cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
610
Views
0
Helpful
1
Replies

Phase 2 DMVPN (Spoke to Spoke)

Matt Addy
Beginner
Beginner

Hi,

I am trying to get DMVPN phase 2 working, I have recently decided to change all of our spoke routers default gateway to go over the DMVPN tunnel back to the hub. I have done this to reduce the admin work on firewall rules to the Internet and have all spokes come back to our central ASA for Internet access. I have a static route on the spokes to our outside hub ip address forwarding to our ISP next hop so phase one tunnel comes up. Till now I have not discovered a best practice on how to bring up phase 2 with this configuration. The only thing I can think of is using a local policy on the router with a match ESP traffic and forward to the next hop. Does anyone either use or know of another recommend way?

Thanks

1 Reply 1

Peter Paluch
Hall of Fame Cisco Employee Hall of Fame Cisco Employee
Hall of Fame Cisco Employee

Hello Matthew,

For spoke-to-spoke tunnels in DMVPN Phase2, the key requirement is to have an appropriate content in your spokes' route tables. The routing must be set up so that all networks learned from spoke A use the next hop of spoke A on all other spokes, all networks learned from spoke B use the next hop of spoke B on all other spokes, etc. Simply, if a spoke advertises a set of networks, other spokes must be using the this spoke, not the hub, to reach those networks. This will facilitate the creation of spoke-to-spoke tunnels. Clearly, this is not feasible to be done manually - instead, a routing protocol should be used for this. OSPF, EIGRP and BGP are good protocols that can be configured so that they maintain the next hop addresses of spoke networks.

However, you may actually be interested in running DMVPN Phase3 that allows for spoke-to-spoke tunnels while making the configuration easier than in DMVPN Phase2. In DMVPN Phase3, all spokes point towards the hub for all networks, including spoke networks. However, if the hub receives a packet from a spoke that is supposed to be routed to another spoke, it will send a NHRP Redirect message to the sending spoke, instructing it of a better route. This way, you can be fine with having default routes on your spokes pointing to the hub, not even requiring the knowledge of other spokes' networks, and still have spoke-to-spoke tunnels. Read more about DMVPN Phase3 here:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_nhrp.html

https://supportforums.cisco.com/message/3822682#3822682

DMVPN Phase2 and Phase3 are in fact mutually exclusive - you either run Phase2 or Phase3 but not both.

Best regards,

Peter

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers