
What is DMVPN (Dynamic Multipoint VPN), NHRP, mGRE and How to configu

Edgar c Francis

 

DMVPN (Dynamic Multipoint VPN), introduced by Cisco in late 2000, is a routing technology you can use to build a VPN network with multiple sites (spokes) without having to statically configure all devices. It’s a “hub and spoke” network, where the spokes can communicate with each other directly without having to go through the hub. Encryption is supported through IPsec, which makes DMVPN a popular choice for connecting different sites using regular Internet connections. It’s a great backup or alternative to private networks like MPLS VPN.

 

 

 

 

 


This technology has been developed to address the need for automatically created VPN tunnels when dynamic IP addresses on the spokes are in use. It is a pure hub-and-spoke topology in which all branches may communicate with each other securely through the hub.

There are four topics you need to know.

Multipoint GRE (mGRE)

NHRP (Next Hop Resolution Protocol)

Routing (RIP, EIGRP, OSPF, BGP, etc.)

IPsec (not required but recommended)

 

 

Multipoint GRE (mGRE)

Our regular GRE tunnels are point-to-point and don’t scale well. With so many point-to-point tunnels, it becomes messy quickly. When we use multipoint GRE, there is only one tunnel interface on each router. mGRE interfaces do not have a tunnel destination, which keeps cost low, minimizes configuration complexity, and increases flexibility. Multipoint GRE (mGRE) uses a tunnel source and a tunnel mode (mGRE). The tunnel can have many endpoints while using a single tunnel interface. An endpoint can be configured as GRE or mGRE, and the mapping is done by NHRP.

 

NHRP (Next Hop Resolution Protocol)

We want something that helps our router figure out the public IP address of the other router. We do this with a protocol called NHRP (Next Hop Resolution Protocol). NHRP maps the tunnel IP to the NBMA address (the public IP), either statically or dynamically. NHRP provides a layer 2 address resolution protocol and caching service similar to ARP and inverse ARP. All it does is build a dynamic database, stored on the hub, with information about the spokes' IP addresses.

How NHRP works:

  • One router will be the NHRP server, the next-hop server (NHS).
  • All other routers will be NHRP clients, the next-hop clients (NHC).
  • NHRP clients register themselves with the NHRP server and report their public IP address. An NHC sends a query to the NHS if it wants to communicate with another NHC.
  • The NHRP server keeps track of all public IP addresses in its cache. The NHS acts as a mapping agent, stores all registered mappings, and replies to queries made by NHCs.
  • When one router wants to tunnel something to another router, it will ask the NHRP server for the public IP address of the other router.

 

DMVPN has three different versions, which we call phases.

Phase 1

Phase 2

Phase 3

 

DMVPN Phase 1

Before we start, I want to let you know that Phase 1 is not used nowadays. In Phase 1 we use NHRP so that spokes can register themselves with the hub. The hub is the only router that uses a multipoint GRE (mGRE) interface; all spokes use regular point-to-point GRE tunnel interfaces. It is a hub-and-spoke topology in which dynamic IP addresses on the spokes may be used. All your traffic goes through the hub, which means that there is no direct spoke-to-spoke communication.

Since our traffic has to go through the hub, our routing configuration will be quite simple. Spoke routers only need a summary or default route to the hub to reach other spoke routers.
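The Phase 1 behaviour described above, as an added Python example that is not part of the original post: a point-to-point GRE spoke always encapsulates towards its fixed tunnel destination, while the mGRE hub needs an NHRP mapping to choose the outer (NBMA) address. The `Router` class and the function names are hypothetical, the addresses are those of the lab configured later on this page, and the model uses NHRP registration where the lab uses static `ip nhrp map` entries on the hub.

```python
# Added model of NHRP registration plus Phase 1 forwarding (not Cisco code).
# Class and function names are hypothetical; addresses are this page's lab.
from typing import Dict, List, Optional, Tuple

class Router:
    def __init__(self, name: str, tunnel_ip: str, nbma_ip: str,
                 tunnel_dest: Optional[str] = None) -> None:
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.tunnel_dest = tunnel_dest      # set on p2p GRE spokes only
        self.nhrp: Dict[str, str] = {}      # tunnel IP -> NBMA address

    def register_with(self, nhs: "Router") -> None:
        """NHC -> NHS registration: report tunnel IP and public address."""
        nhs.nhrp[self.tunnel_ip] = self.nbma_ip

    def outer_destination(self, next_hop: str) -> str:
        """NBMA address written into the outer IP header of the GRE packet."""
        if self.tunnel_dest is not None:    # p2p GRE: fixed tunnel destination
            return self.tunnel_dest
        if next_hop not in self.nhrp:       # mGRE: needs an NHRP mapping
            raise LookupError(f"{self.name}: no NHRP mapping for {next_hop}")
        return self.nhrp[next_hop]

def phase1_path(src: Router, hub: Router,
                dst_tunnel_ip: str) -> List[Tuple[str, str]]:
    """(encapsulating router, outer NBMA destination) for each GRE hop."""
    hops = [(src.name, src.outer_destination(hub.tunnel_ip))]
    if dst_tunnel_ip != hub.tunnel_ip:      # spoke-to-spoke: the hub relays
        hops.append((hub.name, hub.outer_destination(dst_tunnel_ip)))
    return hops

def build_lab() -> Tuple[Router, Router, Router]:
    """R1 is the mGRE hub; R3 and R4 are point-to-point GRE spokes."""
    r1 = Router("R1", "192.168.1.1", "1.1.1.1")
    r3 = Router("R3", "192.168.1.2", "3.3.3.2", tunnel_dest="1.1.1.1")
    r4 = Router("R4", "192.168.1.3", "4.4.4.2", tunnel_dest="1.1.1.1")
    return r1, r3, r4

if __name__ == "__main__":
    r1, r3, r4 = build_lab()
    try:
        phase1_path(r4, r1, r3.tunnel_ip)   # R3 has not registered yet
    except LookupError as exc:
        print("before registration:", exc)
    r3.register_with(r1)
    print("after registration:", phase1_path(r4, r1, r3.tunnel_ip))
```

The two hops returned for R4 to 192.168.1.2 correspond to the two-hop traceroute through 192.168.1.1 shown at the end of the lab.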

We will talk about DMVPN Phase 2 and 3 in the next chapter.

Let's see the configuration:

Topology:

EdgarcFrancis_1-1634397076745.png

 

 

 

 

Goal:

  • configure the topology as per the diagram
  • assign the IP addresses to the ports as per the topology
  • configure static routing on router 2
  • configure default routing on routers 1, 3 and 4
  • configure DMVPN Phase 1 on routers 1, 3 and 4
  • configure router 1 as the hub; routers 3 and 4 should be spoke routers
  • configure the tunnel interfaces in 192.168.1.0/24
  • configure NHRP using static mapping

 

 

 

 

R1(config)#interface serial 4/0

R1(config-if)#ip address 1.1.1.1 255.0.0.0

R1(config-if)#no shutdown

R1(config-if)#interface fastethernet 0/0

R1(config-if)#ip address 10.1.1.1 255.0.0.0

R1(config-if)#no shutdown

R1(config-if)#no keepalive

R1(config-if)#exit

 

R2(config)#interface serial 4/0

R2(config-if)#ip address 1.1.1.2 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#interface serial 4/1

R2(config-if)#ip address 3.3.3.1 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#interface serial 4/2

R2(config-if)#ip address 4.4.4.1 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#interface fastethernet 0/0

R2(config-if)#ip address 20.1.1.1 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#no keepalive

R2(config-if)#exit

 

R3(config)#interface serial 4/1

R3(config-if)#ip address 3.3.3.2 255.0.0.0

R3(config-if)#no shutdown

R3(config-if)#interface fastethernet 0/0

R3(config-if)#ip address 30.1.1.1 255.0.0.0

R3(config-if)#no shutdown

R3(config-if)#no keepalive

R3(config-if)#exit

 

 

R4(config)#interface serial 4/2

R4(config-if)#ip address 4.4.4.2 255.0.0.0

R4(config-if)#no shutdown

R4(config-if)#interface fastethernet 0/0

R4(config-if)#ip address 40.1.1.1 255.0.0.0

R4(config-if)#no shutdown

R4(config-if)#no keepalive

R4(config-if)#exit

 

 

R1#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        10.1.1.1        YES manual up                    up

Serial4/0                    1.1.1.1         YES manual up                    up

 

R2#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        20.1.1.1        YES manual up                    up

Serial4/0              1.1.1.2         YES manual up                    up

Serial4/1              3.3.3.1         YES manual up                    up

Serial4/2              4.4.4.1         YES manual up                    up

 

R3#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        30.1.1.1        YES manual up                    up

Serial4/1                     3.3.3.2         YES manual up                    up

 

R4#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        40.1.1.1        YES manual up                    up

Serial4/2                    4.4.4.2         YES manual up                    up

 

 

R1(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0

R1(config)#exit

R2(config)#ip route 1.0.0.0 255.0.0.0 serial 4/0

R2(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0

R2(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1

R2(config)#ip route 3.0.0.0 255.0.0.0 serial 4/1

R2(config)#ip route 4.0.0.0 255.0.0.0 serial 4/2

R2(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2

R2(config)#exit

 

R3(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1

R3(config)#exit

 

R4(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2

R4(config)#exit

 

 

R1#show ip route static

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Serial4/0

R2#show ip route static

Gateway of last resort is not set

 

S     10.0.0.0/8 is directly connected, Serial4/0

S     30.0.0.0/8 is directly connected, Serial4/1

S     40.0.0.0/8 is directly connected, Serial4/2

 

 

R3#show ip route static

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

S*    0.0.0.0/0 is directly connected, Serial4/1

 

 

R4#show ip route static

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

S*    0.0.0.0/0 is directly connected, Serial4/2

 

R1(config)#interface tunnel 999

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#tunnel source 1.1.1.1

R1(config-if)#tunnel mode GRE multipoint

 

R1(config-if)#ip NHRP network-id 01

R1(config-if)#ip NHRP map 192.168.1.2 3.3.3.2

R1(config-if)#ip NHRP map 192.168.1.3 4.4.4.2

R1(config-if)#exit

 

 

R3(config)#interface tunnel 999

R3(config-if)#ip address 192.168.1.2 255.255.255.0

R3(config-if)#tunnel source 3.3.3.2

R3(config-if)#tunnel destination 1.1.1.1

 

R3(config-if)#ip NHRP network-id 02

R3(config-if)#ip NHRP map 192.168.1.1 1.1.1.1

R3(config-if)#exit

 

 

 

R4(config)#interface tunnel 999

R4(config-if)#ip address 192.168.1.3 255.255.255.0

R4(config-if)#tunnel source 4.4.4.2

R4(config-if)#tunnel destination 1.1.1.1

 

R4(config-if)#ip NHRP network-id 03

R4(config-if)#ip NHRP map 192.168.1.1 1.1.1.1

R4(config-if)#exit

R4(config)#end
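The tunnel interfaces above are configured without IPsec, which this article lists as recommended. The following Python check is an added example, not part of the original post: it scans a running-config for tunnel interfaces that lack `tunnel protection ipsec profile` or `ip nhrp authentication`. The sample stanza is constructed from R1's commands above, and the function names are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample: R1's tunnel stanza as it would look in running-config
# after the commands above (assumption: IOS normalises keyword case).
R1_CONFIG = """\
interface Tunnel999
 ip address 192.168.1.1 255.255.255.0
 ip nhrp map 192.168.1.2 3.3.3.2
 ip nhrp map 192.168.1.3 4.4.4.2
 ip nhrp network-id 1
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
!
"""

# check id -> (sub-command that must be present, why its absence matters)
CHECKS = {
    "no-ipsec": (r"^tunnel protection ipsec profile \S+",
                 "GRE payload crosses the transport network unencrypted"),
    "no-nhrp-auth": (r"^ip nhrp authentication \S+",
                     "NHRP packets carry no authentication string"),
}

def tunnel_stanzas(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {tunnel interface: [sub-commands]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)\s*$", line, re.I)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip().lower())
        else:
            current = None   # "!" or any other top-level line ends the stanza
    return stanzas

def audit(config: str) -> List[str]:
    """Return one finding per tunnel interface and missing protection."""
    findings = []
    for name, cmds in tunnel_stanzas(config).items():
        for check_id, (pattern, why) in CHECKS.items():
            if not any(re.match(pattern, c) for c in cmds):
                findings.append(f"{name}: {check_id}: {why}")
    return findings
```

Calling `audit(R1_CONFIG)` reports both findings for Tunnel999; the same check applies to the spoke stanzas on R3 and R4.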

 

 

R1#show ip nhrp

192.168.1.2/32 via 192.168.1.2

   Tunnel999 created 00:44:20, never expire

   Type: static, Flags: used

   NBMA address: 3.3.3.2

192.168.1.3/32 via 192.168.1.3

   Tunnel999 created 00:44:04, never expire

   Type: static, Flags: used

   NBMA address: 4.4.4.2

 

 

R3#show ip NHRP

192.168.1.1/32 via 192.168.1.1

   Tunnel999 created 00:29:11, never expire

   Type: static, Flags:

   NBMA address: 1.1.1.1

 

 

 

 

R4#show ip NHRP

192.168.1.1/32 via 192.168.1.1

   Tunnel999 created 00:23:36, never expire

   Type: static, Flags:

   NBMA address: 1.1.1.1

 

 

 

 

R4#traceroute 192.168.1.1

Type escape sequence to abort.

Tracing the route to 192.168.1.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.1 1616 msec 92 msec 36 msec

 

R4#traceroute 192.168.1.2

Type escape sequence to abort.

Tracing the route to 192.168.1.2

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.1 12 msec 48 msec 40 msec

  2 192.168.1.2 700 msec 328 msec 84 msec

 

R3#traceroute 192.168.1.1

Type escape sequence to abort.

Tracing the route to 192.168.1.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.1 80 msec 72 msec 72 msec

 

 

R3#traceroute 192.168.1.3

Type escape sequence to abort.

Tracing the route to 192.168.1.3

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.1 72 msec 56 msec 96 msec

  2 192.168.1.3 240 msec 188 msec 188 msec

 

R1#traceroute 192.168.1.2

Type escape sequence to abort.

Tracing the route to 192.168.1.2

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.2 8 msec 72 msec 96 msec

 

R1#traceroute 192.168.1.3

Type escape sequence to abort.

Tracing the route to 192.168.1.3

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.3 72 msec 100 msec 100 msec

 https://mpls.internetworks.in/
