2.3 Configure and verify DMVPN (single hub)
📘CCNP Enterprise – ENARSI (300-410)
DMVPN (Dynamic Multipoint VPN) is a Cisco technology that allows you to create scalable VPNs over the internet. One of its powerful features is the concept of dynamic neighbors.
1. What are Dynamic Neighbors?
In a DMVPN network, you have:
- Hub router – a central point that all remote sites (spokes) can connect to.
- Spoke routers – remote sites that connect to the hub and sometimes directly to each other.
A dynamic neighbor is a spoke router that does not have a pre-configured tunnel endpoint on the hub or on other spokes. Instead, the hub automatically learns about the spoke when it registers using NHRP (Next Hop Resolution Protocol).
Think of it this way:
- Spokes can appear and disappear without needing manual configuration on the hub.
- The hub dynamically adds them as neighbors when they connect.
- This makes DMVPN highly scalable because you do not need to manually configure hundreds of spoke tunnels.
2. How Dynamic Neighbors Work
Dynamic neighbors rely on NHRP, which is the protocol that allows the hub and spokes to discover each other. Here’s the process:
- Spoke Registration:
  - When a spoke comes online, it registers itself with the hub using NHRP.
  - The registration includes the public IP address of the spoke and the tunnel IP it will use for DMVPN.
- Hub Learns the Spoke:
  - The hub receives the registration and adds the spoke to its NHRP database.
  - This means the hub now knows the tunnel endpoint of the spoke dynamically, without any static configuration.
- Spoke-to-Spoke Tunnels:
  - When a spoke wants to communicate with another spoke, it queries the hub via NHRP.
  - The hub responds with the tunnel IP of the target spoke.
  - A dynamic spoke-to-spoke tunnel is then established directly between the two spokes.
3. Commands to Verify Dynamic Neighbors
To ensure that dynamic neighbors are working correctly, you can use Cisco IOS commands:
- Check the NHRP table on the hub:
    show dmvpn
    show ip nhrp
  - These commands show registered spokes (dynamic neighbors) and their tunnel IP addresses.
- Check the DMVPN interface:
    show running-config | include tunnel
  - Ensure that the DMVPN tunnel interface is configured correctly (with tunnel mode gre multipoint and NHRP commands).
- Check connectivity:
    ping <spoke-tunnel-IP>
  - You can test if the hub can reach a dynamically registered spoke.
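Because any device that completes NHRP registration shows up as a dynamic neighbor, it is worth comparing the hub's show ip nhrp output with the list of spokes you expect. The following Python audit is an added example, not part of the original page; the sample output, the addresses and the EXPECTED_SPOKES inventory are constructed for illustration.

```python
import re

# Constructed hub-side `show ip nhrp` output (layout can vary by IOS release).
SAMPLE_SHOW_IP_NHRP = """\
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:10:05, expire 01:49:54
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 198.51.100.2
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:02:11, expire 01:57:48
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 203.0.113.77
"""

# Hypothetical inventory: tunnel IP -> expected public (NBMA) IP, None if it may change.
EXPECTED_SPOKES = {"10.0.0.2": "198.51.100.2", "10.0.0.4": None}

ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via ")
TYPE_RE = re.compile(r"Type:\s*(\w+)")
NBMA_RE = re.compile(r"NBMA address:\s*(\S+)")

def parse_nhrp(text):
    """Return {tunnel_ip: {"type": ..., "nbma": ...}} parsed from `show ip nhrp` text."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # unindented line starts a new cache entry
            current = entries.setdefault(m.group(1), {"type": None, "nbma": None})
        elif current is not None:  # indented detail lines belong to the current entry
            for key, rx in (("type", TYPE_RE), ("nbma", NBMA_RE)):
                if (hit := rx.search(line)):
                    current[key] = hit.group(1)
    return entries

def audit(entries, expected):
    """Compare dynamic registrations with the inventory; return sorted findings."""
    findings = []
    for ip, e in entries.items():
        if e["type"] != "dynamic":
            continue
        if ip not in expected:
            findings.append(f"unexpected spoke {ip} registered from {e['nbma']}")
        elif expected[ip] and expected[ip] != e["nbma"]:
            findings.append(f"spoke {ip} at {e['nbma']}, expected {expected[ip]}")
    findings += [f"expected spoke {ip} not registered" for ip in expected if ip not in entries]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(parse_nhrp(SAMPLE_SHOW_IP_NHRP), EXPECTED_SPOKES)))
```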
4. Configuration Overview (Hub Example)
Here’s a simplified hub configuration showing dynamic neighbor support:
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
Key points:
- ip nhrp map multicast dynamic – allows dynamic registration of spokes.
- tunnel mode gre multipoint – allows multiple spokes to share the same tunnel interface.
- Spokes only need minimal configuration to register themselves; no manual mapping to the hub is required.
5. Exam Tips
For the CCNP ENARSI exam, focus on:
- Understanding the difference between static neighbors and dynamic neighbors.
  - Static: Manually configured on hub or spoke.
  - Dynamic: Automatically registered using NHRP.
- Remember the dynamic neighbor process: spoke registers → hub learns → spokes can communicate directly.
- Know the key verification commands (show dmvpn, show ip nhrp).
- Remember that dynamic neighbors improve scalability, making DMVPN suitable for hundreds of spokes without manual configuration.
✅ Summary in Simple Terms:
Dynamic neighbors are spokes that appear automatically in a DMVPN network. They register themselves with the hub, and the hub learns about them. This avoids manual configuration and allows direct spoke-to-spoke communication, making large networks easier to manage. NHRP is the key protocol that enables this dynamic behavior.
