SDN/SDDC Retreat in Miami, Florida (November 4th-6th)
Separate SDN hype from real life!

DMVPN: Advanced and crazy scenarios

When developing the Choose the optimal VPN service webinar, I decided to test everything I was talking about in a lab (you wouldn’t believe how much misinformation is spread across the Internet) and ended up with several DMVPN scenarios that most people would consider to be somewhere between peculiar and outrageous.

The best one: DMVPN Phase III network with ODR between spokes and level-1 hubs and OSPF inside a hierarchy of hubs ... of course fully redundant all the way down to the spokes.

The webinar has been rescheduled to July 7th (Cisco Live is taking place from June 27th to July 1st).

The design scenarios were simply too god to be left to rot on my hard drive (some of them were screaming to be documented and talked about), so I organized them into a progressively evolving story described in the DMVPN: Advanced and crazy scenarios webinar.

If you’re a CCNP/CCIE-level engineer interested in DMVPN, I’m positive you’ll enjoy this webinar (click here to register) ... and I’ll try to serve you as many curveballs as I can manage to fit within two hours.


  1. Hey mate,

    I've got one... DMVPN (dual hub, dual cloud) over international links crossing multiple ISP's for the spokes, Hubs based in Aus. Crazy crazy solution when carriers don't want to run Inter-AS VPNs. :(


  2. Ivan Pepelnjak02 June, 2010 14:36

    I would expect nothing less from you 8-)

  3. Ivan,

    Don't forget about FVRF/IVRF applied to DMVPN as well:

    It's a great solution for when your spokes need to carry a default for client internet traffic (transparent proxy at the hub) and also require a default route for spoke-to-spoke tunnel creation.


  4. I would love to attend this but I'll be at the USA Cisco Live Networkers show thta day... any chance of a recording or repeat?

  5. Ivan Pepelnjak02 June, 2010 16:31

    Thank you. Already included.

  6. Ivan Pepelnjak02 June, 2010 16:31

    Ouch. Forgot to check that. Will reschedule.

  7. Ivan Pepelnjak02 June, 2010 17:44

    Rescheduled to July 7th. Thanks again for the heads up!

  8. Hi Ivan,

    Is your seminar free?


  9. Ivan Pepelnjak26 June, 2010 13:07

    No. If you click on the webinar description or registration link, you'll find the prices.

  10. thanks for your prompt response!

    Is every seminar 49.99 or you have one fee for all seminars?

  11. Ivan Pepelnjak26 June, 2010 13:10

    The fee for all webinars is the same: $49.99 for each webinar. Regular attendees get a loyalty discount.

  12. thanks and how much is the loyalty discount?

  13. i m in very bad situation, please help me, details are given below.

    we have cisco 871 series router, one at head office and another one in branch office with site to site vpn connection.i want to connect branch office computer to head office Active directory domain, i have the following configuration:

    IP address of head office and branch office as in images.

    if i try to join the branch computer to acitve directory domain i m getting the error message.

    From Head office to branch office and vice versa can ping by ip address.

  14. If you can ping the domain controller from the remote host, there's nothing I can do to help you. I know almost nothing about Microsoft products.

  15. Hi Ivan,

    I like the way you explain complex things in simple language.
    I have to setup DMVPN in consumer-provider network where i can control the service consumption. So, I dont want the provider's network being exposed to consumer without my wish. For that instead of routing protocol, I am adding/removing static route for providers' network.
    Could you please tell me
    1) if there is any other way.
    2) if I can use phase 3 dmvpn while using statis route ?


    1. If I understand your intent correctly, you need something that could authenticate the users. There might be something in the IKE framework that would give you the tools you need, or you could use per-user keys with hub-and-spoke DMVPN (just guessing).

      Also check the new FlexVPN solutions - it's supposed to be a mixture of the goodies from all previous IPsec-based VPN technologies ;)


You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.