Building network automation solutions

9 module online course

Start now!

DMVPN Phase 2 Fundamentals

Continuing with the DMVPN Fundamentals series, the following video explains the DMVPN Phase 2 fundamentals and detailed spoke-to-spoke packet flow with dynamic NHRP resolution and IPSec session establishment. Before watching it, you might want to read the “Sometimes you need to step back and change your design” article and watch the Phase 1 Fundamentals video.

Let’s summarize:

  • Phase 2 DMVPN uses multipoint GRE tunnels on all routers.
  • NHRP is used for dynamic spoke registrations (like with Phase 1 DMVPN), but also for on-demand resolution of spoke transport addresses.
  • Traffic between the spokes initially flows through the hub router until NHRP resolves the remote spoke transport IP address and IKE establishes the IPSec session with it.
  • The IP next-hop address for any prefix reachable over DMVPN must be the egress router (hub or spoke). From the routing perspective, Phase 2 DMVPN subnet should behave like a LAN.
  • Multicast packets (including routing protocol hello packets and routing updates) are exchanged only between the hub and the spoke routers.
  • Routing adjacencies are established only between the hub and the spoke routers unless you use statically-configured neighbors.

More information

The Phase 2 DMVPN section of the DMVPN: from Basics to Scalable Networks webinar (register here or buy a recording) also includes the following topics:

  • Spoke and hub router configuration;
  • Routing protocol configuration, including OSPF, EIGRP and BGP;
  • DMVPN redundancy and shared IPSec tunnel protection;
  • Monitoring and troubleshooting guidelines.
Add comment