DMVPN: How to Get from Zero to Hero?

John (not a real name for obvious reasons) sent me the following e-mail:

I am a Sys Admin who has recently assumed duties as a Net Eng. I am currently expected to perform responsibilities utilizing DMVPN with Cisco routers though I have never worked with DMVPN and have very little router experience. I started with your DMVPN webinar and it has been extremely helpful, but there’s still a huge gap between what I know so far and what I need to know to work with DMVPN.

In a few days I will deploy to Afghanistan to start work for a customer and I was hoping you might be able to give me some advice on the matter, perhaps some how-to documents or good books to purchase that will assist in the huge learning curve.

As we know, DMVPN combines a particular mix of technologies: IP routing (both in the transport network underneath the DMVPN tunnels and across them) and IP routing protocols, IPsec, multipoint GRE and NHRP. Assuming John needs to start from scratch, I advised him to:

  • Start with introductory material (CCNA level) to get familiar with the router's CLI and basic functions;
  • Move to CCNP-level material to get exposure to the technologies underlying DMVPN;
  • Add a few networking bibles (like Jeff Doyle’s Routing TCP/IP) to the mix;
  • Read everything Petr Lapukhov and Jeremy Stretch wrote on the above-mentioned topics;
  • Follow the blogs on Stretch’s list of networking blogs.

I was not able to recommend specific books as I have never read them (your comments would be highly appreciated), but I did find a fantastic purchasing option: the Safari 10-slot Bookshelf allows you to read up to 10 books per month (giving you quite an error margin if you select the wrong books) and download five PDFs per month for an astonishingly low $22.99.

The “only” question left is thus: which books should John select as the starting point and which ones would you recommend he reads to build his knowledge?


  1. Cisco produced a lot of very detailed design documentation for this solution and, although the official design has changed a lot over time, the basics are pretty well known. It's pretty easy wrapping your head around how it works as implemented, but the real challenge is when things are not working so well and you need to deploy your knowledge of troubleshooting the different technologies. Adding to the complexity, the spoke sites are generally VSAT flyaway suites of widely varying reliability, staffed by a mixed bag of uniformed military and contractors, and containing some very cool-but-fragile tunneling of several higher classification level networks with the accompanying line encryption, and you've got yourself a lot to learn in a short amount of time. Good luck and stay safe, my friend!

    PS: managing these DMVPN networks is cake compared with dealing with the cranky TDMA network management systems provided by GD and the like. In my experience, these systems and poor configuration management were the biggest enemies of the health of these tactical networks.
  2. I think John would be off to a good start if he also did the tasks outlined in this Cisco doc:

    I know it's not really a book and perhaps not everything is explained, but maybe it gives John some knowledge of what he can expect :)

  3. If it's broke and he needs to fix it right away, you can't beat the Cisco docs like Kelvin mentions. From 0 to hero, having just done this (I'm not a hero yet, maybe a sidekick...), I'd do:

    CCNA Official Exam Certification Library for a good intro to networking

    If you're not worried about the cert, skip the CCNP track (although the troubleshooting section is REALLY helpful) and read Doyle's Routing TCP/IP I and II.

    Stretch's blog is great. I'd also read the DMVPN design guide here:

    The trick is learning how to filter out exactly what you need to know versus what's nice to know. He really can't skip too much on the foundation, but once you get through Doyle's books everything seems to make a lot more sense, and you can see the commonality in the technology.
  4. Yes, it's clear.
    Misbah Mumtaz
  5. Here is an update which may help you to understand the specific configurations being used.

    First, Cisco has a PDF which addresses the architecture at a high level but in more depth than the link listed by meher zmania below:

    But even better is this document specifically about the JNN, with router examples which show how SIPRNET is tunneled over NIPRNET over this DMVPN architecture, along with some detailed technical info on the program-of-record terminals which comprise many of the terminals:

    There are tons of more detailed design docs, but I couldn't really find any links.