DMVPN Technology and Configuration

Overall rating: 4.77 Instructor: 4.98 Materials: 4.90 more …

DMVPN is a fantastic technology when you’re trying to roll out large-scale site-to-site Internet-based VPN or improve the convergence of your MPLS/VPN-based network. It seems exceedingly simple, but could soon get you into interesting challenges, more so if you’re trying to build networks where a large number of remote sites connect to a few hub routers.

As soon as you start deploying any-to-any VPN (Phase 2 DMVPN), you’ll stumble across dual default routing problem, and the quest for scalable solutions will lead you from OSPF/EIGRP-based networks to either BGP or unidirectional RIP. With the help of this webinar your journey will be faster and more comfortable.

Designed for demanding networking engineers, this three hour advanced technical webinar is full of design and configuration guidelines and tips that will help you build and deploy scalable DMVPN networks.


This webinar is part of Virtual Private Networks roadmap and accessible with standard subscription

Access content


DMVPN Phase 1

Hub-and-spoke Phase 1 DMVPN is the easiest DMVPN topology. This section describes DMVPN design and configuration principles including:

  • Routing protocol design guidelines for OSPF, EIGRP and BGP.
  • GRE design and configuration part with special focus on GRE tunnel key requirements and caveats
  • NHRP configuration, including NHRP multicast maps and NHRP operation in dial-up networks with dynamic transport IP addresses.
  • Basic IPSec configuration with shared keys and certificates.
  • Redundant network design with each spoke router being connected to two hub routers.

DMVPN Phase 2

After describing the changes introduced by Phase 2 DMVPN (dynamic spoke-to-spoke tunnels) and their impact on routing protocol design (OSPF, EIGRP and BGP), this section details the default routing issues caused by IPSec tunnels established with unknown destination addresses and the shared IPSec protection profile caveats.

Split Default Routing

This section presents several solutions to the default routing issues introduced with direct spoke-to-spoke tunnels, from policy routing to split default routing with Virtual Routing and Forwarding (VRF) tables.

Multihomed Spoke Site

Connections to two Internet Service Providers are usually used to increase the availability of DMVPN spoke sites. Simplistic implementations of dual uplinks can easily fail if the ISPs perform strict source IP address checking (usually with Reverse Path Forwarding – RPF – mechanisms). This section describes tunnel route-via feature introduced in IOS release 12.4(11)T and an alternate design that works well with encrypted traffic.

Scaling DMVPN with Distance Vector Routing Protocols

OSPF can become a bottleneck in DMVPN designs with high spokes-per-hub ratio. A simple distance vector routing protocol (RIP or ODR) scales much better than OSPF (with obvious convergence drawbacks). This section describes a network design where the spoke sites with multiple routers use OSPF while the sites with a single router (still connected to two uplinks) use ODR, which is then redistributed into OSPF.

Spoke sites running OSPF receive full complement of routes, while the spoke sites running ODR receive just the default route from the hub routers.

DMVPN Phase 3

Simplified scalable routing comes with a price: spoke routers receive just the default route from the hub routers, not the detailed routing information needed to establish spoke-to-spoke tunnels. DMVPN Phase 3 solves this problem by introducing dynamic hub-to-spoke redirects and spoke-to-spoke shortcuts. This section describes Phase 3 configuration and design caveats caused by DMVPN-specific limitations of NHRP.

Scaling DMVPN with Unidirectional Routing

As the number of spokes per hub grows, the multicast replication on the hub router becomes a bottleneck. To scale a DMVPN network beyond this bottleneck, you have to deploy a combination of distance vector routing protocol and reliable static routing, making the hub router totally passive (from the routing perspective).

Hierarchical Hubs

Unidirectional routing (or BGP) allows you to grow the DMVPN cloud to the point where you hit the architectural and IPSec limits of the hub routers. At that point, you have to introduce a hierarchy of hub routers and carefully design the routing protocols and NHRP if you want to retain any-to-any connectivity with hub hierarchy.


The webinar does not address platform-specific issues or performance guidelines. These topics are covered in Cisco’s design guides.

IPSec configuration is largely ignored, as it’s an independent part of the DMVPN design.

Router configurations

Lab topology

Twenty sets of complete router configurations covering every single design scenario described in the webinar are included in the webinar materials.

The seven router lab topology emulates an enterprise DMVPN deployment with a redundant central site (with two hubs), a redundant remote site (with two routers) and two non-redundant remote sites (using two uplinks in a few scenarios). The seventh router emulates the Internet.

The configurations can be used on any hardware (real or otherwise) supporting recent Cisco IOS software, allowing you to test and modify the design scenarios discussed in the webinar.

The router configurations cover the following scenarios:

DMVPN Phase 1

  • GRE+NHRP configuration without IPSec, using OSPF as the routing protocol;
  • dual-hub OSPF design
  • dual-hub EIGRP design
  • dual-hub BGP design
  • spokes with dynamic (DHCP-based) transport addresses

DMVPN Phase 2

  • Simple Phase 2 DMVPN with OSPF
  • DMVPN in OSPF stub area with default routing and transport interfaces in Internet VRF
  • EIGRP with default routes and route filters
  • BGP using default-information originate
  • Spoke sites with uplinks to two ISPs, no IPSec and tunnel route selection;
  • Spoke sites with uplinks to two ISPs using two Internet VRFs;
  • ODR-based routing;
  • One-way RIP routing (hub site is passive, spokes use IP SLA-based default routing);
  • Two-tier central site with IPSec offload;
  • MPLS/VPN over DMVPN using EBGP between hub and spokes;
  • MPLS/VPN over DMVPN using directly-connected IBGP sessions;
  • Inter-AS MPLS/VPN over DMVPN

DMVPN Phase 3

  • Dual-star design with ODR routing;
  • Multiple hubs in the same DMVPN cloud and mixed RIP+OSPF routing over DMVPN;

Target audience

If you’re considering DMVPN deployment beyond a few sites, you simply must attend this advanced webinar. Regardless of whether you’re a high-end consultant, a network designer working on a complex DMVPN-based design or a deployment engineer – you’ll appreciate the high-level overviews, configuration tips and the intricate technical details of all the scenarios covered during the webinar.

To attend this webinar, you should be very familiar with IP routing and IP routing protocols (CCNP-level knowledge is highly recommended) and have rudimentary knowledge of GRE and IPSec.


Ivan PepelnjakIvan Pepelnjak, CCIE#1354 Emeritus, is an independent network architect, book author, blogger and regular speaker at industry events like Troopers, Interop, and RIPE and regional NOG meetings. He has been designing and implementing large-scale service provider and enterprise networks since 1990, and is currently using his expertise to help multinational enterprises and large cloud- and service providers design next-generation data center and cloud infrastructure using network automation, Software-Defined Networking (SDN) and Network Function Virtualization (NFV) approaches and technologies.

Ivan is the author of several books covering internetworking and data center technologies, highly praised webinars, and thousands of technical articles published on his blog.

More about Ivan Pepelnjak

Happy Campers

About the webinar

Excellent content, explained in a way that is easy to follow and Ivan keeps you interested the whole way through.

Nicky Davey
best wan network design.
Just a great overview of DNVPN; well structured with insight to the reasoning behind the technology. I’d recommend to supplement via building the appropriate labs as this helps in following the various DMVPN phases. Top marks🤓.
J Senkiw
There is no such information on the web.
It has both theoretical and practical info. After spending time on the webinar, an engineer/architect does not have to read or listen to anything else.
Simon Richard
The materials presented are absolutely helpful to understand current market offerings in vendor neutral perspective!
Julemar Combate
As with any other webinar I have viewed on, this one provides the background as to why you may or may not want to do certain things and what impact that may have (positive or negative) on your network. Then it digs into the how of actually doing something. Brilliant content as always.
Peter McCreesh

About the materials

J Senkiw
Simply one of the best presentations!
Julemar Combate is my go-to for deep dives on existing and emerging tecnologies in the networking industry. No unnecessary preamble. Gets straight to the point of why you are looking at a specific technology and explains the what and the why before getting into the how. Brilliant as always.
Peter McCreesh