The Fundamental Difference between Phase 2 and Phase 3 DMVPN
DMVPN networks still confuse some engineers, particularly the true differences between Phase 2 and Phase 3 DMVPN. Here’s the explanation that worked for an engineer who sent me a question along these lines.
Phase 2 DMVPN forwarding relies exclusively on the IP routing table (RIB). Whatever IP next hop is in the routing table (as computed by the routing protocol) is copied into the forwarding table (FIB) and used for packet forwarding.
In Phase 3 DMVPN, there's the NHRP redirect cache below the forwarding table. FIB entries are copied from the routing table, but the next hop in the FIB table doesn’t necessarily reflect the actual next hop (which might be overridden by a dynamic NHRP entry). This functionality allows direct spoke-to-spoke traffic even if the only route spokes have is a default route toward the hub router.
In both cases, the next hop router that appears in the FIB table or NHRP cache isn’t used unless there’s an already-established IPsec session with that router. Otherwise, the packet is sent toward the best hub router (for whatever value of best).
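The forwarding decision described above, as a simplified Python model. This is an added example, not code from the original post and not a description of how IOS implements it; the addresses, table contents and the function names lookup and egress_next_hop are constructed for illustration.

```python
import ipaddress

HUB, SPOKE1 = "10.255.0.1", "10.255.0.11"   # constructed tunnel addresses

def lookup(table, dst):
    """Longest-prefix match; table maps prefix string -> next-hop string."""
    addr = ipaddress.ip_address(dst)
    hits = [p for p in table if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return table[max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)]

def egress_next_hop(phase, dst, rib, nhrp_cache, ipsec_peers, hub=HUB):
    """Return the tunnel next hop a spoke uses for dst in this model."""
    fib = dict(rib)                  # FIB entries are copied from the RIB
    next_hop = lookup(fib, dst)
    if next_hop is None:
        return None                  # no route at all: nothing to forward on
    if phase == 3:
        # Phase 3 only: a dynamic NHRP entry below the FIB may override
        # the next hop that was copied from the routing table.
        next_hop = lookup(nhrp_cache, dst) or next_hop
    # Both phases: the next hop is used only if an IPsec session with it
    # already exists; otherwise the packet goes toward the hub.
    return next_hop if next_hop in ipsec_peers else hub

# Constructed spoke state
RIB_PHASE2 = {"0.0.0.0/0": HUB, "10.1.1.0/24": SPOKE1}  # RIB carries the spoke next hop
RIB_DEFAULT_ONLY = {"0.0.0.0/0": HUB}                   # only a default route to the hub
NHRP = {"10.1.1.0/24": SPOKE1}                          # dynamic NHRP entry

if __name__ == "__main__":
    cases = [
        ("Phase 2, full RIB, IPsec to spoke up", 2, RIB_PHASE2, {}, {HUB, SPOKE1}),
        ("Phase 2, full RIB, no IPsec to spoke", 2, RIB_PHASE2, {}, {HUB}),
        ("Phase 2, default route only", 2, RIB_DEFAULT_ONLY, NHRP, {HUB, SPOKE1}),
        ("Phase 3, default route only, IPsec up", 3, RIB_DEFAULT_ONLY, NHRP, {HUB, SPOKE1}),
        ("Phase 3, default route only, no IPsec", 3, RIB_DEFAULT_ONLY, NHRP, {HUB}),
    ]
    for label, phase, rib, nhrp, peers in cases:
        print(f"{label}: {egress_next_hop(phase, '10.1.1.5', rib, nhrp, peers)}")
```
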
For more details, check the ipSpace.net DMVPN webinars.
Thanks for this post Ivan. I'm probably misunderstanding something, but should that second paragraph read as
"but the next hop in the RIB (IP routing table) doesn’t necessarily reflect the actual next hop (which might be overridden by a dynamic NHRP entry)".
SPOKE_2#show ip route next-hop-override | begin Gate
Gateway of last resort is 133.2.2.10 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 133.2.2.10
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.0.0.0/24 [90/27008000] via 172.16.1.254, 00:03:25, Tunnel100
D   %    10.1.1.0/24 [90/28288000] via 172.16.1.254, 00:03:25, Tunnel100
                     [NHO][90/255] via 172.16.1.1, 00:00:43, Tunnel100
! Lines removed
It's been over a decade 🤷‍♂️, but IIRC when I looked at the printouts, the RIB and the FIB contained the same next hop (and the redirection happened below FIB).
That was really surprising, as I expected RIB to have RP-derived next hop with FIB having the actual next hop.