GRE/mGRE

2.3 Configure and verify DMVPN (single hub)

📘CCNP Enterprise – ENARSI (300-410)


1. What is GRE?

  • GRE (Generic Routing Encapsulation) is a tunneling protocol.
  • It allows you to encapsulate packets (like IP packets) inside another IP header.
  • This is useful in IT networks when you want to connect remote sites over the internet as if they were part of the same private network.

Key points:

  • GRE creates a point-to-point tunnel between two devices.
  • Each GRE tunnel has a source IP and a destination IP.
  • Only two endpoints can communicate directly over a standard GRE tunnel.

Exam Tip: Understand that GRE by itself is not encrypted; it just encapsulates packets. To secure it, you combine GRE with IPsec.


2. What is mGRE (Multipoint GRE)?

  • mGRE is an extension of GRE.
  • Instead of a point-to-point tunnel, mGRE allows a single interface to communicate with multiple endpoints.
  • This is essential for DMVPN, because you don’t need a separate tunnel for every remote site.
  • With mGRE, the hub can dynamically connect to any spoke without manual configuration of individual tunnels.

Example in IT terms:
Think of a hub server that needs to connect to multiple branch offices. With mGRE, you just configure one interface on the hub, and all spokes can connect dynamically.

Key exam points:

  • mGRE is hub-and-spoke friendly.
  • Reduces manual configuration.
  • Supports dynamic spoke-to-spoke communication when combined with NHRP (Next Hop Resolution Protocol).

3. How GRE / mGRE is used in DMVPN

Single Hub DMVPN topology:

         Hub
        / | \
      Spoke1 Spoke2

  • Each spoke has a point-to-multipoint GRE tunnel (mGRE) to the hub.
  • The hub uses an mGRE tunnel interface that can accept connections from all spokes.
  • Spoke-to-spoke communication can be established dynamically using NHRP without touching the hub config again.

DMVPN Step Flow:

  1. Hub has mGRE interface → spokes register themselves using NHRP.
  2. Spokes send packets to hub → hub forwards or replies.
  3. Spokes can learn each other’s public IP dynamically → direct spoke-to-spoke tunnels can be created.

4. Key DMVPN GRE/mGRE Commands (Cisco IOS)

On Hub:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint

On Spoke:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ! 192.0.2.1 is the hub public IP
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint

Explanation:

  • tunnel mode gre multipoint → Makes the tunnel mGRE.
  • ip nhrp map multicast dynamic → Lets the hub create multicast mappings dynamically for all spokes that register.
  • ip nhrp nhs → Defines the hub as the Next Hop Server for spokes.
  • tunnel source → Public IP/interface used for tunneling.

Exam Tip: Memorize these commands and understand why each is needed. Don’t just memorize blindly.


5. Verification Commands

Check tunnel interface:

show ip interface brief
show running-config

Check NHRP (Next Hop Resolution Protocol) mappings:

show ip nhrp

  • Shows registered spokes on the hub and mappings.

Ping over the tunnel:

ping 10.0.0.2 source 10.0.0.1

  • Verifies tunnel connectivity.

Optional: Show mGRE neighbors (for spoke-to-spoke learning):

show dmvpn

  • Displays phase 1-3 DMVPN status (hub-spoke and spoke-spoke info).

6. Important Exam Concepts

  1. GRE = point-to-point; mGRE = multipoint.
  2. mGRE allows dynamic spoke registration.
  3. NHRP maps public IPs to tunnel IPs for dynamic connectivity.
  4. Hub-and-spoke single hub DMVPN is usually Phase 1 or Phase 2 DMVPN depending on spoke-to-spoke communication.
  5. Tunnel IP addresses must be in the same subnet.
  6. GRE alone does not encrypt traffic → IPsec is needed for security.
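
Added example (not part of the original notes and not a Cisco tool): a small Python check for point 6 that reads an IOS configuration and flags every mGRE tunnel interface with no "tunnel protection ipsec profile" line. It also flags a missing "ip nhrp authentication" string, which is an extra check beyond these notes. The sample configuration is constructed: Tunnel0 is the hub from section 4, while Tunnel1, its NHRP string and its profile name are hypothetical.

```python
# Constructed sample: Tunnel0 is the hub from section 4; Tunnel1 is a
# hypothetical tunnel with IPsec protection and NHRP authentication added.
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
interface Tunnel1
 ip nhrp authentication EXAMPLE
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile EXAMPLE-PROFILE
"""

def interface_blocks(config):
    """Yield (name, [sub-commands]) for each interface stanza."""
    name, cmds = None, []
    for raw in config.splitlines():
        if raw.startswith("interface "):
            if name:
                yield name, cmds
            name, cmds = raw.split(None, 1)[1].strip(), []
        elif raw.startswith(" ") and name:
            cmds.append(raw.strip())
        elif name:  # "!" or a global command closes the stanza
            yield name, cmds
            name, cmds = None, []
    if name:
        yield name, cmds

def audit_mgre(config):
    """Return (interface, finding) pairs for mGRE tunnels only."""
    findings = []
    for name, cmds in interface_blocks(config):
        if "tunnel mode gre multipoint" not in cmds:
            continue
        if not any(c.startswith("tunnel protection ipsec profile ") for c in cmds):
            findings.append((name, "no IPsec protection: tunnel traffic is unencrypted"))
        if not any(c.startswith("ip nhrp authentication ") for c in cmds):
            findings.append((name, "no NHRP authentication string"))
    return findings

if __name__ == "__main__":
    print(*audit_mgre(SAMPLE_CONFIG), sep="\n")
```

Run against the section 4 hub as written, it reports both findings for Tunnel0 and none for Tunnel1.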

Summary

  • GRE = simple point-to-point tunnel, used for connecting two sites.
  • mGRE = multipoint GRE, allows one hub interface to handle multiple spokes dynamically.
  • In DMVPN, GRE/mGRE is the foundation that allows dynamic VPN connections.
  • Hub configuration is simpler; spokes can come and go without reconfiguring the hub.
  • NHRP is used with mGRE for mapping tunnel IPs to real public IPs.
  • Understanding these concepts and commands is crucial for the ENARSI 300-410 exam.