How to Configure Cisco Routers for DMVPN

Explained with Commands

Learn how to configure Cisco routers for DMVPN with full explanations for each Cisco IOS command. Ideal for network engineers looking to master dynamic multipoint VPNs.

What is DMVPN?

DMVPN (Dynamic Multipoint VPN) is a Cisco technology that allows branch offices to establish on-demand, secure tunnels over the Internet. It combines GRE tunnels, NHRP (Next Hop Resolution Protocol), and IPsec encryption to create scalable VPNs without the complexity of static tunnel configuration.

Prerequisites

  • At least one Cisco router for the hub, and one or more for spokes
  • Public IPs and Internet access for all routers
  • IOS version 12.4 or later
  • Basic understanding of IPsec, GRE, and static routing

Configure Cisco Routers for DMVPN

Step 1: Configure the DMVPN Hub Router

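interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ! NHRP authentication string; the spokes must use the same value
 ip nhrp authentication cisco123
 ! Add registered spokes to the multicast replication list automatically
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 ! One multipoint GRE interface serves all spokes
 tunnel mode gre multipoint
 tunnel key 100
 ! Encrypt the GRE traffic with the IPsec profile from Step 3
 tunnel protection ipsec profile DMVPN-PROFILE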

Step 2: Configure the DMVPN Spoke Router

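interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ! Static NHRP mapping: hub tunnel IP to hub public (NBMA) IP
 ip nhrp map 10.0.0.1 <HUB_PUBLIC_IP>
 ! Send multicast traffic (routing protocol hellos) to the hub
 ip nhrp map multicast <HUB_PUBLIC_IP>
 ip nhrp network-id 1
 ! Register with the hub as the Next Hop Server
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 ! Encrypt the GRE traffic with the IPsec profile from Step 3
 tunnel protection ipsec profile DMVPN-PROFILE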

🔐 Replace <HUB_PUBLIC_IP> with the real WAN IP address of the hub router.

Step 3: IPsec Profile and Encryption Setup

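! IKE phase 1 policy: AES encryption, pre-shared key authentication, DH group 2
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

! Pre-shared key, valid for any peer address (0.0.0.0)
crypto isakmp key cisco123 address 0.0.0.0

! IPsec transform set: ESP with AES encryption and SHA-1 HMAC integrity
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Profile referenced by "tunnel protection" on the tunnel interfaces
crypto ipsec profile DMVPN-PROFILE
 set transform-set ESP-AES-SHA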
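
An added example, not code from the original post: a small Python audit that reads the Step 1 and Step 3 commands as text and flags the settings a reviewer would question before production use (Diffie-Hellman group 2, a pre-shared key bound to the wildcard address 0.0.0.0, one string reused for NHRP authentication and the ISAKMP key, and an mGRE tunnel without tunnel protection). The function names `stanzas` and `audit` and the finding codes are assumptions made for this illustration.

```python
import re

# Constructed sample: abridged hub commands from Step 1 and Step 3 of this page.
HUB_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0
interface Tunnel0
 ip nhrp authentication cisco123
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
"""
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups

def stanzas(config):
    """Map each top-level IOS command to the indented sub-commands under it."""
    blocks, head = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            head = line.strip()
            blocks[head] = []
        elif head is not None:
            blocks[head].append(line.strip())
    return blocks

def audit(config):
    """Return the sorted finding codes (names are illustrative) for one router."""
    findings, psks, nhrp_secrets = set(), set(), set()
    for head, body in stanzas(config).items():
        key = re.fullmatch(r"crypto isakmp key (\S+) address (\S+)( \S+)?", head)
        if key:
            psks.add(key.group(1))
            if key.group(2) == "0.0.0.0":  # key is accepted from any peer address
                findings.add("wildcard-psk")
        elif head.startswith("crypto isakmp policy"):
            if any(c.startswith("group ") and c.split()[1] in WEAK_DH_GROUPS for c in body):
                findings.add("weak-dh-group")
        elif head.startswith("interface Tunnel"):
            nhrp_secrets.update(c.split()[-1] for c in body if c.startswith("ip nhrp authentication "))
            protected = any(c.startswith("tunnel protection ipsec") for c in body)
            if "tunnel mode gre multipoint" in body and not protected:
                findings.add("unprotected-mgre")
    if psks & nhrp_secrets:  # one string serves as both NHRP and ISAKMP secret
        findings.add("secret-reuse")
    return sorted(findings)
```

Calling `audit(HUB_CONFIG)` on the sample returns `['secret-reuse', 'weak-dh-group', 'wildcard-psk']`.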

DMVPN Phase Comparison

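| Phase | Tunnel Type | Spoke-to-Spoke? | Routing |
|-------|-------------|-----------------|---------|
| 1 | Point-to-Hub | ❌ No | Static/OSPF |
| 2 | Multipoint GRE | ✅ Yes | OSPF/EIGRP/BGP |
| 3 | Optimized DMVPN | ✅ Yes (Dynamic) | With NHRP Redirects |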

Verification Commands

show dmvpn
show crypto isakmp sa
show crypto ipsec sa

These commands show the status of tunnels, ISAKMP sessions, and IPsec security associations.

Troubleshooting Tips

  • Check that all routers use the same ip nhrp network-id and authentication string.
  • Ensure public IPs are reachable and mapped correctly.
  • Confirm that NAT rules (if used) allow GRE and IPsec traffic.

debug nhrp
debug crypto isakmp
debug crypto ipsec

Use these debug commands only during maintenance windows as they are CPU intensive.

Why Use DMVPN?

  • ✅ Reduces static tunnel overhead
  • ✅ Supports scalable branch-to-branch VPNs
  • ✅ Simplifies routing and encryption
  • ✅ Works with multiple dynamic routing protocols

Conclusion

DMVPN is a flexible and powerful VPN solution from Cisco. With the configurations and explanations above, you now understand both the how and the why behind each command. Use this to build scalable and secure multi-site networks with ease.


Bill

Bill is a passionate network engineer who loves to share his knowledge and experience with others. He writes engaging blog posts for itacute.com, where he covers topics such as home and small business networking, electronic gadgets, and tips and tricks to optimize performance and productivity. Bill enjoys learning new things and keeping up with the latest trends and innovations in the field of technology.
