2.3 Configure and verify DMVPN (single hub)
📘CCNP Enterprise – ENARSI (300-410)
In DMVPN, there are two main ways traffic can flow between sites (spokes):
- Hub-and-Spoke: All traffic goes from a spoke to the hub and then to another spoke.
- Spoke-to-Spoke (Dynamic): Spokes communicate directly with each other without sending all traffic through the hub.
Spoke-to-spoke communication is important because it reduces hub bandwidth usage and improves performance.
1. How Spoke-to-Spoke Works
In a single-hub DMVPN, the hub is always configured to know all the spokes. Each spoke initially only knows the hub. Here’s the step-by-step flow:
- Spoke-to-Hub Registration:
  - Each spoke registers itself with the hub using NHRP (Next Hop Resolution Protocol).
  - NHRP is like a “phonebook” for IP-to-tunnel mappings.
- Traffic Initiation:
  - Suppose Spoke A wants to send traffic to Spoke B.
  - Spoke A first contacts the hub to find out Spoke B’s public IP address.
- Dynamic Tunnel Creation:
  - Hub responds with the real public IP of Spoke B.
  - Spoke A now establishes a temporary GRE tunnel directly to Spoke B.
  - This tunnel is encrypted with IPsec if configured.
- Direct Communication:
  - After the dynamic tunnel is up, Spoke A and Spoke B can send data directly without going through the hub.
  - This is true spoke-to-spoke communication.
- Tunnel Aging:
  - The dynamic tunnel will stay active for a period (configurable).
  - If no traffic is sent for a while, the tunnel will tear down automatically.
2. Requirements for Spoke-to-Spoke
To enable spoke-to-spoke communication in a single-hub DMVPN setup, you need to configure:
- On the Hub:
  - mGRE interface with a network pool (e.g., 10.0.0.0/24) for spokes.
  - NHRP server functionality: Hub maintains a mapping of spoke NBMA (real) IPs to their tunnel IPs.
  - Optional: IPsec for encrypting tunnels.
- On Each Spoke:
  - mGRE interface pointing to the hub.
  - NHRP client pointing to the hub (so the spoke can register itself).
  - IPsec matching the hub configuration.
  - Enable NHRP shortcuts (sometimes called ip nhrp shortcut) to allow direct spoke-to-spoke tunnels.
3. Key Commands (Cisco IOS)
Hub Configuration
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip nhrp network-id 1
ip nhrp authentication DMVPN123
ip nhrp map multicast dynamic
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
Spoke Configuration
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip nhrp network-id 1
ip nhrp authentication DMVPN123
ip nhrp map 10.0.0.1 <hub-public-ip>
ip nhrp nhs 10.0.0.1
ip nhrp shortcut
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
- ip nhrp shortcut → Enables spoke-to-spoke.
- ip nhrp map multicast dynamic → Hub will dynamically map spokes.
- Tunnel key → Must match between hub and spokes.
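A consistency check for the hub and spoke stanzas above, as an added example rather than code from the original page: it compares the values that must agree (NHRP authentication, tunnel key), confirms mGRE and the spoke's NHS and shortcut lines, and flags a missing `tunnel protection ipsec profile`, the IOS command that attaches the optional IPsec. The function names and the documentation address 192.0.2.1 are assumptions.

```python
import re

# Constructed input: the page's Tunnel0 stanzas, trimmed to the lines the audit
# reads. 192.0.2.1 is a documentation address standing in for <hub-public-ip>.
HUB = """interface Tunnel0
 ip nhrp authentication DMVPN123
 ip nhrp map multicast dynamic
 tunnel mode gre multipoint
 tunnel key 100
"""
SPOKE = """interface Tunnel0
 ip nhrp authentication DMVPN123
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel mode gre multipoint
 tunnel key 100
"""

def settings(stanza):
    """Map each 'ip nhrp <x>' / 'tunnel <x>' command to its argument string."""
    found = {}
    for line in stanza.splitlines():
        m = re.match(r"\s*((?:ip nhrp|tunnel) [\w-]+)\s*(.*)", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def audit(hub_stanza, spoke_stanza):
    """Return a list of findings; an empty list means the pair is consistent."""
    hub, spoke = settings(hub_stanza), settings(spoke_stanza)
    findings = []
    # Values that must agree between hub and spoke.
    for cmd in ("ip nhrp authentication", "tunnel key"):
        if hub.get(cmd) != spoke.get(cmd):
            findings.append(f"mismatch: {cmd} hub={hub.get(cmd)!r} spoke={spoke.get(cmd)!r}")
    for name, cfg in (("hub", hub), ("spoke", spoke)):
        if cfg.get("tunnel mode") != "gre multipoint":
            findings.append(f"{name}: tunnel mode is not gre multipoint")
        # Without IPsec the GRE payload and the NHRP authentication string
        # cross the public network in cleartext.
        if not cfg.get("tunnel protection", "").startswith("ipsec profile"):
            findings.append(f"{name}: no tunnel protection ipsec profile")
    for cmd in ("ip nhrp nhs", "ip nhrp shortcut"):
        if cmd not in spoke:
            findings.append(f"spoke: {cmd} missing")
    return findings

if __name__ == "__main__":
    for finding in audit(HUB, SPOKE):
        print(finding)
```

Run against the page's configurations as written, the audit reports only the missing IPsec protection on both sides, since neither stanza includes the optional `tunnel protection` line.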
4. How Spoke-to-Spoke Improves IT Networks
In a DMVPN single hub:
- Before spoke-to-spoke: Spoke A → Hub → Spoke B (all traffic goes through the hub).
  - Hub becomes a traffic bottleneck.
  - Higher latency and more load on the hub.
- After spoke-to-spoke: Spoke A → Spoke B (direct traffic).
  - Bandwidth is saved on the hub.
  - Faster and more efficient communication.
  - Useful for site-to-site applications like file sharing, VoIP, or replication between branch offices.
5. Verification Commands
On the Hub
show dmvpn
show nhrp
show ip nhrp
- show dmvpn → Shows the DMVPN tunnels and states.
- show nhrp → Shows NHRP mappings (who is registered).
On a Spoke
ping 10.0.0.X (other spoke tunnel IP)
show dmvpn
show nhrp
- Test connectivity to other spokes.
- Check if direct tunnels are established.
6. Exam Tips
- Spoke-to-spoke requires NHRP shortcuts; without them, traffic will always go through the hub.
- Hub must be configured as NHRP server, spokes as NHRP clients.
- GRE + NHRP + optional IPsec = full DMVPN setup.
- Understand the difference between hub-and-spoke vs spoke-to-spoke traffic flow.
- Always verify with show dmvpn and show nhrp.
✅ Summary Table
| Feature | Hub | Spoke | Purpose |
|---|---|---|---|
| NHRP Server/Client | Server | Client | Registers spokes and provides mappings |
| GRE Tunnel | mGRE | mGRE | Multipoint GRE for dynamic tunnel creation |
| Spoke-to-Spoke | Optional config | ip nhrp shortcut | Enables direct spoke-to-spoke traffic |
| IPsec | Optional | Matching config | Encrypts traffic between hub and spokes |
In short, spoke-to-spoke in DMVPN is all about direct, dynamic communication between spokes, controlled by NHRP, and optionally secured with IPsec. For the exam, know the concept, commands, and verification steps.
