub. This direct communication is facilitated by the use of NHRP (Next Hop Resolution Protocol), which helps the spokes dynamically discover the IP addresses of each other without needing a static configuration.

2. **Routing**:
   - **Phase 1**: Static or dynamic routing protocols (like EIGRP or OSPF) can be used to share routes between the hub and spokes, but routing between spokes must be passed through the hub.
   - **Phase 2**: Dynamic routing protocols (such as EIGRP) can be used to advertise routes to each spoke. The protocol handles the dynamic discovery of spoke-to-spoke routes, allowing the spokes to communicate directly with each other.

3. **NHRP (Next Hop Resolution Protocol)**:
   - **Phase 1**: NHRP is used by each spoke to register its tunnel address and public (NBMA) address with the hub, so the hub can reach spokes with dynamic addresses.
   - **Phase 2**: NHRP still handles registration, and additionally answers spoke resolution requests for other spokes' NBMA addresses, so spokes can build direct tunnels after the initial contact with the hub.

### Configuration Considerations for DMVPN Phase 2 with EIGRP

When configuring DMVPN Phase 2 with EIGRP, the routing protocol must preserve the remote spoke's tunnel address as the next hop, because that next hop is what triggers the NHRP resolution and the spoke-to-spoke tunnel. Three things follow:

1. **EIGRP Configuration**: EIGRP runs on the hub and every spoke, with the tunnel subnet (and the site LANs) covered by `network` statements. The tunnel interface must not be passive, otherwise no adjacency forms.

2. **NHRP Configuration**: Spokes need a static map and `ip nhrp nhs` for the hub plus a multicast map so EIGRP hellos reach it; the hub needs `ip nhrp map multicast dynamic` so it can replicate hellos to every spoke that registers. All routers share the network-id, tunnel key and authentication string.

3. **Hub EIGRP Tuning**: On the hub's mGRE interface, `no ip split-horizon eigrp <AS>` is required so prefixes learned from one spoke are advertised to the others, and `no ip next-hop-self eigrp <AS>` is required so the advertised next hop stays the originating spoke. Do **not** summarize spoke prefixes at the hub in Phase 2: a summary carries the hub as next hop and silently turns the design back into hub-and-spoke forwarding (summarization at the hub is a Phase 3 feature). Bandwidth and delay still matter for path selection when there is more than one hub.

### Example of Basic DMVPN Phase 2 Configuration with EIGRP

Here's a simple outline of the commands you would use to configure DMVPN Phase 2 with EIGRP:

#### 1. **Hub Router Configuration:**

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication my-secret-key
 ip nhrp map multicast dynamic      ! spokes register; no static maps to spokes are needed
 ip nhrp network-id 1
 ip nhrp holdtime 600
 no ip split-horizon eigrp 100      ! re-advertise spoke prefixes out the mGRE interface
 no ip next-hop-self eigrp 100      ! keep the originating spoke as next hop (Phase 2 requirement)
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 ! add "tunnel protection ipsec profile <name>" for encryption (profile not shown on this page)
!
router eigrp 100
 network 10.0.0.0 0.0.0.255         ! tunnel subnet; add the hub LAN networks as well


#### 2. **Spoke Router Configuration:**

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication my-secret-key
 ip nhrp map 10.0.0.1 192.168.1.1        ! hub tunnel address -> hub public (NBMA) address
 ip nhrp map multicast 192.168.1.1       ! EIGRP hellos go to the hub only
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1                    ! register with the hub
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 ! add "tunnel protection ipsec profile <name>" for encryption (profile not shown on this page)
!
router eigrp 100
 network 10.0.0.0 0.0.0.255              ! tunnel subnet; add the spoke LAN network as well


#### 3. **Verifying EIGRP on Both Spokes**:
Once the tunnel and NHRP configuration are in place, confirm that each spoke learns the other spoke's LAN with the other spoke's tunnel address as next hop (`show ip route eigrp`); if the next hop is the hub, split horizon or next-hop-self is still on at the hub.

- **EIGRP Metrics Tuning**: Adjust interface delay where there is a real choice of paths (for example two hubs); with a single hub there is nothing to tune.
- **Route Summarization**: Keep spoke prefixes unsummarized at the hub in Phase 2. Summarizing at the hub to shrink spoke routing tables in large deployments is what Phase 3 (NHRP redirect/shortcut) is for.

### Cisco IOS 15.9(3)M10 and DMVPN

Cisco IOS 15.9(3)M10 is a maintenance release of the 15.9(3)M train, so what it brings to a Phase 2 deployment is mostly accumulated fixes rather than new DMVPN features:

- **NHRP and IPsec Fixes**: Maintenance releases carry the NHRP and IPsec defect fixes that matter in a busy spoke-to-spoke mesh; check the release notes for the defects resolved.
- **EIGRP and OSPF over DMVPN**: The routing behaviour described above (split horizon, next-hop-self, network types) is unchanged; run the latest maintenance release for stability.
- **Security**: IKEv2, AES-GCM and SHA-2 are available, so there is no reason to leave IKEv1 with 3DES/SHA-1 protecting the tunnels. Note that NHRP authentication itself is a plaintext string; only IPsec authenticates the peer.

### Conclusion

DMVPN Phase 2 is a critical enhancement for businesses looking to scale their network and improve branch-to-branch communication. By allowing direct spoke-to-spoke communication, it reduces hub overload and improves performance. Understanding the EIGRP and NHRP configurations is vital for ensuring smooth operation in a Phase 2 environment.

Friday, November 22, 2024

The Evolution of DMVPN: How Modern Routers with Cisco IOS 15.9(3)M10 Enhance Scalability, Security, and Efficiency

Dynamic Multipoint Virtual Private Network (DMVPN) is a Cisco-proprietary VPN technology that enables secure, dynamic, and scalable communication between multiple sites without requiring a permanent or static configuration for each connection. It is particularly useful in Hub-and-Spoke topologies and supports dynamic IP addressing for spoke routers.  

DMVPN simplifies the deployment and management of VPNs by using a combination of technologies such as:  
1. **GRE (Generic Routing Encapsulation):** For creating tunnels between the hub and spokes.  
2. **IPSec (Internet Protocol Security):** For encrypting data over the GRE tunnels.  
3. **NHRP (Next Hop Resolution Protocol):** To dynamically resolve and register spoke IP addresses, acting like ARP for layer 3 (IP).  

---

### **How DMVPN Works**

In a typical DMVPN setup:  
1. **Hub-Spoke Communication:** The hub router has a static IP address, while spokes can use dynamic IPs. Each spoke registers its address with the hub using NHRP.  
2. **Dynamic Tunnel Creation:** When two spokes need to communicate, they can establish a direct tunnel (spoke-to-spoke) instead of routing traffic through the hub.  
3. **GRE Multipoint Tunnels:** The hub router uses a single multipoint GRE interface to manage all spokes, avoiding the need for individual tunnel configurations.  

---

### **Key Benefits of DMVPN**

- **Dynamic IP Support:** Enables VPN connectivity even when spokes use dynamically assigned IP addresses.  
- **Simplified Configuration:** Reduces the complexity of managing individual VPN connections between sites.  
- **Scalability:** Allows seamless addition of new sites with minimal configuration changes.  
- **Direct Communication:** Supports spoke-to-spoke communication in later phases (2 and 3), improving efficiency.  

---

The Dynamic Multipoint Virtual Private Network (DMVPN) technology has evolved considerably since Cisco introduced it in the early 2000s (it first shipped in IOS 12.2(13)T). With current routers and Cisco IOS releases such as 15.9(3)M10 there are distinct differences compared to older routers and earlier IOS versions. Below is a comparison focusing on key aspects:

---

### **1. Compatibility and Support**

- **Old Routers (Pre-IOS 15.x):**
  - Limited DMVPN throughput on older hardware without a hardware crypto engine.
  - NHRP redirect and shortcut (Phase 3) only from IOS 12.4(6)T onwards; earlier releases support Phase 1 and 2 only.
  - Some older platforms cannot run the releases that carry the later NHRP and IPsec fixes.
  
- **New Routers (IOS 15.9(3)M10 and later):**
  - Better hardware support, including onboard crypto acceleration for IPsec.
  - Full support for DMVPN Phases 1, 2 and 3, including NHRP redirect and shortcut, for scalable spoke-to-spoke communication.
  - Current cryptography: IKEv2, AES (including AES-GCM) for encryption and SHA-2 for integrity and key derivation (SHA-2 is a hash family, not an encryption algorithm).

---

### **2. Scalability and Performance**

- **Old Routers:**
  - Limited scalability due to lower CPU and memory capacity, leading to performance bottlenecks with multiple spokes.
  - DMVPN Phase 3 may not perform well on older hardware because of the higher demands of NHRP Redirects and route optimizations.

- **New Routers:**
  - Enhanced scalability, supporting a greater number of spokes due to improved hardware.
  - Optimized performance for GRE multipoint tunnels and dynamic routing protocols (e.g., EIGRP, OSPF, BGP) over DMVPN.
  - Better handling of high-bandwidth requirements.

---

### **3. Security**

- **Old Routers:**
  - Supported IPsec, but typically deployed with IKEv1 and older algorithms such as 3DES and SHA-1 (and DH group 1 or 2), which are below current standards.
  - Limited integration with certificate-based authentication (a CA/PKI trustpoint) or modern key management, so pre-shared keys, often one key shared by every spoke, were the norm.

- **New Routers:**
  - Support for modern cryptography: IKEv2, AES-256 and AES-GCM, SHA-2, ECDH groups 19/20, giving authenticated encryption and strong key exchange.
  - Enhanced integration with Cisco TrustSec and Identity Services Engine (ISE) for better policy enforcement.
  - Whatever the release, `ip nhrp authentication` is a plaintext match string and `tunnel key` is only a GRE demultiplexer; only IPsec tunnel protection authenticates peers and encrypts traffic, so never run a DMVPN cloud without it.
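What the move from legacy to current cryptography looks like in configuration, as an added example that is not from the post. The legacy stanza is the IKEv1/3DES/SHA-1 style the post describes; the hardened stanza defines the IPSEC_PROFILE that a DMVPN tunnel interface references. The names (PROP_DMVPN, POL_DMVPN, KR_DMVPN, PROF_DMVPN, TS_DMVPN, TS_LEGACY), the wildcard peer and the pre-shared keys are assumptions for illustration.

```cisco
! ---- Legacy setting (what many existing deployments still run): IKEv1, 3DES, SHA-1, DH group 2
! Shown only so it can be recognised and removed; do not apply both halves to one tunnel.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key LEGACYKEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS_LEGACY esp-3des esp-sha-hmac
 mode transport
!
! ---- Hardened replacement: IKEv2, AES-GCM-256 (AEAD, so no separate integrity), SHA-512 PRF, ECDH group 19
crypto ikev2 proposal PROP_DMVPN
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy POL_DMVPN
 proposal PROP_DMVPN
crypto ikev2 keyring KR_DMVPN
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key STRONG-RANDOM-PSK      ! assumption; per-peer keys or certificates are preferable
crypto ikev2 profile PROF_DMVPN
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR_DMVPN
 dpd 10 2 on-demand                     ! dead peer detection so a failed hub's SAs are torn down
crypto ipsec transform-set TS_DMVPN esp-gcm 256
 mode transport
crypto ipsec profile IPSEC_PROFILE
 set transform-set TS_DMVPN
 set ikev2-profile PROF_DMVPN
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC_PROFILE
```

At scale replace the wildcard pre-shared key with certificate authentication (`authentication remote rsa-sig` against a PKI trustpoint) so that one compromised spoke does not hold the key for the whole cloud, and confirm the negotiated algorithms with show crypto ikev2 sa detail and show crypto ipsec sa.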

---

### **4. Ease of Configuration and Features**

- **Old Routers:**
  - Configuration was more manual, with more effort needed to set up and troubleshoot DMVPN.
  - Spoke-to-spoke direct tunnels were harder to get right (Phase 2 next-hop preservation rules).

- **New Routers:**
  - Simplified configuration with improved CLI commands and, on the IOS-XE platforms, integration with Cisco SD-WAN.
  - Automatic spoke-to-spoke tunnels using NHRP redirect/shortcut and dynamic routing, reducing the need for manual intervention.
  - Better troubleshooting tools and logs (show dmvpn, show ip nhrp, show crypto session), aiding quicker resolution of issues.

---

### **5. Network Design Enhancements**

- **Old Routers:**
  - Pure Hub-and-Spoke topologies were more commonly implemented due to limited support for advanced phases.
  - Suboptimal performance for large-scale networks with dynamic IP spokes.

- **New Routers:**
  - Full support for hybrid topologies, including spoke-to-spoke communication.
  - Improved DMVPN Phase 3 scalability allows for efficient large-scale deployments.

---

Upgrading to newer routers with Cisco IOS 15.9(3)M10 or later offers significant advantages in terms of performance, security, scalability, and ease of management for DMVPN deployments. These advancements make it well-suited for modern dynamic and large-scale enterprise environments.
